jumpserver/apps/users/api.py

236 lines
7.6 KiB
Python
Raw Normal View History

2016-08-09 09:27:37 +00:00
# ~*~ coding: utf-8 ~*~
2018-01-29 08:18:30 +00:00
import uuid
from django.core.cache import cache
2016-08-09 09:27:37 +00:00
2017-02-03 05:37:05 +00:00
from rest_framework import generics
2018-01-23 02:36:20 +00:00
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.response import Response
2016-10-31 10:58:23 +00:00
from rest_framework.views import APIView
2016-11-25 14:45:47 +00:00
from rest_framework_bulk import BulkModelViewSet
2016-08-23 16:11:13 +00:00
2017-12-12 04:19:45 +00:00
from .serializers import UserSerializer, UserGroupSerializer, \
UserGroupUpdateMemeberSerializer, UserPKUpdateSerializer, \
2018-01-23 02:36:20 +00:00
UserUpdateGroupSerializer, ChangeUserPasswordSerializer
2017-12-04 12:15:47 +00:00
from .tasks import write_login_log_async
2017-02-03 05:37:05 +00:00
from .models import User, UserGroup
2018-01-29 08:18:30 +00:00
from .permissions import IsSuperUser, IsValidUser, IsCurrentUserOrReadOnly, \
IsSuperUserOrAppUser
2018-04-18 04:48:07 +00:00
from .utils import check_user_valid, generate_token, get_login_ip, check_otp_code
from common.mixins import IDInFilterMixin
2016-10-15 08:04:54 +00:00
from common.utils import get_logger
2016-08-23 16:11:13 +00:00
2016-10-07 15:54:29 +00:00
logger = get_logger(__name__)
2016-08-26 08:56:50 +00:00
class UserViewSet(IDInFilterMixin, BulkModelViewSet):
2017-12-18 10:38:30 +00:00
queryset = User.objects.exclude(role="App")
2017-12-12 04:19:45 +00:00
serializer_class = UserSerializer
2018-04-10 01:41:06 +00:00
permission_classes = (IsSuperUser,)
2016-11-25 00:39:24 +00:00
filter_fields = ('username', 'email', 'name', 'id')
2016-11-24 09:08:20 +00:00
2018-04-10 01:41:06 +00:00
def get_permissions(self):
if self.action == "retrieve":
self.permission_classes = (IsSuperUserOrAppUser,)
return super().get_permissions()
2016-08-24 09:14:21 +00:00
2018-01-23 02:36:20 +00:00
class ChangeUserPasswordApi(generics.RetrieveUpdateAPIView):
permission_classes = (IsSuperUser,)
queryset = User.objects.all()
serializer_class = ChangeUserPasswordSerializer
def perform_update(self, serializer):
user = self.get_object()
user.password_raw = serializer.validated_data["password"]
user.save()
2016-11-14 16:48:48 +00:00
class UserUpdateGroupApi(generics.RetrieveUpdateAPIView):
2016-11-09 15:49:10 +00:00
queryset = User.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserUpdateGroupSerializer
2016-11-09 15:49:10 +00:00
permission_classes = (IsSuperUser,)
class UserResetPasswordApi(generics.UpdateAPIView):
queryset = User.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserSerializer
2018-01-23 02:36:20 +00:00
permission_classes = (IsAuthenticated,)
def perform_update(self, serializer):
# Note: we are not updating the user object here.
2017-02-03 05:37:05 +00:00
# We just do the reset-password stuff.
2016-11-09 11:29:15 +00:00
from .utils import send_reset_password_mail
user = self.get_object()
user.password_raw = str(uuid.uuid4())
user.save()
send_reset_password_mail(user)
2016-11-09 15:49:10 +00:00
class UserResetPKApi(generics.UpdateAPIView):
queryset = User.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserSerializer
2018-04-10 01:41:06 +00:00
permission_classes = (IsAuthenticated,)
def perform_update(self, serializer):
2016-11-09 11:29:15 +00:00
from .utils import send_reset_ssh_key_mail
user = self.get_object()
2016-09-18 06:28:34 +00:00
user.is_public_key_valid = False
user.save()
send_reset_ssh_key_mail(user)
2016-09-18 06:28:34 +00:00
2016-11-09 15:49:10 +00:00
class UserUpdatePKApi(generics.UpdateAPIView):
queryset = User.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserPKUpdateSerializer
2017-02-03 05:37:05 +00:00
permission_classes = (IsCurrentUserOrReadOnly,)
2016-11-09 15:49:10 +00:00
def perform_update(self, serializer):
user = self.get_object()
user.public_key = serializer.validated_data['_public_key']
user.save()
2016-11-14 16:48:48 +00:00
class UserGroupViewSet(IDInFilterMixin, BulkModelViewSet):
2016-11-14 16:48:48 +00:00
queryset = UserGroup.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserGroupSerializer
2018-04-10 01:41:06 +00:00
permission_classes = (IsSuperUser,)
2016-11-14 16:48:48 +00:00
class UserGroupUpdateUserApi(generics.RetrieveUpdateAPIView):
queryset = UserGroup.objects.all()
2017-12-12 04:19:45 +00:00
serializer_class = UserGroupUpdateMemeberSerializer
2016-11-14 16:48:48 +00:00
permission_classes = (IsSuperUser,)
2016-10-15 09:14:56 +00:00
