fix: 修复 public 和 smart API 权限包含 connection token

2022-07-15 14:56:51 +08:00 · 2022-07-15 14:56:51 +08:00 · 41541a91b9
parent 93537c07a1
commit 41541a91b9
3 changed files with 28 additions and 4 deletions
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@ -7,6 +7,9 @@ from rest_framework import permissions

 from authentication.const import ConfirmType
 from common.exceptions import UserConfirmRequired
+from orgs.utils import tmp_to_root_org
+from authentication.models import ConnectionToken
+from common.utils import get_object_or_none


 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@ -17,6 +20,22 @@ class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
               and request.user.is_valid


+class IsValidUserOrConnectionToken(IsValidUser):
+
+    def has_permission(self, request, view):
+        return super(IsValidUserOrConnectionToken, self).has_permission(request, view) \
+               or self.is_valid_connection_token(request)
+
+    @staticmethod
+    def is_valid_connection_token(request):
+        token_id = request.query_params.get('token')
+        if not token_id:
+            return False
+        with tmp_to_root_org():
+            token = get_object_or_none(ConnectionToken, id=token_id)
+        return token and token.is_valid
+
+
 class OnlySuperUser(IsValidUser):
    def has_permission(self, request, view):
        return super().has_permission(request, view) \
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@ -3,7 +3,11 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings

 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
-from common.utils import get_logger, lazyproperty
+from common.utils import get_logger, lazyproperty, get_object_or_none
+from authentication.models import ConnectionToken
+from orgs.utils import tmp_to_root_org
+from common.permissions import IsValidUserOrConnectionToken
+
 from .. import serializers
 from ..utils import get_interface_setting_or_default

@ -28,7 +32,7 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):


 class PublicSettingApi(OpenPublicSettingApi):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsValidUserOrConnectionToken,)
    serializer_class = serializers.PrivateSettingSerializer

    def get_object(self):
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@ -9,9 +9,9 @@ from assets.models import Asset
 from orgs.utils import tmp_to_root_org
 from applications.models import Application
 from terminal.models import Session
-from common.permissions import IsValidUser
 from ..models import Endpoint, EndpointRule
 from .. import serializers
+from common.permissions import IsValidUserOrConnectionToken


 __all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
@ -25,7 +25,8 @@ class SmartEndpointViewMixin:
    target_instance: None
    target_protocol: None

-    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
+    @action(methods=['get'], detail=False, permission_classes=[IsValidUserOrConnectionToken],
+            url_path='smart')
    def smart(self, request, *args, **kwargs):
        self.target_instance = self.get_target_instance()
        self.target_protocol = self.get_target_protocol()