jumpserver/apps/accounts/api/automations/check_account.py

# -*- coding: utf-8 -*-
#
from django.db.models import Q, Count
from django.http import HttpResponse
from django.shortcuts import get_object_or_404
from django.utils import timezone
from rest_framework.decorators import action
from rest_framework.exceptions import MethodNotAllowed
from rest_framework.response import Response

from accounts import serializers
from accounts.const import AutomationTypes
from accounts.models import (
    CheckAccountAutomation,
    AccountRisk,
    RiskChoice,
    CheckAccountEngine,
    AutomationExecution,
)
from assets.models import Asset
from common.api import JMSModelViewSet
from common.utils import many_get
from orgs.mixins.api import OrgBulkModelViewSet
from .base import AutomationExecutionViewSet

__all__ = [
    "CheckAccountAutomationViewSet",
    "CheckAccountExecutionViewSet",
    "AccountRiskViewSet",
    "CheckAccountEngineViewSet",
]

from ...risk_handlers import RiskHandler


class CheckAccountAutomationViewSet(OrgBulkModelViewSet):
    model = CheckAccountAutomation
    filterset_fields = ("name",)
    search_fields = filterset_fields
    serializer_class = serializers.CheckAccountAutomationSerializer


class CheckAccountExecutionViewSet(AutomationExecutionViewSet):
    rbac_perms = (
        ("list", "accounts.view_checkaccountexecution"),
        ("retrieve", "accounts.view_checkaccountsexecution"),
        ("create", "accounts.add_checkaccountexecution"),
        ("adhoc", "accounts.add_checkaccountexecution"),
        ("report", "accounts.view_checkaccountsexecution"),
    )
    ordering = ("-date_created",)
    tp = AutomationTypes.check_account

    def get_queryset(self):
        queryset = super().get_queryset()
        queryset = queryset.filter(automation__type=self.tp)
        return queryset

    @action(methods=["get"], detail=False, url_path="adhoc")
    def adhoc(self, request, *args, **kwargs):
        asset_id = request.query_params.get("asset_id")
        if not asset_id:
            return Response(status=400, data={"asset_id": "This field is required."})

        get_object_or_404(Asset, pk=asset_id)
        execution = AutomationExecution()
        execution.snapshot = {
            "assets": [asset_id],
            "nodes": [],
            "type": AutomationTypes.check_account,
            "engines": ["check_account_secret"],
            "name": "Check asset risk: {} {}".format(asset_id, timezone.now()),
        }
        execution.save()
        execution.start()
        report = execution.manager.gen_report()
        return HttpResponse(report)


class AccountRiskViewSet(OrgBulkModelViewSet):
    model = AccountRisk
    search_fields = ("username", "asset")
    filterset_fields = ("risk", "status", "asset")
    serializer_classes = {
        "default": serializers.AccountRiskSerializer,
        "assets": serializers.AssetRiskSerializer,
        "handle": serializers.HandleRiskSerializer,
    }
    ordering_fields = ("asset", "risk", "status", "username", "date_created")
    ordering = ("status", "asset", "date_created")
    rbac_perms = {
        "sync_accounts": "assets.add_accountrisk",
        "assets": "accounts.view_accountrisk",
        "handle": "accounts.change_accountrisk",
    }

    def update(self, request, *args, **kwargs):
        raise MethodNotAllowed("PUT")

    def create(self, request, *args, **kwargs):
        raise MethodNotAllowed("POST")

    @action(methods=["get"], detail=False, url_path="assets")
    def assets(self, request, *args, **kwargs):
        annotations = {
            f"{risk[0]}_count": Count("id", filter=Q(risk=risk[0]))
            for risk in RiskChoice.choices
        }
        queryset = (
            AccountRisk.objects.select_related(
                "asset", "asset__platform"
            )  # 使用 select_related 来优化 asset 和 asset__platform 的查询
            .values(
                "asset__id", "asset__name", "asset__address", "asset__platform__name"
            )  # 添加需要的字段
            .annotate(risk_total=Count("id"))  # 计算风险总数
            .annotate(**annotations)  # 使用上面定义的 annotations 进行计数
        )
        return self.get_paginated_response_from_queryset(queryset)

