perf: Simplify login and MFA limit key templates by removing IP address

apps/accounts/serializers/account/account.py

@@ -341,10 +341,6 @@ class AssetAccountBulkSerializer(
 
     @staticmethod
     def _handle_update_create(vd, lookup):
-        ori = Account.objects.filter(**lookup).first()
-        if ori and ori.secret == vd.get('secret'):
-            return ori, False, 'skipped'
-
         instance, value = Account.objects.update_or_create(defaults=vd, **lookup)
         state = 'created' if value else 'updated'
         return instance, True, state

apps/jumpserver/api/dashboard.py

@@ -1,5 +1,6 @@
 from collections import defaultdict
 
+from django.core.cache import cache
 from django.db.models import Count, Max, F, CharField, Q
 from django.db.models.functions import Cast
 from django.http.response import JsonResponse
@@ -144,6 +145,7 @@ class DateTimeMixin:
 
 
 class DatesLoginMetricMixin:
+    days: int
     dates_list: list
     date_start_end: tuple
     command_type_queryset_list: list
@@ -155,6 +157,8 @@ class DatesLoginMetricMixin:
     operate_logs_queryset: OperateLog.objects
     password_change_logs_queryset: PasswordChangeLog.objects
 
+    CACHE_TIMEOUT = 60
+
     @lazyproperty
     def get_type_to_assets(self):
         result = Asset.objects.annotate(type=F('platform__type')). \
@@ -214,19 +218,34 @@ class DatesLoginMetricMixin:
         return date_metrics_dict.get('id', [])
 
     def get_dates_login_times_assets(self):
+        cache_key = f"stats:top10_assets:{self.days}"
+        data = cache.get(cache_key)
+        if data is not None:
+            return data
+
         assets = self.sessions_queryset.values("asset") \
             .annotate(total=Count("asset")) \
             .annotate(last=Cast(Max("date_start"), output_field=CharField())) \
             .order_by("-total")
-        return list(assets[:10])
+
+        result = list(assets[:10])
+        cache.set(cache_key, result, self.CACHE_TIMEOUT)
+        return result
 
     def get_dates_login_times_users(self):
+        cache_key = f"stats:top10_users:{self.days}"
+        data = cache.get(cache_key)
+        if data is not None:
+            return data
+
         users = self.sessions_queryset.values("user_id") \
             .annotate(total=Count("user_id")) \
             .annotate(user=Max('user')) \
             .annotate(last=Cast(Max("date_start"), output_field=CharField())) \
             .order_by("-total")
-        return list(users[:10])
+        result = list(users[:10])
+        cache.set(cache_key, result, self.CACHE_TIMEOUT)
+        return result
 
     def get_dates_login_record_sessions(self):
         sessions = self.sessions_queryset.order_by('-date_start')

apps/settings/tools/ping.py

@@ -12,6 +12,8 @@ from settings.utils import generate_ips
 
 # From /usr/include/linux/icmp.h; your milage may vary.
 ICMP_ECHO_REQUEST = 8  # Seems to be the same on Solaris.
+ICMPV6_ECHO_REQUEST = 128
+ICMPV6_ECHO_REPLY = 129
 
 
 def checksum(source_string):
@@ -41,7 +43,15 @@ def checksum(source_string):
     return answer
 
 
-def receive_one_ping(my_socket, id, timeout):
+def _get_icmp_header_offset(received_packet, family):
+    if family != socket.AF_INET6:
+        return 20
+    if received_packet and (received_packet[0] >> 4) == 6:
+        return 40
+    return 0
+
+
+def receive_one_ping(my_socket, id, timeout, family):
     """
     Receive the ping from the socket.
     """
@@ -55,11 +65,20 @@ def receive_one_ping(my_socket, id, timeout):
 
         time_received = time.time()
         received_packet, addr = my_socket.recvfrom(1024)
-        icmpHeader = received_packet[20:28]
+        header_offset = _get_icmp_header_offset(received_packet, family)
-        type, code, checksum, packet_id, sequence = struct.unpack("bbHHh", icmpHeader)
+        icmpHeader = received_packet[header_offset:header_offset + 8]
+        if len(icmpHeader) < 8:
+            continue
+        type, code, checksum, packet_id, sequence = struct.unpack("BBHHH", icmpHeader)
+        if family == socket.AF_INET6 and type != ICMPV6_ECHO_REPLY:
+            continue
         if packet_id == id:
             bytes = struct.calcsize("d")
-            time_sent = struct.unpack("d", received_packet[28: 28 + bytes])[0]
+            if len(received_packet) < header_offset + 8 + bytes:
+                continue
+            time_sent = struct.unpack(
+                "d", received_packet[header_offset + 8: header_offset + 8 + bytes]
+            )[0]
             return time_received - time_sent
 
         time_left -= how_long_in_select
@@ -67,11 +86,19 @@ def receive_one_ping(my_socket, id, timeout):
             return
 
