perf: 安全模式返回授权的资产

apps/jumpserver/conf.py

@@ -606,7 +606,9 @@ class Config(dict):
         'GPT_MODEL': 'gpt-3.5-turbo',
         'VIRTUAL_APP_ENABLED': False,
 
-        'FILE_UPLOAD_SIZE_LIMIT_MB': 200
+        'FILE_UPLOAD_SIZE_LIMIT_MB': 200,
+
+        'TICKET_APPLY_ASSET_SCOPE': 'all'
     }
 
     old_config_map = {

apps/jumpserver/settings/custom.py

@@ -227,3 +227,5 @@ GPT_MODEL = CONFIG.GPT_MODEL
 VIRTUAL_APP_ENABLED = CONFIG.VIRTUAL_APP_ENABLED
 
 FILE_UPLOAD_SIZE_LIMIT_MB = CONFIG.FILE_UPLOAD_SIZE_LIMIT_MB
+
+TICKET_APPLY_ASSET_SCOPE = CONFIG.TICKET_APPLY_ASSET_SCOPE

apps/locale/ja/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:84c1ff8fcd2a035e5c0919aa1337ac85d22f0e4676eca33dddfdcf7896717f99
-size 171105
+oid sha256:6a7f3882356366531dca8e6459bc4bc50dcbd1e0cf0c379ac93ee3bd1b679d3c
+size 171329

apps/locale/ja/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-24 19:44+0800\n"
+"POT-Creation-Date: 2024-01-25 15:38+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -365,7 +365,7 @@ msgstr "アカウントバックアップ計画"
 
 #: accounts/models/automations/backup_account.py:119
 #: assets/models/automations/base.py:115 audits/models.py:65
-#: ops/models/base.py:55 ops/models/celery.py:86 ops/models/job.py:235
+#: ops/models/base.py:55 ops/models/celery.py:86 ops/models/job.py:237
 #: ops/templates/ops/celery_task_log.html:75
 #: perms/models/asset_permission.py:78
 #: settings/templates/ldap/_msg_import_ldap_user.html:5
@@ -476,14 +476,14 @@ msgstr "開始日"
 
 #: accounts/models/automations/change_secret.py:42
 #: assets/models/automations/base.py:116 ops/models/base.py:56
-#: ops/models/celery.py:87 ops/models/job.py:236
+#: ops/models/celery.py:87 ops/models/job.py:238
 #: terminal/models/applet/host.py:142
 msgid "Date finished"
 msgstr "終了日"
 
 #: accounts/models/automations/change_secret.py:43
 #: assets/models/automations/base.py:113 audits/models.py:208
-#: audits/serializers.py:54 ops/models/base.py:49 ops/models/job.py:227
+#: audits/serializers.py:54 ops/models/base.py:49 ops/models/job.py:229
 #: terminal/models/applet/applet.py:320 terminal/models/applet/host.py:140
 #: terminal/models/component/status.py:30
 #: terminal/models/virtualapp/virtualapp.py:99
@@ -609,7 +609,7 @@ msgstr "パスワードルール"
 #: authentication/serializers/connect_token_secret.py:113
 #: authentication/serializers/connect_token_secret.py:168 labels/models.py:11
 #: ops/mixin.py:21 ops/models/adhoc.py:20 ops/models/celery.py:15
-#: ops/models/celery.py:80 ops/models/job.py:136 ops/models/playbook.py:28
+#: ops/models/celery.py:80 ops/models/job.py:138 ops/models/playbook.py:28
 #: ops/serializers/job.py:18 orgs/models.py:82
 #: perms/models/asset_permission.py:61 rbac/models/role.py:29
 #: settings/models.py:33 settings/models.py:181 settings/serializers/msg.py:89
@@ -763,7 +763,7 @@ msgstr "カテゴリ"
 #: assets/serializers/asset/common.py:126 assets/serializers/platform.py:120
 #: assets/serializers/platform.py:139 audits/serializers.py:53
 #: audits/serializers.py:170
-#: authentication/serializers/connect_token_secret.py:126 ops/models/job.py:144
+#: authentication/serializers/connect_token_secret.py:126 ops/models/job.py:146
 #: perms/serializers/user_permission.py:27 terminal/models/applet/applet.py:39
 #: terminal/models/component/storage.py:57
 #: terminal/models/component/storage.py:146 terminal/serializers/applet.py:29
@@ -800,7 +800,7 @@ msgstr "編集済み"
 #: assets/models/automations/base.py:19
 #: assets/serializers/automations/base.py:20
 #: authentication/api/connection_token.py:404 ops/models/base.py:17
-#: ops/models/job.py:146 ops/serializers/job.py:19
+#: ops/models/job.py:148 ops/serializers/job.py:19
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 msgid "Assets"
 msgstr "資産"
@@ -931,7 +931,7 @@ msgstr "关联平台，可以配置推送参数，如果不关联，则使用默
 #: accounts/serializers/account/virtual.py:19 assets/models/_user.py:27
 #: assets/models/cmd_filter.py:40 assets/models/cmd_filter.py:88
 #: assets/models/group.py:20 common/db/models.py:36 ops/models/adhoc.py:26
-#: ops/models/job.py:152 ops/models/playbook.py:31 rbac/models/role.py:37
+#: ops/models/job.py:154 ops/models/playbook.py:31 rbac/models/role.py:37
 #: settings/models.py:38 terminal/models/applet/applet.py:45
 #: terminal/models/applet/applet.py:321 terminal/models/applet/host.py:143
 #: terminal/models/component/endpoint.py:25
@@ -1330,7 +1330,7 @@ msgstr "アプリケーション"
 msgid "Can match application"
 msgstr "アプリケーションを一致させることができます"
 
