def user_delete(request):
OperateLog.create_log(request)
if not request.method == "DELETE":
return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={})
permission = request.user.has_perm("auth.delete_user")
if permission == False:
return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN)
cn = request.GET.get('cn', '')
# 获取登录模式
login_sets = get_login_model()
mode = login_model
try:
if mode == 1:
# 删除ldap用户信息
ldap_user_delete(cn)
ret = User.objects.filter(user_profile__create_source=1).filter(username=cn).delete()
elif mode == 2:
ret = User.objects.filter(user_profile__create_source=2).filter(username=cn).delete()
elif mode == 3 or mode == 4:
# 删除ldap用户信息
ldap_user_delete(cn)
ret = User.objects.filter(username=cn).delete()
return JsonResponse({"message": "删除成功"}, status=status.HTTP_200_OK)
except Exception as e:
return JsonResponse({"error": "删除失败: " + str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def user_add(request):
OperateLog.create_log(request)
if not request.method == "POST":
return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={})
# 当前用户是否拥有新增用户权限
permission = request.user.has_perm("auth.add_user")
if permission == False:
return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN)
bod = request.body
bod = str(bod, encoding="utf-8")
data = json.loads(bod)
username = data["cn"]
# 校验ldap是否有该用户
ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=username).exists()
# 校验本地是否有该用户
local_exit = User.objects.filter(user_profile__create_source=2).filter(username=username).exists()
# 获取登录模式
login_sets = get_login_model()
mode = login_model
if mode == 1:
# 如果ldap没有该用户
if ldap_exit == False:
with transaction.atomic():
ldap_user_add(**data)
lu = local_user_add(**data)
up = UserProfile.objects.create(user=lu, create_source=1, is_enable=1)
return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK)
# 如果ldap存在该用户
else:
return JsonResponse({"error": "ldap已存在该用户"}, status=status.HTTP_400_BAD_REQUEST)
elif mode == 2:
# 如果本地没有该用户
if local_exit == False:
with transaction.atomic():
lu = local_user_add(**data)
up = UserProfile.objects.create(user=lu, create_source=2, is_enable=1)
return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK)
# 如果本地存在该用户
else:
return JsonResponse({"error": "本地已存在该用户"}, status=status.HTTP_400_BAD_REQUEST)
elif mode == 3 or mode == 4:
# 本地或者ldap存在该用户则不进行新增
if (ldap_exit == False) and (local_exit == False):
with transaction.atomic():
# ldap新增
ldap_user_add(**data)
lu = local_user_add(**data)
lup = UserProfile.objects.create(user=lu, create_source=1, is_enable=1)
# 本地新增
bu = local_user_add(**data)
bup = UserProfile.objects.create(user=bu, create_source=2, is_enable=1)
return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK)
else:
return JsonResponse({"error": "ldap或本地已存在该用户"}, status=status.HTTP_400_BAD_REQUEST)
def ldap_user_delete(cn):
cn = cn
login_sets = get_login_model()
user_search = login_sets.user_ldapsearch
base_cn = 'cn=%s' % cn
dn = base_cn + ',' + user_search
try:
with connect_ldap() as c:
# 清除用户所有角色后删除
member_clear(cn)
c.delete(dn)
except Exception as e:
return JsonResponse({"error": "删除失败: " + str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def ldap_user_put(**data):
try:
with connect_ldap() as c:
login_sets = get_login_model()
user_search = login_sets.user_ldapsearch
base_cn = 'cn=%s' % data['cn']
dn = base_cn + ',' + user_search
modify_sn = (MODIFY_REPLACE, data['sn'])
modify_mail = (MODIFY_REPLACE, data['mail'])
c.modify(dn, {'sn': [modify_sn]})
c.modify(dn, {'mail': [modify_mail]})
except Exception as e:
return str(e.args)
def ldap_user_add(**data):
cn = data['cn']
try:
with connect_ldap() as c:
login_sets = get_login_model()
user_search = login_sets.user_ldapsearch
base_cn = 'cn=%s' % cn
base_dn = base_cn+','+user_search
c.add(base_dn,
['inetOrgPerson', 'top', 'ldapPublicKey'],
{'sn': data['sn'],
'mail': '*****@*****.**' % data['cn'],
"userpassword": sha.hash(data['password']),
"sshPublicKey": data.get('sshPublicKey', ''),}
)
except Exception as e:
return str(e.args)
def user_list(request):
OperateLog.create_log(request)
# 前端传过来的页码
page = request.GET.get('page', 1)
page = int(page)
if page == 1:
start = 0
end = 10
else:
start = 10 * (page - 1)
end = 10 * page
# 获取登录模式
login_sets = get_login_model()
mode = login_model
# 1 ldap 2.本地 3.本地+ldap 4.ldap+本地
# 获取ldap,本地+ldap的用户
if mode == 1:
