mirror of
https://github.com/jumpserver/jumpserver.git
synced 2025-05-10 00:57:15 +00:00
3f4141ca0b
* perf: change i18n
* perf: pam
* perf: change translate
* perf: add check account
* perf: add date field
* perf: add account filter
* perf: remove some js
* perf: add account status action
* perf: update pam
* perf: 修改 discover account
* perf: update filter
* perf: update gathered account
* perf: 修改账号同步
* perf: squash migrations
* perf: update pam
* perf: change i18n
* perf: update account risk
* perf: 更新风险发现
* perf: remove css
* perf: Admin connection token
* perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks
* perf: Modify account migration files
* perf: update pam
* perf: remove to check account dir
* perf: Admin connection token
* perf: update check account
* perf: 优化发送结果
* perf: update pam
* perf: update bulk update create
* perf: prepaire using thread timer for bulk_create_decorator
* perf: update bulk create decorator
* perf: 优化 playbook manager
* perf: 优化收集账号的报表
* perf: Update poetry
* perf: Update Dockerfile with new base image tag
* fix: Account migrate 0012 file
* perf: 修改备份
* perf: update pam
* fix: Expand resource_type filter to include raw type
* feat: PAM Service (#14552)
* feat: PAM Service
* perf: import package name
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
* perf: Change secret dashboard (#14551)
Co-authored-by: feng <1304903146@qq.com>
* perf: update migrations
* perf: 修改支持 pam
* perf: Change secret record table dashboard
* perf: update status
* fix: Automation send report
* perf: Change secret report
* feat: windows accounts gather
* perf: update change status
* perf: Account backup
* perf: Account backup report
* perf: Account migrate
* perf: update service to application
* perf: update migrations
* perf: update logo
* feat: oracle accounts gather (#14571)
* feat: oracle accounts gather
* feat: sqlserver accounts gather
* feat: postgresql accounts gather
* feat: mysql accounts gather
---------
Co-authored-by: wangruidong <940853815@qq.com>
* feat: mongodb accounts gather
* perf: Change secret
* perf: Migrate
* perf: Merge conflicting migration files
* perf: Change secret
* perf: Automation filter org
* perf: Account push
* perf: Random secret string
* perf: Enhance SQL query and update risk handling in accounts
* perf: Ticket filter assignee_id
* perf: 修改 account remote
* perf: 修改一些 adhoc 任务
* perf: Change secret
* perf: Remove push account extra api
* perf: update status
* perf: The entire organization can view activity log
* fix: risk field check
* perf: add account details api
* perf: add demo mode
* perf: Delete gather_account
* perf: Perfect solution to account version problem
* perf: Update status action to handle multiple accounts
* perf: Add GatherAccountDetailField and update serializers
* perf: Display account history in combination with password change records
* perf: Lina translate
* fix: Update mysql_filter to handle nested user info
* perf: Admin connection token validate_permission account
* perf: copy move account
* perf: account filter risk
* perf: account risk filter
* perf: Copy move account failed message
* fix: gather account sync account to asset
* perf: Pam dashboard
* perf: Account dashboard total accounts
* perf: Pam dashboard
* perf: Change secret filter account secret_reset
* perf: 修改 risk filter
* perf: pam translate
* feat: Check for leaked duplicate passwords. (#14711)
* feat: Check for leaked duplicate passwords.
* perf: Use SQLite instead of txt as leak password database
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: 老广 <ibuler@qq.com>
* perf: merge with remote
* perf: Add risk change_password_add handle
* perf: Pam dashboard
* perf: check account manager import
* perf: 重构扫描
* perf: 修改 db
* perf: Gather account manager
* perf: update change db lib
* perf: dashboard
* perf: Account gather
* perf: 修改 asset get queryset
* perf: automation report
* perf: Pam account
* perf: Pam dashboard api
* perf: risk add account
* perf: 修改 risk check
* perf: Risk account
* perf: update risk add reopen action
* perf: add pylintrc
* Revert "perf: automation report"
This reverts commit 22aee54207.
