fix: 修复 public 和 smart API 权限包含 connection token

apps/common/permissions.py

@@ -7,6 +7,9 @@ from rest_framework import permissions
 
 from authentication.const import ConfirmType
 from common.exceptions import UserConfirmRequired
+from orgs.utils import tmp_to_root_org
+from authentication.models import ConnectionToken
+from common.utils import get_object_or_none
 
 
 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@@ -17,6 +20,22 @@ class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
                and request.user.is_valid
 
 
+class IsValidUserOrConnectionToken(IsValidUser):
+
+    def has_permission(self, request, view):
+        return super(IsValidUserOrConnectionToken, self).has_permission(request, view) \
+               or self.is_valid_connection_token(request)
+
+    @staticmethod
+    def is_valid_connection_token(request):
+        token_id = request.query_params.get('token')
+        if not token_id:
+            return False
+        with tmp_to_root_org():
+            token = get_object_or_none(ConnectionToken, id=token_id)
+        return token and token.is_valid
+
+
 class OnlySuperUser(IsValidUser):
     def has_permission(self, request, view):
         return super().has_permission(request, view) \

apps/settings/api/public.py

@@ -3,7 +3,11 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings
 
 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
-from common.utils import get_logger, lazyproperty
+from common.utils import get_logger, lazyproperty, get_object_or_none
+from authentication.models import ConnectionToken
+from orgs.utils import tmp_to_root_org
+from common.permissions import IsValidUserOrConnectionToken
+
 from .. import serializers
 from ..utils import get_interface_setting_or_default
 
@@ -28,7 +32,7 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):
 
 
 class PublicSettingApi(OpenPublicSettingApi):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsValidUserOrConnectionToken,)
     serializer_class = serializers.PrivateSettingSerializer
 
     def get_object(self):

apps/terminal/api/endpoint.py

@@ -9,9 +9,9 @@ from assets.models import Asset
 from orgs.utils import tmp_to_root_org
 from applications.models import Application
 from terminal.models import Session
-from common.permissions import IsValidUser
 from ..models import Endpoint, EndpointRule
 from .. import serializers
+from common.permissions import IsValidUserOrConnectionToken
 
 
 __all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
@@ -25,7 +25,8 @@ class SmartEndpointViewMixin:
     target_instance: None
     target_protocol: None
 
-    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
+    @action(methods=['get'], detail=False, permission_classes=[IsValidUserOrConnectionToken],
+            url_path='smart')
     def smart(self, request, *args, **kwargs):
         self.target_instance = self.get_target_instance()
         self.target_protocol = self.get_target_protocol()