Fix rbac (#7728)

* perf: 重命名 signal handlers * fix: 修复 ticket processor 问题 * perf: 修改 ticket 处理人api * fix: 修复创建系统账号bug * fix: 升级celery_beat==2.2.1和flower==1.0.0;修改celery进程启动参数先后顺序 * perf: 修改 authentication token * fix: 修复上传权限bug * fix: 登录页面增加i18n切换; * fix: 系统角色删除限制 * perf: 修改一下 permissions tree * perf: 生成 i18n * perf: 修改一点点 Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
2025-09-22 11:58:29 +00:00 · 2022-03-02 20:48:43 +08:00
parent 04e46e4b1c
commit dafc416783
69 changed files with 929 additions and 519 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -302,16 +302,26 @@ class SecretDetailMixin:
            user=user, system_user=system_user,
            expired_at=expired_at, actions=actions
        )
+        cmd_filter_kwargs = {
+            'system_user_id': system_user.id,
+            'user_id': user.id,
+        }
        if asset:
            asset_detail = self._get_asset_secret_detail(asset)
            system_user.load_asset_more_auth(asset.id, user.username, user.id)
            data['type'] = 'asset'
            data.update(asset_detail)
+            cmd_filter_kwargs['asset_id'] = asset.id
        else:
            app_detail = self._get_application_secret_detail(app)
            system_user.load_app_more_auth(app.id, user.username, user.id)
            data['type'] = 'application'
            data.update(app_detail)
+            cmd_filter_kwargs['application_id'] = app.id
+
+        from assets.models import CommandFilterRule
+        cmd_filter_rules = CommandFilterRule.get_queryset(**cmd_filter_kwargs)
+        data['cmd_filter_rules'] = cmd_filter_rules

        serializer = self.get_serializer(data)
        return Response(data=serializer.data, status=200)
@@ -350,8 +360,10 @@ class UserConnectionTokenViewSet(
        return True

    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
-        if not self.request.user.is_superuser and user != self.request.user:
-            raise PermissionDenied('Only super user can create user token')
+        # 再次强调一下权限
+        perm_required = 'authentication.add_superconnectiontoken'
+        if user != self.request.user and not self.request.user.has_perm(perm_required):
+            raise PermissionDenied('Only can create user token')
        self.check_resource_permission(user, asset, application, system_user)
        token = random_string(36)
        secret = random_string(16)
--- a/apps/authentication/apps.py
+++ b/apps/authentication/apps.py
@@ -7,7 +7,7 @@ class AuthenticationConfig(AppConfig):
    verbose_name = _('Authentication')

    def ready(self):
-        from . import signals_handlers
+        from . import signal_handlers
        from . import notifications
        super().ready()

--- a/apps/authentication/migrations/0007_connectiontoken.py
+++ b/apps/authentication/migrations/0007_connectiontoken.py
@@ -19,8 +19,14 @@ class Migration(migrations.Migration):
                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
            ],
-            options={
-                'permissions': [('add_superconnectiontoken', 'Can add super connection token'), ('view_connectiontokensecret', 'Can view connect token secret')],
-            },
+            options={'verbose_name': 'Connection token'},
+        ),
+        migrations.AlterModelOptions(
+            name='accesskey',
+            options={'verbose_name': 'Access key'},
+        ),
+        migrations.AlterModelOptions(
+            name='ssotoken',
+            options={'verbose_name': 'SSO token'},
        ),
    ]
--- a/apps/authentication/migrations/0008_auto_20220217_2135.py
+++ b/apps/authentication/migrations/0008_auto_20220217_2135.py
@@ -1,21 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-17 13:35
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('authentication', '0007_connectiontoken'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='accesskey',
-            options={'verbose_name': 'Access key'},
-        ),
-        migrations.AlterModelOptions(
-            name='ssotoken',
-            options={'verbose_name': 'SSO token'},
-        ),
-    ]
--- a/apps/authentication/migrations/0008_superconnectiontoken.py
+++ b/apps/authentication/migrations/0008_superconnectiontoken.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1.14 on 2022-03-02 11:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0007_connectiontoken'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='SuperConnectionToken',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Super connection token',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('authentication.connectiontoken',),
+        ),
+    ]
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -58,7 +58,10 @@ class ConnectionToken(models.JMSBaseModel):
    # Todo: add connection token 可能要授权给 普通用户, 或者放开就行

