feat: update v2.12.2 to latest

.dockerignore

@@ -6,5 +6,4 @@ tmp/*
 django.db
 celerybeat.pid
 ### Vagrant ###
-.vagrant/
-apps/xpack/.git
+.vagrant/

.gitattributes

@@ -1,2 +0,0 @@
-*.mmdb filter=lfs diff=lfs merge=lfs -text
-*.mo filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -39,4 +39,3 @@ logs/*
 .vagrant/
 release/*
 releashe
-/apps/script.py

Dockerfile

@@ -8,6 +8,7 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
+
 # 构建运行时环境
 FROM python:3.8.6-slim
 ARG PIP_MIRROR=https://pypi.douban.com/simple
@@ -17,37 +18,26 @@ ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 
 WORKDIR /opt/jumpserver
 
-COPY ./requirements/deb_requirements.txt ./requirements/deb_requirements.txt
+COPY ./requirements/deb_buster_requirements.txt ./requirements/deb_buster_requirements.txt
 RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
     && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
     && apt update \
-    && apt -y install telnet iproute2 redis-tools default-mysql-client vim wget curl locales procps \
-    && apt -y install $(cat requirements/deb_requirements.txt) \
+    && grep -v '^#' ./requirements/deb_buster_requirements.txt | xargs apt -y install \
     && rm -rf /var/lib/apt/lists/* \
     && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
-    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
-    && echo "set mouse-=a" > ~/.vimrc
+    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
 
 COPY ./requirements/requirements.txt ./requirements/requirements.txt
 RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
-    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
-    && rm -rf ~/.cache/pip
+    && pip config set global.index-url ${PIP_MIRROR} \
+    && pip install --no-cache-dir $(grep 'jms' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install --no-cache-dir -r requirements/requirements.txt
 
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN mkdir -p /root/.ssh/ \
     && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config
 
-RUN mkdir -p /opt/jumpserver/oracle/ \
-    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar > /dev/null \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
-    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
-    && ldconfig \
-    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
-
 RUN echo > config.yml
-
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 

README.md

@@ -21,7 +21,6 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 
 改变世界，从一点点开始 ...
 
-> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)
 
 ### 特色优势
 
@@ -33,19 +32,6 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - 多租户: 一套系统，多个子公司和部门同时使用；
 - 多应用支持: 数据库，Windows远程应用，Kubernetes。
 
-### UI 展示
-
-![UI展示](https://www.jumpserver.org/images/screenshot/1.png)
-
-### 在线体验
-
--   环境地址：<https://demo.jumpserver.org/>
-
-| :warning: 注意                 |
-| :--------------------------- |
-| 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
-| 请勿修改体验环境用户的密码！               |
-| 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 
 ### 快速开始
 
@@ -59,8 +45,6 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
 - [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
 - [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
-- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
-- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目
 
 ### 社区
 
@@ -68,7 +52,7 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 
 #### 微信交流群
 
-<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
+<img src="https://download.jumpserver.org/images/weixin-group.jpeg" alt="微信群二维码" width="200"/>
 
 ### 贡献
 如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
@@ -124,7 +108,7 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju
 
 ### License & Copyright
 
-Copyright (c) 2014-2021 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2020 飞致云 FIT2CLOUD, All rights reserved.
 
 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

README_EN.md

@@ -85,7 +85,7 @@ If you find a security problem, please contact us directly：
 - 400-052-0755
 
 ### License & Copyright
-Copyright (c) 2014-2021 Beijing Duizhan Tech, Inc., All rights reserved.
+Copyright (c) 2014-2019 Beijing Duizhan Tech, Inc., All rights reserved.
 
 Licensed under The GNU General Public License version 2 (GPLv2)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

SECURITY.md

@@ -1,9 +0,0 @@
-# 安全说明
-
-JumpServer 是一款正在成长的安全产品， 请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
-
-如果你发现安全问题，请直接联系我们，我们携手让世界更好：
-
-- ibuler@fit2cloud.com
-- support@fit2cloud.com
-- 400-052-0755

apps/__init__.py

@@ -1,3 +1,4 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
+

apps/acls/api/login_acl.py

@@ -2,16 +2,15 @@ from common.permissions import IsOrgAdmin, HasQueryParamsUserAndIsCurrentOrgMemb
 from common.drf.api import JMSBulkModelViewSet
 from ..models import LoginACL
 from .. import serializers
-from ..filters import LoginAclFilter
 
 __all__ = ['LoginACLViewSet', ]
 
 
 class LoginACLViewSet(JMSBulkModelViewSet):
     queryset = LoginACL.objects.all()
-    filterset_class = LoginAclFilter
-    search_fields = ('name',)
-    permission_classes = (IsOrgAdmin,)
+    filterset_fields = ('name', 'user', )
+    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin, )
     serializer_class = serializers.LoginACLSerializer
 
     def get_permissions(self):

apps/acls/api/login_asset_acl.py

@@ -1,3 +1,4 @@
+
 from orgs.mixins.api import OrgBulkModelViewSet
 from common.permissions import IsOrgAdmin
 from .. import models, serializers

apps/acls/api/login_asset_check.py

@@ -1,18 +1,20 @@
+from django.shortcuts import get_object_or_404
 from rest_framework.response import Response
-from rest_framework.generics import CreateAPIView
+from rest_framework.generics import CreateAPIView, RetrieveDestroyAPIView
 
 from common.permissions import IsAppUser
 from common.utils import reverse, lazyproperty
-from orgs.utils import tmp_to_org
+from orgs.utils import tmp_to_org, tmp_to_root_org
 from tickets.api import GenericTicketStatusRetrieveCloseAPI
 from ..models import LoginAssetACL
 from .. import serializers
 
+
 __all__ = ['LoginAssetCheckAPI', 'LoginAssetConfirmStatusAPI']
 
 
 class LoginAssetCheckAPI(CreateAPIView):
-    permission_classes = (IsAppUser,)
+    permission_classes = (IsAppUser, )
     serializer_class = serializers.LoginAssetCheckSerializer
 
     def create(self, request, *args, **kwargs):
@@ -55,12 +57,11 @@ class LoginAssetCheckAPI(CreateAPIView):
             external=True, api_to_ui=True
         )
         ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
         data = {
             'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
             'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
             'ticket_detail_url': ticket_detail_url,
-            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees]
+            'reviewers': [str(user) for user in ticket.assignees.all()],
         }
         return data
 
@@ -73,3 +74,4 @@ class LoginAssetCheckAPI(CreateAPIView):
 
 class LoginAssetConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
     pass
+

apps/acls/filters.py

@@ -1,15 +0,0 @@
-from django_filters import rest_framework as filters
-from common.drf.filters import BaseFilterSet
-
-from acls.models import LoginACL
-
-
-class LoginAclFilter(BaseFilterSet):
-    user = filters.UUIDFilter(field_name='user_id')
-    user_display = filters.CharFilter(field_name='user__name')
-
-    class Meta:
-        model = LoginACL
-        fields = (
-            'name', 'user', 'user_display', 'action'
-        )

apps/acls/migrations/0002_auto_20210926_1047.py

@@ -1,98 +0,0 @@
-# Generated by Django 3.1.12 on 2021-09-26 02:47
-import django
-from django.conf import settings
-from django.db import migrations, models, transaction
-from acls.models import LoginACL
-
-LOGIN_CONFIRM_ZH = '登录复核'
-LOGIN_CONFIRM_EN = 'Login confirm'
-
-DEFAULT_TIME_PERIODS = [{'id': i, 'value': '00:00~00:00'} for i in range(7)]
-
-
-def has_zh(name: str) -> bool:
-    for i in name:
-        if u'\u4e00' <= i <= u'\u9fff':
-            return True
-    return False
-
-
-def migrate_login_confirm(apps, schema_editor):
-    login_acl_model = apps.get_model("acls", "LoginACL")
-    login_confirm_model = apps.get_model("authentication", "LoginConfirmSetting")
-
-    with transaction.atomic():
-        for instance in login_confirm_model.objects.filter(is_active=True):
-            user = instance.user
-            reviewers = instance.reviewers.all()
-            login_confirm = LOGIN_CONFIRM_ZH if has_zh(user.name) else LOGIN_CONFIRM_EN
-            date_created = instance.date_created.strftime('%Y-%m-%d %H:%M:%S')
-            if reviewers.count() == 0:
-                continue
-            data = {
-                'user': user,
-                'name': f'{user.name}-{login_confirm} ({date_created})',
-                'created_by': instance.created_by,
-                'action': LoginACL.ActionChoices.confirm,
-                'rules': {'ip_group': ['*'], 'time_period': DEFAULT_TIME_PERIODS}
-            }
-            instance = login_acl_model.objects.create(**data)
-            instance.reviewers.set(reviewers)
-
-
-def migrate_ip_group(apps, schema_editor):
-    login_acl_model = apps.get_model("acls", "LoginACL")
-    updates = list()
-    with transaction.atomic():
-        for instance in login_acl_model.objects.exclude(action=LoginACL.ActionChoices.confirm):
-            instance.rules = {'ip_group': instance.ip_group, 'time_period': DEFAULT_TIME_PERIODS}
-            updates.append(instance)
-        login_acl_model.objects.bulk_update(updates, ['rules', ])
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('acls', '0001_initial'),
-        ('authentication', '0004_ssotoken'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='loginacl',
-            name='action',
-            field=models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow'), ('confirm', 'Login confirm')],
-                                   default='reject', max_length=64, verbose_name='Action'),
-        ),
-        migrations.AddField(
-            model_name='loginacl',
-            name='reviewers',
-            field=models.ManyToManyField(blank=True, related_name='login_confirm_acls',
-                                         to=settings.AUTH_USER_MODEL, verbose_name='Reviewers'),
-        ),
-        migrations.AlterField(
-            model_name='loginacl',
-            name='user',
-            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE,
-                                    related_name='login_acls', to=settings.AUTH_USER_MODEL, verbose_name='User'),
-        ),
-        migrations.AddField(
-            model_name='loginacl',
-            name='rules',
-            field=models.JSONField(default=dict, verbose_name='Rule'),
-        ),
-        migrations.RunPython(migrate_login_confirm),
-        migrations.RunPython(migrate_ip_group),
-        migrations.RemoveField(
-            model_name='loginacl',
-            name='ip_group',
-        ),
-        migrations.AlterModelOptions(
-            name='loginacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login acl'},
-        ),
-        migrations.AlterModelOptions(
-            name='loginassetacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login asset acl'},
-        ),
-    ]

apps/acls/models/login_acl.py

@@ -1,10 +1,8 @@
+
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from .base import BaseACL, BaseACLQuerySet
-from common.utils import get_request_ip, get_ip_city
-from common.utils.ip import contains_ip
-from common.utils.time_period import contains_time_period
-from common.utils.timezone import local_now_display
+from ..utils import contains_ip
 
 
 class ACLManager(models.Manager):
@@ -17,29 +15,23 @@ class LoginACL(BaseACL):
     class ActionChoices(models.TextChoices):
         reject = 'reject', _('Reject')
         allow = 'allow', _('Allow')
-        confirm = 'confirm', _('Login confirm')
 
-    # 用户
-    user = models.ForeignKey(
-        'users.User', on_delete=models.CASCADE, verbose_name=_('User'),
-        related_name='login_acls'
-    )
-    # 规则
-    rules = models.JSONField(default=dict, verbose_name=_('Rule'))
+    # 条件
+    ip_group = models.JSONField(default=list, verbose_name=_('Login IP'))
     # 动作
     action = models.CharField(
-        max_length=64, verbose_name=_('Action'),
-        choices=ActionChoices.choices, default=ActionChoices.reject
+        max_length=64, choices=ActionChoices.choices, default=ActionChoices.reject,
+        verbose_name=_('Action')
     )
-    reviewers = models.ManyToManyField(
-        'users.User', verbose_name=_("Reviewers"),
-        related_name="login_confirm_acls", blank=True
+    # 关联
+    user = models.ForeignKey(
+        'users.User', on_delete=models.CASCADE, related_name='login_acls', verbose_name=_('User')
     )
+
     objects = ACLManager.from_queryset(BaseACLQuerySet)()
 
     class Meta:
         ordering = ('priority', '-date_updated', 'name')
-        verbose_name = _('Login acl')
 
     def __str__(self):
         return self.name
@@ -52,77 +44,14 @@ class LoginACL(BaseACL):
     def action_allow(self):
         return self.action == self.ActionChoices.allow
 
-    @classmethod
-    def filter_acl(cls, user):
-        return user.login_acls.all().valid().distinct()
-
-    @staticmethod
-    def allow_user_confirm_if_need(user, ip):
-        acl = LoginACL.filter_acl(user).filter(
-            action=LoginACL.ActionChoices.confirm
-        ).first()
-        acl = acl if acl and acl.reviewers.exists() else None
-        if not acl:
-            return False, acl
-        ip_group = acl.rules.get('ip_group')
-        time_periods = acl.rules.get('time_period')
-        is_contain_ip = contains_ip(ip, ip_group)
-        is_contain_time_period = contains_time_period(time_periods)
-        return is_contain_ip and is_contain_time_period, acl
-
     @staticmethod
     def allow_user_to_login(user, ip):
-        acl = LoginACL.filter_acl(user).exclude(
-            action=LoginACL.ActionChoices.confirm
-        ).first()
+        acl = user.login_acls.valid().first()
         if not acl:
-            return True, ''
-        ip_group = acl.rules.get('ip_group')
-        time_periods = acl.rules.get('time_period')
-        is_contain_ip = contains_ip(ip, ip_group)
-        is_contain_time_period = contains_time_period(time_periods)
-
-        reject_type = ''
-        if is_contain_ip and is_contain_time_period:
-            # 满足条件
-            allow = acl.action_allow
-            if not allow:
-                reject_type = 'ip' if is_contain_ip else 'time'
-        else:
-            # 不满足条件
-            # 如果acl本身允许，那就拒绝；如果本身拒绝，那就允许
-            allow = not acl.action_allow
-            if not allow:
-                reject_type = 'ip' if not is_contain_ip else 'time'
-
-        return allow, reject_type
-
-    @staticmethod
-    def construct_confirm_ticket_meta(request=None):
-        login_ip = get_request_ip(request) if request else ''
-        login_ip = login_ip or '0.0.0.0'
-        login_city = get_ip_city(login_ip)
-        login_datetime = local_now_display()
-        ticket_meta = {
-            'apply_login_ip': login_ip,
-            'apply_login_city': login_city,
-            'apply_login_datetime': login_datetime,
-        }
-        return ticket_meta
-
-    def create_confirm_ticket(self, request=None):
-        from tickets import const
-        from tickets.models import Ticket
-        from orgs.models import Organization
-        ticket_title = _('Login confirm') + ' {}'.format(self.user)
-        ticket_meta = self.construct_confirm_ticket_meta(request)
-        data = {
-            'title': ticket_title,
-            'type': const.TicketType.login_confirm.value,
-            'meta': ticket_meta,
-            'org_id': Organization.ROOT_ID,
-        }
-        ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(self.reviewers.all())
-        ticket.open(self.user)
-        return ticket
+            return True
+        is_contained = contains_ip(ip, acl.ip_group)
+        if acl.action_allow and is_contained:
+            return True
+        if acl.action_reject and not is_contained:
+            return True
+        return False

apps/acls/models/login_asset_acl.py

@@ -3,7 +3,7 @@ from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from orgs.mixins.models import OrgModelMixin, OrgManager
 from .base import BaseACL, BaseACLQuerySet
-from common.utils.ip import contains_ip
+from ..utils import contains_ip
 
 
 class ACLManager(OrgManager):
@@ -37,7 +37,6 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
     class Meta:
         unique_together = ('name', 'org_id')
         ordering = ('priority', '-date_updated', 'name')
-        verbose_name = _('Login asset acl')
 
     def __str__(self):
         return self.name
@@ -84,11 +83,11 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
 
     @classmethod
     def create_login_asset_confirm_ticket(cls, user, asset, system_user, assignees, org_id):
-        from tickets.const import TicketType
+        from tickets.const import TicketTypeChoices
         from tickets.models import Ticket
         data = {
             'title': _('Login asset confirm') + ' ({})'.format(user),
-            'type': TicketType.login_asset_confirm,
+            'type': TicketTypeChoices.login_asset_confirm,
             'meta': {
                 'apply_login_user': str(user),
                 'apply_login_asset': str(asset),
@@ -97,7 +96,7 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
             'org_id': org_id,
         }
         ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(assignees)
+        ticket.assignees.set(assignees)
         ticket.open(applicant=user)
         return ticket
 

apps/acls/serializers/login_acl.py

@@ -1,56 +1,59 @@
 from django.utils.translation import ugettext as _
 from rest_framework import serializers
 from common.drf.serializers import BulkModelSerializer
-from common.drf.serializers import MethodSerializer
-from jumpserver.utils import has_valid_xpack_license
+from orgs.utils import current_org
 from ..models import LoginACL
-from .rules import RuleSerializer
+from ..utils import is_ip_address, is_ip_network,  is_ip_segment
+
 
 __all__ = ['LoginACLSerializer', ]
 
-common_help_text = _('Format for comma-delimited string, with * indicating a match all. ')
+
+def ip_group_child_validator(ip_group_child):
+    is_valid = ip_group_child == '*' \
+               or is_ip_address(ip_group_child) \
+               or is_ip_network(ip_group_child) \
+               or is_ip_segment(ip_group_child)
+    if not is_valid:
+        error = _('IP address invalid: `{}`').format(ip_group_child)
+        raise serializers.ValidationError(error)
 
 
 class LoginACLSerializer(BulkModelSerializer):
-    user_display = serializers.ReadOnlyField(source='user.username', label=_('Username'))
-    reviewers_display = serializers.SerializerMethodField(label=_('Reviewers'))
+    ip_group_help_text = _(
+        'Format for comma-delimited string, with * indicating a match all. '
+        'Such as: '
+        '192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64 '
+    )
+
+    ip_group = serializers.ListField(
+        default=['*'], label=_('IP'), help_text=ip_group_help_text,
+        child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator])
+    )
+    user_display = serializers.ReadOnlyField(source='user.name', label=_('User'))
     action_display = serializers.ReadOnlyField(source='get_action_display', label=_('Action'))
-    reviewers_amount = serializers.IntegerField(read_only=True, source='reviewers.count')
-    rules = MethodSerializer()
 
     class Meta:
         model = LoginACL
         fields_mini = ['id', 'name']
         fields_small = fields_mini + [
-            'priority', 'rules', 'action', 'action_display',
-            'is_active', 'user', 'user_display',
-            'date_created', 'date_updated', 'reviewers_amount',
-            'comment', 'created_by'
+            'priority', 'ip_group', 'action', 'action_display',
+            'is_active',
+            'date_created', 'date_updated',
+            'comment', 'created_by',
         ]
-        fields_fk = ['user', 'user_display']
-        fields_m2m = ['reviewers', 'reviewers_display']
-        fields = fields_small + fields_fk + fields_m2m
+        fields_fk = ['user', 'user_display',]
+        fields = fields_small + fields_fk
         extra_kwargs = {
             'priority': {'default': 50},
             'is_active': {'default': True},
-            "reviewers": {'allow_null': False, 'required': True},
         }
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.set_action_choices()
-
-    def set_action_choices(self):
-        action = self.fields.get('action')
-        if not action:
-            return
-        choices = action._choices
-        if not has_valid_xpack_license():
-            choices.pop(LoginACL.ActionChoices.confirm, None)
-        action._choices = choices
-
-    def get_rules_serializer(self):
-        return RuleSerializer()
-
-    def get_reviewers_display(self, obj):
-        return ','.join([str(user) for user in obj.reviewers.all()])
+    @staticmethod
+    def validate_user(user):
+        if user not in current_org.get_members():
+            error = _('The user `{}` is not in the current organization: `{}`').format(
+                user, current_org
+            )
+            raise serializers.ValidationError(error)
+        return user

apps/acls/serializers/rules/__init__.py

@@ -1 +0,0 @@
-from .rules import *

apps/acls/serializers/rules/rules.py

@@ -1,34 +0,0 @@
-# coding: utf-8
-#
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-from common.utils import get_logger
-from common.utils.ip import is_ip_address, is_ip_network, is_ip_segment
-
-logger = get_logger(__file__)
-
-__all__ = ['RuleSerializer']
-
-
-def ip_group_child_validator(ip_group_child):
-    is_valid = ip_group_child == '*' \
-               or is_ip_address(ip_group_child) \
-               or is_ip_network(ip_group_child) \
-               or is_ip_segment(ip_group_child)
-    if not is_valid:
-        error = _('IP address invalid: `{}`').format(ip_group_child)
-        raise serializers.ValidationError(error)
-
-
-class RuleSerializer(serializers.Serializer):
-    ip_group_help_text = _(
-        'Format for comma-delimited string, with * indicating a match all. '
-        'Such as: '
-        '192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64 '
-    )
-
-    ip_group = serializers.ListField(
-        default=['*'], label=_('IP'), help_text=ip_group_help_text,
-        child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator]))
-    time_period = serializers.ListField(default=[], label=_('Time Period'))

apps/acls/utils.py

@@ -0,0 +1,68 @@
+from ipaddress import ip_network, ip_address
+
+
+def is_ip_address(address):
+    """ 192.168.10.1 """
+    try:
+        ip_address(address)
+    except ValueError:
+        return False
+    else:
+        return True
+
+
+def is_ip_network(ip):
+    """ 192.168.1.0/24 """
+    try:
+        ip_network(ip)
+    except ValueError:
+        return False
+    else:
+        return True
+
+
+def is_ip_segment(ip):
+    """ 10.1.1.1-10.1.1.20 """
+    if '-' not in ip:
+        return False
+    ip_address1, ip_address2 = ip.split('-')
+    return is_ip_address(ip_address1) and is_ip_address(ip_address2)
+
+
+def in_ip_segment(ip, ip_segment):
+    ip1, ip2 = ip_segment.split('-')
+    ip1 = int(ip_address(ip1))
+    ip2 = int(ip_address(ip2))
+    ip = int(ip_address(ip))
+    return min(ip1, ip2) <= ip <= max(ip1, ip2)
+
+
+def contains_ip(ip, ip_group):
+    """
+    ip_group:
+    [192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64.]
+
+    """
+
+    if '*' in ip_group:
+        return True
+
+    for _ip in ip_group:
+        if is_ip_address(_ip):
+            # 192.168.10.1
+            if ip == _ip:
+                return True
+        elif is_ip_network(_ip) and is_ip_address(ip):
+            # 192.168.1.0/24
+            if ip_address(ip) in ip_network(_ip):
+                return True
+        elif is_ip_segment(_ip) and is_ip_address(ip):
+            # 10.1.1.1-10.1.1.20
+            if in_ip_segment(ip, _ip):
+                return True
+        else:
+            # is domain name
+            if ip == _ip:
+                return True
+
+    return False

apps/applications/api/__init__.py

@@ -1,4 +1,4 @@
 from .application import *
-from .account import *
+from .application_user import *
 from .mixin import *
 from .remote_app import *

apps/applications/api/account.py

@@ -1,58 +0,0 @@
-# coding: utf-8
-#
-
-from django_filters import rest_framework as filters
-from django.db.models import F, Q
-
-from common.drf.filters import BaseFilterSet
-from common.drf.api import JMSBulkModelViewSet
-from ..models import Account
-from ..hands import IsOrgAdminOrAppUser, IsOrgAdmin, NeedMFAVerify
-from .. import serializers
-
-
-class AccountFilterSet(BaseFilterSet):
-    username = filters.CharFilter(method='do_nothing')
-    type = filters.CharFilter(field_name='type', lookup_expr='exact')
-    category = filters.CharFilter(field_name='category', lookup_expr='exact')
-    app_display = filters.CharFilter(field_name='app_display', lookup_expr='exact')
-
-    class Meta:
-        model = Account
-        fields = ['app', 'systemuser']
-
-    @property
-    def qs(self):
-        qs = super().qs
-        qs = self.filter_username(qs)
-        return qs
-
-    def filter_username(self, qs):
-        username = self.get_query_param('username')
-        if not username:
-            return qs
-        qs = qs.filter(Q(username=username) | Q(systemuser__username=username)).distinct()
-        return qs
-
-
-class ApplicationAccountViewSet(JMSBulkModelViewSet):
-    model = Account
-    search_fields = ['username', 'app_display']
-    filterset_class = AccountFilterSet
-    filterset_fields = ['username', 'app_display', 'type', 'category', 'app']
-    serializer_class = serializers.AppAccountSerializer
-    permission_classes = (IsOrgAdmin,)
-
-    def get_queryset(self):
-        queryset = Account.objects.all() \
-            .annotate(type=F('app__type')) \
-            .annotate(app_display=F('app__name')) \
-            .annotate(systemuser_display=F('systemuser__name')) \
-            .annotate(category=F('app__category'))
-        return queryset
-
-
-class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
-    serializer_class = serializers.AppAccountSecretSerializer
-    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
-    http_method_names = ['get', 'options']

apps/applications/api/application.py

@@ -2,37 +2,18 @@
 #
 
 from orgs.mixins.api import OrgBulkModelViewSet
-from rest_framework.decorators import action
-from rest_framework.response import Response
 