 
-def send_one_ping(my_socket, dest_addr, id, psize):
+def send_one_ping(my_socket, dest_addr, id, psize, family):
     """
     Send one ping to the given >dest_addr<.
     """
-    dest_addr = socket.gethostbyname(dest_addr)
+    if family == socket.AF_INET6:
+        dest_addr = dest_addr
+        icmp_type = ICMPV6_ECHO_REQUEST
+    else:
+        if isinstance(dest_addr, tuple):
+            dest_addr = (dest_addr[0], 1)
+        else:
+            dest_addr = (socket.gethostbyname(dest_addr), 1)
+        icmp_type = ICMP_ECHO_REQUEST
 
     # Remove header size from packet size
     # psize = psize - 8
@@ -84,33 +111,45 @@ def send_one_ping(my_socket, dest_addr, id, psize):
     my_checksum = 0
 
     # Make a dummy heder with a 0 checksum.
-    header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, id, 1)
+    header = struct.pack("BBHHH", icmp_type, 0, my_checksum, id, 1)
     bytes = struct.calcsize("d")
     data = (psize - bytes) * b"Q"
     data = struct.pack("d", time.time()) + data
 
+    if family != socket.AF_INET6:
         # Calculate the checksum on the data and the dummy header.
         my_checksum = checksum(header + data)
 
     # Now that we have the right checksum, we put that in. It's just easier
     # to make up a new header than to stuff it into the dummy.
     header = struct.pack(
-        "bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), id, 1
+        "BBHHH", icmp_type, 0, socket.htons(my_checksum), id, 1
     )
     packet = header + data
-    my_socket.sendto(packet, (dest_addr, 1))  # Don't know about the 1
+    my_socket.sendto(packet, dest_addr)
+
+
+def resolve_dest_addr(dest_addr):
+    addrinfos = socket.getaddrinfo(
+        dest_addr, None, socket.AF_UNSPEC, socket.SOCK_DGRAM
+    )
+    family, _, _, _, sockaddr = addrinfos[0]
+    return family, sockaddr
 
 
 def ping(dest_addr, timeout, psize, flag=0):
     """
     Returns either the delay (in seconds) or none on timeout.
     """
-    icmp = socket.getprotobyname("icmp")
+    family, dest_sockaddr = resolve_dest_addr(dest_addr)
-    try:
+    if family == socket.AF_INET6:
-        if os.getuid() != 0:
+        icmp = socket.IPPROTO_ICMPV6
-            my_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, icmp)
+        sock_type = socket.SOCK_DGRAM
     else:
-            my_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, icmp)
+        icmp = socket.getprotobyname("icmp")
+        sock_type = socket.SOCK_DGRAM if os.getuid() != 0 else socket.SOCK_RAW
+    try:
+        my_socket = socket.socket(family, sock_type, icmp)
     except socket.error as e:
         if e.errno == 1:
             # Operation not permitted
@@ -122,8 +161,8 @@ def ping(dest_addr, timeout, psize, flag=0):
     flag &= 0x00FF
     my_id = process_pre | flag
 
-    send_one_ping(my_socket, dest_addr, my_id, psize)
+    send_one_ping(my_socket, dest_sockaddr, my_id, psize, family)
-    delay = receive_one_ping(my_socket, my_id, timeout)
+    delay = receive_one_ping(my_socket, my_id, timeout, family)
 
     my_socket.close()
     return delay

apps/tickets/handlers/apply_asset.py

@@ -18,6 +18,7 @@ class Handler(BaseHandler):
             self._create_asset_permission()
 
     def _create_asset_permission(self):
+        self.ticket.refresh_from_db()
         org_id = self.ticket.org_id
         with tmp_to_org(org_id):
             asset_permission = AssetPermission.objects.filter(id=self.ticket.id).first()

apps/users/utils.py

@@ -139,7 +139,7 @@ class BlockUtilBase:
         username = username.lower() if username else ''
         self.username = username
         self.ip = ip
-        self.limit_key = self.LIMIT_KEY_TMPL.format(username, ip)
+        self.limit_key = self.LIMIT_KEY_TMPL.format(username)
         self.block_key = self.BLOCK_KEY_TMPL.format(username)
         self.key_ttl = int(settings.SECURITY_LOGIN_LIMIT_TIME) * 60
 
@@ -236,12 +236,12 @@ class BlockGlobalIpUtilBase:
 
 
 class LoginBlockUtil(BlockUtilBase):
-    LIMIT_KEY_TMPL = "_LOGIN_LIMIT_{}_{}"
+    LIMIT_KEY_TMPL = "_LOGIN_LIMIT_{}"
     BLOCK_KEY_TMPL = "_LOGIN_BLOCK_{}"
 
 
 class MFABlockUtils(BlockUtilBase):
-    LIMIT_KEY_TMPL = "_MFA_LIMIT_{}_{}"
+    LIMIT_KEY_TMPL = "_MFA_LIMIT_{}"
     BLOCK_KEY_TMPL = "_MFA_BLOCK_{}"