    @action(methods=["post"], detail=False, url_path="handle")
    def handle(self, request, *args, **kwargs):
        s = self.get_serializer(data=request.data)
        s.is_valid(raise_exception=True)

        asset, username, act, risk = many_get(
            s.validated_data, ("asset", "username", "action", "risk")
        )
        handler = RiskHandler(asset=asset, username=username, request=self.request)
        data = handler.handle(act, risk)
        if not data:
            data = {"message": "Success"}
        s = serializers.AccountRiskSerializer(instance=data)
        return Response(data=s.data)


class CheckAccountEngineViewSet(JMSModelViewSet):
    search_fields = ("name",)
    serializer_class = serializers.CheckAccountEngineSerializer

    perm_model = CheckAccountEngine

    def get_queryset(self):
        return CheckAccountEngine.get_default_engines()

    def filter_queryset(self, queryset: list):
        search = self.request.GET.get('search')
        if search is not None:
            queryset = [
                item for item in queryset
                if search in item['name']
            ]
        return queryset
merge: with pam (#14911) * perf: change i18n * perf: pam * perf: change translate * perf: add check account * perf: add date field * perf: add account filter * perf: remove some js * perf: add account status action * perf: update pam * perf: 修改 discover account * perf: update filter * perf: update gathered account * perf: 修改账号同步 * perf: squash migrations * perf: update pam * perf: change i18n * perf: update account risk * perf: 更新风险发现 * perf: remove css * perf: Admin connection token * perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks * perf: Modify account migration files * perf: update pam * perf: remove to check account dir * perf: Admin connection token * perf: update check account * perf: 优化发送结果 * perf: update pam * perf: update bulk update create * perf: prepaire using thread timer for bulk_create_decorator * perf: update bulk create decorator * perf: 优化 playbook manager * perf: 优化收集账号的报表 * perf: Update poetry * perf: Update Dockerfile with new base image tag * fix: Account migrate 0012 file * perf: 修改备份 * perf: update pam * fix: Expand resource_type filter to include raw type * feat: PAM Service (#14552) * feat: PAM Service * perf: import package name --------- Co-authored-by: jiangweidong <1053570670@qq.com> * perf: Change secret dashboard (#14551) Co-authored-by: feng <1304903146@qq.com> * perf: update migrations * perf: 修改支持 pam * perf: Change secret record table dashboard * perf: update status * fix: Automation send report * perf: Change secret report * feat: windows accounts gather * perf: update change status * perf: Account backup * perf: Account backup report * perf: Account migrate * perf: update service to application * perf: update migrations * perf: update logo * feat: oracle accounts gather (#14571) * feat: oracle accounts gather * feat: sqlserver accounts gather * feat: postgresql accounts gather * feat: mysql accounts gather --------- Co-authored-by: wangruidong <940853815@qq.com> * feat: mongodb accounts gather * perf: Change secret * perf: Migrate * perf: Merge conflicting migration files * perf: Change secret * perf: Automation filter org * perf: Account push * perf: Random secret string * perf: Enhance SQL query and update risk handling in accounts * perf: Ticket filter assignee_id * perf: 修改 account remote * perf: 修改一些 adhoc 任务 * perf: Change secret * perf: Remove push account extra api * perf: update status * perf: The entire organization can view activity log * fix: risk field check * perf: add account details api * perf: add demo mode * perf: Delete gather_account * perf: Perfect solution to account version problem * perf: Update status action to handle multiple accounts * perf: Add GatherAccountDetailField and update serializers * perf: Display account history in combination with password change records * perf: Lina translate * fix: Update mysql_filter to handle nested user info * perf: Admin connection token validate_permission account * perf: copy move account * perf: account filter risk * perf: account risk filter * perf: Copy move account failed message * fix: gather account sync account to asset * perf: Pam dashboard * perf: Account dashboard total accounts * perf: Pam dashboard * perf: Change secret filter account secret_reset * perf: 修改 risk filter * perf: pam translate * feat: Check for leaked duplicate passwords. (#14711) * feat: Check for leaked duplicate passwords. * perf: Use SQLite instead of txt as leak password database --------- Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: 老广 <ibuler@qq.com> * perf: merge with remote * perf: Add risk change_password_add handle * perf: Pam dashboard * perf: check account manager import * perf: 重构扫描 * perf: 修改 db * perf: Gather account manager * perf: update change db lib * perf: dashboard * perf: Account gather * perf: 修改 asset get queryset * perf: automation report * perf: Pam account * perf: Pam dashboard api * perf: risk add account * perf: 修改 risk check * perf: Risk account * perf: update risk add reopen action * perf: add pylintrc * Revert "perf: automation report" This reverts commit 22aee542071638bcefae5a244bcabf76f794d7c3. * perf: check account engine * perf: Perf: Optimism Gather Report Style * Perf: Remove unuser actions * Perf: Perf push account * perf: perf gather account * perf: Automation report * perf: Push account recorder * perf: Push account record * perf: Pam dashboard * perf: perf * perf: update intergration * perf: integrations application detail add account tab page * feat: Custom change password supports configuration of interactive items * perf: Go and Python demo code * perf: Custom secret change * perf: add user filter * perf: translate * perf: Add demo code docs * perf: update some i18n * perf: update some i18n * perf: Add Java, Node, Go, and cURL demo code * perf: Translate * perf: Change secret translate * perf: Translate * perf: update some i18n * perf: translate * perf: Ansible playbook * perf: update some choice * perf: update some choice * perf: update account serializer remote unused code * perf: conflict * perf: update import --------- Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng <1304903146@qq.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: wangruidong <940853815@qq.com> Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com> Co-authored-by: zhaojisen <1301338853@qq.com> 2025-02-21 08:39:57 +00:00			`# -- coding: utf-8 --`
			`#`
			`from django.db.models import Q, Count`
			`from django.http import HttpResponse`
			`from django.shortcuts import get_object_or_404`
			`from django.utils import timezone`
			`from rest_framework.decorators import action`
			`from rest_framework.exceptions import MethodNotAllowed`
			`from rest_framework.response import Response`