-from common.tree import TreeNodeSerializer
-from common.mixins.api import SuggestionMixin
 from ..hands import IsOrgAdminOrAppUser
 from .. import serializers
 from ..models import Application
 
+
 __all__ = ['ApplicationViewSet']
 
 
-class ApplicationViewSet(SuggestionMixin, OrgBulkModelViewSet):
+class ApplicationViewSet(OrgBulkModelViewSet):
     model = Application
-    filterset_fields = {
-        'name': ['exact'],
-        'category': ['exact'],
-        'type': ['exact', 'in'],
-    }
-    search_fields = ('name', 'type', 'category')
+    filterset_fields = ('name', 'type', 'category')
+    search_fields = filterset_fields
     permission_classes = (IsOrgAdminOrAppUser,)
-    serializer_classes = {
-        'default': serializers.AppSerializer,
-        'get_tree': TreeNodeSerializer,
-        'suggestion': serializers.MiniAppSerializer
-    }
-
-    @action(methods=['GET'], detail=False, url_path='tree')
-    def get_tree(self, request, *args, **kwargs):
-        show_count = request.query_params.get('show_count', '1') == '1'
-        queryset = self.filter_queryset(self.get_queryset())
-        tree_nodes = Application.create_tree_nodes(queryset, show_count=show_count)
-        serializer = self.get_serializer(tree_nodes, many=True)
-        return Response(serializer.data)
+    serializer_class = serializers.ApplicationSerializer

apps/applications/api/application_user.py

@@ -0,0 +1,55 @@
+# coding: utf-8
+#
+
+from rest_framework import generics
+from django.conf import settings
+
+from ..hands import IsOrgAdminOrAppUser, IsOrgAdmin, NeedMFAVerify
+from .. import serializers
+from ..models import Application, ApplicationUser
+from perms.models import ApplicationPermission
+
+
+class ApplicationUserListApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin, )
+    filterset_fields = ('name', 'username')
+    search_fields = filterset_fields
+    serializer_class = serializers.ApplicationUserSerializer
+    _application = None
+
+    @property
+    def application(self):
+        if self._application is None:
+            app_id = self.request.query_params.get('application_id')
+            if app_id:
+                self._application = Application.objects.get(id=app_id)
+        return self._application
+
+    def get_serializer_context(self):
+        context = super().get_serializer_context()
+        context.update({
+            'application': self.application
+        })
+        return context
+
+    def get_queryset(self):
+        queryset = ApplicationUser.objects.none()
+        if not self.application:
+            return queryset
+        system_user_ids = ApplicationPermission.objects.filter(applications=self.application)\
+            .values_list('system_users', flat=True)
+        if not system_user_ids:
+            return queryset
+        queryset = ApplicationUser.objects.filter(id__in=system_user_ids)
+        return queryset
+
+
+class ApplicationUserAuthInfoListApi(ApplicationUserListApi):
+    serializer_class = serializers.ApplicationUserWithAuthInfoSerializer
+    http_method_names = ['get']
+    permission_classes = [IsOrgAdminOrAppUser]
+
+    def get_permissions(self):
+        if settings.SECURITY_VIEW_AUTH_NEED_MFA:
+            self.permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+        return super().get_permissions()

apps/applications/api/mixin.py

@@ -1,55 +1,89 @@
-from django.utils.translation import ugettext as _
-
-from common.tree import TreeNode
 from orgs.models import Organization
-from ..models import Application
+
 
 __all__ = ['SerializeApplicationToTreeNodeMixin']
 
 
 class SerializeApplicationToTreeNodeMixin:
-    @staticmethod
-    def filter_organizations(applications):
-        organization_ids = set(applications.values_list('org_id', flat=True))
-        organizations = [Organization.get_instance(org_id) for org_id in organization_ids]
-        organizations.sort(key=lambda x: x.name)
-        return organizations
 
     @staticmethod
-    def create_root_node():
-        name = _('My applications')
-        node = TreeNode(**{
-            'id': 'applications',
-            'name': name,
-            'title': name,
+    def _serialize_db(db):
+        return {
+            'id': db.id,
+            'name': db.name,
+            'title': db.name,
+            'pId': '',
+            'open': False,
+            'iconSkin': 'database',
+            'meta': {'type': 'database_app'}
+        }
+
+    @staticmethod
+    def _serialize_remote_app(remote_app):
+        return {
+            'id': remote_app.id,
+            'name': remote_app.name,
+            'title': remote_app.name,
+            'pId': '',
+            'open': False,
+            'isParent': False,
+            'iconSkin': 'chrome',
+            'meta': {'type': 'remote_app'}
+        }
+
+    @staticmethod
+    def _serialize_cloud(cloud):
+        return {
+            'id': cloud.id,
+            'name': cloud.name,
+            'title': cloud.name,
+            'pId': '',
+            'open': False,
+            'isParent': False,
+            'iconSkin': 'k8s',
+            'meta': {'type': 'k8s_app'}
+        }
+
+    def _serialize_application(self, application):
+        method_name = f'_serialize_{application.category}'
+        data = getattr(self, method_name)(application)
+        data.update({
+            'pId': application.org.id,
+            'org_name': application.org_name
+        })
+        return data
+
+    def serialize_applications(self, applications):
+        data = [self._serialize_application(application) for application in applications]
+        return data
+
+    @staticmethod
+    def _serialize_organization(org):
+        return {
+            'id': org.id,
+            'name': org.name,
+            'title': org.name,
             'pId': '',
             'open': True,
             'isParent': True,
             'meta': {
-                'type': 'root'
+                'type': 'node'
             }
-        })
-        return node
+        }
+
+    def serialize_organizations(self, organizations):
+        data = [self._serialize_organization(org) for org in organizations]
+        return data
+
+    @staticmethod
+    def filter_organizations(applications):
+        organization_ids = set(applications.values_list('org_id', flat=True))
+        organizations = [Organization.get_instance(org_id) for org_id in organization_ids]
+        return organizations
 
     def serialize_applications_with_org(self, applications):
-        if not applications:
-            return []
-        root_node = self.create_root_node()
-        tree_nodes = [root_node]
         organizations = self.filter_organizations(applications)
-
-        for i, org in enumerate(organizations):
-            # 组织节点
-            org_node = org.as_tree_node(pid=root_node.id)
-            tree_nodes.append(org_node)
-            org_applications = applications.filter(org_id=org.id)
-            count = org_applications.count()
-            org_node.name += '({})'.format(count)
-
-            # 各应用节点
-            apps_nodes = Application.create_tree_nodes(
-                queryset=org_applications, root_node=org_node,
-                show_empty=False
-            )
-            tree_nodes += apps_nodes
-        return tree_nodes
+        data_organizations = self.serialize_organizations(organizations)
+        data_applications = self.serialize_applications(applications)
+        data = data_organizations + data_applications
+        return data

apps/applications/const.py

@@ -1,10 +1,11 @@
 #  coding: utf-8
 #
+
 from django.db.models import TextChoices
 from django.utils.translation import ugettext_lazy as _
 
 
-class AppCategory(TextChoices):
+class ApplicationCategoryChoices(TextChoices):
     db = 'db', _('Database')
     remote_app = 'remote_app', _('Remote app')
     cloud = 'cloud', 'Cloud'
@@ -14,7 +15,7 @@ class AppCategory(TextChoices):
         return dict(cls.choices).get(category, '')
 
 
-class AppType(TextChoices):
+class ApplicationTypeChoices(TextChoices):
     # db category
     mysql = 'mysql', 'MySQL'
     oracle = 'oracle', 'Oracle'
@@ -30,38 +31,19 @@ class AppType(TextChoices):
     # cloud category
     k8s = 'k8s', 'Kubernetes'
 
-    @classmethod
-    def category_types_mapper(cls):
-        return {
-            AppCategory.db: [cls.mysql, cls.oracle, cls.pgsql, cls.mariadb],
-            AppCategory.remote_app: [cls.chrome, cls.mysql_workbench, cls.vmware_client, cls.custom],
-            AppCategory.cloud: [cls.k8s]
-        }
-
-    @classmethod
-    def type_category_mapper(cls):
-        mapper = {}
-        for category, tps in cls.category_types_mapper().items():
-            for tp in tps:
-                mapper[tp] = category
-        return mapper
-
     @classmethod
     def get_label(cls, tp):
         return dict(cls.choices).get(tp, '')
 
     @classmethod
     def db_types(cls):
-        return [tp.value for tp in cls.category_types_mapper()[AppCategory.db]]
+        return [cls.mysql.value, cls.oracle.value, cls.pgsql.value, cls.mariadb.value]
 
     @classmethod
     def remote_app_types(cls):
-        return [tp.value for tp in cls.category_types_mapper()[AppCategory.remote_app]]
+        return [cls.chrome.value, cls.mysql_workbench.value, cls.vmware_client.value, cls.custom.value]
 
     @classmethod
     def cloud_types(cls):
-        return [tp.value for tp in cls.category_types_mapper()[AppCategory.cloud]]
-
-
-
+        return [cls.k8s.value]
 

apps/applications/migrations/0010_appaccount_historicalappaccount.py

@@ -1,76 +0,0 @@
-# Generated by Django 3.1.12 on 2021-08-26 09:07
-
-import assets.models.base
-import common.fields.model
-from django.conf import settings
-import django.core.validators
-from django.db import migrations, models
-import django.db.models.deletion
-import simple_history.models
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('assets', '0076_delete_assetuser'),
-        ('applications', '0009_applicationuser'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='HistoricalAccount',
-            fields=[
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
-                ('comment', models.TextField(blank=True, verbose_name='Comment')),
-                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
-                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
-                ('version', models.IntegerField(default=1, verbose_name='Version')),
-                ('history_id', models.AutoField(primary_key=True, serialize=False)),
-                ('history_date', models.DateTimeField()),
-                ('history_change_reason', models.CharField(max_length=100, null=True)),
-                ('history_type', models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
-                ('app', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='applications.application', verbose_name='Database')),
-                ('history_user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to=settings.AUTH_USER_MODEL)),
-                ('systemuser', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='assets.systemuser', verbose_name='System user')),
-            ],
-            options={
-                'verbose_name': 'historical Account',
-                'ordering': ('-history_date', '-history_id'),
-                'get_latest_by': 'history_date',
-            },
-            bases=(simple_history.models.HistoricalChanges, models.Model),
-        ),
-        migrations.CreateModel(
-            name='Account',
-            fields=[
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
-                ('comment', models.TextField(blank=True, verbose_name='Comment')),
-                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
-                ('version', models.IntegerField(default=1, verbose_name='Version')),
-                ('app', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='applications.application', verbose_name='Database')),
-                ('systemuser', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.systemuser', verbose_name='System user')),
-            ],
-            options={
-                'verbose_name': 'Account',
-                'unique_together': {('username', 'app', 'systemuser')},
-            },
-            bases=(models.Model, assets.models.base.AuthMixin),
-        ),
-    ]

apps/applications/migrations/0011_auto_20210826_1759.py

@@ -1,40 +0,0 @@
-# Generated by Django 3.1.12 on 2021-08-26 09:59
-
-from django.db import migrations, transaction
-from django.db.models import F
-
-
-def migrate_app_account(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    app_perm_model = apps.get_model("perms", "ApplicationPermission")
-    app_account_model = apps.get_model("applications", 'Account')
-
-    queryset = app_perm_model.objects \
-        .exclude(system_users__isnull=True) \
-        .exclude(applications__isnull=True) \
-        .annotate(systemuser=F('system_users')) \
-        .annotate(app=F('applications')) \
-        .values('app', 'systemuser', 'org_id')
-
-    accounts = []
-    for p in queryset:
-        if not p['app']:
-            continue
-        account = app_account_model(
-            app_id=p['app'], systemuser_id=p['systemuser'],
-            version=1, org_id=p['org_id']
-        )
-        accounts.append(account)
-
-    app_account_model.objects.using(db_alias).bulk_create(accounts, ignore_conflicts=True)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0010_appaccount_historicalappaccount'),
-    ]
-
-    operations = [
-        migrations.RunPython(migrate_app_account)
-    ]

apps/applications/migrations/0012_auto_20211014_2209.py

@@ -1,23 +0,0 @@
-# Generated by Django 3.1.13 on 2021-10-14 14:09
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0011_auto_20210826_1759'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='account',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='historicalaccount',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-    ]

apps/applications/migrations/0013_auto_20211026_1711.py

@@ -1,17 +0,0 @@
-# Generated by Django 3.1.13 on 2021-10-26 09:11
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0012_auto_20211014_2209'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='application',
-            options={'ordering': ('name',), 'verbose_name': 'Application'},
-        ),
-    ]

apps/applications/models/__init__.py

@@ -1,2 +1 @@
 from .application import *
-from .account import *

apps/applications/models/account.py

@@ -1,88 +0,0 @@
-from django.db import models
-from simple_history.models import HistoricalRecords
-from django.utils.translation import ugettext_lazy as _
-
-from common.utils import lazyproperty
-from assets.models.base import BaseUser
-
-
-class Account(BaseUser):
-    app = models.ForeignKey('applications.Application', on_delete=models.CASCADE, null=True, verbose_name=_('Database'))
-    systemuser = models.ForeignKey('assets.SystemUser', on_delete=models.CASCADE, null=True, verbose_name=_("System user"))
-    version = models.IntegerField(default=1, verbose_name=_('Version'))
-    history = HistoricalRecords()
-
-    auth_attrs = ['username', 'password', 'private_key', 'public_key']
-
-    class Meta:
-        verbose_name = _('Account')
-        unique_together = [('username', 'app', 'systemuser')]
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.auth_snapshot = {}
-
-    def get_or_systemuser_attr(self, attr):
-        val = getattr(self, attr, None)
-        if val:
-            return val
-        if self.systemuser:
-            return getattr(self.systemuser, attr, '')
-        return ''
-
-    def load_auth(self):
-        for attr in self.auth_attrs:
-            value = self.get_or_systemuser_attr(attr)
-            self.auth_snapshot[attr] = [getattr(self, attr), value]
-            setattr(self, attr, value)
-
-    def unload_auth(self):
-        if not self.systemuser:
-            return
-
-        for attr, values in self.auth_snapshot.items():
-            origin_value, loaded_value = values
-            current_value = getattr(self, attr, '')
-            if current_value == loaded_value:
-                setattr(self, attr, origin_value)
-
-    def save(self, *args, **kwargs):
-        self.unload_auth()
-        instance = super().save(*args, **kwargs)
-        self.load_auth()
-        return instance
-
-    @lazyproperty
-    def category(self):
-        return self.app.category
-
-    @lazyproperty
-    def type(self):
-        return self.app.type
-
-    @lazyproperty
-    def app_display(self):
-        return self.systemuser.name
-
-    @property
-    def username_display(self):
-        return self.get_or_systemuser_attr('username') or ''
-
-    @lazyproperty
-    def systemuser_display(self):
-        if not self.systemuser:
-            return ''
-        return str(self.systemuser)
-
-    @property
-    def smart_name(self):
-        username = self.username_display
-
-        if self.app:
-            app = str(self.app)
-        else:
-            app = '*'
-        return '{}@{}'.format(username, app)
-
-    def __str__(self):
-        return self.smart_name

apps/applications/models/application.py

@@ -1,174 +1,19 @@
-from collections import defaultdict
-
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 
 from orgs.mixins.models import OrgModelMixin
 from common.mixins import CommonModelMixin
-from common.tree import TreeNode
 from assets.models import Asset, SystemUser
 from .. import const
 
 
-class ApplicationTreeNodeMixin:
-    id: str
-    name: str
-    type: str
-    category: str
-
-    @classmethod
-    def create_choice_node(cls, c, id_, pid, tp, opened=False, counts=None,
-                           show_empty=True, show_count=True):
-        count = counts.get(c.value, 0)
-        if count == 0 and not show_empty:
-            return None
-        label = c.label
-        if count is not None and show_count:
-            label = '{} ({})'.format(label, count)
-        data = {
-            'id': id_,
-            'name': label,
-            'title': label,
-            'pId': pid,
-            'isParent': bool(count),
-            'open': opened,
-            'iconSkin': '',
-            'meta': {
-                'type': tp,
-                'data': {
-                    'name': c.name,
-                    'value': c.value
-                }
-            }
-        }
-        return TreeNode(**data)
-
-    @classmethod
-    def create_root_tree_node(cls, queryset, show_count=True):
-        count = queryset.count() if show_count else None
-        root_id = 'applications'
-        root_name = _('Applications')
-        if count is not None and show_count:
-            root_name = '{} ({})'.format(root_name, count)
-        node = TreeNode(**{
-            'id': root_id,
-            'name': root_name,
-            'title': root_name,
-            'pId': '',
-            'isParent': True,
-            'open': True,
-            'iconSkin': '',
-            'meta': {
-                'type': 'applications_root',
-            }
-        })
-        return node
-
-    @classmethod
-    def create_category_tree_nodes(cls, root_node, counts=None, show_empty=True, show_count=True):
-        nodes = []
-        categories = const.AppType.category_types_mapper().keys()
-        for category in categories:
-            i = root_node.id + '_' + category.value
-            node = cls.create_choice_node(
-                category, i, pid=root_node.id, tp='category',
-                counts=counts, opened=False, show_empty=show_empty,
-                show_count=show_count
-            )
-            if not node:
-                continue
-            nodes.append(node)
-        return nodes
-
-    @classmethod
-    def create_types_tree_nodes(cls, root_node, counts, show_empty=True, show_count=True):
-        nodes = []
-        type_category_mapper = const.AppType.type_category_mapper()
-        for tp in const.AppType.type_category_mapper().keys():
-            category = type_category_mapper.get(tp)
-            pid = root_node.id + '_' + category.value
-            i = root_node.id + '_' + tp.value
-            node = cls.create_choice_node(
-                tp, i, pid, tp='type', counts=counts, opened=False,
-                show_empty=show_empty, show_count=show_count
-            )
-            if not node:
-                continue
-            nodes.append(node)
-        return nodes
-
-    @staticmethod
-    def get_tree_node_counts(queryset):
-        counts = defaultdict(int)
-        values = queryset.values_list('type', 'category')
-        for i in values:
-            tp = i[0]
-            category = i[1]
-            counts[tp] += 1
-            counts[category] += 1
-        return counts
-
-    @classmethod
-    def create_tree_nodes(cls, queryset, root_node=None, show_empty=True, show_count=True):
-        counts = cls.get_tree_node_counts(queryset)
-        tree_nodes = []
-
-        # 根节点有可能是组织名称
-        if root_node is None:
-            root_node = cls.create_root_tree_node(queryset, show_count=show_count)
-            tree_nodes.append(root_node)
-
-        # 类别的节点
-        tree_nodes += cls.create_category_tree_nodes(
-            root_node, counts, show_empty=show_empty,
-            show_count=show_count
-        )
-
-        # 类型的节点
-        tree_nodes += cls.create_types_tree_nodes(
-            root_node, counts, show_empty=show_empty,
-            show_count=show_count
-        )
-
-        # 应用的节点
-        for app in queryset:
-            pid = root_node.id + '_' + app.type
-            tree_nodes.append(app.as_tree_node(pid))
-        return tree_nodes
-
-    def as_tree_node(self, pid):
-        icon_skin_category_mapper = {
-            'remote_app': 'chrome',
-            'db': 'database',
-            'cloud': 'cloud'
-        }
-        icon_skin = icon_skin_category_mapper.get(self.category, 'file')
-        node = TreeNode(**{
-            'id': str(self.id),
-            'name': self.name,
-            'title': self.name,
-            'pId': pid,
-            'isParent': False,
-            'open': False,
-            'iconSkin': icon_skin,
-            'meta': {
-                'type': 'application',
-                'data': {
-                    'category': self.category,
-                    'type': self.type,
-                }
-            }
-        })
-        return node
-
-
-class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
+class Application(CommonModelMixin, OrgModelMixin):
     name = models.CharField(max_length=128, verbose_name=_('Name'))
     category = models.CharField(
-        max_length=16, choices=const.AppCategory.choices, verbose_name=_('Category')
+        max_length=16, choices=const.ApplicationCategoryChoices.choices, verbose_name=_('Category')
     )
     type = models.CharField(
-        max_length=16, choices=const.AppType.choices, verbose_name=_('Type')
+        max_length=16, choices=const.ApplicationTypeChoices.choices, verbose_name=_('Type')
     )
     domain = models.ForeignKey(
         'assets.Domain', null=True, blank=True, related_name='applications',
@@ -180,7 +25,6 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
     )
 
     class Meta:
-        verbose_name = _('Application')
         unique_together = [('org_id', 'name')]
         ordering = ('name',)
 
