jumpserver/apps/accounts/demos/python/jms_pam/main.py

import uuid
from datetime import datetime
from urllib.parse import urlencode

import requests
from httpsig.requests_auth import HTTPSignatureAuth
from requests.exceptions import RequestException

DEFAULT_ORG_ID = '00000000-0000-0000-0000-000000000002'


class RequestParamsError(ValueError):
    def __init__(self, params):
        self.params = params

    def __str__(self):
        msg = "At least one of the following fields must be provided: %s."
        return 'RequestParamsError: (%s)' % msg % ', '.join(self.params)


class SecretRequest(object):
    """
    Validate parameters and their interdependencies.
    Parameters:
        account_id (str): The account ID, must be a valid UUID.
        asset_id (str): The asset ID, must be a valid UUID.
        asset (str): The name of the asset, can be empty.
        account (str): The name of the account, can be empty.

    Validation Logic:
    - When 'account_id' is provided, 'asset', 'asset_id', and 'account' must not be provided.
    - When 'account' is provided, either 'asset' or 'asset_id' must be provided.
    - It is not allowed to provide both 'account_id' and 'asset_id' together.

    Raises:
        ValueError: If the parameters do not meet the requirements, a detailed error message will be raised.
    """

    def __init__(self, asset='', asset_id='', account='', account_id=''):
        self.account_id = account_id
        self.asset_id = asset_id
        self.asset = asset
        self.account = account
        self.method = 'get'
        self._init_check()

    @staticmethod
    def _valid_uuid(value):
        if not value:
            return

        try:
            uuid.UUID(str(value))
        except (ValueError, TypeError):
            raise ValueError('Invalid UUID: %s. Value must be a valid UUID.' % value)

    def _init_check(self):
        for id_value in [self.account_id, self.asset_id]:
            self._valid_uuid(id_value)

        if self.account_id:
            return

        if not self.asset_id and not self.asset:
            raise RequestParamsError(['asset', 'asset_id'])

        if not self.account:
            raise RequestParamsError(['account', 'account_id'])

    @staticmethod
    def get_url():
        return '/api/v1/accounts/service-integrations/account-secret/'

    def get_query(self):
        return {k: getattr(self, k) for k in vars(self) if getattr(self, k)}


class Secret(object):
    def __init__(self, secret='', desc=''):
        self.secret = secret
        self.desc = desc
        self.valid = not desc

    @classmethod
    def from_exception(cls, e):
        return cls(desc=str(e))

    @classmethod
    def from_response(cls, response):
        secret, error = '', ''
        try:
            data = response.json()
            if response.status_code != 200:
                for k, v in data.items():
                    error += '%s: %s; ' % (k, v)
            secret = data.get('secret')
        except Exception as e:
            error = str(e)
        return cls(secret=secret, desc=error)


class JumpServerPAM(object):
    def __init__(self, endpoint, key_id, key_secret, org_id=DEFAULT_ORG_ID):
        self.endpoint = endpoint
        self.key_id = key_id
        self.key_secret = key_secret
        self.org_id = org_id
        self._auth = None

    @property
    def headers(self):
        gmt_form = '%a, %d %b %Y %H:%M:%S GMT'
        return {
            'Accept': 'application/json',
            'X-JMS-ORG': self.org_id,
            'Date': datetime.utcnow().strftime(gmt_form),
            'X-Source': 'jms-pam'
        }

    def _build_url(self, url, query_params=None):
        query_params = query_params or {}
        endpoint = self.endpoint[:-1] if self.endpoint.endswith('/') else self.endpoint
        return '%s%s?%s' % (endpoint, url, urlencode(query_params))

    def _get_auth(self):
        if self._auth is None:
            signature_headers = ['(request-target)', 'accept', 'date']
            self._auth = HTTPSignatureAuth(
                key_id=self.key_id, secret=self.key_secret,
                algorithm='hmac-sha256', headers=signature_headers
            )
        return self._auth

    def send(self, secret_request):
        try:
            url = secret_request.get_url()
            query_params = secret_request.get_query()
            request_method = getattr(requests, secret_request.method)
            response = request_method(
                self._build_url(url, query_params),
                auth=self._get_auth(), headers=self.headers
            )
        except RequestException as e:
            return Secret.from_exception(e)
        return Secret.from_response(response)

