def post(self, *args, **kwargs): auth_key = self.get_argument('auth_key', '') meth = self.get_argument('meth', '') uri = self.get_argument('uri', '') authtoken = AuthToken() user_info = authtoken.encode_auth_token(auth_key) user_id = user_info.get('user_id', '') my_verify = MyVerify(user_id) if user_id: if my_verify.get_verify(meth, uri) == 0: self.write(dict(status=0, msg='鉴权成功')) else: self.write(dict(status=-1, msg='没有权限'))
def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) user_id = data.get('user_id', None) secret_key = data.get('secret_key', None) if secret_key != my_settings.get('secret_key'): return self.write(dict(code=-1, msg='secret key error')) if not user_id: return self.write(dict(code=-2, msg='auth failed')) else: my_verify = MyVerify(str(user_id)) my_verify.write_verify() return self.write(dict(code=0, msg='缓存成功'))
def inner(self, *args, **kwargs): ### ticket = self.get_argument('ticket', None) za_server_url = app_settings.get('za_server_url', '') za_sso_validate = app_settings.get('za_sso_validate', '') za_sso_login = app_settings.get('za_sso_login', '') authtoken = AuthToken() if ticket: '''如果带返回值就去获取用户信息''' validate_args = {'service': za_server_url, 'ticket': ticket} v = requests.get(za_sso_validate, params=validate_args) user_info = json.loads(v.text) username = user_info.get('username', '') username = '******' user_id = str(user_info.get('user_id', '2')) self.set_secure_cookie("username", username) self.set_secure_cookie("user_id", user_id) ### 生成生成token 并且写入cookie new_token = authtoken.encode_auth_token(user_id, username) self.set_cookie('auth_key', new_token, expires_days=1) with DBContext('readonly') as session: u = session.query( Users.username).filter(Users.username == username).first() '''查询数据库是否用当前用户''' if u: ''' 如果有 获取当前用户权限,并写入redis缓存起来''' my_verify = MyVerify(user_id) my_verify.write_verify() else: '''如果没有则把用户信息导入''' '''跳转完善信息页面,并且告知必须加入权限才能访问''' pass ### 如果没有则把用户信息导入 ### 跳转完善信息页面,并且告知必须加入权限才能访问 auth_key = self.get_cookie('auth_key') if not auth_key: '''没登录,就让跳到登陆页面''' sso_login_url = za_sso_login + '?service=' + za_server_url + '&target=' + za_server_url self.redirect(sso_login_url) return else: user_info = authtoken.decode_auth_token(auth_key) ### 权限鉴定 my_verify = MyVerify(user_id) print(my_verify.get_verify(self.request.method, self.request.uri)) if my_verify.get_verify(self.request.method, self.request.uri) != 0: ### 没权限,就跳转提示没有权限页面权限页面 print('没有权限') # self.redirect('') return # 执行post方法或get方法 func(self, *args, **kwargs)
def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) username = data.get('username', None) password = data.get('password', None) if not username or not password: self.write(dict(status=-1, msg='账号密码不能为空')) return password_md5 = gen_md5(password) with DBContext('readonly') as session: user_info = session.query(Users).filter( Users.username == username, Users.password == password_md5, Users.status != '10').first() if not user_info: self.write(dict(status=-2, msg='账号密码错误')) return if user_info.status != '0': self.write(dict(status=-3, msg='账号被禁用')) return user_id = str(user_info.user_id) ### 生成token 并写入cookie token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname) authtoken = AuthToken() auth_key = authtoken.encode_auth_token(**token_info) with DBContext('default') as session: session.query(Users).filter(Users.username == username).update( {Users.last_ip: self.request.headers.get("X-Real-Ip", "")}) session.commit() self.set_secure_cookie("username", username) self.set_cookie('enable_nickname', base64.b64encode(user_info.nickname.encode('utf-8'))) self.set_secure_cookie("nickname", user_info.nickname) self.set_cookie('auth_key', auth_key, expires_days=1) ### 权限写入缓存 my_verify = MyVerify(user_id) my_verify.write_verify() self.write(dict(status=0, msg='登录成功'))
