mirror of
https://github.com/jumpserver/jumpserver.git
synced 2026-04-03 10:52:57 +00:00
3f4141ca0b
* perf: change i18n
* perf: pam
* perf: change translate
* perf: add check account
* perf: add date field
* perf: add account filter
* perf: remove some js
* perf: add account status action
* perf: update pam
* perf: 修改 discover account
* perf: update filter
* perf: update gathered account
* perf: 修改账号同步
* perf: squash migrations
* perf: update pam
* perf: change i18n
* perf: update account risk
* perf: 更新风险发现
* perf: remove css
* perf: Admin connection token
* perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks
* perf: Modify account migration files
* perf: update pam
* perf: remove to check account dir
* perf: Admin connection token
* perf: update check account
* perf: 优化发送结果
* perf: update pam
* perf: update bulk update create
* perf: prepaire using thread timer for bulk_create_decorator
* perf: update bulk create decorator
* perf: 优化 playbook manager
* perf: 优化收集账号的报表
* perf: Update poetry
* perf: Update Dockerfile with new base image tag
* fix: Account migrate 0012 file
* perf: 修改备份
* perf: update pam
* fix: Expand resource_type filter to include raw type
* feat: PAM Service (#14552)
* feat: PAM Service
* perf: import package name
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
* perf: Change secret dashboard (#14551)
Co-authored-by: feng <1304903146@qq.com>
* perf: update migrations
* perf: 修改支持 pam
* perf: Change secret record table dashboard
* perf: update status
* fix: Automation send report
* perf: Change secret report
* feat: windows accounts gather
* perf: update change status
* perf: Account backup
* perf: Account backup report
* perf: Account migrate
* perf: update service to application
* perf: update migrations
* perf: update logo
* feat: oracle accounts gather (#14571)
* feat: oracle accounts gather
* feat: sqlserver accounts gather
* feat: postgresql accounts gather
* feat: mysql accounts gather
---------
Co-authored-by: wangruidong <940853815@qq.com>
* feat: mongodb accounts gather
* perf: Change secret
* perf: Migrate
* perf: Merge conflicting migration files
* perf: Change secret
* perf: Automation filter org
* perf: Account push
* perf: Random secret string
* perf: Enhance SQL query and update risk handling in accounts
* perf: Ticket filter assignee_id
* perf: 修改 account remote
* perf: 修改一些 adhoc 任务
* perf: Change secret
* perf: Remove push account extra api
* perf: update status
* perf: The entire organization can view activity log
* fix: risk field check
* perf: add account details api
* perf: add demo mode
* perf: Delete gather_account
* perf: Perfect solution to account version problem
* perf: Update status action to handle multiple accounts
* perf: Add GatherAccountDetailField and update serializers
* perf: Display account history in combination with password change records
* perf: Lina translate
* fix: Update mysql_filter to handle nested user info
* perf: Admin connection token validate_permission account
* perf: copy move account
* perf: account filter risk
* perf: account risk filter
* perf: Copy move account failed message
* fix: gather account sync account to asset
* perf: Pam dashboard
* perf: Account dashboard total accounts
* perf: Pam dashboard
* perf: Change secret filter account secret_reset
* perf: 修改 risk filter
* perf: pam translate
* feat: Check for leaked duplicate passwords. (#14711)
* feat: Check for leaked duplicate passwords.
* perf: Use SQLite instead of txt as leak password database
---------
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: 老广 <ibuler@qq.com>
* perf: merge with remote
* perf: Add risk change_password_add handle
* perf: Pam dashboard
* perf: check account manager import
* perf: 重构扫描
* perf: 修改 db
* perf: Gather account manager
* perf: update change db lib
* perf: dashboard
* perf: Account gather
* perf: 修改 asset get queryset
* perf: automation report
* perf: Pam account
* perf: Pam dashboard api
* perf: risk add account
* perf: 修改 risk check
* perf: Risk account
* perf: update risk add reopen action
* perf: add pylintrc
* Revert "perf: automation report"
This reverts commit 22aee54207.
