jumpserver/apps/accounts/demos/go/jms_pam.go

package main

import (
    "encoding/json"
    "fmt"
    "net/http"
    "net/url"

    "github.com/google/uuid"
    "gopkg.in/twindagger/httpsig.v1"
)

const DefaultOrgId = "00000000-0000-0000-0000-000000000002"

type RequestParamsError struct {
	Params []string
}

func (e *RequestParamsError) Error() string {
	return fmt.Sprintf("At least one of the following fields must be provided: %v.", e.Params)
}

type SecretRequest struct {
	AccountID string
	AssetID   string
	Asset     string
	Account   string
	Method    string
}

func NewSecretRequest(asset, assetID, account, accountID string) (*SecretRequest, error) {
	req := &SecretRequest{
		Asset:     asset,
		AssetID:   assetID,
		Account:   account,
		AccountID: accountID,
		Method:    http.MethodGet,
	}

	return req, req.validate()
}

func (r *SecretRequest) validate() error {
	if r.AccountID != "" {
        if _, err := uuid.Parse(r.AccountID); err != nil {
            return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AccountID)
        }
		return nil
	}

	if r.AssetID == "" && r.Asset == "" {
		return &RequestParamsError{Params: []string{"asset", "asset_id"}}
	}

	if r.Account == "" {
		return &RequestParamsError{Params: []string{"account", "account_id"}}
	}

	if r.AssetID != "" {
		if _, err := uuid.Parse(r.AssetID); err != nil {
			return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AssetID)
		}
	}
	return nil
}

func (r *SecretRequest) GetURL() string {
	return "/api/v1/accounts/service-integrations/account-secret/"
}

func (r *SecretRequest) GetQuery() url.Values {
	query := url.Values{}
	if r.AccountID != "" {
		query.Add("account_id", r.AccountID)
	}
	if r.AssetID != "" {
		query.Add("asset_id", r.AssetID)
	}
	if r.Asset != "" {
		query.Add("asset", r.Asset)
	}
	if r.Account != "" {
		query.Add("account", r.Account)
	}
	return query
}

type Secret struct {
	Secret string          `json:"secret,omitempty"`
	Desc   json.RawMessage `json:"desc,omitempty"`
	Valid  bool            `json:"valid"`
}

func FromResponse(response *http.Response) Secret {
	var secret Secret
	defer response.Body.Close()
	if response.StatusCode != http.StatusOK {
		var raw json.RawMessage
		if err := json.NewDecoder(response.Body).Decode(&raw); err == nil {
			secret.Desc = raw
		} else {
			secret.Desc = json.RawMessage(`{"error": "Unknown error occurred"}`)
		}
	} else {
		_ = json.NewDecoder(response.Body).Decode(&secret)
		secret.Valid = true
	}
	return secret
}

type JumpServerPAM struct {
	Endpoint   string
	KeyID      string
	KeySecret  string
	OrgID      string
	httpClient *http.Client
}

func NewJumpServerPAM(endpoint, keyID, keySecret, orgID string) *JumpServerPAM {
	if orgID == "" {
		orgID = DefaultOrgId
	}
	return &JumpServerPAM{
		Endpoint:   endpoint,
		KeyID:      keyID,
		KeySecret:  keySecret,
		OrgID:      orgID,
		httpClient: &http.Client{},
	}
}

func (c *JumpServerPAM) SignRequest(r *http.Request) error {
	headers := []string{"(request-target)", "date"}
	signer, err := httpsig.NewRequestSigner(c.KeyID, c.KeySecret, "hmac-sha256")
	if err != nil {
		return err
	}
	return signer.SignRequest(r, headers, nil)
}

func (c *JumpServerPAM) Send(req *SecretRequest) (Secret, error) {
	fullUrl := c.Endpoint + req.GetURL()
	query := req.GetQuery()
	fullURL := fmt.Sprintf("%s?%s", fullUrl, query.Encode())

	request, err := http.NewRequest(req.Method, fullURL, nil)
	if err != nil {
		return Secret{}, err
	}
	request.Header.Set("Accept", "application/json")
	request.Header.Set("X-Source", "jms-pam")
	err = c.SignRequest(request)
	if err != nil {
		return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
	}
	response, err := c.httpClient.Do(request)
	if err != nil {
		return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
	}