-#: assets/api/asset/asset.py:179
+#: assets/api/asset/asset.py:180
 msgid "Cannot create asset directly, you should create a host or other"
 msgstr ""
 "資産を直接作成することはできません。ホストまたはその他を作成する必要がありま"
@@ -1635,7 +1635,7 @@ msgstr "SSHパブリックキー"
 #: assets/models/_user.py:28 assets/models/automations/base.py:114
 #: assets/models/cmd_filter.py:41 assets/models/group.py:19
 #: audits/models.py:267 common/db/models.py:34 ops/models/base.py:54
-#: ops/models/job.py:234 users/models/user.py:1042
+#: ops/models/job.py:236 users/models/user.py:1042
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -1804,7 +1804,7 @@ msgstr "証明書チェックを無視"
 msgid "Proxy"
 msgstr "プロキシー"
 
-#: assets/models/automations/base.py:22 ops/models/job.py:230
+#: assets/models/automations/base.py:22 ops/models/job.py:232
 #: settings/serializers/auth/sms.py:103
 msgid "Parameters"
 msgstr "パラメータ"
@@ -2566,7 +2566,7 @@ msgid "Offline user session"
 msgstr "オフラインユーザセッション"
 
 #: audits/serializers.py:33 ops/models/adhoc.py:25 ops/models/base.py:16
-#: ops/models/base.py:53 ops/models/job.py:145 ops/models/job.py:233
+#: ops/models/base.py:53 ops/models/job.py:147 ops/models/job.py:235
 #: ops/models/playbook.py:30 terminal/models/session/sharing.py:25
 msgid "Creator"
 msgstr "作成者"
@@ -2735,7 +2735,7 @@ msgid "Authentication"
 msgstr "認証"
 
 #: authentication/backends/custom.py:59
-#: authentication/backends/oauth2/backends.py:170
+#: authentication/backends/oauth2/backends.py:173
 msgid "User invalid, disabled or expired"
 msgstr "ユーザーが無効、無効、または期限切れです"
 
@@ -4157,7 +4157,7 @@ msgstr "VCS"
 msgid "Adhoc"
 msgstr "コマンド＃コマンド＃"
 
-#: ops/const.py:39 ops/models/job.py:143
+#: ops/const.py:39 ops/models/job.py:145
 msgid "Playbook"
 msgstr "Playbook"
 
@@ -4242,11 +4242,11 @@ msgstr "定期的または定期的に設定を行う必要があります"
 msgid "Pattern"
 msgstr "パターン"
 
-#: ops/models/adhoc.py:23 ops/models/job.py:140
+#: ops/models/adhoc.py:23 ops/models/job.py:142
 msgid "Module"
 msgstr "モジュール"
 
