mirror of
https://github.com/jumpserver/jumpserver.git
synced 2025-09-19 01:45:27 +00:00
merge: with pam (#14911)
* perf: change i18n
* perf: pam
* perf: change translate
* perf: add check account
* perf: add date field
* perf: add account filter
* perf: remove some js
* perf: add account status action
* perf: update pam
* perf: 修改 discover account
* perf: update filter
* perf: update gathered account
* perf: 修改账号同步
* perf: squash migrations
* perf: update pam
* perf: change i18n
* perf: update account risk
* perf: 更新风险发现
* perf: remove css
* perf: Admin connection token
* perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks
* perf: Modify account migration files
* perf: update pam
* perf: remove to check account dir
* perf: Admin connection token
* perf: update check account
* perf: 优化发送结果
* perf: update pam
* perf: update bulk update create
* perf: prepaire using thread timer for bulk_create_decorator
* perf: update bulk create decorator
* perf: 优化 playbook manager
* perf: 优化收集账号的报表
* perf: Update poetry
* perf: Update Dockerfile with new base image tag
* fix: Account migrate 0012 file
* perf: 修改备份
* perf: update pam
* fix: Expand resource_type filter to include raw type
* feat: PAM Service (#14552)
* feat: PAM Service
* perf: import package name
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
* perf: Change secret dashboard (#14551)
Co-authored-by: feng <1304903146@qq.com>
* perf: update migrations
* perf: 修改支持 pam
* perf: Change secret record table dashboard
* perf: update status
* fix: Automation send report
* perf: Change secret report
* feat: windows accounts gather
* perf: update change status
* perf: Account backup
* perf: Account backup report
* perf: Account migrate
* perf: update service to application
* perf: update migrations
* perf: update logo
* feat: oracle accounts gather (#14571)
* feat: oracle accounts gather
* feat: sqlserver accounts gather
* feat: postgresql accounts gather
* feat: mysql accounts gather
---------
Co-authored-by: wangruidong <940853815@qq.com>
* feat: mongodb accounts gather
* perf: Change secret
* perf: Migrate
* perf: Merge conflicting migration files
* perf: Change secret
* perf: Automation filter org
* perf: Account push
* perf: Random secret string
* perf: Enhance SQL query and update risk handling in accounts
* perf: Ticket filter assignee_id
* perf: 修改 account remote
* perf: 修改一些 adhoc 任务
* perf: Change secret
* perf: Remove push account extra api
* perf: update status
* perf: The entire organization can view activity log
* fix: risk field check
* perf: add account details api
* perf: add demo mode
* perf: Delete gather_account
* perf: Perfect solution to account version problem
* perf: Update status action to handle multiple accounts
* perf: Add GatherAccountDetailField and update serializers
* perf: Display account history in combination with password change records
* perf: Lina translate
* fix: Update mysql_filter to handle nested user info
* perf: Admin connection token validate_permission account
* perf: copy move account
* perf: account filter risk
* perf: account risk filter
* perf: Copy move account failed message
* fix: gather account sync account to asset
* perf: Pam dashboard
* perf: Account dashboard total accounts
* perf: Pam dashboard
* perf: Change secret filter account secret_reset
* perf: 修改 risk filter
* perf: pam translate
* feat: Check for leaked duplicate passwords. (#14711)
* feat: Check for leaked duplicate passwords.
* perf: Use SQLite instead of txt as leak password database
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: 老广 <ibuler@qq.com>
* perf: merge with remote
* perf: Add risk change_password_add handle
* perf: Pam dashboard
* perf: check account manager import
* perf: 重构扫描
* perf: 修改 db
* perf: Gather account manager
* perf: update change db lib
* perf: dashboard
* perf: Account gather
* perf: 修改 asset get queryset
* perf: automation report
* perf: Pam account
* perf: Pam dashboard api
* perf: risk add account
* perf: 修改 risk check
* perf: Risk account
* perf: update risk add reopen action
* perf: add pylintrc
* Revert "perf: automation report"
This reverts commit 22aee54207.
