jumpserver/apps/authentication/api/connection_token.py

332 lines
12 KiB
Python
Raw Normal View History

2022-11-14 06:03:58 +00:00
import base64
import json
2022-11-14 06:03:58 +00:00
import os
import urllib.parse
2022-11-14 06:03:58 +00:00
from django.http import HttpResponse
from django.shortcuts import get_object_or_404
2022-11-22 13:54:40 +00:00
from django.utils import timezone
from rest_framework import status
from rest_framework.decorators import action
2022-11-14 06:03:58 +00:00
from rest_framework.exceptions import PermissionDenied
from rest_framework.request import Request
2022-11-14 06:03:58 +00:00
from rest_framework.response import Response
2022-11-28 14:58:43 +00:00
from rest_framework.serializers import ValidationError
from common.drf.api import JMSModelViewSet
from common.http import is_true
2022-11-25 15:09:55 +00:00
from common.utils import random_string
from common.utils.django import get_request_os
from orgs.mixins.api import RootOrgViewMixin
2022-11-11 07:04:31 +00:00
from perms.models import ActionChoices
2022-12-07 07:09:01 +00:00
from terminal.connect_methods import NativeClient, ConnectMethodUtil
from terminal.models import EndpointRule
2022-11-14 06:03:58 +00:00
from ..models import ConnectionToken
from ..serializers import (
2022-07-20 05:18:56 +00:00
ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
2022-12-07 07:09:01 +00:00
SuperConnectionTokenSerializer, ConnectTokenAppletOptionSerializer
)
__all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']
fix: fix rbac to dev (#7636) * feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件;迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件;迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式,修改 app 用户 的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com>
2022-02-17 12:13:31 +00:00
2022-11-14 06:03:58 +00:00
class RDPFileClientProtocolURLMixin:
request: Request
get_serializer: callable
def get_rdp_file_info(self, token: ConnectionToken):
rdp_options = {
'full address:s': '',
'username:s': '',
2021-07-16 06:15:10 +00:00
'use multimon:i': '0',
'session bpp:i': '32',
'audiomode:i': '0',
'disable wallpaper:i': '0',
'disable full window drag:i': '0',
'disable menu anims:i': '0',
'disable themes:i': '0',
'alternate shell:s': '',
'shell working directory:s': '',
'authentication level:i': '2',
'connect to console:i': '0',
'disable cursor setting:i': '0',
'allow font smoothing:i': '1',
'allow desktop composition:i': '1',
'redirectprinters:i': '0',
'prompt for credentials on client:i': '0',
'autoreconnection enabled:i': '1',
'bookmarktype:i': '3',
'use redirection server name:i': '0',
2022-03-25 02:43:48 +00:00
'smart sizing:i': '1',
}
# 设置磁盘挂载
drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
2022-02-16 07:48:28 +00:00
if drives_redirect:
2022-11-23 08:11:17 +00:00
if ActionChoices.contains(token.actions, ActionChoices.transfer()):
rdp_options['drivestoredirect:s'] = '*'
# 设置全屏
full_screen = is_true(self.request.query_params.get('full_screen'))
rdp_options['screen mode id:i'] = '2' if full_screen else '1'
# 设置 RDP Server 地址
endpoint = self.get_smart_endpoint(protocol='rdp', asset=token.asset)
rdp_options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
# 设置用户名
rdp_options['username:s'] = '{}|{}'.format(token.user.username, str(token.id))
# rdp_options['domain:s'] = token.account_ad_domain
# 设置宽高
height = self.request.query_params.get('height')
width = self.request.query_params.get('width')
if width and height:
rdp_options['desktopwidth:i'] = width
rdp_options['desktopheight:i'] = height
rdp_options['winposstr:s:'] = f'0,1,0,0,{width},{height}'
# 设置其他选项
rdp_options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
rdp_options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
# 设置远程应用, 不是 Mstsc
if token.connect_method != NativeClient.mstsc:
remote_app_options = token.get_remote_app_option()
rdp_options.update(remote_app_options)
2022-11-29 10:36:42 +00:00
# 文件名
name = token.asset.name
2022-08-10 10:17:59 +00:00
prefix_name = f'{token.user.username}-{name}'
filename = self.get_connect_filename(prefix_name)