@@ -191,7 +35,7 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
 
     @property
     def category_remote_app(self):
-        return self.category == const.AppCategory.remote_app.value
+        return self.category == const.ApplicationCategoryChoices.remote_app.value
 
     def get_rdp_remote_app_setting(self):
         from applications.serializers.attrs import get_serializer_class_by_application_type

apps/applications/serializers/application.py

@@ -3,24 +3,19 @@
 
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
-
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
-from assets.serializers.base import AuthSerializerMixin
 from common.drf.serializers import MethodSerializer
-from .attrs import (
-    category_serializer_classes_mapping,
-    type_serializer_classes_mapping
-)
+from .attrs import category_serializer_classes_mapping, type_serializer_classes_mapping
+from assets.serializers import SystemUserSerializer
 from .. import models
-from .. import const
 
 __all__ = [
-    'AppSerializer', 'MiniAppSerializer', 'AppSerializerMixin',
-    'AppAccountSerializer', 'AppAccountSecretSerializer'
+    'ApplicationSerializer', 'ApplicationSerializerMixin',
+    'ApplicationUserSerializer', 'ApplicationUserWithAuthInfoSerializer'
 ]
 
 
-class AppSerializerMixin(serializers.Serializer):
+class ApplicationSerializerMixin(serializers.Serializer):
     attrs = MethodSerializer()
 
     def get_attrs_serializer(self):
@@ -48,23 +43,18 @@ class AppSerializerMixin(serializers.Serializer):
             serializer = serializer_class
         return serializer
 
-    def create(self, validated_data):
-        return super().create(validated_data)
 
-    def update(self, instance, validated_data):
-        return super().update(instance, validated_data)
-
-
-class AppSerializer(AppSerializerMixin, BulkOrgResourceModelSerializer):
-    category_display = serializers.ReadOnlyField(source='get_category_display', label=_('Category display'))
-    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
+class ApplicationSerializer(ApplicationSerializerMixin, BulkOrgResourceModelSerializer):
+    category_display = serializers.ReadOnlyField(source='get_category_display', label=_('Category(Display)'))
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type(Dispaly)'))
 
     class Meta:
         model = models.Application
         fields_mini = ['id', 'name']
         fields_small = fields_mini + [
-            'category', 'category_display', 'type', 'type_display',
-            'attrs', 'date_created', 'date_updated', 'created_by', 'comment'
+            'category', 'category_display', 'type', 'type_display', 'attrs',
+            'date_created', 'date_updated',
+            'created_by', 'comment'
         ]
         fields_fk = ['domain']
         fields = fields_small + fields_fk
@@ -78,63 +68,41 @@ class AppSerializer(AppSerializerMixin, BulkOrgResourceModelSerializer):
         return _attrs
 
 
-class MiniAppSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = models.Application
-        fields = AppSerializer.Meta.fields_mini
+class ApplicationUserSerializer(SystemUserSerializer):
+    application_name = serializers.SerializerMethodField(label=_('Application name'))
+    application_category = serializers.SerializerMethodField(label=_('Application category'))
+    application_type = serializers.SerializerMethodField(label=_('Application type'))
 
-
-class AppAccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
-    category = serializers.ChoiceField(label=_('Category'), choices=const.AppCategory.choices, read_only=True)
-    category_display = serializers.SerializerMethodField(label=_('Category display'))
-    type = serializers.ChoiceField(label=_('Type'), choices=const.AppType.choices, read_only=True)
-    type_display = serializers.SerializerMethodField(label=_('Type display'))
-
-    category_mapper = dict(const.AppCategory.choices)
-    type_mapper = dict(const.AppType.choices)
-
-    class Meta:
-        model = models.Account
-        fields_mini = ['id', 'username', 'version']
-        fields_write_only = ['password', 'private_key']
-        fields_fk = ['systemuser', 'systemuser_display', 'app', 'app_display']
-        fields = fields_mini + fields_fk + fields_write_only + [
-            'type', 'type_display', 'category', 'category_display',
+    class Meta(SystemUserSerializer.Meta):
+        model = models.ApplicationUser
+        fields_mini = [
+            'id', 'application_name', 'application_category', 'application_type', 'name', 'username'
         ]
+        fields_small = fields_mini + [
+            'protocol', 'login_mode', 'login_mode_display', 'priority',
+            "username_same_with_user", 'comment',
+        ]
+        fields = fields_small
         extra_kwargs = {
-            'username': {'default': '', 'required': False},
-            'password': {'write_only': True},
-            'app_display': {'label': _('Application display')},
-            'systemuser_display': {'label': _('System User')}
-        }
-        use_model_bulk_create = True
-        model_bulk_create_kwargs = {
-            'ignore_conflicts': True
+            'login_mode_display': {'label': _('Login mode display')},
+            'created_by': {'read_only': True},
         }
 
-    def get_category_display(self, obj):
-        return self.category_mapper.get(obj.category)
+    @property
+    def application(self):
+        return self.context['application']
 
-    def get_type_display(self, obj):
-        return self.type_mapper.get(obj.type)
+    def get_application_name(self, obj):
+        return self.application.name
 
-    @classmethod
-    def setup_eager_loading(cls, queryset):
-        """ Perform necessary eager loading of data. """
-        queryset = queryset.prefetch_related('systemuser', 'app')
-        return queryset
+    def get_application_category(self, obj):
+        return self.application.get_category_display()
 
-    def to_representation(self, instance):
-        instance.load_auth()
-        return super().to_representation(instance)
+    def get_application_type(self, obj):
+        return self.application.get_type_display()
 
 
-class AppAccountSecretSerializer(AppAccountSerializer):
-    class Meta(AppAccountSerializer.Meta):
-        extra_kwargs = {
-            'password': {'write_only': False},
-            'private_key': {'write_only': False},
-            'public_key': {'write_only': False},
-            'app_display': {'label': _('Application display')},
-            'systemuser_display': {'label': _('System User')}
-        }
+class ApplicationUserWithAuthInfoSerializer(ApplicationUserSerializer):
+
+    class Meta(ApplicationUserSerializer.Meta):
+        fields = ApplicationUserSerializer.Meta.fields + ['password', 'token']

apps/applications/serializers/attrs/application_category/remote_app.py

@@ -5,7 +5,7 @@ from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ObjectDoesNotExist
 
-from common.utils import get_logger, is_uuid, get_object_or_none
+from common.utils import get_logger, is_uuid
 from assets.models import Asset
 
 logger = get_logger(__file__)
@@ -14,37 +14,28 @@ logger = get_logger(__file__)
 __all__ = ['RemoteAppSerializer']
 
 
-class ExistAssetPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):
+class CharPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):
 
     def to_internal_value(self, data):
         instance = super().to_internal_value(data)
         return str(instance.id)
 
-    def to_representation(self, _id):
-        # _id 是 instance.id
+    def to_representation(self, value):
+        # value is instance.id
         if self.pk_field is not None:
-            return self.pk_field.to_representation(_id)
-        # 解决删除资产后，远程应用更新页面会显示资产ID的问题
-        asset = get_object_or_none(Asset, id=_id)
-        if not asset:
-            return None
-        return _id
+            return self.pk_field.to_representation(value)
+        return value
 
 
 class RemoteAppSerializer(serializers.Serializer):
     asset_info = serializers.SerializerMethodField()
-    asset = ExistAssetPrimaryKeyRelatedField(
-        queryset=Asset.objects, required=True, label=_("Asset"), allow_null=True
+    asset = CharPrimaryKeyRelatedField(
+        queryset=Asset.objects, required=False, label=_("Asset"), allow_null=True
     )
     path = serializers.CharField(
         max_length=128, label=_('Application path'), allow_null=True
     )
 
-    def validate_asset(self, asset):
-        if not asset:
-            raise serializers.ValidationError(_('This field is required.'))
-        return asset
-
     @staticmethod
     def get_asset_info(obj):
         asset_id = obj.get('asset')

apps/applications/serializers/attrs/attrs.py

@@ -14,9 +14,9 @@ __all__ = [
 # ---------------------------------------------------
 
 category_serializer_classes_mapping = {
-    const.AppCategory.db.value: application_category.DBSerializer,
-    const.AppCategory.remote_app.value: application_category.RemoteAppSerializer,
-    const.AppCategory.cloud.value: application_category.CloudSerializer,
+    const.ApplicationCategoryChoices.db.value: application_category.DBSerializer,
+    const.ApplicationCategoryChoices.remote_app.value: application_category.RemoteAppSerializer,
+    const.ApplicationCategoryChoices.cloud.value: application_category.CloudSerializer,
 }
 
 # define `attrs` field `type serializers mapping`
@@ -24,17 +24,17 @@ category_serializer_classes_mapping = {
 
 type_serializer_classes_mapping = {
     # db
-    const.AppType.mysql.value: application_type.MySQLSerializer,
-    const.AppType.mariadb.value: application_type.MariaDBSerializer,
-    const.AppType.oracle.value: application_type.OracleSerializer,
-    const.AppType.pgsql.value: application_type.PostgreSerializer,
+    const.ApplicationTypeChoices.mysql.value: application_type.MySQLSerializer,
+    const.ApplicationTypeChoices.mariadb.value: application_type.MariaDBSerializer,
+    const.ApplicationTypeChoices.oracle.value: application_type.OracleSerializer,
+    const.ApplicationTypeChoices.pgsql.value: application_type.PostgreSerializer,
     # remote-app
-    const.AppType.chrome.value: application_type.ChromeSerializer,
-    const.AppType.mysql_workbench.value: application_type.MySQLWorkbenchSerializer,
-    const.AppType.vmware_client.value: application_type.VMwareClientSerializer,
-    const.AppType.custom.value: application_type.CustomSerializer,
+    const.ApplicationTypeChoices.chrome.value: application_type.ChromeSerializer,
+    const.ApplicationTypeChoices.mysql_workbench.value: application_type.MySQLWorkbenchSerializer,
+    const.ApplicationTypeChoices.vmware_client.value: application_type.VMwareClientSerializer,
+    const.ApplicationTypeChoices.custom.value: application_type.CustomSerializer,
     # cloud
-    const.AppType.k8s.value: application_type.K8SSerializer
+    const.ApplicationTypeChoices.k8s.value: application_type.K8SSerializer
 }
 
 

apps/applications/urls/api_urls.py

@@ -10,14 +10,12 @@ app_name = 'applications'
 
 router = BulkRouter()
 router.register(r'applications', api.ApplicationViewSet, 'application')
-router.register(r'accounts', api.ApplicationAccountViewSet, 'application-account')
-router.register(r'account-secrets', api.ApplicationAccountSecretViewSet, 'application-account-secret')
 
 
 urlpatterns = [
     path('remote-apps/<uuid:pk>/connection-info/', api.RemoteAppConnectionInfoApi.as_view(), name='remote-app-connection-info'),
-    # path('accounts/', api.ApplicationAccountViewSet.as_view(), name='application-account'),
-    # path('account-secrets/', api.ApplicationAccountSecretViewSet.as_view(), name='application-account-secret')
+    path('application-users/', api.ApplicationUserListApi.as_view(), name='application-user'),
+    path('application-user-auth-infos/', api.ApplicationUserAuthInfoListApi.as_view(), name='application-user-auth-info')
 ]
 
 

apps/assets/api/accounts.py

@@ -1,15 +1,15 @@
 from django.db.models import F, Q
+from django.conf import settings
 from rest_framework.decorators import action
 from django_filters import rest_framework as filters
 from rest_framework.response import Response
-from django.shortcuts import get_object_or_404
 from rest_framework.generics import CreateAPIView
 
 from orgs.mixins.api import OrgBulkModelViewSet
 from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, NeedMFAVerify
 from common.drf.filters import BaseFilterSet
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
-from ..models import AuthBook, Node
+from ..models import AuthBook
 from .. import serializers
 
 __all__ = ['AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
@@ -19,13 +19,11 @@ class AccountFilterSet(BaseFilterSet):
     username = filters.CharFilter(method='do_nothing')
     ip = filters.CharFilter(field_name='ip', lookup_expr='exact')
     hostname = filters.CharFilter(field_name='hostname', lookup_expr='exact')
-    node = filters.CharFilter(method='do_nothing')
 
     @property
     def qs(self):
         qs = super().qs
         qs = self.filter_username(qs)
-        qs = self.filter_node(qs)
         return qs
 
     def filter_username(self, qs):
@@ -35,16 +33,6 @@ class AccountFilterSet(BaseFilterSet):
         qs = qs.filter(Q(username=username) | Q(systemuser__username=username)).distinct()
         return qs
 
-    def filter_node(self, qs):
-        node_id = self.get_query_param('node')
-        if not node_id:
-            return qs
-        node = get_object_or_404(Node, pk=node_id)
-        node_ids = node.get_all_children(with_self=True).values_list('id', flat=True)
-        node_ids = list(node_ids)
-        qs = qs.filter(asset__nodes__in=node_ids)
-        return qs
-
     class Meta:
         model = AuthBook
         fields = [
@@ -64,8 +52,8 @@ class AccountViewSet(OrgBulkModelViewSet):
     permission_classes = (IsOrgAdmin,)
 
     def get_queryset(self):
-        queryset = super().get_queryset() \
-            .annotate(ip=F('asset__ip')) \
+        queryset = super().get_queryset()\
+            .annotate(ip=F('asset__ip'))\
             .annotate(hostname=F('asset__hostname'))
         return queryset
 
@@ -86,6 +74,11 @@ class AccountSecretsViewSet(AccountViewSet):
     permission_classes = (IsOrgAdmin, NeedMFAVerify)
     http_method_names = ['get']
 
+    def get_permissions(self):
+        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
+            self.permission_classes = [IsOrgAdminOrAppUser]
+        return super().get_permissions()
+
 
 class AccountTaskCreateAPI(CreateAPIView):
     permission_classes = (IsOrgAdminOrAppUser,)
@@ -110,5 +103,4 @@ class AccountTaskCreateAPI(CreateAPIView):
     def get_exception_handler(self):
         def handler(e, context):
             return Response({"error": str(e)}, status=400)
-
         return handler

apps/assets/api/admin_user.py

@@ -21,8 +21,6 @@ class AdminUserViewSet(OrgBulkModelViewSet):
     search_fields = filterset_fields
     serializer_class = serializers.AdminUserSerializer
     permission_classes = (IsOrgAdmin,)
-    ordering_fields = ('name',)
-    ordering = ('name', )
 
     def get_queryset(self):
         queryset = super().get_queryset().filter(type=SystemUser.Type.admin)

apps/assets/api/asset.py

@@ -2,40 +2,30 @@
 #
 from assets.api import FilterAssetByNodeMixin
 from rest_framework.viewsets import ModelViewSet
-from rest_framework.generics import RetrieveAPIView, ListAPIView
+from rest_framework.generics import RetrieveAPIView
 from django.shortcuts import get_object_or_404
-from django.db.models import Q
 
 from common.utils import get_logger, get_object_or_none
 from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsSuperUser
-from common.mixins.api import SuggestionMixin
-from users.models import User, UserGroup
-from users.serializers import UserSerializer, UserGroupSerializer
-from users.filters import UserFilter
-from perms.models import AssetPermission
-from perms.serializers import AssetPermissionSerializer
-from perms.filters import AssetPermissionFilter
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
 from ..models import Asset, Node, Platform
 from .. import serializers
 from ..tasks import (
-    update_assets_hardware_info_manual, test_assets_connectivity_manual,
-    test_system_users_connectivity_a_asset, push_system_users_a_asset
+    update_assets_hardware_info_manual, test_assets_connectivity_manual
 )
 from ..filters import FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend
 
+
 logger = get_logger(__file__)
 __all__ = [
     'AssetViewSet', 'AssetPlatformRetrieveApi',
     'AssetGatewayListApi', 'AssetPlatformViewSet',
     'AssetTaskCreateApi', 'AssetsTaskCreateApi',
-    'AssetPermUserListApi', 'AssetPermUserPermissionsListApi',
-    'AssetPermUserGroupListApi', 'AssetPermUserGroupPermissionsListApi',
 ]
 
 
-class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet):
+class AssetViewSet(FilterAssetByNodeMixin, OrgBulkModelViewSet):
     """
     API endpoint that allows Asset to be viewed or edited.
     """
@@ -50,10 +40,8 @@ class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet)
     }
     search_fields = ("hostname", "ip")
     ordering_fields = ("hostname", "ip", "port", "cpu_cores")
-    ordering = ('hostname', )
     serializer_classes = {
         'default': serializers.AssetSerializer,
-        'suggestion': serializers.MiniAssetSerializer
     }
     permission_classes = (IsOrgAdminOrAppUser,)
     extra_filter_backends = [FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend]
@@ -106,27 +94,21 @@ class AssetPlatformViewSet(ModelViewSet):
 
 
 class AssetsTaskMixin:
-
     def perform_assets_task(self, serializer):
         data = serializer.validated_data
+        assets = data['assets']
         action = data['action']
-        assets = data.get('assets', [])
         if action == "refresh":
             task = update_assets_hardware_info_manual.delay(assets)
         else:
-            # action == 'test':
             task = test_assets_connectivity_manual.delay(assets)
-        return task
-
-    def perform_create(self, serializer):
-        task = self.perform_assets_task(serializer)
-        self.set_task_to_serializer_data(serializer, task)
-
-    def set_task_to_serializer_data(self, serializer, task):
         data = getattr(serializer, '_data', {})
         data["task"] = task.id
         setattr(serializer, '_data', data)
 
+    def perform_create(self, serializer):
+        self.perform_assets_task(serializer)
+
 
 class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
     model = Asset
@@ -135,37 +117,13 @@ class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
 
     def create(self, request, *args, **kwargs):
         pk = self.kwargs.get('pk')
-        request.data['asset'] = pk
         request.data['assets'] = [pk]
         return super().create(request, *args, **kwargs)
 
-    def perform_asset_task(self, serializer):
-        data = serializer.validated_data
-        action = data['action']
-        if action not in ['push_system_user', 'test_system_user']:
-            return
-        asset = data['asset']
-        system_users = data.get('system_users')
-        if not system_users:
-            system_users = asset.get_all_systemusers()
-        if action == 'push_system_user':
-            task = push_system_users_a_asset.delay(system_users, asset=asset)
-        elif action == 'test_system_user':
-            task = test_system_users_connectivity_a_asset.delay(system_users, asset=asset)
-        else:
-            task = None
-        return task
-
-    def perform_create(self, serializer):
-        task = self.perform_asset_task(serializer)
-        if not task:
-            task = self.perform_assets_task(serializer)
-        self.set_task_to_serializer_data(serializer, task)
-
 
 class AssetsTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
     model = Asset
-    serializer_class = serializers.AssetsTaskSerializer
+    serializer_class = serializers.AssetTaskSerializer
     permission_classes = (IsOrgAdmin,)
 
 
@@ -180,102 +138,3 @@ class AssetGatewayListApi(generics.ListAPIView):
             return []
         queryset = asset.domain.gateways.filter(protocol='ssh')
         return queryset
-
-
-class BaseAssetPermUserOrUserGroupListApi(ListAPIView):
-    permission_classes = (IsOrgAdmin,)
-
-    def get_object(self):
-        asset_id = self.kwargs.get('pk')
-        asset = get_object_or_404(Asset, pk=asset_id)
-        return asset
-
-    def get_asset_related_perms(self):
-        asset = self.get_object()
-        nodes = asset.get_all_nodes(flat=True)
-        perms = AssetPermission.objects.filter(Q(assets=asset) | Q(nodes__in=nodes))
-        return perms
-
-
-class AssetPermUserListApi(BaseAssetPermUserOrUserGroupListApi):
-    filterset_class = UserFilter
-    search_fields = ('username', 'email', 'name', 'id', 'source', 'role')
-    serializer_class = UserSerializer
-
-    def get_queryset(self):
-        perms = self.get_asset_related_perms()
-        users = User.objects.filter(
-            Q(assetpermissions__in=perms) | Q(groups__assetpermissions__in=perms)
-        ).distinct()
-        return users
-
-
-class AssetPermUserGroupListApi(BaseAssetPermUserOrUserGroupListApi):
-    serializer_class = UserGroupSerializer
-
-    def get_queryset(self):
-        perms = self.get_asset_related_perms()
-        user_groups = UserGroup.objects.filter(assetpermissions__in=perms).distinct()
-        return user_groups
-
-
-class BaseAssetPermUserOrUserGroupPermissionsListApiMixin(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
-    model = AssetPermission
-    serializer_class = AssetPermissionSerializer
-    filterset_class = AssetPermissionFilter
-    search_fields = ('name',)
-
-    def get_object(self):
-        asset_id = self.kwargs.get('pk')
-        asset = get_object_or_404(Asset, pk=asset_id)
-        return asset
-
-    def filter_asset_related(self, queryset):
-        asset = self.get_object()
-        nodes = asset.get_all_nodes(flat=True)
-        perms = queryset.filter(Q(assets=asset) | Q(nodes__in=nodes))
-        return perms
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = self.filter_asset_related(queryset)
-        return queryset
-
-
-class AssetPermUserPermissionsListApi(BaseAssetPermUserOrUserGroupPermissionsListApiMixin):
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = self.filter_user_related(queryset)
-        queryset = queryset.distinct()
-        return queryset
-
-    def filter_user_related(self, queryset):
-        user = self.get_perm_user()
-        user_groups = user.groups.all()
-        perms = queryset.filter(Q(users=user) | Q(user_groups__in=user_groups))
-        return perms
-
-    def get_perm_user(self):
-        user_id = self.kwargs.get('perm_user_id')
-        user = get_object_or_404(User, pk=user_id)
-        return user
-
-
-class AssetPermUserGroupPermissionsListApi(BaseAssetPermUserOrUserGroupPermissionsListApiMixin):
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = self.filter_user_group_related(queryset)
-        queryset = queryset.distinct()
-        return queryset
-
-    def filter_user_group_related(self, queryset):
-        user_group = self.get_perm_user_group()
-        perms = queryset.filter(user_groups=user_group)
-        return perms
-
-    def get_perm_user_group(self):
-        user_group_id = self.kwargs.get('perm_user_group_id')
-        user_group = get_object_or_404(UserGroup, pk=user_group_id)
-        return user_group
-

apps/assets/api/cmd_filter.py

@@ -13,6 +13,7 @@ from ..hands import IsOrgAdmin, IsAppUser
 from ..models import CommandFilter, CommandFilterRule
 from .. import serializers
 