* perf: check account engine
* perf: Perf: Optimism Gather Report Style
* Perf: Remove unuser actions
* Perf: Perf push account
* perf: perf gather account
* perf: Automation report
* perf: Push account recorder
* perf: Push account record
* perf: Pam dashboard
* perf: perf
* perf: update intergration
* perf: integrations application detail add account tab page
* feat: Custom change password supports configuration of interactive items
* perf: Go and Python demo code
* perf: Custom secret change
* perf: add user filter
* perf: translate
* perf: Add demo code docs
* perf: update some i18n
* perf: update some i18n
* perf: Add Java, Node, Go, and cURL demo code
* perf: Translate
* perf: Change secret translate
* perf: Translate
* perf: update some i18n
* perf: translate
* perf: Ansible playbook
* perf: update some choice
* perf: update some choice
* perf: update account serializer remote unused code
* perf: conflict
* perf: update import
---------
Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng <1304903146@qq.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
Co-authored-by: zhaojisen <1301338853@qq.com>
This commit is contained in:
fit2bot
GitHub
@@ -29,16 +29,16 @@ from terminal.models import EndpointRule, Endpoint
|
||||
from users.const import FileNameConflictResolution
|
||||
from users.const import RDPSmartSize, RDPColorQuality
|
||||
from users.models import Preference
|
||||
from ..models import ConnectionToken, AdminConnectionToken, date_expired_default
|
||||
from .face import FaceMonitorContext
|
||||
from ..mixins import AuthFaceMixin
|
||||
from ..models import ConnectionToken, date_expired_default
|
||||
from ..serializers import (
|
||||
ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
|
||||
SuperConnectionTokenSerializer, ConnectTokenAppletOptionSerializer,
|
||||
ConnectionTokenReusableSerializer, ConnectTokenVirtualAppOptionSerializer
|
||||
)
|
||||
|
||||
__all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']
|
||||
__all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet', 'AdminConnectionTokenViewSet']
|
||||
logger = get_logger(__name__)
|
||||
|
||||
|
||||
@@ -664,3 +664,14 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
|
||||
else:
|
||||
logger.error('Release applet account error: {}'.format(lock_key))
|
||||
return Response({'error': 'not found or expired'}, status=400)
|
||||
|
||||
|
||||
class AdminConnectionTokenViewSet(ConnectionTokenViewSet):
|
||||
|
||||
def check_permissions(self, request):
|
||||
user = request.user
|
||||
if not user.is_superuser:
|
||||
self.permission_denied(request)
|
||||
|
||||
def get_queryset(self):
|
||||
return AdminConnectionToken.objects.all()
|
||||
|
||||
@@ -7,9 +7,10 @@ from django.utils import timezone
|
||||
from django.utils.translation import gettext as _
|
||||
from rest_framework import authentication, exceptions
|
||||
|
||||
from accounts.models import IntegrationApplication
|
||||
from common.auth import signature
|
||||
from common.decorators import merge_delay_run
|
||||
from common.utils import get_object_or_none, get_request_ip_or_data, contains_ip
|
||||
from common.utils import get_object_or_none, get_request_ip_or_data, contains_ip, get_request_ip
|
||||
from users.models import User
|
||||
from ..models import AccessKey, PrivateToken
|
||||
|
||||
@@ -33,6 +34,13 @@ def update_user_last_used(users=()):
|
||||
User.objects.filter(id__in=users).update(date_api_key_last_used=timezone.now())
|
||||
|
||||
|
||||
@merge_delay_run(ttl=60)
|
||||
def update_service_integration_last_used(service_integrations=()):
|
||||
IntegrationApplication.objects.filter(
|
||||
id__in=service_integrations
|
||||
).update(date_last_used=timezone.now())
|
||||
|
||||
|
||||
def after_authenticate_update_date(user, token=None):
|
||||
update_user_last_used.delay(users=(user.id,))
|
||||
if token:
|
||||
@@ -146,3 +154,30 @@ class SignatureAuthentication(signature.SignatureAuthentication):
|
||||
