
perf: perm account valid

This commit is contained in:
ibuler 2025-04-08 14:57:49 +08:00 committed by 老广
parent 45f0343cfa
commit ba3bce1e2e
6 changed files with 34 additions and 22 deletions
apps
accounts
models
serializers/account
assets/models/asset
authentication
perms/utils


@ -136,24 +136,36 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
"""
if self.username.startswith('@'):
return self.username
return self.id
return str(self.id)
def is_ds_account(self):
if self.username.startswith('@'):
return False
if self.platform.category == 'ds':
return True
return False
@lazyproperty
def ds_id(self):
if self.username.startswith('@'):
return None
if self.platform.category == 'ds':
if self.is_ds_account():
return self.asset.ds.id
return None
@lazyproperty
def ds_domain(self):
if self.username.startswith('@'):
return None
if self.ds_id:
return self.asset.ds.domain_name
return None
@lazyproperty
def ds(self):
if not self.is_ds_account():
return {}
return {
'id': self.ds_id,
'domain': self.ds_domain,
}
@lazyproperty
def full_username(self):
if self.ds_domain:
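Review bot: The new `is_ds_account` is a plain method while the `ds_id`, `ds_domain` and `ds` properties that call it are `@lazyproperty`, so `ds_id` and `ds` each evaluate `self.platform.category` on their own first access instead of sharing one cached answer; declaring it `@lazyproperty` as well (and reading `self.is_ds_account` rather than calling it) would keep the helper consistent with its neighbours. The `self.username.startswith('@')` guard kept at the top of `ds_id` is now redundant, since `is_ds_account()` already returns False for such usernames. `ds_id` still dereferences `self.asset.ds.id` unconditionally, so if `asset.ds` can be unset for a 'ds' platform it raises instead of returning None — worth confirming against `Asset.ds`. A one-line docstring such as `"""Return True for a real (non-'@' alias) account whose platform category is 'ds'."""` would document the convention the three properties now rely on. The method that ends with `return str(self.id)` begins before the hunk.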


@ -241,7 +241,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
'date_change_secret', 'change_secret_status'
]
fields = BaseAccountSerializer.Meta.fields + [
'su_from', 'asset', 'version', 'ds_domain',
'su_from', 'asset', 'version', 'ds_domain', 'ds_id',
'source', 'source_id', 'secret_reset',
] + AccountCreateUpdateSerializerMixin.Meta.fields + automation_fields
read_only_fields = BaseAccountSerializer.Meta.read_only_fields + automation_fields
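Review bot: `ds_id` is added to `fields` but not to `read_only_fields`, and `ds_domain` beside it is in the same position; both are `@lazyproperty` attributes on `Account` rather than model fields, so DRF presumably builds a read-only field for them automatically, but listing them explicitly, e.g. `read_only_fields = BaseAccountSerializer.Meta.read_only_fields + automation_fields + ['ds_domain', 'ds_id']`, makes the intent visible and guards against a writable field ever being declared under either name. The `Meta` class continues outside the hunk.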


@ -256,7 +256,7 @@ class Asset(NodesRelationMixin, LabeledMixin, AbsConnectivity, JSONFilterMixin,
@lazyproperty
def all_valid_accounts(self):
queryset = (self.all_accounts.filter(is_active=True)
.prefetch_related('asset', 'asset__platform', 'asset__platform__ad'))
.prefetch_related('asset', 'asset__platform', 'asset__platform__ds'))
return queryset
@lazyproperty
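Review bot: The prefetch path becomes `asset__platform__ds`, but the `Account.ds_id` and `ds_domain` properties in this same commit read `self.asset.ds.id` and `self.asset.ds.domain_name`, so unless `Asset.ds` resolves to the prefetched `platform.ds` relation, iterating `all_valid_accounts` and serializing `ds_id`/`ds_domain` will still issue one query per account; confirm what `Asset.ds` is and, if it is a separate relation, add `'asset__ds'` to the prefetch list. A short docstring would also help, e.g. `"""Active accounts of this asset with the asset, platform and platform DS relations prefetched."""`. `all_valid_accounts` fits within the hunk; the enclosing class does not.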


@ -408,22 +408,22 @@ class ConnectionTokenViewSet(AuthFaceMixin, ExtraActionApiMixin, RootOrgViewMixi
def validate_exchange_token(self, token):
user = token.user
asset = token.asset
account_name = token.account
_data = self._validate(user, asset, account_name, token.protocol, token.connect_method)
account_alias = token.account
_data = self._validate(user, asset, account_alias, token.protocol, token.connect_method)
for k, v in _data.items():
setattr(token, k, v)
return token
def _validate(self, user, asset, account_name, protocol, connect_method):
def _validate(self, user, asset, account_alias, protocol, connect_method):
data = dict()
data['org_id'] = asset.org_id
data['user'] = user
data['value'] = random_string(16)
if account_name == AliasAccount.ANON and asset.category not in ['web', 'custom']:
if account_alias == AliasAccount.ANON and asset.category not in ['web', 'custom']:
raise ValidationError(_('Anonymous account is not supported for this asset'))
account = self._validate_perm(user, asset, account_name, protocol)
account = self._validate_perm(user, asset, account_alias, protocol)
if account.has_secret:
data['input_secret'] = ''
@ -442,11 +442,11 @@ class ConnectionTokenViewSet(AuthFaceMixin, ExtraActionApiMixin, RootOrgViewMixi
return data
@staticmethod
def get_permed_account(user, asset, account_name, protocol):
return ConnectionToken.get_user_permed_account(user, asset, account_name, protocol)
def get_permed_account(user, asset, account_alias, protocol):
return ConnectionToken.get_user_permed_account(user, asset, account_alias, protocol)
def _validate_perm(self, user, asset, account_name, protocol):
account = self.get_permed_account(user, asset, account_name, protocol)
def _validate_perm(self, user, asset, account_alias, protocol):
account = self.get_permed_account(user, asset, account_alias, protocol)
if not account or not account.actions:
msg = _('Account not found')
raise JMSException(code='perm_account_invalid', detail=msg)
@ -616,7 +616,7 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
raise PermissionDenied('Not allow to view secret')
token_id = request.data.get('id') or ''
token = ConnectionToken.get_typed_connection_token(token_id)
token = ConnectionToken.get_typed_connection_token(token_id)
token.is_valid()
serializer = self.get_serializer(instance=token)
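Review bot: The `account_name` → `account_alias` rename on `_validate`, `get_permed_account` and `_validate_perm` in the first two hunks (and on `ConnectionToken.get_user_permed_account` and `PermAssetDetailUtil.validate_permission` in the following two files) changes a positional parameter's name, so any caller outside this commit that passes `account_name=` by keyword will now fail with a TypeError; `get_permed_account` in particular is a `@staticmethod` other modules can call directly, so a repository-wide search for the old keyword is worth doing before merge. In `_validate_perm`, `Account not found` is raised whenever `get_permed_account` returns None, which per the perms/utils hunk also happens when the requested protocol is not permitted, so a protocol denial is reported to the client as a missing account; a comment such as `# None covers both "no such permitted account" and "protocol not permitted"` above the check would at least make that visible. The third hunk appears to change only whitespace on the `get_typed_connection_token` line. `_validate` and the view set continue outside the hunks.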


@ -121,10 +121,10 @@ class ConnectionToken(JMSOrgBaseModel):
self.save()
@classmethod
def get_user_permed_account(cls, user, asset, account_name, protocol):
def get_user_permed_account(cls, user, asset, account_alias, protocol):
from perms.utils import PermAssetDetailUtil
permed_account = PermAssetDetailUtil(user, asset) \
.validate_permission(account_name, protocol)
.validate_permission(account_alias, protocol)
return permed_account
def get_permed_account(self):


@ -38,14 +38,14 @@ class PermAssetDetailUtil:
queryset = Asset.objects.filter(id=self.asset_id)
return queryset.get()
def validate_permission(self, account_name, protocol):
def validate_permission(self, account_alias, protocol):
with tmp_to_org(self.asset.org):
protocols = self.get_permed_protocols_for_user(only_name=True)
if 'all' not in protocols and protocol not in protocols:
return None
permed_accounts = self.get_permed_accounts_for_user()
accounts_mapper = {account.alias: account for account in permed_accounts}
account = accounts_mapper.get(account_name)
account = accounts_mapper.get(account_alias)
return account
@lazyproperty
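Review bot: `validate_permission` has no docstring although it is the permission gate that connection tokens rely on, and its `None` return is ambiguous: it is returned both when `protocol` is not in the user's permitted protocols and when no permitted account has the requested alias, and the caller in `ConnectionTokenViewSet._validate_perm` reports either as `Account not found`. Propose `"""Return the permitted Account whose alias equals account_alias, or None when the protocol is not permitted for this user or no permitted account carries that alias."""`. With `Account.alias` now `str(self.id)` for non-'@' accounts, the `accounts_mapper` lookup matches only when `account_alias` is already a string; `token.account` appears to be one, but confirm at the call site. The `@lazyproperty` on the last line opens a definition outside the hunk.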