jumpserver/apps/perms/api/application/user_permission/common.py

# -*- coding: utf-8 -*-
#
import time

from django.shortcuts import get_object_or_404
from django.utils.decorators import method_decorator
from rest_framework.views import APIView, Response
from rest_framework import status
from rest_framework.generics import (
    ListAPIView, get_object_or_404
)

from orgs.utils import tmp_to_root_org, get_current_org
from applications.models import Application
from perms.utils.application.permission import (
    get_application_system_user_ids,
    validate_permission,
)
from .mixin import AppRoleAdminMixin, AppRoleUserMixin
from perms.hands import User, SystemUser
from perms import serializers


__all__ = [
    'UserGrantedApplicationSystemUsersApi',
    'MyGrantedApplicationSystemUsersApi',
    'ValidateUserApplicationPermissionApi'
]


class BaseGrantedApplicationSystemUsersApi(ListAPIView):
    serializer_class = serializers.ApplicationSystemUserSerializer
    only_fields = serializers.ApplicationSystemUserSerializer.Meta.only_fields
    user: None

    def get_application_system_user_ids(self, application):
        return get_application_system_user_ids(self.user, application)

    def get_queryset(self):
        application_id = self.kwargs.get('application_id')
        application = get_object_or_404(Application, id=application_id)
        system_user_ids = self.get_application_system_user_ids(application)
        system_users = SystemUser.objects.filter(id__in=system_user_ids)\
            .only(*self.only_fields).order_by('priority')
        return system_users


class UserGrantedApplicationSystemUsersApi(AppRoleAdminMixin, BaseGrantedApplicationSystemUsersApi):
    pass


class MyGrantedApplicationSystemUsersApi(AppRoleUserMixin, BaseGrantedApplicationSystemUsersApi):
    pass


@method_decorator(tmp_to_root_org(), name='get')
class ValidateUserApplicationPermissionApi(APIView):
    rbac_perms = {
        'GET': 'perms.view_applicationpermission'
    }

    def get(self, request, *args, **kwargs):
        user_id = request.query_params.get('user_id', '')
        application_id = request.query_params.get('application_id', '')
        system_user_id = request.query_params.get('system_user_id', '')

        data = {
            'has_permission': False,
            'expire_at': int(time.time()),
            'actions': []
        }
        if not all((user_id, application_id, system_user_id)):
            return Response(data)

        user = User.objects.get(id=user_id)
        application = Application.objects.get(id=application_id)
        system_user = SystemUser.objects.get(id=system_user_id)
        has_perm, actions, expire_at = validate_permission(user, application, system_user)
        status_code = status.HTTP_200_OK if has_perm else status.HTTP_403_FORBIDDEN
        data = {
            'has_permission': has_perm,
            'expire_at': int(expire_at),
            'actions': actions
        }
        return Response(data, status=status_code)
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`# -- coding: utf-8 --`
			`#`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`import time`

feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`from django.shortcuts import get_object_or_404`
fix(perms): 修复权限校验时的组织切换问题 (#5546) * fix(perms): 修复权限校验时的组织切换问题 * fix(perms): 修复获取actions的切换组织问题 * perf: 继续添加 application 的验证组织 Co-authored-by: ibuler <ibuler@qq.com> 2021-02-03 04:01:18 +00:00			`from django.utils.decorators import method_decorator`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`from rest_framework.views import APIView, Response`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`from rest_framework import status`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`from rest_framework.generics import (`
			`ListAPIView, get_object_or_404`
			`)`

fix: validate app perm error 2022-03-07 03:40:32 +00:00			`from orgs.utils import tmp_to_root_org, get_current_org`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`from applications.models import Application`
refactor(perms): 修改授权规则的目录结构（asset、application) 2020-10-22 10:13:14 +00:00			`from perms.utils.application.permission import (`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`get_application_system_user_ids,`
			`validate_permission,`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`)`
fix: 修改授权权限 2022-03-15 02:52:19 +00:00			`from .mixin import AppRoleAdminMixin, AppRoleUserMixin`
refactor(perms): 修改授权规则的目录结构（asset、application) 2020-10-22 10:13:14 +00:00			`from perms.hands import User, SystemUser`
			`from perms import serializers`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00

