feat: Update v3.8.1

Co-authored-by: feng <1304903146@qq.com>

Dockerfile-ce

@@ -0,0 +1,86 @@
+FROM python:3.11-slim-bullseye as stage-build
+ARG TARGETARCH
+
+ARG VERSION
+ENV VERSION=$VERSION
+
+WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+FROM python:3.11-slim-bullseye
+ARG TARGETARCH
+
+ARG BUILD_DEPENDENCIES="              \
+        g++                           \
+        make                          \
+        pkg-config"
+
+ARG DEPENDENCIES="                    \
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libkrb5-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libssl-dev                    \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        freerdp2-dev                  \
+        libaio-dev"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        iputils-ping                  \
+        locales                       \
+        nmap                          \
+        openssh-client                \
+        patch                         \
+        sshpass                       \
+        telnet                        \
+        vim                           \
+        wget"
+
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+WORKDIR /opt/jumpserver
+
+ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
+RUN --mount=type=cache,target=/root/.cache \
+    set -ex \
+    && echo > /opt/jumpserver/config.yml \
+    && pip install poetry -i ${PIP_MIRROR} \
+    && poetry config virtualenvs.create false \
+    && poetry install --only=main
+
+VOLUME /opt/jumpserver/data
+VOLUME /opt/jumpserver/logs
+
+ENV LANG=zh_CN.UTF-8
+
+EXPOSE 8080
+
+ENTRYPOINT ["./entrypoint.sh"]

GITSHA

@@ -0,0 +1 @@
+d6cfda693f1515319157c7cbeb1e46ebd5a8985e

apps/accounts/automations/change_secret/manager.py

@@ -136,7 +136,8 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                 'username': account.username,
                 'secret_type': secret_type,
                 'secret': new_secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
             }
             if asset.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None

apps/accounts/automations/push_account/manager.py

@@ -56,7 +56,8 @@ class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
                 'username': account.username,
                 'secret_type': secret_type,
                 'secret': new_secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
             }
             if asset.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None

apps/accounts/migrations/0003_automation.py

@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
                 'verbose_name': 'Automation execution',
                 'verbose_name_plural': 'Automation executions',
                 'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexection', 'Can add change secret execution'),
+                                ('add_changesecretexecution', 'Can add change secret execution'),
                                 ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                 ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
                 'proxy': True,
@@ -184,7 +184,7 @@ class Migration(migrations.Migration):
         migrations.AlterModelOptions(
             name='automationexecution',
             options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexection', 'Can add change secret execution'),
+                                     ('add_changesecretexecution', 'Can add change secret execution'),
                                      ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                      ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
                                      ('view_pushaccountexecution', 'Can view push account execution'),

apps/accounts/migrations/0017_alter_automationexecution_options.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.1.10 on 2023-10-24 05:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('accounts', '0016_accounttemplate_password_rules'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='automationexecution',
+            options={
+                'permissions': [
+                    ('view_changesecretexecution', 'Can view change secret execution'),
+                    ('add_changesecretexecution', 'Can add change secret execution'),
+                    ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
+                    ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
+                    ('view_pushaccountexecution', 'Can view push account execution'),
+                    ('add_pushaccountexecution', 'Can add push account execution')
+                ],
+                'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
+        ),
+    ]

apps/accounts/models/automations/base.py

@@ -33,7 +33,7 @@ class AutomationExecution(AssetAutomationExecution):
         verbose_name_plural = _("Automation executions")
         permissions = [
             ('view_changesecretexecution', _('Can view change secret execution')),
-            ('add_changesecretexection', _('Can add change secret execution')),
+            ('add_changesecretexecution', _('Can add change secret execution')),
 
             ('view_gatheraccountsexecution', _('Can view gather accounts execution')),
             ('add_gatheraccountsexecution', _('Can add gather accounts execution')),

apps/accounts/serializers/automations/change_secret.py

@@ -71,7 +71,6 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
             return password_rules
 
         length = password_rules.get('length')
-        symbol_set = password_rules.get('symbol_set', '')
 
         try:
             length = int(length)
@@ -84,10 +83,6 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
             msg = _('* Password length range 6-30 bits')
             raise serializers.ValidationError(msg)
 
