From a1ded0c7379ef35f6f0fb40226af496c3fc9afeb Mon Sep 17 00:00:00 2001
From: ibuler
Date: Thu, 13 Jul 2023 16:00:24 +0800
Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E4=B8=80=E4=BA=9B=20?=
 =?UTF-8?q?rbac=20=E6=9D=83=E9=99=90=E4=BD=8D=EF=BC=8C=E7=9D=80=E9=87=8D?=
 =?UTF-8?q?=20connection=20token=20=E7=9A=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py | 26 ++--
 .../migrations/0021_auto_20230713_1459.py | 24 ++++
 .../authentication/models/connection_token.py | 17 ++-
 .../serializers/connection_token.py | 36 ++----
 apps/locale/ja/LC_MESSAGES/django.mo | 4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 120 ++++++++++--------
 apps/locale/zh/LC_MESSAGES/django.mo | 4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 116 +++++++++--------
 apps/rbac/builtin.py | 11 +-
 apps/rbac/const.py | 3 +-
 apps/rbac/tree.py | 3 +-
 .../migrations/0050_auto_20220606_1745.py | 4 +-
 12 files changed, 209 insertions(+), 159 deletions(-)
 create mode 100644 apps/authentication/migrations/0021_auto_20230713_1459.py

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 7a0b38872..d6a872841 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -8,7 +8,7 @@ from django.http import HttpResponse
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
-from rest_framework import status
+from rest_framework import status, serializers
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.request import Request
@@ -28,7 +28,7 @@ from ..models import ConnectionToken, date_expired_default
 from ..serializers import (
     ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
     SuperConnectionTokenSerializer, ConnectTokenAppletOptionSerializer,
-    ConnectionTokenUpdateSerializer
+    ConnectionTokenReusableSerializer,
 )
 
 __all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']
@@ -212,6 +212,17 @@ class ExtraActionApiMixin(RDPFileClientProtocolURLMixin):
         instance.expire()
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+    @action(methods=['PATCH'], detail=True, url_path='reuse')
+    def reuse(self, request, *args, **kwargs):
+        instance = self.get_object()
+        if not settings.CONNECTION_TOKEN_REUSABLE:
+            raise serializers.ValidationError(_('Reusable connection token is not allowed, global setting not enabled'))
+        serializer = self.get_serializer(instance, data=request.data, partial=True)
+        serializer.is_valid(raise_exception=True)
+        is_reusable = serializer.validated_data.get('is_reusable', False)
+        instance.set_reusable(is_reusable)
+        return Response(data=serializer.data)
+
     @action(methods=['POST'], detail=False)
     def exchange(self, request, *args, **kwargs):
         pk = request.data.get('id', None) or request.data.get('pk', None)
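Review bot: `reuse` calls `instance.set_reusable()` on whatever `get_object()` returns without checking `instance.is_expired`, so a PATCH to `/reuse` on a token that has already run out (or was explicitly expired through the `expire` action just above) gives it a fresh `date_expired` and brings it back to life; a guard before the serializer step, `if instance.is_expired: raise ValidationError(...)`, closes that. `serializer.validated_data.get('is_reusable', False)` also means a body that omits the field silently flips the token to one-time and still resets its expiry, so a missing key should probably be rejected rather than defaulted. Minor: `ValidationError` is already imported from `rest_framework.exceptions` in this module, so the new `serializers` import exists only to spell the same exception as `serializers.ValidationError`. Whether `get_object()` is scoped to the caller's own tokens depends on the queryset, which is outside this hunk.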
@@ -232,17 +243,16 @@ class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelView
     search_fields = filterset_fields
     serializer_classes = {
         'default': ConnectionTokenSerializer,
-        'update': ConnectionTokenUpdateSerializer,
-        'partial_update': ConnectionTokenUpdateSerializer,
+        'reuse': ConnectionTokenReusableSerializer,
     }
     http_method_names = ['get', 'post', 'patch', 'head', 'options', 'trace']
     rbac_perms = {
         'list': 'authentication.view_connectiontoken',
         'retrieve': 'authentication.view_connectiontoken',
-        'update': 'authentication.change_connectiontoken',
         'create': 'authentication.add_connectiontoken',
         'exchange': 'authentication.add_connectiontoken',
-        'expire': 'authentication.change_connectiontoken',
+        'reuse': 'authentication.reuse_connectiontoken',
+        'expire': 'authentication.expire_connectiontoken',
         'get_rdp_file': 'authentication.add_connectiontoken',
         'get_client_protocol_url': 'authentication.add_connectiontoken',
     }
@@ -346,7 +356,7 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
     rbac_perms = {
         'create': 'authentication.add_superconnectiontoken',
         'renewal': 'authentication.add_superconnectiontoken',
-        'get_secret_detail': 'authentication.view_connectiontokensecret',
+        'get_secret_detail': 'authentication.view_superconnectiontokensecret',
         'get_applet_info': 'authentication.view_superconnectiontoken',
         'release_applet_account': 'authentication.view_superconnectiontoken',
     }
@@ -376,7 +386,7 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
     @action(methods=['POST'], detail=False, url_path='secret')
     def get_secret_detail(self, request, *args, **kwargs):
         """ 非常重要的 api, 在逻辑层再判断一下 rbac 权限, 双重保险 """
-        rbac_perm = 'authentication.view_connectiontokensecret'
+        rbac_perm = 'authentication.view_superconnectiontokensecret'
         if not request.user.has_perm(rbac_perm):
             raise PermissionDenied('Not allow to view secret')
 
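Review bot: `'update'` and `'partial_update'` are dropped from `rbac_perms` and `serializer_classes`, but `'patch'` stays in `http_method_names` (the new `reuse` action needs it), so `PATCH /<id>/` is still routed to `partial_update` with the default `ConnectionTokenSerializer` and is now gated only by whatever permission `JMSModelViewSet` maps an unlisted action to. If that fallback is the model's `change` permission, the `rbac/const.py` hunk that excludes `change` from the tree makes the route effectively ungrantable, which looks like the intent, but it should be stated rather than emerge as a side effect: either list `'update'` and `'partial_update'` in `rbac_perms` explicitly, or override `partial_update` to return 405. `SuperConnectionTokenViewSet` inherits this mapping, so the same applies there.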
diff --git a/apps/authentication/migrations/0021_auto_20230713_1459.py b/apps/authentication/migrations/0021_auto_20230713_1459.py
new file mode 100644
index 000000000..03913f766
--- /dev/null
+++ b/apps/authentication/migrations/0021_auto_20230713_1459.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.2.19 on 2023-07-13 06:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('authentication', '0020_connectiontoken_connect_options'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='connectiontoken',
+            options={'ordering': ('-date_expired',),
+                     'permissions': [('expire_connectiontoken', 'Can expire connection token'),
+                                     ('reuse_connectiontoken', 'Can reuse connection token')],
+                     'verbose_name': 'Connection token'},
+        ),
+        migrations.AlterModelOptions(
+            name='superconnectiontoken',
+            options={'permissions': [('view_superconnectiontokensecret', 'Can view super connection token secret')],
+                     'verbose_name': 'Super connection token'},
+        ),
+    ]
diff --git a/apps/authentication/models/connection_token.py b/apps/authentication/models/connection_token.py
index 3375df145..d6ba7e89f 100644
--- a/apps/authentication/models/connection_token.py
+++ b/apps/authentication/models/connection_token.py
@@ -54,10 +54,11 @@ class ConnectionToken(JMSOrgBaseModel):
 
     class Meta:
         ordering = ('-date_expired',)
-        verbose_name = _('Connection token')
         permissions = [
-            ('view_connectiontokensecret', _('Can view connection token secret'))
+            ('expire_connectiontoken', _('Can expire connection token')),
+            ('reuse_connectiontoken', _('Can reuse connection token')),
         ]
+        verbose_name = _('Connection token')
 
     @property
     def is_expired(self):
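Review bot: Removing `view_connectiontokensecret` from `ConnectionToken.Meta.permissions` (and adding `view_superconnectiontokensecret` on the proxy model in the next hunk) only changes model state: the generated `AlterModelOptions` migration neither deletes the old `auth_permission` row nor re-points the roles that include it, while `get_secret_detail` now checks the new codename. Any role that was granted the old permission therefore stops being able to fetch secrets after the upgrade unless it is re-granted somewhere not in this diff; the `rbac/const.py` hunk hides the stale codename from the permission tree but does not migrate it. A `RunPython` step in `0021_auto_20230713_1459.py` that copies the old grant onto the new codename, or a line in the commit message saying the cut-over is deliberate, would make the intent explicit. The enclosing `ConnectionToken` class continues outside the hunk.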
@@ -80,6 +81,15 @@ class ConnectionToken(JMSOrgBaseModel):
         self.date_expired = timezone.now()
         self.save(update_fields=['date_expired'])
 
+    def set_reusable(self, is_reusable):
+        self.is_reusable = is_reusable
+        if self.is_reusable:
+            seconds = settings.CONNECTION_TOKEN_REUSABLE_EXPIRATION
+        else:
+            seconds = settings.CONNECTION_TOKEN_ONETIME_EXPIRATION
+        self.date_expired = timezone.now() + timedelta(seconds=seconds)
+        self.save(update_fields=['is_reusable', 'date_expired'])
+
     def renewal(self):
         """ 续期 Token,将来支持用户自定义创建 token 后,续期策略要修改 """
         self.date_expired = date_expired_default()
@@ -255,4 +265,7 @@ class ConnectionToken(JMSOrgBaseModel):
 class SuperConnectionToken(ConnectionToken):
     class Meta:
         proxy = True
+        permissions = [
+            ('view_superconnectiontokensecret', _('Can view super connection token secret'))
+        ]
         verbose_name = _("Super connection token")
diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py
index 28cf79127..bc3d051e1 100644
--- a/apps/authentication/serializers/connection_token.py
+++ b/apps/authentication/serializers/connection_token.py
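Review bot: `set_reusable` recomputes `date_expired` from `timezone.now()` on every call, even when `is_reusable` already holds the requested value, so each PATCH to `/reuse` pushes the expiry out by another `CONNECTION_TOKEN_REUSABLE_EXPIRATION` (or `CONNECTION_TOKEN_ONETIME_EXPIRATION`) window with no upper bound; the serializer logic this commit removes kept an existing `date_expired` that was already more than a day out. If extending a token's lifetime through repeated calls is not intended, recompute only when the flag actually changes, e.g. `if self.is_reusable == is_reusable: return` at the top, and say so in a docstring such as `"""Set the reusable flag and reset the expiry relative to now."""`. `settings` and `timedelta` must already be in scope in this module (the import block is outside the hunk); the removed serializer spelled the latter as `timezone.timedelta`.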
@@ -1,20 +1,18 @@
-from django.conf import settings
-from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.serializers import CommonModelSerializer
 from common.serializers.fields import EncryptedField
-from orgs.mixins.serializers import OrgResourceModelSerializerMixin
 from perms.serializers.permission import ActionChoicesField
 from ..models import ConnectionToken
 
 __all__ = [
     'ConnectionTokenSerializer', 'SuperConnectionTokenSerializer',
-    'ConnectionTokenUpdateSerializer',
+    'ConnectionTokenReusableSerializer',
 ]
 
 
-class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
+class ConnectionTokenSerializer(CommonModelSerializer):
     expire_time = serializers.IntegerField(read_only=True, label=_('Expired time'))
     input_secret = EncryptedField(
         label=_("Input secret"), max_length=40960, required=False, allow_blank=True
@@ -60,30 +58,12 @@ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
         return info
 
 
-class ConnectionTokenUpdateSerializer(ConnectionTokenSerializer):
-    class Meta(ConnectionTokenSerializer.Meta):
+class ConnectionTokenReusableSerializer(CommonModelSerializer):
+    class Meta:
+        model = ConnectionToken
+        fields = ['id', 'date_expired', 'is_reusable']
         can_update_fields = ['is_reusable']
-        read_only_fields = list(set(ConnectionTokenSerializer.Meta.fields) - set(can_update_fields))
-
-    def _get_date_expired(self):
-        delta = self.instance.date_expired - self.instance.date_created
-        if delta.total_seconds() > 3600 * 24:
-            return self.instance.date_expired
-
-        seconds = settings.CONNECTION_TOKEN_REUSABLE_EXPIRATION
-        return timezone.now() + timezone.timedelta(seconds=seconds)
-
-    @staticmethod
-    def validate_is_reusable(value):
-        if value and not settings.CONNECTION_TOKEN_REUSABLE:
-            raise serializers.ValidationError(_('Reusable connection token is not allowed, global setting not enabled'))
-        return value
-
-    def validate(self, attrs):
-        reusable = attrs.get('is_reusable', False)
-        if reusable:
-            attrs['date_expired'] = self._get_date_expired()
-        return attrs
+        read_only_fields = list(set(fields) - set(can_update_fields))
 
 
 class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 2d02dd7eb..820a5d1b0 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3c01e373aea806f104ae77bb4dfbeab1a9c5d4af9ca5c421f62b40f00bbf4b33
-size 147721
+oid sha256:a4463d66ad3eac6127e435d60759e1a6584f93842d959e6129c9b92d1a68de32
+size 148522
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index c78b136bb..a15110564 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
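Review bot: `ConnectionTokenReusableSerializer` drops the `validate_is_reusable` check, so the global `CONNECTION_TOKEN_REUSABLE` guard now lives only in the `reuse` view and any other consumer of this serializer would accept `is_reusable=True` regardless of the setting; keeping a one-line `validate_is_reusable` here as well keeps the rule next to the field it governs. `is_reusable` is also not `required`, so with `partial=True` an empty body validates; if a missing flag should be an error, declare `extra_kwargs = {'is_reusable': {'required': True}}` in `Meta`. `can_update_fields` is not a DRF `Meta` option — only the derived `read_only_fields` has an effect on validation — which is fine if the project reads it elsewhere, but a short comment saying so would stop the next reader from looking for its consumer.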
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2023-07-11 12:03+0800\n" +"POT-Creation-Date: 2023-07-13 15:56+0800\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -87,7 +87,7 @@ msgstr "テンプレート" msgid "Skip" msgstr "スキップ" -#: accounts/const/account.py:28 audits/const.py:24 rbac/tree.py:229 +#: accounts/const/account.py:28 audits/const.py:24 rbac/tree.py:230 #: templates/_csv_import_export.html:18 templates/_csv_update_modal.html:6 msgid "Update" msgstr "更新" @@ -652,7 +652,7 @@ msgstr "ID" #: authentication/models/sso_token.py:16 #: notifications/models/notification.py:12 #: perms/api/user_permission/mixin.py:55 perms/models/asset_permission.py:58 -#: perms/serializers/permission.py:30 rbac/builtin.py:122 +#: perms/serializers/permission.py:30 rbac/builtin.py:123 #: rbac/models/rolebinding.py:49 terminal/backends/command/models.py:17 #: terminal/models/session/session.py:29 terminal/models/session/sharing.py:32 #: terminal/notifications.py:135 terminal/notifications.py:183 @@ -1023,7 +1023,7 @@ msgid "{} disabled" msgstr "{} 無効" #: assets/automations/ping_gateway/manager.py:33 -#: authentication/models/connection_token.py:118 +#: authentication/models/connection_token.py:128 msgid "No account" msgstr "アカウントなし" @@ -1077,7 +1077,8 @@ msgstr "無効" msgid "Basic" msgstr "基本" -#: assets/const/base.py:35 assets/models/asset/web.py:13 +#: assets/const/base.py:35 assets/const/protocol.py:193 +#: assets/models/asset/web.py:13 msgid "Script" msgstr "脚本" 
@@ -1185,23 +1186,28 @@ msgstr "AD ドメイン" msgid "Use SSL" msgstr "SSLの使用" -#: assets/const/protocol.py:145 +#: assets/const/protocol.py:149 msgid "Auth username" msgstr "ユーザー名で認証する" -#: assets/const/protocol.py:173 assets/models/asset/web.py:10 +#: assets/const/protocol.py:170 assets/models/asset/web.py:9 +#: assets/serializers/asset/info/spec.py:16 +msgid "Autofill" +msgstr "自動充填" + +#: assets/const/protocol.py:178 assets/models/asset/web.py:10 msgid "Username selector" msgstr "ユーザー名ピッカー" -#: assets/const/protocol.py:178 assets/models/asset/web.py:11 +#: assets/const/protocol.py:183 assets/models/asset/web.py:11 msgid "Password selector" msgstr "パスワードセレクター" -#: assets/const/protocol.py:183 assets/models/asset/web.py:12 +#: assets/const/protocol.py:188 assets/models/asset/web.py:12 msgid "Submit selector" msgstr "ボタンセレクターを確認する" -#: assets/const/protocol.py:201 +#: assets/const/protocol.py:211 msgid "API mode" msgstr "APIモード" @@ -1408,10 +1414,6 @@ msgstr "証明書チェックを無視" msgid "Proxy" msgstr "" -#: assets/models/asset/web.py:9 assets/serializers/asset/info/spec.py:16 -msgid "Autofill" -msgstr "自動充填" - #: assets/models/automations/base.py:22 ops/models/job.py:187 #: settings/serializers/auth/sms.py:99 msgid "Parameters" @@ -1963,7 +1965,7 @@ msgstr "Rmdir" #: audits/const.py:14 audits/const.py:25 #: authentication/templates/authentication/_access_key_modal.html:65 -#: perms/const.py:17 rbac/tree.py:230 +#: perms/const.py:17 rbac/tree.py:231 msgid "Delete" msgstr "削除" @@ -1987,13 +1989,13 @@ msgstr "ダウンロード" msgid "Rename dir" msgstr "マップディレクトリ" -#: audits/const.py:23 rbac/tree.py:228 +#: audits/const.py:23 rbac/tree.py:229 msgid "View" msgstr "表示" #: audits/const.py:26 #: authentication/templates/authentication/_access_key_modal.html:22 -#: rbac/tree.py:227 +#: rbac/tree.py:228 msgid "Create" msgstr "作成" 
@@ -2230,23 +2232,29 @@ msgstr "外部ストレージへのFTPファイルのアップロード" msgid "This action require verify your MFA" msgstr "この操作には、MFAを検証する必要があります" -#: authentication/api/connection_token.py:288 +#: authentication/api/connection_token.py:219 +msgid "Reusable connection token is not allowed, global setting not enabled" +msgstr "" +"再使用可能な接続トークンの使用は許可されていません。グローバル設定は有効に" +"なっていません" + +#: authentication/api/connection_token.py:298 msgid "Anonymous account is not supported for this asset" msgstr "匿名アカウントはこのプロパティではサポートされていません" -#: authentication/api/connection_token.py:310 +#: authentication/api/connection_token.py:320 msgid "Account not found" msgstr "アカウントが見つかりません" -#: authentication/api/connection_token.py:313 +#: authentication/api/connection_token.py:323 msgid "Permission expired" msgstr "承認の有効期限が切れています" -#: authentication/api/connection_token.py:327 +#: authentication/api/connection_token.py:337 msgid "ACL action is reject: {}({})" msgstr "ACL アクションは拒否です: {}({})" -#: authentication/api/connection_token.py:331 +#: authentication/api/connection_token.py:341 msgid "ACL action is review" msgstr "ACL アクションはレビューです" @@ -2637,7 +2645,7 @@ msgid "Input username" msgstr "カスタム ユーザー名" #: authentication/models/connection_token.py:40 -#: authentication/serializers/connection_token.py:20 +#: authentication/serializers/connection_token.py:18 msgid "Input secret" msgstr "カスタムパスワード" 
@@ -2674,31 +2682,39 @@ msgstr "期限切れの日付" msgid "From ticket" msgstr "チケットから" -#: authentication/models/connection_token.py:57 +#: authentication/models/connection_token.py:58 +msgid "Can expire connection token" +msgstr "接続トークンの有効期限を設定できます" + +#: authentication/models/connection_token.py:59 +msgid "Can reuse connection token" +msgstr "接続トークンを再利用できます" + +#: authentication/models/connection_token.py:61 msgid "Connection token" msgstr "接続トークン" -#: authentication/models/connection_token.py:59 -msgid "Can view connection token secret" -msgstr "接続トークンの秘密を表示できます" - -#: authentication/models/connection_token.py:106 +#: authentication/models/connection_token.py:116 msgid "Connection token inactive" msgstr "接続トークンがアクティブ化されていません" -#: authentication/models/connection_token.py:109 +#: authentication/models/connection_token.py:119 msgid "Connection token expired at: {}" msgstr "接続トークンの有効期限: {}" -#: authentication/models/connection_token.py:112 +#: authentication/models/connection_token.py:122 msgid "No user or invalid user" msgstr "ユーザーなしまたは期限切れのユーザー" -#: authentication/models/connection_token.py:115 +#: authentication/models/connection_token.py:125 msgid "No asset or inactive asset" msgstr "アセットがないか、有効化されていないアセット" -#: authentication/models/connection_token.py:258 +#: authentication/models/connection_token.py:269 +msgid "Can view super connection token secret" +msgstr "スーパー接続トークンのシークレットを表示できます" + +#: authentication/models/connection_token.py:271 msgid "Super connection token" msgstr "スーパー接続トークン" 
@@ -2742,15 +2758,15 @@ msgstr "コンポーネント" msgid "Expired now" msgstr "すぐに期限切れ" -#: authentication/serializers/connection_token.py:18 +#: authentication/serializers/connection_token.py:16 msgid "Expired time" msgstr "期限切れ時間" -#: authentication/serializers/connection_token.py:22 +#: authentication/serializers/connection_token.py:20 msgid "Ticket info" msgstr "作業指示情報" -#: authentication/serializers/connection_token.py:23 +#: authentication/serializers/connection_token.py:21 #: perms/models/asset_permission.py:71 perms/serializers/permission.py:36 #: perms/serializers/permission.py:56 #: tickets/models/ticket/apply_application.py:28 @@ -2758,18 +2774,12 @@ msgstr "作業指示情報" msgid "Actions" msgstr "アクション" -#: authentication/serializers/connection_token.py:44 +#: authentication/serializers/connection_token.py:42 #: perms/serializers/permission.py:38 perms/serializers/permission.py:57 #: users/serializers/user.py:96 users/serializers/user.py:172 msgid "Is expired" msgstr "期限切れです" -#: authentication/serializers/connection_token.py:79 -msgid "Reusable connection token is not allowed, global setting not enabled" -msgstr "" -"再使用可能な接続トークンの使用は許可されていません。グローバル設定は有効に" -"なっていません" - #: authentication/serializers/password_mfa.py:16 #: authentication/serializers/password_mfa.py:24 #: notifications/backends/__init__.py:10 settings/serializers/email.py:19 @@ -3899,7 +3909,7 @@ msgstr "" msgid "The organization have resource ({}) cannot be deleted" msgstr "組織のリソース ({}) は削除できません" -#: orgs/apps.py:7 rbac/tree.py:118 +#: orgs/apps.py:7 rbac/tree.py:119 msgid "App organizations" msgstr "アプリ組織" 
@@ -4058,27 +4068,27 @@ msgstr "{} 少なくとも1つのシステムロール" msgid "RBAC" msgstr "RBAC" -#: rbac/builtin.py:113 +#: rbac/builtin.py:114 msgid "SystemAdmin" msgstr "システム管理者" -#: rbac/builtin.py:116 +#: rbac/builtin.py:117 msgid "SystemAuditor" msgstr "システム監査人" -#: rbac/builtin.py:119 +#: rbac/builtin.py:120 msgid "SystemComponent" msgstr "システムコンポーネント" -#: rbac/builtin.py:125 +#: rbac/builtin.py:126 msgid "OrgAdmin" msgstr "組織管理者" -#: rbac/builtin.py:128 +#: rbac/builtin.py:129 msgid "OrgAuditor" msgstr "監査員を組織する" -#: rbac/builtin.py:131 +#: rbac/builtin.py:132 msgid "OrgUser" msgstr "組織ユーザー" @@ -4229,19 +4239,19 @@ msgstr "私の資産" msgid "Applet" msgstr "リモートアプリケーション" -#: rbac/tree.py:119 +#: rbac/tree.py:120 msgid "Ticket comment" msgstr "チケットコメント" -#: rbac/tree.py:120 tickets/models/ticket/general.py:307 +#: rbac/tree.py:121 tickets/models/ticket/general.py:307 msgid "Ticket" msgstr "チケット" -#: rbac/tree.py:121 +#: rbac/tree.py:122 msgid "Common setting" msgstr "共通設定" -#: rbac/tree.py:122 +#: rbac/tree.py:123 msgid "View permission tree" msgstr "権限ツリーの表示" @@ -5722,7 +5732,7 @@ msgstr "出力" msgid "Risk level" msgstr "リスクレベル" -#: terminal/connect_methods.py:55 +#: terminal/connect_methods.py:34 msgid "DB Client" msgstr "データベース クライアント" diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo index f9f875d29..043ff32f6 100644 --- a/apps/locale/zh/LC_MESSAGES/django.mo +++ b/apps/locale/zh/LC_MESSAGES/django.mo @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:3d81d525d06bd1446780753e7627adbcc344144a3c0ed856d7953b9758913028 -size 120819 +oid sha256:f5261baf86de7c7c1374041d450b51ead282b6f546738c4caffd6b4d4ea22a00 +size 121562 diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po index f6b13ebb4..94f3ea94c 100644 --- a/apps/locale/zh/LC_MESSAGES/django.po +++ b/apps/locale/zh/LC_MESSAGES/django.po 
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: JumpServer 0.3.3\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2023-07-11 12:03+0800\n" +"POT-Creation-Date: 2023-07-13 15:56+0800\n" "PO-Revision-Date: 2021-05-20 10:54+0800\n" "Last-Translator: ibuler \n" "Language-Team: JumpServer team\n" @@ -86,7 +86,7 @@ msgstr "模板" msgid "Skip" msgstr "跳过" -#: accounts/const/account.py:28 audits/const.py:24 rbac/tree.py:229 +#: accounts/const/account.py:28 audits/const.py:24 rbac/tree.py:230 #: templates/_csv_import_export.html:18 templates/_csv_update_modal.html:6 msgid "Update" msgstr "更新" @@ -648,7 +648,7 @@ msgstr "ID" #: authentication/models/sso_token.py:16 #: notifications/models/notification.py:12 #: perms/api/user_permission/mixin.py:55 perms/models/asset_permission.py:58 -#: perms/serializers/permission.py:30 rbac/builtin.py:122 +#: perms/serializers/permission.py:30 rbac/builtin.py:123 #: rbac/models/rolebinding.py:49 terminal/backends/command/models.py:17 #: terminal/models/session/session.py:29 terminal/models/session/sharing.py:32 #: terminal/notifications.py:135 terminal/notifications.py:183 @@ -1016,7 +1016,7 @@ msgid "{} disabled" msgstr "{} 已禁用" #: assets/automations/ping_gateway/manager.py:33 -#: authentication/models/connection_token.py:118 +#: authentication/models/connection_token.py:128 msgid "No account" msgstr "没有账号" @@ -1070,7 +1070,8 @@ msgstr "禁用" msgid "Basic" msgstr "基本" -#: assets/const/base.py:35 assets/models/asset/web.py:13 +#: assets/const/base.py:35 assets/const/protocol.py:193 +#: assets/models/asset/web.py:13 msgid "Script" msgstr "脚本" 
@@ -1178,23 +1179,28 @@ msgstr "AD 网域" msgid "Use SSL" msgstr "使用 SSL" -#: assets/const/protocol.py:145 +#: assets/const/protocol.py:149 msgid "Auth username" msgstr "使用用户名认证" -#: assets/const/protocol.py:173 assets/models/asset/web.py:10 +#: assets/const/protocol.py:170 assets/models/asset/web.py:9 +#: assets/serializers/asset/info/spec.py:16 +msgid "Autofill" +msgstr "自动代填" + +#: assets/const/protocol.py:178 assets/models/asset/web.py:10 msgid "Username selector" msgstr "用户名选择器" -#: assets/const/protocol.py:178 assets/models/asset/web.py:11 +#: assets/const/protocol.py:183 assets/models/asset/web.py:11 msgid "Password selector" msgstr "密码选择器" -#: assets/const/protocol.py:183 assets/models/asset/web.py:12 +#: assets/const/protocol.py:188 assets/models/asset/web.py:12 msgid "Submit selector" msgstr "确认按钮选择器" -#: assets/const/protocol.py:201 +#: assets/const/protocol.py:211 msgid "API mode" msgstr "API 模式" @@ -1401,10 +1407,6 @@ msgstr "忽略证书校验" msgid "Proxy" msgstr "代理" -#: assets/models/asset/web.py:9 assets/serializers/asset/info/spec.py:16 -msgid "Autofill" -msgstr "自动代填" - #: assets/models/automations/base.py:22 ops/models/job.py:187 #: settings/serializers/auth/sms.py:99 msgid "Parameters" @@ -1947,7 +1949,7 @@ msgstr "删除目录" #: audits/const.py:14 audits/const.py:25 #: authentication/templates/authentication/_access_key_modal.html:65 -#: perms/const.py:17 rbac/tree.py:230 +#: perms/const.py:17 rbac/tree.py:231 msgid "Delete" msgstr "删除" @@ -1971,13 +1973,13 @@ msgstr "下载" msgid "Rename dir" msgstr "映射目录" -#: audits/const.py:23 rbac/tree.py:228 +#: audits/const.py:23 rbac/tree.py:229 msgid "View" msgstr "查看" #: audits/const.py:26 #: authentication/templates/authentication/_access_key_modal.html:22 -#: rbac/tree.py:227 +#: rbac/tree.py:228 msgid "Create" msgstr "创建" 
@@ -2214,23 +2216,27 @@ msgstr "上传 FTP 文件到外部存储" msgid "This action require verify your MFA" msgstr "该操作需要验证您的 MFA, 请先开启并配置" -#: authentication/api/connection_token.py:288 +#: authentication/api/connection_token.py:219 +msgid "Reusable connection token is not allowed, global setting not enabled" +msgstr "不允许使用可重复使用的连接令牌,未启用全局设置" + +#: authentication/api/connection_token.py:298 msgid "Anonymous account is not supported for this asset" msgstr "匿名账号不支持当前资产" -#: authentication/api/connection_token.py:310 +#: authentication/api/connection_token.py:320 msgid "Account not found" msgstr "账号未找到" -#: authentication/api/connection_token.py:313 +#: authentication/api/connection_token.py:323 msgid "Permission expired" msgstr "授权已过期" -#: authentication/api/connection_token.py:327 +#: authentication/api/connection_token.py:337 msgid "ACL action is reject: {}({})" msgstr "ACL 动作是拒绝: {}({})" -#: authentication/api/connection_token.py:331 +#: authentication/api/connection_token.py:341 msgid "ACL action is review" msgstr "ACL 动作是复核" @@ -2607,7 +2613,7 @@ msgid "Input username" msgstr "自定义用户名" #: authentication/models/connection_token.py:40 -#: authentication/serializers/connection_token.py:20 +#: authentication/serializers/connection_token.py:18 msgid "Input secret" msgstr "自定义密码" 
@@ -2644,31 +2650,39 @@ msgstr "失效日期" msgid "From ticket" msgstr "来自工单" -#: authentication/models/connection_token.py:57 +#: authentication/models/connection_token.py:58 +msgid "Can expire connection token" +msgstr "可以失效连接令牌" + +#: authentication/models/connection_token.py:59 +msgid "Can reuse connection token" +msgstr "可以复用连接令牌" + +#: authentication/models/connection_token.py:61 msgid "Connection token" msgstr "连接令牌" -#: authentication/models/connection_token.py:59 -msgid "Can view connection token secret" -msgstr "可以查看连接令牌密文" - -#: authentication/models/connection_token.py:106 +#: authentication/models/connection_token.py:116 msgid "Connection token inactive" msgstr "连接令牌未激活" -#: authentication/models/connection_token.py:109 +#: authentication/models/connection_token.py:119 msgid "Connection token expired at: {}" msgstr "连接令牌过期: {}" -#: authentication/models/connection_token.py:112 +#: authentication/models/connection_token.py:122 msgid "No user or invalid user" msgstr "没有用户或用户失效" -#: authentication/models/connection_token.py:115 +#: authentication/models/connection_token.py:125 msgid "No asset or inactive asset" msgstr "没有资产或资产未激活" -#: authentication/models/connection_token.py:258 +#: authentication/models/connection_token.py:269 +msgid "Can view super connection token secret" +msgstr "可以查看超级连接令牌密文" + +#: authentication/models/connection_token.py:271 msgid "Super connection token" msgstr "超级连接令牌" 
@@ -2712,15 +2726,15 @@ msgstr "组件" msgid "Expired now" msgstr "立刻过期" -#: authentication/serializers/connection_token.py:18 +#: authentication/serializers/connection_token.py:16 msgid "Expired time" msgstr "过期时间" -#: authentication/serializers/connection_token.py:22 +#: authentication/serializers/connection_token.py:20 msgid "Ticket info" msgstr "工单信息" -#: authentication/serializers/connection_token.py:23 +#: authentication/serializers/connection_token.py:21 #: perms/models/asset_permission.py:71 perms/serializers/permission.py:36 #: perms/serializers/permission.py:56 #: tickets/models/ticket/apply_application.py:28 @@ -2728,16 +2742,12 @@ msgstr "工单信息" msgid "Actions" msgstr "动作" -#: authentication/serializers/connection_token.py:44 +#: authentication/serializers/connection_token.py:42 #: perms/serializers/permission.py:38 perms/serializers/permission.py:57 #: users/serializers/user.py:96 users/serializers/user.py:172 msgid "Is expired" msgstr "已过期" -#: authentication/serializers/connection_token.py:79 -msgid "Reusable connection token is not allowed, global setting not enabled" -msgstr "不允许使用可重复使用的连接令牌,未启用全局设置" - #: authentication/serializers/password_mfa.py:16 #: authentication/serializers/password_mfa.py:24 #: notifications/backends/__init__.py:10 settings/serializers/email.py:19 @@ -3851,7 +3861,7 @@ msgstr "LDAP 同步设置组织为当前组织,请切换其他组织后再进 msgid "The organization have resource ({}) cannot be deleted" msgstr "组织存在资源 ({}) 不能被删除" -#: orgs/apps.py:7 rbac/tree.py:118 +#: orgs/apps.py:7 rbac/tree.py:119 msgid "App organizations" msgstr "组织管理" 
@@ -4010,27 +4020,27 @@ msgstr "{} 至少有一个系统角色" msgid "RBAC" msgstr "RBAC" -#: rbac/builtin.py:113 +#: rbac/builtin.py:114 msgid "SystemAdmin" msgstr "系统管理员" -#: rbac/builtin.py:116 +#: rbac/builtin.py:117 msgid "SystemAuditor" msgstr "系统审计员" -#: rbac/builtin.py:119 +#: rbac/builtin.py:120 msgid "SystemComponent" msgstr "系统组件" -#: rbac/builtin.py:125 +#: rbac/builtin.py:126 msgid "OrgAdmin" msgstr "组织管理员" -#: rbac/builtin.py:128 +#: rbac/builtin.py:129 msgid "OrgAuditor" msgstr "组织审计员" -#: rbac/builtin.py:131 +#: rbac/builtin.py:132 msgid "OrgUser" msgstr "组织用户" @@ -4180,19 +4190,19 @@ msgstr "我的资产" msgid "Applet" msgstr "远程应用" -#: rbac/tree.py:119 +#: rbac/tree.py:120 msgid "Ticket comment" msgstr "工单评论" -#: rbac/tree.py:120 tickets/models/ticket/general.py:307 +#: rbac/tree.py:121 tickets/models/ticket/general.py:307 msgid "Ticket" msgstr "工单管理" -#: rbac/tree.py:121 +#: rbac/tree.py:122 msgid "Common setting" msgstr "一般设置" -#: rbac/tree.py:122 +#: rbac/tree.py:123 msgid "View permission tree" msgstr "查看授权树" @@ -5635,7 +5645,7 @@ msgstr "输出" msgid "Risk level" msgstr "风险等级" -#: terminal/connect_methods.py:55 +#: terminal/connect_methods.py:34 msgid "DB Client" msgstr "数据库客户端" diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py index f2dd13dae..508883446 100644 --- a/apps/rbac/builtin.py +++ b/apps/rbac/builtin.py 
@@ -26,11 +26,12 @@ user_perms = (
 )
 
 system_user_perms = (
-    ('authentication', 'connectiontoken', 'add,change,view', 'connectiontoken'),
-    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
-    ('authentication', 'accesskey', '*', '*'),
-    ('tickets', 'ticket', 'view', 'ticket'),
-    ) + user_perms + _view_all_joined_org_perms
+    ('authentication', 'connectiontoken', 'add,view,reuse,expire', 'connectiontoken'),
+    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
+    ('authentication', 'accesskey', '*', '*'),
+    ('tickets', 'ticket', 'view', 'ticket'),
+)
+system_user_perms += (user_perms + _view_all_joined_org_perms)
 
 _auditor_perms = (
     ('rbac', 'menupermission', 'view', 'audit'),
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index 91ca727eb..cd7fd642a 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -22,7 +22,8 @@ exclude_permissions = (
     ('common', 'setting', '*', '*'),
     ('authentication', 'privatetoken', '*', '*'),
-    ('authentication', 'connectiontoken', 'delete', 'connectiontoken'),
+    ('authentication', 'connectiontoken', 'delete,change', 'connectiontoken'),
+    ('authentication', 'connectiontoken', 'view', 'connectiontokensecret'),
     ('authentication', 'ssotoken', '*', '*'),
     ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
     ('authentication', 'temptoken', 'delete', 'temptoken'),
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index 1c9673162..a586208b6 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -65,6 +65,7 @@ special_pid_mapper = {
     'acls.commandgroup': 'perms',
     'acls.loginacl': 'perms',
     'acls.loginassetacl': 'perms',
+    'acls.connectmethodacl': 'perms',
     'xpack.account': 'cloud_import',
     'xpack.syncinstancedetail': 'cloud_import',
     'xpack.syncinstancetask': 'cloud_import',
@@ -390,7 +391,7 @@ class PermissionTreeUtil:
             'chkDisabled': self.check_disabled,
             'checked': checked,
             'meta': {
-                'type': tp,
+                'type': tp,
             },
             **data
         }
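Review bot: `system_user_perms` now hands `reuse` and `expire` on connection tokens to every system user, so once `CONNECTION_TOKEN_REUSABLE` is switched on the only thing deciding whose tokens a user may make reusable is the viewset's queryset scoping, which is not in this diff and is worth confirming. Nothing in this hunk grants the new `view_superconnectiontokensecret` codename; if the component role defined elsewhere in this file still names `connectiontokensecret`, `get_secret_detail` will start answering 403 to components after the upgrade. A trailing comment on the connectiontoken tuple such as `# add/view/reuse/expire only; change and delete are excluded in rbac/const.py` would record why `change` disappeared from the grant.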
diff --git a/apps/terminal/migrations/0050_auto_20220606_1745.py b/apps/terminal/migrations/0050_auto_20220606_1745.py
index a47defba9..05e15f866 100644
--- a/apps/terminal/migrations/0050_auto_20220606_1745.py
+++ b/apps/terminal/migrations/0050_auto_20220606_1745.py
@@ -15,7 +15,7 @@ class Migration(migrations.Migration):
             field=models.CharField(
                 choices=[('koko', 'KoKo'), ('guacamole', 'Guacamole'), ('omnidb', 'OmniDB'), ('xrdp', 'Xrdp'),
                          ('lion', 'Lion'), ('core', 'Core'), ('celery', 'Celery'), ('magnus', 'Magnus'),
-                         ('razor', 'Razor'), ('tinker', 'Tinker'), ('video_worker', 'Video Worker'), ('chen', 'Chen')],
-                default='koko', max_length=64, verbose_name='type'),
+                         ('razor', 'Razor'), ('tinker', 'Tinker'), ('video_worker', 'Video Worker'), ('chen', 'Chen'),
+                         ('kael', 'Kael')], default='koko', max_length=64, verbose_name='type'),
         ),
     ]