2025-01-03 06:45:54 +00:00
|
|
|
|
from django.db import transaction
|
2022-12-07 11:26:25 +00:00
|
|
|
|
from django.shortcuts import get_object_or_404
|
2025-01-03 06:45:54 +00:00
|
|
|
|
from django.utils.translation import gettext_lazy as _
|
2022-02-28 11:28:58 +00:00
|
|
|
|
from rest_framework.decorators import action
|
2023-04-03 10:18:31 +00:00
|
|
|
|
from rest_framework.generics import ListAPIView, CreateAPIView
|
2022-12-21 10:36:15 +00:00
|
|
|
|
from rest_framework.response import Response
|
2023-03-23 03:20:48 +00:00
|
|
|
|
from rest_framework.status import HTTP_200_OK
|
2021-07-08 06:23:18 +00:00
|
|
|
|
|
2023-01-16 11:02:09 +00:00
|
|
|
|
from accounts import serializers
|
2024-12-25 03:19:39 +00:00
|
|
|
|
from accounts.const import ChangeSecretRecordStatusChoice
|
2023-02-07 11:45:12 +00:00
|
|
|
|
from accounts.filters import AccountFilterSet
|
2023-08-29 06:21:06 +00:00
|
|
|
|
from accounts.mixins import AccountRecordViewLogMixin
|
2024-12-25 03:19:39 +00:00
|
|
|
|
from accounts.models import Account, ChangeSecretRecord
|
2023-02-27 06:20:58 +00:00
|
|
|
|
from assets.models import Asset, Node
|
2023-10-12 08:17:32 +00:00
|
|
|
|
from authentication.permissions import UserConfirmation, ConfirmType
|
2023-08-28 07:43:45 +00:00
|
|
|
|
from common.api.mixin import ExtraFilterFieldsMixin
|
2024-12-02 02:32:52 +00:00
|
|
|
|
from common.drf.filters import AttrRulesFilterBackend
|
2024-12-04 10:47:14 +00:00
|
|
|
|
from common.permissions import IsValidUser
|
2025-01-03 06:45:54 +00:00
|
|
|
|
from common.utils import lazyproperty, get_logger
|
2022-12-21 10:36:15 +00:00
|
|
|
|
from orgs.mixins.api import OrgBulkModelViewSet
|
2023-02-23 03:27:03 +00:00
|
|
|
|
from rbac.permissions import RBACPermission
|
2021-07-08 06:23:18 +00:00
|
|
|
|
|
2025-01-03 06:45:54 +00:00
|
|
|
|
logger = get_logger(__file__)
|
|
|
|
|
|
|
2022-12-07 11:30:26 +00:00
|
|
|
|
__all__ = [
|
2023-02-16 10:32:04 +00:00
|
|
|
|
'AccountViewSet', 'AccountSecretsViewSet',
|
2023-04-03 10:18:31 +00:00
|
|
|
|
'AccountHistoriesSecretAPI', 'AssetAccountBulkCreateApi',
|
2022-12-07 11:30:26 +00:00
|
|
|
|
]
|
2021-07-12 07:55:29 +00:00
|
|
|
|
|
|
|
|
|
|
|
2021-07-08 06:23:18 +00:00
|
|
|
|
class AccountViewSet(OrgBulkModelViewSet):
|
2022-07-14 02:56:09 +00:00
|
|
|
|
model = Account
|
2023-08-09 09:02:41 +00:00
|
|
|
|
search_fields = ('username', 'name', 'asset__name', 'asset__address', 'comment')
|
2024-12-02 02:32:52 +00:00
|
|
|
|
extra_filter_backends = [AttrRulesFilterBackend]
|
2021-07-12 07:55:29 +00:00
|
|
|
|
filterset_class = AccountFilterSet
|
2021-07-08 06:23:18 +00:00
|
|
|
|
serializer_classes = {
|
|
|
|
|
|
'default': serializers.AccountSerializer,
|
2023-07-31 09:39:30 +00:00
|
|
|
|
'retrieve': serializers.AccountDetailSerializer,
|
2021-07-08 06:23:18 +00:00
|
|
|
|
}
|
2022-02-22 07:37:56 +00:00
|
|
|
|
rbac_perms = {
|
2023-02-16 11:39:10 +00:00
|
|
|
|
'partial_update': ['accounts.change_account'],
|
2023-02-14 03:37:57 +00:00
|
|
|
|
'su_from_accounts': 'accounts.view_account',
|
2023-03-23 08:04:09 +00:00
|
|
|
|
'clear_secret': 'accounts.change_account',
|
2025-01-02 12:42:34 +00:00
|
|
|
|
'move_to_assets': 'accounts.create_account',
|
|
|
|
|
|
'copy_to_assets': 'accounts.create_account',
|
