jumpserver/apps/accounts/api/automations/check_account.py

# -*- coding: utf-8 -*-
#
from django.db.models import Q, Count
from rest_framework.decorators import action
from rest_framework.exceptions import MethodNotAllowed
from operator import itemgetter

from rest_framework.response import Response

from accounts import serializers
from accounts.const import AutomationTypes
from accounts.models import (
    CheckAccountAutomation,
    AccountRisk,
    RiskChoice,
    CheckAccountEngine,
)
from common.api import JMSModelViewSet
from common.utils import many_get
from orgs.mixins.api import OrgBulkModelViewSet
from .base import AutomationExecutionViewSet

__all__ = [
    "CheckAccountAutomationViewSet",
    "CheckAccountExecutionViewSet",
    "AccountRiskViewSet",
    "CheckAccountEngineViewSet",
]

from ...risk_handlers import RiskHandler


class CheckAccountAutomationViewSet(OrgBulkModelViewSet):
    model = CheckAccountAutomation
    filterset_fields = ("name",)
    search_fields = filterset_fields
    serializer_class = serializers.CheckAccountAutomationSerializer


class CheckAccountExecutionViewSet(AutomationExecutionViewSet):
    rbac_perms = (
        ("list", "accounts.view_checkaccountexecution"),
        ("retrieve", "accounts.view_checkaccountsexecution"),
        ("create", "accounts.add_checkaccountexecution"),
        ("report", "accounts.view_checkaccountsexecution"),
    )
    ordering = ("-date_created",)
    tp = AutomationTypes.check_account

    def get_queryset(self):
        queryset = super().get_queryset()
        queryset = queryset.filter(automation__type=self.tp)
        return queryset


class AccountRiskViewSet(OrgBulkModelViewSet):
    model = AccountRisk
    search_fields = ("username", "asset")
    filterset_fields = ("risk", "status", "asset")
    serializer_classes = {
        "default": serializers.AccountRiskSerializer,
        "assets": serializers.AssetRiskSerializer,
        "handle": serializers.HandleRiskSerializer,
    }
    ordering_fields = ("asset", "risk", "status", "username", "date_created")
    ordering = ("status", "asset", "date_created")
    rbac_perms = {
        "sync_accounts": "assets.add_accountrisk",
        "assets": "accounts.view_accountrisk",
        "handle": "accounts.change_accountrisk",
    }

    def update(self, request, *args, **kwargs):
        raise MethodNotAllowed("PUT")

    def create(self, request, *args, **kwargs):
        raise MethodNotAllowed("POST")

    @action(methods=["get"], detail=False, url_path="assets")
    def assets(self, request, *args, **kwargs):
        annotations = {
            f"{risk[0]}_count": Count("id", filter=Q(risk=risk[0]))
            for risk in RiskChoice.choices
        }
        queryset = (
            AccountRisk.objects.select_related(
                "asset", "asset__platform"
            )  # 使用 select_related 来优化 asset 和 asset__platform 的查询
            .values(
                "asset__id", "asset__name", "asset__address", "asset__platform__name"
            )  # 添加需要的字段
            .annotate(risk_total=Count("id"))  # 计算风险总数
            .annotate(**annotations)  # 使用上面定义的 annotations 进行计数
        )
        return self.get_paginated_response_from_queryset(queryset)

    @action(methods=["post"], detail=False, url_path="handle")
    def handle(self, request, *args, **kwargs):
        s = self.get_serializer(data=request.data)
        s.is_valid(raise_exception=True)

        asset, username, act, risk = many_get(s.validated_data, ("asset", "username", "action", "risk"))
        handler = RiskHandler(asset=asset, username=username, request=self.request)
        data = handler.handle(act, risk)
        if not data:
            data = {"message": "Success"}
        return Response(data)


class CheckAccountEngineViewSet(JMSModelViewSet):
    search_fields = ("name",)
    serializer_class = serializers.CheckAccountEngineSerializer

    @staticmethod
    def init_if_need():
        data = [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "slug": "check_gathered_account",
                "name": "检查发现的账号",
                "comment": "基于自动发现的账号结果进行检查分析，检查 用户组、公钥、sudoers 等信息",
            },
            {
                "id": "00000000-0000-0000-0000-000000000002",
                "slug": "check_account_secret",
                "name": "检查账号密码强弱",
                "comment": "基于账号密码的安全性进行检查分析, 检查密码强度、泄露等信息",
            },
        ]

        model_cls = CheckAccountEngine
        if model_cls.objects.all().count() == 2:
            return

        for item in data:
            model_cls.objects.create(**item)

    def get_queryset(self):
        self.init_if_need()
        return CheckAccountEngine.objects.all()
perf: add check account 2024-10-22 09:30:20 +00:00			`# -- coding: utf-8 --`
			`#`
perf: update pam 2024-11-04 10:34:35 +00:00			`from django.db.models import Q, Count`
			`from rest_framework.decorators import action`
perf: update pam 2024-11-27 11:33:58 +00:00			`from rest_framework.exceptions import MethodNotAllowed`
			`from operator import itemgetter`

