def post(self): ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE) if ret != TPE_OK: return args = self.get_argument('args', None) if args is None: return self.write_json(TPE_PARAM) try: args = json.loads(args) except: return self.write_json(TPE_JSON_FORMAT) try: cfg = args['ldap'] cfg['port'] = int(cfg['port']) if len(cfg['password']) == 0: if len(tp_cfg().sys_ldap_password) == 0: return self.write_json(TPE_PARAM, message='需要设置LDAP管理员密码') else: cfg['password'] = tp_cfg().sys_ldap_password except: return self.write_json(TPE_PARAM) try: ldap = Ldap(cfg['server'], cfg['port'], cfg['base_dn']) ret, data, err_msg = ldap.get_all_attr(cfg['admin'], cfg['password'], cfg['filter']) if ret != TPE_OK: return self.write_json(ret, message=err_msg) else: return self.write_json(ret, data=data) except: log.e('') return self.write_json(TPE_PARAM)
def post(self): ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE) if ret != TPE_OK: return args = self.get_argument('args', None) if args is None: return self.write_json(TPE_PARAM) try: args = json.loads(args) except: return self.write_json(TPE_JSON_FORMAT) try: dn_hash_list = args['ldap_users'] if len(tp_cfg().sys_ldap_password) == 0: return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码') else: _password = tp_cfg().sys_ldap_password _server = tp_cfg().sys.ldap.server _port = tp_cfg().sys.ldap.port _admin = tp_cfg().sys.ldap.admin _base_dn = tp_cfg().sys.ldap.base_dn _filter = tp_cfg().sys.ldap.filter _attr_username = tp_cfg().sys.ldap.attr_username _attr_surname = tp_cfg().sys.ldap.attr_surname _attr_email = tp_cfg().sys.ldap.attr_email except: return self.write_json(TPE_PARAM) try: ldap = Ldap(_server, _port, _base_dn) ret, data, err_msg = ldap.list_users(_admin, _password, _filter, _attr_username, _attr_surname, _attr_email) if ret != TPE_OK: return self.write_json(ret, message=err_msg) need_import = [] for u in data: h = hashlib.sha1() h.update(u.encode()) dn_hash = h.hexdigest() for x in dn_hash_list: if x == dn_hash: _user = data[u] _user['dn'] = u need_import.append(_user) break if len(need_import) == 0: return self.write_json(ret, message='没有可以导入的LDAP用户') return self._do_import(need_import) except: log.e('') return self.write_json(TPE_PARAM)
def post(self): ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE) if ret != TPE_OK: return args = self.get_argument('args', None) if args is None: return self.write_json(TPE_PARAM) try: args = json.loads(args) except: return self.write_json(TPE_JSON_FORMAT) try: if len(tp_cfg().sys_ldap_password) == 0: return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码') else: _password = tp_cfg().sys_ldap_password _server = tp_cfg().sys.ldap.server _port = tp_cfg().sys.ldap.port _admin = tp_cfg().sys.ldap.admin _base_dn = tp_cfg().sys.ldap.base_dn _filter = tp_cfg().sys.ldap.filter _attr_username = tp_cfg().sys.ldap.attr_username _attr_surname = tp_cfg().sys.ldap.attr_surname _attr_email = tp_cfg().sys.ldap.attr_email except: return self.write_json(TPE_PARAM) try: ldap = Ldap(_server, _port, _base_dn) ret, data, err_msg = ldap.list_users(_admin, _password, _filter, _attr_username, _attr_surname, _attr_email) if ret != TPE_OK: return self.write_json(ret, message=err_msg) exists_users = user.get_users_by_type(TP_USER_TYPE_LDAP) bound_users = [] if exists_users is not None: for u in exists_users: h = hashlib.sha1() h.update(u['ldap_dn'].encode()) bound_users.append(h.hexdigest()) ret_data = [] for u in data: h = hashlib.sha1() h.update(u.encode()) _id = h.hexdigest() if _id in bound_users: continue _user = data[u] _user['id'] = h.hexdigest() ret_data.append(_user) return self.write_json(ret, data=ret_data) except: log.e('') return self.write_json(TPE_PARAM)
def post(self): ret = self.check_privilege(TP_PRIVILEGE_USER_CREATE) if ret != TPE_OK: return args = self.get_argument('args', None) if args is None: return self.write_json(TPE_PARAM) try: args = json.loads(args) except: return self.write_json(TPE_JSON_FORMAT) try: if len(tp_cfg().sys_ldap_password) == 0: return self.write_json(TPE_PARAM, message='LDAP未能正确配置,需要管理员密码') else: _password = tp_cfg().sys_ldap_password _server = tp_cfg().sys.ldap.server _port = tp_cfg().sys.ldap.port _admin = tp_cfg().sys.ldap.admin _base_dn = tp_cfg().sys.ldap.base_dn _filter = tp_cfg().sys.ldap.filter _attr_username = tp_cfg().sys.ldap.attr_username _attr_surname = tp_cfg().sys.ldap.attr_surname _attr_email = tp_cfg().sys.ldap.attr_email except: return self.write_json(TPE_PARAM) try: ldap = Ldap(_server, _port, _base_dn) ret, data, err_msg = ldap.list_users(_admin, _password, _filter, _attr_username, _attr_surname, _attr_email) if ret != TPE_OK: return self.write_json(ret, message=err_msg) exits_users = user.get_users_by_type(TP_USER_TYPE_LDAP) bound_users = [] for u in exits_users: h = hashlib.sha1() h.update(u['ldap_dn'].encode()) bound_users.append(h.hexdigest()) ret_data = [] for u in data: h = hashlib.sha1() h.update(u.encode()) _id = h.hexdigest() if _id in bound_users: continue _user = data[u] _user['id'] = h.hexdigest() ret_data.append(_user) return self.write_json(ret, data=ret_data) except: log.e('') return self.write_json(TPE_PARAM)
