Example #1
0
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE)
        if ret != TPE_OK:
            return

        args = self.get_argument('args', None)
        if args is None:
            return self.write_json(TPE_PARAM)
        try:
            args = json.loads(args)
        except:
            return self.write_json(TPE_JSON_FORMAT)

        try:
            cfg = args['ldap']
            cfg['port'] = int(cfg['port'])
            if len(cfg['password']) == 0:
                if len(tp_cfg().sys_ldap_password) == 0:
                    return self.write_json(TPE_PARAM, message='需要设置LDAP管理员密码')
                else:
                    cfg['password'] = tp_cfg().sys_ldap_password
        except:
            return self.write_json(TPE_PARAM)

        try:
            ldap = Ldap(cfg['server'], cfg['port'], cfg['base_dn'])
            ret, data, err_msg = ldap.get_all_attr(cfg['admin'], cfg['password'], cfg['filter'])
            if ret != TPE_OK:
                return self.write_json(ret, message=err_msg)
            else:
                return self.write_json(ret, data=data)
        except:
            log.e('')
            return self.write_json(TPE_PARAM)
Example #2
0
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE)
        if ret != TPE_OK:
            return

        args = self.get_argument('args', None)
        if args is None:
            return self.write_json(TPE_PARAM)
        try:
            args = json.loads(args)
        except:
            return self.write_json(TPE_JSON_FORMAT)

        try:
            dn_hash_list = args['ldap_users']

            if len(tp_cfg().sys_ldap_password) == 0:
                return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码')
            else:
                _password = tp_cfg().sys_ldap_password
            _server = tp_cfg().sys.ldap.server
            _port = tp_cfg().sys.ldap.port
            _admin = tp_cfg().sys.ldap.admin
            _base_dn = tp_cfg().sys.ldap.base_dn
            _filter = tp_cfg().sys.ldap.filter
            _attr_username = tp_cfg().sys.ldap.attr_username
            _attr_surname = tp_cfg().sys.ldap.attr_surname
            _attr_email = tp_cfg().sys.ldap.attr_email
        except:
            return self.write_json(TPE_PARAM)

        try:
            ldap = Ldap(_server, _port, _base_dn)
            ret, data, err_msg = ldap.list_users(_admin, _password, _filter,
                                                 _attr_username, _attr_surname,
                                                 _attr_email)

            if ret != TPE_OK:
                return self.write_json(ret, message=err_msg)

            need_import = []
            for u in data:
                h = hashlib.sha1()
                h.update(u.encode())

                dn_hash = h.hexdigest()
                for x in dn_hash_list:
                    if x == dn_hash:
                        _user = data[u]
                        _user['dn'] = u
                        need_import.append(_user)
                        break

            if len(need_import) == 0:
                return self.write_json(ret, message='没有可以导入的LDAP用户')

            return self._do_import(need_import)
        except:
            log.e('')
            return self.write_json(TPE_PARAM)
Example #3
0
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE)
        if ret != TPE_OK:
            return

        args = self.get_argument('args', None)
        if args is None:
            return self.write_json(TPE_PARAM)
        try:
            args = json.loads(args)
        except:
            return self.write_json(TPE_JSON_FORMAT)

        try:
            if len(tp_cfg().sys_ldap_password) == 0:
                return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码')
            else:
                _password = tp_cfg().sys_ldap_password
            _server = tp_cfg().sys.ldap.server
            _port = tp_cfg().sys.ldap.port
            _admin = tp_cfg().sys.ldap.admin
            _base_dn = tp_cfg().sys.ldap.base_dn
            _filter = tp_cfg().sys.ldap.filter
            _attr_username = tp_cfg().sys.ldap.attr_username
            _attr_surname = tp_cfg().sys.ldap.attr_surname
            _attr_email = tp_cfg().sys.ldap.attr_email
        except:
            return self.write_json(TPE_PARAM)

        try:
            ldap = Ldap(_server, _port, _base_dn)
            ret, data, err_msg = ldap.list_users(_admin, _password, _filter,
                                                 _attr_username, _attr_surname,
                                                 _attr_email)
            if ret != TPE_OK:
                return self.write_json(ret, message=err_msg)

            exists_users = user.get_users_by_type(TP_USER_TYPE_LDAP)
            bound_users = []
            if exists_users is not None:
                for u in exists_users:
                    h = hashlib.sha1()
                    h.update(u['ldap_dn'].encode())
                    bound_users.append(h.hexdigest())

            ret_data = []
            for u in data:
                h = hashlib.sha1()
                h.update(u.encode())
                _id = h.hexdigest()
                if _id in bound_users:
                    continue