-#: ops/models/adhoc.py:24 ops/models/celery.py:81 ops/models/job.py:138
+#: ops/models/adhoc.py:24 ops/models/celery.py:81 ops/models/job.py:140
 #: terminal/models/component/task.py:14
 msgid "Args"
 msgstr "アルグ"
@@ -4265,12 +4265,12 @@ msgstr "最後の実行"
 msgid "Date last run"
 msgstr "最終実行日"
 
-#: ops/models/base.py:51 ops/models/job.py:231
+#: ops/models/base.py:51 ops/models/job.py:233
 #: xpack/plugins/cloud/models.py:202
 msgid "Result"
 msgstr "結果"
 
-#: ops/models/base.py:52 ops/models/job.py:232
+#: ops/models/base.py:52 ops/models/job.py:234
 msgid "Summary"
 msgstr "概要"
 
@@ -4303,43 +4303,43 @@ msgstr "発売日"
 msgid "Celery Task Execution"
 msgstr "Celery タスク実行"
 
-#: ops/models/job.py:141
+#: ops/models/job.py:143
 msgid "Chdir"
 msgstr "実行ディレクトリ"
 
-#: ops/models/job.py:142
+#: ops/models/job.py:144
 msgid "Timeout (Seconds)"
 msgstr "タイムアウト（秒）"
 
-#: ops/models/job.py:147
+#: ops/models/job.py:149
 msgid "Use Parameter Define"
 msgstr "パラメータ定義を使用する"
 
-#: ops/models/job.py:148
+#: ops/models/job.py:150
 msgid "Parameters define"
 msgstr "パラメータ定義"
 
-#: ops/models/job.py:149
+#: ops/models/job.py:151
 msgid "Runas"
 msgstr "ユーザーとして実行"
 
-#: ops/models/job.py:151
+#: ops/models/job.py:153
 msgid "Runas policy"
 msgstr "ユーザー ポリシー"
 
-#: ops/models/job.py:215
+#: ops/models/job.py:217
 msgid "Job"
 msgstr "ジョブ＃ジョブ＃"
 
-#: ops/models/job.py:238
+#: ops/models/job.py:240
 msgid "Material"
 msgstr "Material"
 
-#: ops/models/job.py:240
+#: ops/models/job.py:242
 msgid "Material Type"
 msgstr "Material を選択してオプションを設定します。"
 
-#: ops/models/job.py:557
+#: ops/models/job.py:559
 msgid "Job Execution"
 msgstr "ジョブ実行"
 
@@ -7391,6 +7391,18 @@ msgstr "スーパー管理者"
 msgid "Super admin and org admin"
 msgstr "スーパーadminとorg admin"
 
+#: tickets/const.py:62
+msgid "All assets"
+msgstr "すべての資産"
+
+#: tickets/const.py:63
+msgid "Permed assets"
+msgstr "許可された資産"
+
+#: tickets/const.py:64
+msgid "Permed valid assets"
+msgstr "有効な許可を受けた資産"
+
 #: tickets/errors.py:9
 msgid "Ticket already closed"
 msgstr "チケットはすでに閉じています"
@@ -8520,7 +8532,7 @@ msgstr "そして"
 msgid "Or"
 msgstr "または"
 
-#: xpack/plugins/cloud/manager.py:56
+#: xpack/plugins/cloud/manager.py:57
 msgid "Account unavailable"
 msgstr "利用できないアカウント"
 

apps/locale/zh/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2d6388bc60eeeb67f9bc5deaf8aec65a6027bfebad2fb994104841775cdb912d
-size 140312
+oid sha256:82a37a09d6142219f93f871746f9bc036bff1df07d10f273f8ea8b26c5dbd63b
+size 140456

apps/locale/zh/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-24 19:44+0800\n"
+"POT-Creation-Date: 2024-01-25 15:38+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -364,7 +364,7 @@ msgstr "账号备份计划"
 