2022-02-22 07:37:56 +00:00
|
|
|
|
}
|
2023-05-18 10:33:22 +00:00
|
|
|
|
export_as_zip = True
|
2021-07-08 06:23:18 +00:00
|
|
|
|
|
2022-12-20 08:13:44 +00:00
|
|
|
|
@action(methods=['get'], detail=False, url_path='su-from-accounts')
|
2022-12-06 09:32:48 +00:00
|
|
|
|
def su_from_accounts(self, request, *args, **kwargs):
|
2022-12-20 08:13:44 +00:00
|
|
|
|
account_id = request.query_params.get('account')
|
|
|
|
|
|
asset_id = request.query_params.get('asset')
|
2023-02-21 05:00:04 +00:00
|
|
|
|
|
2022-12-20 08:13:44 +00:00
|
|
|
|
if account_id:
|
|
|
|
|
|
account = get_object_or_404(Account, pk=account_id)
|
|
|
|
|
|
accounts = account.get_su_from_accounts()
|
|
|
|
|
|
elif asset_id:
|
|
|
|
|
|
asset = get_object_or_404(Asset, pk=asset_id)
|
|
|
|
|
|
accounts = asset.accounts.all()
|
|
|
|
|
|
else:
|
2023-03-08 02:58:37 +00:00
|
|
|
|
accounts = Account.objects.none()
|
2023-02-21 13:09:28 +00:00
|
|
|
|
accounts = self.filter_queryset(accounts)
|
2022-12-06 09:32:48 +00:00
|
|
|
|
serializer = serializers.AccountSerializer(accounts, many=True)
|
|
|
|
|
|
return Response(data=serializer.data)
|
|
|
|
|
|
|
2023-03-30 08:06:30 +00:00
|
|
|
|
@action(
|
2023-07-27 06:04:29 +00:00
|
|
|
|
methods=['post'], detail=False, url_path='username-suggestions',
|
2023-03-30 08:06:30 +00:00
|
|
|
|
permission_classes=[IsValidUser]
|
|
|
|
|
|
)
|
2023-02-27 06:20:58 +00:00
|
|
|
|
def username_suggestions(self, request, *args, **kwargs):
|
2023-09-27 06:13:06 +00:00
|
|
|
|
asset_ids = request.data.get('assets', [])
|
|
|
|
|
|
node_ids = request.data.get('nodes', [])
|
|
|
|
|
|
username = request.data.get('username', '')
|
2023-02-27 06:20:58 +00:00
|
|
|
|
|
2023-09-27 06:13:06 +00:00
|
|
|
|
accounts = Account.objects.all()
|
2023-07-27 06:04:29 +00:00
|
|
|
|
if node_ids:
|
|
|
|
|
|
nodes = Node.objects.filter(id__in=node_ids)
|
|
|
|
|
|
node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
|
2023-09-27 06:13:06 +00:00
|
|
|
|
asset_ids.extend(node_asset_ids)
|
|
|
|
|
|
|
|
|
|
|
|
if asset_ids:
|
|
|
|
|
|
accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
|
2023-02-27 06:20:58 +00:00
|
|
|
|
|
|
|
|
|
|
if username:
|
|
|
|
|
|
accounts = accounts.filter(username__icontains=username)
|
|
|
|
|
|
usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
|
|
|
|
|
|
usernames.sort()
|
|
|
|
|
|
common = [i for i in usernames if i in usernames if i.lower() in ['root', 'admin', 'administrator']]
|
|
|
|
|
|
others = [i for i in usernames if i not in common]
|
|
|
|
|
|
usernames = common + others
|
|
|
|
|
|
return Response(data=usernames)
|
|
|
|
|
|
|
2023-03-23 08:04:09 +00:00
|
|
|
|
@action(methods=['patch'], detail=False, url_path='clear-secret')
|
|
|
|
|
|
def clear_secret(self, request, *args, **kwargs):
|
2023-03-23 03:20:48 +00:00
|
|
|
|
account_ids = request.data.get('account_ids', [])
|
|
|
|
|
|
self.model.objects.filter(id__in=account_ids).update(secret=None)
|
|
|
|
|
|
return Response(status=HTTP_200_OK)
|
2021-07-08 06:23:18 +00:00
|
|
|
|
|
2025-01-02 07:26:39 +00:00
|
|
|
|
def _copy_or_move_to_assets(self, request, move=False):
|
|
|
|
|
|
account = self.get_object()
|
|
|
|
|
|
asset_ids = request.data.get('assets', [])
|
|
|
|
|
|
assets = Asset.objects.filter(id__in=asset_ids)
|
|
|
|
|
|