                _user = data[u]
                _user['id'] = h.hexdigest()
                ret_data.append(_user)
            return self.write_json(ret, data=ret_data)
        except:
            log.e('')
            return self.write_json(TPE_PARAM)
Example #4
0
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE)
        if ret != TPE_OK:
            return

        args = self.get_argument('args', None)
        if args is None:
            return self.write_json(TPE_PARAM)
        try:
            args = json.loads(args)
        except:
            return self.write_json(TPE_JSON_FORMAT)

        try:
            dn_hash_list = args['ldap_users']

            if len(tp_cfg().sys_ldap_password) == 0:
                return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码')
            else:
                _password = tp_cfg().sys_ldap_password
            _server = tp_cfg().sys.ldap.server
            _port = tp_cfg().sys.ldap.port
            _admin = tp_cfg().sys.ldap.admin
            _base_dn = tp_cfg().sys.ldap.base_dn
            _filter = tp_cfg().sys.ldap.filter
            _attr_username = tp_cfg().sys.ldap.attr_username
            _attr_surname = tp_cfg().sys.ldap.attr_surname
            _attr_email = tp_cfg().sys.ldap.attr_email
        except:
            return self.write_json(TPE_PARAM)

        try:
            ldap = Ldap(_server, _port, _base_dn)
            ret, data, err_msg = ldap.list_users(_admin, _password, _filter, _attr_username, _attr_surname, _attr_email)

            if ret != TPE_OK:
                return self.write_json(ret, message=err_msg)

            need_import = []
            for u in data:
                h = hashlib.sha1()
                h.update(u.encode())

                dn_hash = h.hexdigest()
                for x in dn_hash_list:
                    if x == dn_hash:
                        _user = data[u]
                        _user['dn'] = u
                        need_import.append(_user)
                        break

            if len(need_import) == 0:
                return self.write_json(ret, message='没有可以导入的LDAP用户')

            return self._do_import(need_import)
        except:
            log.e('')
            return self.write_json(TPE_PARAM)
Example #5
0
    def post(self):
        ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE)
        if ret != TPE_OK:
            return

        args = self.get_argument('args', None)
        if args is None:
            return self.write_json(TPE_PARAM)
        try:
            args = json.loads(args)
        except:
            return self.write_json(TPE_JSON_FORMAT)

        try:
            if len(tp_cfg().sys_ldap_password) == 0:
                return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码')
            else:
                _password = tp_cfg().sys_ldap_password
            _server = tp_cfg().sys.ldap.server
            _port = tp_cfg().sys.ldap.port
            _admin = tp_cfg().sys.ldap.admin
            _base_dn = tp_cfg().sys.ldap.base_dn
            _filter = tp_cfg().sys.ldap.filter
            _attr_username = tp_cfg().sys.ldap.attr_username
            _attr_surname = tp_cfg().sys.ldap.attr_surname
            _attr_email = tp_cfg().sys.ldap.attr_email
        except:
            return self.write_json(TPE_PARAM)

        try:
            ldap = Ldap(_server, _port, _base_dn)
            ret, data, err_msg = ldap.list_users(_admin, _password, _filter, _attr_username, _attr_surname, _attr_email)
            if ret != TPE_OK:
                return self.write_json(ret, message=err_msg)

            exits_users = user.get_users_by_type(TP_USER_TYPE_LDAP)
            bound_users = []
            for u in exits_users:
                h = hashlib.sha1()
                h.update(u['ldap_dn'].encode())
                bound_users.append(h.hexdigest())

            ret_data = []
            for u in data:
                h = hashlib.sha1()
                h.update(u.encode())
                _id = h.hexdigest()
                if _id in bound_users:
                    continue

