

feat(login/log): add more log detail in login process (#452)
close #430
wklken authored May 19, 2022
1 parent 253a8f5 commit 78884ff
Showing 3 changed files with 38 additions and 3 deletions.
2 changes: 2 additions & 0 deletions src/api/bkuser_core/common/error_codes.py
Expand Up @@ -115,6 +115,8 @@ def __getattr__(self, code_name):
ErrorCode("CATEGORY_NOT_ENABLED", _("用户目录未启用"), 3210019),
ErrorCode("ERROR_FORMAT", _("传入参数错误"), 3210020),
ErrorCode("SHOULD_CHANGE_INITIAL_PASSWORD", _("平台分配的初始密码未修改"), 3210021),
ErrorCode("USER_IS_DELETED", _("账号已被删除,请联系管理员"), 3210022),
ErrorCode("CATEGORY_PLUGIN_LOAD_FAIL", _("目录登录插件加载失败"), 3210023),
# 用户相关
ErrorCode("PASSWORD_DUPLICATED", _("新密码不能与最近{max_password_history}次密码相同")),
ErrorCode("EMAIL_NOT_PROVIDED", _("该用户没有提供邮箱,发送邮件失败")),
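Review bot: `USER_IS_DELETED` is added here but nothing in this commit raises it; the only reference is the commented-out `# raise error_codes.USER_IS_DELETED` in views.py, which is deliberately replaced by `PASSWORD_ERROR` so the login response does not reveal account status. A short comment on the new line, e.g. `# not returned by the login flow: account status must not leak to the caller`, would stop a later change from surfacing it by accident. `CATEGORY_PLUGIN_LOAD_FAIL`, by contrast, is raised in views.py in this same commit. The error-code list continues outside this hunk.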
37 changes: 34 additions & 3 deletions src/api/bkuser_core/profiles/v2/views.py
Expand Up @@ -557,6 +557,7 @@ def login(self, request):
password = serializer.validated_data.get("password")
domain = serializer.validated_data.get("domain", None)

logger.debug("do login check, username<%s>, domain=<%s>", username, domain)
# 无指定 domain 时, 选择默认域
if not domain:
category = ProfileCategory.objects.get_default()
Expand All @@ -569,16 +570,29 @@ def login(self, request):
if category.inactive:
raise error_codes.CATEGORY_NOT_ENABLED

logger.debug(
"do login check, will check in category<%s-%s-%s>", category.type, category.display_name, category.id
)

message_detail = (
f"username={username}, domain={domain} in category<{category.type}-{category.display_name}-{category.id}>"
)

# 这里不检查具体的用户名格式,只判断是否能够获取到对应用户
try:
profile = Profile.objects.get(
Q(email=username) | Q(telephone=username) | Q(username=username),
domain=category.domain,
)
except Profile.DoesNotExist:
logger.info("login check, can't find the %s", message_detail)
# NOTE: 这里不能使用 USER_DOES_NOT_EXIST, 安全问题
raise error_codes.PASSWORD_ERROR
except MultipleObjectsReturned:
logger.info("login check, find multiple profiles via %s", message_detail)
# NOTE: 安全原因, 不能返回账户状态
raise error_codes.PASSWORD_ERROR
# raise error_codes.USER_EXIST_MANY

time_aware_now = now()
config_loader = ConfigProvider(category_id=category.id)
Expand All @@ -596,15 +610,24 @@ def login(self, request):
request=request,
params={"is_success": False, "reason": LogInFailReason.DISABLED_USER.value},
)
logger.info("login check, profile<%s> of %s is disabled or deleted", profile.username, message_detail)
raise error_codes.PASSWORD_ERROR
# NOTE: 安全原因, 不能返回账户状态
# if profile.status == ProfileStatus.DISABLED.value:
# raise error_codes.USER_IS_DISABLED
# else:
# raise error_codes.USER_IS_DELETED
elif profile.status == ProfileStatus.LOCKED.value:
create_profile_log(
profile=profile,
operation="LogIn",
request=request,
params={"is_success": False, "reason": LogInFailReason.LOCKED_USER.value},
)
logger.info("login check, profile<%s> of %s is locked", profile.username, message_detail)
raise error_codes.PASSWORD_ERROR
# NOTE: 安全原因, 不能返回账户状态
# raise error_codes.USER_IS_LOCKED

# 获取密码配置
auto_unlock_seconds = int(config_loader["auto_unlock_seconds"])
Expand All @@ -625,18 +648,25 @@ def login(self, request):

logger.info(f"用户<{profile}> 登录失败错误过多,已被锁定,请 {retry_after_wait}s 后再试")
# 当密码输入错误时,不暴露不同的信息,避免用户名爆破
logger.info(
"login check, profile<%s> of %s entered wrong password too many times",
profile.username,
message_detail,
)
# NOTE: 安全原因, 不能返回账户状态
raise error_codes.PASSWORD_ERROR

try:
login_class = get_plugin_by_category(category).login_handler_cls
except Exception:
logger.exception(
"category<%s-%s-%s> load login handler failed",
"login check, category<%s-%s-%s> load login handler failed",
category.type,
category.display_name,
category.id,
)
raise error_codes.PASSWORD_ERROR
# NOTE: 代码异常, 可以返回加载失败
raise error_codes.CATEGORY_PLUGIN_LOAD_FAIL

try:
login_class().check(profile, password)
Expand All @@ -647,7 +677,8 @@ def login(self, request):
request=request,
params={"is_success": False, "reason": LogInFailReason.BAD_PASSWORD.value},
)
logger.exception("check profile<%s> failed", profile.username)
logger.exception("login check, check profile<%s> of %s failed", profile.username, message_detail)
# NOTE: 这里不能使用其他错误, 一律是 PASSWORD_ERROR, 安全问题
raise error_codes.PASSWORD_ERROR

self._check_password_status(request, profile, config_loader, time_aware_now)
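Review bot: Returning `CATEGORY_PLUGIN_LOAD_FAIL` instead of `PASSWORD_ERROR` at the plugin-load step (the replaced `raise` in the third hunk) makes the response depend on whether the username resolved to an active profile, because the `Profile.objects.get` lookup, the disabled/locked branches and the wrong-password lockout above it all raise `PASSWORD_ERROR`, so only an existing, active profile ever reaches `get_plugin_by_category`. While a category's plugin fails to load, a caller can therefore tell valid usernames from invalid ones by the error code, which is exactly what the `# NOTE: 安全原因` comments in the same function exist to prevent. Since the handler class depends only on `category`, the `try: login_class = get_plugin_by_category(category).login_handler_cls` block can be moved up to just after the `category.inactive` check and before the profile lookup, so the distinct error is returned regardless of the username. Separately, the new `message_detail` puts the raw login identifier (which may be an email or telephone) into INFO-level logs on every failed attempt, and the lockout branch now logs the same event twice (the existing f-string line and the new `logger.info`); worth confirming the former is acceptable for log retention and dropping one of the latter. `login` begins before the first hunk and continues after the last one.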
2 changes: 2 additions & 0 deletions src/login/bklogin/backends/bk.py
Expand Up @@ -73,6 +73,8 @@ def authenticate(self, request, username=None, password=None, **kwargs):
else:
domain = ""

logger.debug("parse the domain from username, result: username=%s, domain=%s", username, domain)

# 调用用户管理接口进行验证
ok, code, message, extra_values = usermgr_api.authenticate(
username, password, language=kwargs.get("language"), domain=domain
