github/jumpserver
1
0
Fork 0
mirror of https://github.com/jumpserver/jumpserver.git synced 2025-05-02 05:13:21 +00:00
Code Issues Projects Releases Wiki Activity
dev
jumpserver/apps/rbac/permissions.py
fit2bot 3f4141ca0b
merge: with pam () 
* perf: change i18n

* perf: pam

* perf: change translate

* perf: add check account

* perf: add date field

* perf: add account filter

* perf: remove some js

* perf: add account status action

* perf: update pam

* perf: 修改 discover account

* perf: update filter

* perf: update gathered account

* perf: 修改账号同步

* perf: squash migrations

* perf: update pam

* perf: change i18n

* perf: update account risk

* perf: 更新风险发现

* perf: remove css

* perf: Admin connection token

* perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks

* perf: Modify account migration files

* perf: update pam

* perf: remove to check account dir

* perf: Admin connection token

* perf: update check account

* perf: 优化发送结果

* perf: update pam

* perf: update bulk update create

* perf: prepaire using thread timer for bulk_create_decorator

* perf: update bulk create decorator

* perf: 优化 playbook manager

* perf: 优化收集账号的报表

* perf: Update poetry

* perf: Update Dockerfile with new base image tag

* fix: Account migrate 0012 file

* perf: 修改备份

* perf: update pam

* fix: Expand resource_type filter to include raw type

* feat: PAM Service ()

* feat: PAM Service

* perf: import package name

---------

Co-authored-by: jiangweidong <1053570670@qq.com>

* perf: Change secret dashboard ()

Co-authored-by: feng <1304903146@qq.com>

* perf: update migrations

* perf: 修改支持 pam

* perf: Change secret record table dashboard

* perf: update status

* fix: Automation send report

* perf: Change secret report

* feat: windows accounts gather

* perf: update change status

* perf: Account backup

* perf: Account backup report

* perf: Account migrate

* perf: update service to application

* perf: update migrations

* perf: update logo

* feat: oracle accounts gather ()

* feat: oracle accounts gather

* feat: sqlserver accounts gather

* feat: postgresql accounts gather

* feat: mysql accounts gather

---------

Co-authored-by: wangruidong <940853815@qq.com>

* feat: mongodb accounts gather

* perf: Change secret

* perf: Migrate

* perf: Merge conflicting migration files

* perf: Change secret

* perf: Automation filter org

* perf: Account push

* perf: Random secret string

* perf: Enhance SQL query and update risk handling in accounts

* perf: Ticket filter assignee_id

* perf: 修改 account remote

* perf: 修改一些 adhoc 任务

* perf: Change secret

* perf: Remove push account extra api

* perf: update status

* perf: The entire organization can view activity log

* fix: risk field check

* perf: add account details api

* perf: add demo mode

* perf: Delete gather_account

* perf: Perfect solution to account version problem

* perf: Update status action to handle multiple accounts

* perf: Add GatherAccountDetailField and update serializers

* perf: Display account history in combination with password change records

* perf: Lina translate

* fix: Update mysql_filter to handle nested user info

* perf: Admin connection token validate_permission account

* perf: copy move account

* perf: account filter risk

* perf: account risk filter

* perf: Copy move account failed message

* fix: gather account sync account to asset

* perf: Pam dashboard

* perf: Account dashboard total accounts

* perf: Pam dashboard

* perf: Change secret filter account secret_reset

* perf: 修改 risk filter

* perf: pam translate

* feat: Check for leaked duplicate passwords. ()

* feat: Check for leaked duplicate passwords.

* perf: Use SQLite instead of txt as leak password database

---------

Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: 老广 <ibuler@qq.com>

* perf: merge with remote

* perf: Add risk change_password_add handle

* perf: Pam dashboard

* perf: check account manager import

* perf: 重构扫描

* perf: 修改 db

* perf: Gather account manager

* perf: update change db lib

* perf: dashboard

* perf: Account gather

* perf: 修改 asset get queryset

* perf: automation report

* perf: Pam account

* perf: Pam dashboard api

* perf: risk add account

* perf: 修改 risk check

* perf: Risk account

* perf: update risk add reopen action

* perf: add pylintrc

* Revert "perf: automation report"

This reverts commit 22aee54207.

* perf: check account engine

* perf: Perf: Optimism Gather Report Style

* Perf: Remove unuser actions

* Perf: Perf push account

* perf: perf gather account

* perf: Automation report

* perf: Push account recorder

* perf: Push account record

* perf: Pam dashboard

* perf: perf

* perf: update intergration

* perf: integrations application detail add account tab page

* feat: Custom change password supports configuration of interactive items

* perf: Go and Python demo code

* perf: Custom secret change

* perf: add user filter

* perf: translate

* perf: Add demo code docs

* perf: update some i18n

* perf: update some i18n

* perf: Add Java, Node, Go, and cURL demo code

* perf: Translate

* perf: Change secret translate

* perf: Translate

* perf: update some i18n

* perf: translate

* perf: Ansible playbook

* perf: update some choice

* perf: update some choice

* perf: update account serializer remote unused code

* perf: conflict

* perf: update import

---------

Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng <1304903146@qq.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
Co-authored-by: zhaojisen <1301338853@qq.com>
2025-02-21 16:39:57 +08:00