	return FromResponse(response), nil
}
merge: with pam (#14911) * perf: change i18n * perf: pam * perf: change translate * perf: add check account * perf: add date field * perf: add account filter * perf: remove some js * perf: add account status action * perf: update pam * perf: 修改 discover account * perf: update filter * perf: update gathered account * perf: 修改账号同步 * perf: squash migrations * perf: update pam * perf: change i18n * perf: update account risk * perf: 更新风险发现 * perf: remove css * perf: Admin connection token * perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks * perf: Modify account migration files * perf: update pam * perf: remove to check account dir * perf: Admin connection token * perf: update check account * perf: 优化发送结果 * perf: update pam * perf: update bulk update create * perf: prepaire using thread timer for bulk_create_decorator * perf: update bulk create decorator * perf: 优化 playbook manager * perf: 优化收集账号的报表 * perf: Update poetry * perf: Update Dockerfile with new base image tag * fix: Account migrate 0012 file * perf: 修改备份 * perf: update pam * fix: Expand resource_type filter to include raw type * feat: PAM Service (#14552) * feat: PAM Service * perf: import package name --------- Co-authored-by: jiangweidong <1053570670@qq.com> * perf: Change secret dashboard (#14551) Co-authored-by: feng <1304903146@qq.com> * perf: update migrations * perf: 修改支持 pam * perf: Change secret record table dashboard * perf: update status * fix: Automation send report * perf: Change secret report * feat: windows accounts gather * perf: update change status * perf: Account backup * perf: Account backup report * perf: Account migrate * perf: update service to application * perf: update migrations * perf: update logo * feat: oracle accounts gather (#14571) * feat: oracle accounts gather * feat: sqlserver accounts gather * feat: postgresql accounts gather * feat: mysql accounts gather --------- Co-authored-by: wangruidong <940853815@qq.com> * feat: mongodb accounts gather * perf: Change secret * perf: Migrate * perf: Merge conflicting migration files * perf: Change secret * perf: Automation filter org * perf: Account push * perf: Random secret string * perf: Enhance SQL query and update risk handling in accounts * perf: Ticket filter assignee_id * perf: 修改 account remote * perf: 修改一些 adhoc 任务 * perf: Change secret * perf: Remove push account extra api * perf: update status * perf: The entire organization can view activity log * fix: risk field check * perf: add account details api * perf: add demo mode * perf: Delete gather_account * perf: Perfect solution to account version problem * perf: Update status action to handle multiple accounts * perf: Add GatherAccountDetailField and update serializers * perf: Display account history in combination with password change records * perf: Lina translate * fix: Update mysql_filter to handle nested user info * perf: Admin connection token validate_permission account * perf: copy move account * perf: account filter risk * perf: account risk filter * perf: Copy move account failed message * fix: gather account sync account to asset * perf: Pam dashboard * perf: Account dashboard total accounts * perf: Pam dashboard * perf: Change secret filter account secret_reset * perf: 修改 risk filter * perf: pam translate * feat: Check for leaked duplicate passwords. (#14711) * feat: Check for leaked duplicate passwords. * perf: Use SQLite instead of txt as leak password database --------- Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: 老广 <ibuler@qq.com> * perf: merge with remote * perf: Add risk change_password_add handle * perf: Pam dashboard * perf: check account manager import * perf: 重构扫描 * perf: 修改 db * perf: Gather account manager * perf: update change db lib * perf: dashboard * perf: Account gather * perf: 修改 asset get queryset * perf: automation report * perf: Pam account * perf: Pam dashboard api * perf: risk add account * perf: 修改 risk check * perf: Risk account * perf: update risk add reopen action * perf: add pylintrc * Revert "perf: automation report" This reverts commit 22aee542071638bcefae5a244bcabf76f794d7c3. * perf: check account engine * perf: Perf: Optimism Gather Report Style * Perf: Remove unuser actions * Perf: Perf push account * perf: perf gather account * perf: Automation report * perf: Push account recorder * perf: Push account record * perf: Pam dashboard * perf: perf * perf: update intergration * perf: integrations application detail add account tab page * feat: Custom change password supports configuration of interactive items * perf: Go and Python demo code * perf: Custom secret change * perf: add user filter * perf: translate * perf: Add demo code docs * perf: update some i18n * perf: update some i18n * perf: Add Java, Node, Go, and cURL demo code * perf: Translate * perf: Change secret translate * perf: Translate * perf: update some i18n * perf: translate * perf: Ansible playbook * perf: update some choice * perf: update some choice * perf: update account serializer remote unused code * perf: conflict * perf: update import --------- Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng <1304903146@qq.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: wangruidong <940853815@qq.com> Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com> Co-authored-by: zhaojisen <1301338853@qq.com> 2025-02-21 08:39:57 +00:00			`package main`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"net/http"`
			`"net/url"`

			`"github.com/google/uuid"`
			`"gopkg.in/twindagger/httpsig.v1"`
			`)`

			`const DefaultOrgId = "00000000-0000-0000-0000-000000000002"`

			`type RequestParamsError struct {`
			`Params []string`
			`}`

			`func (e *RequestParamsError) Error() string {`
			`return fmt.Sprintf("At least one of the following fields must be provided: %v.", e.Params)`
			`}`

