merge: with pam (#14911)

* perf: change i18n * perf: pam * perf: change translate * perf: add check account * perf: add date field * perf: add account filter * perf: remove some js * perf: add account status action * perf: update pam * perf: 修改 discover account * perf: update filter * perf: update gathered account * perf: 修改账号同步 * perf: squash migrations * perf: update pam * perf: change i18n * perf: update account risk * perf: 更新风险发现 * perf: remove css * perf: Admin connection token * perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks * perf: Modify account migration files * perf: update pam * perf: remove to check account dir * perf: Admin connection token * perf: update check account * perf: 优化发送结果 * perf: update pam * perf: update bulk update create * perf: prepaire using thread timer for bulk_create_decorator * perf: update bulk create decorator * perf: 优化 playbook manager * perf: 优化收集账号的报表 * perf: Update poetry * perf: Update Dockerfile with new base image tag * fix: Account migrate 0012 file * perf: 修改备份 * perf: update pam * fix: Expand resource_type filter to include raw type * feat: PAM Service (#14552) * feat: PAM Service * perf: import package name --------- Co-authored-by: jiangweidong <1053570670@qq.com> * perf: Change secret dashboard (#14551) Co-authored-by: feng <1304903146@qq.com> * perf: update migrations * perf: 修改支持 pam * perf: Change secret record table dashboard * perf: update status * fix: Automation send report * perf: Change secret report * feat: windows accounts gather * perf: update change status * perf: Account backup * perf: Account backup report * perf: Account migrate * perf: update service to application * perf: update migrations * perf: update logo * feat: oracle accounts gather (#14571) * feat: oracle accounts gather * feat: sqlserver accounts gather * feat: postgresql accounts gather * feat: mysql accounts gather --------- Co-authored-by: wangruidong <940853815@qq.com> * feat: mongodb accounts gather * perf: Change secret * perf: Migrate * perf: Merge conflicting migration files * perf: Change secret * perf: Automation filter org * perf: Account push * perf: Random secret string * perf: Enhance SQL query and update risk handling in accounts * perf: Ticket filter assignee_id * perf: 修改 account remote * perf: 修改一些 adhoc 任务 * perf: Change secret * perf: Remove push account extra api * perf: update status * perf: The entire organization can view activity log * fix: risk field check * perf: add account details api * perf: add demo mode * perf: Delete gather_account * perf: Perfect solution to account version problem * perf: Update status action to handle multiple accounts * perf: Add GatherAccountDetailField and update serializers * perf: Display account history in combination with password change records * perf: Lina translate * fix: Update mysql_filter to handle nested user info * perf: Admin connection token validate_permission account * perf: copy move account * perf: account filter risk * perf: account risk filter * perf: Copy move account failed message * fix: gather account sync account to asset * perf: Pam dashboard * perf: Account dashboard total accounts * perf: Pam dashboard * perf: Change secret filter account secret_reset * perf: 修改 risk filter * perf: pam translate * feat: Check for leaked duplicate passwords. (#14711) * feat: Check for leaked duplicate passwords. * perf: Use SQLite instead of txt as leak password database --------- Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: 老广 <ibuler@qq.com> * perf: merge with remote * perf: Add risk change_password_add handle * perf: Pam dashboard * perf: check account manager import * perf: 重构扫描 * perf: 修改 db * perf: Gather account manager * perf: update change db lib * perf: dashboard * perf: Account gather * perf: 修改 asset get queryset * perf: automation report * perf: Pam account * perf: Pam dashboard api * perf: risk add account * perf: 修改 risk check * perf: Risk account * perf: update risk add reopen action * perf: add pylintrc * Revert "perf: automation report" This reverts commit 22aee54207. * perf: check account engine * perf: Perf: Optimism Gather Report Style * Perf: Remove unuser actions * Perf: Perf push account * perf: perf gather account * perf: Automation report * perf: Push account recorder * perf: Push account record * perf: Pam dashboard * perf: perf * perf: update intergration * perf: integrations application detail add account tab page * feat: Custom change password supports configuration of interactive items * perf: Go and Python demo code * perf: Custom secret change * perf: add user filter * perf: translate * perf: Add demo code docs * perf: update some i18n * perf: update some i18n * perf: Add Java, Node, Go, and cURL demo code * perf: Translate * perf: Change secret translate * perf: Translate * perf: update some i18n * perf: translate * perf: Ansible playbook * perf: update some choice * perf: update some choice * perf: update account serializer remote unused code * perf: conflict * perf: update import --------- Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng <1304903146@qq.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: wangruidong <940853815@qq.com> Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com> Co-authored-by: zhaojisen <1301338853@qq.com>
