1
0
mirror of https://github.com/dkmstr/openuds.git synced 2024-12-22 13:34:04 +03:00

added notify preconnect in case of ticket update (username,...)

This commit is contained in:
Adolfo Gómez García 2023-06-06 15:13:36 +02:00
parent 53c964c77e
commit 75cef5b1ab
No known key found for this signature in database
GPG Key ID: DD1ABF20724CDA23

View File

@ -46,6 +46,7 @@ from uds.core.util.request import ExtendedHttpRequest, ExtendedHttpRequestWithUs
from uds.core.auths import auth, exceptions
from uds.core.util.config import GlobalConfig
from uds.core.managers.crypto import CryptoManager
from uds.core.managers.user_service import UserServiceManager
from uds.web.util import errors
from uds.web.forms.LoginForm import LoginForm
from uds.web.forms.MFAForm import MFAForm
@ -57,7 +58,6 @@ from uds import models
from uds.core.util.model import getSqlDatetimeAsUnix
logger = logging.getLogger(__name__)
CSRF_FIELD = 'csrfmiddlewaretoken'
@ -95,17 +95,13 @@ def ticketLauncher(request: HttpRequest) -> HttpResponse:
# Basically, the original /login method, but fixed for modern interface
@never_cache
def login(
request: ExtendedHttpRequest, tag: typing.Optional[str] = None
) -> HttpResponse:
def login(request: ExtendedHttpRequest, tag: typing.Optional[str] = None) -> HttpResponse:
# Default empty form
logger.debug('Tag: %s', tag)
response: typing.Optional[HttpResponse] = None
if request.method == 'POST':
request.session['restricted'] = False # Access is from login
request.authorized = (
False # Ensure that on login page, user is unauthorized first
)
request.authorized = False # Ensure that on login page, user is unauthorized first
form = LoginForm(request.POST, tag=tag)
loginResult = checkLogin(request, form, tag)
@ -113,7 +109,9 @@ def login(
response = HttpResponseRedirect(reverse('page.index'))
# save tag, weblogin will clear session
tag = request.session.get('tag')
auth.webLogin(request, response, loginResult.user, loginResult.password) # data is user password here
auth.webLogin(
request, response, loginResult.user, loginResult.password
) # data is user password here
# And restore tag
request.session['tag'] = tag
@ -130,7 +128,9 @@ def login(
return HttpResponseRedirect(loginResult.url)
if request.ip not in ('127.0.0.1', '::1'): # If not localhost, wait a bit
time.sleep(random.SystemRandom().randint(1600, 2400) / 1000) # On failure, wait a bit if not localhost (random wait)
time.sleep(
random.SystemRandom().randint(1600, 2400) / 1000
) # On failure, wait a bit if not localhost (random wait)
# If error is numeric, redirect...
if loginResult.errid:
return errors.errorView(request, loginResult.errid)
@ -150,16 +150,12 @@ def logout(request: ExtendedHttpRequestWithUser) -> HttpResponse:
request.session['restricted'] = False # Remove restricted
request.authorized = False
logoutResponse = request.user.logout(request)
return auth.webLogout(
request, logoutResponse.url or request.session.get('logouturl', None)
)
return auth.webLogout(request, logoutResponse.url or request.session.get('logouturl', None))
@never_cache
def js(request: ExtendedHttpRequest) -> HttpResponse:
return HttpResponse(
content=configjs.udsJs(request), content_type='application/javascript'
)
return HttpResponse(content=configjs.udsJs(request), content_type='application/javascript')
@never_cache
@ -170,10 +166,8 @@ def servicesData(request: ExtendedHttpRequestWithUser) -> HttpResponse:
# The MFA page does not needs CRF token, so we disable it
@csrf_exempt
def mfa(request: ExtendedHttpRequest) -> HttpResponse:
if (
not request.user or request.authorized
): # If no user, or user is already authorized, redirect to index
def mfa(request: ExtendedHttpRequest) -> HttpResponse: # pylint: disable=too-many-return-statements,too-many-statements
if not request.user or request.authorized: # If no user, or user is already authorized, redirect to index
logger.warning('MFA: No user or user is already authorized')
return HttpResponseRedirect(reverse('page.index')) # No user, no MFA
@ -201,7 +195,7 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
start_time = request.session.get('mfa_start_time', now)
# If mfa process timed out, we need to start login again
if validity > 0 and now - start_time > validity:
if 0 < validity < now - start_time:
logger.debug('MFA: MFA process timed out')
request.session.flush() # Clear session, and redirect to login
return HttpResponseRedirect(reverse('page.login'))
@ -251,10 +245,7 @@ def mfa(request: ExtendedHttpRequest) -> HttpResponse:
response = HttpResponseRedirect(reverse('page.index'))
# If mfaProvider requests to keep MFA code on client, create a mfacookie for this user
if (
mfaProvider.remember_device > 0
and form.cleaned_data['remember'] is True
):
if mfaProvider.remember_device > 0 and form.cleaned_data['remember'] is True:
response.set_cookie(
MFA_COOKIE_NAME,
mfaUserId,
@ -332,26 +323,33 @@ def update_transport_ticket(
# Update username andd password in ticket
username = data.get('username', None) or None # None if not present
password = (
data.get('password', None) or None
) # If password is empty, set it to None
password = data.get('password', None) or None # If password is empty, set it to None
domain = data.get('domain', None) or None # If empty string, set to None
if password:
password = CryptoManager().symCrypt(password, scrambler)
def checkValidTicket(data: typing.Mapping[str, typing.Any]) -> bool:
if 'ticket-info' not in data:
return True
if 'ticket-info' in data:
try:
user = models.User.objects.get(
uuid=data['ticket-info'].get('user', None)
)
if request.user == user:
return True
except models.User.DoesNotExist:
pass
user = models.User.objects.get(uuid=data['ticket-info'].get('user', None))
if request.user != user:
return False
except models.User.DoesNotExist:
return False
if username:
try:
userService = models.UserService.objects.get(
uuid=data['ticket-info'].get('userService', None)
)
UserServiceManager().notifyPreconnect(
userService, username, data.get('protocol', '')
)
except models.UserService.DoesNotExist:
pass
return True
models.TicketStore.update(
uuid=idTicket,
@ -360,14 +358,10 @@ def update_transport_ticket(
password=password,
domain=domain,
)
return HttpResponse(
'{"status": "OK"}', status=200, content_type='application/json'
)
return HttpResponse('{"status": "OK"}', status=200, content_type='application/json')
except Exception as e:
# fallback to error
logger.warning('Error updating ticket: %s', e)
# Invalid request
return HttpResponse(
'{"status": "Invalid Request"}', status=400, content_type='application/json'
)
return HttpResponse('{"status": "Invalid Request"}', status=400, content_type='application/json')