一、urls.py
# --*--coding:utf-8--*-- from django.conf.urls import patterns, url urlpatterns = patterns('myauth.login', url(r'^login/$', 'do_login', name='login'), url(r'^logout/$', 'do_logout', name='logout'), )
二、myauth_backend.py
Jms_Users 是繼承Django的AbstractUser類,且setting中指定了認證后台的User 模型為AUTH_USER_MODEL = 'juser.User',所以無需再保存Django User對象(注釋部分)。這里只是token驗證后直接返回用戶,真正的認證並獲取用戶信息過程在login中調用認證接口實現
# --*--coding:utf-8--*-- # author: ArthurMok from django.contrib.auth.models import User as Contrib_Users from juser.models import User as Jms_Users from jumpserver.settings import DJANGO_AUTH_TOKEN from itsdangerous import TimedJSONWebSignatureSerializer as Serializer class MyAuthBackend(object): def authenticate(self, auth_token=None, token=None): s = Serializer(DJANGO_AUTH_TOKEN) username = s.loads(auth_token) try: user = Jms_Users.objects.get(username=username) except Jms_Users.DoesNotExist: return None else: # 用戶已經通過統一接口認證,此處重寫django的認證模塊,使用token驗證 if token == DJANGO_AUTH_TOKEN: # try: # contrib_user = Contrib_Users.objects.get(username=user.username) # except Contrib_Users.DoesNotExist: # # 當在django中無此用戶,便創建 # contrib_user = Contrib_Users(username=user.username, password=auth_token) # contrib_user.is_staff = True # contrib_user.save() # return contrib_user return user else: return None def get_user(self, user_id): try: return Jms_Users.objects.get(pk=user_id) except Jms_Users.DoesNotExist: return None
三、login.py
調用認證接口SSO_URL實現用戶的認證和獲取用戶信息,並保存用戶信息。主要是 _add_user和do_login函數,其他為認證接口調用過程忽略不寫。
def _add_user(request, username, name, mobile, email, department): jms_user = Jms_Users.objects.filter(username=username) if jms_user: pass else: password = PyCrypt.gen_rand_pass(16) groups = [] admin_groups = [] role = 'CU' uuid_r = uuid.uuid4().get_hex() ssh_key_pwd = PyCrypt.gen_rand_pass(16) if not email: email = username+'@'+EMAIL_DOMAIN is_active = True send_mail_need = True try: user = db_add_user(username=username, name=name, phone=mobile, department=department, password=password, email=email, role=role, uuid=uuid_r, groups=groups, admin_groups=admin_groups, ssh_key_pwd=ssh_key_pwd, is_active=is_active, date_joined=datetime.datetime.now()) server_add_user(username=username, ssh_key_pwd=ssh_key_pwd) user = get_object(Jms_Users, username=username) if groups: user_groups = [] for user_group_id in groups: user_groups.extend(UserGroup.objects.filter(id=user_group_id)) except IndexError, e: error = u'添加用戶 %s 失敗 %s ' % (username, e) logger.error(error) return False else: user_add_mail(user, kwargs=locals()) msg = get_display_msg(user, password=password, ssh_key_pwd=ssh_key_pwd, send_mail_need=send_mail_need) logger.info(msg) return True
def do_login(request): local_login_url = 'http://'+request.get_host()+reverse('login') tmp_token = request.GET.get('token') # next_url = request.GET.get('next', '/') if request.user.is_authenticated(): return HttpResponseRedirect(reverse('index', args=())) else: if tmp_token: token = _sso_token(request, tmp_token) if token: user_info = _sso_user_info(request, token) # 認證通過並獲取用戶信息 if user_info: _add_user(request, user_info['um'], user_info['name'], user_info['mobile'], user_info['email'], user_info['department']) s = Serializer(DJANGO_AUTH_TOKEN) auth_token = s.dumps(user_info['um']) contrib_user = authenticate(auth_token=auth_token, token=DJANGO_AUTH_TOKEN) login(request, contrib_user) #登錄 if contrib_user.role == 'SU': request.session['role_id'] = 2 elif contrib_user.role == 'GA': request.session['role_id'] = 1 else: request.session['role_id'] = 0 return HttpResponseRedirect(reverse('index', args=())) sso_login_url = SSO_LOGIN_URL % (SSO_URL, local_login_url) return HttpResponseRedirect(sso_login_url)