mirror of
https://github.com/jumpserver/jumpserver.git
synced 2025-05-06 15:16:32 +00:00
3f4141ca0b
* perf: change i18n
* perf: pam
* perf: change translate
* perf: add check account
* perf: add date field
* perf: add account filter
* perf: remove some js
* perf: add account status action
* perf: update pam
* perf: 修改 discover account
* perf: update filter
* perf: update gathered account
* perf: 修改账号同步
* perf: squash migrations
* perf: update pam
* perf: change i18n
* perf: update account risk
* perf: 更新风险发现
* perf: remove css
* perf: Admin connection token
* perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks
* perf: Modify account migration files
* perf: update pam
* perf: remove to check account dir
* perf: Admin connection token
* perf: update check account
* perf: 优化发送结果
* perf: update pam
* perf: update bulk update create
* perf: prepaire using thread timer for bulk_create_decorator
* perf: update bulk create decorator
* perf: 优化 playbook manager
* perf: 优化收集账号的报表
* perf: Update poetry
* perf: Update Dockerfile with new base image tag
* fix: Account migrate 0012 file
* perf: 修改备份
* perf: update pam
* fix: Expand resource_type filter to include raw type
* feat: PAM Service (#14552)
* feat: PAM Service
* perf: import package name
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
* perf: Change secret dashboard (#14551)
Co-authored-by: feng <1304903146@qq.com>
* perf: update migrations
* perf: 修改支持 pam
* perf: Change secret record table dashboard
* perf: update status
* fix: Automation send report
* perf: Change secret report
* feat: windows accounts gather
* perf: update change status
* perf: Account backup
* perf: Account backup report
* perf: Account migrate
* perf: update service to application
* perf: update migrations
* perf: update logo
* feat: oracle accounts gather (#14571)
* feat: oracle accounts gather
* feat: sqlserver accounts gather
* feat: postgresql accounts gather
* feat: mysql accounts gather
---------
Co-authored-by: wangruidong <940853815@qq.com>
* feat: mongodb accounts gather
* perf: Change secret
* perf: Migrate
* perf: Merge conflicting migration files
* perf: Change secret
* perf: Automation filter org
* perf: Account push
* perf: Random secret string
* perf: Enhance SQL query and update risk handling in accounts
* perf: Ticket filter assignee_id
* perf: 修改 account remote
* perf: 修改一些 adhoc 任务
* perf: Change secret
* perf: Remove push account extra api
* perf: update status
* perf: The entire organization can view activity log
* fix: risk field check
* perf: add account details api
* perf: add demo mode
* perf: Delete gather_account
* perf: Perfect solution to account version problem
* perf: Update status action to handle multiple accounts
* perf: Add GatherAccountDetailField and update serializers
* perf: Display account history in combination with password change records
* perf: Lina translate
* fix: Update mysql_filter to handle nested user info
* perf: Admin connection token validate_permission account
* perf: copy move account
* perf: account filter risk
* perf: account risk filter
* perf: Copy move account failed message
* fix: gather account sync account to asset
* perf: Pam dashboard
* perf: Account dashboard total accounts
* perf: Pam dashboard
* perf: Change secret filter account secret_reset
* perf: 修改 risk filter
* perf: pam translate
* feat: Check for leaked duplicate passwords. (#14711)
* feat: Check for leaked duplicate passwords.
* perf: Use SQLite instead of txt as leak password database
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: 老广 <ibuler@qq.com>
* perf: merge with remote
* perf: Add risk change_password_add handle
* perf: Pam dashboard
* perf: check account manager import
* perf: 重构扫描
* perf: 修改 db
* perf: Gather account manager
* perf: update change db lib
* perf: dashboard
* perf: Account gather
* perf: 修改 asset get queryset
* perf: automation report
* perf: Pam account
* perf: Pam dashboard api
* perf: risk add account
* perf: 修改 risk check
* perf: Risk account
* perf: update risk add reopen action
* perf: add pylintrc
* Revert "perf: automation report"
This reverts commit 22aee54207.