			`from rest_framework.response import Response`
perf: add check account 2024-10-22 09:30:20 +00:00
			`from accounts import serializers`
			`from accounts.const import AutomationTypes`
perf: update change status 2024-12-03 09:49:04 +00:00			`from accounts.models import (`
			`CheckAccountAutomation,`
			`AccountRisk,`
			`RiskChoice,`
			`CheckAccountEngine,`
			`)`
perf: update check account 2024-11-14 11:00:29 +00:00			`from common.api import JMSModelViewSet`
perf: update change status 2024-12-03 09:49:04 +00:00			`from common.utils import many_get`
perf: add check account 2024-10-22 09:30:20 +00:00			`from orgs.mixins.api import OrgBulkModelViewSet`
			`from .base import AutomationExecutionViewSet`

			`__all__ = [`
perf: update change status 2024-12-03 09:49:04 +00:00			`"CheckAccountAutomationViewSet",`
			`"CheckAccountExecutionViewSet",`
			`"AccountRiskViewSet",`
			`"CheckAccountEngineViewSet",`
perf: add check account 2024-10-22 09:30:20 +00:00			`]`

perf: update pam 2024-11-27 11:33:58 +00:00			`from ...risk_handlers import RiskHandler`

perf: add check account 2024-10-22 09:30:20 +00:00
perf: remove to check account dir 2024-11-13 08:09:07 +00:00			`class CheckAccountAutomationViewSet(OrgBulkModelViewSet):`
perf: update check account 2024-11-14 11:00:29 +00:00			`model = CheckAccountAutomation`
perf: update change status 2024-12-03 09:49:04 +00:00			`filterset_fields = ("name",)`
perf: add check account 2024-10-22 09:30:20 +00:00			`search_fields = filterset_fields`
perf: update check account 2024-11-14 11:00:29 +00:00			`serializer_class = serializers.CheckAccountAutomationSerializer`
perf: add check account 2024-10-22 09:30:20 +00:00

			`class CheckAccountExecutionViewSet(AutomationExecutionViewSet):`
			`rbac_perms = (`
perf: update check account 2024-11-14 11:00:29 +00:00			`("list", "accounts.view_checkaccountexecution"),`
			`("retrieve", "accounts.view_checkaccountsexecution"),`
			`("create", "accounts.add_checkaccountexecution"),`
perf: 优化发送结果 2024-11-18 03:22:46 +00:00			`("report", "accounts.view_checkaccountsexecution"),`
perf: add check account 2024-10-22 09:30:20 +00:00			`)`
perf: update change status 2024-12-03 09:49:04 +00:00			`ordering = ("-date_created",)`
perf: remove to check account dir 2024-11-13 08:09:07 +00:00			`tp = AutomationTypes.check_account`
perf: add check account 2024-10-22 09:30:20 +00:00
			`def get_queryset(self):`
			`queryset = super().get_queryset()`
			`queryset = queryset.filter(automation__type=self.tp)`
			`return queryset`