                _user = data[u]
                _user['id'] = h.hexdigest()
                ret_data.append(_user)
            return self.write_json(ret, data=ret_data)
        except:
            log.e('')
            return self.write_json(TPE_PARAM)
Example #6
0
def login(handler,
          username,
          password=None,
          oath_code=None,
          check_bind_oath=False):
    sys_cfg = tp_cfg().sys
    msg = ''
    current_unix_time = int(time.mktime(datetime.datetime.now().timetuple()))
    #    log.e('current:',current_unix_time,'validfrom:', user_info['valid_from'])

    err, user_info = get_by_username(username)
    if err != TPE_OK:
        return err, None, msg

    if user_info.privilege == 0:
        # 尚未为此用户设置角色
        msg = '登录失败,用户尚未分配权限'
        return TPE_PRIVILEGE, None, msg

    if check_bind_oath and len(user_info['oath_secret']) != 0:
        return TPE_OATH_ALREADY_BIND, None, msg

    if user_info['state'] == TP_STATE_LOCKED:
        # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
        if sys_cfg.login.lock_timeout != 0:
            if tp_timestamp_sec(
            ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
                user_info.fail_count = 0
                user_info.state = TP_STATE_NORMAL
        if user_info['state'] == TP_STATE_LOCKED:
            msg = '登录失败,用户已被临时锁定'
            syslog.sys_log(user_info, handler.request.remote_ip,
                           TPE_USER_LOCKED, msg)
            return TPE_USER_LOCKED, None, msg
    elif user_info['state'] == TP_STATE_DISABLED:
        msg = '登录失败,用户已被禁用'
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
                       msg)
        return TPE_USER_DISABLED, None, msg
    elif user_info['state'] != TP_STATE_NORMAL:
        msg = '登录失败,用户状态异常'
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
        return TPE_FAILED, None, msg
    elif current_unix_time < user_info['valid_from'] or (
            current_unix_time > user_info['valid_to']
            and user_info['valid_to'] != 0):
        msg = '登录失败,用户已过期'
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
        return TPE_FAILED, None, msg

    err_msg = ''
    if password is not None:
        if user_info['type'] == TpUserType.LOCAL:
            # 如果系统配置了密码有效期,则检查用户的密码是否失效
            if sys_cfg.password.timeout != 0:
                _time_now = tp_timestamp_sec()
                if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
                                               60 * 24) < _time_now:
                    msg = '登录失败,用户密码已过期'
                    syslog.sys_log(user_info, handler.request.remote_ip,
                                   TPE_USER_AUTH, msg)
                    return TPE_EXPIRED, None, msg

            if not tp_password_verify(password, user_info['password']):
                err, is_locked = update_fail_count(handler, user_info)
                if is_locked:
                    err_msg = ',用户已被临时锁定'
                msg = '登录失败,密码错误{}'.format(err_msg)
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, msg)
                return TPE_USER_AUTH, None, msg
        elif user_info['type'] == TP_USER_TYPE_LDAP:
            try:
                if len(tp_cfg().sys_ldap_password) == 0:
                    msg = 'LDAP尚未配置'
                    syslog.sys_log(user_info, handler.request.remote_ip,
                                   TPE_USER_AUTH, msg)
                    return TPE_USER_AUTH, None, msg
                else:
                    _ldap_password = tp_cfg().sys_ldap_password
                _ldap_server = tp_cfg().sys.ldap.server
                _ldap_port = tp_cfg().sys.ldap.port
                _ldap_base_dn = tp_cfg().sys.ldap.base_dn
            except:
                msg = 'LDAP尚未正确配置'
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, msg)
                return TPE_USER_AUTH, None, msg

            try:
                ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
                ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
                if ret != TPE_OK:
                    if ret == TPE_USER_AUTH:
                        err, is_locked = update_fail_count(handler, user_info)
                        if is_locked:
                            err_msg = ',用户已被临时锁定'
                        msg = 'LDAP用户验证失败{}'.format(err_msg)
                        syslog.sys_log(user_info, handler.request.remote_ip,
                                       TPE_USER_AUTH, msg)
                        return TPE_USER_AUTH, None, msg
                    else:
                        msg = 'LDAP用户登录失败,{}'.format(err_msg)
                        syslog.sys_log(user_info, handler.request.remote_ip,
                                       TPE_USER_AUTH, msg)
                        return TPE_USER_AUTH, None, msg
            except:
                msg = 'LDAP用户登录失败,发生内部错误'
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, msg)
                return TPE_USER_AUTH, None, msg

        else:
            msg = '登录失败,系统内部错误'
            syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
                           msg)
            return TPE_USER_AUTH, None, msg

