From 34a0a37b6366bc1084adb7e9b1a2100c7692bc7d Mon Sep 17 00:00:00 2001
From: ibuler
Date: Tue, 1 Nov 2016 19:31:35 +0800
Subject: [PATCH] Add token
---
 apps/assets/api.py | 36 ++++++++++++++++++++++++------------
 apps/assets/hands.py | 1 +
 apps/assets/models.py | 10 +++++-----
 apps/assets/urls.py | 2 +-
 apps/common/utils.py | 10 ++++++++--
 apps/jumpserver/settings.py | 2 +-
 apps/jumpserver/urls.py | 2 +-
 apps/users/urls.py | 2 +-
 8 files changed, 42 insertions(+), 23 deletions(-)
diff --git a/apps/assets/api.py b/apps/assets/api.py
index c568a1291..f57e1d7ba 100644
--- a/apps/assets/api.py
+++ b/apps/assets/api.py
@@ -2,22 +2,20 @@ from rest_framework import serializers
 from rest_framework import viewsets, serializers, generics
+from rest_framework.response import Response
 from rest_framework.views import APIView
 from rest_framework_bulk import BulkListSerializer, BulkSerializerMixin, ListBulkCreateUpdateDestroyAPIView
 from common.mixins import BulkDeleteApiMixin
-from common.utils import get_object_or_none
-from .models import AssetGroup, Asset, IDC, AssetExtend
+from common.utils import get_object_or_none, signer
+from .hands import IsSuperUserOrTerminalUser, IsSuperUser
+from .models import AssetGroup, Asset, IDC, SystemUser
 from .serializers import AssetBulkUpdateSerializer
 class AssetGroupSerializer(serializers.ModelSerializer):
 class Meta:
 model = AssetGroup
- # exclude = [
- # 'password', 'first_name', 'last_name', 'secret_key_otp',
- # 'private_key', 'public_key', 'avatar',
- # ]
 class AssetSerializer(serializers.ModelSerializer):
@@ -56,22 +54,36 @@ class IDCViewSet(viewsets.ReadOnlyModelViewSet):
 """
 queryset = IDC.objects.all()
 serializer_class = IDCSerializer
+ permission_classes = (IsSuperUser,)
 class AssetListUpdateApi(BulkDeleteApiMixin, ListBulkCreateUpdateDestroyAPIView):
 queryset = Asset.objects.all()
 serializer_class = AssetBulkUpdateSerializer
+ permission_classes = (IsSuperUser,)
-class AssetSystemUserAuthApi(APIView):
+class SystemUserAuthApi(APIView):
+ permission_classes = (IsSuperUserOrTerminalUser,)
+
 def get(self, request, *args, **kwargs):
- system_user_id = request.data.get('system_user_id', -1)
- system_user_username = request.data.get('system_user_username', '')
+ system_user_id = request.query_params.get('system_user_id', -1)
+ system_user_username = request.query_params.get('system_user_username', '')
- system_user = get_object_or_none(Asset, id=system_user_id, username=system_user_username)
+ system_user = get_object_or_none(SystemUser, id=system_user_id, username=system_user_username)
 if system_user:
- password = system_user.password
- private_key = system_user.private_key
+ password = signer.sign(system_user.password)
+ private_key = signer.sign(system_user.private_key)
+
+ response = {
+ 'id': system_user.id,
+ 'password': password,
+ 'private_key': private_key,
+ }
+
+ return Response(response)
+ else:
+ return Response({'msg': 'error system user id or username'}, status=401)
diff --git a/apps/assets/hands.py b/apps/assets/hands.py
index 70dedfeb4..acf0db52e 100644
--- a/apps/assets/hands.py
+++ b/apps/assets/hands.py
@@ -12,4 +12,5 @@ from users.utils import AdminUserRequiredMixin
+from users.backends import IsSuperUserOrTerminalUser, IsSuperUser
 from users.models import User, UserGroup
diff --git a/apps/assets/models.py b/apps/assets/models.py
index e7c39c9fe..1103d0b4c 100644
--- a/apps/assets/models.py
+++ b/apps/assets/models.py
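Review bot: `signer.sign(system_user.password)` and `signer.sign(system_user.private_key)` in `get` do not hide the secrets: `Signer` wraps `JSONWebSignatureSerializer` (see the utils.py hunk), which base64-encodes the payload and appends a signature, so any caller admitted by `IsSuperUserOrTerminalUser` receives the password and private key in directly recoverable form and the permission class plus transport security are the only controls on this endpoint. If the intent is that only the requesting terminal can read the material, an encryption step keyed to that terminal is needed rather than a signature. Because `unsign` in this same commit returns `None` on a failed signature check, `system_user.password` can be `None` here and `signer.sign(None)` will still produce a token for it; guard with `if password is None or private_key is None:` before building the response. The `else` branch answers 401, which DRF clients read as an authentication failure, whereas an unknown id/username is a lookup miss; `status=404` fits better.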
@@ -179,7 +179,7 @@ class SystemUser(models.Model):
 @property
 def password(self):
- return signer.sign(self._password)
+ return signer.unsign(self._password)
 @password.setter
 def password(self, password_raw):
@@ -187,19 +187,19 @@ class SystemUser(models.Model):
 @property
 def private_key(self):
- return signer(self._private_key)
+ return signer.unsign(self._private_key)
 @private_key.setter
 def private_key(self, private_key_raw):
- self._private_key = signer(private_key_raw)
+ self._private_key = signer.sign(private_key_raw)
 @property
 def public_key(self):
- return signer(self._public_key)
+ return signer.unsign(self._public_key)
 @public_key.setter
 def public_key(self, public_key_raw):
- self._public_key = signer(public_key_raw)
+ self._public_key = signer.sign(public_key_raw)
 def get_assets_inherit_from_asset_groups(self):
 assets = set()
diff --git a/apps/assets/urls.py b/apps/assets/urls.py
index 50c4669cb..825b3e4ab 100644
--- a/apps/assets/urls.py
+++ b/apps/assets/urls.py
@@ -64,10 +64,10 @@ urlpatterns = [
 ]
 urlpatterns += [
- #json
 url(r'^v1/assets/$', api.AssetViewSet.as_view({'get':'list'}), name='assets-list-api'),
 url(r'^v1/assets_bulk/$', api.AssetListUpdateApi.as_view(), name='asset-bulk-update-api'),
 url(r'^v1/idc/$', api.IDCViewSet.as_view({'get':'list'}), name='idc-list-json'),
+ url(r'^v1/system-user/auth/', api.SystemUserAuthApi.as_view(), name='system-user-auth'),
 ]
diff --git a/apps/common/utils.py b/apps/common/utils.py
index 3944a44fd..d3bd61ddf 100644
--- a/apps/common/utils.py
+++ b/apps/common/utils.py
@@ -44,7 +44,10 @@ class Signer(object):
 def unsign(self, value):
 s = JSONWebSignatureSerializer(self.secret_key)
- return s.loads(value)
+ try:
+ return s.loads(value)
+ except BadSignature:
+ return None
 def sign_t(self, value, expires_in=3600):
 s = TimedJSONWebSignatureSerializer(self.secret_key, expires_in=expires_in)
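Review bot: `return signer.unsign(self._password)` now yields `None` whenever the stored value fails verification, because the utils.py hunk in this commit swallows `BadSignature`; the same applies to `private_key` and `public_key` in the next hunk, so rows written under a different `SECRET_KEY`, or tampered with, read as "unset" with no signal to the caller. Consider telling the two cases apart in the getter, e.g. `value = signer.unsign(self._password)` / `if value is None and self._password: raise ValueError('stored password failed signature check')` / `return value`, so that a verification failure cannot be mistaken for an empty credential. Note also that `JSONWebSignatureSerializer` signs but does not encrypt, so the `signer.sign(...)` setters in the second hunk store `_private_key` and `_public_key` as base64 JSON plus a signature: this gives integrity, not confidentiality, of key material at rest, and anyone with read access to the table can recover the private key. The enclosing class `SystemUser` starts outside both hunks.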
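Review bot: The new route `r'^v1/system-user/auth/'` has no `$` anchor, unlike every other pattern in this block, so it matches any path that merely begins with that prefix; change it to `url(r'^v1/system-user/auth/$', api.SystemUserAuthApi.as_view(), name='system-user-auth'),` so the credential-returning view is bound to exactly one path.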
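Review bot: Catching `BadSignature` in `unsign` and returning `None` makes a failed verification indistinguishable from a legitimately stored `None`, and the caller gets no indication that the value may have been tampered with or signed under another key; `unsign_t` in the next hunk has the same shape and additionally folds `SignatureExpired` into `None`. At minimum record the failure before returning, e.g. with a module-level logger `except BadSignature as e:` / `logger.warning('unsign failed: %s', e)` / `return None`, or raise a project exception so callers decide how to treat it. `BadSignature` and `SignatureExpired` must already be imported from `itsdangerous` at the top of utils.py, which is outside the hunk; if they are not, the `except` clause raises `NameError` the first time `loads` fails. The enclosing class `Signer` starts outside the hunk.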
@@ -52,7 +55,10 @@ class Signer(object):
 def unsign_t(self, value):
 s = TimedJSONWebSignatureSerializer(self.secret_key)
- return s.loads(value)
+ try:
+ return s.loads(value)
+ except (BadSignature, SignatureExpired):
+ return None
 def date_expired_default():
diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py
index 0e509807e..78e08dabd 100644
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -269,9 +269,9 @@ REST_FRAMEWORK = {
 'DEFAULT_AUTHENTICATION_CLASSES': (
 'users.backends.TerminalAuthentication',
 'users.backends.AccessTokenAuthentication',
+ 'rest_framework.authentication.TokenAuthentication',
 'rest_framework.authentication.BasicAuthentication',
 'rest_framework.authentication.SessionAuthentication',
- 'rest_framework.authentication.TokenAuthentication',
 ),
 }
 # This setting is required to override the Django's main loop, when running in
diff --git a/apps/jumpserver/urls.py b/apps/jumpserver/urls.py
index e9bf765de..81a5f9d15 100644
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@@ -23,7 +23,7 @@ urlpatterns = [
 url(r'^captcha/', include('captcha.urls')),
 url(r'^$', TemplateView.as_view(template_name='base.html'), name='index'),
 url(r'^(api/)?users/', include('users.urls')),
- url(r'^assets/', include('assets.urls')),
+ url(r'^(api/)?assets/', include('assets.urls')),
 url(r'^(api/)?perms/', include('perms.urls')),
 url(r'^(api/)?audits/', include('audits.urls')),
 url(r'^(api/)?terminal/', include('terminal.urls')),
diff --git a/apps/users/urls.py b/apps/users/urls.py
index 7a9f94029..c6c059419 100644
--- a/apps/users/urls.py
+++ b/apps/users/urls.py
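Review bot: Moving `'rest_framework.authentication.TokenAuthentication'` above the Basic and Session entries in `DEFAULT_AUTHENTICATION_CLASSES` does not change which credentials are accepted — DRF calls each class in turn until one returns a user — and the challenge header on an unauthenticated response still comes from the first entry, `TerminalAuthentication`, so as far as this hunk shows the reorder is behaviourally neutral. If the intent is to have token credentials win over an ambient session cookie for API clients, a one-line comment such as `# token before session: API clients must not ride on a browser session` would spare the next reader the same analysis. `TokenAuthentication` also depends on `rest_framework.authtoken` being in `INSTALLED_APPS` with its migration applied, which this diff does not show.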
@@ -36,7 +36,7 @@ urlpatterns = [
 urlpatterns += [
 url(r'^v1/users/$', api.UserListUpdateApi.as_view(), name='user-bulk-update-api'),
- url(r'^v1/users/token$', api.UserTokenApi.as_view(), name='user-token-api'),
+ url(r'^v1/users/token/$', api.UserTokenApi.as_view(), name='user-token-api'),
 url(r'^v1/users/(?P\d+)/$', api.UserDetailApi.as_view(), name='user-patch-api'),
 url(r'^v1/users/(?P\d+)/reset-password/$', api.UserResetPasswordApi.as_view(), name='user-reset-password-api'),
 url(r'^v1/users/(?P\d+)/reset-pk/$', api.UserResetPKApi.as_view(), name='user-reset-pk-api'),