			`class AccountRiskViewSet(OrgBulkModelViewSet):`
			`model = AccountRisk`
perf: update change status 2024-12-03 09:49:04 +00:00			`search_fields = ("username", "asset")`
			`filterset_fields = ("risk", "status", "asset")`
perf: add check account 2024-10-22 09:30:20 +00:00			`serializer_classes = {`
perf: update change status 2024-12-03 09:49:04 +00:00			`"default": serializers.AccountRiskSerializer,`
			`"assets": serializers.AssetRiskSerializer,`
			`"handle": serializers.HandleRiskSerializer,`
perf: add check account 2024-10-22 09:30:20 +00:00			`}`
perf: update change status 2024-12-03 09:49:04 +00:00			`ordering_fields = ("asset", "risk", "status", "username", "date_created")`
			`ordering = ("status", "asset", "date_created")`
perf: add check account 2024-10-22 09:30:20 +00:00			`rbac_perms = {`
perf: update change status 2024-12-03 09:49:04 +00:00			`"sync_accounts": "assets.add_accountrisk",`
			`"assets": "accounts.view_accountrisk",`
			`"handle": "accounts.change_accountrisk",`
perf: add check account 2024-10-22 09:30:20 +00:00			`}`
perf: update pam 2024-11-27 11:33:58 +00:00
			`def update(self, request, args, *kwargs):`
perf: update change status 2024-12-03 09:49:04 +00:00			`raise MethodNotAllowed("PUT")`
perf: update pam 2024-11-27 11:33:58 +00:00
			`def create(self, request, args, *kwargs):`
perf: update change status 2024-12-03 09:49:04 +00:00			`raise MethodNotAllowed("POST")`
perf: update pam 2024-11-04 10:34:35 +00:00
perf: update change status 2024-12-03 09:49:04 +00:00			`@action(methods=["get"], detail=False, url_path="assets")`
perf: update pam 2024-11-04 10:34:35 +00:00			`def assets(self, request, args, *kwargs):`
			`annotations = {`
perf: update change status 2024-12-03 09:49:04 +00:00			`f"{risk[0]}_count": Count("id", filter=Q(risk=risk[0]))`
perf: update pam 2024-11-04 10:34:35 +00:00			`for risk in RiskChoice.choices`
			`}`
			`queryset = (`
perf: update change status 2024-12-03 09:49:04 +00:00			`AccountRisk.objects.select_related(`
			`"asset", "asset__platform"`
			`) # 使用 select_related 来优化 asset 和 asset__platform 的查询`
			`.values(`
			`"asset__id", "asset__name", "asset__address", "asset__platform__name"`
			`) # 添加需要的字段`
			`.annotate(risk_total=Count("id")) # 计算风险总数`
perf: update pam 2024-11-04 10:34:35 +00:00			`.annotate(**annotations) # 使用上面定义的 annotations 进行计数`
			`)`
			`return self.get_paginated_response_from_queryset(queryset)`
perf: add check account 2024-10-22 09:30:20 +00:00
perf: update change status 2024-12-03 09:49:04 +00:00			`@action(methods=["post"], detail=False, url_path="handle")`
perf: update pam 2024-11-27 11:33:58 +00:00			`def handle(self, request, args, *kwargs):`
perf: update change status 2024-12-03 09:49:04 +00:00			`s = self.get_serializer(data=request.data)`
			`s.is_valid(raise_exception=True)`
perf: update pam 2024-11-27 11:33:58 +00:00
perf: update change status 2024-12-03 09:49:04 +00:00			`asset, username, act, risk = many_get(s.validated_data, ("asset", "username", "action", "risk"))`
			`handler = RiskHandler(asset=asset, username=username, request=self.request)`
perf: update pam 2024-11-27 11:33:58 +00:00			`data = handler.handle(act, risk)`
			`if not data:`
perf: update change status 2024-12-03 09:49:04 +00:00			`data = {"message": "Success"}`
perf: update pam 2024-11-27 11:33:58 +00:00			`return Response(data)`

perf: squash migrations 2024-11-01 10:49:03 +00:00
perf: update check account 2024-11-14 11:00:29 +00:00			`class CheckAccountEngineViewSet(JMSModelViewSet):`
perf: update change status 2024-12-03 09:49:04 +00:00			`search_fields = ("name",)`
perf: update check account 2024-11-14 11:00:29 +00:00			`serializer_class = serializers.CheckAccountEngineSerializer`
perf: squash migrations 2024-11-01 10:49:03 +00:00
perf: update change status 2024-12-03 09:49:04 +00:00			`@staticmethod`
			`def init_if_need():`
			`data = [`
			`{`
			`"id": "00000000-0000-0000-0000-000000000001",`
			`"slug": "check_gathered_account",`
			`"name": "检查发现的账号",`
			`"comment": "基于自动发现的账号结果进行检查分析，检查用户组、公钥、sudoers 等信息",`
			`},`
			`{`
			`"id": "00000000-0000-0000-0000-000000000002",`
			`"slug": "check_account_secret",`
			`"name": "检查账号密码强弱",`
			`"comment": "基于账号密码的安全性进行检查分析, 检查密码强度、泄露等信息",`
			`},`
			`]`

			`model_cls = CheckAccountEngine`
			`if model_cls.objects.all().count() == 2:`
			`return`

			`for item in data:`
			`model_cls.objects.create(**item)`

perf: squash migrations 2024-11-01 10:49:03 +00:00			`def get_queryset(self):`
perf: update change status 2024-12-03 09:49:04 +00:00			`self.init_if_need()`
perf: update check account 2024-11-14 11:00:29 +00:00			`return CheckAccountEngine.objects.all()`