+
 __all__ = [
     'CommandFilterViewSet', 'CommandFilterRuleViewSet', 'CommandConfirmAPI',
     'CommandConfirmStatusAPI'
@@ -43,7 +44,7 @@ class CommandFilterRuleViewSet(OrgBulkModelViewSet):
 
 
 class CommandConfirmAPI(CreateAPIView):
-    permission_classes = (IsAppUser,)
+    permission_classes = (IsAppUser, )
     serializer_class = serializers.CommandConfirmSerializer
 
     def create(self, request, *args, **kwargs):
@@ -72,12 +73,11 @@ class CommandConfirmAPI(CreateAPIView):
             external=True, api_to_ui=True
         )
         ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
         return {
             'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
             'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
             'ticket_detail_url': ticket_detail_url,
-            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees]
+            'reviewers': [str(user) for user in ticket.assignees.all()]
         }
 
     @lazyproperty
@@ -89,3 +89,4 @@ class CommandConfirmAPI(CreateAPIView):
 
 class CommandConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
     pass
+

apps/assets/api/domain.py

@@ -22,8 +22,6 @@ class DomainViewSet(OrgBulkModelViewSet):
     search_fields = filterset_fields
     permission_classes = (IsOrgAdminOrAppUser,)
     serializer_class = serializers.DomainSerializer
-    ordering_fields = ('name',)
-    ordering = ('name', )
 
     def get_serializer_class(self):
         if self.request.query_params.get('gateway'):
@@ -35,7 +33,7 @@ class GatewayViewSet(OrgBulkModelViewSet):
     model = Gateway
     filterset_fields = ("domain__name", "name", "username", "ip", "domain")
     search_fields = ("domain__name", "name", "username", "ip")
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = (IsOrgAdmin,)
     serializer_class = serializers.GatewaySerializer
 
 

apps/assets/api/mixin.py

@@ -26,7 +26,7 @@ class SerializeToTreeNodeMixin:
                 'isParent': True,
                 'open': node.is_org_root(),
                 'meta': {
-                    'data': {
+                    'node': {
                         "id": node.id,
                         "key": node.key,
                         "value": node.value,
@@ -65,7 +65,7 @@ class SerializeToTreeNodeMixin:
                 'chkDisabled': not asset.is_active,
                 'meta': {
                     'type': 'asset',
-                    'data': {
+                    'asset': {
                         'id': asset.id,
                         'hostname': asset.hostname,
                         'ip': asset.ip,

apps/assets/api/system_user.py

@@ -6,7 +6,6 @@ from common.utils import get_logger
 from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
-from common.mixins.api import SuggestionMixin
 from orgs.utils import tmp_to_root_org
 from ..models import SystemUser, Asset
 from .. import serializers
@@ -16,6 +15,7 @@ from ..tasks import (
     push_system_user_to_assets
 )
 
+
 logger = get_logger(__file__)
 __all__ = [
     'SystemUserViewSet', 'SystemUserAuthInfoApi', 'SystemUserAssetAuthInfoApi',
@@ -24,7 +24,7 @@ __all__ = [
 ]
 
 
-class SystemUserViewSet(SuggestionMixin, OrgBulkModelViewSet):
+class SystemUserViewSet(OrgBulkModelViewSet):
     """
     System user api set, for add,delete,update,list,retrieve resource
     """
@@ -39,10 +39,7 @@ class SystemUserViewSet(SuggestionMixin, OrgBulkModelViewSet):
     serializer_class = serializers.SystemUserSerializer
     serializer_classes = {
         'default': serializers.SystemUserSerializer,
-        'suggestion': serializers.MiniSystemUserSerializer
     }
-    ordering_fields = ('name', 'protocol', 'login_mode')
-    ordering = ('name', )
     permission_classes = (IsOrgAdminOrAppUser,)
 
 
@@ -75,7 +72,7 @@ class SystemUserTempAuthInfoApi(generics.CreateAPIView):
 
         with tmp_to_root_org():
             instance = get_object_or_404(SystemUser, pk=pk)
-            instance.set_temp_auth(instance_id, user.id, data)
+            instance.set_temp_auth(instance_id, user, data)
         return Response(serializer.data, status=201)
 
 
@@ -92,7 +89,7 @@ class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
         asset_id = self.kwargs.get('asset_id')
         user_id = self.request.query_params.get("user_id")
         username = self.request.query_params.get("username")
-        instance.load_asset_more_auth(asset_id, username, user_id)
+        instance.load_asset_more_auth(asset_id=asset_id, user_id=user_id, username=username)
         return instance
 
 
@@ -108,7 +105,8 @@ class SystemUserAppAuthInfoApi(generics.RetrieveAPIView):
         instance = super().get_object()
         app_id = self.kwargs.get('app_id')
         user_id = self.request.query_params.get("user_id")
-        instance.load_app_more_auth(app_id, user_id)
+        if user_id:
+            instance.load_app_more_auth(app_id, user_id)
         return instance
 
 

apps/assets/api/system_user_relation.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 from collections import defaultdict
-from django.db.models import F, Value, Model
+from django.db.models import F, Value
 from django.db.models.signals import m2m_changed
 from django.db.models.functions import Concat
 
@@ -13,15 +13,13 @@ from .. import models, serializers
 
 __all__ = [
     'SystemUserAssetRelationViewSet', 'SystemUserNodeRelationViewSet',
-    'SystemUserUserRelationViewSet', 'BaseRelationViewSet',
+    'SystemUserUserRelationViewSet',
 ]
 
 logger = get_logger(__name__)
 
 
 class RelationMixin:
-    model: Model
-
     def get_queryset(self):
         queryset = self.model.objects.all()
         if not current_org.is_root():

apps/assets/migrations/0071_systemuser_type.py

@@ -1,8 +1,7 @@
 # Generated by Django 3.1.6 on 2021-06-04 16:46
-import uuid
+
 from django.db import migrations, models, transaction
 import django.db.models.deletion
-from django.db import IntegrityError
 from django.db.models import F
 
 
@@ -16,7 +15,7 @@ def migrate_admin_user_to_system_user(apps, schema_editor):
     for admin_user in admin_users:
         kwargs = {}
         for attr in [
-            'org_id', 'username', 'password', 'private_key', 'public_key',
+            'id', 'org_id', 'username', 'password', 'private_key', 'public_key',
             'comment', 'date_created', 'date_updated', 'created_by',
         ]:
             value = getattr(admin_user, attr)
@@ -28,16 +27,7 @@ def migrate_admin_user_to_system_user(apps, schema_editor):
         ).exists()
         if exist:
             name = admin_user.name + '_' + str(admin_user.id)[:5]
-
-        i = admin_user.id
-        exist = system_user_model.objects.using(db_alias).filter(
-            id=i, org_id=admin_user.org_id
-        ).exists()
-        if exist:
-            i = uuid.uuid4()
-
         kwargs.update({
-            'id': i,
             'name': name,
             'type': 'admin',
             'protocol': 'ssh',
@@ -46,11 +36,7 @@ def migrate_admin_user_to_system_user(apps, schema_editor):
 
         with transaction.atomic():
             s = system_user_model(**kwargs)
-            try:
-                s.save()
-            except IntegrityError:
-                s.id = None
-                s.save()
+            s.save()
             print("  Migrate admin user to system user: {} => {}".format(admin_user.name, s.name))
             assets = admin_user.assets.all()
             s.assets.set(assets)

apps/assets/migrations/0072_historicalauthbook.py

@@ -18,7 +18,7 @@ def migrate_old_authbook_to_history(apps, schema_editor):
 
     print()
     while True:
-        authbooks = authbook_model.objects.using(db_alias).filter(is_latest=False)[:1000]
+        authbooks = authbook_model.objects.using(db_alias).filter(is_latest=False)[:20]
         if not authbooks:
             break
         historys = []

apps/assets/migrations/0073_auto_20210606_1142.py

@@ -15,7 +15,7 @@ def migrate_system_assets_to_authbook(apps, schema_editor):
     system_users = system_user_model.objects.all()
     for s in system_users:
         while True:
-            systemuser_asset_relations = system_user_asset_model.objects.filter(systemuser=s)[:1000]
+            systemuser_asset_relations = system_user_asset_model.objects.filter(systemuser=s)[:20]
             if not systemuser_asset_relations:
                 break
             authbooks = []

apps/assets/migrations/0077_auto_20211012_1642.py

@@ -1,24 +0,0 @@
-# Generated by Django 3.1.12 on 2021-10-12 08:42
-
-from django.db import migrations
-
-
-def migrate_platform_win2016(apps, schema_editor):
-    platform_model = apps.get_model("assets", "Platform")
-    win2016 = platform_model.objects.filter(name='Windows2016').first()
-    if not win2016:
-        print("Error: Not found Windows2016 platform")
-        return
-    win2016.meta = {"security": "any"}
-    win2016.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0076_delete_assetuser'),
-    ]
-
-    operations = [
-        migrations.RunPython(migrate_platform_win2016)
-    ]

apps/assets/migrations/0078_auto_20211014_2209.py

@@ -1,38 +0,0 @@
-# Generated by Django 3.1.13 on 2021-10-14 14:09
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0077_auto_20211012_1642'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='adminuser',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='authbook',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='gateway',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='historicalauthbook',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='username',
-            field=models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username'),
-        ),
-    ]

apps/assets/models/asset.py

@@ -333,7 +333,7 @@ class Asset(AbsConnectivity, ProtocolsMixin, NodesRelationMixin, OrgModelMixin):
             'iconSkin': icon_skin,
             'meta': {
                 'type': 'asset',
-                'data': {
+                'asset': {
                     'id': self.id,
                     'hostname': self.hostname,
                     'ip': self.ip,
@@ -345,13 +345,6 @@ class Asset(AbsConnectivity, ProtocolsMixin, NodesRelationMixin, OrgModelMixin):
         tree_node = TreeNode(**data)
         return tree_node
 
-    def get_all_systemusers(self):
-        from .user import SystemUser
-        system_user_ids = SystemUser.assets.through.objects.filter(asset=self)\
-            .values_list('systemuser_id', flat=True)
-        system_users = SystemUser.objects.filter(id__in=system_user_ids)
-        return system_users
-
     class Meta:
         unique_together = [('org_id', 'hostname')]
         verbose_name = _("Asset")

apps/assets/models/authbook.py

@@ -5,12 +5,9 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from simple_history.models import HistoricalRecords
 
-from common.utils import lazyproperty, get_logger
+from common.utils import lazyproperty
 from .base import BaseUser, AbsConnectivity
 
-logger = get_logger(__name__)
-
-
 __all__ = ['AuthBook']
 
 
@@ -19,6 +16,7 @@ class AuthBook(BaseUser, AbsConnectivity):
     systemuser = models.ForeignKey('assets.SystemUser', on_delete=models.CASCADE, null=True, verbose_name=_("System user"))
     version = models.IntegerField(default=1, verbose_name=_('Version'))
     history = HistoricalRecords()
+    _systemuser_display = ''
 
     auth_attrs = ['username', 'password', 'private_key', 'public_key']
 
@@ -66,6 +64,8 @@ class AuthBook(BaseUser, AbsConnectivity):
 
     @lazyproperty
     def systemuser_display(self):
+        if self._systemuser_display:
+            return self._systemuser_display
         if not self.systemuser:
             return ''
         return str(self.systemuser)
@@ -94,27 +94,7 @@ class AuthBook(BaseUser, AbsConnectivity):
             i.private_key = self.private_key
             i.public_key = self.public_key
             i.comment = 'Update triggered by account {}'.format(self.id)
-
-        # 不触发post_save信号
-        self.__class__.objects.bulk_update(matched, fields=['password', 'private_key', 'public_key'])
-
-    def remove_asset_admin_user_if_need(self):
-        if not self.asset or not self.systemuser:
-            return
-        if not self.systemuser.is_admin_user or self.asset.admin_user != self.systemuser:
-            return
-        self.asset.admin_user = None
-        self.asset.save()
-        logger.debug('Remove asset admin user: {} {}'.format(self.asset, self.systemuser))
-
-    def update_asset_admin_user_if_need(self):
-        if not self.asset or not self.systemuser:
-            return
-        if not self.systemuser.is_admin_user or self.asset.admin_user == self.systemuser:
-            return
-        self.asset.admin_user = self.systemuser
-        self.asset.save()
-        logger.debug('Update asset admin user: {} {}'.format(self.asset, self.systemuser))
+            i.save(update_fields=['password', 'private_key', 'public_key'])
 
     def __str__(self):
         return self.smart_name

apps/assets/models/base.py

@@ -173,7 +173,7 @@ class AuthMixin:
 class BaseUser(OrgModelMixin, AuthMixin):
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)
     name = models.CharField(max_length=128, verbose_name=_('Name'))
-    username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), db_index=True)
+    username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), validators=[alphanumeric], db_index=True)
     password = fields.EncryptCharField(max_length=256, blank=True, null=True, verbose_name=_('Password'))
     private_key = fields.EncryptTextField(blank=True, null=True, verbose_name=_('SSH private key'))
     public_key = fields.EncryptTextField(blank=True, null=True, verbose_name=_('SSH public key'))
@@ -185,18 +185,10 @@ class BaseUser(OrgModelMixin, AuthMixin):
     ASSETS_AMOUNT_CACHE_KEY = "ASSET_USER_{}_ASSETS_AMOUNT"
     ASSET_USER_CACHE_TIME = 600
 
-    APPS_AMOUNT_CACHE_KEY = "APP_USER_{}_APPS_AMOUNT"
-    APP_USER_CACHE_TIME = 600
-
     def get_related_assets(self):
         assets = self.assets.filter(org_id=self.org_id)
         return assets
 
-    def get_related_apps(self):
-        from applications.models import Account
-        apps = Account.objects.filter(systemuser=self)
-        return apps
-
     def get_username(self):
         return self.username
 
@@ -209,15 +201,6 @@ class BaseUser(OrgModelMixin, AuthMixin):
             cache.set(cache_key, cached, self.ASSET_USER_CACHE_TIME)
         return cached
 
-    @property
-    def apps_amount(self):
-        cache_key = self.APPS_AMOUNT_CACHE_KEY.format(self.id)
-        cached = cache.get(cache_key)
-        if not cached:
-            cached = self.get_related_apps().count()
-            cache.set(cache_key, cached, self.APP_USER_CACHE_TIME)
-        return cached
-
     def expire_assets_amount(self):
         cache_key = self.ASSETS_AMOUNT_CACHE_KEY.format(self.id)
         cache.delete(cache_key)

apps/assets/models/cmd_filter.py

@@ -105,11 +105,11 @@ class CommandFilterRule(OrgModelMixin):
         return '{} % {}'.format(self.type, self.content)
 
     def create_command_confirm_ticket(self, run_command, session, cmd_filter_rule, org_id):
-        from tickets.const import TicketType
+        from tickets.const import TicketTypeChoices
         from tickets.models import Ticket
         data = {
             'title': _('Command confirm') + ' ({})'.format(session.user),
-            'type': TicketType.command_confirm,
+            'type': TicketTypeChoices.command_confirm,
             'meta': {
                 'apply_run_user': session.user,
                 'apply_run_asset': session.asset,
@@ -122,6 +122,6 @@ class CommandFilterRule(OrgModelMixin):
             'org_id': org_id,
         }
         ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(self.reviewers.all())
+        ticket.assignees.set(self.reviewers.all())
         ticket.open(applicant=session.user_obj)
         return ticket

apps/assets/models/domain.py

@@ -3,19 +3,16 @@
 import socket
 import uuid
 import random
+import re
 
-from django.core.cache import cache
 import paramiko
 from django.db import models
 from django.db.models import TextChoices
 from django.utils.translation import ugettext_lazy as _
 
-from common.utils import get_logger
 from orgs.mixins.models import OrgModelMixin
 from .base import BaseUser
 
-logger = get_logger(__file__)
-
 __all__ = ['Domain', 'Gateway']
 
 
@@ -42,19 +39,10 @@ class Domain(OrgModelMixin):
         return self.gateway_set.filter(is_active=True)
 
     def random_gateway(self):
-        gateways = [gw for gw in self.gateways if gw.is_connective]
-        if gateways:
-            return random.choice(gateways)
-        else:
-            logger.warn(f'Gateway all bad. domain={self}, gateway_num={len(self.gateways)}.')
-            return random.choice(self.gateways)
+        return random.choice(self.gateways)
 
 
 class Gateway(BaseUser):
-    UNCONNECTIVE_KEY_TMPL = 'asset_unconnective_gateway_{}'
-    UNCONNECTIVE_SILENCE_PERIOD_KEY_TMPL = 'asset_unconnective_gateway_silence_period_{}'
-    UNCONNECTIVE_SILENCE_PERIOD_BEGIN_VALUE = 60 * 5
-
     class Protocol(TextChoices):
         ssh = 'ssh', 'SSH'
 
@@ -72,37 +60,6 @@ class Gateway(BaseUser):
         unique_together = [('name', 'org_id')]
         verbose_name = _("Gateway")
 
-    def set_unconnective(self):
-        unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id)
-        unconnective_silence_period_key = self.UNCONNECTIVE_SILENCE_PERIOD_KEY_TMPL.format(self.id)
-
-        unconnective_silence_period = cache.get(unconnective_silence_period_key,
-                                                self.UNCONNECTIVE_SILENCE_PERIOD_BEGIN_VALUE)
-        cache.set(unconnective_silence_period_key, unconnective_silence_period * 2)
-        cache.set(unconnective_key, unconnective_silence_period, unconnective_silence_period)
-
-    def set_connective(self):
-        unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id)
-        unconnective_silence_period_key = self.UNCONNECTIVE_SILENCE_PERIOD_KEY_TMPL.format(self.id)
-
-        cache.delete(unconnective_key)
-        cache.delete(unconnective_silence_period_key)
-
-    def get_is_unconnective(self):
-        unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id)
-        return cache.get(unconnective_key, False)
-
-    @property
-    def is_connective(self):
-        return not self.get_is_unconnective()
-
-    @is_connective.setter
-    def is_connective(self, value):
-        if value:
-            self.set_connective()
-        else:
-            self.set_unconnective()
-
     def test_connective(self, local_port=None):
         if local_port is None:
             local_port = self.port
@@ -120,19 +77,9 @@ class Gateway(BaseUser):
         except(paramiko.AuthenticationException,
                paramiko.BadAuthenticationType,
                paramiko.SSHException,
-               paramiko.ChannelException,
                paramiko.ssh_exception.NoValidConnectionsError,
                socket.gaierror) as e:
-            err = str(e)
-            if err.startswith('[Errno None] Unable to connect to port'):
-                err = _('Unable to connect to port {port} on {ip}')
-                err = err.format(port=self.port, ip=self.ip)
-            elif err == 'Authentication failed.':
-                err = _('Authentication failed')
-            elif err == 'Connect failed':
-                err = _('Connect failed')
-            self.is_connective = False
-            return False, err
+            return False, str(e)
 
         try:
             sock = proxy.get_transport().open_channel(
@@ -144,18 +91,9 @@ class Gateway(BaseUser):
                            key_filename=self.private_key_file,
                            sock=sock,
                            timeout=5)
-        except (paramiko.SSHException,
-                paramiko.ssh_exception.SSHException,
-                paramiko.ChannelException,
-                paramiko.AuthenticationException,
-                TimeoutError) as e:
-
-            err = getattr(e, 'text', str(e))
-            if err == 'Connect failed':
-                err = _('Connect failed')
-            self.is_connective = False
-            return False, err
+        except (paramiko.SSHException, paramiko.ssh_exception.SSHException,
+                paramiko.AuthenticationException, TimeoutError) as e:
+            return False, str(e)
         finally:
             client.close()
-        self.is_connective = True
         return True, None

apps/assets/models/node.py

@@ -608,7 +608,7 @@ class Node(OrgModelMixin, SomeNodesMixin, FamilyMixin, NodeAssetsMixin):
             'isParent': True,
             'open': self.is_org_root(),
             'meta': {
-                'data': {
+                'node': {
                     "id": self.id,
                     "name": self.name,
                     "value": self.value,

apps/assets/models/user.py

@@ -60,10 +60,10 @@ class ProtocolMixin:
 
     @classmethod
     def get_protocol_by_application_type(cls, app_type):
-        from applications.const import AppType
+        from applications.const import ApplicationTypeChoices
         if app_type in cls.APPLICATION_CATEGORY_PROTOCOLS:
             protocol = app_type
-        elif app_type in AppType.remote_app_types():
+        elif app_type in ApplicationTypeChoices.remote_app_types():
             protocol = cls.Protocol.rdp
         else:
             protocol = None
@@ -73,10 +73,6 @@ class ProtocolMixin:
     def can_perm_to_asset(self):
         return self.protocol in self.ASSET_CATEGORY_PROTOCOLS
 
-    @property
-    def is_asset_protocol(self):
-        return self.protocol in self.ASSET_CATEGORY_PROTOCOLS
-
 
 class AuthMixin:
     username_same_with_user: bool
@@ -103,23 +99,16 @@ class AuthMixin:
         password = cache.get(key)
         return password
 
-    def _clean_auth_info_if_manual_login_mode(self):
-        if self.login_mode == self.LOGIN_MANUAL:
-            self.password = ''
-            self.private_key = ''
-            self.public_key = ''
+    def load_tmp_auth_if_has(self, asset_or_app_id, user):
+        if not asset_or_app_id or not user:
+            return
 
-    def _load_tmp_auth_if_has(self, asset_or_app_id, user_id):
         if self.login_mode != self.LOGIN_MANUAL:
             return
 
-        if not asset_or_app_id or not user_id:
-            return
-
-        auth = self.get_temp_auth(asset_or_app_id, user_id)
+        auth = self.get_temp_auth(asset_or_app_id, user)
         if not auth:
             return
-
         username = auth.get('username')
         password = auth.get('password')
 
@@ -129,11 +118,17 @@ class AuthMixin:
             self.password = password
 
     def load_app_more_auth(self, app_id=None, user_id=None):
-        self._clean_auth_info_if_manual_login_mode()
-        # 加载临时认证信息
+        from users.models import User
+
         if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(app_id, user_id)
+            self.password = ''
+            self.private_key = ''
+        if not user_id:
             return
+        user = get_object_or_none(User, pk=user_id)
+        if not user:
+            return
+        self.load_tmp_auth_if_has(app_id, user)
 
     def load_asset_special_auth(self, asset, username=''):
         """
@@ -153,25 +148,34 @@ class AuthMixin:
 
     def load_asset_more_auth(self, asset_id=None, username=None, user_id=None):
         from users.models import User
-        self._clean_auth_info_if_manual_login_mode()
-        # 加载临时认证信息
+
         if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(asset_id, user_id)
+            self.password = ''
+            self.private_key = ''
+
+        asset = None
+        if asset_id:
+            asset = get_object_or_none(Asset, pk=asset_id)
+        # 没有资产就没有必要继续了
+        if not asset:
+            logger.debug('Asset not found, pass')
             return
-        # 更新用户名
-        user = get_object_or_none(User, pk=user_id) if user_id else None
+
+        user = None
+        if user_id:
+            user = get_object_or_none(User, pk=user_id)
+
+        _username = self.username
         if self.username_same_with_user:
             if user and not username:
                 _username = user.username
             else:
                 _username = username
             self.username = _username
+
         # 加载某个资产的特殊配置认证信息
-        asset = get_object_or_none(Asset, pk=asset_id) if asset_id else None
-        if not asset:
-            logger.debug('Asset not found, pass')
-            return
-        self.load_asset_special_auth(asset, self.username)
+        self.load_asset_special_auth(asset, _username)
+        self.load_tmp_auth_if_has(asset_id, user)
 
 
 class SystemUser(ProtocolMixin, AuthMixin, BaseUser):

apps/assets/serializers/account.py

@@ -5,7 +5,6 @@ from assets.models import AuthBook
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 
 from .base import AuthSerializerMixin
-from .utils import validate_password_contains_left_double_curly_bracket
 
 
 class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
@@ -22,13 +21,9 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         fields = fields_small + fields_fk
         extra_kwargs = {
             'username': {'required': True},
-            'password': {
-                'write_only': True,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
+            'password': {'write_only': True},
             'private_key': {'write_only': True},
             'public_key': {'write_only': True},
-            'systemuser_display': {'label': _('System user display')}
         }
         ref_name = 'AssetAccountSerializer'
 
