def user_delete(request): OperateLog.create_log(request) if not request.method == "DELETE": return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={}) permission = request.user.has_perm("auth.delete_user") if permission == False: return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN) cn = request.GET.get('cn', '') # 获取登录模式 login_sets = get_login_model() mode = login_model try: if mode == 1: # 删除ldap用户信息 ldap_user_delete(cn) ret = User.objects.filter(user_profile__create_source=1).filter(username=cn).delete() elif mode == 2: ret = User.objects.filter(user_profile__create_source=2).filter(username=cn).delete() elif mode == 3 or mode == 4: # 删除ldap用户信息 ldap_user_delete(cn) ret = User.objects.filter(username=cn).delete() return JsonResponse({"message": "删除成功"}, status=status.HTTP_200_OK) except Exception as e: return JsonResponse({"error": "删除失败: " + str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def user_add(request): OperateLog.create_log(request) if not request.method == "POST": return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={}) # 当前用户是否拥有新增用户权限 permission = request.user.has_perm("auth.add_user") if permission == False: return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN) bod = request.body bod = str(bod, encoding="utf-8") data = json.loads(bod) username = data["cn"] # 校验ldap是否有该用户 ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=username).exists() # 校验本地是否有该用户 local_exit = User.objects.filter(user_profile__create_source=2).filter(username=username).exists() # 获取登录模式 login_sets = get_login_model() mode = login_model if mode == 1: # 如果ldap没有该用户 if ldap_exit == False: with transaction.atomic(): ldap_user_add(**data) lu = local_user_add(**data) up = UserProfile.objects.create(user=lu, create_source=1, is_enable=1) return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK) # 如果ldap存在该用户 else: return JsonResponse({"error": "ldap已存在该用户"}, status=status.HTTP_400_BAD_REQUEST) elif mode == 2: # 如果本地没有该用户 if local_exit == False: with transaction.atomic(): lu = local_user_add(**data) up = UserProfile.objects.create(user=lu, create_source=2, is_enable=1) return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK) # 如果本地存在该用户 else: return JsonResponse({"error": "本地已存在该用户"}, status=status.HTTP_400_BAD_REQUEST) elif mode == 3 or mode == 4: # 本地或者ldap存在该用户则不进行新增 if (ldap_exit == False) and (local_exit == False): with transaction.atomic(): # ldap新增 ldap_user_add(**data) lu = local_user_add(**data) lup = UserProfile.objects.create(user=lu, create_source=1, is_enable=1) # 本地新增 bu = local_user_add(**data) bup = UserProfile.objects.create(user=bu, create_source=2, is_enable=1) return JsonResponse({"info": "新增成功"}, status=status.HTTP_200_OK) else: return JsonResponse({"error": "ldap或本地已存在该用户"}, status=status.HTTP_400_BAD_REQUEST)
def ldap_user_delete(cn): cn = cn login_sets = get_login_model() user_search = login_sets.user_ldapsearch base_cn = 'cn=%s' % cn dn = base_cn + ',' + user_search try: with connect_ldap() as c: # 清除用户所有角色后删除 member_clear(cn) c.delete(dn) except Exception as e: return JsonResponse({"error": "删除失败: " + str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def ldap_user_put(**data): try: with connect_ldap() as c: login_sets = get_login_model() user_search = login_sets.user_ldapsearch base_cn = 'cn=%s' % data['cn'] dn = base_cn + ',' + user_search modify_sn = (MODIFY_REPLACE, data['sn']) modify_mail = (MODIFY_REPLACE, data['mail']) c.modify(dn, {'sn': [modify_sn]}) c.modify(dn, {'mail': [modify_mail]}) except Exception as e: return str(e.args)
def ldap_user_add(**data): cn = data['cn'] try: with connect_ldap() as c: login_sets = get_login_model() user_search = login_sets.user_ldapsearch base_cn = 'cn=%s' % cn base_dn = base_cn+','+user_search c.add(base_dn, ['inetOrgPerson', 'top', 'ldapPublicKey'], {'sn': data['sn'], 'mail': '*****@*****.**' % data['cn'], "userpassword": sha.hash(data['password']), "sshPublicKey": data.get('sshPublicKey', ''),} ) except Exception as e: return str(e.args)
