U j*gP@sddlZddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z mZddlmZmZddlmZddlmZddlmZdd lmZmZdd lTd d lmZd dlmZd dl m!Z!Gdddej"Z"dS)N) pbkdf2_hmac) urlencode)AES PKCS1_OAEP)SHA1SHA256)RSA)get_random_bytes) PKCS1_v1_5)padunpad)*) send_email)auth) SupervisorcseZdZdZdZeddZeddZddZe d d Z d[d dZ d\ddZ ddZ d]ddZeedddZd^edddZeddZeddZed d!Ze d"d#Ze d$d%Zd&d'Zd(d)Zd*d+Zd,d-Ze d.d/Ze d0d1Ze d2d3Zd4d5Z d_d6d7Z!d`d8d9Z"e d:d;Z#e drrr rB[s zCmfAuth.reset_pass_set_datacCs|j pt|jkS)u_ Проверяем что ссылка для сброса пароля не протухла )rLr*rrrr reset_pass_is_expirediszCmfAuth.reset_pass_is_expiredNcCstddd}|dkr6|jjttd||jjd}tt|  }tt|  }|d|S)NZRS256ZJWT)ZalgtyprK)r7expscope.) r7valuer)r*rQr b64encodejsondumpsr4decode)rdayspayloadheaderrrr create_jwtms zCmfAuth.create_jwt)jwtcCsFtt|d}tt|d}|d|S)NrZrYrR)rrTrUrVr4rW)r\rZrYrrr jwt_to_stryszCmfAuth.jwt_to_strcCs^|dkr||}ttj}t}||||}t | }|d|}|SNrR) r[r r5APPZrsa_private_keyrupdater4signrrTrW)rrXr\Zsignerdigestraresrrr rsa_sign_pack_jwts   zCmfAuth.rsa_sign_pack_jwtcCs|d\}}}t}|d|}||t|}ttj }| ||}|s^dSt| }t| }t |}t |}ttt|dkrtdt|ddS||dS)NrRrPu9Время жизни токена закончилосьrZrY)rrr5r`r4rrr r_rsa_public_keyverifyrWrUloadsr)r*gdebug)rjwtrZrY signaturerbr\verifierZverifiedrrr rsa_verify_unpack_jwts"     zCmfAuth.rsa_verify_unpack_jwtcCsJ|d\}}}t|}t|}t|}t|}||dS)NrRre)rrrrWrUrh)rkrZrYrlrrr rsa_unpack_jwts   zCmfAuth.rsa_unpack_jwtc Cs^|d\}}}t}|d|}||t|}t|}t |}| ||Sr^) rrr5r`r4rrrZ import_keyr rg) rkZrsa_public_key_bytesrZrYrlrbr\rfrmrrr rsa_verify_jwts   zCmfAuth.rsa_verify_jwtc Cs|td|stddSz||}Wn2tk r\}ztjdd}W5d}~XYnX|sptddS|dd}|dd|_|dd|_|dd |_ d|_ d|_ d}t j td rttd }|}W5QRX| |_ |j pd d D]T}|r||d r"d|_ |dkrtjjrtd|d|_ d|_ qtd|jd|j d|j |S)Nzfrom_jwt: startzfrom_jwt: warn not jwtzfail unpack jwtz2from_jwt: warn not cls.rsa_verify_unpack_jwt(rjwt)T)emptyrYr7rQz/custom/org_name :r uCfrom_jwt: Доступ по билету тех поддержки zfrom_jwt: jwt is ok, z, z , is_local=)rirjrn Exceptionr_logger exceptionr7emailrQZjwt_is_supportZjwt_is_match_orgospathexistsZ PROJECT_DIRopenreadstripr startswithglobal_settingsZ support_mode)r6rkr\eobjorg_namefZpermrrr from_jwts@      "zCmfAuth.from_jwtc Cs|jdd|gdgd}|s0|jdd|gdgd}|sJ|jdd|gdgd}|stjj(tjjdddd|id d d ||d W5QRXdS|jrt d |j dtjj0tjjddd|j ddd d d |j |j d W5QRXt dt j jddS|jjdrR|j d\}}tjj|drRtjj|dgdD]}z||jj|}Wn:tk r}zt d|d|W5d}~XYnpX|rD|rdS|tjj6tjjddd|jjdddd d |jj|jjd W5QRX|SqDtjj6tjjddd|jjddd d d |jj|jjd W5QRX|jr|jjdr|||jjr|rdS|tjj*tjjddd|d ddd d ||d W5QRX|Stjj*tjjddd|d dd d d ||d W5QRX|dS)!N ext_loginZILIKEz***)filterfieldsr7rxZ ident_failedrfailTr operatecmf_model_nameparent audit_data result_statuscurrent_transactionsecurity_level parent_name parent_codeusПревышено количество попыток ввода пароля для учетной записи "u$", вход заблокирован auth_failedzToo many failed login attemptsr7reasonunПревышено количество попыток ввода пароля, повторите через u минутZ allow_ldap@)domainplugin.