user_l = User.objects.exclude(user_profile__create_source=2).values('username', 'last_name')
# 获取本地,本地+ldap的用户
elif mode == 2:
user_l = User.objects.exclude(user_profile__create_source=1).values('username', 'last_name')
# 获取所有用户
elif mode == 3 or mode == 4:
user_l = User.objects.distinct().values('username', 'last_name')
result = []
u_result = []
# 获取用户总页数
count = user_l.count()
total_page = (count // 10) + 1
for u in user_l:
if u not in result:
result.append(u)
total_result = result
OperateLog.create_log(request)
result = result[start:end]
return Response({"total_count": count, "total_page": total_page,
"result": result, "total_result": total_result}, status=status.HTTP_200_OK)
def user_put(request):
"""
:param request: sn, permission_list,cn
:return: None
"""
OperateLog.create_log(request)
if not request.method == "PUT":
return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={})
permission = request.user.has_perm("auth.change_user")
if permission == False:
return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN)
bod = request.body
bod = str(bod, encoding="utf-8")
data = json.loads(bod)
username = request.user.username
# 获取登录模式
login_sets = get_login_model()
mode = login_model
# 校验ldap是否有该用户
ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=username).exists()
# 校验本地是否有该用户
local_exit = User.objects.filter(user_profile__create_source=2).filter(username=username).exists()
try:
if mode == 1:
with transaction.atomic():
ldap_user_put(**data)
local_user_put(**data)
elif mode == 2:
with transaction.atomic():
local_user_put(**data)
elif mode == 3 or mode == 4:
if ldap_exit:
ldap_user_put(**data)
local_user_put(**data)
if local_exit:
local_user_put(**data)
return JsonResponse({"info": "修改成功"}, status=status.HTTP_200_OK)
except Exception as e:
return JsonResponse({"error": "修改失败", "message": str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def ldap_change_password(request, **data):
try:
with connect_ldap() as c:
c.search(get_login_model().user_ldapsearch,
search_filter='(objectClass=inetOrgPerson)',
attributes=['userPassword', 'cn'],
search_scope=SUBTREE)
ldap_password = ''
dn = ''
for i in c.entries:
if i.entry_attributes_as_dict['cn'][0] == request.user.get_username():
ldap_password = i.entry_attributes_as_dict['userPassword'][0]
dn = i.entry_dn
break
if ldap_password and sha.verify(data['old_password'], ldap_password):
c.modify(dn, {'userpassword': [(MODIFY_REPLACE, sha.hash(data['new_password']))]})
except Exception as e:
return JsonResponse(status=status.HTTP_400_BAD_REQUEST,
data={"error": "ldap密码修改失败", "e": str(e.args)})
class LdapUser(ldapdb.models.Model):
"""
Class for representing an LDAP user entry.
"""
# meta-data
try:
user_search = get_login_model()
base_dn = user_search.user_ldapsearch
except:
pass
object_classes = ['inetOrgPerson']
# 基类已经定义dn
# dn = CharField(max_length=200, primary_key=True)
username = CharField(db_column='cn', primary_key=True)
# 定义多处主键时会影响到rdn的生成,最后完整dn生成规则是几个primarykey+base_dn组成。
user_sn = CharField(db_column='sn')
email = CharField(db_column='mail', blank=True)
phone = CharField(db_column='telephoneNumber', blank=True)
password = CharField(db_column='userPassword')
sshpublickey = CharField(db_column='sshpublickey', blank=True)
memberof = ListField(db_column="memberOf", blank=True)
def __str__(self):
return self.username
def __unicode__(self):
return self.username
def _save_table(self,
raw=False,
cls=None,
force_insert=None,
force_update=None,
using=None,
update_fields=None):
"""
Saves the current instance.
"""
# Connection aliasing
connection = connections[using]
create = bool(force_insert or not self.dn)
# Prepare fields
if update_fields:
target_fields = [
self._meta.get_field(name) for name in update_fields
]
else:
target_fields = [
field for field in cls._meta.get_fields(include_hidden=True)
if field.concrete and not field.primary_key
]
def get_field_value(field, instance):
python_value = getattr(instance, field.attname)
return field.get_db_prep_save(python_value, connection=connection)
if create:
old = None
else:
old = cls.objects.using(using).get(pk=self.saved_pk)
changes = {
field.db_column: (
None if old is None else get_field_value(field, old),
get_field_value(field, self),
)
for field in target_fields
}
# Actual saving
old_dn = self.dn
new_dn = self.build_dn()
updated = False
# Insertion
if create:
# FIXME(rbarrois): This should be handled through a hidden field.
hidden_values = [('objectClass', [
obj_class.encode('utf-8') for obj_class in self.object_classes
])]
new_values = hidden_values + [
(colname, change[1])
for colname, change in sorted(changes.items())
if change[1] is not None
]
new_dn = self.build_dn()
logger.debug("Creating new LDAP entry %s", new_dn)
connection.add_s(new_dn, new_values)
# Update
else:
modlist = []
for colname, change in sorted(changes.items()):
old_value, new_value = change
if old_value == new_value:
continue
modlist.append((
ldap.MOD_DELETE if new_value is None else ldap.MOD_REPLACE,
colname,
new_value,
))
# if new_dn != old_dn:
# logger.debug("renaming ldap entry %s to %s", old_dn, new_dn)
# connection.rename_s(old_dn, self.build_rdn())
# logger.debug("Modifying existing LDAP entry %s", new_dn)
# connection.modify_s(new_dn, modlist)
# updated = True
# FIXME 重写了这个因为 build_dn 有坑
logger.debug("Modifying existing LDAP entry %s", old_dn)
connection.modify_s(old_dn, modlist)
updated = True
self.dn = new_dn
# Finishing
self.saved_pk = self.pk
return updated
def reset(request):
mode = get_login_model()
mod = login_model
ldap_exit = User.objects.filter(user_profile__create_source=1).filter(
username=request.user.get_username()).exists()
local_exit = User.objects.filter(user_profile__create_source=2).filter(
username=request.user.get_username()).exists()
if mod != 2:
passwd = sha.hash(request.GET.get('password', ''))
if not passwd:
return Response(status=status.HTTP_400_BAD_REQUEST,
data={
"result": False,
"error": "密码输入为空!"
})
# aeskey = request.session.get('aeskey', '')
aeskey = request.GET.get('new_key', '')
if aeskey:
decry_str = decrypt(aeskey)
username = decry_str.split(':')[0]
req_timestamp = decry_str.split(':')[2]
if time.time() - float(req_timestamp) > 3600:
return Response(status=status.HTTP_400_BAD_REQUEST,
data={
"result": False,
"error": "重置链接超时"
})
else:
try:
with connect_ldap() as ldap_conn:
ldap_conn.search(
search_base=mode.user_ldapsearch,
search_filter='(objectClass=inetOrgPerson)',
search_scope=SUBTREE,
attributes=['userPassword', 'cn'])
for entry in ldap_conn.entries:
if entry.entry_attributes_as_dict['cn'][
0] == username:
ldap_conn.modify(entry.entry_dn, {
'userpassword': [(MODIFY_REPLACE, passwd)]
})
if ldap_exit:
user_info = User.objects.filter(
user_profile__create_source=1
).get(username=request.user.get_username())
user_info.password = passwd
user_info.save()
if local_exit:
user_info = User.objects.filter(
user_profile__create_source=2
).get(username=request.user.get_username())
user_info.password = passwd
user_info.save()
if ldap_conn.result['result'] == 0:
return Response({
"result": True,
"error": "密码重置成功"
})
else:
data = {
"result": False,
"error":
"str(ldap_conn.result['message'])"
}
return Response(
status=status.HTTP_400_BAD_REQUEST,
data=data)
except Exception as e:
traceback.print_exc()
return Response(status=status.HTTP_400_BAD_REQUEST,
data={
"result": False,
"error": str(e.args)
})
else:
return Response(status=status.HTTP_400_BAD_REQUEST,
data={
"result": False,
"error": "未获取到令牌"
})
if mod == 2:
user_info = User.objects.filter(user_profile__create_source=2).get(
username=request.user.get_username())
user_info.password = passwd
user_info.save()
return Response({"result": True, "error": "密码重置成功"})
def user_detail(request):
user = request.GET.get("user", "")
oa_group = get_oa_group()
permission = []
try:
login_sets = get_login_model()
mode = login_model
# 1 ldap 2.本地 3.本地+ldap 4.ldap+本地
# 获取ldap,本地+ldap的用户
# 校验ldap是否有该用户
ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=user).exists()
# 校验本地是否有该用户
local_exit = User.objects.filter(user_profile__create_source=2).filter(username=user).exists()
# 获取用户所有信息
if mode == 1:
user_single = User.objects.filter(user_profile__create_source=1).get(username=user)
elif mode == 2:
user_single = User.objects.filter(user_profile__create_source=2).get(username=user)
elif mode == 3:
if local_exit:
user_single = User.objects.filter(user_profile__create_source=2).get(username=user)
else:
user_single = User.objects.filter(user_profile__create_source=1).get(username=user)