* perf: check account engine
* perf: Perf: Optimism Gather Report Style
* Perf: Remove unuser actions
* Perf: Perf push account
* perf: perf gather account
* perf: Automation report
* perf: Push account recorder
* perf: Push account record
* perf: Pam dashboard
* perf: perf
* perf: update intergration
* perf: integrations application detail add account tab page
* feat: Custom change password supports configuration of interactive items
* perf: Go and Python demo code
* perf: Custom secret change
* perf: add user filter
* perf: translate
* perf: Add demo code docs
* perf: update some i18n
* perf: update some i18n
* perf: Add Java, Node, Go, and cURL demo code
* perf: Translate
* perf: Change secret translate
* perf: Translate
* perf: update some i18n
* perf: translate
* perf: Ansible playbook
* perf: update some choice
* perf: update some choice
* perf: update account serializer remote unused code
* perf: conflict
* perf: update import
---------
Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng <1304903146@qq.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
Co-authored-by: zhaojisen <1301338853@qq.com>
285 lines
8.7 KiB
Python
285 lines
8.7 KiB
Python
import hashlib
|
|
import os
|
|
import re
|
|
import sqlite3
|
|
import uuid
|
|
|
|
from django.conf import settings
|
|
from django.utils import timezone
|
|
|
|
from accounts.models import Account, AccountRisk, RiskChoice
|
|
from assets.automations.base.manager import BaseManager
|
|
from common.const import ConfirmOrIgnore
|
|
from common.decorators import bulk_create_decorator, bulk_update_decorator
|
|
|
|
|
|
@bulk_create_decorator(AccountRisk)
|
|
def create_risk(data):
|
|
return AccountRisk(**data)
|
|
|
|
|
|
@bulk_update_decorator(AccountRisk, update_fields=["details", "status"])
|
|
def update_risk(risk):
|
|
return risk
|
|
|
|
|
|
class BaseCheckHandler:
|
|
risk = ''
|
|
|
|
def __init__(self, assets):
|
|
self.assets = assets
|
|
|
|
def check(self, account):
|
|
pass
|
|
|
|
def clean(self):
|
|
pass
|
|
|
|
|
|
class CheckSecretHandler(BaseCheckHandler):
|
|
risk = RiskChoice.weak_password
|
|
|
|
@staticmethod
|
|
def is_weak_password(password):
|
|
# 判断密码长度
|
|
if len(password) < 8:
|
|
return True
|
|
|
|
# 判断是否只有一种字符类型
|
|
if password.isdigit() or password.isalpha():
|
|
return True
|
|
|
|
# 判断是否只包含数字或字母
|
|
if password.islower() or password.isupper():
|
|
return True
|
|
|
|
# 判断是否包含常见弱密码
|
|
common_passwords = ["123456", "password", "12345678", "qwerty", "abc123"]
|
|
if password.lower() in common_passwords:
|
|
return True
|
|
|
|
# 正则表达式判断字符多样性(数字、字母、特殊字符)
|
|
if (
|
|
not re.search(r"[A-Za-z]", password)
|
|
or not re.search(r"[0-9]", password)
|
|
or not re.search(r"[\W_]", password)
|
|
):
|
|
return True
|
|
return False
|
|
|
|
def check(self, account):
|
|
if not account.secret:
|
|
return False
|
|
return self.is_weak_password(account.secret)
|
|
|
|
|
|
class CheckRepeatHandler(BaseCheckHandler):
|
|
risk = RiskChoice.repeated_password
|
|
|
|
def __init__(self, assets):
|
|
super().__init__(assets)
|
|
self.path, self.conn, self.cursor = self.init_repeat_check_db()
|
|
self.add_password_for_check_repeat()
|
|
|
|
@staticmethod
|
|
def init_repeat_check_db():
|
|
path = os.path.join('/tmp', 'accounts_' + str(uuid.uuid4()) + '.db')
|
|
sql = """
|
|
CREATE TABLE IF NOT EXISTS accounts (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
digest CHAR(32)
|
|
)
|
|
"""
|
|
index = "CREATE INDEX IF NOT EXISTS idx_digest ON accounts(digest)"
|
|
conn = sqlite3.connect(path)
|
|
cursor = conn.cursor()
|
|
cursor.execute(sql)
|
|
cursor.execute(index)
|
|
return path, conn, cursor
|
|
|
|
def check(self, account):
|
|
if not account.secret:
|
|
return False
|
|
|
|
digest = self.digest(account.secret)
|
|
sql = 'SELECT COUNT(*) FROM accounts WHERE digest = ?'
|
|
self.cursor.execute(sql, [digest])
|
|
result = self.cursor.fetchone()
|
|
if not result:
|
|
return False
|
|
return result[0] > 1
|
|
|
|
@staticmethod
|
|
def digest(secret):
|
|
return hashlib.md5(secret.encode()).hexdigest()
|
|
|
|
def add_password_for_check_repeat(self):
|
|
accounts = Account.objects.all().only('id', '_secret', 'secret_type')
|
|
sql = "INSERT INTO accounts (digest) VALUES (?)"