field_names = [
|
|
|
|
|
|
'name', 'username', 'secret_type', 'secret',
|
|
|
|
|
|
'privileged', 'is_active', 'source', 'source_id', 'comment'
|
|
|
|
|
|
]
|
|
|
|
|
|
account_data = {field: getattr(account, field) for field in field_names}
|
|
|
|
|
|
|
|
|
|
|
|
creation_results = {}
|
|
|
|
|
|
success_count = 0
|
|
|
|
|
|
|
|
|
|
|
|
for asset in assets:
|
|
|
|
|
|
account_data['asset'] = asset
|
|
|
|
|
|
creation_results[asset] = {'state': 'created'}
|
|
|
|
|
|
try:
|
2025-01-03 06:45:54 +00:00
|
|
|
|
with transaction.atomic():
|
|
|
|
|
|
self.model.objects.create(**account_data)
|
|
|
|
|
|
success_count += 1
|
2025-01-02 07:26:39 +00:00
|
|
|
|
except Exception as e:
|
2025-01-03 06:45:54 +00:00
|
|
|
|
logger.debug(f'{ "Move" if move else "Copy" } to assets error: {e}')
|
|
|
|
|
|
creation_results[asset] = {'error': _('Account already exists'), 'state': 'error'}
|
2025-01-02 07:26:39 +00:00
|
|
|
|
|
2025-01-02 12:42:34 +00:00
|
|
|
|
results = [{'asset': str(asset), **res} for asset, res in creation_results.items()]
|
2025-01-02 07:26:39 +00:00
|
|
|
|
|
|
|
|
|
|
if move and success_count > 0:
|
|
|
|
|
|
account.delete()
|
|
|
|
|
|
|
2025-01-02 12:42:34 +00:00
|
|
|
|
return Response(results, status=HTTP_200_OK)
|
2025-01-02 07:26:39 +00:00
|
|
|
|
|
2025-01-02 12:42:34 +00:00
|
|
|
|
@action(methods=['post'], detail=True, url_path='move-to-assets')
|
2025-01-02 07:26:39 +00:00
|
|
|
|
def move_to_assets(self, request, *args, **kwargs):
|
|
|
|
|
|
return self._copy_or_move_to_assets(request, move=True)
|
|
|
|
|
|
|
2025-01-02 12:42:34 +00:00
|
|
|
|
@action(methods=['post'], detail=True, url_path='copy-to-assets')
|
2025-01-02 07:26:39 +00:00
|
|
|
|
def copy_to_assets(self, request, *args, **kwargs):
|
|
|
|
|
|
return self._copy_or_move_to_assets(request, move=False)
|
|
|
|
|
|
|
2023-03-27 09:17:20 +00:00
|
|
|
|
|
2023-08-29 06:21:06 +00:00
|
|
|
|
class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
|
2021-07-08 06:23:18 +00:00
|
|
|
|
"""
|
|
|
|
|
|
因为可能要导出所有账号,所以单独建立了一个 viewset
|
|
|
|
|
|
"""
|
|
|
|
|
|
serializer_classes = {
|
2022-11-01 03:13:18 +00:00
|
|
|
|
'default': serializers.AccountSecretSerializer,
|
2021-07-08 06:23:18 +00:00
|
|
|
|
}
|
2022-10-31 09:37:54 +00:00
|
|
|
|
http_method_names = ['get', 'options']
|
2023-02-17 04:30:11 +00:00
|
|
|
|
permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
|
2022-02-17 12:13:31 +00:00
|
|
|
|
rbac_perms = {
|
2023-02-14 03:29:04 +00:00
|
|
|
|
'list': 'accounts.view_accountsecret',
|
|
|
|
|
|
'retrieve': 'accounts.view_accountsecret',
|
2022-02-17 12:13:31 +00:00
|
|
|
|
}
|
2021-07-08 06:23:18 +00:00
|
|
|
|
|
2022-11-01 07:04:13 +00:00
|
|
|
|
|
2023-04-03 10:18:31 +00:00
|
|
|
|
class AssetAccountBulkCreateApi(CreateAPIView):
|
|
|
|
|
|
serializer_class = serializers.AssetAccountBulkSerializer
|
|
|
|
|
|
rbac_perms = {
|
|
|
|
|
|
'POST': 'accounts.add_account',
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
def create(self, request, *args, **kwargs):
|
|
|
|
|
|
serializer = self.get_serializer(data=request.data)
|
|
|
|
|
|
serializer.is_valid(raise_exception=True)
|
|
|
|
|
|
data = serializer.create(serializer.validated_data)
|
|
|
|
|
|
serializer = serializers.AssetAccountBulkSerializerResultSerializer(data, many=True)