			`type SecretRequest struct {`
			`AccountID string`
			`AssetID string`
			`Asset string`
			`Account string`
			`Method string`
			`}`

			`func NewSecretRequest(asset, assetID, account, accountID string) (*SecretRequest, error) {`
			`req := &SecretRequest{`
			`Asset: asset,`
			`AssetID: assetID,`
			`Account: account,`
			`AccountID: accountID,`
			`Method: http.MethodGet,`
			`}`

			`return req, req.validate()`
			`}`

			`func (r *SecretRequest) validate() error {`
			`if r.AccountID != "" {`
			`if _, err := uuid.Parse(r.AccountID); err != nil {`
			`return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AccountID)`
			`}`
			`return nil`
			`}`

			`if r.AssetID == "" && r.Asset == "" {`
			`return &RequestParamsError{Params: []string{"asset", "asset_id"}}`
			`}`

			`if r.Account == "" {`
			`return &RequestParamsError{Params: []string{"account", "account_id"}}`
			`}`

			`if r.AssetID != "" {`
			`if _, err := uuid.Parse(r.AssetID); err != nil {`
			`return fmt.Errorf("invalid UUID: %s. Value must be a valid UUID", r.AssetID)`
			`}`
			`}`
			`return nil`
			`}`

			`func (r *SecretRequest) GetURL() string {`
			`return "/api/v1/accounts/service-integrations/account-secret/"`
			`}`

			`func (r *SecretRequest) GetQuery() url.Values {`
			`query := url.Values{}`
			`if r.AccountID != "" {`
			`query.Add("account_id", r.AccountID)`
			`}`
			`if r.AssetID != "" {`
			`query.Add("asset_id", r.AssetID)`
			`}`
			`if r.Asset != "" {`
			`query.Add("asset", r.Asset)`
			`}`
			`if r.Account != "" {`
			`query.Add("account", r.Account)`
			`}`
			`return query`
			`}`

			`type Secret struct {`
			Secret string `json:"secret,omitempty"`
			Desc json.RawMessage `json:"desc,omitempty"`
			Valid bool `json:"valid"`
			`}`

			`func FromResponse(response *http.Response) Secret {`
			`var secret Secret`
			`defer response.Body.Close()`
			`if response.StatusCode != http.StatusOK {`
			`var raw json.RawMessage`
			`if err := json.NewDecoder(response.Body).Decode(&raw); err == nil {`
			`secret.Desc = raw`
			`} else {`
			secret.Desc = json.RawMessage(`{"error": "Unknown error occurred"}`)
			`}`
			`} else {`
			`_ = json.NewDecoder(response.Body).Decode(&secret)`
			`secret.Valid = true`
			`}`
			`return secret`
			`}`

			`type JumpServerPAM struct {`
			`Endpoint string`
			`KeyID string`
			`KeySecret string`
			`OrgID string`
			`httpClient *http.Client`
			`}`

			`func NewJumpServerPAM(endpoint, keyID, keySecret, orgID string) *JumpServerPAM {`
			`if orgID == "" {`
			`orgID = DefaultOrgId`
			`}`
			`return &JumpServerPAM{`
			`Endpoint: endpoint,`
			`KeyID: keyID,`
			`KeySecret: keySecret,`
			`OrgID: orgID,`
			`httpClient: &http.Client{},`
			`}`
			`}`

			`func (c JumpServerPAM) SignRequest(r http.Request) error {`
			`headers := []string{"(request-target)", "date"}`
			`signer, err := httpsig.NewRequestSigner(c.KeyID, c.KeySecret, "hmac-sha256")`
			`if err != nil {`
			`return err`
			`}`
			`return signer.SignRequest(r, headers, nil)`
			`}`

			`func (c JumpServerPAM) Send(req SecretRequest) (Secret, error) {`
			`fullUrl := c.Endpoint + req.GetURL()`
			`query := req.GetQuery()`
			`fullURL := fmt.Sprintf("%s?%s", fullUrl, query.Encode())`

			`request, err := http.NewRequest(req.Method, fullURL, nil)`
			`if err != nil {`
			`return Secret{}, err`
			`}`
			`request.Header.Set("Accept", "application/json")`
			`request.Header.Set("X-Source", "jms-pam")`
			`err = c.SignRequest(request)`
			`if err != nil {`
			return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
			`}`
			`response, err := c.httpClient.Do(request)`
			`if err != nil {`
			return Secret{Desc: json.RawMessage(`{"error": "` + err.Error() + `"}`)}, nil
			`}`

			`return FromResponse(response), nil`
			`}`