def post(self, *args, **kwargs):
auth_key = self.get_argument('auth_key', '')
meth = self.get_argument('meth', '')
uri = self.get_argument('uri', '')
authtoken = AuthToken()
user_info = authtoken.encode_auth_token(auth_key)
user_id = user_info.get('user_id', '')
my_verify = MyVerify(user_id)
if user_id:
if my_verify.get_verify(meth, uri) == 0:
self.write(dict(status=0, msg='鉴权成功'))
else:
self.write(dict(status=-1, msg='没有权限'))
def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
user_id = data.get('user_id', None)
secret_key = data.get('secret_key', None)
if secret_key != my_settings.get('secret_key'):
return self.write(dict(code=-1, msg='secret key error'))
if not user_id:
return self.write(dict(code=-2, msg='auth failed'))
else:
my_verify = MyVerify(str(user_id))
my_verify.write_verify()
return self.write(dict(code=0, msg='缓存成功'))
def inner(self, *args, **kwargs):
###
ticket = self.get_argument('ticket', None)
za_server_url = app_settings.get('za_server_url', '')
za_sso_validate = app_settings.get('za_sso_validate', '')
za_sso_login = app_settings.get('za_sso_login', '')
authtoken = AuthToken()
if ticket:
'''如果带返回值就去获取用户信息'''
validate_args = {'service': za_server_url, 'ticket': ticket}
v = requests.get(za_sso_validate, params=validate_args)
user_info = json.loads(v.text)
username = user_info.get('username', '')
username = '******'
user_id = str(user_info.get('user_id', '2'))
self.set_secure_cookie("username", username)
self.set_secure_cookie("user_id", user_id)
### 生成生成token 并且写入cookie
new_token = authtoken.encode_auth_token(user_id, username)
self.set_cookie('auth_key', new_token, expires_days=1)
with DBContext('readonly') as session:
u = session.query(
Users.username).filter(Users.username == username).first()
'''查询数据库是否用当前用户'''
if u:
''' 如果有 获取当前用户权限,并写入redis缓存起来'''
my_verify = MyVerify(user_id)
my_verify.write_verify()
else:
'''如果没有则把用户信息导入'''
'''跳转完善信息页面,并且告知必须加入权限才能访问'''
pass
### 如果没有则把用户信息导入
### 跳转完善信息页面,并且告知必须加入权限才能访问
auth_key = self.get_cookie('auth_key')
if not auth_key:
'''没登录,就让跳到登陆页面'''
sso_login_url = za_sso_login + '?service=' + za_server_url + '&target=' + za_server_url
self.redirect(sso_login_url)
return
else:
user_info = authtoken.decode_auth_token(auth_key)
### 权限鉴定
my_verify = MyVerify(user_id)
print(my_verify.get_verify(self.request.method, self.request.uri))
if my_verify.get_verify(self.request.method, self.request.uri) != 0:
### 没权限,就跳转提示没有权限页面权限页面
print('没有权限')
# self.redirect('')
return
# 执行post方法或get方法
func(self, *args, **kwargs)
def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
username = data.get('username', None)
password = data.get('password', None)
if not username or not password:
self.write(dict(status=-1, msg='账号密码不能为空'))
return
password_md5 = gen_md5(password)
with DBContext('readonly') as session:
user_info = session.query(Users).filter(
Users.username == username, Users.password == password_md5,
Users.status != '10').first()
if not user_info:
self.write(dict(status=-2, msg='账号密码错误'))
return
if user_info.status != '0':
self.write(dict(status=-3, msg='账号被禁用'))
return
user_id = str(user_info.user_id)
### 生成token 并写入cookie
token_info = dict(user_id=user_id,
username=user_info.username,
nickname=user_info.nickname)
authtoken = AuthToken()
auth_key = authtoken.encode_auth_token(**token_info)
with DBContext('default') as session:
session.query(Users).filter(Users.username == username).update(
{Users.last_ip: self.request.headers.get("X-Real-Ip", "")})
session.commit()
self.set_secure_cookie("username", username)
self.set_cookie('enable_nickname',
base64.b64encode(user_info.nickname.encode('utf-8')))
self.set_secure_cookie("nickname", user_info.nickname)
self.set_cookie('auth_key', auth_key, expires_days=1)
### 权限写入缓存
my_verify = MyVerify(user_id)
my_verify.write_verify()
self.write(dict(status=0, msg='登录成功'))
def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
username = data.get('username', None)
password = data.get('password', None)
dynamic = data.get('dynamic', None)
if not username or not password: return self.write(dict(code=-1, msg='账号密码不能为空'))
redis_conn = cache_conn()
configs_init('all')
if is_mail(username):
login_mail = redis_conn.hget(const.APP_SETTINGS, const.EMAILLOGIN_DOMAIN)
if login_mail:
if is_mail(username, login_mail.decode('utf-8')):
email = username
username = email.split("@")[0]
email_server = redis_conn.hget(const.APP_SETTINGS, const.EMAILLOGIN_SERVER).decode('utf-8')
if not email_server:
return self.write(dict(code=-9, msg='请配置邮箱服务的SMTP服务地址'))
if not mail_login(email, password, email_server):
