-
JumpServer {% trans 'Client' %} v1.1.6
+
JumpServer {% trans 'Client' %} v1.1.7
{% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index 225b3300a..f864c6d13 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -1,15 +1,16 @@
from rest_framework.decorators import action
from rest_framework.response import Response
from rest_framework import status
+from rest_framework.request import Request
from common.drf.api import JMSBulkModelViewSet
from django.utils.translation import ugettext_lazy as _
from django.shortcuts import get_object_or_404
from assets.models import Asset
from orgs.utils import tmp_to_root_org
from terminal.models import Session
-from common.permissions import IsValidUser
from ..models import Endpoint, EndpointRule
from .. import serializers
+from common.permissions import IsValidUserOrConnectionToken
__all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
@@ -17,39 +18,43 @@ __all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
class SmartEndpointViewMixin:
get_serializer: callable
+ request: Request
- @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
+ # View 处理过程中用的属性
+ target_instance: None
+ target_protocol: None
+
+ @action(methods=['get'], detail=False, permission_classes=[IsValidUserOrConnectionToken],
+ url_path='smart')
def smart(self, request, *args, **kwargs):
- protocol = request.GET.get('protocol')
- if not protocol:
+ self.target_instance = self.get_target_instance()
+ self.target_protocol = self.get_target_protocol()
+ if not self.target_protocol:
error = _('Not found protocol query params')
return Response(data={'error': error}, status=status.HTTP_404_NOT_FOUND)
- endpoint = self.match_endpoint(request, protocol)
+ endpoint = self.match_endpoint()
serializer = self.get_serializer(endpoint)
return Response(serializer.data)
- def match_endpoint(self, request, protocol):
- instance = self.get_target_instance(request)
- endpoint = self.match_endpoint_by_label(instance, protocol)
+ def match_endpoint(self):
+ endpoint = self.match_endpoint_by_label()
if not endpoint:
- endpoint = self.match_endpoint_by_target_ip(request, instance, protocol)
+ endpoint = self.match_endpoint_by_target_ip()
return endpoint
- @staticmethod
- def match_endpoint_by_label(instance, protocol):
- return Endpoint.match_by_instance_label(instance, protocol)
+ def match_endpoint_by_label(self):
+ return Endpoint.match_by_instance_label(self.target_instance, self.target_protocol)
- @staticmethod
- def match_endpoint_by_target_ip(request, instance, protocol):
+ def match_endpoint_by_target_ip(self):
# 用来方便测试
- target_ip = request.GET.get('target_ip', '')
- if not target_ip and callable(getattr(instance, 'get_target_ip', None)):
- target_ip = instance.get_target_ip()
- endpoint = EndpointRule.match_endpoint(target_ip, protocol, request)
+ target_ip = self.request.GET.get('target_ip', '')
+ if not target_ip and callable(getattr(self.target_instance, 'get_target_ip', None)):
+ target_ip = self.target_instance.get_target_ip()
+ endpoint = EndpointRule.match_endpoint(target_ip, self.target_protocol, self.request)
return endpoint
- @staticmethod
- def get_target_instance(request):
+ def get_target_instance(self):
+ request = self.request
asset_id = request.GET.get('asset_id')
session_id = request.GET.get('session_id')
token_id = request.GET.get('token')
@@ -71,6 +76,14 @@ class SmartEndpointViewMixin:
instance = get_object_or_404(model, pk=pk)
return instance
+ def get_target_protocol(self):
+ protocol = None
+ if isinstance(self.target_instance, Application) and self.target_instance.is_type(Application.APP_TYPE.oracle):
+ protocol = self.target_instance.get_target_protocol_for_oracle()
+ if not protocol:
+ protocol = self.request.GET.get('protocol')
+ return protocol
+
class EndpointViewSet(SmartEndpointViewMixin, JMSBulkModelViewSet):
filterset_fields = ('name', 'host')
diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index 1387f6656..20602769c 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -18,7 +18,7 @@ from common.utils.common import lazyproperty
from common.utils import get_logger
from common.utils.timezone import local_now_date_display, utc_now
from common.exceptions import JMSException
-from .models import AbstractSessionCommand
+from terminal.models import Command
logger = get_logger(__file__)
@@ -181,7 +181,7 @@ class CommandStore(object):
item['_source'].update({'id': item['_id']})
source_data.append(item['_source'])
- return AbstractSessionCommand.from_multi_dict(source_data)
+ return Command.from_multi_dict(source_data)
def count(self, **query):
body = self.get_query_body(**query)
diff --git a/apps/terminal/backends/command/models.py b/apps/terminal/backends/command/models.py
index 0a795b905..d6eb7a458 100644
--- a/apps/terminal/backends/command/models.py
+++ b/apps/terminal/backends/command/models.py
@@ -47,21 +47,6 @@ class AbstractSessionCommand(OrgModelMixin):
risk_mapper = dict(cls.RISK_LEVEL_CHOICES)
return risk_mapper.get(risk_level)
- @classmethod
- def from_dict(cls, d):
- self = cls()
- for k, v in d.items():
- setattr(self, k, v)
- return self
-
- @classmethod
- def from_multi_dict(cls, l):
- commands = []
- for d in l:
- command = cls.from_dict(d)
- commands.append(command)
- return commands
-
def to_dict(self):
d = {}
for field in self._meta.fields:
diff --git a/apps/terminal/migrations/0052_auto_20220713_1417.py b/apps/terminal/migrations/0052_auto_20220713_1417.py
new file mode 100644
index 000000000..87ad6ba6a
--- /dev/null
+++ b/apps/terminal/migrations/0052_auto_20220713_1417.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.2.12 on 2022-07-13 06:17
+
+import common.db.fields
+import django.core.validators
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('terminal', '0051_sessionsharing_users'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='endpoint',
+ name='oracle_11g_port',
+ field=common.db.fields.PortField(default=15211, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='Oracle 11g Port'),
+ ),
+ migrations.AddField(
+ model_name='endpoint',
+ name='oracle_12c_port',
+ field=common.db.fields.PortField(default=15212, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='Oracle 12c Port'),
+ ),
+ ]
diff --git a/apps/terminal/models/command.py b/apps/terminal/models/command.py
index 3e94740ff..44edf013c 100644
--- a/apps/terminal/models/command.py
+++ b/apps/terminal/models/command.py
@@ -1,7 +1,5 @@
from __future__ import unicode_literals
-import time
-
from django.db import models
from django.db.models.signals import post_save
from django.utils.translation import ugettext_lazy as _
@@ -47,6 +45,21 @@ class Command(AbstractSessionCommand):
cls.objects.bulk_create(commands)
print(f'Create {len(commands)} commands of org ({org})')
+ @classmethod
+ def from_dict(cls, d):
+ self = cls()
+ for k, v in d.items():
+ setattr(self, k, v)
+ return self
+
+ @classmethod
+ def from_multi_dict(cls, l):
+ commands = []
+ for d in l:
+ command = cls.from_dict(d)
+ commands.append(command)
+ return commands
+
class Meta:
db_table = "terminal_command"
ordering = ('-timestamp',)
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
index 36413f678..f823f6c90 100644
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@@ -18,6 +18,8 @@ class Endpoint(JMSBaseModel):
mariadb_port = PortField(default=33061, verbose_name=_('MariaDB Port'))
postgresql_port = PortField(default=54320, verbose_name=_('PostgreSQL Port'))
redis_port = PortField(default=63790, verbose_name=_('Redis Port'))
+ oracle_11g_port = PortField(default=15211, verbose_name=_('Oracle 11g Port'))
+ oracle_12c_port = PortField(default=15212, verbose_name=_('Oracle 12c Port'))
comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
default_id = '00000000-0000-0000-0000-000000000001'
@@ -32,6 +34,10 @@ class Endpoint(JMSBaseModel):
def get_port(self, protocol):