			`from accounts import serializers`
			`from accounts.const import AutomationTypes`
			`from accounts.models import (`
			`CheckAccountAutomation,`
			`AccountRisk,`
			`RiskChoice,`
			`CheckAccountEngine,`
			`AutomationExecution,`
			`)`
			`from assets.models import Asset`
			`from common.api import JMSModelViewSet`
			`from common.utils import many_get`
			`from orgs.mixins.api import OrgBulkModelViewSet`
			`from .base import AutomationExecutionViewSet`

			`__all__ = [`
			`"CheckAccountAutomationViewSet",`
			`"CheckAccountExecutionViewSet",`
			`"AccountRiskViewSet",`
			`"CheckAccountEngineViewSet",`
			`]`

			`from ...risk_handlers import RiskHandler`


			`class CheckAccountAutomationViewSet(OrgBulkModelViewSet):`
			`model = CheckAccountAutomation`
			`filterset_fields = ("name",)`
			`search_fields = filterset_fields`
			`serializer_class = serializers.CheckAccountAutomationSerializer`


			`class CheckAccountExecutionViewSet(AutomationExecutionViewSet):`
			`rbac_perms = (`
			`("list", "accounts.view_checkaccountexecution"),`
			`("retrieve", "accounts.view_checkaccountsexecution"),`
			`("create", "accounts.add_checkaccountexecution"),`
			`("adhoc", "accounts.add_checkaccountexecution"),`
			`("report", "accounts.view_checkaccountsexecution"),`
			`)`
			`ordering = ("-date_created",)`
			`tp = AutomationTypes.check_account`