* perf: check account engine
* perf: Perf: Optimism Gather Report Style
* Perf: Remove unuser actions
* Perf: Perf push account
* perf: perf gather account
* perf: Automation report
* perf: Push account recorder
* perf: Push account record
* perf: Pam dashboard
* perf: perf
* perf: update intergration
* perf: integrations application detail add account tab page
* feat: Custom change password supports configuration of interactive items
* perf: Go and Python demo code
* perf: Custom secret change
* perf: add user filter
* perf: translate
* perf: Add demo code docs
* perf: update some i18n
* perf: update some i18n
* perf: Add Java, Node, Go, and cURL demo code
* perf: Translate
* perf: Change secret translate
* perf: Translate
* perf: update some i18n
* perf: translate
* perf: Ansible playbook
* perf: update some choice
* perf: update some choice
* perf: update account serializer remote unused code
* perf: conflict
* perf: update import
---------
Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng <1304903146@qq.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: jiangweidong <1053570670@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
Co-authored-by: zhaojisen <1301338853@qq.com>
333 lines
10 KiB
Python
333 lines
10 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
import base64
|
|
import struct
|
|
import uuid
|
|
|
|
import math
|
|
from django.conf import settings
|
|
from django.contrib.auth.models import AbstractUser, UserManager as _UserManager
|
|
from django.core.exceptions import ValidationError
|
|
from django.db import models
|
|
from django.shortcuts import reverse
|
|
from django.utils import timezone
|
|
from django.utils.translation import gettext_lazy as _
|
|
from rest_framework.exceptions import PermissionDenied
|
|
|
|
from common.db import fields, models as jms_models
|
|
from common.utils import (
|
|
date_expired_default,
|
|
get_logger,
|
|
)
|
|
from labels.mixins import LabeledMixin
|
|
from orgs.utils import current_org
|
|
from ._auth import AuthMixin, MFAMixin
|
|
from ._json import JSONFilterMixin
|
|
from ._role import RoleMixin, SystemRoleManager, OrgRoleManager
|
|
from ._source import SourceMixin, Source
|
|
from ._token import TokenMixin
|
|
from ._face import FaceMixin
|
|
|
|
logger = get_logger(__file__)
|
|
__all__ = [
|
|
"User",
|
|
"UserPasswordHistory",
|
|
"MFAMixin",
|
|
"AuthMixin",
|
|
"FaceMixin",
|
|
"RoleMixin"
|
|
]
|
|
|
|
|
|
class UserManager(_UserManager):
|
|
def get_by_natural_key(self, username_or_mail):
|
|
q = models.Q(username=username_or_mail) | models.Q(email=username_or_mail)
|
|
user = self.filter(q).first()
|
|
if not user:
|
|
raise self.model.DoesNotExist
|
|
return user
|
|
|
|
|
|
class User(
|
|
AuthMixin,
|
|
SourceMixin,
|
|
TokenMixin,
|
|
RoleMixin,
|
|
MFAMixin,
|
|
FaceMixin,
|
|
LabeledMixin,
|
|
JSONFilterMixin,
|
|
AbstractUser,
|
|
):
|
|
id = models.UUIDField(default=uuid.uuid4, primary_key=True)
|
|
username = models.CharField(max_length=128, unique=True, verbose_name=_("Username"))
|
|
name = models.CharField(max_length=128, verbose_name=_("Name"))
|
|
email = models.EmailField(max_length=128, unique=True, verbose_name=_("Email"))
|
|
groups = models.ManyToManyField(
|
|
"users.UserGroup",
|
|
related_name="users",
|
|
blank=True,
|
|
verbose_name=_("User group"),
|
|
)
|
|
role = models.CharField(
|
|
default="User", max_length=10, blank=True, verbose_name=_("Role")
|
|
)
|
|
is_service_account = models.BooleanField(
|
|
default=False, verbose_name=_("Is service account")
|
|
)
|
|
avatar = models.ImageField(upload_to="avatar", null=True, verbose_name=_("Avatar"))
|
|
wechat = fields.EncryptCharField(
|
|