-        if not isinstance(symbol_set, str):
-            symbol_set = str(symbol_set)
-
-        password_rules = {'length': length, 'symbol_set': ''.join(symbol_set)}
         return password_rules
 
     def validate(self, attrs):

apps/assets/const/base.py

@@ -64,14 +64,14 @@ class BaseType(TextChoices):
     @classmethod
     def _parse_protocols(cls, protocol, tp):
         from .protocol import Protocol
-        settings = Protocol.settings()
+        _settings = Protocol.settings()
         choices = protocol.get('choices', [])
         if choices == '__self__':
             choices = [tp]
 
         protocols = []
         for name in choices:
-            protocol = {'name': name, **settings.get(name, {})}
+            protocol = {'name': name, **_settings.get(name, {})}
             setting = protocol.pop('setting', {})
             setting_values = {k: v.get('default', None) for k, v in setting.items()}
             protocol['setting'] = setting_values
@@ -112,7 +112,7 @@ class BaseType(TextChoices):
 
     @classmethod
     def get_choices(cls):
-        if not settings.XPACK_LICENSE_IS_VALID:
+        if not settings.XPACK_ENABLED:
             return [
                 (tp.value, tp.label)
                 for tp in cls.get_community_types()

apps/assets/serializers/asset/database.py

@@ -1,3 +1,4 @@
+from django.db.models import QuerySet
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -34,7 +35,7 @@ class DatabaseSerializer(AssetSerializer):
             if not platform_id and self.instance:
                 platform = self.instance.platform
         elif getattr(self, 'instance', None):
-            if isinstance(self.instance, list):
+            if isinstance(self.instance, (list, QuerySet)):
                 return
             platform = self.instance.platform
         elif self.context.get('request'):

apps/audits/models.py

@@ -287,7 +287,7 @@ class UserSession(models.Model):
     def get_keys():
         session_store_cls = import_module(settings.SESSION_ENGINE).SessionStore
         cache_key_prefix = session_store_cls.cache_key_prefix
-        keys = caches[settings.SESSION_CACHE_ALIAS].keys('*')
+        keys = caches[settings.SESSION_CACHE_ALIAS].iter_keys('*')
         return [k.replace(cache_key_prefix, '') for k in keys]
 
     @classmethod

apps/audits/signal_handlers/login_log.py

@@ -14,7 +14,7 @@ from acls.notifications import UserLoginReminderMsg
 from audits.models import UserLoginLog
 from authentication.signals import post_auth_failed, post_auth_success
 from authentication.utils import check_different_city_login_if_need
-from common.utils import get_request_ip, get_logger
+from common.utils import get_request_ip_or_data, get_logger
 from users.models import User
 from ..const import LoginTypeChoices
 from ..models import UserSession
@@ -60,7 +60,7 @@ def get_login_backend(request):
 
 def generate_data(username, request, login_type=None):
     user_agent = request.META.get('HTTP_USER_AGENT', '')
-    login_ip = get_request_ip(request) or '0.0.0.0'
+    login_ip = get_request_ip_or_data(request) or '0.0.0.0'
 
     if login_type is None and isinstance(request, Request):
         login_type = request.META.get('HTTP_X_JMS_LOGIN_TYPE', 'U')

apps/audits/signal_handlers/operate_log.py

@@ -39,6 +39,7 @@ def on_m2m_changed(sender, action, instance, reverse, model, pk_set, **kwargs):
         log_id, before_instance = get_instance_dict_from_cache(instance_id)
 
         field_name = str(model._meta.verbose_name)
+        pk_set = pk_set or {}
         objs = model.objects.filter(pk__in=pk_set)
         objs_display = [str(o) for o in objs]
         action = M2M_ACTION[action]

