perf: Add retention period for expired user tokens and implement cleanup task

2025-06-24 14:02:01 +00:00 · 2025-05-29 15:19:30 +08:00 · 2025-05-29 15:19:30 +08:00 · 3f85c67aee
commit 3f85c67aee
parent 53a84850dc
6 changed files with 267 additions and 194 deletions
--- a/apps/authentication/tasks.py
+++ b/apps/authentication/tasks.py
@ -1,12 +1,18 @@
 # -*- coding: utf-8 -*-
 #
+import datetime
+import logging

 from celery import shared_task
+from django.conf import settings
 from django.contrib.sessions.models import Session
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _

+from authentication.models import ConnectionToken, TempToken
+from common.const.crontab import CRONTAB_AT_AM_TWO
 from ops.celery.decorator import register_as_period_task
+from orgs.utils import tmp_to_root_org


@shared_task(
@ -18,3 +24,26 @@ from ops.celery.decorator import register_as_period_task
@register_as_period_task(interval=3600 * 24)
 def clean_django_sessions():
    Session.objects.filter(expire_date__lt=timezone.now()).delete()
+
+
+@shared_task(
+    verbose_name=_('Clean expired temporary, connection tokens'),
+    description=_(
+        "When connecting to assets or generating temporary passwords, the system creates corresponding connection "
+        "tokens or temporary credential records. To maintain security and manage storage, the system automatically "
+        "deletes expired tokens every day at 2:00 AM based on the retention settings configured under System settings "
+        "> Security > User password > Token Retention Period"
+    )
+)
+@register_as_period_task(crontab=CRONTAB_AT_AM_TWO)
+def clean_expire_token():
+    logging.info('Cleaning expired temporary and connection tokens...')
+    with tmp_to_root_org():
+        now = timezone.now()
+        days = settings.SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS
+        expired_time = now - datetime.timedelta(days=days)
+        count = ConnectionToken.objects.filter(date_expired__lt=expired_time).delete()
+        logging.info('Deleted %d expired connection tokens.', count[0])
+        count = TempToken.objects.filter(date_expired__lt=expired_time).delete()
+        logging.info('Deleted %d temporary tokens.', count[0])
+    logging.info('Cleaned expired temporary and connection tokens.')
--- a/apps/i18n/core/zh/LC_MESSAGES/django.po
+++ b/apps/i18n/core/zh/LC_MESSAGES/django.po
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -577,6 +577,7 @@ class Config(dict):
        'SECURITY_MAX_IDLE_TIME': 30,
        'SECURITY_MAX_SESSION_TIME': 24,
        'SECURITY_PASSWORD_EXPIRATION_TIME': 9999,
+        'SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS': 180,
        'SECURITY_PASSWORD_MIN_LENGTH': 6,
        'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': 6,
        'SECURITY_PASSWORD_UPPER_CASE': False,
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -40,6 +40,7 @@ SECURITY_MAX_SESSION_TIME = CONFIG.SECURITY_MAX_SESSION_TIME  # Unit: hour
 SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION
 SECURITY_COMMAND_BLACKLIST = CONFIG.SECURITY_COMMAND_BLACKLIST
 SECURITY_PASSWORD_EXPIRATION_TIME = CONFIG.SECURITY_PASSWORD_EXPIRATION_TIME  # Unit: day
+SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS = CONFIG.SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS
 SECURITY_PASSWORD_MIN_LENGTH = CONFIG.SECURITY_PASSWORD_MIN_LENGTH  # Unit: bit
 SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH = CONFIG.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH  # Unit: bit
 OLD_PASSWORD_HISTORY_LIMIT_COUNT = CONFIG.OLD_PASSWORD_HISTORY_LIMIT_COUNT
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@ -27,6 +27,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
    SECURITY_COMMAND_EXECUTION = serializers.BooleanField()
    SECURITY_COMMAND_BLACKLIST = serializers.ListField()
    SECURITY_PASSWORD_EXPIRATION_TIME = serializers.IntegerField()
+    SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS = serializers.IntegerField()
    SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
    SECURITY_WATERMARK_SESSION_CONTENT = serializers.CharField()
--- a/apps/settings/serializers/security.py
+++ b/apps/settings/serializers/security.py
@ -23,6 +23,11 @@ class SecurityPasswordRuleSerializer(serializers.Serializer):
            'automatic sent to the user by system within 5 days (daily) before the password expires'
        )
    )
+    SECURITY_EXPIRED_TOKEN_RECORD_KEEP_DAYS = serializers.IntegerField(
+        min_value=1, max_value=99999, required=True,
+        label=_('User expired tokens record keep days'),
+        help_text=_("Retention period (in days) for expired user tokens before automatic cleanup.")
+    )
    OLD_PASSWORD_HISTORY_LIMIT_COUNT = serializers.IntegerField(
        min_value=0, max_value=99999, required=True,
        label=_('Recent password count'),