fix: Any change to the LDAP server URI should require re-authentication and explicit re-entry of

the bind password, not reuse stored credentials
perf: user sugguestion limit and serializer
2025-12-15 08:32:48 +00:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-21 11:14:02 +08:00
7 changed files with 38 additions and 9 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -362,6 +362,7 @@ class ConnectionTokenViewSet(AuthFaceMixin, ExtraActionApiMixin, RootOrgViewMixi
        self.validate_serializer(serializer)
        return super().perform_create(serializer)

+
    def _insert_connect_options(self, data, user):
        connect_options = data.pop('connect_options', {})
        default_name_opts = {
@@ -564,7 +565,9 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
    rbac_perms = {
        'create': 'authentication.add_superconnectiontoken',
        'renewal': 'authentication.add_superconnectiontoken',
+        'list': 'authentication.view_superconnectiontoken',
        'check': 'authentication.view_superconnectiontoken',
+        'retrieve': 'authentication.view_superconnectiontoken',
        'get_secret_detail': 'authentication.view_superconnectiontokensecret',
        'get_applet_info': 'authentication.view_superconnectiontoken',
        'release_applet_account': 'authentication.view_superconnectiontoken',
@@ -572,7 +575,12 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
    }

    def get_queryset(self):
-        return ConnectionToken.objects.all()
+        return ConnectionToken.objects.none()
+
+    def get_object(self):
+        pk = self.kwargs.get(self.lookup_field)
+        token = get_object_or_404(ConnectionToken, pk=pk)
+        return token

    def get_user(self, serializer):
        return serializer.validated_data.get('user')
--- a/apps/common/api/action.py
+++ b/apps/common/api/action.py
@@ -1,9 +1,11 @@
 # -*- coding: utf-8 -*-
 #
+from django.conf import settings
 from typing import Callable

 from django.utils.translation import gettext as _
 from rest_framework.decorators import action
+from rest_framework.throttling import UserRateThrottle
 from rest_framework.request import Request
 from rest_framework.response import Response

@@ -14,8 +16,12 @@ from orgs.utils import current_org
 __all__ = ['SuggestionMixin', 'RenderToJsonMixin']


+class CustomUserRateThrottle(UserRateThrottle):
+    rate = '60/m'
+
+
 class SuggestionMixin:
-    suggestion_limit = 10
+    suggestion_limit = settings.SUGGESTION_LIMIT

    filter_queryset: Callable
    get_queryset: Callable
@@ -35,6 +41,7 @@ class SuggestionMixin:
            queryset = queryset.none()

        queryset = self.filter_queryset(queryset)
+
        queryset = queryset[:self.suggestion_limit]
        page = self.paginate_queryset(queryset)

@@ -45,6 +52,11 @@ class SuggestionMixin:
        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data)

+    def get_throttles(self):
+        if self.action == 'match':
+            return [CustomUserRateThrottle()]
+        return super().get_throttles()
+

 class RenderToJsonMixin:
    @action(methods=[POST, PUT], detail=False, url_path='render-to-json')
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -729,6 +729,9 @@ class Config(dict):
        'LOKI_BASE_URL': 'http://loki:3100',

        'TOOL_USER_ENABLED': False,
+
+        # Suggestion api
+        'SUGGESTION_LIMIT': 10,
    }

    old_config_map = {
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -266,3 +266,5 @@ LOKI_LOG_ENABLED = CONFIG.LOKI_LOG_ENABLED
 LOKI_BASE_URL = CONFIG.LOKI_BASE_URL

 TOOL_USER_ENABLED = CONFIG.TOOL_USER_ENABLED
+
+SUGGESTION_LIMIT = CONFIG.SUGGESTION_LIMIT
--- a/apps/orgs/mixins/ws.py
+++ b/apps/orgs/mixins/ws.py
@@ -24,5 +24,7 @@ class OrgMixin:

    @sync_to_async
    def has_perms(self, user, perms):
+        self.cookie = self.get_cookie()
+        self.org = self.get_current_org()
        with tmp_to_org(self.org):
            return user.has_perms(perms)
--- a/apps/settings/ws.py
+++ b/apps/settings/ws.py
@@ -56,8 +56,6 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    async def connect(self):
        user = self.scope["user"]
        if user.is_authenticated:
-            self.cookie = self.get_cookie()
-            self.org = self.get_current_org()
            has_perm = self.has_perms(user, ['rbac.view_systemtools'])
            if await self.is_superuser(user) or (settings.TOOL_USER_ENABLED and has_perm):
                await self.accept()
@@ -128,14 +126,14 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
        close_old_connections()


-class LdapWebsocket(AsyncJsonWebsocketConsumer):
+class LdapWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    category: str

    async def connect(self):
        user = self.scope["user"]
        query = parse_qs(self.scope['query_string'].decode())
        self.category = query.get('category', [User.Source.ldap.value])[0]
-        if user.is_authenticated:
+        if user.is_authenticated and await self.has_perms(user, ['settings.view_setting']):
            await self.accept()
        else:
            await self.close()
@@ -166,8 +164,6 @@ class LdapWebsocket(AsyncJsonWebsocketConsumer):
        config = {
            'server_uri': serializer.validated_data.get(f"{prefix}SERVER_URI"),
            'bind_dn': serializer.validated_data.get(f"{prefix}BIND_DN"),
-            'password': (serializer.validated_data.get(f"{prefix}BIND_PASSWORD") or
-                         getattr(settings, f"{prefix}BIND_PASSWORD")),
            'use_ssl': serializer.validated_data.get(f"{prefix}START_TLS", False),
            'search_ou': serializer.validated_data.get(f"{prefix}SEARCH_OU"),
            'search_filter': serializer.validated_data.get(f"{prefix}SEARCH_FILTER"),
@@ -175,6 +171,12 @@ class LdapWebsocket(AsyncJsonWebsocketConsumer):
            'auth_ldap': serializer.validated_data.get(f"{prefix.rstrip('_')}", False)
        }

+        password = serializer.validated_data.get(f"{prefix}BIND_PASSWORD")
+        if not password and config['server_uri'] == getattr(settings, f"{prefix}SERVER_URI"):
+            # 只有在没有修改服务器地址的情况下，才使用原有的密码
+            config['password'] = getattr(settings, f"{prefix}BIND_PASSWORD")
+        else:
+            config['password'] = password
        return config

    @staticmethod
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -41,8 +41,8 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, SuggestionMixin, BulkModelV
    permission_classes = [RBACPermission, UserObjectPermission]
    serializer_classes = {
        'default': UserSerializer,
-        'suggestion': MiniUserSerializer,
        'invite': InviteSerializer,
+        'match': MiniUserSerializer,
        'retrieve': UserRetrieveSerializer,
    }
    rbac_perms = {
Author	SHA1	Message	Date
wangruidong	5afc1c7889	fix: Any change to the LDAP server URI should require re-authentication and explicit re-entry of the bind password, not reuse stored credentials	2025-10-23 18:44:23 +08:00
ibuler	4fe62f1c15	perf: user sugguestion limit and serializer	2025-10-23 18:44:23 +08:00
wangruidong	4af75ff584	perf: ws/ldap perms check	2025-10-23 18:44:23 +08:00
ibuler	91f6614711	perf: token retrieve	2025-10-21 11:14:02 +08:00