return getattr(self, f'{protocol}_port', 0)
+ def get_oracle_port(self, version):
+ protocol = f'oracle_{version}'
+ return self.get_port(protocol)
+
def is_default(self):
return str(self.id) == self.default_id
@@ -57,8 +63,6 @@ class Endpoint(JMSBaseModel):
'http_port': 0,
}
endpoint, created = cls.objects.get_or_create(id=cls.default_id, defaults=data)
- if not endpoint.host and request:
- endpoint.host = request.get_host().split(':')[0]
return endpoint
@classmethod
@@ -116,4 +120,7 @@ class EndpointRule(JMSBaseModel):
endpoint = endpoint_rule.endpoint
else:
endpoint = Endpoint.get_or_create_default(request)
+ if not endpoint.host and request:
+ # 动态添加 current request host
+ endpoint.host = request.get_host().split(':')[0]
return endpoint
diff --git a/apps/terminal/models/sharing.py b/apps/terminal/models/sharing.py
index 6976b09cf..8675ced01 100644
--- a/apps/terminal/models/sharing.py
+++ b/apps/terminal/models/sharing.py
@@ -43,6 +43,8 @@ class SessionSharing(CommonModelMixin, OrgModelMixin):
return 'Creator: {}'.format(self.creator)
def users_display(self):
+ if not self.users:
+ return []
with tmp_to_root_org():
user_ids = self.users.split(',')
users = User.objects.filter(id__in=user_ids)
diff --git a/apps/terminal/notifications.py b/apps/terminal/notifications.py
index 62bc50592..91509a901 100644
--- a/apps/terminal/notifications.py
+++ b/apps/terminal/notifications.py
@@ -130,7 +130,7 @@ class CommandExecutionAlert(CommandAlertMixin, SystemMessage):
for asset in command['assets']:
url = reverse(
'assets:asset-detail', kwargs={'pk': asset.id},
- api_to_ui=True, external=True
+ api_to_ui=True, external=True, is_console=True
) + '?oid={}'.format(asset.org_id)
assets_with_url.append([asset, url])
diff --git a/apps/terminal/serializers/endpoint.py b/apps/terminal/serializers/endpoint.py
index fa3e71c35..3d8e858ac 100644
--- a/apps/terminal/serializers/endpoint.py
+++ b/apps/terminal/serializers/endpoint.py
@@ -8,6 +8,8 @@ __all__ = ['EndpointSerializer', 'EndpointRuleSerializer']
class EndpointSerializer(BulkModelSerializer):
+ # 解决 luna 处理繁琐的问题,oracle_port 返回匹配到的端口
+ oracle_port = serializers.SerializerMethodField(label=_('Oracle port'))
class Meta:
model = Endpoint
@@ -17,6 +19,8 @@ class EndpointSerializer(BulkModelSerializer):
'https_port', 'http_port', 'ssh_port',
'rdp_port', 'mysql_port', 'mariadb_port',
'postgresql_port', 'redis_port',
+ 'oracle_11g_port', 'oracle_12c_port',
+ 'oracle_port',
]
fields = fields_mini + fields_small + [
'comment', 'date_created', 'date_updated', 'created_by'
@@ -30,8 +34,16 @@ class EndpointSerializer(BulkModelSerializer):
'mariadb_port': {'default': 33061},
'postgresql_port': {'default': 54320},
'redis_port': {'default': 63790},
+ 'oracle_11g_port': {'default': 15211},
+ 'oracle_12c_port': {'default': 15212},
}
+ def get_oracle_port(self, obj: Endpoint):
+ view = self.context.get('view')
+ if not view or view.action not in ['smart']:
+ return 0
+ return obj.get_port(view.target_protocol)
+
class EndpointRuleSerializer(BulkModelSerializer):
_ip_group_help_text = '{}
{}'.format(
diff --git a/apps/terminal/serializers/session.py b/apps/terminal/serializers/session.py
index a22d17cdb..148217306 100644
--- a/apps/terminal/serializers/session.py
+++ b/apps/terminal/serializers/session.py
@@ -36,7 +36,7 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
'is_success': {'label': _('Is success')},
'can_replay': {'label': _('Can replay')},
'can_join': {'label': _('Can join')},
- 'terminal': {'label': _('Terminal')},
+ 'terminal': {'label': _('Terminal ID')},
'is_finished': {'label': _('Is finished')},
'can_terminate': {'label': _('Can terminate')},
'terminal_display': {'label': _('Terminal display')},
diff --git a/apps/tickets/api/super_ticket.py b/apps/tickets/api/super_ticket.py
index ea186bd1b..32c4a56c0 100644
--- a/apps/tickets/api/super_ticket.py
+++ b/apps/tickets/api/super_ticket.py
