feat: Update v3.9.2

fix: 延迟执行设置超时

perf: 修改 delay run

perf: 优化 delay_run 执行

perf: 修改 delay run

Dockerfile-ce

@@ -44,8 +44,8 @@ ARG TOOLS="                           \
         wget"
 
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
     sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
     && rm -f /etc/apt/apt.conf.d/docker-clean \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
@@ -63,9 +63,9 @@ RUN --mount=type=cache,target=/root/.cache \
     --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
     set -ex \
     && python3 -m venv /opt/py3 \
-    && . /opt/py3/bin/activate \
     && pip install poetry -i ${PIP_MIRROR} \
     && poetry config virtualenvs.create false \
+    && . /opt/py3/bin/activate \
     && poetry install
 
 FROM python:3.11-slim-bullseye
@@ -75,8 +75,8 @@ ENV LANG=zh_CN.UTF-8 \
 
 ARG DEPENDENCIES="                    \
         libjpeg-dev                   \
-        libxmlsec1-openssl            \
+        libx11-dev                    \
-        libx11-dev"
+        libxmlsec1-openssl"
 
 ARG TOOLS="                           \
         ca-certificates               \
@@ -94,8 +94,8 @@ ARG TOOLS="                           \
         wget"
 
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
     sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
     && rm -f /etc/apt/apt.conf.d/docker-clean \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
@@ -118,7 +118,6 @@ ARG VERSION
 ENV VERSION=$VERSION
 
 VOLUME /opt/jumpserver/data
-VOLUME /opt/jumpserver/logs
 
 EXPOSE 8080
 

GITSHA

@@ -0,0 +1 @@
+73bed4d33d4280d3abefc8ebd61be09b20863610

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -3,6 +3,7 @@
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -11,10 +12,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -28,10 +29,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -45,8 +46,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Get info
@@ -10,10 +11,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: users
       register: db_info
 

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -3,6 +3,7 @@
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -11,10 +12,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -28,10 +29,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -45,8 +46,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Verify account
@@ -10,8 +11,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/assets/automations/gather_facts/database/mysql/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Get info
@@ -10,10 +11,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 

apps/assets/automations/ping/database/mysql/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -10,8 +11,8 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ omit if not jms_asset.spec_info.use_ssl else jms_asset.spec_info.allow_invalid_cert }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key  | default(omit) }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/authentication/backends/drf.py

@@ -8,7 +8,7 @@ from django.utils.translation import gettext as _
 from rest_framework import authentication, exceptions
 
 from common.auth import signature
-from common.decorators import delay_run
+from common.decorators import merge_delay_run
 from common.utils import get_object_or_none, get_request_ip_or_data, contains_ip
 from ..models import AccessKey, PrivateToken
 
@@ -17,22 +17,24 @@ def date_more_than(d, seconds):
     return d is None or (timezone.now() - d).seconds > seconds
 
 
-@delay_run(ttl=60)
+@merge_delay_run(ttl=60)
-def update_token_last_used(token):
+def update_token_last_used(tokens=()):
+    for token in tokens:
         token.date_last_used = timezone.now()
         token.save(update_fields=['date_last_used'])
 
 
-@delay_run(ttl=60)
+@merge_delay_run(ttl=60)
-def update_user_last_used(user):
+def update_user_last_used(users=()):
+    for user in users:
         user.date_api_key_last_used = timezone.now()
         user.save(update_fields=['date_api_key_last_used'])
 
 
 def after_authenticate_update_date(user, token=None):
-    update_user_last_used(user)
+    update_user_last_used(users=(user,))
     if token:
-        update_token_last_used(token)
+        update_token_last_used(tokens=(token,))
 
 
 class AccessTokenAuthentication(authentication.BaseAuthentication):

apps/common/decorators.py

@@ -73,6 +73,7 @@ executor = ThreadPoolExecutor(
 )
 _loop_debouncer_func_task_cache = {}
 _loop_debouncer_func_args_cache = {}
+_loop_debouncer_func_task_time_cache = {}
 
 
 def get_loop():
@@ -92,6 +93,17 @@ def cancel_or_remove_debouncer_task(cache_key):
 def run_debouncer_func(cache_key, org, ttl, func, *args, **kwargs):
     cancel_or_remove_debouncer_task(cache_key)
     run_func_partial = functools.partial(_run_func_with_org, cache_key, org, func)
+
+    current = time.time()
+    first_run_time = _loop_debouncer_func_task_time_cache.get(cache_key, None)
+    if first_run_time is None:
+        _loop_debouncer_func_task_time_cache[cache_key] = current
+        first_run_time = current
+
+    if current - first_run_time > ttl:
+        executor.submit(run_func_partial, *args, **kwargs)
+        return
+
     loop = _loop_thread.get_loop()
     _debouncer = Debouncer(run_func_partial, lambda: True, ttl, loop=loop, executor=executor)
     task = asyncio.run_coroutine_threadsafe(_debouncer(*args, **kwargs), loop=loop)
@@ -130,6 +142,7 @@ def _run_func_with_org(key, org, func, *args, **kwargs):
         logger.error('delay run error: %s' % e)
     _loop_debouncer_func_task_cache.pop(key, None)
     _loop_debouncer_func_args_cache.pop(key, None)
+    _loop_debouncer_func_task_time_cache.pop(key, None)
 
 
 def delay_run(ttl=5, key=None):
@@ -142,6 +155,9 @@ def delay_run(ttl=5, key=None):
 
     def inner(func):
         suffix_key_func = key if key else default_suffix_key
+        sigs = inspect.signature(func)
+        if len(sigs.parameters) != 0:
+            raise ValueError('Merge delay run must not arguments: %s' % func.__name__)
 