max_length=128, blank=True, verbose_name=_("Wechat")
|
|
)
|
|
phone = fields.EncryptCharField(
|
|
max_length=128, blank=True, null=True, verbose_name=_("Phone")
|
|
)
|
|
mfa_level = models.SmallIntegerField(
|
|
default=0, choices=MFAMixin.MFA_LEVEL_CHOICES, verbose_name=_("MFA")
|
|
)
|
|
otp_secret_key = fields.EncryptCharField(
|
|
max_length=128, blank=True, null=True, verbose_name=_("OTP secret key")
|
|
)
|
|
# Todo: Auto generate key, let user download
|
|
private_key = fields.EncryptTextField(
|
|
blank=True, null=True, verbose_name=_("Private key")
|
|
)
|
|
public_key = fields.EncryptTextField(
|
|
blank=True, null=True, verbose_name=_("Public key")
|
|
)
|
|
comment = models.TextField(blank=True, null=True, verbose_name=_("Comment"))
|
|
is_first_login = models.BooleanField(default=True, verbose_name=_("Is first login"))
|
|
date_expired = models.DateTimeField(
|
|
default=date_expired_default,
|
|
blank=True,
|
|
null=True,
|
|
db_index=True,
|
|
verbose_name=_("Date expired"),
|
|
)
|
|
created_by = models.CharField(
|
|
max_length=30, default="", blank=True, verbose_name=_("Created by")
|
|
)
|
|
updated_by = models.CharField(
|
|
max_length=30, default="", blank=True, verbose_name=_("Updated by")
|
|
)
|
|
date_password_last_updated = models.DateTimeField(
|
|
auto_now_add=True,
|
|
blank=True,
|
|
null=True,
|
|
verbose_name=_("Date password last updated"),
|
|
)
|
|
need_update_password = models.BooleanField(
|
|
default=False, verbose_name=_("Need update password")
|
|
)
|
|
source = models.CharField(
|
|
max_length=30,
|
|
default=Source.local,
|
|
choices=Source.choices,
|
|
verbose_name=_("Source"),
|
|
)
|
|
wecom_id = models.CharField(
|
|
null=True, default=None, max_length=128, verbose_name=_("WeCom")
|
|
)
|
|
dingtalk_id = models.CharField(
|
|
null=True, default=None, max_length=128, verbose_name=_("DingTalk")
|
|
)
|
|
feishu_id = models.CharField(
|
|
null=True, default=None, max_length=128, verbose_name=_("FeiShu")
|
|
)
|
|
lark_id = models.CharField(
|
|
null=True, default=None, max_length=128, verbose_name="Lark"
|
|
)
|
|
slack_id = models.CharField(
|
|
null=True, default=None, max_length=128, verbose_name=_("Slack")
|
|
)
|
|
face_vector = fields.EncryptTextField(
|
|
null=True, blank=True, max_length=2048, verbose_name=_("Face Vector")
|
|
)
|
|
date_api_key_last_used = models.DateTimeField(
|
|
null=True, blank=True, verbose_name=_("Date api key used")
|
|
)
|
|
date_updated = models.DateTimeField(auto_now=True, verbose_name=_("Date updated"))
|
|
objects = UserManager()
|
|
DATE_EXPIRED_WARNING_DAYS = 5
|
|
|
|
def __str__(self):
|
|
return "{0.name}({0.username})".format(self)
|
|
|
|
@classmethod
|
|
def get_queryset(cls):
|
|
queryset = cls.objects.all()
|
|
if not current_org.is_root():
|
|
queryset = current_org.get_members()
|
|
queryset = queryset.exclude(is_service_account=True)
|
|
return queryset
|
|
|
|
@property
|
|
def secret_key(self):
|
|
instance = self.preferences.filter(name="secret_key").first()
|
|
if not instance:
|
|
return
|
|
return instance.decrypt_value
|
|
|
|
@property
|
|
def receive_backends(self):
|
|
try:
|
|
return self.user_msg_subscription.receive_backends
|
|
except:
|
|
return []
|
|
|
|
@property
|
|
def is_otp_secret_key_bound(self):
|
|
return bool(self.otp_secret_key)
|
|
|
|
def get_absolute_url(self):
|
|
return reverse("users:user-detail", args=(self.id,))
|
|
|
|
@property
|
|
def is_expired(self):
|
|
if self.date_expired and self.date_expired < timezone.now():
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
def is_password_authenticate(self):
|
|
cas = self.Source.cas
|
|
saml2 = self.Source.saml2
|
|
oauth2 = self.Source.oauth2
|
|
