U Qh@sdZddlmZddlmZddlmZddlmZddl m Z ddl m Z m Z ddlmZdd lmZdd lmZdd lmZdd lmZmZmZGd ddeZddZee ddZee ddZddZdS)au Enhanced Authentication System for Stream Processor This module provides enhanced authentication features including: - Two-Factor Authentication (2FA) with TOTP - Enhanced session management - Password policies and validation - Account lockout protection - Login attempt tracking - Security logging Author: Stream Processor Development Team Version: 1.0.0 Created: 2025 ) timedelta)models)User) ModelBackend)Session)user_logged_inuser_logged_out)receiver)ValidationError) gettext_lazy)TimestampedModel) UserProfile LoginAttempt UserSessionc@s,eZdZdZd ddZddZd dd ZdS) EnhancedAuthenticationBackendzA Enhanced authentication backend with security features. Nc Ks|dks|dkrdSztjj|d}Wn(tjk rN|||ddYdSXtjj|d\}}|r~|||dddS||r|j rdS| |r| ||_ |j dgd|||d |S||||dd dSdS) zB Authenticate user with enhanced security checks. N)usernameFzUser not founduserzAccount locked last_login_ip) update_fieldsTzInvalid password)robjectsget DoesNotExist_log_login_attemptr get_or_createis_account_lockedcheck_passwordis_2fa_enabledreset_failed_attempts_get_client_iprsaveincrement_failed_attempts)selfrequestrpasswordkwargsrprofilecreatedr(G/var/www/html/StreamProcessor/src/apps/authentication/authentication.py authenticate(s.  z*EnhancedAuthenticationBackend.authenticatecCs0|jd}|r |dd}n |jd}|S)z5 Get client IP address from request. HTTP_X_FORWARDED_FOR,r REMOTE_ADDR)METArsplit)r"r#Zx_forwarded_foripr(r(r)rUs   z,EnhancedAuthenticationBackend._get_client_ipcCs2|sdStjj||||jdd||ddS)z< Log login attempt for security monitoring. NHTTP_USER_AGENTr1)r ip_address user_agentsuccessfailure_reason)rrcreaterr.r)r"r#rr5r6r(r(r)r`s z0EnhancedAuthenticationBackend._log_login_attempt)NN)r1)__name__ __module__ __qualname____doc__r*rrr(r(r(r)r#s - rc Csg}t|dkr|tdtdd|Ds>|tdtdd|Ds^|tdtdd|Ds~|td td d|Ds|td d d dddddddg }||kr|td|rt|dS)z Validate password strength. Args: password: Password to validate Raises: ValidationError: If password doesn't meet requirements z-Password must be at least 12 characters long.css|]}|VqdSN)isupper.0cr(r(r) sz+validate_strong_password..z4Password must contain at least one uppercase letter.css|]}|VqdSr=)islowerr?r(r(r)rBsz4Password must contain at least one lowercase letter.css|]}|VqdSr=)isdigitr?r(r(r)rBsz)Password must contain at least one digit.css|]}|dkVqdS)z!@#$%^&*()_+-=[]{}|;:,.<>?Nr(r?r(r(r)rBsz5Password must contain at least one special character.r$Z123456Z password123adminZqwertyZletmeinZwelcomemonkeyZ 1234567890zPassword is too common.N)lenappend_anylowerr )r$errorsZcommon_passwordsr(r(r)validate_strong_passwordps2   rMc Ks|sdStjj|d\}}tjj||jjt||j dddtjj |dd d}| |jkr||jd}|D]B}d |_|ztjj |jd Wqztjk rYqzXqzdS) zG Handle user login - create session record and enforce limits. Nrr2r1)r session_keyr3r4T)r is_activez-last_activityF)rN)r rrrr7sessionrNrrr.rfilterorder_bycountmax_concurrent_sessionsrOr rdeleter) senderr#rr%r&r'active_sessionsZsessions_to_deactivaterPr(r(r)on_user_logged_ins0  rXcKsN|r|s dSz&tjj||jjd}d|_|Wntjk rHYnXdS)z9 Handle user logout - deactivate session record. N)rrNF)rrrrPrNrOr r)rVr#rr%rPr(r(r)on_user_logged_outs rYcCsxttdd}tjj|dttdd}tjjd|dttdd}tjjd |d jdd d S) zw Clean up expired sessions and login attempts. This should be called periodically (e.g., via Celery task). )days)Zcreated_at__ltF)rOZupdated_at__lt)hoursT)rOZlast_activity__lt)rON) timezonenowrrrrQrUrupdate)Z cutoff_dateZinactive_cutoffr(r(r)cleanup_expired_sessionss rbN) r;datetimer django.dbrdjango.contrib.auth.modelsrZdjango.contrib.auth.backendsrdjango.contrib.sessions.modelsrZdjango.contrib.auth.signalsrrdjango.dispatchr django.core.exceptionsr django.utils.translationr rIZapps.core.modelsr Zapps.authentication.modelsr rrrrMrXrYrbr(r(r(r)s$         M) &