diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py index 86ddbcc2d..1636c2cb1 100644 --- a/apps/authentication/api/connection_token.py +++ b/apps/authentication/api/connection_token.py @@ -28,9 +28,6 @@ from ..serializers import ( __all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet'] -# ExtraActionApiMixin - - class RDPFileClientProtocolURLMixin: request: Request get_serializer: callable @@ -72,8 +69,7 @@ class RDPFileClientProtocolURLMixin: # 设置磁盘挂载 drives_redirect = is_true(self.request.query_params.get('drives_redirect')) if drives_redirect: - actions = ActionChoices.choices_to_value(token.actions) - if actions & Action.TRANSFER == Action.TRANSFER: + if ActionChoices.contains(token.actions, ActionChoices.transfer()): rdp_options['drivestoredirect:s'] = '*' # 设置全屏 @@ -181,22 +177,10 @@ class ExtraActionApiMixin(RDPFileClientProtocolURLMixin): get_serializer: callable perform_create: callable - @action(methods=['POST'], detail=False, url_path='secret-info/detail') - def get_secret_detail(self, request, *args, **kwargs): - """ 非常重要的 api, 在逻辑层再判断一下 rbac 权限, 双重保险 """ - rbac_perm = 'authentication.view_connectiontokensecret' - if not request.user.has_perm(rbac_perm): - raise PermissionDenied('Not allow to view secret') - token_id = request.data.get('token') or '' - token = get_object_or_404(ConnectionToken, pk=token_id) - self.check_token_permission(token) - serializer = self.get_serializer(instance=token) - return Response(serializer.data, status=status.HTTP_200_OK) - @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file') def get_rdp_file(self, request, *args, **kwargs): token = self.create_connection_token() - self.check_token_permission(token) + token.is_valid() filename, content = self.get_rdp_file_info(token) filename = '{}.rdp'.format(filename) response = HttpResponse(content, content_type='application/octet-stream') @@ -206,7 +190,7 @@ class ExtraActionApiMixin(RDPFileClientProtocolURLMixin): @action(methods=['POST', 'GET'], detail=False, url_path='client-url') def get_client_protocol_url(self, request, *args, **kwargs): token = self.create_connection_token() - self.check_token_permission(token) + token.is_valid() try: protocol_data = self.get_client_protocol_data(token) except ValueError as e: @@ -224,12 +208,6 @@ class ExtraActionApiMixin(RDPFileClientProtocolURLMixin): instance.expire() return Response(status=status.HTTP_204_NO_CONTENT) - @staticmethod - def check_token_permission(token: ConnectionToken): - is_valid, error = token.check_permission() - if not is_valid: - raise PermissionDenied(error) - def create_connection_token(self): data = self.request.query_params if self.request.method == 'GET' else self.request.data serializer = self.get_serializer(data=data) @@ -259,6 +237,18 @@ class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelView 'get_client_protocol_url': 'authentication.add_connectiontoken', } + @action(methods=['POST'], detail=False, url_path='secret') + def get_secret_detail(self, request, *args, **kwargs): + """ 非常重要的 api, 在逻辑层再判断一下 rbac 权限, 双重保险 """ + rbac_perm = 'authentication.view_connectiontokensecret' + if not request.user.has_perm(rbac_perm): + raise PermissionDenied('Not allow to view secret') + token_id = request.data.get('token') or '' + token = get_object_or_404(ConnectionToken, pk=token_id) + token.is_valid() + serializer = self.get_serializer(instance=token) + return Response(serializer.data, status=status.HTTP_200_OK) + def dispatch(self, request, *args, **kwargs): with tmp_to_root_org(): return super().dispatch(request, *args, **kwargs) @@ -296,9 +286,9 @@ class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelView raise PermissionDenied('Expired') if permed_account.has_secret: - serializer.validated_data['secret'] = '' + data['secret'] = '' if permed_account.username != '@INPUT': - serializer.validated_data['username'] = '' + data['username'] = '' return permed_account diff --git a/apps/authentication/migrations/0014_auto_20221122_2152.py b/apps/authentication/migrations/0014_auto_20221122_2152.py index 6421b7f0b..b198295a5 100644 --- a/apps/authentication/migrations/0014_auto_20221122_2152.py +++ b/apps/authentication/migrations/0014_auto_20221122_2152.py @@ -16,6 +16,11 @@ class Migration(migrations.Migration): old_name='account_username', new_name='login' ), + migrations.AlterField( + model_name='connectiontoken', + name='login', + field=models.CharField(max_length=128, verbose_name='Login account'), + ), migrations.AddField( model_name='connectiontoken', name='username', diff --git a/apps/authentication/models/connection_token.py b/apps/authentication/models/connection_token.py index dd2e3d38f..058d07581 100644 --- a/apps/authentication/models/connection_token.py +++ b/apps/authentication/models/connection_token.py @@ -46,10 +46,6 @@ class ConnectionToken(OrgModelMixin, JMSBaseModel): ('view_connectiontokensecret', _('Can view connection token secret')) ] - @property - def is_valid(self): - return not self.is_expired - @property def is_expired(self): return self.date_expired < timezone.now() @@ -76,69 +72,71 @@ class ConnectionToken(OrgModelMixin, JMSBaseModel): self.date_expired = date_expired_default() self.save() - # actions 和 expired_at 在 check_valid() 中赋值 - actions = expire_at = None + @lazyproperty + def permed_account(self): + from