*)rru/Ошибка авторизации через z: auth_successedZldap)r7typeokZ allow_basebase)getcmfutilcmfutil disable_aclmodelsCmfAudit audit_eventfail_block_end_daterirjr7 cmf_alertrauth_fail_timeout auth_optionsrSrCmfAuthLdapPlugincountlistZsigninrru_is_permanent_blockauth_success_hookr check_secretauth_fail_hook) r6r7Zchallenge_respr_r auth_pluginZis_successful_signinrrrr get_by_challenge_resps   (         zCmfAuth.get_by_challenge_respc Csttjjrp|jrptd|jdtjj 0t j j ddd|jddddd |j|jd W5QRXt d dSd S) NuУчетная запись "u3" перманентно заблокированаrrzPermanent blockrrTrrulУчетная запись заблокирована, обратитесь к администраторуF)rirauth_fail_permanent_blockfail_permanent_blockrjr7rrrrrrrrrrrr r<s"  zCmfAuth._is_permanent_blockc Cstjjs dS|jdkrdStjdd}d|}tj|}d t j t j dd}tj|||stjjddd|d d d d d ||d td|}|r||krtjjddd|dd d d d ||d tddS)Nrcaptchazauth:user_login_captcha:rr)krrzRequire captcharrTrriz Bad captcha)rirZauth_check_captchafail_try_counterrequestvaluesrr_ZREDIS_DBjoinrandomchoicesstringdigitssetrrrabortrW)rr7rZdb_keyZ db_captchaZ new_captcharrr _auth_check_captchaSs@      zCmfAuth._auth_check_captchacCs\|jd7_|jtjjkrPtjjr,d|_ntjtjtjj j d|_ d|_| dS)NrT)Zminutesr) rrirZauth_fail_try_countrrdatetimenow timedeltarrSrrMrrrr rrs  zCmfAuth.auth_fail_hookcCsd|_|dS)Nr)rrMrrrr rszCmfAuth.auth_success_hookcCs"|}||_||_||||Sr$)r7rx set_pass_hash)r6r7hashr#rrrr new_from_login_hash_salts  z CmfAuth.new_from_login_hash_saltc Csl|d}|d}|dkrZ|dd\}}}t|}t|} | td||t|kStd|dS)NrrZ pbkdf2_sha256rr.zNot Implemented for )rrrrr4r)NotImplementedError) r6r;Z secret_hashZ hash_partsZ hash_algoZn_itersalt_b64hash_b64Zsalt_bZhash_brrr rs   zCmfAuth.check_secretc Cs|j|dddgd}|rf|||jjrftjj(tj j ddd|idddd ||d W5QRX|Stjj(tj j d dd|idd dd ||d W5QRXdS) Nrr7rQr7rrrrTr) rrrrrrrrrrr) rrrrSrrrrrrr)r6r7r8rrrr from_login_passwords2  zCmfAuth.from_login_passwordcCsRtjjs dStjj|dgddgddgdD]"}|jr*|||jr*t|j q*dS)Nz-cmf_created_atrrcmf_created_at)rZorder_byslicer) rirZpassword_check_historyrCmfAuthHistoryZslistrrZCmfAuthReusePasswordErrorr)rr8historyrrr check_historys zCmfAuth.check_historycCs(t|}t|}|j|||ddS)Nr8)r1r2set_pass_hash_bytes)rrr#r8 hash_bytes salt_bytesrrr rs  zCmfAuth.set_pass_hashc Cs|dk r||t|}t|}d|d||_|jtjj |j d}|r|jd|_ t |jddW5QRXdS)Nzpbkdf2_sha256$100000$rr7FT)Z only_data)rrrTrWrZpassword_changed_dateZset_nowr CmfPersonrr7Zpassword_must_changerrrM)rrrr8rrpersonrrr rs    zCmfAuth.set_pass_hash_bytescCstjSr$)rir)r6rrr current_authszCmfAuth.current_authcCs:g}tdD]}|ttjtjq d|dS)Nrrzutf-8) rangeappendrchoicer ascii_lettersrrr4)r6charsirrr gen_salts zCmfAuth.gen_saltc s|dgtjtj|s8dfddt|D}t|}t d| |d}|j |||of|dt j j.tjjdd d|jid d d |j|jd d W5QRX|S)uO Генерирует новый пароль :return: r7rrc3s|]}tVqdSr$)rr.0rZlettersrr sz)CmfAuth.reset_password..r.r/rreset_passwordrNrTr) rrrrrrrrr)Z load_fieldsrrrrrrrr3rr4rrrrrrrrr7)rlengthr8forcer#rrrr rs$    zCmfAuth.reset_passwordc Cs^dtj}d|g}t|||tjj(tjj dddd|idd||dd W5QRXdS) Nu&Пароль для доступа к u Пароль: send_passwordrrxrTr) rrrrrrrrr) configZ HOSTNAME_FQDNrrrrrrrr)r6r8rxZsubjectZ msg_contentsrrr rs   zCmfAuth.send_passwordcCsnddlm}|}tj||d}||jtdddd|ddd}|jd kr\td t |j d d S) Nr)session)r7 rg_member_ofT)r@Zinternalz auth/signup)r7Zgen_pwd)datau>Не удалось создать учётную запись access_token)r) ZrequestsrrrrMZpostrEZ status_coderurCZcookiesr)r6r7rrsrrrrr create_persons  zCmfAuth.create_personc s|jjrZd|_|jjsZ|jD].