@@ -20,4 +20,4 @@ class SuperTicketStatusAPI(RetrieveDestroyAPIView):
return Ticket.objects.all()
def perform_destroy(self, instance):
- instance.close(processor=instance.applicant)
+ instance.close()
diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 369bc155d..12b1cab1b 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -30,7 +30,8 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
serializer_class = serializers.TicketDisplaySerializer
serializer_classes = {
'list': serializers.TicketListSerializer,
- 'open': serializers.TicketApplySerializer
+ 'open': serializers.TicketApplySerializer,
+ 'approve': serializers.TicketApproveSerializer
}
model = Ticket
perm_model = Ticket
@@ -77,7 +78,8 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
partial = kwargs.pop('partial', False)
instance = self.get_object()
serializer = self.get_serializer(instance, data=request.data, partial=partial)
- serializer.is_valid(raise_exception=True)
+ with tmp_to_root_org():
+ serializer.is_valid(raise_exception=True)
instance = serializer.save()
instance.approve(processor=request.user)
return Response('ok')
diff --git a/apps/tickets/handlers/apply_application.py b/apps/tickets/handlers/apply_application.py
index 15c76c7e5..287c70c4a 100644
--- a/apps/tickets/handlers/apply_application.py
+++ b/apps/tickets/handlers/apply_application.py
@@ -1,6 +1,6 @@
from django.utils.translation import ugettext as _
-from orgs.utils import tmp_to_org, tmp_to_root_org
+from orgs.utils import tmp_to_org
from perms.models import ApplicationPermission
from tickets.models import ApplyApplicationTicket
from .base import BaseHandler
@@ -16,16 +16,19 @@ class Handler(BaseHandler):
# permission
def _create_application_permission(self):
- with tmp_to_root_org():
+ org_id = self.ticket.org_id
+ with tmp_to_org(org_id):
application_permission = ApplicationPermission.objects.filter(id=self.ticket.id).first()
if application_permission:
return application_permission
+ apply_applications = self.ticket.apply_applications.all()
+ apply_system_users = self.ticket.apply_system_users.all()
+
apply_permission_name = self.ticket.apply_permission_name
+ apply_actions = self.ticket.apply_actions
apply_category = self.ticket.apply_category
apply_type = self.ticket.apply_type
- apply_applications = self.ticket.apply_applications.all()
- apply_system_users = self.ticket.apply_system_users.all()
apply_date_start = self.ticket.apply_date_start
apply_date_expired = self.ticket.apply_date_expired
permission_created_by = '{}:{}'.format(
@@ -48,6 +51,7 @@ class Handler(BaseHandler):
'name': apply_permission_name,
'from_ticket': True,
'category': apply_category,
+ 'actions': apply_actions,
'type': apply_type,
'comment': str(permission_comment),
'created_by': permission_created_by,
diff --git a/apps/tickets/handlers/apply_asset.py b/apps/tickets/handlers/apply_asset.py
index 136347782..e9d29697d 100644
--- a/apps/tickets/handlers/apply_asset.py
+++ b/apps/tickets/handlers/apply_asset.py
@@ -16,15 +16,17 @@ class Handler(BaseHandler):
# permission
def _create_asset_permission(self):
- with tmp_to_root_org():
+ org_id = self.ticket.org_id
+ with tmp_to_org(org_id):
asset_permission = AssetPermission.objects.filter(id=self.ticket.id).first()
if asset_permission:
return asset_permission
+ apply_nodes = self.ticket.apply_nodes.all()
+ apply_assets = self.ticket.apply_assets.all()
+ apply_system_users = self.ticket.apply_system_users.all()
+
apply_permission_name = self.ticket.apply_permission_name
- apply_nodes = self.ticket.apply_nodes.all()
- apply_assets = self.ticket.apply_assets.all()
- apply_system_users = self.ticket.apply_system_users.all()
apply_actions = self.ticket.apply_actions
apply_date_start = self.ticket.apply_date_start
apply_date_expired = self.ticket.apply_date_expired
diff --git a/apps/tickets/handlers/base.py b/apps/tickets/handlers/base.py
index c48ce350b..81341ce8e 100644