 #: accounts/models/automations/backup_account.py:119
 #: assets/models/automations/base.py:115 audits/models.py:65
-#: ops/models/base.py:55 ops/models/celery.py:86 ops/models/job.py:235
+#: ops/models/base.py:55 ops/models/celery.py:86 ops/models/job.py:237
 #: ops/templates/ops/celery_task_log.html:75
 #: perms/models/asset_permission.py:78
 #: settings/templates/ldap/_msg_import_ldap_user.html:5
@@ -475,14 +475,14 @@ msgstr "开始日期"
 
 #: accounts/models/automations/change_secret.py:42
 #: assets/models/automations/base.py:116 ops/models/base.py:56
-#: ops/models/celery.py:87 ops/models/job.py:236
+#: ops/models/celery.py:87 ops/models/job.py:238
 #: terminal/models/applet/host.py:142
 msgid "Date finished"
 msgstr "结束日期"
 
 #: accounts/models/automations/change_secret.py:43
 #: assets/models/automations/base.py:113 audits/models.py:208
-#: audits/serializers.py:54 ops/models/base.py:49 ops/models/job.py:227
+#: audits/serializers.py:54 ops/models/base.py:49 ops/models/job.py:229
 #: terminal/models/applet/applet.py:320 terminal/models/applet/host.py:140
 #: terminal/models/component/status.py:30
 #: terminal/models/virtualapp/virtualapp.py:99
@@ -608,7 +608,7 @@ msgstr "密码规则"
 #: authentication/serializers/connect_token_secret.py:113
 #: authentication/serializers/connect_token_secret.py:168 labels/models.py:11
 #: ops/mixin.py:21 ops/models/adhoc.py:20 ops/models/celery.py:15
-#: ops/models/celery.py:80 ops/models/job.py:136 ops/models/playbook.py:28
+#: ops/models/celery.py:80 ops/models/job.py:138 ops/models/playbook.py:28
 #: ops/serializers/job.py:18 orgs/models.py:82
 #: perms/models/asset_permission.py:61 rbac/models/role.py:29
 #: settings/models.py:33 settings/models.py:181 settings/serializers/msg.py:89
@@ -761,7 +761,7 @@ msgstr "类别"
 #: assets/serializers/asset/common.py:126 assets/serializers/platform.py:120
 #: assets/serializers/platform.py:139 audits/serializers.py:53
 #: audits/serializers.py:170
-#: authentication/serializers/connect_token_secret.py:126 ops/models/job.py:144
+#: authentication/serializers/connect_token_secret.py:126 ops/models/job.py:146
 #: perms/serializers/user_permission.py:27 terminal/models/applet/applet.py:39
 #: terminal/models/component/storage.py:57
 #: terminal/models/component/storage.py:146 terminal/serializers/applet.py:29
@@ -798,7 +798,7 @@ msgstr "已修改"
 #: assets/models/automations/base.py:19
 #: assets/serializers/automations/base.py:20
 #: authentication/api/connection_token.py:404 ops/models/base.py:17
-#: ops/models/job.py:146 ops/serializers/job.py:19
+#: ops/models/job.py:148 ops/serializers/job.py:19
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 msgid "Assets"
 msgstr "资产"
@@ -929,7 +929,7 @@ msgstr "关联平台，可配置推送参数，如果不关联，将使用默认
 #: accounts/serializers/account/virtual.py:19 assets/models/_user.py:27
 #: assets/models/cmd_filter.py:40 assets/models/cmd_filter.py:88
 #: assets/models/group.py:20 common/db/models.py:36 ops/models/adhoc.py:26
-#: ops/models/job.py:152 ops/models/playbook.py:31 rbac/models/role.py:37
+#: ops/models/job.py:154 ops/models/playbook.py:31 rbac/models/role.py:37
 #: settings/models.py:38 terminal/models/applet/applet.py:45
 #: terminal/models/applet/applet.py:321 terminal/models/applet/host.py:143
 #: terminal/models/component/endpoint.py:25
@@ -1324,7 +1324,7 @@ msgstr "应用程序"
 msgid "Can match application"
 msgstr "匹配应用"
 
-#: assets/api/asset/asset.py:179
+#: assets/api/asset/asset.py:180
 msgid "Cannot create asset directly, you should create a host or other"
 msgstr "不能直接创建资产, 你应该创建主机或其他资产"
 