return True
|
||||
except (AccessKey.DoesNotExist, exceptions.ValidationError):
|
||||
return False
|
||||
|
||||
|
||||
class ServiceAuthentication(signature.SignatureAuthentication):
|
||||
__instance = None
|
||||
source = 'jms-pam'
|
||||
|
||||
def get_object(self, key_id):
|
||||
if not self.__instance:
|
||||
self.__instance = IntegrationApplication.objects.filter(
|
||||
id=key_id, is_active=True,
|
||||
).first()
|
||||
return self.__instance
|
||||
|
||||
def fetch_user_data(self, key_id, algorithm=None):
|
||||
obj = self.get_object(key_id)
|
||||
if not obj:
|
||||
return None, None
|
||||
return obj, obj.secret
|
||||
|
||||
def is_ip_allow(self, key_id, request):
|
||||
obj = self.get_object(key_id)
|
||||
if not contains_ip(get_request_ip(request), obj.ip_group):
|
||||
return False
|
||||
return True
|
||||
|
||||
def after_authenticate_update_date(self, user):
|
||||
update_service_integration_last_used.delay((user.id,))
|
||||
|
||||
@@ -49,3 +49,9 @@ class FaceMonitorActionChoices(TextChoices):
|
||||
Verify = 'verify', 'verify'
|
||||
Pause = 'pause', 'pause'
|
||||
Resume = 'resume', 'resume'
|
||||
|
||||
|
||||
class ConnectionTokenType(TextChoices):
|
||||
ADMIN = 'admin', 'Admin'
|
||||
SUPER = 'super', 'Super'
|
||||
USER = 'user', 'User'
|
||||
|
||||
@@ -1,9 +1,8 @@
|
||||
from authentication.mfa.base import BaseMFA
|
||||
from django.conf import settings
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from authentication.mfa.base import BaseMFA
|
||||
from authentication.mixins import AuthFaceMixin
|
||||
from common.const import LicenseEditionChoices
|
||||
from settings.api import settings
|
||||
|
||||
|
||||
class MFAFace(BaseMFA, AuthFaceMixin):
|
||||
@@ -31,9 +30,9 @@ class MFAFace(BaseMFA, AuthFaceMixin):
|
||||
@staticmethod
|
||||
def global_enabled():
|
||||
return (
|
||||
settings.XPACK_LICENSE_IS_VALID and
|
||||
settings.XPACK_LICENSE_EDITION_ULTIMATE and
|
||||
settings.FACE_RECOGNITION_ENABLED
|
||||
settings.XPACK_LICENSE_IS_VALID and
|
||||
settings.XPACK_LICENSE_EDITION_ULTIMATE and
|
||||
settings.FACE_RECOGNITION_ENABLED
|
||||
)
|
||||
|
||||
def get_enable_url(self) -> str:
|
||||
|
||||
@@ -1,14 +1,15 @@
|
||||
# Generated by Django 4.1.13 on 2024-05-09 03:16
|
||||
|
||||
import uuid
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
import authentication.models.access_key
|
||||
import authentication.models.connection_token
|
||||
import common.db.fields
|
||||
from django.db import migrations, models
|
||||
import uuid
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
initial = True
|
||||
|
||||
dependencies = [
|
||||
@@ -18,9 +19,11 @@ class Migration(migrations.Migration):
|
||||
migrations.CreateModel(
|
||||
name='AccessKey',
|
||||
fields=[
|
||||
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False, verbose_name='AccessKeyID')),
|
||||
('secret', models.CharField(default=authentication.models.access_key.default_secret, max_length=36, verbose_name='AccessKeySecret')),
|
||||
('ip_group', models.JSONField(default=authentication.models.access_key.default_ip_group, verbose_name='IP group')),
|
||||
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False,
|
||||
verbose_name='AccessKeyID')),
|
||||
('secret', models.CharField(default=authentication.models.default_secret, max_length=36,
|
||||
verbose_name='AccessKeySecret')),
|
||||
('ip_group', models.JSONField(default=authentication.models.default_ip_group, verbose_name='IP group')),
|
||||
('is_active', models.BooleanField(default=True, verbose_name='Active')),
|
||||
('date_last_used', models.DateTimeField(blank=True, null=True, verbose_name='Date last used')),
|
||||
('date_created', models.DateTimeField(auto_now_add=True)),
|
||||
@@ -38,24 +41,30 @@ class Migration(migrations.Migration):
|
||||
('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
|
||||
('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
|
||||
('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