			`__all__ = [`
			`'UserGrantedApplicationSystemUsersApi',`
			`'MyGrantedApplicationSystemUsersApi',`
			`'ValidateUserApplicationPermissionApi'`
			`]`


perf: 修改 rbac tree (#7743) * perf: 修改 rbac tree * perf: 修改verbose name * fix: 修复系统用户 * fix: 还原 xpack Co-authored-by: ibuler <ibuler@qq.com> 2022-03-07 03:19:03 +00:00			`class BaseGrantedApplicationSystemUsersApi(ListAPIView):`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`serializer_class = serializers.ApplicationSystemUserSerializer`
			`only_fields = serializers.ApplicationSystemUserSerializer.Meta.only_fields`
			`user: None`

perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`def get_application_system_user_ids(self, application):`
			`return get_application_system_user_ids(self.user, application)`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00
			`def get_queryset(self):`
			`application_id = self.kwargs.get('application_id')`
			`application = get_object_or_404(Application, id=application_id)`
perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`system_user_ids = self.get_application_system_user_ids(application)`
			`system_users = SystemUser.objects.filter(id__in=system_user_ids)\`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`.only(*self.only_fields).order_by('priority')`
			`return system_users`


fix: 修改授权权限 2022-03-15 02:52:19 +00:00			`class UserGrantedApplicationSystemUsersApi(AppRoleAdminMixin, BaseGrantedApplicationSystemUsersApi):`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`pass`


fix: 修改授权权限 2022-03-15 02:52:19 +00:00			`class MyGrantedApplicationSystemUsersApi(AppRoleUserMixin, BaseGrantedApplicationSystemUsersApi):`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`pass`


fix(perms): 修复权限校验时的组织切换问题 (#5546) * fix(perms): 修复权限校验时的组织切换问题 * fix(perms): 修复获取actions的切换组织问题 * perf: 继续添加 application 的验证组织 Co-authored-by: ibuler <ibuler@qq.com> 2021-02-03 04:01:18 +00:00			`@method_decorator(tmp_to_root_org(), name='get')`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00			`class ValidateUserApplicationPermissionApi(APIView):`
fix: fix rbac to dev (#7636) * feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com> 2022-02-17 12:13:31 +00:00			`rbac_perms = {`
fix: validate app perm error 2022-03-07 03:40:32 +00:00			`'GET': 'perms.view_applicationpermission'`
fix: fix rbac to dev (#7636) * feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com> 2022-02-17 12:13:31 +00:00			`}`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00
			`def get(self, request, args, *kwargs):`
			`user_id = request.query_params.get('user_id', '')`
			`application_id = request.query_params.get('application_id', '')`
			`system_user_id = request.query_params.get('system_user_id', '')`

feat: 应用授权增加Action动作控制 2021-12-22 09:35:32 +00:00			`data = {`
			`'has_permission': False,`
			`'expire_at': int(time.time()),`
			`'actions': []`
			`}`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`if not all((user_id, application_id, system_user_id)):`
feat: 应用授权增加Action动作控制 2021-12-22 09:35:32 +00:00			`return Response(data)`
feat(perms): 添加ApplicationPermission API（包含用户/用户组/授权/校验等API) 2020-10-22 09:05:47 +00:00
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`user = User.objects.get(id=user_id)`
			`application = Application.objects.get(id=application_id)`
			`system_user = SystemUser.objects.get(id=system_user_id)`
feat: 应用授权增加Action动作控制 2021-12-22 09:35:32 +00:00			`has_perm, actions, expire_at = validate_permission(user, application, system_user)`
			`status_code = status.HTTP_200_OK if has_perm else status.HTTP_403_FORBIDDEN`
			`data = {`
			`'has_permission': has_perm,`
			`'expire_at': int(expire_at),`
			`'actions': actions`
			`}`
			`return Response(data, status=status_code)`