@@ -1627,7 +1627,7 @@ msgstr "SSH公钥"
 #: assets/models/_user.py:28 assets/models/automations/base.py:114
 #: assets/models/cmd_filter.py:41 assets/models/group.py:19
 #: audits/models.py:267 common/db/models.py:34 ops/models/base.py:54
-#: ops/models/job.py:234 users/models/user.py:1042
+#: ops/models/job.py:236 users/models/user.py:1042
 msgid "Date created"
 msgstr "创建日期"
 
@@ -1796,7 +1796,7 @@ msgstr "忽略证书校验"
 msgid "Proxy"
 msgstr "代理"
 
-#: assets/models/automations/base.py:22 ops/models/job.py:230
+#: assets/models/automations/base.py:22 ops/models/job.py:232
 #: settings/serializers/auth/sms.py:103
 msgid "Parameters"
 msgstr "参数"
@@ -2549,7 +2549,7 @@ msgid "Offline user session"
 msgstr "下线用户会话"
 
 #: audits/serializers.py:33 ops/models/adhoc.py:25 ops/models/base.py:16
-#: ops/models/base.py:53 ops/models/job.py:145 ops/models/job.py:233
+#: ops/models/base.py:53 ops/models/job.py:147 ops/models/job.py:235
 #: ops/models/playbook.py:30 terminal/models/session/sharing.py:25
 msgid "Creator"
 msgstr "创建者"
@@ -2714,7 +2714,7 @@ msgid "Authentication"
 msgstr "认证"
 
 #: authentication/backends/custom.py:59
-#: authentication/backends/oauth2/backends.py:170
+#: authentication/backends/oauth2/backends.py:173
 msgid "User invalid, disabled or expired"
 msgstr "用户无效，已禁用或已过期"
 
@@ -4106,7 +4106,7 @@ msgstr "VCS"
 msgid "Adhoc"
 msgstr "命令"
 
-#: ops/const.py:39 ops/models/job.py:143
+#: ops/const.py:39 ops/models/job.py:145
 msgid "Playbook"
 msgstr "Playbook"
 
@@ -4191,11 +4191,11 @@ msgstr "需要周期或定期设置"
 msgid "Pattern"
 msgstr "模式"
 
-#: ops/models/adhoc.py:23 ops/models/job.py:140
+#: ops/models/adhoc.py:23 ops/models/job.py:142
 msgid "Module"
 msgstr "模块"
 
-#: ops/models/adhoc.py:24 ops/models/celery.py:81 ops/models/job.py:138
+#: ops/models/adhoc.py:24 ops/models/celery.py:81 ops/models/job.py:140
 #: terminal/models/component/task.py:14
 msgid "Args"
 msgstr "参数"
@@ -4214,12 +4214,12 @@ msgstr "最后执行"
 msgid "Date last run"
 msgstr "最后运行日期"
 
-#: ops/models/base.py:51 ops/models/job.py:231
+#: ops/models/base.py:51 ops/models/job.py:233
 #: xpack/plugins/cloud/models.py:202
 msgid "Result"
 msgstr "结果"
 
-#: ops/models/base.py:52 ops/models/job.py:232
+#: ops/models/base.py:52 ops/models/job.py:234
 msgid "Summary"
 msgstr "汇总"
 
@@ -4252,43 +4252,43 @@ msgstr "发布日期"
 msgid "Celery Task Execution"
 msgstr "Celery 任务执行"
 
-#: ops/models/job.py:141
+#: ops/models/job.py:143
 msgid "Chdir"
 msgstr "运行目录"
 
-#: ops/models/job.py:142
+#: ops/models/job.py:144
 msgid "Timeout (Seconds)"
 msgstr "超时时间 (秒)"
 
-#: ops/models/job.py:147
+#: ops/models/job.py:149
 msgid "Use Parameter Define"
 msgstr "使用参数定义"
 
-#: ops/models/job.py:148
+#: ops/models/job.py:150
 msgid "Parameters define"
 msgstr "参数定义"
 
-#: ops/models/job.py:149
+#: ops/models/job.py:151
 msgid "Runas"
 msgstr "运行用户"
 
-#: ops/models/job.py:151
+#: ops/models/job.py:153
 msgid "Runas policy"
 msgstr "用户策略"
 