@@ -49,7 +44,6 @@ class AccountSecretSerializer(AccountSerializer):
             'password': {'write_only': False},
             'private_key': {'write_only': False},
             'public_key': {'write_only': False},
-            'systemuser_display': {'label': _('System user display')}
         }
 
 

apps/assets/serializers/asset.py

@@ -5,21 +5,19 @@ from django.core.validators import RegexValidator
 from django.utils.translation import ugettext_lazy as _
 
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
-from users.models import User, UserGroup
-from perms.models import AssetPermission
 from ..models import Asset, Node, Platform, SystemUser
 
 __all__ = [
-    'AssetSerializer', 'AssetSimpleSerializer', 'MiniAssetSerializer',
+    'AssetSerializer', 'AssetSimpleSerializer',
     'ProtocolsField', 'PlatformSerializer',
-    'AssetTaskSerializer', 'AssetsTaskSerializer', 'ProtocolsField',
+    'AssetTaskSerializer',
 ]
 
 
 class ProtocolField(serializers.RegexField):
     protocols = '|'.join(dict(Asset.Protocol.choices).keys())
     default_error_messages = {
-        'invalid': _('Protocol format should {}/{}').format(protocols, '1-65535')
+        'invalid': _('Protocol format should {}/{}'.format(protocols, '1-65535'))
     }
     regex = r'^(%s)/(\d{1,5})$' % protocols
 
@@ -71,19 +69,15 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
     """
     资产的数据结构
     """
-
     class Meta:
         model = Asset
-        fields_mini = ['id', 'hostname', 'ip', 'platform', 'protocols']
+        fields_mini = ['id', 'hostname', 'ip']
         fields_small = fields_mini + [
-            'protocol', 'port', 'protocols', 'is_active',
-            'public_ip', 'number', 'comment',
-        ]
-        hardware_fields = [
-            'vendor', 'model', 'sn', 'cpu_model', 'cpu_count',
+            'protocol', 'port', 'protocols', 'is_active', 'public_ip',
+            'number', 'vendor', 'model', 'sn', 'cpu_model', 'cpu_count',
             'cpu_cores', 'cpu_vcpus', 'memory', 'disk_total', 'disk_info',
-            'os', 'os_version', 'os_arch', 'hostname_raw', 'hardware_info',
-            'connectivity', 'date_verified'
+            'os', 'os_version', 'os_arch', 'hostname_raw', 'comment',
+            'hardware_info', 'connectivity', 'date_verified'
         ]
         fields_fk = [
             'domain', 'domain_display', 'platform', 'admin_user', 'admin_user_display'
@@ -94,16 +88,15 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
         read_only_fields = [
             'created_by', 'date_created',
         ]
-        fields = fields_small + hardware_fields + fields_fk + fields_m2m + read_only_fields
+        fields = fields_small + fields_fk + fields_m2m + read_only_fields
 
-        extra_kwargs = {k: {'read_only': True} for k in hardware_fields}
-        extra_kwargs.update({
+        extra_kwargs = {
             'protocol': {'write_only': True},
             'port': {'write_only': True},
-            'hardware_info': {'label': _('Hardware info'), 'read_only': True},
-            'org_name': {'label': _('Org name'), 'read_only': True},
-            'admin_user_display': {'label': _('Admin user display'), 'read_only': True},
-        })
+            'hardware_info': {'label': _('Hardware info')},
+            'org_name': {'label': _('Org name')},
+            'admin_user_display': {'label': _('Admin user display')}
+        }
 
     def get_fields(self):
         fields = super().get_fields()
@@ -164,12 +157,6 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
         return instance
 
 
-class MiniAssetSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Asset
-        fields = AssetSerializer.Meta.fields_mini
-
-
 class PlatformSerializer(serializers.ModelSerializer):
     meta = serializers.DictField(required=False, allow_null=True, label=_('Meta'))
 
@@ -190,12 +177,13 @@ class PlatformSerializer(serializers.ModelSerializer):
 
 
 class AssetSimpleSerializer(serializers.ModelSerializer):
+
     class Meta:
         model = Asset
         fields = ['id', 'hostname', 'ip', 'port', 'connectivity', 'date_verified']
 
 
-class AssetsTaskSerializer(serializers.Serializer):
+class AssetTaskSerializer(serializers.Serializer):
     ACTION_CHOICES = (
         ('refresh', 'refresh'),
         ('test', 'test'),
@@ -205,17 +193,3 @@ class AssetsTaskSerializer(serializers.Serializer):
     assets = serializers.PrimaryKeyRelatedField(
         queryset=Asset.objects, required=False, allow_empty=True, many=True
     )
-
-
-class AssetTaskSerializer(AssetsTaskSerializer):
-    ACTION_CHOICES = tuple(list(AssetsTaskSerializer.ACTION_CHOICES) + [
-        ('push_system_user', 'push_system_user'),
-        ('test_system_user', 'test_system_user')
-    ])
-    action = serializers.ChoiceField(choices=ACTION_CHOICES, write_only=True)
-    asset = serializers.PrimaryKeyRelatedField(
-        queryset=Asset.objects, required=False, allow_empty=True, many=False
-    )
-    system_users = serializers.PrimaryKeyRelatedField(
-        queryset=SystemUser.objects, required=False, allow_empty=True, many=True
-    )

apps/assets/serializers/domain.py

@@ -3,15 +3,14 @@
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 
-from common.validators import alphanumeric
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import Domain, Gateway
 from .base import AuthSerializerMixin
 
 
 class DomainSerializer(BulkOrgResourceModelSerializer):
-    asset_count = serializers.SerializerMethodField(label=_('Assets amount'))
-    application_count = serializers.SerializerMethodField(label=_('Applications amount'))
+    asset_count = serializers.SerializerMethodField(label=_('Assets count'))
+    application_count = serializers.SerializerMethodField(label=_('Applications count'))
     gateway_count = serializers.SerializerMethodField(label=_('Gateways count'))
 
     class Meta:
@@ -43,8 +42,6 @@ class DomainSerializer(BulkOrgResourceModelSerializer):
 
 
 class GatewaySerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
-    is_connective = serializers.BooleanField(required=False)
-
     class Meta:
         model = Gateway
         fields_mini = ['id', 'name']
@@ -53,14 +50,13 @@ class GatewaySerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         ]
         fields_small = fields_mini + fields_write_only + [
             'username', 'ip', 'port', 'protocol',
-            'is_active', 'is_connective',
+            'is_active',
             'date_created', 'date_updated',
             'created_by', 'comment',
         ]
         fields_fk = ['domain']
         fields = fields_small + fields_fk
         extra_kwargs = {
-            'username': {"validators": [alphanumeric]},
             'password': {'write_only': True},
             'private_key': {"write_only": True},
             'public_key': {"write_only": True},

apps/assets/serializers/system_user.py

@@ -4,18 +4,16 @@ from django.db.models import Count
 
 from common.mixins.serializers import BulkSerializerMixin
 from common.utils import ssh_pubkey_gen
-from common.validators import alphanumeric_re, alphanumeric_cn_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser, Asset
-from .utils import validate_password_contains_left_double_curly_bracket
 from .base import AuthSerializerMixin
 
 __all__ = [
-    'SystemUserSerializer', 'MiniSystemUserSerializer',
+    'SystemUserSerializer',
     'SystemUserSimpleSerializer', 'SystemUserAssetRelationSerializer',
     'SystemUserNodeRelationSerializer', 'SystemUserTaskSerializer',
     'SystemUserUserRelationSerializer', 'SystemUserWithAuthInfoSerializer',
-    'SystemUserTempAuthSerializer', 'RelationMixin',
+    'SystemUserTempAuthSerializer',
 ]
 
 
@@ -26,29 +24,23 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     auto_generate_key = serializers.BooleanField(initial=True, required=False, write_only=True)
     type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
     ssh_key_fingerprint = serializers.ReadOnlyField(label=_('SSH key fingerprint'))
-    applications_amount = serializers.IntegerField(
-        source='apps_amount', read_only=True, label=_('Apps amount')
-    )
 
     class Meta:
         model = SystemUser
         fields_mini = ['id', 'name', 'username']
         fields_write_only = ['password', 'public_key', 'private_key']
         fields_small = fields_mini + fields_write_only + [
-            'token', 'ssh_key_fingerprint',
-            'type', 'type_display', 'protocol', 'is_asset_protocol',
-            'login_mode', 'login_mode_display', 'priority',
-            'sudo', 'shell', 'sftp_root', 'home', 'system_groups', 'ad_domain',
+            'type', 'type_display', 'protocol', 'login_mode', 'login_mode_display',
+            'priority', 'sudo', 'shell', 'sftp_root', 'token', 'ssh_key_fingerprint',
+            'home', 'system_groups', 'ad_domain',
             'username_same_with_user', 'auto_push', 'auto_generate_key',
-            'date_created', 'date_updated', 'comment', 'created_by',
+            'date_created', 'date_updated',
+            'comment', 'created_by',
         ]
-        fields_m2m = ['cmd_filters', 'assets_amount', 'applications_amount', 'nodes']
+        fields_m2m = ['cmd_filters', 'assets_amount']
         fields = fields_small + fields_m2m
         extra_kwargs = {
-            'password': {
-                "write_only": True,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
+            'password': {"write_only": True},
             'public_key': {"write_only": True},
             'private_key': {"write_only": True},
             'token': {"write_only": True},
@@ -57,7 +49,6 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
             'login_mode_display': {'label': _('Login mode display')},
             'created_by': {'read_only': True},
             'ad_domain': {'required': False, 'allow_blank': True, 'label': _('Ad domain')},
-            'is_asset_protocol': {'label': _('Is asset protocol')}
         }
 
     def validate_auto_push(self, value):
@@ -101,20 +92,15 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         raise serializers.ValidationError(error)
 
     def validate_username(self, username):
-        protocol = self.get_initial_value("protocol")
         if username:
-            regx = alphanumeric_re
-            if protocol == SystemUser.Protocol.telnet:
-                regx = alphanumeric_cn_re
-            if not regx.match(username):
-                raise serializers.ValidationError(_('Special char not allowed'))
             return username
-
+        login_mode = self.get_initial_value("login_mode")
+        protocol = self.get_initial_value("protocol")
         username_same_with_user = self.get_initial_value("username_same_with_user")
+
         if username_same_with_user:
             return ''
 
-        login_mode = self.get_initial_value("login_mode")
         if login_mode == SystemUser.LOGIN_AUTO and protocol != SystemUser.Protocol.vnc:
             msg = _('* Automatic login mode must fill in the username.')
             raise serializers.ValidationError(msg)
@@ -126,8 +112,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
             return ''
         return home
 
-    @staticmethod
-    def validate_sftp_root(value):
+    def validate_sftp_root(self, value):
         if value in ['home', 'tmp']:
             return value
         if not value.startswith('/'):
@@ -135,18 +120,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
             raise serializers.ValidationError(error)
         return value
 
-    def validate_password(self, password):
-        super().validate_password(password)
-        auto_gen_key = self.get_initial_value("auto_generate_key", False)
-        private_key = self.get_initial_value("private_key")
-        login_mode = self.get_initial_value("login_mode")
-
-        if not self.instance and not auto_gen_key and not password and \
-                not private_key and login_mode == SystemUser.LOGIN_AUTO:
-            raise serializers.ValidationError(_("Password or private key required"))
-        return password
-
-    def _validate_admin_user(self, attrs):
+    def validate_admin_user(self, attrs):
         if self.instance:
             tp = self.instance.type
         else:
@@ -159,7 +133,18 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         attrs['auto_push'] = False
         return attrs
 
-    def _validate_gen_key(self, attrs):
+    def validate_password(self, password):
+        super().validate_password(password)
+        auto_gen_key = self.get_initial_value("auto_generate_key", False)
+        private_key = self.get_initial_value("private_key")
+        login_mode = self.get_initial_value("login_mode")
+
+        if not self.instance and not auto_gen_key and not password and \
+                not private_key and login_mode == SystemUser.LOGIN_AUTO:
+            raise serializers.ValidationError(_("Password or private key required"))
+        return password
+
+    def validate_gen_key(self, attrs):
         username = attrs.get("username", "manual")
         auto_gen_key = attrs.pop("auto_generate_key", False)
         protocol = attrs.get("protocol")
@@ -183,40 +168,18 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
             attrs["public_key"] = public_key
         return attrs
 
-    def _validate_login_mode(self, attrs):
-        if 'login_mode' in attrs:
-            login_mode = attrs['login_mode']
-        else:
-            login_mode = self.instance.login_mode if self.instance else SystemUser.LOGIN_AUTO
-
-        if login_mode == SystemUser.LOGIN_MANUAL:
-            attrs['password'] = ''
-            attrs['private_key'] = ''
-            attrs['public_key'] = ''
-
-        return attrs
-
     def validate(self, attrs):
-        attrs = self._validate_admin_user(attrs)
-        attrs = self._validate_gen_key(attrs)
-        attrs = self._validate_login_mode(attrs)
+        attrs = self.validate_admin_user(attrs)
+        attrs = self.validate_gen_key(attrs)
         return attrs
 
     @classmethod
     def setup_eager_loading(cls, queryset):
         """ Perform necessary eager loading of data. """
-        queryset = queryset\
-            .annotate(assets_amount=Count("assets")) \
-            .prefetch_related('nodes', 'cmd_filters')
+        queryset = queryset.annotate(assets_amount=Count("assets"))
         return queryset
 
 
-class MiniSystemUserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = SystemUser
-        fields = SystemUserSerializer.Meta.fields_mini
-
-
 class SystemUserWithAuthInfoSerializer(SystemUserSerializer):
     class Meta(SystemUserSerializer.Meta):
         fields_mini = ['id', 'name', 'username']
@@ -240,7 +203,6 @@ class SystemUserSimpleSerializer(serializers.ModelSerializer):
     """
     系统用户最基本信息的数据结构
     """
-
     class Meta:
         model = SystemUser
         fields = ('id', 'name', 'username')

apps/assets/serializers/utils.py

@@ -1,9 +0,0 @@
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import serializers
-
-
-def validate_password_contains_left_double_curly_bracket(password):
-    # validate password contains left double curly bracket
-    # check password not contains `{{`
-    if '{{' in password:
-        raise serializers.ValidationError(_('Password can not contains `{{` '))

apps/assets/signals_handler/authbook.py

@@ -1,7 +1,7 @@
 from django.dispatch import receiver
 from django.apps import apps
 from simple_history.signals import pre_create_historical_record
-from django.db.models.signals import post_save, pre_save, pre_delete
+from django.db.models.signals import post_save, pre_save
 
 from common.utils import get_logger
 from ..models import AuthBook, SystemUser
@@ -28,24 +28,15 @@ def pre_create_historical_record_callback(sender, history_instance=None, **kwarg
             setattr(history_instance, attr, system_user_attr_value)
 
 
-@receiver(pre_delete, sender=AuthBook)
-def on_authbook_post_delete(sender, instance, **kwargs):
-    instance.remove_asset_admin_user_if_need()
-
-
 @receiver(post_save, sender=AuthBook)
-def on_authbook_post_create(sender, instance, created, **kwargs):
-    instance.sync_to_system_user_account()
-    if created:
-        pass
-        # # 不再自动更新资产管理用户，只允许用户手动指定。
-        # 只在创建时进行更新资产的管理用户
-        # instance.update_asset_admin_user_if_need()
+def on_authbook_post_create(sender, instance, **kwargs):
+    if not instance.systemuser:
+        instance.sync_to_system_user_account()
 
 
 @receiver(pre_save, sender=AuthBook)
 def on_authbook_pre_create(sender, instance, **kwargs):
     # 升级版本号
-    instance.version += 1
+    instance.version = instance.history.all().count() + 1
     # 即使在 root 组织也不怕
     instance.org_id = instance.asset.org_id

apps/assets/signals_handler/node_assets_mapping.py

@@ -48,6 +48,7 @@ def expire_node_assets_mapping_for_memory(org_id):
     Node.expire_node_all_asset_ids_mapping_from_cache(root_org_id)
 
     node_assets_mapping_for_memory_pub_sub.publish(org_id)
+    node_assets_mapping_for_memory_pub_sub.publish(root_org_id)
 
 
 @receiver(post_save, sender=Node)
@@ -85,9 +86,7 @@ def subscribe_node_assets_mapping_expire(sender, **kwargs):
                     if message["type"] != "message":
                         continue
                     org_id = message['data'].decode()
-                    root_org_id = Organization.ROOT_ID
                     Node.expire_node_all_asset_ids_mapping_from_memory(org_id)
-                    Node.expire_node_all_asset_ids_mapping_from_memory(root_org_id)
                     logger.debug(
                         "Expire node assets id mapping from memory of org={}, pid={}"
                         "".format(str(org_id), os.getpid())

apps/assets/signals_handler/system_user.py

@@ -131,8 +131,8 @@ def on_system_user_groups_change(instance, action, pk_set, reverse, **kwargs):
 @on_transaction_commit
 def on_system_user_update(instance: SystemUser, created, **kwargs):
     """
-    当系统用户更新时，可能更新了密钥，用户名等，这时要自动推送系统用户到资产上,
-    其实应该当 用户名，密码，密钥 sudo等更新时再推送，这里偷个懒,
+    当系统用户更新时，可能更新了秘钥，用户名等，这时要自动推送系统用户到资产上,
+    其实应该当 用户名，密码，秘钥 sudo等更新时再推送，这里偷个懒,
     这里直接取了 instance.assets 因为nodes和系统用户发生变化时，会自动将nodes下的资产
     关联到上面
     """

apps/assets/tasks/common.py

@@ -4,7 +4,6 @@
 from celery import shared_task
 
 from orgs.utils import tmp_to_root_org
-from assets.models import AuthBook
 
 __all__ = ['add_nodes_assets_to_system_users']
 
@@ -16,13 +15,4 @@ def add_nodes_assets_to_system_users(nodes_keys, system_users):
     nodes = Node.objects.filter(key__in=nodes_keys)
     assets = Node.get_nodes_all_assets(*nodes)
     for system_user in system_users:
-        """ 解决资产和节点进行关联时，已经关联过的节点不会触发 authbook post_save 信号， 
-        无法更新节点下所有资产的管理用户的问题 """
-        for asset in assets:
-            defaults = {'asset': asset, 'systemuser': system_user, 'org_id': asset.org_id}
-            instance, created = AuthBook.objects.update_or_create(
-                defaults=defaults, asset=asset, systemuser=system_user
-            )
-            # # 不再自动更新资产管理用户，只允许用户手动指定。
-            # 只要关联都需要更新资产的管理用户
-            # instance.update_asset_admin_user_if_need()
+        system_user.assets.add(*tuple(assets))

apps/assets/tasks/gather_asset_users.py

@@ -60,12 +60,9 @@ def parse_windows_result_to_users(result):
         task_result.pop()
 
     for line in task_result:
-        username_list = space.split(line)
-        #  such as: ['Admini', 'appadm', 'DefaultAccount', '']
-        for username in username_list:
-            if not username:
-                continue
-            users[username] = {}
+        user = space.split(line)
+        if user[0]:
+            users[user[0]] = {}
     return users
 
 

apps/assets/tasks/push_system_user.py

@@ -4,7 +4,7 @@ from itertools import groupby
 from celery import shared_task
 from common.db.utils import get_object_if_need, get_objects
 from django.utils.translation import ugettext as _
-from django.db.models import Empty, Q
+from django.db.models import Empty
 
 from common.utils import encrypt_password, get_logger
 from assets.models import SystemUser, Asset, AuthBook
@@ -17,7 +17,6 @@ logger = get_logger(__file__)
 __all__ = [
     'push_system_user_util', 'push_system_user_to_assets',
     'push_system_user_to_assets_manual', 'push_system_user_a_asset_manual',
-    'push_system_users_a_asset'
 ]
 
 
@@ -239,12 +238,9 @@ def push_system_user_util(system_user, assets, task_name, username=None):
         no_special_auth = []
         special_auth_set = set()
 
-        auth_books = AuthBook.objects.filter(asset_id__in=asset_ids).filter(
-            Q(username__in=usernames) | Q(systemuser__username__in=usernames)
-        ).prefetch_related('systemuser')
+        auth_books = AuthBook.objects.filter(username__in=usernames, asset_id__in=asset_ids)
 
         for auth_book in auth_books:
-            auth_book.load_auth()
             special_auth_set.add((auth_book.username, auth_book.asset_id))
 
         for _username in usernames:
@@ -284,21 +280,14 @@ def push_system_user_a_asset_manual(system_user, asset, username=None):
     """
     将系统用户推送到一个资产上
     """
-    # if username is None:
-    #     username = system_user.username
+    if username is None:
+        username = system_user.username
     task_name = _("Push system users to asset: {}({}) => {}").format(
         system_user.name, username, asset
     )
     return push_system_user_util(system_user, [asset], task_name=task_name, username=username)
 
 
-@shared_task(queue="ansible")
-@tmp_to_root_org()
-def push_system_users_a_asset(system_users, asset):
-    for system_user in system_users:
-        push_system_user_a_asset_manual(system_user, asset)
-
-
 @shared_task(queue="ansible")
 @tmp_to_root_org()
 def push_system_user_to_assets(system_user_id, asset_ids, username=None):

apps/assets/tasks/system_user_connectivity.py

@@ -18,7 +18,6 @@ logger = get_logger(__name__)
 __all__ = [
     'test_system_user_connectivity_util', 'test_system_user_connectivity_manual',
     'test_system_user_connectivity_period', 'test_system_user_connectivity_a_asset',
-    'test_system_users_connectivity_a_asset'
 ]
 
 
@@ -132,12 +131,6 @@ def test_system_user_connectivity_a_asset(system_user, asset):
     test_system_user_connectivity_util(system_user, [asset], task_name)
 