    def get_accounts(self):
        pass
merge: with pam (#14911) * perf: change i18n * perf: pam * perf: change translate * perf: add check account * perf: add date field * perf: add account filter * perf: remove some js * perf: add account status action * perf: update pam * perf: 修改 discover account * perf: update filter * perf: update gathered account * perf: 修改账号同步 * perf: squash migrations * perf: update pam * perf: change i18n * perf: update account risk * perf: 更新风险发现 * perf: remove css * perf: Admin connection token * perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks * perf: Modify account migration files * perf: update pam * perf: remove to check account dir * perf: Admin connection token * perf: update check account * perf: 优化发送结果 * perf: update pam * perf: update bulk update create * perf: prepaire using thread timer for bulk_create_decorator * perf: update bulk create decorator * perf: 优化 playbook manager * perf: 优化收集账号的报表 * perf: Update poetry * perf: Update Dockerfile with new base image tag * fix: Account migrate 0012 file * perf: 修改备份 * perf: update pam * fix: Expand resource_type filter to include raw type * feat: PAM Service (#14552) * feat: PAM Service * perf: import package name --------- Co-authored-by: jiangweidong <1053570670@qq.com> * perf: Change secret dashboard (#14551) Co-authored-by: feng <1304903146@qq.com> * perf: update migrations * perf: 修改支持 pam * perf: Change secret record table dashboard * perf: update status * fix: Automation send report * perf: Change secret report * feat: windows accounts gather * perf: update change status * perf: Account backup * perf: Account backup report * perf: Account migrate * perf: update service to application * perf: update migrations * perf: update logo * feat: oracle accounts gather (#14571) * feat: oracle accounts gather * feat: sqlserver accounts gather * feat: postgresql accounts gather * feat: mysql accounts gather --------- Co-authored-by: wangruidong <940853815@qq.com> * feat: mongodb accounts gather * perf: Change secret * perf: Migrate * perf: Merge conflicting migration files * perf: Change secret * perf: Automation filter org * perf: Account push * perf: Random secret string * perf: Enhance SQL query and update risk handling in accounts * perf: Ticket filter assignee_id * perf: 修改 account remote * perf: 修改一些 adhoc 任务 * perf: Change secret * perf: Remove push account extra api * perf: update status * perf: The entire organization can view activity log * fix: risk field check * perf: add account details api * perf: add demo mode * perf: Delete gather_account * perf: Perfect solution to account version problem * perf: Update status action to handle multiple accounts * perf: Add GatherAccountDetailField and update serializers * perf: Display account history in combination with password change records * perf: Lina translate * fix: Update mysql_filter to handle nested user info * perf: Admin connection token validate_permission account * perf: copy move account * perf: account filter risk * perf: account risk filter * perf: Copy move account failed message * fix: gather account sync account to asset * perf: Pam dashboard * perf: Account dashboard total accounts * perf: Pam dashboard * perf: Change secret filter account secret_reset * perf: 修改 risk filter * perf: pam translate * feat: Check for leaked duplicate passwords. (#14711) * feat: Check for leaked duplicate passwords. * perf: Use SQLite instead of txt as leak password database --------- Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: 老广 <ibuler@qq.com> * perf: merge with remote * perf: Add risk change_password_add handle * perf: Pam dashboard * perf: check account manager import * perf: 重构扫描 * perf: 修改 db * perf: Gather account manager * perf: update change db lib * perf: dashboard * perf: Account gather * perf: 修改 asset get queryset * perf: automation report * perf: Pam account * perf: Pam dashboard api * perf: risk add account * perf: 修改 risk check * perf: Risk account * perf: update risk add reopen action * perf: add pylintrc * Revert "perf: automation report" This reverts commit 22aee542071638bcefae5a244bcabf76f794d7c3. * perf: check account engine * perf: Perf: Optimism Gather Report Style * Perf: Remove unuser actions * Perf: Perf push account * perf: perf gather account * perf: Automation report * perf: Push account recorder * perf: Push account record * perf: Pam dashboard * perf: perf * perf: update intergration * perf: integrations application detail add account tab page * feat: Custom change password supports configuration of interactive items * perf: Go and Python demo code * perf: Custom secret change * perf: add user filter * perf: translate * perf: Add demo code docs * perf: update some i18n * perf: update some i18n * perf: Add Java, Node, Go, and cURL demo code * perf: Translate * perf: Change secret translate * perf: Translate * perf: update some i18n * perf: translate * perf: Ansible playbook * perf: update some choice * perf: update some choice * perf: update account serializer remote unused code * perf: conflict * perf: update import --------- Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng <1304903146@qq.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: wangruidong <940853815@qq.com> Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com> Co-authored-by: zhaojisen <1301338853@qq.com> 2025-02-21 08:39:57 +00:00			`import uuid`
			`from datetime import datetime`
			`from urllib.parse import urlencode`

			`import requests`
			`from httpsig.requests_auth import HTTPSignatureAuth`
			`from requests.exceptions import RequestException`

