jumpserver/apps/accounts/models/automations/check_account.py

from itertools import islice

from django.db import models
from django.db.models import TextChoices
from django.utils import timezone
from django.utils.translation import gettext_lazy as _

from common.const import ConfirmOrIgnore
from common.db.models import JMSBaseModel
from orgs.mixins.models import JMSOrgBaseModel
from .base import AccountBaseAutomation
from ...const import AutomationTypes

__all__ = ['CheckAccountAutomation', 'AccountRisk', 'RiskChoice', 'CheckAccountEngine']


class CheckAccountAutomation(AccountBaseAutomation):
    engines = models.JSONField(default=list, verbose_name=_('Engines'))
    recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)

    def to_attr_json(self):
        attr_json = super().to_attr_json()
        attr_json.update({
            'engines': self.engines,
            'recipients': [str(user.id) for user in self.recipients.all()]
        })
        return attr_json

    def save(self, *args, **kwargs):
        self.type = AutomationTypes.check_account
        super().save(*args, **kwargs)

    class Meta:
        verbose_name = _('account check automation')
        permissions = [
            ('view_checkaccountexecution', _('Can view check account execution')),
            ('add_checkaccountexecution', _('Can add check account execution')),
        ]


class RiskChoice(TextChoices):
    # 依赖自动发现的
    long_time_no_login = 'long_time_no_login', _('Long time no login')  # 好久没登录的账号, 禁用、删除
    new_found = 'new_found', _('New found')  # 未被纳管的账号, 纳管, 删除, 禁用
    group_changed = 'groups_changed', _('Groups change')  # 组变更, 确认
    sudo_changed = 'sudoers_changed', _('Sudo changed')  # sudo 变更, 确认
    authorized_keys_changed = 'authorized_keys_changed', _('Authorized keys changed')  # authorized_keys 变更, 确认
    account_deleted = 'account_deleted', _('Account delete')  # 账号被删除, 确认
    password_expired = 'password_expired', _('Password expired')  # 密码过期, 修改密码
    long_time_password = 'long_time_password', _('Long time no change')  # 好久没改密码的账号, 改密码

    weak_password = 'weak_password', _('Weak password')  # 弱密码, 改密
    leaked_password = 'leaked_password', _('Leaked password')  # 可能泄露的密码, 改密
    repeated_password = 'repeated_password', _('Repeated password')  # 重复度高的密码, 改密
    password_error = 'password_error', _('Password error')  # 密码错误, 修改账号
    no_admin_account = 'no_admin_account', _('No admin account')  # 无管理员账号, 设置账号
    others = 'others', _('Others')  # 其他风险, 确认


class AccountRisk(JMSOrgBaseModel):
    asset = models.ForeignKey(
        'assets.Asset', on_delete=models.CASCADE, related_name='risks', verbose_name=_('Asset')
    )
    username = models.CharField(max_length=32, verbose_name=_('Username'))
    account = models.ForeignKey(
        'accounts.Account', on_delete=models.CASCADE, related_name='risks',
        verbose_name=_('Account'), null=True
    )
    gathered_account = models.ForeignKey(
        'accounts.GatheredAccount', on_delete=models.CASCADE,
        related_name='risks', null=True
    )
    risk = models.CharField(max_length=128, verbose_name=_('Risk'), choices=RiskChoice.choices)
    status = models.CharField(max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
                              blank=True, verbose_name=_('Status'))
    details = models.JSONField(default=list, verbose_name=_('Details'))

    class Meta:
        verbose_name = _('Account risk')
        unique_together = ('asset', 'username', 'risk')

    def __str__(self):
        return f"{self.username}@{self.asset} - {self.risk}"

    def set_status(self, status, user):
        self.status = status
        self.details.append({'date': timezone.now().isoformat(), 'message': f'{user.username} set status to {status}'})
        self.save()

    def update_details(self, message, user):
        self.details.append({'date': timezone.now().isoformat(), 'message': f'{user.username} {message}'})
        self.save(update_fields=['details'])