def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) username = data.get('username', None) password = data.get('password', None) dynamic = data.get('dynamic', None) if not username or not password: return self.write(dict(code=-1, msg='账号密码不能为空')) redis_conn = cache_conn() configs_init('all') if is_mail(username): login_mail = redis_conn.hget(const.APP_SETTINGS, const.EMAILLOGIN_DOMAIN) if login_mail: if is_mail(username, login_mail.decode('utf-8')): email = username username = email.split("@")[0] email_server = redis_conn.hget(const.APP_SETTINGS, const.EMAILLOGIN_SERVER).decode('utf-8') if not email_server: return self.write(dict(code=-9, msg='请配置邮箱服务的SMTP服务地址')) if not mail_login(email, password, email_server): return self.write(dict(code=-2, msg='邮箱登陆认证失败')) with DBContext('r') as session: user_info = session.query(Users).filter(Users.email == email, Users.username == username, Users.status != '10').first() if not user_info: return self.write(dict(code=-3, msg='邮箱认证通过,请根据邮箱完善用户信息', username=username, email=email)) else: with DBContext('r') as session: user_info = session.query(Users).filter(Users.username == username, Users.password == gen_md5(password), Users.status != '10').first() if not user_info: # redis_conn = cache_conn() # configs_init('all') ldap_login = redis_conn.hget(const.APP_SETTINGS, const.LDAP_ENABLE) ldap_login = convert(ldap_login) if ldap_login != '1': return self.write(dict(code=-4, msg='账号密码错误')) ### 如果开启了LDAP认证 则进行LDAP认证 else: #### config_info = redis_conn.hgetall(const.APP_SETTINGS) config_info = convert(config_info) ldap_ssl = True if config_info.get(const.LDAP_USE_SSL) == '1' else False obj = LdapApi(config_info.get(const.LDAP_SERVER_HOST), config_info.get(const.LDAP_ADMIN_DN), config_info.get(const.LDAP_ADMIN_PASSWORD), int(config_info.get(const.LDAP_SERVER_PORT, 389)), ldap_ssl) ldap_pass_info = obj.ldap_auth(username, password, config_info.get(const.LDAP_SEARCH_BASE), config_info.get(const.LDAP_SEARCH_FILTER)) if ldap_pass_info[0]: with DBContext('r') as session: if not ldap_pass_info[2]: return self.write(dict(code=-11, msg='LDAP认证成功,但是没有找到用户邮箱,请完善!')) else: user_info = session.query(Users).filter(Users.email == ldap_pass_info[2], Users.username == username, Users.status != '10').first() if not user_info: return self.write(dict(code=-3, msg='LDAP认证通过,完善用户信息', username=ldap_pass_info[1], email=ldap_pass_info[2])) else: return self.write(dict(code=-4, msg='账号密码错误')) if 'user_info' not in dir(): return self.write(dict(code=-4, msg='账号异常')) if user_info.status != '0': return self.write(dict(code=-4, msg='账号被禁用')) is_superuser = True if user_info.superuser == '0' else False ### 如果被标记为必须动态验证切没有输入动态密钥,则跳转到二维码添加密钥的地方 ### 默认为 True, False 则全局禁用MFA mfa_global = False if convert(redis_conn.hget(const.APP_SETTINGS, const.MFA_GLOBAL)) == '1' else True if mfa_global and user_info.google_key: if not dynamic: ### 第一次不带MFA的认证 return self.write(dict(code=1, msg='跳转二次认证')) else: ### 二次认证 t_otp = pyotp.TOTP(user_info.google_key) if t_otp.now() != str(dynamic): return self.write(dict(code=-5, msg='MFA错误')) user_id = str(user_info.user_id) ### 生成token 并写入cookie token_exp_hours = redis_conn.hget(const.APP_SETTINGS, const.TOKEN_EXP_TIME) if token_exp_hours and convert(token_exp_hours): token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname, email=user_info.email, is_superuser=is_superuser, exp_hours=token_exp_hours) else: token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname, email=user_info.email, is_superuser=is_superuser) auth_token = AuthToken() auth_key = auth_token.encode_auth_token_v2(**token_info) login_ip_list = self.request.headers.get("X-Forwarded-For") if login_ip_list: login_ip = login_ip_list.split(",")[0] with DBContext('w', None, True) as session: session.query(Users).filter(Users.user_id == user_id).update({Users.last_ip: login_ip}) session.commit() self.set_secure_cookie("nickname", user_info.nickname) self.set_secure_cookie("username", user_info.username) self.set_secure_cookie("user_id", str(user_info.user_id)) self.set_cookie('auth_key', auth_key, expires_days=1) ### 后端权限写入缓存 my_verify = MyVerify(user_id, is_superuser) my_verify.write_verify() ### 前端权限写入缓存 # get_user_rules(user_id, is_superuser) return self.write(dict(code=0, auth_key=auth_key.decode(), username=user_info.username, nickname=user_info.nickname, msg='登录成功'))