 
-@shared_task(queue="ansible")
-def test_system_users_connectivity_a_asset(system_users, asset):
-    for system_user in system_users:
-        test_system_user_connectivity_a_asset(system_user, asset)
-
-
 @shared_task(queue="ansible")
 def test_system_user_connectivity_period():
     if not const.PERIOD_TASK_ENABLED:

apps/assets/urls/api_urls.py

@@ -36,10 +36,6 @@ urlpatterns = [
     path('assets/<uuid:pk>/platform/', api.AssetPlatformRetrieveApi.as_view(), name='asset-platform-detail'),
     path('assets/<uuid:pk>/tasks/', api.AssetTaskCreateApi.as_view(), name='asset-task-create'),
     path('assets/tasks/', api.AssetsTaskCreateApi.as_view(), name='assets-task-create'),
-    path('assets/<uuid:pk>/perm-users/', api.AssetPermUserListApi.as_view(), name='asset-perm-user-list'),
-    path('assets/<uuid:pk>/perm-users/<uuid:perm_user_id>/permissions/', api.AssetPermUserPermissionsListApi.as_view(), name='asset-perm-user-permission-list'),
-    path('assets/<uuid:pk>/perm-user-groups/', api.AssetPermUserGroupListApi.as_view(), name='asset-perm-user-group-list'),
-    path('assets/<uuid:pk>/perm-user-groups/<uuid:perm_user_group_id>/permissions/', api.AssetPermUserGroupPermissionsListApi.as_view(), name='asset-perm-user-group-permission-list'),
 
     path('system-users/<uuid:pk>/auth-info/', api.SystemUserAuthInfoApi.as_view(), name='system-user-auth-info'),
     path('system-users/<uuid:pk>/assets/', api.SystemUserAssetsListView.as_view(), name='system-user-assets'),

apps/audits/api.py

@@ -39,7 +39,7 @@ class UserLoginLogViewSet(ListModelMixin, CommonGenericViewSet):
         ('datetime', ('date_from', 'date_to'))
     ]
     filterset_fields = ['username', 'ip', 'city', 'type', 'status', 'mfa']
-    search_fields = ['username', 'ip', 'city']
+    search_fields =['username', 'ip', 'city']
 
     @staticmethod
     def get_org_members():
@@ -48,10 +48,9 @@ class UserLoginLogViewSet(ListModelMixin, CommonGenericViewSet):
 
     def get_queryset(self):
         queryset = super().get_queryset()
-        if current_org.is_root():
-            return queryset
-        users = self.get_org_members()
-        queryset = queryset.filter(username__in=users)
+        if not current_org.is_default():
+            users = self.get_org_members()
+            queryset = queryset.filter(username__in=users)
         return queryset
 
 

apps/audits/const.py

@@ -1,5 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext_lazy as _
-
-DEFAULT_CITY = _("Unknown")

apps/audits/models.py

@@ -5,7 +5,7 @@ from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
 
-from orgs.mixins.models import OrgModelMixin, Organization
+from orgs.mixins.models import OrgModelMixin
 from orgs.utils import current_org
 
 __all__ = [
@@ -63,11 +63,6 @@ class OperateLog(OrgModelMixin):
     def __str__(self):
         return "<{}> {} <{}>".format(self.user, self.action, self.resource)
 
-    def save(self, *args, **kwargs):
-        if current_org.is_root() and not self.org_id:
-            self.org_id = Organization.ROOT_ID
-        return super(OperateLog, self).save(*args, **kwargs)
-
 
 class PasswordChangeLog(models.Model):
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)

apps/audits/serializers.py

@@ -35,14 +35,13 @@ class UserLoginLogSerializer(serializers.ModelSerializer):
         fields_mini = ['id']
         fields_small = fields_mini + [
             'username', 'type', 'type_display', 'ip', 'city', 'user_agent',
-            'mfa', 'mfa_display', 'reason', 'reason_display',  'backend',
+            'mfa', 'mfa_display', 'reason', 'backend',
             'status', 'status_display',
             'datetime',
         ]
         fields = fields_small
         extra_kwargs = {
-            "user_agent": {'label': _('User agent')},
-            "reason_display": {'label': _('Reason')}
+            "user_agent": {'label': _('User agent')}
         }
 
 

apps/audits/signals_handler.py

@@ -1,8 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-from django.db.models.signals import (
-    post_save, m2m_changed, pre_delete
-)
+from django.db.models.signals import post_save, post_delete
 from django.dispatch import receiver
 from django.conf import settings
 from django.db import transaction
@@ -13,34 +11,29 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework.renderers import JSONRenderer
 from rest_framework.request import Request
 
-from assets.models import Asset, SystemUser
-from authentication.signals import post_auth_failed, post_auth_success
-from authentication.utils import check_different_city_login
 from jumpserver.utils import current_request
+from common.utils import get_request_ip, get_logger, get_syslogger
 from users.models import User
 from users.signals import post_user_change_password
+from authentication.signals import post_auth_failed, post_auth_success
 from terminal.models import Session, Command
+from common.utils.encode import model_to_json
 from .utils import write_login_log
 from . import models
-from .models import OperateLog
-from orgs.utils import current_org
-from perms.models import AssetPermission, ApplicationPermission
-from common.const.signals import POST_ADD, POST_REMOVE, POST_CLEAR
-from common.utils import get_request_ip, get_logger, get_syslogger
-from common.utils.encode import model_to_json
 
 logger = get_logger(__name__)
 sys_logger = get_syslogger(__name__)
 json_render = JSONRenderer()
 
+
 MODELS_NEED_RECORD = (
     # users
     'User', 'UserGroup',
     # acls
-    'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
+    'LoginACL', 'LoginAssetACL',
     # assets
     'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
-    'CommandFilter', 'Platform', 'AuthBook',
+    'CommandFilter', 'Platform',
     # applications
     'Application',
     # orgs
@@ -97,123 +90,6 @@ def create_operate_log(action, sender, resource):
             logger.error("Create operate log error: {}".format(e))
 
 
-M2M_NEED_RECORD = {
-    'OrganizationMember': (
-        _('User and Organization'),
-        _('{User} JOINED {Organization}'),
-        _('{User} LEFT {Organization}')
-    ),
-    User.groups.through._meta.object_name: (
-        _('User and Group'),
-        _('{User} JOINED {UserGroup}'),
-        _('{User} LEFT {UserGroup}')
-    ),
-    SystemUser.assets.through._meta.object_name: (
-        _('Asset and SystemUser'),
-        _('{Asset} ADD {SystemUser}'),
-        _('{Asset} REMOVE {SystemUser}')
-    ),
-    Asset.nodes.through._meta.object_name: (
-        _('Node and Asset'),
-        _('{Node} ADD {Asset}'),
-        _('{Node} REMOVE {Asset}')
-    ),
-    AssetPermission.users.through._meta.object_name: (
-        _('User asset permissions'),
-        _('{AssetPermission} ADD {User}'),
-        _('{AssetPermission} REMOVE {User}'),
-    ),
-    AssetPermission.user_groups.through._meta.object_name: (
-        _('User group asset permissions'),
-        _('{AssetPermission} ADD {UserGroup}'),
-        _('{AssetPermission} REMOVE {UserGroup}'),
-    ),
-    AssetPermission.assets.through._meta.object_name: (
-        _('Asset permission'),
-        _('{AssetPermission} ADD {Asset}'),
-        _('{AssetPermission} REMOVE {Asset}'),
-    ),
-    AssetPermission.nodes.through._meta.object_name: (
-        _('Node permission'),
-        _('{AssetPermission} ADD {Node}'),
-        _('{AssetPermission} REMOVE {Node}'),
-    ),
-    AssetPermission.system_users.through._meta.object_name: (
-        _('Asset permission and SystemUser'),
-        _('{AssetPermission} ADD {SystemUser}'),
-        _('{AssetPermission} REMOVE {SystemUser}'),
-    ),
-    ApplicationPermission.users.through._meta.object_name: (
-        _('User application permissions'),
-        _('{ApplicationPermission} ADD {User}'),
-        _('{ApplicationPermission} REMOVE {User}'),
-    ),
-    ApplicationPermission.user_groups.through._meta.object_name: (
-        _('User group application permissions'),
-        _('{ApplicationPermission} ADD {UserGroup}'),
-        _('{ApplicationPermission} REMOVE {UserGroup}'),
-    ),
-    ApplicationPermission.applications.through._meta.object_name: (
-        _('Application permission'),
-        _('{ApplicationPermission} ADD {Application}'),
-        _('{ApplicationPermission} REMOVE {Application}'),
-    ),
-    ApplicationPermission.system_users.through._meta.object_name: (
-        _('Application permission and SystemUser'),
-        _('{ApplicationPermission} ADD {SystemUser}'),
-        _('{ApplicationPermission} REMOVE {SystemUser}'),
-    ),
-}
-
-M2M_ACTION = {
-    POST_ADD: 'add',
-    POST_REMOVE: 'remove',
-    POST_CLEAR: 'remove',
-}
-
-
-@receiver(m2m_changed)
-def on_m2m_changed(sender, action, instance, reverse, model, pk_set, **kwargs):
-    if action not in M2M_ACTION:
-        return
-
-    user = current_request.user if current_request else None
-    if not user or not user.is_authenticated:
-        return
-
-    sender_name = sender._meta.object_name
-    if sender_name in M2M_NEED_RECORD:
-        action = M2M_ACTION[action]
-        org_id = current_org.id
-        remote_addr = get_request_ip(current_request)
-        user = str(user)
-        resource_type, resource_tmpl_add, resource_tmpl_remove = M2M_NEED_RECORD[sender_name]
-        if action == 'add':
-            resource_tmpl = resource_tmpl_add
-        elif action == 'remove':
-            resource_tmpl = resource_tmpl_remove
-
-        to_create = []
-        objs = model.objects.filter(pk__in=pk_set)
-
-        instance_name = instance._meta.object_name
-        instance_value = str(instance)
-
-        model_name = model._meta.object_name
-
-        for obj in objs:
-            resource = resource_tmpl.format(**{
-                instance_name: instance_value,
-                model_name: str(obj)
-            })[:128]  # `resource` 字段只有 128 个字符长 😔
-
-            to_create.append(OperateLog(
-                user=user, action=action, resource_type=resource_type,
-                resource=resource, remote_addr=remote_addr, org_id=org_id
-            ))
-        OperateLog.objects.bulk_create(to_create)
-
-
 @receiver(post_save)
 def on_object_created_or_update(sender, instance=None, created=False, update_fields=None, **kwargs):
     # last_login 改变是最后登录日期, 每次登录都会改变
@@ -227,7 +103,7 @@ def on_object_created_or_update(sender, instance=None, created=False, update_fie
     create_operate_log(action, sender, instance)
 
 
-@receiver(pre_delete)
+@receiver(post_delete)
 def on_object_delete(sender, instance=None, **kwargs):
     create_operate_log(models.OperateLog.ACTION_DELETE, sender, instance)
 
@@ -304,7 +180,6 @@ def generate_data(username, request, login_type=None):
 @receiver(post_auth_success)
 def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
     logger.debug('User login success: {}'.format(user.username))
-    check_different_city_login(user, request)
     data = generate_data(user.username, request, login_type=login_type)
     data.update({'mfa': int(user.mfa_enabled), 'status': True})
     write_login_log(**data)

apps/audits/tasks.py

@@ -5,12 +5,14 @@ from django.utils import timezone
 from celery import shared_task
 
 from ops.celery.decorator import (
-    register_as_period_task
+    register_as_period_task, after_app_shutdown_clean_periodic
 )
 from .models import UserLoginLog, OperateLog
 from common.utils import get_log_keep_day
 
 
+@shared_task
+@after_app_shutdown_clean_periodic
 def clean_login_log_period():
     now = timezone.now()
     days = get_log_keep_day('LOGIN_LOG_KEEP_DAYS')
@@ -18,6 +20,8 @@ def clean_login_log_period():
     UserLoginLog.objects.filter(datetime__lt=expired_day).delete()
 
 
+@shared_task
+@after_app_shutdown_clean_periodic
 def clean_operation_log_period():
     now = timezone.now()
     days = get_log_keep_day('OPERATE_LOG_KEEP_DAYS')
@@ -25,6 +29,7 @@ def clean_operation_log_period():
     OperateLog.objects.filter(datetime__lt=expired_day).delete()
 
 
+@shared_task
 def clean_ftp_log_period():
     now = timezone.now()
     days = get_log_keep_day('FTP_LOG_KEEP_DAYS')

apps/audits/utils.py

@@ -1,8 +1,8 @@
 import csv
 import codecs
 from django.http import HttpResponse
+from django.utils.translation import ugettext as _
 
-from .const import DEFAULT_CITY
 from common.utils import validate_ip, get_ip_city
 
 
@@ -27,12 +27,12 @@ def write_content_to_excel(response, header=None, login_logs=None, fields=None):
 
 def write_login_log(*args, **kwargs):
     from audits.models import UserLoginLog
-
+    default_city = _("Unknown")
     ip = kwargs.get('ip') or ''
     if not (ip and validate_ip(ip)):
         ip = ip[:15]
-        city = DEFAULT_CITY
+        city = default_city
     else:
-        city = get_ip_city(ip) or DEFAULT_CITY
+        city = get_ip_city(ip) or default_city
     kwargs.update({'ip': ip, 'city': city})
     UserLoginLog.objects.create(**kwargs)

apps/authentication/api/__init__.py

@@ -9,5 +9,4 @@ from .login_confirm import *
 from .sso import *
 from .wecom import *
 from .dingtalk import *
-from .feishu import *
 from .password import *

apps/authentication/api/connection_token.py

@@ -1,9 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 import urllib.parse
-import json
-import base64
-from typing import Callable
 
 from django.conf import settings
 from django.core.cache import cache
@@ -11,7 +8,6 @@ from django.shortcuts import get_object_or_404
 from django.http import HttpResponse
 from django.utils.translation import ugettext as _
 from rest_framework.response import Response
-from rest_framework.request import Request
 from rest_framework.viewsets import GenericViewSet
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
@@ -19,42 +15,89 @@ from rest_framework import serializers
 
 from authentication.signals import post_auth_failed, post_auth_success
 from common.utils import get_logger, random_string
-from common.mixins.api import SerializerMixin
+from common.drf.api import SerializerMixin
 from common.permissions import IsSuperUserOrAppUser, IsValidUser, IsSuperUser
+
 from orgs.mixins.api import RootOrgViewMixin
-from common.http import is_true
-from perms.utils.asset.permission import get_asset_system_user_ids_with_actions_by_user
-from perms.models.asset_permission import Action
-from authentication.errors import NotHaveUpDownLoadPerm
 
 from ..serializers import (
     ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
+    RDPFileSerializer
 )
 
 logger = get_logger(__name__)
 __all__ = ['UserConnectionTokenViewSet']
 
 
-class ClientProtocolMixin:
-    request: Request
-    get_serializer: Callable
-    create_token: Callable
+class UserConnectionTokenViewSet(RootOrgViewMixin, SerializerMixin, GenericViewSet):
+    permission_classes = (IsSuperUserOrAppUser,)
+    serializer_classes = {
+        'default': ConnectionTokenSerializer,
+        'get_secret_detail': ConnectionTokenSecretSerializer,
+        'get_rdp_file': RDPFileSerializer
+    }
+    CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
+
+    @staticmethod
+    def check_resource_permission(user, asset, application, system_user):
+        from perms.utils.asset import has_asset_system_permission
+        from perms.utils.application import has_application_system_permission
+        if asset and not has_asset_system_permission(user, asset, system_user):
+            error = f'User not has this asset and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
+            raise PermissionDenied(error)
+        if application and not has_application_system_permission(user, application, system_user):
+            error = f'User not has this application and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} application={application.id}'
+            raise PermissionDenied(error)
+        return True
+
+    def create_token(self, user, asset, application, system_user, ttl=5*60):
+        if not self.request.user.is_superuser and user != self.request.user:
+            raise PermissionDenied('Only super user can create user token')
+        self.check_resource_permission(user, asset, application, system_user)
+        token = random_string(36)
+        value = {
+            'user': str(user.id),
+            'username': user.username,
+            'system_user': str(system_user.id),
+            'system_user_name': system_user.name
+        }
+
+        if asset:
+            value.update({
+                'type': 'asset',
+                'asset': str(asset.id),
+                'hostname': asset.hostname,
+            })
+        elif application:
+            value.update({
+                'type': 'application',
+                'application': application.id,
+                'application_name': str(application)
+            })
+
+        key = self.CACHE_KEY_PREFIX.format(token)
+        cache.set(key, value, timeout=ttl)
+        return token
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
 
-    def get_request_resource(self, serializer):
         asset = serializer.validated_data.get('asset')
         application = serializer.validated_data.get('application')
         system_user = serializer.validated_data['system_user']
-
         user = serializer.validated_data.get('user')
-        if not user or not self.request.user.is_superuser:
-            user = self.request.user
-        return asset, application, system_user, user
+        token = self.create_token(user, asset, application, system_user)
+        return Response({"token": token}, status=201)
 
-    def get_rdp_file_content(self, serializer):
+    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file', permission_classes=[IsValidUser])
+    def get_rdp_file(self, request, *args, **kwargs):
         options = {
             'full address:s': '',
             'username:s': '',
-            # 'screen mode id:i': '1',
+            'screen mode id:i': '1',
             # 'desktopwidth:i': '1280',
             # 'desktopheight:i': '800',
             'use multimon:i': '0',
@@ -77,32 +120,29 @@ class ClientProtocolMixin:
             'bookmarktype:i': '3',
             'use redirection server name:i': '0',
             'smart sizing:i': '0',
-            #'drivestoredirect:s': '*',
             # 'domain:s': ''
             # 'alternate shell:s:': '||MySQLWorkbench',
             # 'remoteapplicationname:s': 'Firefox',
             # 'remoteapplicationcmdline:s': '',
         }
+        if self.request.method == 'GET':
+            data = self.request.query_params
+        else:
+            data = request.data
+        serializer = self.get_serializer(data=data)
+        serializer.is_valid(raise_exception=True)
 
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        height = self.request.query_params.get('height')
-        width = self.request.query_params.get('width')
-        full_screen = is_true(self.request.query_params.get('full_screen'))
-        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
+        asset = serializer.validated_data.get('asset')
+        application = serializer.validated_data.get('application')
+        system_user = serializer.validated_data['system_user']
+        height = serializer.validated_data.get('height')
+        width = serializer.validated_data.get('width')
+        user = request.user
         token = self.create_token(user, asset, application, system_user)
 
-        if drives_redirect and asset:
-            systemuser_actions_mapper = get_asset_system_user_ids_with_actions_by_user(user, asset)
-            actions = systemuser_actions_mapper.get(system_user.id, [])
-            if actions & Action.UPDOWNLOAD:
-                options['drivestoredirect:s'] = '*'
-            else:
-                raise NotHaveUpDownLoadPerm
-
-        options['screen mode id:i'] = '2' if full_screen else '1'
         address = settings.TERMINAL_RDP_ADDR
         if not address or address == 'localhost:3389':
-            address = self.request.get_host().split(':')[0] + ':3389'
+            address = request.get_host().split(':')[0] + ':3389'
         options['full address:s'] = address
         options['username:s'] = '{}|{}'.format(user.username, token)
         if system_user.ad_domain:
@@ -112,77 +152,21 @@ class ClientProtocolMixin:
             options['desktopheight:i'] = height
         else:
             options['smart sizing:i'] = '1'
-        content = ''
+        data = ''
         for k, v in options.items():
-            content += f'{k}:{v}\n'
+            data += f'{k}:{v}\n'
         if asset:
             name = asset.hostname
         elif application:
             name = application.name
         else:
             name = '*'
-        return name, content
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file', permission_classes=[IsValidUser])
-    def get_rdp_file(self, request, *args, **kwargs):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        name, data = self.get_rdp_file_content(serializer)
         response = HttpResponse(data, content_type='application/octet-stream')
-        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
+        filename = "{}-{}-jumpserver.rdp".format(user.username, name)
         filename = urllib.parse.quote(filename)
         response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
         return response
 
-    def get_valid_serializer(self):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        return serializer
-
-    def get_client_protocol_data(self, serializer):
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        protocol = system_user.protocol
-        username = user.username
-        name = ''
-        if protocol == 'rdp':
-            name, config = self.get_rdp_file_content(serializer)
-        elif protocol == 'vnc':
-            raise HttpResponse(status=404, data={"error": "VNC not support"})
-        else:
-            config = 'ssh://system_user@asset@user@jumpserver-ssh'
-        filename = "{}-{}-jumpserver".format(username, name)
-        data = {
-            "filename": filename,
-            "protocol": system_user.protocol,
-            "username": username,
-            "config": config
-        }
-        return data
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='client-url', permission_classes=[IsValidUser])
-    def get_client_protocol_url(self, request, *args, **kwargs):
-        serializer = self.get_valid_serializer()
-        protocol_data = self.get_client_protocol_data(serializer)
-        protocol_data = base64.b64encode(json.dumps(protocol_data).encode()).decode()
-        data = {
-            'url': 'jms://{}'.format(protocol_data),
-        }
-        return Response(data=data)
-
-
-class SecretDetailMixin:
-    valid_token: Callable
-    request: Request
-    get_serializer: Callable
-
     @staticmethod
     def _get_application_secret_detail(application):
         from perms.models import Action
@@ -228,100 +212,6 @@ class SecretDetailMixin:
             'actions': actions,
         }
 