--- a/apps/tickets/handlers/base.py
+++ b/apps/tickets/handlers/base.py
@@ -64,9 +64,14 @@ class BaseHandler:
diff_context = {}
if state != TicketState.approved:
return diff_context
+
if self.ticket.type not in [TicketType.apply_asset, TicketType.apply_application]:
return diff_context
+ # 企业微信,钉钉审批不做diff
+ if not hasattr(self.ticket, 'old_rel_snapshot'):
+ return diff_context
+
old_rel_snapshot = self.ticket.old_rel_snapshot
current_rel_snapshot = self.ticket.get_local_snapshot()
diff = set(current_rel_snapshot.items()) - set(old_rel_snapshot.items())
diff --git a/apps/tickets/migrations/0016_auto_20220609_1758.py b/apps/tickets/migrations/0016_auto_20220609_1758.py
index ecf1c85fd..e5e6f61ce 100644
--- a/apps/tickets/migrations/0016_auto_20220609_1758.py
+++ b/apps/tickets/migrations/0016_auto_20220609_1758.py
@@ -139,7 +139,7 @@ class Migration(migrations.Migration):
('ticket_ptr',
models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
primary_key=True, serialize=False, to='tickets.ticket')),
- ('apply_permission_name', models.CharField(max_length=128, verbose_name='Apply name')),
+ ('apply_permission_name', models.CharField(max_length=128, verbose_name='Permission name')),
('apply_actions', models.IntegerField(
choices=[(255, 'All'), (1, 'Connect'), (2, 'Upload file'), (4, 'Download file'),
(6, 'Upload download'), (8, 'Clipboard copy'), (16, 'Clipboard paste'),
@@ -162,7 +162,7 @@ class Migration(migrations.Migration):
('ticket_ptr',
models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
primary_key=True, serialize=False, to='tickets.ticket')),
- ('apply_permission_name', models.CharField(max_length=128, verbose_name='Apply name')),
+ ('apply_permission_name', models.CharField(max_length=128, verbose_name='Permission name')),
('apply_category',
models.CharField(choices=[('db', 'Database'), ('remote_app', 'Remote app'), ('cloud', 'Cloud')],
max_length=16, verbose_name='Category')),
diff --git a/apps/tickets/migrations/0018_applyapplicationticket_apply_actions.py b/apps/tickets/migrations/0018_applyapplicationticket_apply_actions.py
new file mode 100644
index 000000000..74f5ed7a3
--- /dev/null
+++ b/apps/tickets/migrations/0018_applyapplicationticket_apply_actions.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2022-07-22 08:03
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('tickets', '0017_auto_20220623_1027'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='applyapplicationticket',
+ name='apply_actions',
+ field=models.IntegerField(choices=[(255, 'All'), (1, 'Connect'), (2, 'Upload file'), (4, 'Download file'), (6, 'Upload download'), (8, 'Clipboard copy'), (16, 'Clipboard paste'), (24, 'Clipboard copy paste')], default=255, verbose_name='Actions'),
+ ),
+ ]
diff --git a/apps/tickets/models/ticket/apply_application.py b/apps/tickets/models/ticket/apply_application.py
new file mode 100644
index 000000000..378047db2
--- /dev/null
+++ b/apps/tickets/models/ticket/apply_application.py
@@ -0,0 +1,45 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from perms.models import Action
+from applications.const import AppCategory, AppType
+from .general import Ticket
+
+__all__ = ['ApplyApplicationTicket']
+
+
+class ApplyApplicationTicket(Ticket):
+ apply_permission_name = models.CharField(max_length=128, verbose_name=_('Permission name'))
+ # 申请信息
+ apply_category = models.CharField(
+ max_length=16, choices=AppCategory.choices, verbose_name=_('Category')
+ )
+ apply_type = models.CharField(
+ max_length=16, choices=AppType.choices, verbose_name=_('Type')
+ )
+ apply_applications = models.ManyToManyField(
+ 'applications.Application', verbose_name=_('Apply applications'),
+ )
+ apply_system_users = models.ManyToManyField(
+ 'assets.SystemUser', verbose_name=_('Apply system users'),
+ )
+ apply_actions = models.IntegerField(
+ choices=Action.DB_CHOICES, default=Action.ALL, verbose_name=_('Actions')
+ )