2025-09-18 00:08:31 +00:00 · 2025-02-21 16:39:57 +08:00
parent d516349a68
commit 3f4141ca0b
399 changed files with 14655 additions and 15063 deletions
--- a/apps/accounts/demos/go/jms_pam.go
+++ b/apps/accounts/demos/go/jms_pam.go
@@ -0,0 +1,162 @@
+package main
+
+import (
+    "encoding/json"
+    "fmt"
+    "net/http"
+    "net/url"
+
+    "github.com/google/uuid"
+    "gopkg.in/twindagger/httpsig.v1"
+)
+
+const DefaultOrgId = "00000000-0000-0000-0000-000000000002"
+
+type RequestParamsError struct {
+	Params []string
+}
+
+func (e *RequestParamsError) Error() string {
+	return fmt.Sprintf("At least one of the following fields must be provided: %v.", e.Params)
+}
+
+type SecretRequest struct {
+	AccountID string
+	AssetID   string
+	Asset     string
+	Account   string
+	Method    string
+}
+
+func NewSecretRequest(asset, assetID, account, accountID string) (*SecretRequest, error) {
+	req := &SecretRequest{
+		Asset:     asset,
+		AssetID:   assetID,
+		Account:   account,
+		AccountID: accountID,
+		Method:    http.MethodGet,
+	}
+
+	return req, req.validate()
+}
+
+func (r *SecretRequest) validate() error {
+	if r.AccountID != "" {
+        if _, err := uuid.Parse(r.AccountID); err != nil {
+            return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AccountID)
+        }
+		return nil
+	}
+
+	if r.AssetID == "" && r.Asset == "" {
+		return &RequestParamsError{Params: []string{"asset", "asset_id"}}
+	}
+
+	if r.Account == "" {
+		return &RequestParamsError{Params: []string{"account", "account_id"}}
+	}
+
+	if r.AssetID != "" {
+		if _, err := uuid.Parse(r.AssetID); err != nil {
+			return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AssetID)
+		}
+	}
+	return nil
+}
+
+func (r *SecretRequest) GetURL() string {
+	return "/api/v1/accounts/service-integrations/account-secret/"
+}
+
+func (r *SecretRequest) GetQuery() url.Values {
+	query := url.Values{}
+	if r.AccountID != "" {
+		query.Add("account_id", r.AccountID)
+	}
+	if r.AssetID != "" {
+		query.Add("asset_id", r.AssetID)
+	}
+	if r.Asset != "" {
+		query.Add("asset", r.Asset)
+	}
+	if r.Account != "" {
+		query.Add("account", r.Account)
+	}
+	return query
+}
+
+type Secret struct {
+	Secret string          `json:"secret,omitempty"`
+	Desc   json.RawMessage `json:"desc,omitempty"`
+	Valid  bool            `json:"valid"`
+}
+
+func FromResponse(response *http.Response) Secret {
+	var secret Secret
+	defer response.Body.Close()
+	if response.StatusCode != http.StatusOK {
+		var raw json.RawMessage
+		if err := json.NewDecoder(response.Body).Decode(&raw); err == nil {
+			secret.Desc = raw
+		} else {
+			secret.Desc = json.RawMessage(`{"error": "Unknown error occurred"}`)
+		}
+	} else {
+		_ = json.NewDecoder(response.Body).Decode(&secret)
+		secret.Valid = true
+	}
+	return secret
+}
+
+type JumpServerPAM struct {
+	Endpoint   string
+	KeyID      string
+	KeySecret  string
+	OrgID      string
+	httpClient *http.Client
+}
+
+func NewJumpServerPAM(endpoint, keyID, keySecret, orgID string) *JumpServerPAM {
+	if orgID == "" {
+		orgID = DefaultOrgId
+	}
+	return &JumpServerPAM{
+		Endpoint:   endpoint,
+		KeyID:      keyID,
+		KeySecret:  keySecret,
+		OrgID:      orgID,
+		httpClient: &http.Client{},
+	}
+}
+
+func (c *JumpServerPAM) SignRequest(r *http.Request) error {
+	headers := []string{"(request-target)", "date"}
+	signer, err := httpsig.NewRequestSigner(c.KeyID, c.KeySecret, "hmac-sha256")
+	if err != nil {
+		return err
+	}
+	return signer.SignRequest(r, headers, nil)
+}
+
+func (c *JumpServerPAM) Send(req *SecretRequest) (Secret, error) {
+	fullUrl := c.Endpoint + req.GetURL()
+	query := req.GetQuery()
+	fullURL := fmt.Sprintf("%s?%s", fullUrl, query.Encode())
+
+	request, err := http.NewRequest(req.Method, fullURL, nil)
+	if err != nil {
+		return Secret{}, err
+	}
+	request.Header.Set("Accept", "application/json")
+	request.Header.Set("X-Source", "jms-pam")
+	err = c.SignRequest(request)
+	if err != nil {
+		return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
+	}
+	response, err := c.httpClient.Do(request)
+	if err != nil {
+		return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
+	}
+
+	return FromResponse(response), nil
+}