-    @action(methods=['POST'], detail=False, permission_classes=[IsSuperUserOrAppUser], url_path='secret-info/detail')
-    def get_secret_detail(self, request, *args, **kwargs):
-        token = request.data.get('token', '')
-        try:
-            value, user, system_user, asset, app, expired_at = self.valid_token(token)
-        except serializers.ValidationError as e:
-            post_auth_failed.send(
-                sender=self.__class__, username='', request=self.request,
-                reason=_('Invalid token')
-            )
-            raise e
-
-        data = dict(user=user, system_user=system_user, expired_at=expired_at)
-        if asset:
-            asset_detail = self._get_asset_secret_detail(asset, user=user, system_user=system_user)
-            system_user.load_asset_more_auth(asset.id, user.username, user.id)
-            data['type'] = 'asset'
-            data.update(asset_detail)
-        else:
-            app_detail = self._get_application_secret_detail(app)
-            system_user.load_app_more_auth(app.id, user.id)
-            data['type'] = 'application'
-            data.update(app_detail)
-
-        self.request.session['auth_backend'] = settings.AUTH_BACKEND_AUTH_TOKEN
-        post_auth_success.send(sender=self.__class__, user=user, request=self.request, login_type='T')
-
-        serializer = self.get_serializer(data)
-        return Response(data=serializer.data, status=200)
-
-
-class UserConnectionTokenViewSet(
-    RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
-    SecretDetailMixin, GenericViewSet
-):
-    permission_classes = (IsSuperUserOrAppUser,)
-    serializer_classes = {
-        'default': ConnectionTokenSerializer,
-        'get_secret_detail': ConnectionTokenSecretSerializer,
-    }
-    CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
-
-    @staticmethod
-    def check_resource_permission(user, asset, application, system_user):
-        from perms.utils.asset import has_asset_system_permission
-        from perms.utils.application import has_application_system_permission
-
-        if asset and not has_asset_system_permission(user, asset, system_user):
-            error = f'User not has this asset and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
-            raise PermissionDenied(error)
-        if application and not has_application_system_permission(user, application, system_user):
-            error = f'User not has this application and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} application={application.id}'
-            raise PermissionDenied(error)
-        return True
-
-    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
-        if not self.request.user.is_superuser and user != self.request.user:
-            raise PermissionDenied('Only super user can create user token')
-        self.check_resource_permission(user, asset, application, system_user)
-        token = random_string(36)
-        value = {
-            'user': str(user.id),
-            'username': user.username,
-            'system_user': str(system_user.id),
-            'system_user_name': system_user.name
-        }
-
-        if asset:
-            value.update({
-                'type': 'asset',
-                'asset': str(asset.id),
-                'hostname': asset.hostname,
-            })
-        elif application:
-            value.update({
-                'type': 'application',
-                'application': application.id,
-                'application_name': str(application)
-            })
-
-        key = self.CACHE_KEY_PREFIX.format(token)
-        cache.set(key, value, timeout=ttl)
-        return token
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        token = self.create_token(user, asset, application, system_user)
-        return Response({"token": token}, status=201)
-
     def valid_token(self, token):
         from users.models import User
         from assets.models import SystemUser, Asset
@@ -354,8 +244,39 @@ class UserConnectionTokenViewSet(
 
         if not has_perm:
             raise serializers.ValidationError('Permission expired or invalid')
+
         return value, user, system_user, asset, app, expired_at
 
+    @action(methods=['POST'], detail=False, permission_classes=[IsSuperUserOrAppUser], url_path='secret-info/detail')
+    def get_secret_detail(self, request, *args, **kwargs):
+        token = request.data.get('token', '')
+        try:
+            value, user, system_user, asset, app, expired_at = self.valid_token(token)
+        except serializers.ValidationError as e:
+            post_auth_failed.send(
+                sender=self.__class__, username='', request=self.request,
+                reason=_('Invalid token')
+            )
+            raise e
+
+        data = dict(user=user, system_user=system_user, expired_at=expired_at)
+        if asset:
+            asset_detail = self._get_asset_secret_detail(asset, user=user, system_user=system_user)
+            system_user.load_asset_more_auth(asset.id, user.username, user.id)
+            data['type'] = 'asset'
+            data.update(asset_detail)
+        else:
+            app_detail = self._get_application_secret_detail(app)
+            system_user.load_app_more_auth(app.id, user.id)
+            data['type'] = 'application'
+            data.update(app_detail)
+
+        self.request.session['auth_backend'] = settings.AUTH_BACKEND_AUTH_TOKEN
+        post_auth_success.send(sender=self.__class__, user=user, request=self.request, login_type='T')
+
+        serializer = self.get_serializer(data)
+        return Response(data=serializer.data, status=200)
+
     def get_permissions(self):
         if self.action in ["create", "get_rdp_file"]:
             if self.request.data.get('user', None):

apps/authentication/api/feishu.py

@@ -1,45 +0,0 @@
-from rest_framework.views import APIView
-from rest_framework.request import Request
-from rest_framework.response import Response
-
-from users.permissions import IsAuthPasswdTimeValid
-from users.models import User
-from common.utils import get_logger
-from common.permissions import IsOrgAdmin
-from common.mixins.api import RoleUserMixin, RoleAdminMixin
-from authentication import errors
-
-logger = get_logger(__file__)
-
-
-class FeiShuQRUnBindBase(APIView):
-    user: User
-
-    def post(self, request: Request, **kwargs):
-        user = self.user
-
-        if not user.feishu_id:
-            raise errors.FeiShuNotBound
-
-        user.feishu_id = None
-        user.save()
-        return Response()
-
-
-class FeiShuQRUnBindForUserApi(RoleUserMixin, FeiShuQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
-
-
-class FeiShuQRUnBindForAdminApi(RoleAdminMixin, FeiShuQRUnBindBase):
-    user_id_url_kwarg = 'user_id'
-    permission_classes = (IsOrgAdmin,)
-
-
-class FeiShuEventSubscriptionCallback(APIView):
-    """
-    # https://open.feishu.cn/document/ukTMukTMukTM/uUTNz4SN1MjL1UzM
-    """
-    permission_classes = ()
-
-    def post(self, request: Request, *args, **kwargs):
-        return Response(data=request.data)

apps/authentication/api/login_confirm.py

@@ -8,12 +8,29 @@ from django.shortcuts import get_object_or_404
 
 from common.utils import get_logger
 from common.permissions import IsOrgAdmin
+from ..models import LoginConfirmSetting
+from ..serializers import LoginConfirmSettingSerializer
 from .. import errors, mixins
 
-__all__ = ['TicketStatusApi']
+__all__ = ['LoginConfirmSettingUpdateApi', 'TicketStatusApi']
 logger = get_logger(__name__)
 
 
+class LoginConfirmSettingUpdateApi(UpdateAPIView):
+    permission_classes = (IsOrgAdmin,)
+    serializer_class = LoginConfirmSettingSerializer
+
+    def get_object(self):
+        from users.models import User
+        user_id = self.kwargs.get('user_id')
+        user = get_object_or_404(User, pk=user_id)
+        defaults = {'user': user}
+        s, created = LoginConfirmSetting.objects.get_or_create(
+            defaults, user=user,
+        )
+        return s
+
+
 class TicketStatusApi(mixins.AuthMixin, APIView):
     permission_classes = (AllowAny,)
 
@@ -28,5 +45,5 @@ class TicketStatusApi(mixins.AuthMixin, APIView):
         ticket = self.get_ticket()
         if ticket:
             request.session.pop('auth_ticket_id', '')
-            ticket.close(processor=self.get_user_from_session())
+            ticket.close(processor=request.user)
         return Response('', status=200)

apps/authentication/api/mfa.py

@@ -1,36 +1,21 @@
 # -*- coding: utf-8 -*-
 #
-import builtins
 import time
-
 from django.utils.translation import ugettext as _
 from django.conf import settings
-from django.shortcuts import get_object_or_404
 from rest_framework.permissions import AllowAny
 from rest_framework.generics import CreateAPIView
 from rest_framework.serializers import ValidationError
 from rest_framework.response import Response
 
 from common.permissions import IsValidUser, NeedMFAVerify
-from users.models.user import MFAType, User
 from ..serializers import OtpVerifySerializer
 from .. import serializers
 from .. import errors
 from ..mixins import AuthMixin
 
 
-__all__ = ['MFAChallengeApi', 'UserOtpVerifyApi', 'SendSMSVerifyCodeApi', 'MFASelectTypeApi']
-
-
-class MFASelectTypeApi(AuthMixin, CreateAPIView):
-    permission_classes = (AllowAny,)
-    serializer_class = serializers.MFASelectTypeSerializer
-
-    def perform_create(self, serializer):
-        mfa_type = serializer.validated_data['type']
-        if mfa_type == MFAType.SMS_CODE:
-            user = self.get_user_from_session()
-            user.send_sms_code()
+__all__ = ['MFAChallengeApi', 'UserOtpVerifyApi']
 
 
 class MFAChallengeApi(AuthMixin, CreateAPIView):
@@ -41,9 +26,7 @@ class MFAChallengeApi(AuthMixin, CreateAPIView):
         try:
             user = self.get_user_from_session()
             code = serializer.validated_data.get('code')
-            mfa_type = serializer.validated_data.get('type', MFAType.OTP)
-
-            valid = user.check_mfa(code, mfa_type=mfa_type)
+            valid = user.check_mfa(code)
             if not valid:
                 self.request.session['auth_mfa'] = ''
                 raise errors.MFAFailedError(
@@ -84,19 +67,3 @@ class UserOtpVerifyApi(CreateAPIView):
         if self.request.method.lower() == 'get' and settings.SECURITY_VIEW_AUTH_NEED_MFA:
             self.permission_classes = [NeedMFAVerify]
         return super().get_permissions()
-
-
-class SendSMSVerifyCodeApi(AuthMixin, CreateAPIView):
-    permission_classes = (AllowAny,)
-
-    def create(self, request, *args, **kwargs):
-        username = request.data.get('username', '')
-        username = username.strip()
-        if username:
-            user = get_object_or_404(User, username=username)
-        else:
-            user = self.get_user_from_session()
-        if not user.mfa_enabled:
-            raise errors.NotEnableMFAError
-        timeout = user.send_sms_code()
-        return Response({'code': 'ok', 'timeout': timeout})

apps/authentication/api/sso.py

@@ -9,9 +9,9 @@ from rest_framework.response import Response
 from rest_framework.request import Request
 from rest_framework.permissions import AllowAny
 
-from common.utils.timezone import utc_now
+from common.utils.timezone import utcnow
 from common.const.http import POST, GET
-from common.drf.api import JMSGenericViewSet
+from common.drf.api import JmsGenericViewSet
 from common.drf.serializers import EmptySerializer
 from common.permissions import IsSuperUser
 from common.utils import reverse
@@ -26,7 +26,7 @@ NEXT_URL = 'next'
 AUTH_KEY = 'authkey'
 
 
-class SSOViewSet(AuthMixin, JMSGenericViewSet):
+class SSOViewSet(AuthMixin, JmsGenericViewSet):
     queryset = SSOToken.objects.all()
     serializer_classes = {
         'login_url': SSOTokenSerializer,
@@ -79,7 +79,7 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
             return HttpResponseRedirect(next_url)
 
         # 判断是否过期
-        if (utc_now().timestamp() - token.date_created.timestamp()) > settings.AUTH_SSO_AUTHKEY_TTL:
+        if (utcnow().timestamp() - token.date_created.timestamp()) > settings.AUTH_SSO_AUTHKEY_TTL:
             self.send_auth_signal(success=False, reason='authkey_timeout')
             return HttpResponseRedirect(next_url)
 

apps/authentication/apps.py

@@ -6,6 +6,5 @@ class AuthenticationConfig(AppConfig):
 
     def ready(self):
         from . import signals_handlers
-        from . import notifications
         super().ready()
 

apps/authentication/backends/api.py

@@ -240,15 +240,6 @@ class DingTalkAuthentication(JMSModelBackend):
         pass
 
 
-class FeiShuAuthentication(JMSModelBackend):
-    """
-    什么也不做呀😺
-    """
-
-    def authenticate(self, request, **kwargs):
-        pass
-
-
 class AuthorizationTokenAuthentication(JMSModelBackend):
     """
     什么也不做呀😺

apps/authentication/backends/cas/__init__.py

@@ -1,3 +1,4 @@
 # -*- coding: utf-8 -*-
 #
 from .backends import *
+from .callback import *

apps/authentication/backends/cas/callback.py

@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+#
+from django.contrib.auth import get_user_model
+
+
+User = get_user_model()
+
+
+def cas_callback(response):
+    username = response['username']
+    user, user_created = User.objects.get_or_create(username=username)
+    profile, created = user.get_profile()
+
+    profile.role = response['attributes']['role']
+    profile.birth_date = response['attributes']['birth_date']
+    profile.save()

apps/authentication/errors.py

@@ -3,12 +3,10 @@
 from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse
 from django.conf import settings
-from rest_framework import status
 
 from common.exceptions import JMSException
 from .signals import post_auth_failed
 from users.utils import LoginBlockUtil, MFABlockUtils
-from users.models import MFAType
 
 reason_password_failed = 'password_failed'
 reason_password_decrypt_failed = 'password_decrypt_failed'
@@ -60,25 +58,14 @@ block_mfa_msg = _(
     "The account has been locked "
     "(please contact admin to unlock it or try again after {} minutes)"
 )
-otp_failed_msg = _(
-    "One-time password invalid, or ntp sync server time, "
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-sms_failed_msg = _(
-    "SMS verify code invalid,"
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-mfa_type_failed_msg = _(
-    "The MFA type({mfa_type}) is not supported, "
+mfa_failed_msg = _(
+    "MFA code invalid, or ntp sync server time, "
     "You can also try {times_try} times "
     "(The account will be temporarily locked for {block_time} minutes)"
 )
 
 mfa_required_msg = _("MFA required")
 mfa_unset_msg = _("MFA not set, please set it first")
-otp_unset_msg = _("OTP not set, please set it first")
 login_confirm_required_msg = _("Login confirm required")
 login_confirm_wait_msg = _("Wait login confirm ticket for accept")
 login_confirm_error_msg = _("Login confirm ticket was {}")
@@ -134,10 +121,6 @@ class CredentialError(AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin, AuthFail
         times_remainder = util.get_remainder_times()
         block_time = settings.SECURITY_LOGIN_LIMIT_TIME
 
-        if times_remainder < 1:
-            self.msg = block_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-            return
-
         default_msg = invalid_login_msg.format(
             times_try=times_remainder, block_time=block_time
         )
@@ -151,7 +134,7 @@ class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
     error = reason_mfa_failed
     msg: str
 
-    def __init__(self, username, request, ip, mfa_type=MFAType.OTP):
+    def __init__(self, username, request, ip):
         util = MFABlockUtils(username, ip)
         util.incr_failed_count()
 
@@ -159,18 +142,9 @@ class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
         block_time = settings.SECURITY_LOGIN_LIMIT_TIME
 
         if times_remainder:
-            if mfa_type == MFAType.OTP:
-                self.msg = otp_failed_msg.format(
-                    times_try=times_remainder, block_time=block_time
-                )
-            elif mfa_type == MFAType.SMS_CODE:
-                self.msg = sms_failed_msg.format(
-                    times_try=times_remainder, block_time=block_time
-                )
-            else:
-                self.msg = mfa_type_failed_msg.format(
-                    mfa_type=mfa_type, times_try=times_remainder, block_time=block_time
-                )
+            self.msg = mfa_failed_msg.format(
+                times_try=times_remainder, block_time=block_time
+            )
         else:
             self.msg = block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
         super().__init__(username=username, request=request)
@@ -228,16 +202,12 @@ class MFARequiredError(NeedMoreInfoError):
     msg = mfa_required_msg
     error = 'mfa_required'
 
-    def __init__(self, error='', msg='', mfa_types=tuple(MFAType)):
-        super().__init__(error=error, msg=msg)
-        self.choices = mfa_types
-
     def as_data(self):
         return {
             'error': self.error,
             'msg': self.msg,
             'data': {
-                'choices': self.choices,
+                'choices': ['code'],
                 'url': reverse('api-auth:mfa-challenge')
             }
         }
@@ -265,13 +235,6 @@ class LoginIPNotAllowed(ACLError):
         super().__init__(_("IP is not allowed"), **kwargs)
 
 
-class TimePeriodNotAllowed(ACLError):
-    def __init__(self, username, request, **kwargs):
-        self.username = username
-        self.request = request
-        super().__init__(_("Time Period is not allowed"), **kwargs)
-
-
 class LoginConfirmBaseError(NeedMoreInfoError):
     def __init__(self, ticket_id, **kwargs):
         self.ticket_id = ticket_id
@@ -352,39 +315,6 @@ class DingTalkNotBound(JMSException):
     default_detail = 'DingTalk is not bound'
 
 
-class FeiShuNotBound(JMSException):
-    default_code = 'feishu_not_bound'
-    default_detail = 'FeiShu is not bound'
-
-
 class PasswdInvalid(JMSException):
     default_code = 'passwd_invalid'
     default_detail = _('Your password is invalid')
-
-
-class NotHaveUpDownLoadPerm(JMSException):
-    status_code = status.HTTP_403_FORBIDDEN
-    code = 'not_have_up_down_load_perm'
-    default_detail = _('No upload or download permission')
-
-
-class NotEnableMFAError(JMSException):
-    default_detail = mfa_unset_msg
-
-
-class OTPBindRequiredError(JMSException):
-    default_detail = otp_unset_msg
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class OTPCodeRequiredError(AuthFailedError):
-    msg = _("Please enter MFA code")
-
-class SMSCodeRequiredError(AuthFailedError):
-    msg = _("Please enter SMS code")
-
-class UserPhoneNotSet(AuthFailedError):
-    msg = _('Phone not set')

apps/authentication/forms.py

@@ -43,8 +43,7 @@ class UserLoginForm(forms.Form):
 
 
 class UserCheckOtpCodeForm(forms.Form):
-    code = forms.CharField(label=_('MFA Code'), max_length=6, required=False)
-    mfa_type = forms.CharField(label=_('MFA type'), max_length=6)
+    otp_code = forms.CharField(label=_('MFA code'), max_length=6)
 
 
 class CustomCaptchaTextInput(CaptchaTextInput):
@@ -59,7 +58,7 @@ class ChallengeMixin(forms.Form):
     challenge = forms.CharField(
         label=_('MFA code'), max_length=6, required=False,
         widget=forms.TextInput(attrs={
-            'placeholder': _("Dynamic code"),
+            'placeholder': _("MFA code"),
             'style': 'width: 50%'
         })
     )
@@ -67,11 +66,9 @@ class ChallengeMixin(forms.Form):
 
 def get_user_login_form_cls(*, captcha=False):
     bases = []
+    if settings.SECURITY_LOGIN_CAPTCHA_ENABLED and captcha:
+        bases.append(CaptchaMixin)
     if settings.SECURITY_LOGIN_CHALLENGE_ENABLED:
         bases.append(ChallengeMixin)
-    elif settings.SECURITY_MFA_IN_LOGIN_PAGE:
-        bases.append(UserCheckOtpCodeForm)
-    elif settings.SECURITY_LOGIN_CAPTCHA_ENABLED and captcha:
-        bases.append(CaptchaMixin)
     bases.append(UserLoginForm)
     return type('UserLoginForm', tuple(bases), {})

apps/authentication/middleware.py

@@ -1,14 +0,0 @@
-from django.shortcuts import redirect
-
-
-class MFAMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        response = self.get_response(request)
-        if request.path.find('/auth/login/otp/') > -1:
-            return response
-        if request.session.get('auth_mfa_required'):
-            return redirect('authentication:login-otp')
-        return response

apps/authentication/migrations/0005_delete_loginconfirmsetting.py

@@ -1,16 +0,0 @@
-# Generated by Django 3.1.12 on 2021-09-26 11:13
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('authentication', '0004_ssotoken'),
-    ]
-
-    operations = [
-        migrations.DeleteModel(
-            name='LoginConfirmSetting',
-        ),
-    ]

apps/authentication/mixins.py

@@ -1,13 +1,12 @@
 # -*- coding: utf-8 -*-
 #
 import inspect
-from django.utils.http import urlencode
+from urllib.parse import urlencode
 from functools import partial
 import time
 
 from django.core.cache import cache
 from django.conf import settings
-from django.urls import reverse_lazy
 from django.contrib import auth
 from django.utils.translation import ugettext as _
 from django.contrib.auth import (
@@ -17,13 +16,12 @@ from django.contrib.auth import (
 from django.shortcuts import reverse, redirect
 
 from common.utils import get_object_or_none, get_request_ip, get_logger, bulk_get, FlashMessageUtil
-from acls.models import LoginACL
-from users.models import User, MFAType
+from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils
 from . import errors
-from .utils import rsa_decrypt, gen_key_pair
+from .utils import rsa_decrypt
 from .signals import post_auth_success, post_auth_failed
-from .const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
+from .const import RSA_PRIVATE_KEY
 
 logger = get_logger(__name__)
 
@@ -31,8 +29,8 @@ logger = get_logger(__name__)
 def check_backend_can_auth(username, backend_path, allowed_auth_backends):
     if allowed_auth_backends is not None and backend_path not in allowed_auth_backends:
         logger.debug('Skip user auth backend: {}, {} not in'.format(
-            username, backend_path, ','.join(allowed_auth_backends)
-        )
+                username, backend_path, ','.join(allowed_auth_backends)
+            )
         )
         return False
     return True
@@ -81,70 +79,7 @@ def authenticate(request=None, **credentials):
 auth.authenticate = authenticate
 
 
-class PasswordEncryptionViewMixin:
-    request = None
-
-    def get_decrypted_password(self, password=None, username=None):
-        request = self.request
-        if hasattr(request, 'data'):
-            data = request.data
-        else:
-            data = request.POST
-
-        username = username or data.get('username')
-        password = password or data.get('password')
-
-        password = self.decrypt_passwd(password)
-        if not password:
-            self.raise_password_decrypt_failed(username=username)
-        return password
-
-    def raise_password_decrypt_failed(self, username):
-        ip = self.get_request_ip()
-        raise errors.CredentialError(
-            error=errors.reason_password_decrypt_failed,
-            username=username, ip=ip, request=self.request
-        )
-
-    def decrypt_passwd(self, raw_passwd):
-        # 获取解密密钥，对密码进行解密
-        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
-        if rsa_private_key is not None:
-            try:
-                return rsa_decrypt(raw_passwd, rsa_private_key)
-            except Exception as e:
-                logger.error(e, exc_info=True)
-                logger.error(
-                    f'Decrypt password failed: password[{raw_passwd}] '
-                    f'rsa_private_key[{rsa_private_key}]'
-                )
-                return None
-        return raw_passwd
-
-    def get_request_ip(self):
-        ip = ''
-        if hasattr(self.request, 'data'):
-            ip = self.request.data.get('remote_addr', '')
-        ip = ip or get_request_ip(self.request)
-        return ip
-
-    def get_context_data(self, **kwargs):
-        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
-        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
-        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
-        if not all((rsa_private_key, rsa_public_key)):
-            rsa_private_key, rsa_public_key = gen_key_pair()
-            rsa_public_key = rsa_public_key.replace('\n', '\\n')
-            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
-            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
-
-        kwargs.update({
-            'rsa_public_key': rsa_public_key,
-        })
-        return super().get_context_data(**kwargs)
-
-
-class AuthMixin(PasswordEncryptionViewMixin):
+class AuthMixin:
     request = None
     partial_credential_error = None
 
@@ -171,6 +106,13 @@ class AuthMixin(PasswordEncryptionViewMixin):
         user.backend = self.request.session.get("auth_backend")
         return user
 
+    def get_request_ip(self):
+        ip = ''
+        if hasattr(self.request, 'data'):
+            ip = self.request.data.get('remote_addr', '')
+        ip = ip or get_request_ip(self.request)
+        return ip
+
     def _check_is_block(self, username, raise_exception=True):
         ip = self.get_request_ip()
         if LoginBlockUtil(username, ip).is_block():
@@ -188,14 +130,24 @@ class AuthMixin(PasswordEncryptionViewMixin):
             username = self.request.POST.get("username")
         self._check_is_block(username, raise_exception)
 