|
|
|
|
|
|
return Response(data=serializer.data, status=HTTP_200_OK)
|
|
|
|
|
|
|
|
|
|
|
|
|
2023-08-29 06:21:06 +00:00
|
|
|
|
class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
|
2022-11-01 07:04:13 +00:00
|
|
|
|
model = Account.history.model
|
|
|
|
|
|
serializer_class = serializers.AccountHistorySerializer
|
|
|
|
|
|
http_method_names = ['get', 'options']
|
2022-12-21 10:37:05 +00:00
|
|
|
|
permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
|
2022-11-01 07:04:13 +00:00
|
|
|
|
rbac_perms = {
|
2023-02-23 03:27:03 +00:00
|
|
|
|
'GET': 'accounts.view_accountsecret',
|
2022-11-01 07:04:13 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2024-12-25 03:19:39 +00:00
|
|
|
|
@lazyproperty
|
|
|
|
|
|
def account(self) -> Account:
|
2023-02-22 09:58:00 +00:00
|
|
|
|
return get_object_or_404(Account, pk=self.kwargs.get('pk'))
|
|
|
|
|
|
|
2024-12-25 03:19:39 +00:00
|
|
|
|
def get_object(self):
|
|
|
|
|
|
return self.account
|
|
|
|
|
|
|
|
|
|
|
|
@lazyproperty
|
|
|
|
|
|
def latest_history(self):
|
|
|
|
|
|
return self.account.history.first()
|
|
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
|
def latest_change_secret_record(self) -> ChangeSecretRecord:
|
2025-01-23 09:19:06 +00:00
|
|
|
|
return self.account.changesecretrecords.filter(
|
2024-12-25 03:19:39 +00:00
|
|
|
|
status=ChangeSecretRecordStatusChoice.pending
|
|
|
|
|
|
).order_by('-date_created').first()
|
|
|
|
|
|
|
2023-04-19 02:37:46 +00:00
|
|
|
|
@staticmethod
|
|
|
|
|
|
def filter_spm_queryset(resource_ids, queryset):
|
|
|
|
|
|
return queryset.filter(history_id__in=resource_ids)
|
|
|
|
|
|
|
2022-11-01 07:04:13 +00:00
|
|
|
|
def get_queryset(self):
|
2024-12-25 03:19:39 +00:00
|
|
|
|
account = self.account
|
2023-02-22 09:58:00 +00:00
|
|
|
|
histories = account.history.all()
|
2024-12-25 03:19:39 +00:00
|
|
|
|
latest_history = self.latest_history
|
2023-07-31 09:39:30 +00:00
|
|
|
|
if not latest_history:
|
2023-02-22 09:58:00 +00:00
|
|
|
|
return histories
|
2023-07-31 09:39:30 +00:00
|
|
|
|
if account.secret != latest_history.secret:
|
|
|
|
|
|
return histories
|
|
|
|
|
|
if account.secret_type != latest_history.secret_type:
|
|
|
|
|
|
return histories
|
|
|
|
|
|
histories = histories.exclude(history_id=latest_history.history_id)
|
2023-02-22 09:58:00 +00:00
|
|
|
|
return histories
|
2024-12-25 03:19:39 +00:00
|
|
|
|
|
|
|
|
|
|
def filter_queryset(self, queryset):
|
|
|
|
|
|
queryset = super().filter_queryset(queryset)
|
|
|
|
|
|
queryset = list(queryset)
|
|
|
|
|
|
latest_history = self.latest_history
|
|
|
|
|
|
if not latest_history:
|
|
|
|
|
|
return queryset
|
|
|
|
|
|
|
|
|
|
|
|
latest_change_secret_record = self.latest_change_secret_record
|
|
|
|
|
|
if not latest_change_secret_record:
|
|
|
|
|
|
return queryset
|
|
|
|
|
|
|
|
|
|
|
|
if latest_change_secret_record.date_created > latest_history.history_date:
|
|
|
|
|
|
temp_history = self.model(
|
|
|
|
|
|
secret=latest_change_secret_record.new_secret,
|
|
|
|
|
|
secret_type=self.account.secret_type,
|
|
|
|
|
|
version=latest_history.version,
|
|
|
|
|
|
history_date=latest_change_secret_record.date_created,
|
|
|
|
|
|
)
|
|
|
|
|
|
queryset = [temp_history] + queryset
|
|
|
|
|
|
|
|
|
|
|
|
return queryset
|