* perf: check account engine
* perf: Perf: Optimism Gather Report Style
* Perf: Remove unuser actions
* Perf: Perf push account
* perf: perf gather account
* perf: Automation report
* perf: Push account recorder
* perf: Push account record
* perf: Pam dashboard
* perf: perf
* perf: update intergration
* perf: integrations application detail add account tab page
* feat: Custom change password supports configuration of interactive items
* perf: Go and Python demo code
* perf: Custom secret change
* perf: add user filter
* perf: translate
* perf: Add demo code docs
* perf: update some i18n
* perf: update some i18n
* perf: Add Java, Node, Go, and cURL demo code
* perf: Translate
* perf: Change secret translate
* perf: Translate
* perf: update some i18n
* perf: translate
* perf: Ansible playbook
* perf: update some choice
* perf: update some choice
* perf: update account serializer remote unused code
* perf: conflict
* perf: update import
---------
Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng <1304903146@qq.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
Co-authored-by: zhaojisen <1301338853@qq.com>
184 lines
6.1 KiB
Python
184 lines
6.1 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
|
|
from django.contrib.auth import get_user_model
|
|
from django.core.cache import cache
|
|
from django.utils import timezone
|
|
from django.utils.translation import gettext as _
|
|
from rest_framework import authentication, exceptions
|
|
|
|
from accounts.models import IntegrationApplication
|
|
from common.auth import signature
|
|
from common.decorators import merge_delay_run
|
|
from common.utils import get_object_or_none, get_request_ip_or_data, contains_ip, get_request_ip
|
|
from users.models import User
|
|
from ..models import AccessKey, PrivateToken
|
|
|
|
|
|
def date_more_than(d, seconds):
|
|
return d is None or (timezone.now() - d).seconds > seconds
|
|
|
|
|
|
@merge_delay_run(ttl=60)
|
|
def update_token_last_used(tokens=()):
|
|
access_keys_ids = [token.id for token in tokens if isinstance(token, AccessKey)]
|
|
private_token_keys = [token.key for token in tokens if isinstance(token, PrivateToken)]
|
|
if len(access_keys_ids) > 0:
|
|
AccessKey.objects.filter(id__in=access_keys_ids).update(date_last_used=timezone.now())
|
|
if len(private_token_keys) > 0:
|
|
PrivateToken.objects.filter(key__in=private_token_keys).update(date_last_used=timezone.now())
|
|
|
|
|
|
@merge_delay_run(ttl=60)
|
|
def update_user_last_used(users=()):
|
|
User.objects.filter(id__in=users).update(date_api_key_last_used=timezone.now())
|
|
|
|
|
|
@merge_delay_run(ttl=60)
|
|
def update_service_integration_last_used(service_integrations=()):
|
|
IntegrationApplication.objects.filter(
|
|
id__in=service_integrations
|
|
).update(date_last_used=timezone.now())
|
|
|
|
|
|
def after_authenticate_update_date(user, token=None):
|
|
update_user_last_used.delay(users=(user.id,))
|
|
if token:
|
|
update_token_last_used.delay(tokens=(token,))
|
|
|
|
|
|
class AccessTokenAuthentication(authentication.BaseAuthentication):
|
|
keyword = 'Bearer'
|
|
model = get_user_model()
|
|
|
|
def authenticate(self, request):
|
|
auth = authentication.get_authorization_header(request).split()
|
|
if not auth or auth[0].lower() != self.keyword.lower().encode():
|
|
return None
|
|
|
|
if len(auth) == 1:
|
|
msg = _('Invalid token header. No credentials provided.')
|
|
raise exceptions.AuthenticationFailed(msg)
|
|
elif len(auth) > 2:
|
|
msg = _('Invalid token header. Sign string should not contain spaces.')
|
|
raise exceptions.AuthenticationFailed(msg)
|
|
|
|
try:
|
|
token = auth[1].decode()
|
|
except UnicodeError:
|
|
msg = _('Invalid token header. Sign string should not contain invalid characters.')