+    def decrypt_passwd(self, raw_passwd):
+        # 获取解密密钥，对密码进行解密
+        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
+        if rsa_private_key is not None:
+            try:
+                return rsa_decrypt(raw_passwd, rsa_private_key)
+            except Exception as e:
+                logger.error(e, exc_info=True)
+                logger.error(f'Decrypt password failed: password[{raw_passwd}] '
+                             f'rsa_private_key[{rsa_private_key}]')
+                return None
+        return raw_passwd
+
     def raise_credential_error(self, error):
         raise self.partial_credential_error(error=error)
 
     def _set_partial_credential_error(self, username, ip, request):
-        self.partial_credential_error = partial(
-            errors.CredentialError, username=username,
-            ip=ip, request=request
-        )
+        self.partial_credential_error = partial(errors.CredentialError, username=username, ip=ip, request=request)
 
     def get_auth_data(self, decrypt_passwd=False):
         request = self.request
@@ -205,24 +157,24 @@ class AuthMixin(PasswordEncryptionViewMixin):
             data = request.POST
 
         items = ['username', 'password', 'challenge', 'public_key', 'auto_login']
-        username, password, challenge, public_key, auto_login = bulk_get(data, items, default='')
+        username, password, challenge, public_key, auto_login = bulk_get(data, *items,  default='')
+        password = password + challenge.strip()
         ip = self.get_request_ip()
         self._set_partial_credential_error(username=username, ip=ip, request=request)
 
         if decrypt_passwd:
-            password = self.get_decrypted_password()
-        password = password + challenge.strip()
+            password = self.decrypt_passwd(password)
+            if not password:
+                self.raise_credential_error(errors.reason_password_decrypt_failed)
         return username, password, public_key, ip, auto_login
 
     def _check_only_allow_exists_user_auth(self, username):
         # 仅允许预先存在的用户认证
-        if not settings.ONLY_ALLOW_EXIST_USER_AUTH:
-            return
-
-        exist = User.objects.filter(username=username).exists()
-        if not exist:
-            logger.error(f"Only allow exist user auth, login failed: {username}")
-            self.raise_credential_error(errors.reason_user_not_exist)
+        if settings.ONLY_ALLOW_EXIST_USER_AUTH:
+            exist = User.objects.filter(username=username).exists()
+            if not exist:
+                logger.error(f"Only allow exist user auth, login failed: {username}")
+                self.raise_credential_error(errors.reason_user_not_exist)
 
     def _check_auth_user_is_valid(self, username, password, public_key):
         user = authenticate(self.request, username=username, password=password, public_key=public_key)
@@ -234,30 +186,12 @@ class AuthMixin(PasswordEncryptionViewMixin):
             self.raise_credential_error(errors.reason_user_inactive)
         return user
 
-    def _check_login_mfa_login_if_need(self, user):
-        request = self.request
-        if hasattr(request, 'data'):
-            data = request.data
-        else:
-            data = request.POST
-        code = data.get('code')
-        mfa_type = data.get('mfa_type')
-        if settings.SECURITY_MFA_IN_LOGIN_PAGE and mfa_type:
-            if not code:
-                if mfa_type ==  MFAType.OTP and bool(user.otp_secret_key):
-                    raise errors.OTPCodeRequiredError
-                elif mfa_type ==  MFAType.SMS_CODE:
-                    raise errors.SMSCodeRequiredError
-            self.check_user_mfa(code, mfa_type, user=user)
-
     def _check_login_acl(self, user, ip):
         # ACL 限制用户登录
-        is_allowed, limit_type = LoginACL.allow_user_to_login(user, ip)
+        from acls.models import LoginACL
+        is_allowed = LoginACL.allow_user_to_login(user, ip)
         if not is_allowed:
-            if limit_type == 'ip':
-                raise errors.LoginIPNotAllowed(username=user.username, request=self.request)
-            elif limit_type == 'time':
-                raise errors.TimePeriodNotAllowed(username=user.username, request=self.request)
+            raise errors.LoginIPNotAllowed(username=user.username, request=self.request)
 
     def set_login_failed_mark(self):
         ip = self.get_request_ip()
@@ -276,7 +210,8 @@ class AuthMixin(PasswordEncryptionViewMixin):
 
     def check_user_auth(self, decrypt_passwd=False):
         self.check_is_block()
-        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd)
+        request = self.request
+        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd=decrypt_passwd)
 
         self._check_only_allow_exists_user_auth(username)
         user = self._check_auth_user_is_valid(username, password, public_key)
@@ -286,11 +221,7 @@ class AuthMixin(PasswordEncryptionViewMixin):
         self._check_passwd_is_too_simple(user, password)
         self._check_passwd_need_update(user)
 
-        # 校验login-mfa, 如果登录页面上显示 mfa 的话
-        self._check_login_mfa_login_if_need(user)
-
         LoginBlockUtil(username, ip).clean_failed_count()
-        request = self.request
         request.session['auth_password'] = 1
         request.session['user_id'] = str(user.id)
         request.session['auto_login'] = auto_login
@@ -312,6 +243,7 @@ class AuthMixin(PasswordEncryptionViewMixin):
         elif not user.is_active:
             self.raise_credential_error(errors.reason_user_inactive)
 
+        self._check_is_local_user(user)
         self._check_is_block(user.username)
         self._check_login_acl(user, ip)
 
@@ -372,55 +304,32 @@ class AuthMixin(PasswordEncryptionViewMixin):
     def check_user_mfa_if_need(self, user):
         if self.request.session.get('auth_mfa'):
             return
-        if settings.OTP_IN_RADIUS:
-            return
         if not user.mfa_enabled:
             return
-
         unset, url = user.mfa_enabled_but_not_set()
         if unset:
             raise errors.MFAUnsetError(user, self.request, url)
-        raise errors.MFARequiredError(mfa_types=user.get_supported_mfa_types())
+        raise errors.MFARequiredError()
 
-    def mark_mfa_ok(self, mfa_type=MFAType.OTP):
+    def mark_mfa_ok(self):
         self.request.session['auth_mfa'] = 1
         self.request.session['auth_mfa_time'] = time.time()
-        self.request.session['auth_mfa_required'] = ''
-        self.request.session['auth_mfa_type'] = mfa_type
-
-    def clean_mfa_mark(self):
-        self.request.session['auth_mfa'] = ''
-        self.request.session['auth_mfa_time'] = ''
-        self.request.session['auth_mfa_required'] = ''
-        self.request.session['auth_mfa_type'] = ''
+        self.request.session['auth_mfa_type'] = 'otp'
 
     def check_mfa_is_block(self, username, ip, raise_exception=True):
-        blocked = MFABlockUtils(username, ip).is_block()
-        if not blocked:
-            return
-        logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
-        exception = errors.BlockMFAError(username=username, request=self.request, ip=ip)
-        if raise_exception:
-            raise exception
-        else:
-            return exception
-
-    def check_user_mfa(self, code, mfa_type=MFAType.OTP, user=None):
-        user = user if user else self.get_user_from_session()
-        if not user.mfa_enabled:
-            return
-
-        if not bool(user.phone) and mfa_type == MFAType.SMS_CODE:
-            raise errors.UserPhoneNotSet
-
-        if not bool(user.otp_secret_key) and mfa_type == MFAType.OTP:
-            self.set_passwd_verify_on_session(user)
-            raise errors.OTPBindRequiredError(reverse_lazy('authentication:user-otp-enable-bind'))
+        if MFABlockUtils(username, ip).is_block():
+            logger.warn('Ip was blocked' + ': ' + username + ':' + ip)
+            exception = errors.BlockMFAError(username=username, request=self.request, ip=ip)
+            if raise_exception:
+                raise exception
+            else:
+                return exception
 
+    def check_user_mfa(self, code):
+        user = self.get_user_from_session()
         ip = self.get_request_ip()
         self.check_mfa_is_block(user.username, ip)
-        ok = user.check_mfa(code, mfa_type=mfa_type)
-
+        ok = user.check_mfa(code)
         if ok:
             self.mark_mfa_ok()
             return
@@ -428,7 +337,7 @@ class AuthMixin(PasswordEncryptionViewMixin):
         raise errors.MFAFailedError(
             username=user.username,
             request=self.request,
-            ip=ip, mfa_type=mfa_type,
+            ip=ip
         )
 
     def get_ticket(self):
@@ -454,18 +363,16 @@ class AuthMixin(PasswordEncryptionViewMixin):
             raise errors.LoginConfirmOtherError('', "Not found")
         if ticket.status_open:
             raise errors.LoginConfirmWaitError(ticket.id)
-        elif ticket.state_approve:
+        elif ticket.action_approve:
             self.request.session["auth_confirm"] = "1"
             return
-        elif ticket.state_reject:
-            self.clean_mfa_mark()
+        elif ticket.action_reject:
             raise errors.LoginConfirmOtherError(
-                ticket.id, ticket.get_state_display()
+                ticket.id, ticket.get_action_display()
             )
-        elif ticket.state_close:
-            self.clean_mfa_mark()
+        elif ticket.action_close:
             raise errors.LoginConfirmOtherError(
-                ticket.id, ticket.get_state_display()
+                ticket.id, ticket.get_action_display()
             )
         else:
             raise errors.LoginConfirmOtherError(
@@ -473,9 +380,10 @@ class AuthMixin(PasswordEncryptionViewMixin):
             )
 
     def check_user_login_confirm_if_need(self, user):
-        ip = self.get_request_ip()
-        is_allowed, confirm_setting = LoginACL.allow_user_confirm_if_need(user, ip)
-        if self.request.session.get('auth_confirm') or not is_allowed:
+        if not settings.LOGIN_CONFIRM_ENABLE:
+            return
+        confirm_setting = user.get_login_confirm_setting()
+        if self.request.session.get('auth_confirm') or not confirm_setting:
             return
         self.get_ticket_or_create(confirm_setting)
         self.check_user_login_confirm()
@@ -483,6 +391,7 @@ class AuthMixin(PasswordEncryptionViewMixin):
     def clear_auth_mark(self):
         self.request.session['auth_password'] = ''
         self.request.session['auth_user_id'] = ''
+        self.request.session['auth_mfa'] = ''
         self.request.session['auth_confirm'] = ''
         self.request.session['auth_ticket_id'] = ''
 
@@ -503,31 +412,3 @@ class AuthMixin(PasswordEncryptionViewMixin):
         if args:
             guard_url = "%s?%s" % (guard_url, args)
         return redirect(guard_url)
-
-    @staticmethod
-    def get_user_mfa_methods(user=None):
-        otp_enabled = user.otp_secret_key if user else True
-        # 没有用户时，或者有用户并且有电话配置
-        sms_enabled = any([user and user.phone, not user]) \
-            and settings.SMS_ENABLED and settings.XPACK_ENABLED
-
-        methods = [
-            {
-                'name': 'otp',
-                'label': 'MFA',
-                'enable': otp_enabled,
-                'selected': False,
-            },
-            {
-                'name': 'sms',
-                'label': _('SMS'),
-                'enable': sms_enabled,
-                'selected': False,
-            },
-        ]
-
-        for item in methods:
-            if item['enable']:
-                item['selected'] = True
-                break
-        return methods

apps/authentication/models.py

@@ -1,10 +1,13 @@
 import uuid
 
-from django.utils.translation import ugettext_lazy as _
+from django.utils import timezone
+from django.utils.translation import ugettext_lazy as _, ugettext as __
 from rest_framework.authtoken.models import Token
 from django.conf import settings
 
 from common.db import models
+from common.mixins.models import CommonModelMixin
+from common.utils import get_object_or_none, get_request_ip, get_ip_city
 
 
 class AccessKey(models.Model):
@@ -37,6 +40,53 @@ class PrivateToken(Token):
         verbose_name = _('Private Token')
 
 
+class LoginConfirmSetting(CommonModelMixin):
+    user = models.OneToOneField('users.User', on_delete=models.CASCADE, verbose_name=_("User"), related_name="login_confirm_setting")
+    reviewers = models.ManyToManyField('users.User', verbose_name=_("Reviewers"), related_name="review_login_confirm_settings", blank=True)
+    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
+
+    @classmethod
+    def get_user_confirm_setting(cls, user):
+        return get_object_or_none(cls, user=user)
+
+    @staticmethod
+    def construct_confirm_ticket_meta(request=None):
+        if request:
+            login_ip = get_request_ip(request)
+        else:
+            login_ip = ''
+        login_ip = login_ip or '0.0.0.0'
+        login_city = get_ip_city(login_ip)
+        login_datetime = timezone.now().strftime('%Y-%m-%d %H:%M:%S')
+        ticket_meta = {
+            'apply_login_ip': login_ip,
+            'apply_login_city': login_city,
+            'apply_login_datetime': login_datetime,
+        }
+        return ticket_meta
+
+    def create_confirm_ticket(self, request=None):
+        from tickets import const
+        from tickets.models import Ticket
+        from orgs.models import Organization
+        ticket_title = _('Login confirm') + ' {}'.format(self.user)
+        ticket_meta = self.construct_confirm_ticket_meta(request)
+        ticket_assignees = self.reviewers.all()
+        data = {
+            'title': ticket_title,
+            'type': const.TicketTypeChoices.login_confirm.value,
+            'meta': ticket_meta,
+            'org_id': Organization.ROOT_ID,
+        }
+        ticket = Ticket.objects.create(**data)
+        ticket.assignees.set(ticket_assignees)
+        ticket.open(self.user)
+        return ticket
+
+    def __str__(self):
+        return '{} confirm'.format(self.user.username)
+
+
 class SSOToken(models.JMSBaseModel):
     """
     类似腾讯企业邮的 [单点登录](https://exmail.qq.com/qy_mng_logic/doc#10036)

apps/authentication/notifications.py

@@ -1,41 +0,0 @@
-from django.utils import timezone
-from django.utils.translation import ugettext as _
-from django.template.loader import render_to_string
-
-from notifications.notifications import UserMessage
-from common.utils import get_logger
-
-logger = get_logger(__file__)
-
-
-class DifferentCityLoginMessage(UserMessage):
-    def __init__(self, user, ip, city):
-        self.ip = ip
-        self.city = city
-        super().__init__(user)
-
-    def get_html_msg(self) -> dict:
-        now_local = timezone.localtime(timezone.now())
-        now = now_local.strftime("%Y-%m-%d %H:%M:%S")
-        subject = _('Different city login reminder')
-        context = dict(
-            subject=subject,
-            name=self.user.name,
-            username=self.user.username,
-            ip=self.ip,
-            time=now,
-            city=self.city,
-        )
-        message = render_to_string('authentication/_msg_different_city.html', context)
-        return {
-            'subject': subject,
-            'message': message
-        }
-
-    @classmethod
-    def gen_test_msg(cls):
-        from users.models import User
-        user = User.objects.first()
-        ip = '8.8.8.8'
-        city = '洛杉矶'
-        return cls(user, ip, city)

apps/authentication/serializers.py

@@ -10,13 +10,14 @@ from applications.models import Application
 from users.serializers import UserProfileSerializer
 from assets.serializers import ProtocolsField
 from perms.serializers.asset.permission import ActionsField
-from .models import AccessKey
+from .models import AccessKey, LoginConfirmSetting
+
 
 __all__ = [
     'AccessKeySerializer', 'OtpVerifySerializer', 'BearerTokenSerializer',
-    'MFAChallengeSerializer', 'SSOTokenSerializer',
-    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
-    'PasswordVerifySerializer', 'MFASelectTypeSerializer',
+    'MFAChallengeSerializer', 'LoginConfirmSettingSerializer', 'SSOTokenSerializer',
+    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer', 'RDPFileSerializer',
+    'PasswordVerifySerializer',
 ]
 
 
@@ -76,10 +77,6 @@ class BearerTokenSerializer(serializers.Serializer):
         return instance
 
 
-class MFASelectTypeSerializer(serializers.Serializer):
-    type = serializers.CharField()
-
-
 class MFAChallengeSerializer(serializers.Serializer):
     type = serializers.CharField(write_only=True, required=False, allow_blank=True)
     code = serializers.CharField(write_only=True)
@@ -91,6 +88,13 @@ class MFAChallengeSerializer(serializers.Serializer):
         pass
 
 
+class LoginConfirmSettingSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = LoginConfirmSetting
+        fields = ['id', 'user', 'reviewers', 'date_created', 'date_updated']
+        read_only_fields = ['date_created', 'date_updated']
+
+
 class SSOTokenSerializer(serializers.Serializer):
     username = serializers.CharField(write_only=True)
     login_url = serializers.CharField(read_only=True)
@@ -162,7 +166,7 @@ class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
 class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
     class Meta:
         model = SystemUser
-        fields = ['id', 'name', 'username', 'password', 'private_key', 'ad_domain']
+        fields = ['id', 'name', 'username', 'password', 'private_key']
 
 
 class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
@@ -193,3 +197,8 @@ class ConnectionTokenSecretSerializer(serializers.Serializer):
     gateway = ConnectionTokenGatewaySerializer(read_only=True)
     actions = ActionsField()
     expired_at = serializers.IntegerField()
+
+
+class RDPFileSerializer(ConnectionTokenSerializer):
+    width = serializers.IntegerField(allow_null=True, max_value=3112, min_value=100, required=False)
+    height = serializers.IntegerField(allow_null=True, max_value=4096, min_value=100, required=False)

apps/authentication/signals_handlers.py

@@ -13,11 +13,6 @@ from .signals import post_auth_success, post_auth_failed
 
 @receiver(user_logged_in)
 def on_user_auth_login_success(sender, user, request, **kwargs):
-    # 开启了 MFA，且没有校验过
-
-    if user.mfa_enabled and not settings.OTP_IN_RADIUS and not request.session.get('auth_mfa'):
-        request.session['auth_mfa_required'] = 1
-
     if settings.USER_LOGIN_SINGLE_MACHINE_ENABLED:
         user_id = 'single_machine_login_' + str(user.id)
         session_key = cache.get(user_id)

apps/authentication/sms_verify_code.py

@@ -1,98 +0,0 @@
-import random
-
-from django.core.cache import cache
-from django.utils.translation import gettext_lazy as _
-
-from common.sdk.sms import SMS
-from common.utils import get_logger
-from common.exceptions import JMSException
-
-logger = get_logger(__file__)
-
-
-class CodeExpired(JMSException):
-    default_code = 'verify_code_expired'
-    default_detail = _('The verification code has expired. Please resend it')
-
-
-class CodeError(JMSException):
-    default_code = 'verify_code_error'
-    default_detail = _('The verification code is incorrect')
-
-
-class CodeSendTooFrequently(JMSException):
-    default_code = 'code_send_too_frequently'
-    default_detail = _('Please wait {} seconds before sending')
-
-    def __init__(self, ttl):
-        super().__init__(detail=self.default_detail.format(ttl))
-
-
-class VerifyCodeUtil:
-    KEY_TMPL = 'auth-verify_code-{}'
-    TIMEOUT = 60
-
-    def __init__(self, account, key_suffix=None, timeout=None):
-        self.account = account
-        self.key_suffix = key_suffix
-        self.code = ''
-
-        if key_suffix is not None:
-            self.key = self.KEY_TMPL.format(key_suffix)
-        else:
-            self.key = self.KEY_TMPL.format(account)
-        self.timeout = self.TIMEOUT if timeout is None else timeout
-
-    def touch(self):
-        """
-        生成，保存，发送
-        """
-        ttl = self.ttl()
-        if ttl > 0:
-            raise CodeSendTooFrequently(ttl)
-        try:
-            self.generate()
-            self.save()
-            self.send()
-        except JMSException:
-            self.clear()
-            raise
-
-    def generate(self):
-        code = ''.join(random.sample('0123456789', 4))
-        self.code = code
-        return code
-
-    def clear(self):
-        cache.delete(self.key)
-
-    def save(self):
-        cache.set(self.key, self.code, self.timeout)
-
-    def send(self):
-        """
-        发送信息的方法，如果有错误直接抛出 api 异常
-        """
-        account = self.account
-        code = self.code
-
-        sms = SMS()
-        sms.send_verify_code(account, code)
-        logger.info(f'Send sms verify code: account={account} code={code}')
-
-    def verify(self, code):
-        right = cache.get(self.key)
-        if not right:
-            raise CodeExpired
-
-        if right != code:
-            raise CodeError
-
-        self.clear()
-        return True
-
-    def ttl(self):
-        return cache.ttl(self.key)
-
-    def get_code(self):
-        return cache.get(self.key)

apps/authentication/templates/authentication/_captcha_field.html

@@ -5,9 +5,9 @@
         <div class="col-sm-6">
             <div class="input-group-prepend">
                 {% if audio %}
-                    <a title="{% trans "Play CAPTCHA as audio file" %}" href="{{ audio }}"></a>
+                    <a title="{% trans "Play CAPTCHA as audio file" %}" href="{{ audio }}">
                 {% endif %}
-                </div>
+            </div>
             {% include "django/forms/widgets/multiwidget.html" %}
          </div>
     </div>

apps/authentication/templates/authentication/_msg_different_city.html

@@ -1,16 +0,0 @@
-{% load i18n %}
-<p>
-    {% trans 'Hello' %} {{ name }},
-</p>
-<p>
-    {% trans 'Your account has remote login behavior, please pay attention' %}
-</p>
-<p>
-    <b>{% trans 'Username' %}:</b> {{ username }}<br>
-    <b>{% trans 'Login time' %}:</b> {{ time }}<br>
-    <b>{% trans 'Login city' %}:</b> {{ city }}({{ ip }})
-</p>
-
-<p>
-    {% trans 'If you suspect that the login behavior is abnormal, please modify the account password in time.' %}
-</p>

apps/authentication/templates/authentication/_msg_reset_password.html

@@ -1,19 +0,0 @@
-{% load i18n %}
-<p>
-    {% trans 'Hello' %} {{ user.name }},
-</p>
-<p>
-    {% trans 'Please click the link below to reset your password, if not your request, concern your account security' %}
-    <br>
-    <br>
-    <a href="{{ rest_password_url }}?token={{ rest_password_token}}" class='showLink' target="_blank">
-        {% trans 'Click here reset password' %}
-    </a>
-</p>
-
-<p>
-    {% trans 'This link is valid for 1 hour. After it expires' %}
-    <a href="{{ forget_password_url }}?email={{ user.email }}">
-        {% trans 'request new one' %}
-    </a>
-</p>

apps/authentication/templates/authentication/_msg_rest_password_success.html

@@ -1,14 +0,0 @@
-{% load i18n %}
-<p>{% trans 'Hello' %} {{ name }},</p>
-
-<p>
-    {% trans 'Your password has just been successfully updated' %}
-</p>
-<p>
-    <b>{% trans 'IP' %}:</b> {{ ip_address }} <br />
-    <b>{% trans 'Browser' %}:</b> {{ browser }}
-</p>
-<p>
-    {% trans 'If the password update was not initiated by you, your account may have security issues' %} <br />
-    {% trans 'If you have any questions, you can contact the administrator' %}
-</p>