return self.write(dict(code=-2, msg='邮箱登陆认证失败'))
with DBContext('r') as session:
user_info = session.query(Users).filter(Users.email == email, Users.username == username,
Users.status != '10').first()
if not user_info:
return self.write(dict(code=-3, msg='邮箱认证通过,请根据邮箱完善用户信息', username=username, email=email))
else:
with DBContext('r') as session:
user_info = session.query(Users).filter(Users.username == username, Users.password == gen_md5(password),
Users.status != '10').first()
if not user_info:
# redis_conn = cache_conn()
# configs_init('all')
ldap_login = redis_conn.hget(const.APP_SETTINGS, const.LDAP_ENABLE)
ldap_login = convert(ldap_login)
if ldap_login != '1':
return self.write(dict(code=-4, msg='账号密码错误'))
### 如果开启了LDAP认证 则进行LDAP认证
else:
####
config_info = redis_conn.hgetall(const.APP_SETTINGS)
config_info = convert(config_info)
ldap_ssl = True if config_info.get(const.LDAP_USE_SSL) == '1' else False
obj = LdapApi(config_info.get(const.LDAP_SERVER_HOST), config_info.get(const.LDAP_ADMIN_DN),
config_info.get(const.LDAP_ADMIN_PASSWORD),
int(config_info.get(const.LDAP_SERVER_PORT, 389)),
ldap_ssl)
ldap_pass_info = obj.ldap_auth(username, password, config_info.get(const.LDAP_SEARCH_BASE),
config_info.get(const.LDAP_SEARCH_FILTER))
if ldap_pass_info[0]:
with DBContext('r') as session:
if not ldap_pass_info[2]:
return self.write(dict(code=-11, msg='LDAP认证成功,但是没有找到用户邮箱,请完善!'))
else:
user_info = session.query(Users).filter(Users.email == ldap_pass_info[2],
Users.username == username,
Users.status != '10').first()
if not user_info:
return self.write(dict(code=-3, msg='LDAP认证通过,完善用户信息', username=ldap_pass_info[1],
email=ldap_pass_info[2]))
else:
return self.write(dict(code=-4, msg='账号密码错误'))
if 'user_info' not in dir():
return self.write(dict(code=-4, msg='账号异常'))
if user_info.status != '0':
return self.write(dict(code=-4, msg='账号被禁用'))
is_superuser = True if user_info.superuser == '0' else False
### 如果被标记为必须动态验证切没有输入动态密钥,则跳转到二维码添加密钥的地方
### 默认为 True, False 则全局禁用MFA
mfa_global = False if convert(redis_conn.hget(const.APP_SETTINGS, const.MFA_GLOBAL)) == '1' else True
if mfa_global and user_info.google_key:
if not dynamic:
### 第一次不带MFA的认证
return self.write(dict(code=1, msg='跳转二次认证'))
else:
### 二次认证
t_otp = pyotp.TOTP(user_info.google_key)
if t_otp.now() != str(dynamic):
return self.write(dict(code=-5, msg='MFA错误'))
user_id = str(user_info.user_id)
### 生成token 并写入cookie
token_exp_hours = redis_conn.hget(const.APP_SETTINGS, const.TOKEN_EXP_TIME)
if token_exp_hours and convert(token_exp_hours):
token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname,
email=user_info.email, is_superuser=is_superuser, exp_hours=token_exp_hours)
else:
token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname,
email=user_info.email, is_superuser=is_superuser)
auth_token = AuthToken()
auth_key = auth_token.encode_auth_token_v2(**token_info)
login_ip_list = self.request.headers.get("X-Forwarded-For")
if login_ip_list:
login_ip = login_ip_list.split(",")[0]
with DBContext('w', None, True) as session:
session.query(Users).filter(Users.user_id == user_id).update({Users.last_ip: login_ip})
session.commit()
self.set_secure_cookie("nickname", user_info.nickname)
self.set_secure_cookie("username", user_info.username)
self.set_secure_cookie("user_id", str(user_info.user_id))
self.set_cookie('auth_key', auth_key, expires_days=1)
### 后端权限写入缓存
my_verify = MyVerify(user_id, is_superuser)
my_verify.write_verify()
### 前端权限写入缓存
# get_user_rules(user_id, is_superuser)
return self.write(dict(code=0, auth_key=auth_key.decode(), username=user_info.username,
nickname=user_info.nickname, msg='登录成功'))
def inner(self, *args, **kwargs):
auth_key = self.get_cookie('auth_key', None)
if not auth_key:
# 没登录,就让跳到登陆页面
raise HTTPError(401, 'auth failed')
else:
authtoken = AuthToken()
user_info = authtoken.decode_auth_token(auth_key)
user_id = user_info.get('user_id', None)
username = user_info.get('username', None)
nickname = user_info.get('nickname', None)
if not user_id:
raise HTTPError(401, 'auth failed')
else:
user_id = str(user_id)
self.set_secure_cookie("user_id", user_id)
self.set_cookie('enable_nickname',
base64.b64encode(nickname.encode('utf-8')))
self.set_secure_cookie("nickname", nickname)
self.set_secure_cookie("username", username)
my_verify = MyVerify(user_id)
### 防止明文cookie被篡改
enable_nickname = base64.b64decode(
self.get_cookie('enable_nickname')).decode('utf-8')
if self.get_secure_cookie("nickname").decode(
'utf-8') != enable_nickname:
raise HTTPError(403, 'cookie error!')