elif mode == 4:
if ldap_exit:
user_single = User.objects.filter(user_profile__create_source=1).get(username=user)
else:
user_single = User.objects.filter(user_profile__create_source=2).get(username=user)
u_id = user_single.id
# 获取该用户所有的分组
gr = Group.objects.filter(user__id=u_id).values('id', 'name')
cn = user_single.username
sn = user_single.last_name
mail = user_single.email
s_dict = {1: "ldap", 2: "本地"}
create_source = user_single.user_profile.create_source
# 遍历系统所有分组
for oa in oa_group:
# 遍历用户的所有分组
for g in gr:
if oa["id"] == g["id"]:
oa["view"] = 1
permission.append(oa)
data = {"cn": cn,
"sn": sn,
"mail": mail,
"create_source": s_dict[create_source],
"permission": permission}
return JsonResponse({"data": data}, status=status.HTTP_200_OK)
except Exception as e:
return Response({"error": str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def login(request):
"""
author:zxy
function:登录验证
param :request 前端发来的请求
return: 以user.id为内容的JsonResponse
"""
# 判断请求类型
if not request.method == "POST":
return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={})
params = request.POST
post_code = params.get("check_code", "").lower()
session_code = request.session.get('verifycode', "").lower()
username = params.get("username", "")
# 输入的密码
password = params.get("password", "")
# 判断验证码
if (not post_code) or (session_code != post_code):
return JsonResponse({"error": "验证码错误"},
status=status.HTTP_417_EXPECTATION_FAILED,
safe=False)
# 1:ldap 2: 本地 3: 本地+ldap 4: ldap+本地
login_mode = get_login_model()
mode = login_mode.login_model
try:
use = User.objects.filter(username=username).first()
if use and use.is_superuser == True:
if use.password.startswith('{SSHA}'):
ps = sha.verify(password, use.password)
else:
ps = check_password(password, use.password)
if ps == False:
return JsonResponse({"error": "密码错误"},
status=status.HTTP_400_BAD_REQUEST)
auth.login(request, use)
except:
pass
if not use or (use and use.is_superuser == False):
# ldap验证
if mode == 1:
try:
use = User.objects.filter(user_profile__create_source=1).get(
username=username)
password_t = use.password
very = sha.verify(password, password_t)
if very == False:
return JsonResponse({"error": "密码错误"},
status=status.HTTP_400_BAD_REQUEST)
auth.login(request, use)
except Exception as e:
return JsonResponse({
'error': '该用户不存在',
'e': str(e)
},
status=status.HTTP_400_BAD_REQUEST)
# 本地验证
elif mode == 2:
try:
# daigaigg
use = User.objects.filter(user_profile__create_source=2).get(
username=username)
password_t = use.password
very = sha.verify(password, password_t)
if very == False:
return JsonResponse({"error": "密码错误"},
status=status.HTTP_400_BAD_REQUEST)
auth.login(request, use)
except Exception as e:
return JsonResponse({
'error': '该用户不存在',
'e': str(e)
},
status=status.HTTP_400_BAD_REQUEST)
# 本地优先
elif mode == 3:
use = User.objects.filter(user_profile__create_source=2).filter(
username=username).first()
use1 = User.objects.filter(user_profile__create_source=1).filter(
username=username).first()
try:
if use:
use = use
elif use == None:
use = use1
elif use1 == None:
return JsonResponse({"error": "该用户不存在"},
status=status.HTTP_400_BAD_REQUEST)
password_b = use.password
very = sha.verify(password, password_b)
if very == False:
return JsonResponse({"error": "密码错误"},
status=status.HTTP_400_BAD_REQUEST)
auth.login(request, use)
except Exception as e:
return JsonResponse({"error": "该用户不存在"},
status=status.HTTP_400_BAD_REQUEST)
# ldap优先
elif mode == 4:
use = User.objects.filter(user_profile__create_source=1).filter(
username=username).first()
use1 = User.objects.filter(user_profile__create_source=2).filter(
username=username).first()
try:
if use:
use = use
elif use == None:
use = use1
elif use1 == None:
return JsonResponse({"error": "该用户不存在"},
status=status.HTTP_400_BAD_REQUEST)
password_b = use.password
very = sha.verify(password, password_b)
if very == False:
return JsonResponse({"error": "密码错误"},
status=status.HTTP_400_BAD_REQUEST)
auth.login(request, use)
except Exception as e:
return JsonResponse({"error": "该用户不存在"},
status=status.HTTP_400_BAD_REQUEST)
return JsonResponse({"id": use.id}, status=status.HTTP_200_OK)