perms.utils import PermAccountUtil + permed_account = PermAccountUtil().validate_permission( + self.user, self.asset, self.login + ) + return permed_account - def check_permission(self): - from perms.utils.account import PermAccountUtil + @lazyproperty + def actions(self): + return self.permed_account.actions + + @lazyproperty + def expire_at(self): + return self.permed_account.date_expired.timestamp() + + def is_valid(self): if self.is_expired: - is_valid = False error = _('Connection token expired at: {}').format(as_current_tz(self.date_expired)) - return is_valid, error + raise PermissionDenied(error) if not self.user or not self.user.is_valid: - is_valid = False error = _('No user or invalid user') - return is_valid, error + raise PermissionDenied(error) if not self.asset or not self.asset.is_active: is_valid = False error = _('No asset or inactive asset') return is_valid, error if not self.login: - is_valid = False error = _('No account') - return is_valid, error + raise PermissionDenied(error) - permed_account = PermAccountUtil().validate_permission( - self.user, self.asset, self.login - ) - if not permed_account or not permed_account.actions: + if not self.permed_account or not self.permed_account.actions: msg = 'user `{}` not has asset `{}` permission for login `{}`'.format( self.user, self.asset, self.login ) raise PermissionDenied(msg) - if permed_account.date_expired < timezone.now(): + if self.permed_account.date_expired < timezone.now(): raise PermissionDenied('Expired') - - is_valid, error = True, '' - return is_valid, error + return True @lazyproperty def platform(self): return self.asset.platform @lazyproperty - def accounts(self): + def account(self): if not self.asset: return None - data = [] - if self.login == '@INPUT': - data.append({ + account = self.asset.accounts.filter(name=self.login).first() + if self.login == '@INPUT' or not account: + return { 'name': self.login, 'username': self.username, 'secret_type': 'password', 'secret': self.secret - }) + } else: - accounts = self.asset.accounts.filter(username=self.login) - for account in accounts: - data.append({ - 'username': account.uesrname, - 'secret_type': account.secret_type, - 'secret': account.secret if account.secret else self.secret - }) - return data + return { + 'name': account.name, + 'username': account.username, + 'secret_type': account.secret_type, + 'secret': account.secret_type or self.secret + } @lazyproperty def domain(self): diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py index 3acf1333b..77981cd4a 100644 --- a/apps/authentication/serializers/connection_token.py +++ b/apps/authentication/serializers/connection_token.py @@ -17,7 +17,6 @@ __all__ = [ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin): username = serializers.CharField(max_length=128, label=_("Input username"), allow_null=True, allow_blank=True) - is_valid = serializers.BooleanField(read_only=True, label=_('Validity')) expire_time = serializers.IntegerField(read_only=True, label=_('Expired time')) class Meta: @@ -25,7 +24,7 @@ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin): fields_mini = ['id'] fields_small = fields_mini + [ 'protocol', 'login', 'secret', 'username', - 'date_expired', 'date_created', + 'actions', 'date_expired', 'date_created', 'date_updated', 'created_by', 'updated_by', 'org_id', 'org_name', ] @@ -34,7 +33,7 @@ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin): ] read_only_fields = [ # 普通 Token 不支持指定 user - 'user', 'is_valid', 'expire_time', + 'user', 'expire_time', 'user_display', 'asset_display', ] fields = fields_small + fields_fk + read_only_fields @@ -98,7 +97,7 @@ class ConnectionTokenAccountSerializer(serializers.ModelSerializer): class Meta: model = Account fields = [ - 'username', 'secret_type', 'secret', + 'name', 'username', 'secret_type', 'secret', ] @@ -144,7 +143,7 @@ class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin): user = ConnectionTokenUserSerializer(read_only=True) asset = ConnectionTokenAssetSerializer(read_only=True) platform = ConnectionTokenPlatform(read_only=True) - accounts = ConnectionTokenAccountSerializer(read_only=True, many=True) + account = ConnectionTokenAccountSerializer(read_only=True) gateway = ConnectionTokenGatewaySerializer(read_only=True) # cmd_filter_rules = ConnectionTokenCmdFilterRuleSerializer(many=True) actions = ActionChoicesField() @@ -153,8 +152,7 @@ class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin): class Meta: model = ConnectionToken fields = [ - 'id', 'secret', 'user', 'asset', 'login', - 'accounts', 'protocol', 'domain', 'gateway', - 'actions', 'expire_at', - 'platform', + 'id', 'secret', 'user', 'asset', 'account', + 'protocol', 'domain', 'gateway', + 'actions', 'expire_at', 'platform', ] diff --git a/apps/perms/const.py b/apps/perms/const.py index 50141f386..690fb2742 100644 --- a/apps/perms/const.py +++ b/apps/perms/const.py @@ -28,8 +28,16 @@ class ActionChoices(BitChoices): ) @classmethod - def has_perm(cls, action_name, total): - action_value = getattr(cls, action_name) + def transfer(cls): + return cls.upload | cls.download + + @classmethod + def clipboard(cls): + return cls.copy | cls.paste + + @classmethod + def contains(cls, total, action): + action_value = getattr(cls, action) return action_value & total == action_value @classmethod