-#: ops/models/job.py:215
+#: ops/models/job.py:217
 msgid "Job"
 msgstr "作业"
 
-#: ops/models/job.py:238
+#: ops/models/job.py:240
 msgid "Material"
 msgstr "Material"
 
-#: ops/models/job.py:240
+#: ops/models/job.py:242
 msgid "Material Type"
 msgstr "Material 类型"
 
-#: ops/models/job.py:557
+#: ops/models/job.py:559
 msgid "Job Execution"
 msgstr "作业执行"
 
@@ -7287,6 +7287,18 @@ msgstr "超级管理员"
 msgid "Super admin and org admin"
 msgstr "组织管理员或超级管理员"
 
+#: tickets/const.py:62
+msgid "All assets"
+msgstr "所有资产"
+
+#: tickets/const.py:63
+msgid "Permed assets"
+msgstr "授权的资产"
+
+#: tickets/const.py:64
+msgid "Permed valid assets"
+msgstr "有效授权的资产"
+
 #: tickets/errors.py:9
 msgid "Ticket already closed"
 msgstr "工单已经关闭"
@@ -8396,7 +8408,7 @@ msgstr "与"
 msgid "Or"
 msgstr "或"
 
-#: xpack/plugins/cloud/manager.py:56
+#: xpack/plugins/cloud/manager.py:57
 msgid "Account unavailable"
 msgstr "账号无效"
 

apps/perms/utils/permission.py

@@ -13,7 +13,7 @@ class AssetPermissionUtil(object):
     """ 资产授权相关的方法工具 """
 
     @timeit
-    def get_permissions_for_user(self, user, with_group=True, flat=False):
+    def get_permissions_for_user(self, user, with_group=True, flat=False, with_expired=False):
         """ 获取用户的授权规则 """
         perm_ids = set()
         # user
@@ -25,7 +25,7 @@ class AssetPermissionUtil(object):
             groups = user.groups.all()
             group_perm_ids = self.get_permissions_for_user_groups(groups, flat=True)
             perm_ids.update(group_perm_ids)
-        perms = self.get_permissions(ids=perm_ids)
+        perms = self.get_permissions(ids=perm_ids, with_expired=with_expired)
         if flat:
             return perms.values_list('id', flat=True)
         return perms
@@ -102,6 +102,8 @@ class AssetPermissionUtil(object):
         return model.objects.filter(id__in=ids)
 
     @staticmethod
-    def get_permissions(ids):
-        perms = AssetPermission.objects.filter(id__in=ids).valid().order_by('-date_expired')
-        return perms
+    def get_permissions(ids, with_expired=False):
+        perms = AssetPermission.objects.filter(id__in=ids)
+        if not with_expired:
+            perms = perms.valid()
+        return perms.order_by('-date_expired')

apps/perms/utils/user_perm.py

@@ -29,14 +29,19 @@ class AssetPermissionPermAssetUtil:
         # 比原来的查到所有 asset id 再搜索块很多，因为当资产量大的时候，搜索会很慢
         return (node_assets | direct_assets).order_by().distinct()
 
-    @timeit
-    def get_perm_nodes_assets(self):
-        """ 获取所有授权节点下的资产 """
+    def get_perm_nodes(self):
+        """ 获取所有授权节点 """
         nodes_ids = AssetPermission.objects \
             .filter(id__in=self.perm_ids) \
             .values_list('nodes', flat=True)
         nodes_ids = set(nodes_ids)
         nodes = Node.objects.filter(id__in=nodes_ids).only('id', 'key')
+        return nodes
+
+    @timeit
+    def get_perm_nodes_assets(self):
+        """ 获取所有授权节点下的资产 """
+        nodes = self.get_perm_nodes()
         assets = PermNode.get_nodes_all_assets(*nodes, distinct=False)
         return assets
 

apps/tickets/api/__init__.py

@@ -5,3 +5,4 @@ from .ticket import *
 from .comment import *
 from .relation import *
 from .super_ticket import *
+from .perms import *