			`DEFAULT_ORG_ID = '00000000-0000-0000-0000-000000000002'`


			`class RequestParamsError(ValueError):`
			`def __init__(self, params):`
			`self.params = params`

			`def __str__(self):`
			`msg = "At least one of the following fields must be provided: %s."`
			`return 'RequestParamsError: (%s)' % msg % ', '.join(self.params)`


			`class SecretRequest(object):`
			`"""`
			`Validate parameters and their interdependencies.`
			`Parameters:`
			`account_id (str): The account ID, must be a valid UUID.`
			`asset_id (str): The asset ID, must be a valid UUID.`
			`asset (str): The name of the asset, can be empty.`
			`account (str): The name of the account, can be empty.`

			`Validation Logic:`
			`- When 'account_id' is provided, 'asset', 'asset_id', and 'account' must not be provided.`
			`- When 'account' is provided, either 'asset' or 'asset_id' must be provided.`
			`- It is not allowed to provide both 'account_id' and 'asset_id' together.`

			`Raises:`
			`ValueError: If the parameters do not meet the requirements, a detailed error message will be raised.`
			`"""`

			`def __init__(self, asset='', asset_id='', account='', account_id=''):`
			`self.account_id = account_id`
			`self.asset_id = asset_id`
			`self.asset = asset`
			`self.account = account`
			`self.method = 'get'`
			`self._init_check()`

			`@staticmethod`
			`def _valid_uuid(value):`
			`if not value:`
			`return`

			`try:`
			`uuid.UUID(str(value))`
			`except (ValueError, TypeError):`
			`raise ValueError('Invalid UUID: %s. Value must be a valid UUID.' % value)`

			`def _init_check(self):`
			`for id_value in [self.account_id, self.asset_id]:`
			`self._valid_uuid(id_value)`

			`if self.account_id:`
			`return`

			`if not self.asset_id and not self.asset:`
			`raise RequestParamsError(['asset', 'asset_id'])`

			`if not self.account:`
			`raise RequestParamsError(['account', 'account_id'])`

			`@staticmethod`
			`def get_url():`
			`return '/api/v1/accounts/service-integrations/account-secret/'`

			`def get_query(self):`
			`return {k: getattr(self, k) for k in vars(self) if getattr(self, k)}`


			`class Secret(object):`
			`def __init__(self, secret='', desc=''):`
			`self.secret = secret`
			`self.desc = desc`
			`self.valid = not desc`

			`@classmethod`
			`def from_exception(cls, e):`
			`return cls(desc=str(e))`

			`@classmethod`
			`def from_response(cls, response):`
			`secret, error = '', ''`
			`try:`
			`data = response.json()`
			`if response.status_code != 200:`
			`for k, v in data.items():`
			`error += '%s: %s; ' % (k, v)`
			`secret = data.get('secret')`
			`except Exception as e:`
			`error = str(e)`
			`return cls(secret=secret, desc=error)`


			`class JumpServerPAM(object):`
			`def __init__(self, endpoint, key_id, key_secret, org_id=DEFAULT_ORG_ID):`
			`self.endpoint = endpoint`
			`self.key_id = key_id`
			`self.key_secret = key_secret`
			`self.org_id = org_id`
			`self._auth = None`

			`@property`
			`def headers(self):`
			`gmt_form = '%a, %d %b %Y %H:%M:%S GMT'`
			`return {`
			`'Accept': 'application/json',`
			`'X-JMS-ORG': self.org_id,`
			`'Date': datetime.utcnow().strftime(gmt_form),`
			`'X-Source': 'jms-pam'`
			`}`

			`def _build_url(self, url, query_params=None):`
			`query_params = query_params or {}`
			`endpoint = self.endpoint[:-1] if self.endpoint.endswith('/') else self.endpoint`
			`return '%s%s?%s' % (endpoint, url, urlencode(query_params))`

			`def _get_auth(self):`
			`if self._auth is None:`
			`signature_headers = ['(request-target)', 'accept', 'date']`
			`self._auth = HTTPSignatureAuth(`
			`key_id=self.key_id, secret=self.key_secret,`
			`algorithm='hmac-sha256', headers=signature_headers`
			`)`
			`return self._auth`

			`def send(self, secret_request):`
			`try:`
			`url = secret_request.get_url()`
			`query_params = secret_request.get_query()`
			`request_method = getattr(requests, secret_request.method)`
			`response = request_method(`
			`self._build_url(url, query_params),`
			`auth=self._get_auth(), headers=self.headers`
			`)`
			`except RequestException as e:`
			`return Secret.from_exception(e)`
			`return Secret.from_response(response)`

			`def get_accounts(self):`
			`pass`