2021-09-24 07:31:25 +00:00
content = ''
for k, v in rdp_options.items():
2021-09-24 07:31:25 +00:00
content += f'{k}:{v}\n'
2021-07-27 05:35:25 +00:00
return filename, content
2022-08-10 10:17:59 +00:00
@staticmethod
def get_connect_filename(prefix_name):
prefix_name = prefix_name.replace('/', '_')
prefix_name = prefix_name.replace('\\', '_')
prefix_name = prefix_name.replace('.', '_')
filename = f'{prefix_name}-jumpserver'
filename = urllib.parse.quote(filename)
return filename
@staticmethod
def parse_env_bool(env_key, env_default, true_value, false_value):
return true_value if is_true(os.getenv(env_key, env_default)) else false_value
def get_client_protocol_data(self, token: ConnectionToken):
_os = get_request_os(self.request)
connect_method_name = token.connect_method
2022-12-07 07:09:01 +00:00
connect_method_dict = ConnectMethodUtil.get_connect_method(
token.connect_method, token.protocol, _os
)
if connect_method_dict is None:
raise ValueError('Connect method not support: {}'.format(connect_method_name))
2022-03-28 11:52:48 +00:00
data = {
'id': str(token.id),
'value': token.value,
'protocol': token.protocol,
'command': '',
'file': {}
2022-03-28 11:52:48 +00:00
}
if connect_method_name == NativeClient.mstsc or connect_method_dict['type'] == 'applet':
filename, content = self.get_rdp_file_info(token)
data.update({
'protocol': 'rdp',
'file': {
'name': filename,
'content': content,
}
})
else:
print("Connect method: {}".format(connect_method_dict))
endpoint = self.get_smart_endpoint(
protocol=connect_method_dict['endpoint_protocol'],
asset=token.asset
)
cmd = NativeClient.get_launch_command(connect_method_name, token, endpoint)
data.update({'command': cmd})
return data
2022-03-28 11:52:48 +00:00
def get_smart_endpoint(self, protocol, asset=None):
target_ip = asset.get_target_ip() if asset else ''
endpoint = EndpointRule.match_endpoint(target_ip, protocol, self.request)
return endpoint
2021-09-24 07:31:25 +00:00
class ExtraActionApiMixin(RDPFileClientProtocolURLMixin):
request: Request
get_object: callable
get_serializer: callable
perform_create: callable
2022-11-28 07:01:16 +00:00
@action(methods=['POST', 'GET'], detail=True, url_path='rdp-file')
def get_rdp_file(self, *args, **kwargs):
token = self.get_object()
2022-11-23 08:11:17 +00:00
token.is_valid()
filename, content = self.get_rdp_file_info(token)
filename = '{}.rdp'.format(filename)
response = HttpResponse(content, content_type='application/octet-stream')
2022-04-24 09:00:48 +00:00
response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
return response
2022-11-28 07:01:16 +00:00
@action(methods=['POST', 'GET'], detail=True, url_path='client-url')
def get_client_protocol_url(self, *args, **kwargs):
token = self.get_object()
2022-11-23 08:11:17 +00:00
token.is_valid()
try:
protocol_data = self.get_client_protocol_data(token)
except ValueError as e:
return Response(data={'error': str(e)}, status=status.HTTP_400_BAD_REQUEST)
protocol_data = json.dumps(protocol_data).encode()
protocol_data = base64.b64encode(protocol_data).decode()
data = {
'url': 'jms://{}'.format(protocol_data)
}
return Response(data=data)
@action(methods=['PATCH'], detail=True)
def expire(self, request, *args, **kwargs):
instance = self.get_object()
instance.expire()
return Response(status=status.HTTP_204_NO_CONTENT)
class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelViewSet):
filterset_fields = (
'user_display', 'asset_display'
)
search_fields = filterset_fields
serializer_classes = {
'default': ConnectionTokenSerializer,
}
rbac_perms = {
'list': 'authentication.view_connectiontoken',
'retrieve': 'authentication.view_connectiontoken',
'create': 'authentication.add_connectiontoken',
'expire': 'authentication.add_connectiontoken',
'get_rdp_file': 'authentication.add_connectiontoken',
'get_client_protocol_url': 'authentication.add_connectiontoken',
}
def get_queryset(self):
queryset = ConnectionToken.objects \
.filter(user=self.request.user) \
.filter(date_expired__gt=timezone.now())
2022-11-28 14:58:43 +00:00
return queryset
def get_user(self, serializer):
return self.request.user