apps/tickets/api/perms.py

@@ -0,0 +1,66 @@
+from django.conf import settings
+
+from assets.models import Asset, Node
+from assets.serializers.asset.common import MiniAssetSerializer
+from assets.serializers.node import NodeSerializer
+from common.api import SuggestionMixin
+from orgs.mixins.api import OrgReadonlyModelViewSet
+from perms.utils import AssetPermissionPermAssetUtil
+from perms.utils.permission import AssetPermissionUtil
+from tickets.const import TicketApplyAssetScope
+
+__all__ = ['ApplyAssetsViewSet', 'ApplyNodesViewSet']
+
+
+class ApplyAssetsViewSet(OrgReadonlyModelViewSet, SuggestionMixin):
+    model = Asset
+    serializer_class = MiniAssetSerializer
+    rbac_perms = (
+        ("match", "assets.match_asset"),
+    )
+
+    search_fields = ("name", "address", "comment")
+
+    def get_queryset(self):
+        if TicketApplyAssetScope.is_permed():
+            queryset = self.get_assets(with_expired=True)
+        elif TicketApplyAssetScope.is_permed_valid():
+            queryset = self.get_assets()
+        else:
+            queryset = super().get_queryset()
+        return queryset
+
+    def get_assets(self, with_expired=False):
+        perms = AssetPermissionUtil().get_permissions_for_user(
+            self.request.user, flat=True, with_expired=with_expired
+        )
+        util = AssetPermissionPermAssetUtil(perms)
+        assets = util.get_all_assets()
+        return assets
+
+
+class ApplyNodesViewSet(OrgReadonlyModelViewSet, SuggestionMixin):
+    model = Node
+    serializer_class = NodeSerializer
+    rbac_perms = (
+        ("match", "assets.match_node"),
+    )
+
+    search_fields = ('full_value',)
+
+    def get_queryset(self):
+        if TicketApplyAssetScope.is_permed():
+            queryset = self.get_nodes(with_expired=True)
+        elif TicketApplyAssetScope.is_permed_valid():
+            queryset = self.get_nodes()
+        else:
+            queryset = super().get_queryset()
+        return queryset
+
+    def get_nodes(self, with_expired=False):
+        perms = AssetPermissionUtil().get_permissions_for_user(
+            self.request.user, flat=True, with_expired=with_expired
+        )
+        util = AssetPermissionPermAssetUtil(perms)
+        nodes = util.get_perm_nodes()
+        return nodes

apps/tickets/const.py

@@ -1,3 +1,4 @@
+from django.conf import settings
 from django.db.models import TextChoices, IntegerChoices
 from django.utils.translation import gettext_lazy as _
 
@@ -56,3 +57,21 @@ class TicketApprovalStrategy(TextChoices):
     custom_user = 'custom_user', _("Custom user")
     super_admin = 'super_admin', _("Super admin")
     super_org_admin = 'super_org_admin', _("Super admin and org admin")
+
+
+class TicketApplyAssetScope(TextChoices):
+    all = 'all', _("All assets")
+    permed = 'permed', _("Permed assets")
+    permed_valid = 'permed_valid', _('Permed valid assets')
+
+    @classmethod
+    def get_scope(cls):
+        return settings.TICKET_APPLY_ASSET_SCOPE.lower()
+
+    @classmethod
+    def is_permed(cls):
+        return cls.get_scope() == cls.permed
+
+    @classmethod
+    def is_permed_valid(cls):
+        return cls.get_scope() == cls.permed_valid

apps/tickets/urls/api_urls.py

@@ -16,6 +16,8 @@ router.register('apply-login-tickets', api.ApplyLoginTicketViewSet, 'apply-login
 router.register('apply-command-tickets', api.ApplyCommandTicketViewSet, 'apply-command-ticket')
 router.register('apply-login-asset-tickets', api.ApplyLoginAssetTicketViewSet, 'apply-login-asset-ticket')
 router.register('ticket-session-relation', api.TicketSessionRelationViewSet, 'ticket-session-relation')
+router.register('apply-assets', api.ApplyAssetsViewSet, 'ticket-session-relation')
+router.register('apply-nodes', api.ApplyNodesViewSet, 'ticket-session-relation')
 
 urlpatterns = [
     path('tickets/<uuid:ticket_id>/session/', api.TicketSessionApi.as_view(), name='ticket-session'),