|
||||
('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
|
||||
('org_id',
|
||||
models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
|
||||
('value', models.CharField(default='', max_length=64, verbose_name='Value')),
|
||||
('account', models.CharField(max_length=128, verbose_name='Account name')),
|
||||
('input_username', models.CharField(blank=True, default='', max_length=128, verbose_name='Input username')),
|
||||
('input_secret', common.db.fields.EncryptTextField(blank=True, default='', max_length=64, verbose_name='Input secret')),
|
||||
('input_username',
|
||||
models.CharField(blank=True, default='', max_length=128, verbose_name='Input username')),
|
||||
('input_secret',
|
||||
common.db.fields.EncryptTextField(blank=True, default='', max_length=64, verbose_name='Input secret')),
|
||||
('protocol', models.CharField(default='ssh', max_length=16, verbose_name='Protocol')),
|
||||
('connect_method', models.CharField(max_length=32, verbose_name='Connect method')),
|
||||
('connect_options', models.JSONField(default=dict, verbose_name='Connect options')),
|
||||
('user_display', models.CharField(default='', max_length=128, verbose_name='User display')),
|
||||
('asset_display', models.CharField(default='', max_length=128, verbose_name='Asset display')),
|
||||
('is_reusable', models.BooleanField(default=False, verbose_name='Reusable')),
|
||||
('date_expired', models.DateTimeField(default=authentication.models.connection_token.date_expired_default, verbose_name='Date expired')),
|
||||
('date_expired',
|
||||
models.DateTimeField(default=authentication.models.connection_token.date_expired_default,
|
||||
verbose_name='Date expired')),
|
||||
('is_active', models.BooleanField(default=True, verbose_name='Active')),
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Connection token',
|
||||
'ordering': ('-date_expired',),
|
||||
'permissions': [('expire_connectiontoken', 'Can expire connection token'), ('reuse_connectiontoken', 'Can reuse connection token')],
|
||||
'permissions': [('expire_connectiontoken', 'Can expire connection token'),
|
||||
('reuse_connectiontoken', 'Can reuse connection token')],
|
||||
},
|
||||
),
|
||||
migrations.CreateModel(
|
||||
@@ -98,7 +107,8 @@ class Migration(migrations.Migration):
|
||||
('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
|
||||
('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
|
||||
('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
|
||||
('authkey', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False, verbose_name='Token')),
|
||||
('authkey',
|
||||
models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False, verbose_name='Token')),
|
||||
('expired', models.BooleanField(default=False, verbose_name='Expired')),
|
||||
],
|
||||
options={
|
||||
|
||||
30
apps/authentication/migrations/0004_connectiontoken_type.py
Normal file
30
apps/authentication/migrations/0004_connectiontoken_type.py
Normal file
@@ -0,0 +1,30 @@
|
||||
# Generated by Django 4.1.13 on 2024-11-11 11:04
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('authentication', '0003_sshkey'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name='connectiontoken',
|
||||
name='type',
|
||||
field=models.CharField(choices=[('admin', 'Admin'), ('super', 'Super'), ('user', 'User')], default='user', max_length=16, verbose_name='Type'),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='AdminConnectionToken',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Admin connection token',
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('authentication.connectiontoken',),
|
||||
),
|
||||
]
|
||||
@@ -5,6 +5,8 @@ from django.db import models
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
import common.db.models
|
||||
|
||||
from common.db.utils import default_ip_group
|
||||
from common.utils.random import random_string
|
||||
|
||||
|
||||
@@ -12,10 +14,6 @@ def default_secret():
|
||||
