feat: xrdp挂载受授权的上传下载控制

2021-10-07 15:30:39 +08:00 · 2021-10-07 15:30:39 +08:00 · 6e0341b7b1
parent 2f25e2b24c
commit 6e0341b7b1
2 changed files with 18 additions and 4 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@ -23,7 +23,9 @@ from common.drf.api import SerializerMixin
 from common.permissions import IsSuperUserOrAppUser, IsValidUser, IsSuperUser
 from orgs.mixins.api import RootOrgViewMixin
 from common.http import is_true
-from assets.models import SystemUser
+from perms.utils.asset.permission import get_asset_system_user_ids_with_actions_by_user
+from perms.models.asset_permission import Action
+from authentication.errors import NotHaveUpDownLoadPerm

 from ..serializers import (
    ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
@ -89,8 +91,14 @@ class ClientProtocolMixin:
        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
        token = self.create_token(user, asset, application, system_user)

-        if drives_redirect:
-            options['drivestoredirect:s'] = '*'
+        if drives_redirect and asset:
+            systemuser_actions_mapper = get_asset_system_user_ids_with_actions_by_user(user, asset)
+            actions = systemuser_actions_mapper.get(system_user.id, [])
+            if actions & Action.UPDOWNLOAD:
+                options['drivestoredirect:s'] = '*'
+            else:
+                raise NotHaveUpDownLoadPerm
+
        options['screen mode id:i'] = '2' if full_screen else '1'
        address = settings.TERMINAL_RDP_ADDR
        if not address or address == 'localhost:3389':
--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@ -3,8 +3,8 @@
 from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse
 from django.conf import settings
+from rest_framework import status

-from authentication import sms_verify_code
 from common.exceptions import JMSException
 from .signals import post_auth_failed
 from users.utils import LoginBlockUtil, MFABlockUtils
@ -348,3 +348,9 @@ class FeiShuNotBound(JMSException):
 class PasswdInvalid(JMSException):
    default_code = 'passwd_invalid'
    default_detail = _('Your password is invalid')
+
+
+class NotHaveUpDownLoadPerm(JMSException):
+    status_code = status.HTTP_403_FORBIDDEN
+    code = 'not_have_up_down_load_perm'
+    default_detail = _('No upload or download permission')