    @classmethod
    def gen_fake_data(cls, count=1000, batch_size=50):
        from assets.models import Asset
        from accounts.models import Account

        assets = Asset.objects.all()
        accounts = Account.objects.all()

        counter = iter(range(count))
        while True:
            batch = list(islice(counter, batch_size))
            if not batch:
                break

            to_create = []
            for i in batch:
                asset = assets[i % len(assets)]
                account = accounts[i % len(accounts)]
                risk = RiskChoice.choices[i % len(RiskChoice.choices)][0]
                to_create.append(cls(asset=asset, username=account.username, risk=risk))

            cls.objects.bulk_create(to_create)


class CheckAccountEngine(JMSBaseModel):
    name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)
    slug = models.SlugField(max_length=128, verbose_name=_('Slug'), unique=True)

    def __str__(self):
        return self.name

    @staticmethod
    def get_default_engines():
        data = [
            {
                "id": "00000000-0000-0000-0000-000000000001",
                "slug": "check_gathered_account",
                "name": _("Check the discovered accounts"),
                "comment": _(
                    "Perform checks and analyses based on automatically discovered account results, "
                    "including user groups, public keys, sudoers, and other information"
                )
            },
            {
                "id": "00000000-0000-0000-0000-000000000002",
                "slug": "check_account_secret",
                "name": _("Check the strength of your account and password"),
                "comment": _(
                    "Perform checks and analyses based on the security of account passwords, "
                    "including password strength, leakage, etc."
                )
            },
            {
                "id": "00000000-0000-0000-0000-000000000003",
                "slug": "check_account_repeat",
                "name": _("Check if the account and password are repeated"),
                "comment": _("Check if the account is the same as other accounts")
            },
            {
                "id": "00000000-0000-0000-0000-000000000004",
                "slug": "check_account_leak",
                "name": _("Check whether the account password is a common password"),
                "comment": _("Check whether the account password is a commonly leaked password")
            },
        ]
        return data
merge: with pam (#14911) * perf: change i18n * perf: pam * perf: change translate * perf: add check account * perf: add date field * perf: add account filter * perf: remove some js * perf: add account status action * perf: update pam * perf: 修改 discover account * perf: update filter * perf: update gathered account * perf: 修改账号同步 * perf: squash migrations * perf: update pam * perf: change i18n * perf: update account risk * perf: 更新风险发现 * perf: remove css * perf: Admin connection token * perf: Add a switch to check connectivity after changing the password, and add a custom ssh command for push tasks * perf: Modify account migration files * perf: update pam * perf: remove to check account dir * perf: Admin connection token * perf: update check account * perf: 优化发送结果 * perf: update pam * perf: update bulk update create * perf: prepaire using thread timer for bulk_create_decorator * perf: update bulk create decorator * perf: 优化 playbook manager * perf: 优化收集账号的报表 * perf: Update poetry * perf: Update Dockerfile with new base image tag * fix: Account migrate 0012 file * perf: 修改备份 * perf: update pam * fix: Expand resource_type filter to include raw type * feat: PAM Service (#14552) * feat: PAM Service * perf: import package name --------- Co-authored-by: jiangweidong <1053570670@qq.com> * perf: Change secret dashboard (#14551) Co-authored-by: feng <1304903146@qq.com> * perf: update migrations * perf: 修改支持 pam * perf: Change secret record table dashboard * perf: update status * fix: Automation send report * perf: Change secret report * feat: windows accounts gather * perf: update change status * perf: Account backup * perf: Account backup report * perf: Account migrate * perf: update service to application * perf: update migrations * perf: update logo * feat: oracle accounts gather (#14571) * feat: oracle accounts gather * feat: sqlserver accounts gather * feat: postgresql accounts gather * feat: mysql accounts gather --------- Co-authored-by: wangruidong <940853815@qq.com> * feat: mongodb accounts gather * perf: Change secret * perf: Migrate * perf: Merge conflicting migration files * perf: Change secret * perf: Automation filter org * perf: Account push * perf: Random secret string * perf: Enhance SQL query and update risk handling in accounts * perf: Ticket filter assignee_id * perf: 修改 account remote * perf: 修改一些 adhoc 任务 * perf: Change secret * perf: Remove push account extra api * perf: update status * perf: The entire organization can view activity log * fix: risk field check * perf: add account details api * perf: add demo mode * perf: Delete gather_account * perf: Perfect solution to account version problem * perf: Update status action to handle multiple accounts * perf: Add GatherAccountDetailField and update serializers * perf: Display account history in combination with password change records * perf: Lina translate * fix: Update mysql_filter to handle nested user info * perf: Admin connection token validate_permission account * perf: copy move account * perf: account filter risk * perf: account risk filter * perf: Copy move account failed message * fix: gather account sync account to asset * perf: Pam dashboard * perf: Account dashboard total accounts * perf: Pam dashboard * perf: Change secret filter account secret_reset * perf: 修改 risk filter * perf: pam translate * feat: Check for leaked duplicate passwords. (#14711) * feat: Check for leaked duplicate passwords. * perf: Use SQLite instead of txt as leak password database --------- Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: 老广 <ibuler@qq.com> * perf: merge with remote * perf: Add risk change_password_add handle * perf: Pam dashboard * perf: check account manager import * perf: 重构扫描 * perf: 修改 db * perf: Gather account manager * perf: update change db lib * perf: dashboard * perf: Account gather * perf: 修改 asset get queryset * perf: automation report * perf: Pam account * perf: Pam dashboard api * perf: risk add account * perf: 修改 risk check * perf: Risk account * perf: update risk add reopen action * perf: add pylintrc * Revert "perf: automation report" This reverts commit 22aee542071638bcefae5a244bcabf76f794d7c3. * perf: check account engine * perf: Perf: Optimism Gather Report Style * Perf: Remove unuser actions * Perf: Perf push account * perf: perf gather account * perf: Automation report * perf: Push account recorder * perf: Push account record * perf: Pam dashboard * perf: perf * perf: update intergration * perf: integrations application detail add account tab page * feat: Custom change password supports configuration of interactive items * perf: Go and Python demo code * perf: Custom secret change * perf: add user filter * perf: translate * perf: Add demo code docs * perf: update some i18n * perf: update some i18n * perf: Add Java, Node, Go, and cURL demo code * perf: Translate * perf: Change secret translate * perf: Translate * perf: update some i18n * perf: translate * perf: Ansible playbook * perf: update some choice * perf: update some choice * perf: update account serializer remote unused code * perf: conflict * perf: update import --------- Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng <1304903146@qq.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: wangruidong <940853815@qq.com> Co-authored-by: jiangweidong <1053570670@qq.com> Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com> Co-authored-by: zhaojisen <1301338853@qq.com> 2025-02-21 08:39:57 +00:00			`from itertools import islice`

			`from django.db import models`
			`from django.db.models import TextChoices`
			`from django.utils import timezone`
			`from django.utils.translation import gettext_lazy as _`

			`from common.const import ConfirmOrIgnore`
			`from common.db.models import JMSBaseModel`
			`from orgs.mixins.models import JMSOrgBaseModel`
			`from .base import AccountBaseAutomation`
			`from ...const import AutomationTypes`

			`__all__ = ['CheckAccountAutomation', 'AccountRisk', 'RiskChoice', 'CheckAccountEngine']`


			`class CheckAccountAutomation(AccountBaseAutomation):`
			`engines = models.JSONField(default=list, verbose_name=_('Engines'))`
			`recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)`

			`def to_attr_json(self):`
			`attr_json = super().to_attr_json()`
			`attr_json.update({`
			`'engines': self.engines,`
			`'recipients': [str(user.id) for user in self.recipients.all()]`
			`})`
			`return attr_json`

			`def save(self, args, *kwargs):`
			`self.type = AutomationTypes.check_account`
			`super().save(args, *kwargs)`

			`class Meta:`
			`verbose_name = _('account check automation')`
			`permissions = [`
			`('view_checkaccountexecution', _('Can view check account execution')),`
			`('add_checkaccountexecution', _('Can add check account execution')),`
			`]`


			`class RiskChoice(TextChoices):`
			`# 依赖自动发现的`
			`long_time_no_login = 'long_time_no_login', _('Long time no login') # 好久没登录的账号, 禁用、删除`
			`new_found = 'new_found', _('New found') # 未被纳管的账号, 纳管, 删除, 禁用`
			`group_changed = 'groups_changed', _('Groups change') # 组变更, 确认`
			`sudo_changed = 'sudoers_changed', _('Sudo changed') # sudo 变更, 确认`
			`authorized_keys_changed = 'authorized_keys_changed', _('Authorized keys changed') # authorized_keys 变更, 确认`
			`account_deleted = 'account_deleted', _('Account delete') # 账号被删除, 确认`
			`password_expired = 'password_expired', _('Password expired') # 密码过期, 修改密码`
			`long_time_password = 'long_time_password', _('Long time no change') # 好久没改密码的账号, 改密码`

			`weak_password = 'weak_password', _('Weak password') # 弱密码, 改密`
			`leaked_password = 'leaked_password', _('Leaked password') # 可能泄露的密码, 改密`
			`repeated_password = 'repeated_password', _('Repeated password') # 重复度高的密码, 改密`
			`password_error = 'password_error', _('Password error') # 密码错误, 修改账号`
			`no_admin_account = 'no_admin_account', _('No admin account') # 无管理员账号, 设置账号`
			`others = 'others', _('Others') # 其他风险, 确认`


			`class AccountRisk(JMSOrgBaseModel):`
			`asset = models.ForeignKey(`
			`'assets.Asset', on_delete=models.CASCADE, related_name='risks', verbose_name=_('Asset')`
			`)`
			`username = models.CharField(max_length=32, verbose_name=_('Username'))`
			`account = models.ForeignKey(`
			`'accounts.Account', on_delete=models.CASCADE, related_name='risks',`
			`verbose_name=_('Account'), null=True`
			`)`
			`gathered_account = models.ForeignKey(`
			`'accounts.GatheredAccount', on_delete=models.CASCADE,`
			`related_name='risks', null=True`
			`)`
			`risk = models.CharField(max_length=128, verbose_name=_('Risk'), choices=RiskChoice.choices)`
			`status = models.CharField(max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,`
			`blank=True, verbose_name=_('Status'))`
			`details = models.JSONField(default=list, verbose_name=_('Details'))`

			`class Meta:`
			`verbose_name = _('Account risk')`
			`unique_together = ('asset', 'username', 'risk')`

			`def __str__(self):`
			`return f"{self.username}@{self.asset} - {self.risk}"`

			`def set_status(self, status, user):`
			`self.status = status`
			`self.details.append({'date': timezone.now().isoformat(), 'message': f'{user.username} set status to {status}'})`
			`self.save()`

			`def update_details(self, message, user):`
			`self.details.append({'date': timezone.now().isoformat(), 'message': f'{user.username} {message}'})`
			`self.save(update_fields=['details'])`

			`@classmethod`
			`def gen_fake_data(cls, count=1000, batch_size=50):`
			`from assets.models import Asset`
			`from accounts.models import Account`

			`assets = Asset.objects.all()`
			`accounts = Account.objects.all()`

			`counter = iter(range(count))`
			`while True:`
			`batch = list(islice(counter, batch_size))`
			`if not batch:`
			`break`

			`to_create = []`
			`for i in batch:`
			`asset = assets[i % len(assets)]`
			`account = accounts[i % len(accounts)]`
			`risk = RiskChoice.choices[i % len(RiskChoice.choices)][0]`
			`to_create.append(cls(asset=asset, username=account.username, risk=risk))`

			`cls.objects.bulk_create(to_create)`


			`class CheckAccountEngine(JMSBaseModel):`
			`name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)`
			`slug = models.SlugField(max_length=128, verbose_name=_('Slug'), unique=True)`

			`def __str__(self):`
			`return self.name`

			`@staticmethod`
			`def get_default_engines():`
			`data = [`
			`{`
			`"id": "00000000-0000-0000-0000-000000000001",`
			`"slug": "check_gathered_account",`
			`"name": _("Check the discovered accounts"),`
			`"comment": _(`
			`"Perform checks and analyses based on automatically discovered account results, "`
			`"including user groups, public keys, sudoers, and other information"`
			`)`
			`},`
			`{`
			`"id": "00000000-0000-0000-0000-000000000002",`
			`"slug": "check_account_secret",`
			`"name": _("Check the strength of your account and password"),`
			`"comment": _(`
			`"Perform checks and analyses based on the security of account passwords, "`
			`"including password strength, leakage, etc."`
			`)`
			`},`
			`{`
			`"id": "00000000-0000-0000-0000-000000000003",`
			`"slug": "check_account_repeat",`
			`"name": _("Check if the account and password are repeated"),`
			`"comment": _("Check if the account is the same as other accounts")`
			`},`
			`{`
			`"id": "00000000-0000-0000-0000-000000000004",`
			`"slug": "check_account_leak",`
			`"name": _("Check whether the account password is a common password"),`
			`"comment": _("Check whether the account password is a commonly leaked password")`
			`},`
			`]`
			`return data`