2016-12-16 11:32:05 +00:00
class UserToken(APIView):
2016-12-28 16:29:59 +00:00
permission_classes = (AllowAny,)
2016-12-16 11:32:05 +00:00
2016-12-28 16:29:59 +00:00
def post(self, request):
if not request.user.is_authenticated:
username = request.data.get('username', '')
email = request.data.get('email', '')
password = request.data.get('password', '')
public_key = request.data.get('public_key', '')
2017-01-17 08:34:47 +00:00
user, msg = check_user_valid(
username=username, email=email,
password=password, public_key=public_key)
else:
user = request.user
msg = None
2016-12-28 16:29:59 +00:00
if user:
2016-12-29 11:17:00 +00:00
token = generate_token(request, user)
return Response({'Token': token, 'Keyword': 'Bearer'}, status=200)
2016-12-28 16:29:59 +00:00
else:
return Response({'error': msg}, status=406)
2016-12-16 11:32:05 +00:00
class UserProfile(APIView):
permission_classes = (IsValidUser,)
2018-04-18 04:48:07 +00:00
serializer_class = UserSerializer
2016-12-16 11:32:05 +00:00
def get(self, request):
2018-04-18 04:48:07 +00:00
# return Response(request.user.to_json())
return Response(self.serializer_class(request.user).data)
2016-12-16 11:32:05 +00:00
2017-01-17 08:34:47 +00:00
def post(self, request):
2018-04-18 04:48:07 +00:00
return Response(self.serializer_class(request.user).data)
2017-01-17 08:34:47 +00:00
2016-12-16 11:32:05 +00:00
2016-11-09 11:29:15 +00:00
class UserAuthApi(APIView):
2016-12-29 11:17:00 +00:00
permission_classes = (AllowAny,)
2018-04-18 04:48:07 +00:00
serializer_class = UserSerializer
2016-10-31 10:58:23 +00:00
2017-01-17 08:34:47 +00:00
def post(self, request):
2018-04-18 04:48:07 +00:00
otp_check = request.data.get('otp_check', None)
if otp_check:
# otp验证
return self.check_auth_otp(request)
else:
# password验证
return self.check_auth_password(request)
def check_auth_password(self, request):
user, msg = self.check_user_valid(request)
if user:
token = generate_token(request, user)
if not user.otp_enabled:
self.write_login_log(request, user)
return Response({'token': token, 'user': self.serializer_class(user).data})
else:
return Response({'msg': msg}, status=401)
def check_auth_otp(self, request):
otp_code = request.data.get('otp_code', '')
user, msg = self.check_user_valid(request)
if user:
token = generate_token(request, user)
if check_otp_code(user.otp_secret_key, otp_code):
self.write_login_log(request, user)
return Response({'token': token, 'user': self.serializer_class(user).data})
return Response({'msg': msg}, status=401)
@staticmethod
def check_user_valid(request):
2016-10-31 10:58:23 +00:00
username = request.data.get('username', '')
password = request.data.get('password', '')
public_key = request.data.get('public_key', '')
2018-04-18 04:48:07 +00:00
user, msg = check_user_valid(
username=username, password=password,
public_key=public_key
)
return user, msg
@staticmethod
def write_login_log(request, user):
2017-01-17 08:34:47 +00:00
login_ip = request.data.get('remote_addr', None)
2018-04-18 04:48:07 +00:00
login_type = request.data.get('login_type', '')
2016-12-29 11:17:00 +00:00
user_agent = request.data.get('HTTP_USER_AGENT', '')
2017-11-14 01:44:16 +00:00
if not login_ip:
2018-04-18 04:48:07 +00:00
login_ip = get_login_ip(request)
2018-03-04 05:01:33 +00:00
2018-04-18 04:48:07 +00:00
write_login_log_async.delay(
user.username, ip=login_ip,
type=login_type, user_agent=user_agent,
2017-11-14 01:44:16 +00:00
)
2016-11-09 11:29:15 +00:00
2018-01-29 08:18:30 +00:00
class UserConnectionTokenApi(APIView):
permission_classes = (IsSuperUserOrAppUser,)
def post(self, request):
user_id = request.data.get('user', '')
asset_id = request.data.get('asset', '')
system_user_id = request.data.get('system_user', '')
token = str(uuid.uuid4())
value = {
'user': user_id,
'asset': asset_id,
'system_user': system_user_id
}
cache.set(token, value, timeout=20)
2018-01-29 08:18:30 +00:00
return Response({"token": token}, status=201)
def get(self, request):
token = request.query_params.get('token')
2018-03-12 11:39:27 +00:00
user_only = request.query_params.get('user-only', None)
2018-01-29 08:18:30 +00:00
value = cache.get(token, None)
2018-03-12 11:39:27 +00:00
if not value:
return Response('', status=404)
2018-01-29 08:18:30 +00:00
2018-03-12 11:39:27 +00:00
if not user_only:
return Response(value)
else:
return Response({'user': value['user']})
2018-01-29 08:18:30 +00:00
2018-03-12 11:39:27 +00:00
def get_permissions(self):
if self.request.query_params.get('user-only', None):
self.permission_classes = (AllowAny,)
return super().get_permissions()