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys msg = '' current_unix_time = int(time.mktime(datetime.datetime.now().timetuple())) # log.e('current:',current_unix_time,'validfrom:', user_info['valid_from']) err, user_info = get_by_username(username) if err != TPE_OK: return err, None, msg if user_info.privilege == 0: # 尚未为此用户设置角色 msg = '登录失败,用户尚未分配权限' return TPE_PRIVILEGE, None, msg if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None, msg if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_sec( ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: msg = '登录失败,用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, msg) return TPE_USER_LOCKED, None, msg elif user_info['state'] == TP_STATE_DISABLED: msg = '登录失败,用户已被禁用' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, msg) return TPE_USER_DISABLED, None, msg elif user_info['state'] != TP_STATE_NORMAL: msg = '登录失败,用户状态异常' syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg) return TPE_FAILED, None, msg elif current_unix_time < user_info['valid_from'] or ( current_unix_time > user_info['valid_to'] and user_info['valid_to'] != 0): msg = '登录失败,用户已过期' syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg) return TPE_FAILED, None, msg err_msg = '' if password is not None: if user_info['type'] == TpUserType.LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_sec() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: msg = '登录失败,用户密码已过期' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_EXPIRED, None, msg if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' msg = '登录失败,密码错误{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: msg = 'LDAP尚未配置' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: msg = 'LDAP尚未正确配置' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' msg = 'LDAP用户验证失败{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: msg = 'LDAP用户登录失败,{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg except: msg = 'LDAP用户登录失败,发生内部错误' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: msg = '登录失败,系统内部错误' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None, msg if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, msg) return TPE_OATH_MISMATCH, None, msg del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info, msg
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) if err != TPE_OK: # if err == TPE_NOT_EXISTS: # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, # '用户身份验证失败,用户`{}`不存在'.format(username)) return err, None if user_info.privilege == 0: # 尚未为此用户设置角色 return TPE_PRIVILEGE, None if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_utc_now( ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') return TPE_USER_LOCKED, None elif user_info['state'] == TP_STATE_DISABLED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') return TPE_USER_DISABLED, None elif user_info['state'] != TP_STATE_NORMAL: syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') return TPE_FAILED, None err_msg = '' if password is not None: if user_info['type'] == TP_USER_TYPE_LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_utc_now() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期') return TPE_USER_AUTH, None if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码') return TPE_USER_AUTH, None else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置') return TPE_USER_AUTH, None try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,{}'.format(err_msg)) return TPE_USER_AUTH, None except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误') return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误') return TPE_USER_AUTH, None if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, "登录失败,身份验证器动态验证码错误{}".format(err_msg)) return TPE_OATH_MISMATCH, None del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) if err != TPE_OK: # if err == TPE_NOT_EXISTS: # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, # '用户身份验证失败,用户`{}`不存在'.format(username)) return err, None if user_info.privilege == 0: # 尚未为此用户设置角色 return TPE_PRIVILEGE, None if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_utc_now() - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') return TPE_USER_LOCKED, None elif user_info['state'] == TP_STATE_DISABLED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') return TPE_USER_DISABLED, None elif user_info['state'] != TP_STATE_NORMAL: syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') return TPE_FAILED, None err_msg = '' if password is not None: if user_info['type'] == TP_USER_TYPE_LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_utc_now() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期') return TPE_USER_AUTH, None if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码') return TPE_USER_AUTH, None else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置') return TPE_USER_AUTH, None try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,{}'.format(err_msg)) return TPE_USER_AUTH, None except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误') return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误') return TPE_USER_AUTH, None if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, "登录失败,身份验证器动态验证码错误{}".format(err_msg)) return TPE_OATH_MISMATCH, None del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info