return self.source not in [cas, saml2, oauth2]
|
|
|
|
@property
|
|
def expired_remain_days(self):
|
|
date_remain = self.date_expired - timezone.now()
|
|
return date_remain.days
|
|
|
|
@property
|
|
def will_expired(self):
|
|
if 0 <= self.expired_remain_days <= self.DATE_EXPIRED_WARNING_DAYS:
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
@property
|
|
def lang(self):
|
|
return self.preference.get_value("lang")
|
|
|
|
@lang.setter
|
|
def lang(self, value):
|
|
self.preference.set_value('lang', value)
|
|
|
|
@property
|
|
def preference(self):
|
|
from users.models.preference import PreferenceManager
|
|
return PreferenceManager(self)
|
|
|
|
@property
|
|
def is_valid(self):
|
|
if self.is_active and not self.is_expired:
|
|
return True
|
|
return False
|
|
|
|
def set_required_attr_if_need(self):
|
|
if not self.name:
|
|
self.name = self.username
|
|
if not self.email or "@" not in self.email:
|
|
email = "{}@{}".format(self.username, settings.EMAIL_SUFFIX)
|
|
if "@" in self.username:
|
|
email = self.username
|
|
self.email = email
|
|
|
|
def save(self, *args, **kwargs):
|
|
self.set_required_attr_if_need()
|
|
if self.username == "admin":
|
|
self.role = "Admin"
|
|
self.is_active = True
|
|
return super().save(*args, **kwargs)
|
|
|
|
def is_member_of(self, user_group):
|
|
if user_group in self.groups.all():
|
|
return True
|
|
return False
|
|
|
|
def set_avatar(self, f):
|
|
self.avatar.save(self.username, f)
|
|
|
|
@classmethod
|
|
def get_avatar_url(cls, username):
|
|
user_default = settings.STATIC_URL + "img/avatar/user.png"
|
|
return user_default
|
|
|
|
def avatar_url(self):
|
|
admin_default = settings.STATIC_URL + "img/avatar/admin.png"
|
|
user_default = settings.STATIC_URL + "img/avatar/user.png"
|
|
if self.avatar:
|
|
return self.avatar.url
|
|
if self.is_superuser:
|
|
return admin_default
|
|
else:
|
|
return user_default
|
|
|
|
def unblock_login(self):
|
|
from users.utils import LoginBlockUtil, MFABlockUtils
|
|
|
|
LoginBlockUtil.unblock_user(self.username)
|
|
MFABlockUtils.unblock_user(self.username)
|
|
|
|
@property
|
|
def login_blocked(self):
|
|
from users.utils import LoginBlockUtil, MFABlockUtils
|
|
|
|
if LoginBlockUtil.is_user_block(self.username):
|
|
return True
|
|
if MFABlockUtils.is_user_block(self.username):
|
|
return True
|
|
return False
|
|
|
|
def delete(self, using=None, keep_parents=False):
|
|
if self.pk == 1 or self.username == "admin":
|
|
raise PermissionDenied(_("Can not delete admin user"))
|
|
return super(User, self).delete(using=using, keep_parents=keep_parents)
|
|
|
|
class Meta:
|
|
ordering = ["username"]
|
|
verbose_name = _("User")
|
|
unique_together = (
|
|
("dingtalk_id",),
|
|
("wecom_id",),
|
|
("feishu_id",),
|
|
("lark_id",),
|
|
("slack_id",),
|
|
)
|
|
permissions = [
|
|
("invite_user", _("Can invite user")),
|
|
("remove_user", _("Can remove user")),
|
|
("match_user", _("Can match user")),
|
|
]
|
|
|
|
def can_send_created_mail(self):
|
|
if self.email and self.source == self.Source.local.value:
|
|
return True
|
|
return False
|
|
|
|
|
|
class UserPasswordHistory(models.Model):
|
|
id = models.UUIDField(default=uuid.uuid4, primary_key=True)
|
|
password = models.CharField(max_length=128)
|
|
user = models.ForeignKey(
|
|
"users.User",
|
|
related_name="history_passwords",
|
|
on_delete=jms_models.CASCADE_SIGNAL_SKIP,
|
|
verbose_name=_("User"),
|
|
)
|
|
date_created = models.DateTimeField(
|
|
auto_now_add=True, verbose_name=_("Date created")
|
|
)
|
|
|
|
def __str__(self):
|
|
return f"{self.user} set at {self.date_created}"
|
|
|
|
def __repr__(self):
|
|
return self.__str__()
|
|
|
|
class Meta:
|
|
verbose_name = _("User password history")
|