+ apply_date_start = models.DateTimeField(verbose_name=_('Date start'), null=True)
+ apply_date_expired = models.DateTimeField(verbose_name=_('Date expired'), null=True)
+
+ @property
+ def apply_category_display(self):
+ return AppCategory.get_label(self.apply_category)
+
+ @property
+ def apply_type_display(self):
+ return AppType.get_label(self.apply_type)
+
+ @property
+ def apply_actions_display(self):
+ return Action.value_to_choices_display(self.apply_actions)
+
+ def get_apply_actions_display(self):
+ return ', '.join(self.apply_actions_display)
diff --git a/apps/tickets/notifications.py b/apps/tickets/notifications.py
index 3fa0e5a82..26997b0dc 100644
--- a/apps/tickets/notifications.py
+++ b/apps/tickets/notifications.py
@@ -87,7 +87,7 @@ class BaseTicketMessage(UserMessage):
@property
def spec_items(self):
fields = self.ticket._meta.local_fields + self.ticket._meta.local_many_to_many
- excludes = ['ticket_ptr']
+ excludes = ['ticket_ptr', 'flow']
item_names = [field.name for field in fields if field.name not in excludes]
return self._get_fields_items(item_names)
diff --git a/apps/tickets/serializers/flow.py b/apps/tickets/serializers/flow.py
index 42c7bed15..e8c066100 100644
--- a/apps/tickets/serializers/flow.py
+++ b/apps/tickets/serializers/flow.py
@@ -3,6 +3,7 @@ from django.utils.translation import ugettext_lazy as _
from rest_framework import serializers
from orgs.models import Organization
+from orgs.utils import get_current_org_id
from orgs.mixins.serializers import OrgResourceModelSerializerMixin
from tickets.models import TicketFlow, ApprovalRule
from tickets.const import TicketApprovalStrategy
@@ -96,7 +97,9 @@ class TicketFlowSerializer(OrgResourceModelSerializerMixin):
@atomic
def update(self, instance, validated_data):
- if instance.org_id == Organization.ROOT_ID:
+ current_org_id = get_current_org_id()
+ root_org_id = Organization.ROOT_ID
+ if instance.org_id == root_org_id and current_org_id != root_org_id:
instance = self.create(validated_data)
else:
instance = self.create_or_update('update', validated_data, instance)
diff --git a/apps/tickets/serializers/ticket/apply_application.py b/apps/tickets/serializers/ticket/apply_application.py
new file mode 100644
index 000000000..12b3f230d
--- /dev/null
+++ b/apps/tickets/serializers/ticket/apply_application.py
@@ -0,0 +1,65 @@
+from django.utils.translation import ugettext as _
+from rest_framework import serializers
+
+from perms.models import ApplicationPermission
+from perms.serializers.base import ActionsField
+from orgs.utils import tmp_to_org
+from applications.models import Application
+from tickets.models import ApplyApplicationTicket
+from .ticket import TicketApplySerializer
+from .common import BaseApplyAssetApplicationSerializer
+
+__all__ = ['ApplyApplicationSerializer', 'ApplyApplicationDisplaySerializer', 'ApproveApplicationSerializer']
+
+
+class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketApplySerializer):
+ apply_actions = ActionsField(required=True, allow_empty=False)
+ permission_model = ApplicationPermission
+
+ class Meta:
+ model = ApplyApplicationTicket
+ writeable_fields = [
+ 'id', 'title', 'type', 'apply_category',
+ 'apply_type', 'apply_applications', 'apply_system_users',
+ 'apply_actions', 'apply_date_start', 'apply_date_expired', 'org_id'
+ ]
+ fields = TicketApplySerializer.Meta.fields + \
+ writeable_fields + ['apply_permission_name', 'apply_actions_display']
+ read_only_fields = list(set(fields) - set(writeable_fields))
+ ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
+ extra_kwargs = {
+ 'apply_applications': {'required': False, 'allow_empty': True},
+ 'apply_system_users': {'required': False, 'allow_empty': True},
+ }
+ extra_kwargs.update(ticket_extra_kwargs)
+
+ def validate_apply_applications(self, applications):
+ if self.is_final_approval and not applications:
+ raise serializers.ValidationError(_('This field is required.'))