    if oath_code is not None:
        # use oath
        if len(user_info['oath_secret']) == 0:
            return TPE_OATH_MISMATCH, None, msg

        if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
            err, is_locked = update_fail_count(handler, user_info)
            if is_locked:
                err_msg = ',用户已被临时锁定!'
            msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg)
            syslog.sys_log(user_info, handler.request.remote_ip,
                           TPE_OATH_MISMATCH, msg)
            return TPE_OATH_MISMATCH, None, msg

    del user_info['password']
    del user_info['oath_secret']

    if len(user_info['surname']) == 0:
        user_info['surname'] = user_info['username']
    return TPE_OK, user_info, msg
Example #7
0
def login(handler,
          username,
          password=None,
          oath_code=None,
          check_bind_oath=False):
    sys_cfg = tp_cfg().sys

    err, user_info = get_by_username(username)
    if err != TPE_OK:
        # if err == TPE_NOT_EXISTS:
        #     syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
        #                    '用户身份验证失败,用户`{}`不存在'.format(username))
        return err, None

    if user_info.privilege == 0:
        # 尚未为此用户设置角色
        return TPE_PRIVILEGE, None

    if check_bind_oath and len(user_info['oath_secret']) != 0:
        return TPE_OATH_ALREADY_BIND, None

    if user_info['state'] == TP_STATE_LOCKED:
        # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
        if sys_cfg.login.lock_timeout != 0:
            if tp_timestamp_utc_now(
            ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
                user_info.fail_count = 0
                user_info.state = TP_STATE_NORMAL
        if user_info['state'] == TP_STATE_LOCKED:
            syslog.sys_log(user_info, handler.request.remote_ip,
                           TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
            return TPE_USER_LOCKED, None
    elif user_info['state'] == TP_STATE_DISABLED:
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
                       '登录失败,用户已被禁用')
        return TPE_USER_DISABLED, None
    elif user_info['state'] != TP_STATE_NORMAL:
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED,
                       '登录失败,用户状态异常')
        return TPE_FAILED, None

    err_msg = ''
    if password is not None:
        if user_info['type'] == TP_USER_TYPE_LOCAL:
            # 如果系统配置了密码有效期,则检查用户的密码是否失效
            if sys_cfg.password.timeout != 0:
                _time_now = tp_timestamp_utc_now()
                if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
                                               60 * 24) < _time_now:
                    syslog.sys_log(user_info, handler.request.remote_ip,
                                   TPE_USER_AUTH, '登录失败,用户密码已过期')
                    return TPE_USER_AUTH, None

            if not tp_password_verify(password, user_info['password']):
                err, is_locked = update_fail_count(handler, user_info)
                if is_locked:
                    err_msg = ',用户已被临时锁定'
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
                return TPE_USER_AUTH, None
        elif user_info['type'] == TP_USER_TYPE_LDAP:
            try:
                if len(tp_cfg().sys_ldap_password) == 0:
                    syslog.sys_log(user_info, handler.request.remote_ip,
                                   TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
                    return TPE_USER_AUTH, None
                else:
                    _ldap_password = tp_cfg().sys_ldap_password
                _ldap_server = tp_cfg().sys.ldap.server
                _ldap_port = tp_cfg().sys.ldap.port
                _ldap_base_dn = tp_cfg().sys.ldap.base_dn
            except:
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, 'LDAP未能正确配置')
                return TPE_USER_AUTH, None

            try:
                ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
                ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
                if ret != TPE_OK:
                    if ret == TPE_USER_AUTH:
                        err, is_locked = update_fail_count(handler, user_info)
                        if is_locked:
                            err_msg = ',用户已被临时锁定'
                        syslog.sys_log(user_info, handler.request.remote_ip,
                                       TPE_USER_AUTH,
                                       'LDAP用户登录失败,密码错误{}'.format(err_msg))
                        return TPE_USER_AUTH, None
                    else:
                        syslog.sys_log(user_info, handler.request.remote_ip,
                                       TPE_USER_AUTH,
                                       'LDAP用户登录失败,{}'.format(err_msg))
                        return TPE_USER_AUTH, None
            except:
                syslog.sys_log(user_info, handler.request.remote_ip,
                               TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
                return TPE_USER_AUTH, None