    class Meta:
-        permissions = [
-            ('add_superconnectiontoken', _('Can add super connection token')),
-            ('view_connectiontokensecret', _('Can view connect token secret'))
-        ]
+        verbose_name = _('Connection token')
+
+
+class SuperConnectionToken(ConnectionToken):
+    class Meta:
+        proxy = True
+        verbose_name = _("Super connection token")
--- a/apps/authentication/serializers.py
+++ b/apps/authentication/serializers.py
@@ -5,7 +5,7 @@ from rest_framework import serializers

 from common.utils import get_object_or_none
 from users.models import User
-from assets.models import Asset, SystemUser, Gateway, Domain
+from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
 from applications.models import Application
 from users.serializers import UserProfileSerializer
 from assets.serializers import ProtocolsField
@@ -200,6 +200,17 @@ class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
        fields = ['id', 'name', 'gateways']


+class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
+
+    class Meta:
+        model = CommandFilterRule
+        fields = [
+            'id', 'type', 'content', 'ignore_case', 'pattern',
+            'priority', 'action',
+            'date_created',
+        ]
+
+
 class ConnectionTokenSecretSerializer(serializers.Serializer):
    id = serializers.CharField(read_only=True)
    secret = serializers.CharField(read_only=True)
@@ -209,6 +220,7 @@ class ConnectionTokenSecretSerializer(serializers.Serializer):
    remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
    application = ConnectionTokenApplicationSerializer(read_only=True)
    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
+    cmd_filter_rules = ConnectionTokenFilterRuleSerializer(many=True)
    domain = ConnectionTokenDomainSerializer(read_only=True)
    gateway = ConnectionTokenGatewaySerializer(read_only=True)
    actions = ActionsField()
--- a/apps/authentication/signals_handlers.py
+++ b/apps/authentication/signals_handlers.py
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -115,10 +115,21 @@
        .mfa-div {
            width: 100%;
        }
+
+        .login-page-language {
+            margin-right: -11px !important;
+            padding-top: 12px !important;
+            padding-left: 0 !important;
+            padding-bottom: 8px !important;
+            color: #666 !important;
+            font-weight: 350 !important;
+            min-height: auto !important;
+        }
    </style>
 </head>

 <body>
+
 <div class="login-content">
    <div class="right-image-box">
        <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver{% endif %}">
@@ -127,6 +138,22 @@
    </div>
    <div class="left-form-box {% if not form.challenge and not form.captcha %} no-captcha-challenge {% endif %}">
        <div style="background-color: white">
+            <ul class="nav navbar-top-links navbar-right">
+                <li class="dropdown">
+                    <a class="dropdown-toggle login-page-language" data-toggle="dropdown" href="#" target="_blank">
+                        <i class="fa fa-globe fa-lg" style="margin-right: 2px"></i>
+                        {% ifequal request.COOKIES.django_language 'en' %}
+                            <span>English<b class="caret"></b></span>
+                        {% else %}
+                            <span>中文(简体)<b class="caret"></b></span>
+                        {% endifequal %}
+                    </a>
+                    <ul class="dropdown-menu profile-dropdown dropdown-menu-right">
+                        <li> <a id="switch_cn" href="{% url 'i18n-switch' lang='zh-hans' %}"> <span>中文(简体)</span> </a> </li>
+                        <li> <a id="switch_en" href="{% url 'i18n-switch' lang='en' %}"> <span>English</span> </a> </li>
+                    </ul>
+                </li>
+            </ul>
            <div class="jms-title">
                <span style="font-size: 21px;font-weight:400;color: #151515;letter-spacing: 0;">{{ JMS_TITLE }}</span>
            </div>