+ tp = self.initial_data.get('apply_type')
+ return self.filter_many_to_many_field(Application, applications, type=tp)
+
+
+class ApproveApplicationSerializer(ApplyApplicationSerializer):
+ class Meta(ApplyApplicationSerializer.Meta):
+ read_only_fields = ApplyApplicationSerializer.Meta.read_only_fields + ['title', 'type']
+
+
+class ApplyApplicationDisplaySerializer(ApplyApplicationSerializer):
+ apply_applications = serializers.SerializerMethodField()
+ apply_system_users = serializers.SerializerMethodField()
+
+ class Meta:
+ model = ApplyApplicationSerializer.Meta.model
+ fields = ApplyApplicationSerializer.Meta.fields
+ read_only_fields = fields
+
+ @staticmethod
+ def get_apply_applications(instance):
+ with tmp_to_org(instance.org_id):
+ return instance.apply_applications.values_list('id', flat=True)
+
+ @staticmethod
+ def get_apply_system_users(instance):
+ with tmp_to_org(instance.org_id):
+ return instance.apply_system_users.values_list('id', flat=True)
diff --git a/apps/tickets/serializers/ticket/apply_asset.py b/apps/tickets/serializers/ticket/apply_asset.py
index b8a007e8d..93a4026c1 100644
--- a/apps/tickets/serializers/ticket/apply_asset.py
+++ b/apps/tickets/serializers/ticket/apply_asset.py
@@ -23,10 +23,11 @@ class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySeria
model = ApplyAssetTicket
writeable_fields = [
'id', 'title', 'type', 'apply_nodes', 'apply_assets',
- 'apply_system_users', 'apply_actions', 'apply_actions_display',
+ 'apply_system_users', 'apply_actions',
'apply_date_start', 'apply_date_expired', 'org_id'
]
- fields = TicketApplySerializer.Meta.fields + writeable_fields + ['apply_permission_name']
+ fields = TicketApplySerializer.Meta.fields + \
+ writeable_fields + ['apply_permission_name', 'apply_actions_display']
read_only_fields = list(set(fields) - set(writeable_fields))
ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
extra_kwargs = {
diff --git a/apps/tickets/serializers/ticket/ticket.py b/apps/tickets/serializers/ticket/ticket.py
index facf3fcec..a0760e4d0 100644
--- a/apps/tickets/serializers/ticket/ticket.py
+++ b/apps/tickets/serializers/ticket/ticket.py
@@ -9,7 +9,7 @@ from tickets.models import Ticket, TicketFlow
from tickets.const import TicketType
__all__ = [
- 'TicketDisplaySerializer', 'TicketApplySerializer', 'TicketListSerializer'
+ 'TicketDisplaySerializer', 'TicketApplySerializer', 'TicketListSerializer', 'TicketApproveSerializer'
]
@@ -59,6 +59,13 @@ class TicketDisplaySerializer(TicketSerializer):
read_only_fields = fields
+class TicketApproveSerializer(TicketSerializer):
+ class Meta:
+ model = Ticket
+ fields = TicketSerializer.Meta.fields
+ read_only_fields = fields
+
+
class TicketApplySerializer(TicketSerializer):
org_id = serializers.CharField(
required=True, max_length=36, allow_blank=True, label=_("Organization")
diff --git a/apps/tickets/templates/tickets/ticket_approve_diff.html b/apps/tickets/templates/tickets/ticket_approve_diff.html
index 9fe6b80e0..8426b34ed 100644
--- a/apps/tickets/templates/tickets/ticket_approve_diff.html
+++ b/apps/tickets/templates/tickets/ticket_approve_diff.html
@@ -2,6 +2,7 @@
{{ approve_info }}
+{% if content %}
+{% endif %}
diff --git a/apps/users/api/profile.py b/apps/users/api/profile.py
index 3f5605144..b916c47a9 100644
--- a/apps/users/api/profile.py
+++ b/apps/users/api/profile.py
@@ -3,6 +3,10 @@ import uuid
from rest_framework import generics
from rest_framework.permissions import IsAuthenticated
+from common.permissions import IsValidUserOrConnectionToken
+from common.utils import get_object_or_none
+from orgs.utils import tmp_to_root_org
+from authentication.models import ConnectionToken
from users.notifications import (
ResetPasswordMsg, ResetPasswordSuccessMsg, ResetSSHKeyMsg,
@@ -44,12 +48,26 @@ class UserResetPKApi(UserQuerysetMixin, generics.UpdateAPIView):
class UserProfileApi(generics.RetrieveUpdateAPIView):
- permission_classes = (IsAuthenticated,)
+ permission_classes = (IsValidUserOrConnectionToken,)
serializer_class = serializers.UserProfileSerializer
def get_object(self):