def user_list(request): OperateLog.create_log(request) # 前端传过来的页码 page = request.GET.get('page', 1) page = int(page) if page == 1: start = 0 end = 10 else: start = 10 * (page - 1) end = 10 * page # 获取登录模式 login_sets = get_login_model() mode = login_model # 1 ldap 2.本地 3.本地+ldap 4.ldap+本地 # 获取ldap,本地+ldap的用户 if mode == 1: user_l = User.objects.exclude(user_profile__create_source=2).values('username', 'last_name') # 获取本地,本地+ldap的用户 elif mode == 2: user_l = User.objects.exclude(user_profile__create_source=1).values('username', 'last_name') # 获取所有用户 elif mode == 3 or mode == 4: user_l = User.objects.distinct().values('username', 'last_name') result = [] u_result = [] # 获取用户总页数 count = user_l.count() total_page = (count // 10) + 1 for u in user_l: if u not in result: result.append(u) total_result = result OperateLog.create_log(request) result = result[start:end] return Response({"total_count": count, "total_page": total_page, "result": result, "total_result": total_result}, status=status.HTTP_200_OK)
def user_put(request): """ :param request: sn, permission_list,cn :return: None """ OperateLog.create_log(request) if not request.method == "PUT": return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={}) permission = request.user.has_perm("auth.change_user") if permission == False: return JsonResponse({"error": "你没有权限操作"}, status=status.HTTP_403_FORBIDDEN) bod = request.body bod = str(bod, encoding="utf-8") data = json.loads(bod) username = request.user.username # 获取登录模式 login_sets = get_login_model() mode = login_model # 校验ldap是否有该用户 ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=username).exists() # 校验本地是否有该用户 local_exit = User.objects.filter(user_profile__create_source=2).filter(username=username).exists() try: if mode == 1: with transaction.atomic(): ldap_user_put(**data) local_user_put(**data) elif mode == 2: with transaction.atomic(): local_user_put(**data) elif mode == 3 or mode == 4: if ldap_exit: ldap_user_put(**data) local_user_put(**data) if local_exit: local_user_put(**data) return JsonResponse({"info": "修改成功"}, status=status.HTTP_200_OK) except Exception as e: return JsonResponse({"error": "修改失败", "message": str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def ldap_change_password(request, **data): try: with connect_ldap() as c: c.search(get_login_model().user_ldapsearch, search_filter='(objectClass=inetOrgPerson)', attributes=['userPassword', 'cn'], search_scope=SUBTREE) ldap_password = '' dn = '' for i in c.entries: if i.entry_attributes_as_dict['cn'][0] == request.user.get_username(): ldap_password = i.entry_attributes_as_dict['userPassword'][0] dn = i.entry_dn break if ldap_password and sha.verify(data['old_password'], ldap_password): c.modify(dn, {'userpassword': [(MODIFY_REPLACE, sha.hash(data['new_password']))]}) except Exception as e: return JsonResponse(status=status.HTTP_400_BAD_REQUEST, data={"error": "ldap密码修改失败", "e": str(e.args)})
class LdapUser(ldapdb.models.Model): """ Class for representing an LDAP user entry. """ # meta-data try: user_search = get_login_model() base_dn = user_search.user_ldapsearch except: pass object_classes = ['inetOrgPerson'] # 基类已经定义dn # dn = CharField(max_length=200, primary_key=True) username = CharField(db_column='cn', primary_key=True) # 定义多处主键时会影响到rdn的生成,最后完整dn生成规则是几个primarykey+base_dn组成。 user_sn = CharField(db_column='sn') email = CharField(db_column='mail', blank=True) phone = CharField(db_column='telephoneNumber', blank=True) password = CharField(db_column='userPassword') sshpublickey = CharField(db_column='sshpublickey', blank=True) memberof = ListField(db_column="memberOf", blank=True) def __str__(self): return self.username def __unicode__(self): return self.username def _save_table(self, raw=False, cls=None, force_insert=None, force_update=None, using=None, update_fields=None): """ Saves the current instance. """ # Connection aliasing connection = connections[using] create = bool(force_insert or not self.dn) # Prepare fields if update_fields: target_fields = [ self._meta.get_field(name) for name in update_fields ] else: target_fields = [ field for field in cls._meta.get_fields(include_hidden=True) if field.concrete and not field.primary_key ] def get_field_value(field, instance): python_value = getattr(instance, field.attname) return field.get_db_prep_save(python_value, connection=connection) if create: old = None else: old = cls.objects.using(using).get(pk=self.saved_pk) changes = { field.db_column: ( None if old is None else get_field_value(field, old), get_field_value(field, self), ) for field in target_fields } # Actual saving old_dn = self.dn new_dn = self.build_dn() updated = False # Insertion if create: # FIXME(rbarrois): This should be handled through a hidden field. hidden_values = [('objectClass', [ obj_class.encode('utf-8') for obj_class in self.object_classes ])] new_values = hidden_values + [ (colname, change[1]) for colname, change in sorted(changes.items()) if change[1] is not None ] new_dn = self.build_dn() logger.debug("Creating new LDAP entry %s", new_dn) connection.add_s(new_dn, new_values) # Update else: modlist = [] for colname, change in sorted(changes.items()): old_value, new_value = change if old_value == new_value: continue modlist.append(( ldap.MOD_DELETE if new_value is None else ldap.MOD_REPLACE, colname, new_value, )) # if new_dn != old_dn: # logger.debug("renaming ldap entry %s to %s", old_dn, new_dn) # connection.rename_s(old_dn, self.build_rdn()) # logger.debug("Modifying existing LDAP entry %s", new_dn) # connection.modify_s(new_dn, modlist) # updated = True # FIXME 重写了这个因为 build_dn 有坑 logger.debug("Modifying existing LDAP entry %s", old_dn) connection.modify_s(old_dn, modlist) updated = True self.dn = new_dn # Finishing self.saved_pk = self.pk return updated
def reset(request): mode = get_login_model() mod = login_model ldap_exit = User.objects.filter(user_profile__create_source=1).filter( username=request.user.get_username()).exists() local_exit = User.objects.filter(user_profile__create_source=2).filter( username=request.user.get_username()).exists() if mod != 2: passwd = sha.hash(request.GET.get('password', '')) if not passwd: return Response(status=status.HTTP_400_BAD_REQUEST, data={ "result": False, "error": "密码输入为空!" }) # aeskey = request.session.get('aeskey', '') aeskey = request.GET.get('new_key', '') if aeskey: decry_str = decrypt(aeskey) username = decry_str.split(':')[0] req_timestamp = decry_str.split(':')[2] if time.time() - float(req_timestamp) > 3600: return Response(status=status.HTTP_400_BAD_REQUEST, data={ "result": False, "error": "重置链接超时" }) else: try: with connect_ldap() as ldap_conn: ldap_conn.search( search_base=mode.user_ldapsearch, search_filter='(objectClass=inetOrgPerson)', search_scope=SUBTREE, attributes=['userPassword', 'cn']) for entry in ldap_conn.entries: if entry.entry_attributes_as_dict['cn'][ 0] == username: ldap_conn.modify(entry.entry_dn, { 'userpassword': [(MODIFY_REPLACE, passwd)] }) if ldap_exit: user_info = User.objects.filter( user_profile__create_source=1 ).get(username=request.user.get_username()) user_info.password = passwd user_info.save() if local_exit: user_info = User.objects.filter( user_profile__create_source=2 ).get(username=request.user.get_username()) user_info.password = passwd user_info.save() if ldap_conn.result['result'] == 0: return Response({ "result": True, "error": "密码重置成功" }) else: data = { "result": False, "error": "str(ldap_conn.result['message'])" } return Response( status=status.HTTP_400_BAD_REQUEST, data=data) except Exception as e: traceback.print_exc() return Response(status=status.HTTP_400_BAD_REQUEST, data={ "result": False, "error": str(e.args) }) else: return Response(status=status.HTTP_400_BAD_REQUEST, data={ "result": False, "error": "未获取到令牌" }) if mod == 2: user_info = User.objects.filter(user_profile__create_source=2).get( username=request.user.get_username()) user_info.password = passwd user_info.save() return Response({"result": True, "error": "密码重置成功"})
def user_detail(request): user = request.GET.get("user", "") oa_group = get_oa_group() permission = [] try: login_sets = get_login_model() mode = login_model # 1 ldap 2.本地 3.