147 lines
5.2 KiB
Python
Raw Permalink Blame History

from rest_framework import permissions, exceptions
from common.utils import get_logger
logger = get_logger(__name__)
class RBACPermission(permissions.DjangoModelPermissions):
default_rbac_perms_tmpl = (
('list', '%(app_label)s.view_%(model_name)s'),
('retrieve', '%(app_label)s.view_%(model_name)s'),
('create', '%(app_label)s.add_%(model_name)s'),
('update', '%(app_label)s.change_%(model_name)s'),
('partial_update', '%(app_label)s.change_%(model_name)s'),
('destroy', '%(app_label)s.delete_%(model_name)s'),
('bulk_update', '%(app_label)s.change_%(model_name)s'),
('partial_bulk_update', '%(app_label)s.change_%(model_name)s'),
('bulk_destroy', '%(app_label)s.delete_%(model_name)s'),
('render_to_json', '*'),
('metadata', '*'),
('GET', '%(app_label)s.view_%(model_name)s'),
('OPTIONS', '*'),
('HEAD', '%(app_label)s.view_%(model_name)s'),
('POST', '%(app_label)s.add_%(model_name)s'),
('PUT', '%(app_label)s.change_%(model_name)s'),
('PATCH', '%(app_label)s.change_%(model_name)s'),
('DELETE', '%(app_label)s.delete_%(model_name)s'),
)
# rbac_perms = ((), ())
# def get_rbac_perms():
# return {}
@staticmethod
def format_perms(perms_tmpl, model_cls):
perms = set()
if not perms_tmpl:
return perms
if isinstance(perms_tmpl, str):
perms_tmpl = [perms_tmpl]
for perm_tmpl in perms_tmpl:
perm = perm_tmpl % {
'app_label': model_cls._meta.app_label,
'model_name': model_cls._meta.model_name
}
perms.add(perm)
return perms
@classmethod
def parse_action_model_perms(cls, action, model_cls):
perm_tmpl = dict(cls.default_rbac_perms_tmpl).get(action)
return cls.format_perms(perm_tmpl, model_cls)
def get_default_action_perms(self, model_cls):
if model_cls is None or not hasattr(model_cls, '_meta'):
return {}
perms = {}
for action, tmpl in dict(self.default_rbac_perms_tmpl).items():
perms[action] = self.format_perms(tmpl, model_cls)
return perms
def get_rbac_perms(self, view, model_cls) -> dict:
if hasattr(view, 'get_rbac_perms'):
return dict(view.get_rbac_perms())
perms = {}
if hasattr(view, 'rbac_perms'):
perms.update(dict(view.rbac_perms))
default_perms = self.get_default_action_perms(model_cls)
if '*' not in perms:
for k, v in default_perms.items():
perms.setdefault(k, v)
return perms
def _get_action_perms(self, action, model_cls, view):
action_perms_map = self.get_rbac_perms(view, model_cls)
if action in action_perms_map:
perms = action_perms_map[action]
elif '*' in action_perms_map:
perms = action_perms_map['*']
else:
msg = 'Action not allowed: {}, only `{}` supported'.format(
action, ','.join(list(action_perms_map.keys()))
)
logger.error(msg)
raise exceptions.PermissionDenied(msg)
return perms
def get_model_cls(self, view):
if hasattr(view, 'perm_model'):
return getattr(view, 'perm_model')
try:
queryset = self._queryset(view)
if isinstance(queryset, list) and queryset:
model_cls = queryset[0].__class__
else:
model_cls = queryset.model
except AssertionError as e:
# logger.error(f'Error get model cls: {e}')
model_cls = None
except AttributeError as e:
# logger.error(f'Error get model cls: {e}')
model_cls = None
except Exception as e:
# logger.error('Error get model class: {} of {}'.format(e, view))
raise e
return model_cls
def get_require_perms(self, request, view):
"""
获取 request, view 需要的 perms
:param request:
:param view:
:return:
"""
model_cls = self.get_model_cls(view)
action = getattr(view, 'action', None)
if not action:
action = request.method
perms = self._get_action_perms(action, model_cls, view)
return perms
def has_permission(self, request, view):
# Workaround to ensure DjangoModelPermissions are not applied
# to the root view when using DefaultRouter.
if getattr(view, '_ignore_rbac_permissions', False):
return True
if not request.user:
return False
if request.user.is_anonymous and self.authenticated_users_only:
return False
raw_action = getattr(view, 'raw_action', request.method)
if raw_action in ['metadata', 'OPTIONS']:
return True
perms = self.get_require_perms(request, view)
if isinstance(perms, str):
perms = [perms]
has = request.user.has_perms(perms)
logger.debug('Api require perms: {}, result: {}'.format(perms, has))
return has
def has_object_permission(self, request, view, obj):
return self.has_permission(request, view)
Reference in New Issue View Git Blame Copy Permalink