apps/jumpserver/settings/base.py

@@ -1,5 +1,6 @@
 import os
 import platform
+import re
 
 from redis.sentinel import SentinelManagedSSLConnection
 
@@ -79,8 +80,8 @@ if CONFIG.SITE_URL:
 ALLOWED_DOMAINS = DOMAINS.split(',') if DOMAINS else ['localhost:8080']
 ALLOWED_DOMAINS = [host.strip() for host in ALLOWED_DOMAINS]
 ALLOWED_DOMAINS = [host.replace('http://', '').replace('https://', '') for host in ALLOWED_DOMAINS if host]
-ALLOWED_DOMAINS = [host.replace(':80', '').replace(':443', '') for host in ALLOWED_DOMAINS]
 ALLOWED_DOMAINS = [host.split('/')[0] for host in ALLOWED_DOMAINS if host]
+ALLOWED_DOMAINS = [re.sub(':80$|:443$', '', host) for host in ALLOWED_DOMAINS]
 
 DEBUG_HOSTS = ('127.0.0.1', 'localhost', 'core')
 DEBUG_PORT = ['8080', '80', ]

apps/ops/ansible/modules_utils/custom_common.py

@@ -26,6 +26,9 @@ def common_argument_spec():
 
 
 class SSHClient:
+    SLEEP_INTERVAL = 0.3
+    COMPLETE_FLAG = 'complete'
+
     def __init__(self, module):
         self.module = module
         self.channel = None
@@ -85,7 +88,10 @@ class SSHClient:
         su_output, err_msg = self.execute(commands)
         if err_msg:
             return err_msg
-        i_output, err_msg = self.execute(['whoami'], delay_time=1)
+        i_output, err_msg = self.execute(
+            ['whoami && echo "complete"'],
+            validate_output=True
+        )
         if err_msg:
             return err_msg
 
@@ -153,15 +159,21 @@ class SSHClient:
         output = self.channel.recv(size).decode(encoding)
         return output
 
-    def execute(self, commands, delay_time=0.3):
+    def execute(self, commands, validate_output=False):
         if not self.is_connect:
             self.connect()
         output, error_msg = '', ''
         try:
             for command in commands:
                 self.channel.send(command + '\n')
-                time.sleep(delay_time)
-                output = self._get_recv()
+                if not validate_output:
+                    time.sleep(self.SLEEP_INTERVAL)
+                    output += self._get_recv()
+                    continue
+                while self.COMPLETE_FLAG not in output:
+                    time.sleep(self.SLEEP_INTERVAL)
+                    received_output = self._get_recv().replace(f'"{self.COMPLETE_FLAG}"', '')
+                    output += received_output
         except Exception as e:
             error_msg = str(e)
         return output, error_msg

apps/rbac/migrations/0012_remove_add_changesecretexection_permission.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.1.10 on 2023-10-20 07:01
+
+from django.db import migrations
+
+
+def migrate_remove_add_changesecretexection_permission(apps, *args):
+    perm_model = apps.get_model('auth', 'Permission')
+    perm_model.objects.filter(codename='add_changesecretexection').delete()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('rbac', '0011_remove_redundant_permission'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_remove_add_changesecretexection_permission)
+    ]

apps/rbac/tree.py

@@ -88,7 +88,7 @@ special_pid_mapper = {
     "accounts.add_gatheraccountsexecution": "gather_account_node",
     "accounts.changesecretautomation": "asset_change_plan_node",
     "accounts.view_changesecretexecution": "asset_change_plan_node",
-    "accounts.add_changesecretexection": "asset_change_plan_node",
+    "accounts.add_changesecretexecution": "asset_change_plan_node",
     "accounts.view_changesecretrecord": "asset_change_plan_node",
     'orgs.organization': 'view_setting',
     'settings.setting': 'view_setting',

apps/tickets/migrations/0016_auto_20220609_1758.py

@@ -27,6 +27,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'abstract': False,
+                'verbose_name': 'Apply Login Ticket'
             },
             bases=('tickets.ticket',),
         ),
@@ -101,6 +102,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'abstract': False,
+                'verbose_name': 'Apply Login Asset Ticket'
             },
             bases=('tickets.ticket',),
         ),
@@ -130,6 +132,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'abstract': False,
+                'verbose_name': 'Apply Command Ticket'
             },
             bases=('tickets.ticket',),
         ),