def post(self):
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
username = args['username']
password = args['password']
oath_code = args['oath_code']
except:
return self.write_json(TPE_PARAM)
err, user_info, msg = user.login(self, username, password=password)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
return self.write_json(err)
secret = self.get_session('tmp_oath_secret', None)
if secret is None:
return self.write_json(TPE_FAILED, '内部错误!')
self.del_session('tmp_oath_secret')
if not tp_oath_verify_code(secret, oath_code):
return self.write_json(TPE_OATH_MISMATCH)
err = user.update_oath_secret(self, user_info['id'], secret)
if err != TPE_OK:
return self.write_json(err)
return self.write_json(TPE_OK)
def post(self):
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
username = args['username']
password = args['password']
oath_code = args['oath_code']
except:
return self.write_json(TPE_PARAM)
err, user_info = user.login(self, username, password=password)
if err != TPE_OK:
if err == TPE_NOT_EXISTS:
err = TPE_USER_AUTH
return self.write_json(err)
secret = self.get_session('tmp_oath_secret', None)
if secret is None:
return self.write_json(TPE_FAILED, '内部错误!')
self.del_session('tmp_oath_secret')
if not tp_oath_verify_code(secret, oath_code):
return self.write_json(TPE_OATH_MISMATCH)
err = user.update_oath_secret(self, user_info['id'], secret)
if err != TPE_OK:
return self.write_json(err)
return self.write_json(TPE_OK)
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
msg = ''
current_unix_time = int(time.mktime(datetime.datetime.now().timetuple()))
# log.e('current:',current_unix_time,'validfrom:', user_info['valid_from'])
err, user_info = get_by_username(username)
if err != TPE_OK:
return err, None, msg
if user_info.privilege == 0:
# 尚未为此用户设置角色
msg = '登录失败,用户尚未分配权限'
return TPE_PRIVILEGE, None, msg
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None, msg
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_sec(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
msg = '登录失败,用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, msg)
return TPE_USER_LOCKED, None, msg
elif user_info['state'] == TP_STATE_DISABLED:
msg = '登录失败,用户已被禁用'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
msg)
return TPE_USER_DISABLED, None, msg
elif user_info['state'] != TP_STATE_NORMAL:
msg = '登录失败,用户状态异常'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
return TPE_FAILED, None, msg
elif current_unix_time < user_info['valid_from'] or (
current_unix_time > user_info['valid_to']
and user_info['valid_to'] != 0):
msg = '登录失败,用户已过期'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
return TPE_FAILED, None, msg
err_msg = ''
if password is not None:
if user_info['type'] == TpUserType.LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_sec()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
60 * 24) < _time_now:
msg = '登录失败,用户密码已过期'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_EXPIRED, None, msg
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
msg = '登录失败,密码错误{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
msg = 'LDAP尚未配置'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
msg = 'LDAP尚未正确配置'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
msg = 'LDAP用户验证失败{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
msg = 'LDAP用户登录失败,{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
except:
msg = 'LDAP用户登录失败,发生内部错误'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
msg = '登录失败,系统内部错误'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
msg)
return TPE_USER_AUTH, None, msg
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None, msg
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH, msg)
return TPE_OATH_MISMATCH, None, msg
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info, msg
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
# '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
'登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED,
'登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
if user_info['type'] == TP_USER_TYPE_LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_utc_now()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
60 * 24) < _time_now:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, '登录失败,用户密码已过期')
return TPE_USER_AUTH, None
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
return TPE_USER_AUTH, None
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP未能正确配置')
return TPE_USER_AUTH, None
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH,
'LDAP用户登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH,
'LDAP用户登录失败,{}'.format(err_msg))
return TPE_USER_AUTH, None
except:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'登录失败,系统内部错误')
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info
def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
# '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now() - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
if user_info['type'] == TP_USER_TYPE_LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_utc_now()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期')
return TPE_USER_AUTH, None
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
return TPE_USER_AUTH, None
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置')
return TPE_USER_AUTH, None
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'LDAP用户登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'LDAP用户登录失败,{}'.format(err_msg))
return TPE_USER_AUTH, None
except:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误')
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath == True and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
'登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED,
'登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
pass
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info