feat: 系统设置-安全设置支持配置作业中心命令黑名单

2023-05-31 17:16:48 +08:00 · 2023-05-31 17:16:48 +08:00 · a0bb25e558
parent 51d6090fdc
commit a0bb25e558
7 changed files with 1089 additions and 1339 deletions
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -452,6 +452,9 @@ class Config(dict):
        'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
        'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
        'SECURITY_COMMAND_EXECUTION': True,
+        'SECURITY_COMMAND_BLACKLIST': [
+            'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'
+        ],
        'SECURITY_SERVICE_ACCOUNT_REGISTRATION': True,
        'SECURITY_VIEW_AUTH_NEED_MFA': True,
        'SECURITY_MAX_IDLE_TIME': 30,
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -35,6 +35,7 @@ SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
 SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME  # Unit: minute
 SECURITY_COMMAND_EXECUTION = CONFIG.SECURITY_COMMAND_EXECUTION
+SECURITY_COMMAND_BLACKLIST = CONFIG.SECURITY_COMMAND_BLACKLIST
 SECURITY_PASSWORD_EXPIRATION_TIME = CONFIG.SECURITY_PASSWORD_EXPIRATION_TIME  # Unit: day
 SECURITY_PASSWORD_MIN_LENGTH = CONFIG.SECURITY_PASSWORD_MIN_LENGTH  # Unit: bit
 SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH = CONFIG.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH  # Unit: bit
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
--- a/apps/ops/ansible/runner.py
+++ b/apps/ops/ansible/runner.py
@ -9,9 +9,6 @@ from .callback import DefaultCallback

 class AdHocRunner:
    cmd_modules_choices = ('shell', 'raw', 'command', 'script', 'win_shell')
-    cmd_blacklist = [
-        "reboot", 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'
-    ]

    def __init__(self, inventory, module, module_args='', pattern='*', project_dir='/tmp/', extra_vars={},
                 dry_run=False, timeout=-1):
@ -30,7 +27,7 @@ class AdHocRunner:
    def check_module(self):
        if self.module not in self.cmd_modules_choices:
            return
-        if self.module_args and self.module_args.split()[0] in self.cmd_blacklist:
+        if self.module_args and self.module_args.split()[0] in settings.SECURITY_COMMAND_BLACKLIST:
            raise Exception("command not allowed: {}".format(self.module_args[0]))

    def run(self, verbosity=0, **kwargs):
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@ -21,6 +21,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
    SECURITY_VIEW_AUTH_NEED_MFA = serializers.BooleanField()
    SECURITY_MFA_VERIFY_TTL = serializers.IntegerField()
    SECURITY_COMMAND_EXECUTION = serializers.BooleanField()
+    SECURITY_COMMAND_BLACKLIST = serializers.ListField()
    SECURITY_PASSWORD_EXPIRATION_TIME = serializers.IntegerField()
    SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
--- a/apps/settings/serializers/security.py
+++ b/apps/settings/serializers/security.py
@ -179,6 +179,11 @@ class SecuritySettingSerializer(SecurityPasswordRuleSerializer, SecurityAuthSeri
        required=False, label=_('Operation center'),
        help_text=_('Allow user run batch command or not using ansible')
    )
+    SECURITY_COMMAND_BLACKLIST = serializers.ListField(
+        child=serializers.CharField(max_length=1024, ),
+        label=_('Operation center command blacklist'),
+        help_text=_("Commands that are not allowed execute.")
+    )
    SECURITY_SESSION_SHARE = serializers.BooleanField(
        required=True, label=_('Session share'),
        help_text=_("Enabled, Allows user active session to be shared with other users")