         @functools.wraps(func)
         def wrapper(*args, **kwargs):
@@ -186,12 +202,11 @@ def merge_delay_run(ttl=5, key=None):
             for k, v in kwargs.items():
                 if not isinstance(v, (tuple, list, set)):
                     raise ValueError('func kwargs value must be list or tuple: %s %s' % (func.__name__, v))
+                v = set(v)
                 if k not in cache_kwargs:
                     cache_kwargs[k] = v
-                elif isinstance(v, set):
-                    cache_kwargs[k] = cache_kwargs[k].union(v)
                 else:
-                    cache_kwargs[k] = list(cache_kwargs[k]) + list(v)
+                    cache_kwargs[k] = cache_kwargs[k].union(v)
             _loop_debouncer_func_args_cache[cache_key] = cache_kwargs
             run_debouncer_func(cache_key, org, ttl, func, *args, **cache_kwargs)
 
@@ -201,8 +216,8 @@ def merge_delay_run(ttl=5, key=None):
 
 
 @delay_run(ttl=5)
-def test_delay_run(username):
+def test_delay_run():
-    print("Hello, %s, now is %s" % (username, time.time()))
+    print("Hello,  now is %s" % time.time())
 
 
 @merge_delay_run(ttl=5, key=lambda users=(): users[0][0])

apps/jumpserver/const.py

@@ -8,7 +8,7 @@ __all__ = ['BASE_DIR', 'PROJECT_DIR', 'VERSION', 'CONFIG']
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 PROJECT_DIR = os.path.dirname(BASE_DIR)
-VERSION = '2.0.0'
+VERSION = 'v3.9.2'
 CONFIG = ConfigManager.load_user_config()
 
 

apps/jumpserver/settings/libs.py

@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 import os
-from urllib.parse import urlencode
 
 from .base import (
     REDIS_SSL_CA, REDIS_SSL_CERT, REDIS_SSL_KEY, REDIS_SSL_REQUIRED, REDIS_USE_SSL,
@@ -88,7 +87,6 @@ REDIS_LAYERS_HOST = {
 REDIS_LAYERS_SSL_PARAMS = {}
 if REDIS_USE_SSL:
     REDIS_LAYERS_SSL_PARAMS.update({
-        'ssl': REDIS_USE_SSL,
         'ssl_cert_reqs': REDIS_SSL_REQUIRED,
         "ssl_keyfile": REDIS_SSL_KEY,
         "ssl_certfile": REDIS_SSL_CERT,
@@ -116,8 +114,7 @@ else:
         host=CONFIG.REDIS_HOST, port=CONFIG.REDIS_PORT, db=CONFIG.REDIS_DB_WS
     )
     REDIS_LAYERS_SSL_PARAMS.pop('ssl', None)
-    REDIS_LAYERS_HOST['address'] = '{}?{}'.format(REDIS_LAYERS_ADDRESS,
+    REDIS_LAYERS_HOST['address'] = REDIS_LAYERS_ADDRESS
-                                                  urlencode(REDIS_LAYERS_SSL_PARAMS))
 
 CHANNEL_LAYERS = {
     'default': {

apps/ops/models/job.py

@@ -320,7 +320,6 @@ class JobExecution(JMSOrgBaseModel):
                          "login_password={{login_password}} " \
                          "login_port={{login_port}} " \
                          "%s={{login_db}}" % login_db_token
-            print(login_args)
             shell = "{} {}=\"{}\" ".format(login_args, query_token, self.current_job.args)
             return module, shell
 

apps/orgs/signal_handlers/common.py

@@ -53,7 +53,7 @@ def subscribe_orgs_mapping_expire(sender, **kwargs):
 
 
 @delay_run(ttl=5)
-def expire_user_orgs(*args):
+def expire_user_orgs():
     User.expire_users_rbac_perms_cache()
 
 

apps/users/tasks.py

@@ -88,8 +88,8 @@ def check_unused_users():
     uncommon_users_ttl = settings.SECURITY_UNCOMMON_USERS_TTL
     seconds_to_subtract = uncommon_users_ttl * 24 * 60 * 60
     t = timezone.now() - timedelta(seconds=seconds_to_subtract)
-    last_login_q = Q(last_login__lte=t) | Q(last_login__isnull=True)
+    last_login_q = Q(last_login__lte=t) | (Q(last_login__isnull=True) & Q(date_joined__lte=t))
-    api_key_q = Q(date_api_key_last_used__lte=t) | Q(date_api_key_last_used__isnull=True)
+    api_key_q = Q(date_api_key_last_used__lte=t) | (Q(date_api_key_last_used__isnull=True) & Q(date_joined__lte=t))
 
     users = User.objects \
         .filter(date_joined__lt=t) \
@@ -99,6 +99,7 @@ def check_unused_users():
 
     if not users:
         return
+
     print("Some users are not used for a long time, and they will be disabled.")
     resource_ids = []
     for user in users: