Fix rbac (#7690)

* perf: 优化 suggesstion * perf: 修改 migrations
2022-02-24 12:03:40 +08:00 · 2022-02-24 12:03:40 +08:00 · 02ca473492
parent 484b75bb53
commit 02ca473492
11 changed files with 16 additions and 126 deletions
--- a/apps/applications/api/application.py
+++ b/apps/applications/api/application.py
@ -6,7 +6,7 @@ from rest_framework.decorators import action
 from rest_framework.response import Response

 from common.tree import TreeNodeSerializer
-from common.mixins.views import SuggestionMixin
+from common.mixins.api import SuggestionMixin
 from .. import serializers
 from ..models import Application

--- a/apps/applications/migrations/0018_auto_20220223_1642.py
+++ b/apps/applications/migrations/0018_auto_20220223_1642.py
@ -1,18 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0017_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='application',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('mariadb', 'MariaDB'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/assets/migrations/0087_auto_20220223_1642.py
+++ b/apps/assets/migrations/0087_auto_20220223_1642.py
@ -1,18 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0086_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='systemuser',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol'),
-        ),
-    ]
--- a/apps/common/mixins/api/action.py
+++ b/apps/common/mixins/api/action.py
@ -8,7 +8,6 @@ from rest_framework.decorators import action
 from rest_framework.request import Request

 from common.const.http import POST
-from common.permissions import IsValidUser


 __all__ = ['SuggestionMixin', 'RenderToJsonMixin']
@ -23,8 +22,8 @@ class SuggestionMixin:
    get_serializer: Callable
    get_paginated_response: Callable

-    @action(methods=['get'], detail=False, permission_classes=(IsValidUser,))
-    def suggestions(self, request, *args, **kwargs):
+    @action(methods=['get'], detail=False, url_path='suggestions')
+    def match(self, request, *args, **kwargs):
        queryset = self.filter_queryset(self.get_queryset())
        queryset = queryset[:self.suggestion_limit]
        page = self.paginate_queryset(queryset)
--- a/apps/common/mixins/views.py
+++ b/apps/common/mixins/views.py
@ -8,7 +8,7 @@ from rest_framework.response import Response

 from common.permissions import IsValidUser

-__all__ = ["PermissionsMixin", "SuggestionMixin"]
+__all__ = ["PermissionsMixin"]


 class PermissionsMixin(UserPassesTestMixin):
@ -24,19 +24,3 @@ class PermissionsMixin(UserPassesTestMixin):
            if not permission_class().has_permission(self.request, self):
                return False
        return True
-
-
-class SuggestionMixin:
-    suggestion_mini_count = 10
-
-    @action(methods=['get'], detail=False, permission_classes=(IsValidUser,))
-    def suggestions(self, request, *args, **kwargs):
-        queryset = self.filter_queryset(self.get_queryset())
-        queryset = queryset[:self.suggestion_mini_count]
-        page = self.paginate_queryset(queryset)
-        if page is not None:
-            serializer = self.get_serializer(page, many=True)
-            return self.get_paginated_response(serializer.data)
-
-        serializer = self.get_serializer(queryset, many=True)
-        return Response(serializer.data)
--- a/apps/perms/migrations/0025_auto_20220223_1642.py
+++ b/apps/perms/migrations/0025_auto_20220223_1642.py
@ -1,18 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('perms', '0024_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='applicationpermission',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('mariadb', 'MariaDB'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@ -7,6 +7,7 @@ auditor_perms = (
    ('common', 'permission', 'view', 'resourcestatistics'),
    ('audits', '*', '*', '*'),
    ('rbac', 'menupermission', 'view', 'auditview'),
+    ('terminal', 'commandstorage', 'view', 'commandstorage'),
    ('terminal', 'session', '*', '*'),
    ('terminal', 'command', '*', '*'),
 )
--- a/apps/terminal/api/command.py
+++ b/apps/terminal/api/command.py
@ -29,8 +29,8 @@ __all__ = ['CommandViewSet', 'CommandExportApi', 'InsecureCommandAlertAPI']
 class CommandQueryMixin:
    command_store = get_command_storage()
    filterset_fields = [
-        "asset", "system_user", "user", "session", "risk_level",
-        "input"
+        "asset", "system_user", "user", "session",
+        "risk_level", "input"
    ]
    default_days_ago = 5

--- a/apps/terminal/migrations/0044_auto_20220223_1642.py
+++ b/apps/terminal/migrations/0044_auto_20220223_1642.py
@ -1,18 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('terminal', '0043_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='session',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'ssh'), ('rdp', 'rdp'), ('vnc', 'vnc'), ('telnet', 'telnet'), ('mysql', 'mysql'), ('oracle', 'oracle'), ('mariadb', 'mariadb'), ('sqlserver', 'sqlserver'), ('postgresql', 'postgresql'), ('redis', 'redis'), ('mongodb', 'MongoDB'), ('k8s', 'kubernetes')], db_index=True, default='ssh', max_length=16),
-        ),
-    ]
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@ -9,6 +9,7 @@ from rest_framework_bulk import BulkModelViewSet

 from common.mixins import CommonApiMixin
 from common.utils import get_logger
+from common.mixins.api import SuggestionMixin
 from orgs.utils import current_org
 from rbac.models import Role, RoleBinding
 from users.utils import LoginBlockUtil, MFABlockUtils
@ -30,7 +31,7 @@ __all__ = [
 ]


-class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
+class UserViewSet(CommonApiMixin, UserQuerysetMixin, SuggestionMixin, BulkModelViewSet):
    filterset_class = UserFilter
    search_fields = ('username', 'email', 'name', 'id', 'source', 'role')
    serializer_classes = {
@ -41,7 +42,7 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
    ordering_fields = ('name',)
    ordering = ('name',)
    rbac_perms = {
-        'suggestion': 'users.match_user',
+        'match': 'users.match_user',
        'invite': 'users.invite_user',
        'remove': 'users.remove_user',
        'bulk_remove': 'users.remove_user',
@ -51,18 +52,14 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
        queryset = super().get_queryset().prefetch_related('groups')
        return queryset

-    def list(self, request, *args, **kwargs):
-        queryset = self.filter_queryset(self.get_queryset())
+    def paginate_queryset(self, queryset):
+        page = super().paginate_queryset(queryset)

-        page = self.paginate_queryset(queryset)
-        if page is not None:
+        if page:
            page = self.set_users_roles_for_cache(page)
-            serializer = self.get_serializer(page, many=True)
-            return self.get_paginated_response(serializer.data)
-
-        queryset = self.set_users_roles_for_cache(queryset)
-        serializer = self.get_serializer(queryset, many=True)
-        return Response(serializer.data)
+        else:
+            self.set_users_roles_for_cache(queryset)
+        return page

    @staticmethod
    def set_users_roles_for_cache(queryset):
@ -87,7 +84,6 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
        for u in queryset_list:
            system_roles = user_system_role_mapper[u.id]
            org_roles = user_org_role_mapper[u.id]
-            u.roles.cache_set(system_roles | org_roles)
            u.org_roles.cache_set(org_roles)
            u.system_roles.cache_set(system_roles)
        return queryset_list
@ -112,13 +108,6 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
            self.check_object_permissions(self.request, obj)
            self.perform_destroy(obj)

-    @action(methods=['get'], detail=False)
-    def suggestion(self, *args, **kwargs):
-        queryset = User.get_nature_users()
-        queryset = self.filter_queryset(queryset)[:6]
-        serializer = self.get_serializer(queryset, many=True)
-        return Response(serializer.data)
-
    @action(methods=['post'], detail=False)
    def invite(self, request):
        if not current_org or current_org.is_root():
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@ -11,7 +11,6 @@ from rbac.models import OrgRoleBinding, SystemRoleBinding
 from ..models import User
 from ..const import PasswordStrategy
 from rbac.models import Role
-from rbac.builtin import BuiltinRole

 __all__ = [
    'UserSerializer', 'MiniUserSerializer',
@ -180,16 +179,6 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
        attrs = self.clean_auth_fields(attrs)
        attrs.pop('password_strategy', None)
        return attrs
-    # Todo: 不知道怎么优化呢
-    # def get_can_update(self, obj):
-    #     return CanUpdateDeleteUser.has_update_object_permission(
-    #         self.context['request'], self.context['view'], obj
-    #     )
-    #
-    # def get_can_delete(self, obj):
-    #     return CanUpdateDeleteUser.has_delete_object_permission(
-    #         self.context['request'], self.context['view'], obj
-    #     )

    def save_and_set_custom_m2m_fields(self, validated_data, save_handler):
        m2m_values = {