			`def get_queryset(self):`
			`queryset = super().get_queryset()`
			`queryset = queryset.filter(automation__type=self.tp)`
			`return queryset`

			`@action(methods=["get"], detail=False, url_path="adhoc")`
			`def adhoc(self, request, args, *kwargs):`
			`asset_id = request.query_params.get("asset_id")`
			`if not asset_id:`
			`return Response(status=400, data={"asset_id": "This field is required."})`

			`get_object_or_404(Asset, pk=asset_id)`
			`execution = AutomationExecution()`
			`execution.snapshot = {`
			`"assets": [asset_id],`
			`"nodes": [],`
			`"type": AutomationTypes.check_account,`
			`"engines": ["check_account_secret"],`
			`"name": "Check asset risk: {} {}".format(asset_id, timezone.now()),`
			`}`
			`execution.save()`
			`execution.start()`
			`report = execution.manager.gen_report()`
			`return HttpResponse(report)`


			`class AccountRiskViewSet(OrgBulkModelViewSet):`
			`model = AccountRisk`
			`search_fields = ("username", "asset")`
			`filterset_fields = ("risk", "status", "asset")`
			`serializer_classes = {`
			`"default": serializers.AccountRiskSerializer,`
			`"assets": serializers.AssetRiskSerializer,`
			`"handle": serializers.HandleRiskSerializer,`
			`}`
			`ordering_fields = ("asset", "risk", "status", "username", "date_created")`
			`ordering = ("status", "asset", "date_created")`
			`rbac_perms = {`
			`"sync_accounts": "assets.add_accountrisk",`
			`"assets": "accounts.view_accountrisk",`
			`"handle": "accounts.change_accountrisk",`
			`}`

			`def update(self, request, args, *kwargs):`
			`raise MethodNotAllowed("PUT")`

			`def create(self, request, args, *kwargs):`
			`raise MethodNotAllowed("POST")`

			`@action(methods=["get"], detail=False, url_path="assets")`
			`def assets(self, request, args, *kwargs):`
			`annotations = {`
			`f"{risk[0]}_count": Count("id", filter=Q(risk=risk[0]))`
			`for risk in RiskChoice.choices`
			`}`
			`queryset = (`
			`AccountRisk.objects.select_related(`
			`"asset", "asset__platform"`
			`) # 使用 select_related 来优化 asset 和 asset__platform 的查询`
			`.values(`
			`"asset__id", "asset__name", "asset__address", "asset__platform__name"`
			`) # 添加需要的字段`
			`.annotate(risk_total=Count("id")) # 计算风险总数`
			`.annotate(**annotations) # 使用上面定义的 annotations 进行计数`
			`)`
			`return self.get_paginated_response_from_queryset(queryset)`

			`@action(methods=["post"], detail=False, url_path="handle")`
			`def handle(self, request, args, *kwargs):`
			`s = self.get_serializer(data=request.data)`
			`s.is_valid(raise_exception=True)`

			`asset, username, act, risk = many_get(`
			`s.validated_data, ("asset", "username", "action", "risk")`
			`)`
			`handler = RiskHandler(asset=asset, username=username, request=self.request)`
			`data = handler.handle(act, risk)`
			`if not data:`
			`data = {"message": "Success"}`
			`s = serializers.AccountRiskSerializer(instance=data)`
			`return Response(data=s.data)`


			`class CheckAccountEngineViewSet(JMSModelViewSet):`
			`search_fields = ("name",)`
			`serializer_class = serializers.CheckAccountEngineSerializer`

			`perm_model = CheckAccountEngine`

			`def get_queryset(self):`
			`return CheckAccountEngine.get_default_engines()`

			`def filter_queryset(self, queryset: list):`
			`search = self.request.GET.get('search')`
			`if search is not None:`
			`queryset = [`
			`item for item in queryset`
			`if search in item['name']`
			`]`
			`return queryset`