return random_string(36)
|
||||
|
||||
|
||||
def default_ip_group():
|
||||
return ["*"]
|
||||
|
||||
|
||||
class AccessKey(models.Model):
|
||||
id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True, default=uuid.uuid4, editable=False)
|
||||
secret = models.CharField(verbose_name='AccessKeySecret', default=default_secret, max_length=36)
|
||||
|
||||
@@ -12,6 +12,7 @@ from rest_framework.exceptions import PermissionDenied
|
||||
from accounts.models import VirtualAccount
|
||||
from assets.const import Protocol
|
||||
from assets.const.host import GATEWAY_NAME
|
||||
from authentication.const import ConnectionTokenType
|
||||
from common.db.fields import EncryptTextField
|
||||
from common.exceptions import JMSException
|
||||
from common.utils import lazyproperty, pretty_string, bulk_get
|
||||
@@ -26,6 +27,8 @@ def date_expired_default():
|
||||
|
||||
|
||||
class ConnectionToken(JMSOrgBaseModel):
|
||||
_type = ConnectionTokenType.USER
|
||||
|
||||
value = models.CharField(max_length=64, default='', verbose_name=_("Value"))
|
||||
user = models.ForeignKey(
|
||||
'users.User', on_delete=models.SET_NULL, null=True, blank=True,
|
||||
@@ -53,6 +56,11 @@ class ConnectionToken(JMSOrgBaseModel):
|
||||
face_monitor_token = models.CharField(max_length=128, null=True, blank=True, verbose_name=_("Face monitor token"))
|
||||
is_active = models.BooleanField(default=True, verbose_name=_("Active"))
|
||||
|
||||
type = models.CharField(
|
||||
max_length=16, choices=ConnectionTokenType.choices,
|
||||
default=ConnectionTokenType.USER, verbose_name=_('Type')
|
||||
)
|
||||
|
||||
class Meta:
|
||||
ordering = ('-date_expired',)
|
||||
permissions = [
|
||||
@@ -61,6 +69,10 @@ class ConnectionToken(JMSOrgBaseModel):
|
||||
]
|
||||
verbose_name = _('Connection token')
|
||||
|
||||
def save(self, *args, **kwargs):
|
||||
self.type = self._meta.model._type
|
||||
return super().save(*args, **kwargs)
|
||||
|
||||
@property
|
||||
def is_expired(self):
|
||||
return self.date_expired < timezone.now()
|
||||
@@ -269,9 +281,28 @@ class ConnectionToken(JMSOrgBaseModel):
|
||||
|
||||
|
||||
class SuperConnectionToken(ConnectionToken):
|
||||
_type = ConnectionTokenType.SUPER
|
||||
|
||||
class Meta:
|
||||
proxy = True
|
||||
permissions = [
|
||||
('view_superconnectiontokensecret', _('Can view super connection token secret'))
|
||||
]
|
||||
verbose_name = _("Super connection token")
|
||||
|
||||
|
||||
class AdminConnectionTokenManager(models.Manager):
|
||||
def get_queryset(self):
|
||||
queryset = super().get_queryset()
|
||||
queryset = queryset.filter(type=ConnectionTokenType.ADMIN)
|
||||
return queryset
|
||||
|
||||
|
||||
class AdminConnectionToken(ConnectionToken):
|
||||
_type = ConnectionTokenType.ADMIN
|
||||
|
||||
objects = AdminConnectionTokenManager()
|
||||
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _("Admin connection token")
|
||||
|
||||
@@ -402,6 +402,14 @@
|
||||
</button>
|
||||
</div>
|
||||
|
||||
{% if demo_mode %}
|
||||
<div>
|
||||
<p class="red-fonts" style='text-align: center;'>
|
||||
{% trans 'Username' %}: demo {% trans 'Password' %}: jumpserver
|
||||
</p>
|
||||
</div>
|
||||
{% endif %}
|
||||
|
||||
<div class="more-login">
|
||||
{% if auth_methods %}
|
||||
<div class="more-methods-title {{ current_lang.code }}">
|
||||
|
||||
@@ -13,6 +13,7 @@ router.register('sso', api.SSOViewSet, 'sso')
|
||||
router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
|
||||
router.register('connection-token', api.ConnectionTokenViewSet, 'connection-token')
|
||||
router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'super-connection-token')
|
||||
router.register('admin-connection-token', api.AdminConnectionTokenViewSet, 'admin-connection-token')
|
||||
router.register('confirm', api.UserConfirmationViewSet, 'confirm')
|
||||
router.register('ssh-key', api.SSHkeyViewSet, 'ssh-key')
|
||||
|
||||
|
||||
Reference in New Issue
Block a user