|
|
|
|
for account in accounts:
|
|
secret = account.secret
|
|
if not secret:
|
|
continue
|
|
digest = self.digest(secret)
|
|
self.cursor.execute(sql, [digest])
|
|
self.conn.commit()
|
|
|
|
def clean(self):
|
|
self.cursor.close()
|
|
self.conn.close()
|
|
os.remove(self.path)
|
|
|
|
|
|
class CheckLeakHandler(BaseCheckHandler):
|
|
risk = RiskChoice.leaked_password
|
|
|
|
def __init__(self, *args):
|
|
super().__init__(*args)
|
|
self.conn, self.cursor = self.init_leak_password_db()
|
|
|
|
@staticmethod
|
|
def init_leak_password_db():
|
|
db_path = os.path.join(
|
|
settings.APPS_DIR, 'accounts', 'automations',
|
|
'check_account', 'leak_passwords.db'
|
|
)
|
|
|
|
if settings.LEAK_PASSWORD_DB_PATH and os.path.isfile(settings.LEAK_PASSWORD_DB_PATH):
|
|
db_path = settings.LEAK_PASSWORD_DB_PATH
|
|
|
|
db_conn = sqlite3.connect(db_path)
|
|
db_cursor = db_conn.cursor()
|
|
return db_conn, db_cursor
|
|
|
|
def check(self, account):
|
|
if not account.secret:
|
|
return False
|
|
|
|
sql = 'SELECT 1 FROM passwords WHERE password = ? LIMIT 1'
|
|
self.cursor.execute(sql, (account.secret,))
|
|
leak = self.cursor.fetchone() is not None
|
|
return leak
|
|
|
|
def clean(self):
|
|
self.cursor.close()
|
|
self.conn.close()
|
|
|
|
|
|
class CheckAccountManager(BaseManager):
|
|
batch_size = 100
|
|
tmpl = 'Checked the status of account %s: %s'
|
|
|
|
def __init__(self, execution):
|
|
super().__init__(execution)
|
|
self.assets = []
|
|
self.batch_risks = []
|
|
self.handlers = []
|
|
|
|
def add_risk(self, risk, account):
|
|
self.summary[risk] += 1
|
|
self.result[risk].append({
|
|
'asset': str(account.asset), 'username': account.username,
|
|
})
|
|
risk_obj = {'account': account, 'risk': risk}
|
|
self.batch_risks.append(risk_obj)
|
|
|
|
def commit_risks(self, assets):
|
|
account_risks = AccountRisk.objects.filter(asset__in=assets)
|
|
ori_risk_map = {}
|
|
|
|
for risk in account_risks:
|
|
key = f'{risk.account_id}_{risk.risk}'
|
|
ori_risk_map[key] = risk
|
|
|
|
now = timezone.now().isoformat()
|
|
for d in self.batch_risks:
|
|
account = d["account"]
|
|
key = f'{account.id}_{d["risk"]}'
|
|
origin_risk = ori_risk_map.get(key)
|
|
|
|
if origin_risk and origin_risk.status != ConfirmOrIgnore.pending:
|
|
details = origin_risk.details or []
|
|
details.append({"datetime": now, 'type': 'refind'})
|
|
|
|
if len(details) > 10:
|
|
details = [*details[:5], *details[-5:]]
|
|
|
|
origin_risk.details = details
|
|
origin_risk.status = ConfirmOrIgnore.pending
|
|
update_risk(origin_risk)
|
|
else:
|
|
create_risk({
|
|
"account": account,
|
|
"asset": account.asset,
|
|
"username": account.username,
|
|
"risk": d["risk"],
|
|
"details": [{"datetime": now, 'type': 'init'}],
|
|
})
|
|
|
|
def pre_run(self):
|
|
super().pre_run()
|
|
self.assets = self.execution.get_all_assets()
|
|
self.execution.date_start = timezone.now()
|
|
self.execution.save(update_fields=["date_start"])
|
|
|
|
def batch_check(self, handler):
|
|
print("Engine: {}".format(handler.__class__.__name__))
|
|
for i in range(0, len(self.assets), self.batch_size):
|
|
_assets = self.assets[i: i + self.batch_size]
|
|
accounts = Account.objects.filter(asset__in=_assets)
|
|
|
|
print("Start to check accounts: {}".format(len(accounts)))
|
|
|
|
for account in accounts:
|
|
error = handler.check(account)
|
|
msg = handler.risk if error else 'ok'
|
|
|
|
print("Check: {} => {}".format(account, msg))
|
|
if not error:
|
|
continue
|
|
self.add_risk(handler.risk, account)
|
|
self.commit_risks(_assets)
|
|
|
|
def do_run(self, *args, **kwargs):
|
|
for engine in self.execution.snapshot.get("engines", []):
|
|
if engine == "check_account_secret":
|
|
handler = CheckSecretHandler(self.assets)
|
|
elif engine == "check_account_repeat":
|
|
handler = CheckRepeatHandler(self.assets)
|
|
elif engine == "check_account_leak":
|
|
handler = CheckLeakHandler(self.assets)
|
|
else:
|
|
print("Unknown engine: {}".format(engine))
|
|
continue
|
|
|
|
self.handlers.append(handler)
|
|
self.batch_check(handler)
|
|
|
|
def post_run(self):
|
|
super().post_run()
|
|
for handler in self.handlers:
|
|
handler.clean()
|
|
|
|
def get_report_subject(self):
|
|
return "Check account report of %s" % self.execution.id
|
|
|
|
def get_report_template(self):
|
|
return "accounts/check_account_report.html"
|
|
|
|
def print_summary(self):
|
|
tmpl = (
|
|
"\n---\nSummary: \nok: %s, weak password: %s, leaked password: %s, "
|
|
"repeated password: %s, no secret: %s, using time: %ss"
|
|
% (
|
|
self.summary["ok"],
|
|
self.summary[RiskChoice.weak_password],
|
|
self.summary[RiskChoice.leaked_password],
|
|
self.summary[RiskChoice.repeated_password],
|
|
|
|
self.summary["no_secret"],
|
|
int(self.duration),
|
|
)
|
|
)
|
|
print(tmpl)
|