def inner(self, *args, **kwargs): auth_key = self.get_cookie('auth_key', None) if not auth_key: # 没登录,就让跳到登陆页面 raise HTTPError(401, 'auth failed') else: authtoken = AuthToken() user_info = authtoken.decode_auth_token(auth_key) user_id = user_info.get('user_id', None) username = user_info.get('username', None) nickname = user_info.get('nickname', None) if not user_id: raise HTTPError(401, 'auth failed') else: user_id = str(user_id) self.set_secure_cookie("user_id", user_id) self.set_cookie('enable_nickname', base64.b64encode(nickname.encode('utf-8'))) self.set_secure_cookie("nickname", nickname) self.set_secure_cookie("username", username) my_verify = MyVerify(user_id) ### 防止明文cookie被篡改 enable_nickname = base64.b64decode( self.get_cookie('enable_nickname')).decode('utf-8') if self.get_secure_cookie("nickname").decode( 'utf-8') != enable_nickname: raise HTTPError(403, 'cookie error!') ### 如果不是超级管理员,开始鉴权 if not self.is_superuser(): # 没权限,就让跳到权限页面 0代表有权限,1代表没权限 if my_verify.get_verify(self.request.method, self.request.uri) != 0: '''如果没有权限,就刷新一次权限''' my_verify.write_verify() if my_verify.get_verify(self.request.method, self.request.uri) == 0: raise HTTPError(403, 'request forbidden!') ### 写入日志 if self.request.method != 'GET': try: data = json.loads(self.request.body.decode("utf-8")) except Exception as e: pass with DBContext('default') as session: session.add( OperationRecord(username=username, nickname=nickname, method=self.request.method, uri=self.request.uri, data=str(data))) session.commit() func(self, *args, **kwargs)
def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) username = data.get('username', None) password = data.get('password', None) dynamic = data.get('dynamic', None) next_url = data.get('next_url', None) if not username or not password: return self.write(dict(code=-1, msg='账号密码不能为空')) if is_mail(username): redis_conn = cache_conn() configs_init('all') login_mail = redis_conn.hget(const.APP_SETTINGS, const.EMAILLOGIN_DOMAIN) if login_mail: if is_mail(username, login_mail.decode('utf-8')): email = username username = email.split("@")[0] email_server = redis_conn.hget( const.APP_SETTINGS, const.EMAILLOGIN_SERVER).decode('utf-8') if not email_server: return self.write(dict(code=-9, msg='请配置邮箱服务的SMTP服务地址')) if not mail_login(email, password, email_server): return self.write(dict(code=-2, msg='邮箱登陆认证失败')) with DBContext('r') as session: user_info = session.query(Users).filter( Users.email == email, Users.username == username, Users.status != '10').first() if not user_info: return self.write( dict(code=-3, msg='邮箱认证通过,请根据邮箱完善用户信息', email=email)) else: with DBContext('r') as session: user_info = session.query(Users).filter( Users.username == username, Users.password == gen_md5(password), Users.status != '10').first() if not user_info: return self.write(dict(code=-4, msg='账号密码错误')) if user_info.status != '0': return self.write(dict(code=-4, msg='账号被禁用')) if user_info.superuser == '0': is_superuser = True else: is_superuser = False ### 如果被标记为必须动态验证切没有输入动态密钥,则跳转到二维码添加密钥的地方 if user_info.google_key: totp = pyotp.TOTP(user_info.google_key) if dynamic: if totp.now() != str(dynamic): return self.write(dict(code=-5, msg='MFA错误')) else: return self.write(dict(code=-8, msg='请输入MFA')) user_id = str(user_info.user_id) ### 生成token 并写入cookie token_info = dict(user_id=user_id, username=user_info.username, nickname=user_info.nickname, is_superuser=is_superuser) auth_token = AuthToken() auth_key = auth_token.encode_auth_token(**token_info) login_ip_list = self.request.headers.get("X-Forwarded-For") if login_ip_list: login_ip = login_ip_list.split(",")[0] with DBContext('w', None, True) as session: session.query(Users).filter(Users.user_id == user_id).update( {Users.last_ip: login_ip}) self.set_secure_cookie("nickname", user_info.nickname) self.set_secure_cookie("username", user_info.username) self.set_secure_cookie("user_id", str(user_info.user_id)) self.set_cookie('auth_key', auth_key, expires_days=1) ### 后端权限写入缓存 my_verify = MyVerify(user_id) my_verify.write_verify() ### 前端权限写入缓存 get_user_rules(user_id) return self.write( dict(code=0, auth_key=auth_key.decode(encoding="utf-8"), username=user_info.username, nickname=user_info.nickname, next_url=next_url, msg='登录成功'))