def perform_create(self, serializer):
2022-11-22 13:54:40 +00:00
self.validate_serializer(serializer)
return super().perform_create(serializer)
2022-11-22 13:54:40 +00:00
def validate_serializer(self, serializer):
from perms.utils.account import PermAccountUtil
2022-11-22 13:54:40 +00:00
data = serializer.validated_data
user = self.get_user(serializer)
asset = data.get('asset')
account_name = data.get('account')
2022-11-22 13:54:40 +00:00
data['org_id'] = asset.org_id
data['user'] = user
2022-11-25 15:09:55 +00:00
data['value'] = random_string(16)
2022-11-22 13:54:40 +00:00
util = PermAccountUtil()
2022-11-25 15:09:55 +00:00
permed_account = util.validate_permission(user, asset, account_name)
2022-11-22 13:54:40 +00:00
if not permed_account or not permed_account.actions:
2022-12-15 08:02:34 +00:00
msg = 'user `{}` not has asset `{}` permission for account `{}`'.format(
2022-11-25 15:09:55 +00:00
user, asset, account_name
2022-11-22 13:54:40 +00:00
)
raise PermissionDenied(msg)
if permed_account.date_expired < timezone.now():
raise PermissionDenied('Expired')
if permed_account.has_secret:
2022-11-25 15:09:55 +00:00
data['input_secret'] = ''
2022-11-22 13:54:40 +00:00
if permed_account.username != '@INPUT':
2022-11-25 15:09:55 +00:00
data['input_username'] = ''
2022-11-22 13:54:40 +00:00
return permed_account
class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
2022-04-24 09:00:48 +00:00
serializer_classes = {
'default': SuperConnectionTokenSerializer,
2022-12-07 07:09:01 +00:00
'get_secret_detail': ConnectionTokenSecretSerializer,
2022-04-24 09:00:48 +00:00
}
rbac_perms = {
'create': 'authentication.add_superconnectiontoken',
2022-12-07 07:09:01 +00:00
'renewal': 'authentication.add_superconnectiontoken',
'get_secret_detail': 'authentication.view_connectiontokensecret',
'get_applet_info': 'authentication.view_superconnectiontoken',
'release_applet_account': 'authentication.view_superconnectiontoken',
2022-04-24 09:00:48 +00:00
}
def get_queryset(self):
return ConnectionToken.objects.all()
def get_user(self, serializer):
return serializer.validated_data.get('user')
@action(methods=['PATCH'], detail=False)
2022-04-24 09:00:48 +00:00
def renewal(self, request, *args, **kwargs):
from common.utils.timezone import as_current_tz
2022-11-28 14:58:43 +00:00
token_id = request.data.get('id') or ''
token = get_object_or_404(ConnectionToken, pk=token_id)
date_expired = as_current_tz(token.date_expired)
if token.is_expired:
raise PermissionDenied('Token is expired at: {}'.format(date_expired))
token.renewal()
data = {
'ok': True,
'msg': f'Token is renewed, date expired: {date_expired}'
}
return Response(data=data, status=status.HTTP_200_OK)
2022-12-07 07:09:01 +00:00
@action(methods=['POST'], detail=False, url_path='secret')
def get_secret_detail(self, request, *args, **kwargs):
""" 非常重要的 api, 在逻辑层再判断一下 rbac 权限, 双重保险 """
rbac_perm = 'authentication.view_connectiontokensecret'
if not request.user.has_perm(rbac_perm):
raise PermissionDenied('Not allow to view secret')
token_id = request.data.get('id') or ''
token = get_object_or_404(ConnectionToken, pk=token_id)
if token.is_expired:
raise ValidationError({'id': 'Token is expired'})
token.is_valid()
serializer = self.get_serializer(instance=token)
expire_now = request.data.get('expire_now', True)
if expire_now:
token.expire()
return Response(serializer.data, status=status.HTTP_200_OK)
@action(methods=['POST'], detail=False, url_path='applet-option')
def get_applet_info(self, *args, **kwargs):
token_id = self.request.data.get('id')
token = get_object_or_404(ConnectionToken, pk=token_id)
if token.is_expired:
return Response({'error': 'Token expired'}, status=status.HTTP_400_BAD_REQUEST)
data = token.get_applet_option()
serializer = ConnectTokenAppletOptionSerializer(data)
return Response(serializer.data)
@action(methods=['DELETE', 'POST'], detail=False, url_path='applet-account/release')
def release_applet_account(self, *args, **kwargs):
account_id = self.request.data.get('id')
msg = ConnectionToken.release_applet_account(account_id)
return Response({'msg': msg})