        else:
            syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
                           '登录失败,系统内部错误')
            return TPE_USER_AUTH, None

    if oath_code is not None:
        # use oath
        if len(user_info['oath_secret']) == 0:
            return TPE_OATH_MISMATCH, None

        if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
            err, is_locked = update_fail_count(handler, user_info)
            if is_locked:
                err_msg = ',用户已被临时锁定!'
            syslog.sys_log(user_info, handler.request.remote_ip,
                           TPE_OATH_MISMATCH,
                           "登录失败,身份验证器动态验证码错误{}".format(err_msg))
            return TPE_OATH_MISMATCH, None

    del user_info['password']
    del user_info['oath_secret']

    if len(user_info['surname']) == 0:
        user_info['surname'] = user_info['username']
    return TPE_OK, user_info
Example #8
0
def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
    sys_cfg = tp_cfg().sys

    err, user_info = get_by_username(username)
    if err != TPE_OK:
        # if err == TPE_NOT_EXISTS:
        #     syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
        #                    '用户身份验证失败,用户`{}`不存在'.format(username))
        return err, None

    if user_info.privilege == 0:
        # 尚未为此用户设置角色
        return TPE_PRIVILEGE, None

    if check_bind_oath and len(user_info['oath_secret']) != 0:
        return TPE_OATH_ALREADY_BIND, None

    if user_info['state'] == TP_STATE_LOCKED:
        # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
        if sys_cfg.login.lock_timeout != 0:
            if tp_timestamp_utc_now() - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
                user_info.fail_count = 0
                user_info.state = TP_STATE_NORMAL
        if user_info['state'] == TP_STATE_LOCKED:
            syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
            return TPE_USER_LOCKED, None
    elif user_info['state'] == TP_STATE_DISABLED:
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用')
        return TPE_USER_DISABLED, None
    elif user_info['state'] != TP_STATE_NORMAL:
        syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常')
        return TPE_FAILED, None

    err_msg = ''
    if password is not None:
        if user_info['type'] == TP_USER_TYPE_LOCAL:
            # 如果系统配置了密码有效期,则检查用户的密码是否失效
            if sys_cfg.password.timeout != 0:
                _time_now = tp_timestamp_utc_now()
                if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now:
                    syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期')
                    return TPE_USER_AUTH, None

            if not tp_password_verify(password, user_info['password']):
                err, is_locked = update_fail_count(handler, user_info)
                if is_locked:
                    err_msg = ',用户已被临时锁定'
                syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
                return TPE_USER_AUTH, None
        elif user_info['type'] == TP_USER_TYPE_LDAP:
            try:
                if len(tp_cfg().sys_ldap_password) == 0:
                    syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
                    return TPE_USER_AUTH, None
                else:
                    _ldap_password = tp_cfg().sys_ldap_password
                _ldap_server = tp_cfg().sys.ldap.server
                _ldap_port = tp_cfg().sys.ldap.port
                _ldap_base_dn = tp_cfg().sys.ldap.base_dn
            except:
                syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置')
                return TPE_USER_AUTH, None

            try:
                ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
                ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
                if ret != TPE_OK:
                    if ret == TPE_USER_AUTH:
                        err, is_locked = update_fail_count(handler, user_info)
                        if is_locked:
                            err_msg = ',用户已被临时锁定'
                        syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
                                       'LDAP用户登录失败,密码错误{}'.format(err_msg))
                        return TPE_USER_AUTH, None
                    else:
                        syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
                                       'LDAP用户登录失败,{}'.format(err_msg))
                        return TPE_USER_AUTH, None
            except:
                syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
                return TPE_USER_AUTH, None

        else:
            syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误')
            return TPE_USER_AUTH, None

    if oath_code is not None:
        # use oath
        if len(user_info['oath_secret']) == 0:
            return TPE_OATH_MISMATCH, None

        if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
            err, is_locked = update_fail_count(handler, user_info)
            if is_locked:
                err_msg = ',用户已被临时锁定!'
            syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH,
                           "登录失败,身份验证器动态验证码错误{}".format(err_msg))
            return TPE_OATH_MISMATCH, None

    del user_info['password']
    del user_info['oath_secret']

    if len(user_info['surname']) == 0:
        user_info['surname'] = user_info['username']
    return TPE_OK, user_info