+ if self.request.user.is_anonymous:
+ user = self.get_connection_token_user()
+ if user:
+ return user
return self.request.user
+ def get_connection_token_user(self):
+ token_id = self.request.query_params.get('token')
+ if not token_id:
+ return
+ with tmp_to_root_org():
+ token = get_object_or_none(ConnectionToken, id=token_id)
+ if not token:
+ return
+ return token.user
+
class UserPasswordApi(generics.RetrieveUpdateAPIView):
permission_classes = (IsAuthenticated,)
diff --git a/apps/users/api/user.py b/apps/users/api/user.py
index a5d726fe0..70939f51f 100644
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -33,7 +33,7 @@ __all__ = [
class UserViewSet(CommonApiMixin, UserQuerysetMixin, SuggestionMixin, BulkModelViewSet):
filterset_class = UserFilter
- search_fields = ('username', 'email', 'name', 'id', 'source', 'role', 'is_active')
+ search_fields = ('username', 'email', 'name')
serializer_classes = {
'default': UserSerializer,
'suggestion': MiniUserSerializer,
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 2fd33aa08..78d5eb540 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -628,6 +628,7 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
radius = 'radius', 'Radius'
cas = 'cas', 'CAS'
saml2 = 'saml2', 'SAML2'
+ oauth2 = 'oauth2', 'OAuth2'
SOURCE_BACKEND_MAPPING = {
Source.local: [
@@ -652,6 +653,9 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
Source.saml2: [
settings.AUTH_BACKEND_SAML2
],
+ Source.oauth2: [
+ settings.AUTH_BACKEND_OAUTH2
+ ],
}
id = models.UUIDField(default=uuid.uuid4, primary_key=True)
@@ -796,7 +800,8 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
def is_password_authenticate(self):
cas = self.Source.cas
saml2 = self.Source.saml2
- return self.source not in [cas, saml2]
+ oauth2 = self.Source.oauth2
+ return self.source not in [cas, saml2, oauth2]
def set_unprovide_attr_if_need(self):
if not self.name:
diff --git a/apps/users/signal_handlers.py b/apps/users/signal_handlers.py
index bd9b01845..bcf50173a 100644
--- a/apps/users/signal_handlers.py
+++ b/apps/users/signal_handlers.py
@@ -9,6 +9,7 @@ from django.db.models.signals import post_save
from authentication.backends.oidc.signals import openid_create_or_update_user
from authentication.backends.saml2.signals import saml2_create_or_update_user
+from authentication.backends.oauth2.signals import oauth2_create_or_update_user
from common.utils import get_logger
from common.decorator import on_transaction_commit
from .signals import post_user_create
@@ -26,16 +27,18 @@ def user_authenticated_handle(user, created, source, attrs=None, **kwargs):
user.source = source
user.save()
- if not created and settings.AUTH_SAML2_ALWAYS_UPDATE_USER:
+ if not attrs:
+ return
+
+ always_update = getattr(settings, 'AUTH_%s_ALWAYS_UPDATE_USER' % source.upper(), False)
+ if not created and always_update:
attr_whitelist = ('user', 'username', 'email', 'phone', 'comment')
logger.debug(
- "Receive saml2 user updated signal: {}, "
+ "Receive {} user updated signal: {}, "
"Update user info: {},"
"(Update only properties in the whitelist. [{}])"
- "".format(user, str(attrs), ','.join(attr_whitelist))
+ "".format(source, user, str(attrs), ','.join(attr_whitelist))
)
- if not attrs:
- return
for key, value in attrs.items():
if key in attr_whitelist and value:
setattr(user, key, value)
@@ -103,6 +106,12 @@ def on_saml2_create_or_update_user(sender, user, created, attrs, **kwargs):
user_authenticated_handle(user, created, source, attrs, **kwargs)
+@receiver(oauth2_create_or_update_user)
+def on_oauth2_create_or_update_user(sender, user, created, attrs, **kwargs):
+ source = user.Source.oauth2.value
+ user_authenticated_handle(user, created, source, attrs, **kwargs)
+
+
@receiver(populate_user)
def on_ldap_create_user(sender, user, ldap_user, **kwargs):
if user and user.username not in ['admin']:
diff --git a/apps/users/templates/users/forgot_password.html b/apps/users/templates/users/forgot_password.html
index 8289726f3..16c784250 100644
--- a/apps/users/templates/users/forgot_password.html
+++ b/apps/users/templates/users/forgot_password.html
@@ -6,6 +6,7 @@