|
|
raise exceptions.AuthenticationFailed(msg)
|
|
user, header = self.authenticate_credentials(token)
|
|
after_authenticate_update_date(user)
|
|
return user, header
|
|
|
|
@staticmethod
|
|
def authenticate_credentials(token):
|
|
model = get_user_model()
|
|
user_id = cache.get(token)
|
|
user = get_object_or_none(model, id=user_id)
|
|
|
|
if not user:
|
|
msg = _('Invalid token or cache refreshed.')
|
|
raise exceptions.AuthenticationFailed(msg)
|
|
return user, None
|
|
|
|
def authenticate_header(self, request):
|
|
return self.keyword
|
|
|
|
|
|
class PrivateTokenAuthentication(authentication.TokenAuthentication):
|
|
model = PrivateToken
|
|
|
|
def authenticate(self, request):
|
|
user_token = super().authenticate(request)
|
|
if not user_token:
|
|
return
|
|
user, token = user_token
|
|
after_authenticate_update_date(user, token)
|
|
return user, token
|
|
|
|
|
|
class SessionAuthentication(authentication.SessionAuthentication):
|
|
def authenticate(self, request):
|
|
"""
|
|
Returns a `User` if the request session currently has a logged in user.
|
|
Otherwise, returns `None`.
|
|
"""
|
|
|
|
# Get the session-based user from the underlying HttpRequest object
|
|
user = getattr(request._request, 'user', None)
|
|
|
|
# Unauthenticated, CSRF validation not required
|
|
if not user or not user.is_active:
|
|
return None
|
|
|
|
try:
|
|
self.enforce_csrf(request)
|
|
except exceptions.AuthenticationFailed:
|
|
return None
|
|
|
|
# CSRF passed with authenticated user
|
|
return user, None
|
|
|
|
|
|
class SignatureAuthentication(signature.SignatureAuthentication):
|
|
# The HTTP header used to pass the consumer key ID.
|
|
|
|
# A method to fetch (User instance, user_secret_string) from the
|
|
# consumer key ID, or None in case it is not found. Algorithm
|
|
# will be what the client has sent, in the case that both RSA
|
|
# and HMAC are supported at your site (and also for expansion).
|
|
model = get_user_model()
|
|
|
|
def fetch_user_data(self, key_id, algorithm="hmac-sha256"):
|
|
# ...
|
|
# example implementation:
|
|
try:
|
|
key = AccessKey.objects.get(id=key_id)
|
|
if not key.is_active:
|
|
return None, None
|
|
user, secret = key.user, str(key.secret)
|
|
after_authenticate_update_date(user, key)
|
|
return user, secret
|
|
except (AccessKey.DoesNotExist, exceptions.ValidationError):
|
|
return None, None
|
|
|
|
def is_ip_allow(self, key_id, request):
|
|
try:
|
|
ak = AccessKey.objects.get(id=key_id)
|
|
ip_group = ak.ip_group
|
|
ip = get_request_ip_or_data(request)
|
|
if not contains_ip(ip, ip_group):
|
|
return False
|
|
return True
|
|
except (AccessKey.DoesNotExist, exceptions.ValidationError):
|
|
return False
|
|
|
|
|
|
class ServiceAuthentication(signature.SignatureAuthentication):
|
|
__instance = None
|
|
source = 'jms-pam'
|
|
|
|
def get_object(self, key_id):
|
|
if not self.__instance:
|
|
self.__instance = IntegrationApplication.objects.filter(
|
|
id=key_id, is_active=True,
|
|
).first()
|
|
return self.__instance
|
|
|
|
def fetch_user_data(self, key_id, algorithm=None):
|
|
obj = self.get_object(key_id)
|
|
if not obj:
|
|
return None, None
|
|
return obj, obj.secret
|
|
|
|
def is_ip_allow(self, key_id, request):
|
|
obj = self.get_object(key_id)
|
|
if not contains_ip(get_request_ip(request), obj.ip_group):
|
|
return False
|
|
return True
|
|
|
|
def after_authenticate_update_date(self, user):
|
|
update_service_integration_last_used.delay((user.id,))
|