}|j|D]}|jd|d|7_q*q|jj|_tj||}|jjrt t j ||jdW5QRX|S)Nrrrsrt)rr) groups is_changedrQis_nullrSr~superrMrrrrr)rargskwargsrZgrp_namerc __class__rr rMs  z CmfAuth.savecCs&|jjr gStdd|jdDS)NcSsg|]}|ddqS)rtr)rrrrr #sz)CmfAuth.prepare_scope..rs)rQrrrrrrr prepare_scopeszCmfAuth.prepare_scopecCs||}tjdkr|S|dd}zt|}Wn tk rRd}t|YnX|||}|sd|ddd}t |t||S)NFalserYissuJНе удалось прочитать публичный ключ EvaTeamuEНе удалось валидировать токен от EVA_APP r!) rorZEVA_ACCOUNT_USErZread_crm_pub_key RuntimeErrorrurploggingerror)r6 eva_app_tokenr\rZ crm_pub_keyrrgrrr check_token%s     zCmfAuth.check_token)usersc Osf||}|dd}|D]@}zt|d}dddddd g} d } |d r|jt|d | d } | r|| _q|j|| d } n|j|| d } | stj|d } t d|| |dpd} t| p|| _ |d pd} t| p d | _ | j jr i| _ | js.g| _|| jkrF| j|g| j |<|drt d|||| jkr| j|| j |=d| j _| Wq|dD]:} t d|d| d|| j || d| j _q|d| _t d|t d| j | tt d| jWqtk rZtd|YqXqddiS)u Метод вызывается из eva_app при синхронизации создает и привязывает пользователей https://bcrm.carbonsoft.ru/project/Document/DOC-003025#spec-0-ldap rYrr7rrQrreg_org_name_listrxrNZ old_loginrru(Создали пользователя rrZ cmf_deletedu4Пользователь {} удален из Eva {}Tru,Добавляем пользователю u права u в Eva rz user_dict=z user.groups=z user.scope=u)Не удалось обработать resultr)rr(lowerr~rr7rrrrjrMrxrrrr rformatremoverrZcommit_with_eventrQrurw)r6rr rrr\rZ user_dictr7_fieldsuserrxrZgrp_coderrr rpc_account_sync_push7sl                zCmfAuth.rpc_account_sync_pushc Ostjs dSdd}tjsdS||}|dd}|D]}tjj|dddgd} | s`t} || |d|dd| _| tjj|ddd gd} | st} || ||| _ |d| _| | _ | q6tjj d d d d |DgdD] } | qddiS)NcSsF|D]<}|dks|ds|dr&qt||rt||||qdS)N)idcodeZext_ipZcmf_Z_id)rendswithhasattrsetattr)rZobj_dictZ field_namerrr copy_f~s z/CmfAuth.rpc_account_plugin_push..copy_frYrpluginrr )ext_idrrrzNOT INcSsg|] }|dqS)rr)rrrrr rsz3CmfAuth.rpc_account_plugin_push..)rr r) rZIS_BOX_VERSIONrrZ CmfPluginrrrMrrrrdelete) r6rZ auth_pluginsrrrr\rrrZauth_plugin_objrrr rpc_account_plugin_pushzs2     " zCmfAuth.rpc_account_plugin_pushcKsl|jtj|jjdtjtjd}ttdtj }|j d| f||dddd|t j |||f|dS)N)ZsecondsrXZAUTH_SESSION_COOKIE_DOMAINZ session_tokenTLaxrexpiresZsecureZhttponlyZsamesite)Z reauth_daterrZaccess_token_expires_inrSr PROLONG_DAYSgetattrrhost set_cookieZ get_tokenrset_nginx_token)rresponse cookie_kwargsr cookie_domainrrr set_session_tokens$  zCmfAuth.set_session_tokencKsL|jd|jtjddf|tjtjtjtjddddd|dS)NrrrTrr)r#rdrTOKEN_TTL_DAYSrrrr )rr%r'r&rrr set_access_tokens   zCmfAuth.set_access_tokencKs<|stjtjtjd}|jd||dddd|dS)Nrnginx_auth_token password123Trr)r+r,)rrrrr)r#)r%r'rr&rrr r$szCmfAuth.set_nginx_tokenu_Разблокировка учетных записей по истечению времениz @minutely)Z only_once descriptionZ system_jobZschedulecCs^tjjr dStj}tjjdgdd|gddgd}|s:qZ|D]}d|_| q>t qdS)Nrs*