diff --git a/apps/assets/api/asset_user.py b/apps/assets/api/asset_user.py
index d3824f676..a07544e57 100644
--- a/apps/assets/api/asset_user.py
+++ b/apps/assets/api/asset_user.py
@@ -7,6 +7,7 @@ from rest_framework import filters
 from rest_framework_bulk import BulkModelViewSet
 from django.shortcuts import get_object_or_404
 from django.http import Http404
+from django.conf import settings
 from common.permissions import IsOrgAdminOrAppUser, NeedMFAVerify
 from common.utils import get_object_or_none, get_logger
@@ -110,12 +111,22 @@ class AssetUserViewSet(CommonApiMixin, BulkModelViewSet):
 class AssetUserExportViewSet(AssetUserViewSet):
 serializer_class = serializers.AssetUserExportSerializer
 http_method_names = ['get']
- permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+ permission_classes = [IsOrgAdminOrAppUser]
+
+ def get_permissions(self):
+ if settings.CONFIG.SECURITY_VIEW_AUTH_NEED_MFA:
+ self.permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+ return super().get_permissions()
 class AssetUserAuthInfoApi(generics.RetrieveAPIView):
 serializer_class = serializers.AssetUserAuthInfoSerializer
- permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+ permission_classes = [IsOrgAdminOrAppUser]
+
+ def get_permissions(self):
+ if settings.CONFIG.SECURITY_VIEW_AUTH_NEED_MFA:
+ self.permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
+ return super().get_permissions()
 def get_object(self):
 query_params = self.request.query_params
diff --git a/apps/assets/backends/manager.py b/apps/assets/backends/manager.py
index 201f19d43..75b9c38b8 100644
--- a/apps/assets/backends/manager.py
+++ b/apps/assets/backends/manager.py
@@ -41,8 +41,8 @@ class AssetUserManager:
 instances_map = {}
 instances = []
 for name, backend in self.backends:
- if name != "db" and self._prefer != name:
- continue
+ # if name != "db":
+ # continue
 _instances = backend.filter(
 username=username, assets=assets, latest=latest, prefer=self._prefer, prefer_id=prefer_id,
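Review bot: In apps/assets/api/asset_user.py the same `get_permissions` override is pasted into both AssetUserExportViewSet and AssetUserAuthInfoApi, and each copy rewrites `self.permission_classes` as a side effect of reading the setting. Judging by the serializer names these views return stored asset credentials, so the step-up MFA rule is easier to audit if it lives in one mixin (the name below is only a suggestion) that appends `NeedMFAVerify()` to the list from `super().get_permissions()` and leaves the class attribute alone. The mixin's docstring should also say that with the flag off, passing IsOrgAdminOrAppUser is the only check left on these responses. The hunk ends inside `get_object`, which continues outside it.

```python
class ViewAuthMFAMixin:
    """Add the step-up MFA check when SECURITY_VIEW_AUTH_NEED_MFA is on."""

    def get_permissions(self):
        permissions = super().get_permissions()
        if settings.CONFIG.SECURITY_VIEW_AUTH_NEED_MFA:
            permissions.append(NeedMFAVerify())
        return permissions


class AssetUserExportViewSet(ViewAuthMFAMixin, AssetUserViewSet):
    # … unchanged: serializer_class, http_method_names …
    permission_classes = [IsOrgAdminOrAppUser]


class AssetUserAuthInfoApi(ViewAuthMFAMixin, generics.RetrieveAPIView):
    # … unchanged: serializer_class …
    permission_classes = [IsOrgAdminOrAppUser]
    # … unchanged: get_object …
```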
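Review bot: In apps/assets/backends/manager.py the backend gate is replaced by two commented-out lines, `# if name != "db":` and `# continue`, so the loop now calls `backend.filter(...)` on every configured backend whatever `self._prefer` is. Whether results stay limited to the preferred source now depends on each backend honouring the `prefer` argument, which this hunk does not show, and the change looks unrelated to the MFA setting the rest of the commit adds. Delete the dead lines and either restore `if name != "db" and self._prefer != name: continue` or, if querying all backends is intended, leave a comment such as `# every backend is queried; backend.filter() narrows by prefer/prefer_id`. The enclosing method starts before the hunk and the loop body continues past it.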
diff --git a/apps/assets/templates/assets/_asset_user_list.html b/apps/assets/templates/assets/_asset_user_list.html
index a85a3056d..0d7c86be3 100644
--- a/apps/assets/templates/assets/_asset_user_list.html
+++ b/apps/assets/templates/assets/_asset_user_list.html
@@ -40,6 +40,7 @@ var prefer = null;
 var lastMFATime = "{{ request.session.MFA_VERIFY_TIME }}";
 var testDatetime = "{% trans 'Test datetime: ' %}";
 var mfaVerifyTTL = "{{ SECURITY_MFA_VERIFY_TTL }}";
+var mfaNeedCheck = "{{ SECURITY_VIEW_AUTH_NEED_MFA }}";
 function initAssetUserTable() {
 var options = {
@@ -112,6 +113,10 @@ $(document).ready(function(){
 authAssetId = $(this).data("asset") ;
 authHostname = $(this).data("hostname");
 authUsername = $(this).data('user');
+ if (mfaNeedCheck !== 'True') {
+ $("#asset_user_auth_view").modal('show');
+ return
+ }
 var now = new Date();
 var nowTime = now.getTime() / 1000;
 if ( !lastMFATime || nowTime - lastMFATime > mfaVerifyTTL ) {
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 0df26d149..29dfeabbe 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -361,6 +361,7 @@ defaults = {
 'TERMINAL_COMMAND_STORAGE': {},
 'SECURITY_MFA_AUTH': False,
 'SECURITY_SERVICE_ACCOUNT_REGISTRATION': True,
+ 'SECURITY_VIEW_AUTH_NEED_MFA': True,
 'SECURITY_LOGIN_LIMIT_COUNT': 7,
 'SECURITY_LOGIN_LIMIT_TIME': 30,
 'SECURITY_MAX_IDLE_TIME': 30,
diff --git a/apps/jumpserver/context_processor.py b/apps/jumpserver/context_processor.py
index 91a720fd7..0bd5186dd 100644
--- a/apps/jumpserver/context_processor.py
+++ b/apps/jumpserver/context_processor.py
@@ -18,6 +18,7 @@ def jumpserver_processor(request):
 'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2019',
 'SECURITY_COMMAND_EXECUTION': settings.SECURITY_COMMAND_EXECUTION,
 'SECURITY_MFA_VERIFY_TTL': settings.SECURITY_MFA_VERIFY_TTL,
+ 'SECURITY_VIEW_AUTH_NEED_MFA': settings.CONFIG.SECURITY_VIEW_AUTH_NEED_MFA,
 }
 return context
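Review bot: The early return added to the click handler in _asset_user_list.html compares `mfaNeedCheck !== 'True'`, so the MFA prompt is shown only when the template renders the setting exactly as Python's `True`; any other truthy form (1, "true", "on") opens the credential modal without the prompt while the API views, which test plain truthiness, still demand MFA. Render a normalised value where the variable is declared in the first hunk, `var mfaNeedCheck = {{ SECURITY_VIEW_AUTH_NEED_MFA|yesno:"true,false" }};`, and test `if (!mfaNeedCheck) {` here. This check is a UI convenience and the server-side permission is the real gate, which deserves a one-line comment above the `if`. The bare `return` should end with a semicolon like the statements around it; the handler starts before the hunk and continues after it.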
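Review bot: In apps/jumpserver/context_processor.py the new entry reads `settings.CONFIG.SECURITY_VIEW_AUTH_NEED_MFA` while the two entries above it read `settings.SECURITY_COMMAND_EXECUTION` and `settings.SECURITY_MFA_VERIFY_TTL` directly, and the API views in this commit reach into `settings.CONFIG` the same way. If the other SECURITY_* values are declared once in the settings module (not shown in this diff), declaring this one there too, e.g. `SECURITY_VIEW_AUTH_NEED_MFA = CONFIG.SECURITY_VIEW_AUTH_NEED_MFA`, would give it one place to be coerced to a boolean and let every reader use `settings.SECURITY_VIEW_AUTH_NEED_MFA`. `jumpserver_processor` starts before the hunk.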