### 如果不是超级管理员,开始鉴权
if not self.is_superuser():
# 没权限,就让跳到权限页面 0代表有权限,1代表没权限
if my_verify.get_verify(self.request.method,
self.request.uri) != 0:
'''如果没有权限,就刷新一次权限'''
my_verify.write_verify()
if my_verify.get_verify(self.request.method,
self.request.uri) == 0:
raise HTTPError(403, 'request forbidden!')
### 写入日志
if self.request.method != 'GET':
try:
data = json.loads(self.request.body.decode("utf-8"))
except Exception as e:
pass
with DBContext('default') as session:
session.add(
OperationRecord(username=username,
nickname=nickname,
method=self.request.method,
uri=self.request.uri,
data=str(data)))
session.commit()
func(self, *args, **kwargs)
def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
username = data.get('username', None)
password = data.get('password', None)
dynamic = data.get('dynamic', None)
next_url = data.get('next_url', None)
if not username or not password:
return self.write(dict(code=-1, msg='账号密码不能为空'))
if is_mail(username):
redis_conn = cache_conn()
configs_init('all')
login_mail = redis_conn.hget(const.APP_SETTINGS,
const.EMAILLOGIN_DOMAIN)
if login_mail:
if is_mail(username, login_mail.decode('utf-8')):
email = username
username = email.split("@")[0]
email_server = redis_conn.hget(
const.APP_SETTINGS,
const.EMAILLOGIN_SERVER).decode('utf-8')
if not email_server:
return self.write(dict(code=-9,
msg='请配置邮箱服务的SMTP服务地址'))
if not mail_login(email, password, email_server):
return self.write(dict(code=-2, msg='邮箱登陆认证失败'))
with DBContext('r') as session:
user_info = session.query(Users).filter(
Users.email == email, Users.username == username,
Users.status != '10').first()
if not user_info:
return self.write(
dict(code=-3,
msg='邮箱认证通过,请根据邮箱完善用户信息',
email=email))
else:
with DBContext('r') as session:
user_info = session.query(Users).filter(
Users.username == username,
Users.password == gen_md5(password),
Users.status != '10').first()
if not user_info:
return self.write(dict(code=-4, msg='账号密码错误'))
if user_info.status != '0':
return self.write(dict(code=-4, msg='账号被禁用'))
if user_info.superuser == '0':
is_superuser = True
else:
is_superuser = False
### 如果被标记为必须动态验证切没有输入动态密钥,则跳转到二维码添加密钥的地方
if user_info.google_key:
totp = pyotp.TOTP(user_info.google_key)
if dynamic:
if totp.now() != str(dynamic):
return self.write(dict(code=-5, msg='MFA错误'))
else:
return self.write(dict(code=-8, msg='请输入MFA'))
user_id = str(user_info.user_id)
### 生成token 并写入cookie
token_info = dict(user_id=user_id,
username=user_info.username,
nickname=user_info.nickname,
is_superuser=is_superuser)
auth_token = AuthToken()
auth_key = auth_token.encode_auth_token(**token_info)
login_ip_list = self.request.headers.get("X-Forwarded-For")
if login_ip_list:
login_ip = login_ip_list.split(",")[0]
with DBContext('w', None, True) as session:
session.query(Users).filter(Users.user_id == user_id).update(
{Users.last_ip: login_ip})
self.set_secure_cookie("nickname", user_info.nickname)
self.set_secure_cookie("username", user_info.username)
self.set_secure_cookie("user_id", str(user_info.user_id))
self.set_cookie('auth_key', auth_key, expires_days=1)
### 后端权限写入缓存
my_verify = MyVerify(user_id)
my_verify.write_verify()
### 前端权限写入缓存
get_user_rules(user_id)
return self.write(
dict(code=0,
auth_key=auth_key.decode(encoding="utf-8"),
username=user_info.username,
nickname=user_info.nickname,
next_url=next_url,
msg='登录成功'))