本地+ldap 4.ldap+本地 # 获取ldap,本地+ldap的用户 # 校验ldap是否有该用户 ldap_exit = User.objects.filter(user_profile__create_source=1).filter(username=user).exists() # 校验本地是否有该用户 local_exit = User.objects.filter(user_profile__create_source=2).filter(username=user).exists() # 获取用户所有信息 if mode == 1: user_single = User.objects.filter(user_profile__create_source=1).get(username=user) elif mode == 2: user_single = User.objects.filter(user_profile__create_source=2).get(username=user) elif mode == 3: if local_exit: user_single = User.objects.filter(user_profile__create_source=2).get(username=user) else: user_single = User.objects.filter(user_profile__create_source=1).get(username=user) elif mode == 4: if ldap_exit: user_single = User.objects.filter(user_profile__create_source=1).get(username=user) else: user_single = User.objects.filter(user_profile__create_source=2).get(username=user) u_id = user_single.id # 获取该用户所有的分组 gr = Group.objects.filter(user__id=u_id).values('id', 'name') cn = user_single.username sn = user_single.last_name mail = user_single.email s_dict = {1: "ldap", 2: "本地"} create_source = user_single.user_profile.create_source # 遍历系统所有分组 for oa in oa_group: # 遍历用户的所有分组 for g in gr: if oa["id"] == g["id"]: oa["view"] = 1 permission.append(oa) data = {"cn": cn, "sn": sn, "mail": mail, "create_source": s_dict[create_source], "permission": permission} return JsonResponse({"data": data}, status=status.HTTP_200_OK) except Exception as e: return Response({"error": str(e.args)}, status=status.HTTP_400_BAD_REQUEST)
def login(request): """ author:zxy function:登录验证 param :request 前端发来的请求 return: 以user.id为内容的JsonResponse """ # 判断请求类型 if not request.method == "POST": return JsonResponse(status=status.HTTP_405_METHOD_NOT_ALLOWED, data={}) params = request.POST post_code = params.get("check_code", "").lower() session_code = request.session.get('verifycode', "").lower() username = params.get("username", "") # 输入的密码 password = params.get("password", "") # 判断验证码 if (not post_code) or (session_code != post_code): return JsonResponse({"error": "验证码错误"}, status=status.HTTP_417_EXPECTATION_FAILED, safe=False) # 1:ldap 2: 本地 3: 本地+ldap 4: ldap+本地 login_mode = get_login_model() mode = login_mode.login_model try: use = User.objects.filter(username=username).first() if use and use.is_superuser == True: if use.password.startswith('{SSHA}'): ps = sha.verify(password, use.password) else: ps = check_password(password, use.password) if ps == False: return JsonResponse({"error": "密码错误"}, status=status.HTTP_400_BAD_REQUEST) auth.login(request, use) except: pass if not use or (use and use.is_superuser == False): # ldap验证 if mode == 1: try: use = User.objects.filter(user_profile__create_source=1).get( username=username) password_t = use.password very = sha.verify(password, password_t) if very == False: return JsonResponse({"error": "密码错误"}, status=status.HTTP_400_BAD_REQUEST) auth.login(request, use) except Exception as e: return JsonResponse({ 'error': '该用户不存在', 'e': str(e) }, status=status.HTTP_400_BAD_REQUEST) # 本地验证 elif mode == 2: try: # daigaigg use = User.objects.filter(user_profile__create_source=2).get( username=username) password_t = use.password very = sha.verify(password, password_t) if very == False: return JsonResponse({"error": "密码错误"}, status=status.HTTP_400_BAD_REQUEST) auth.login(request, use) except Exception as e: return JsonResponse({ 'error': '该用户不存在', 'e': str(e) }, status=status.HTTP_400_BAD_REQUEST) # 本地优先 elif mode == 3: use = User.objects.filter(user_profile__create_source=2).filter( username=username).first() use1 = User.objects.filter(user_profile__create_source=1).filter( username=username).first() try: if use: use = use elif use == None: use = use1 elif use1 == None: return JsonResponse({"error": "该用户不存在"}, status=status.HTTP_400_BAD_REQUEST) password_b = use.password very = sha.verify(password, password_b) if very == False: return JsonResponse({"error": "密码错误"}, status=status.HTTP_400_BAD_REQUEST) auth.login(request, use) except Exception as e: return JsonResponse({"error": "该用户不存在"}, status=status.HTTP_400_BAD_REQUEST) # ldap优先 elif mode == 4: use = User.objects.filter(user_profile__create_source=1).filter( username=username).first() use1 = User.objects.filter(user_profile__create_source=2).filter( username=username).first() try: if use: use = use elif use == None: use = use1 elif use1 == None: return JsonResponse({"error": "该用户不存在"}, status=status.HTTP_400_BAD_REQUEST) password_b = use.password very = sha.verify(password, password_b) if very == False: return JsonResponse({"error": "密码错误"}, status=status.HTTP_400_BAD_REQUEST) auth.login(request, use) except Exception as e: return JsonResponse({"error": "该用户不存在"}, status=status.HTTP_400_BAD_REQUEST) return JsonResponse({"id": use.id}, status=status.HTTP_200_OK)