From b20abb494f5ef03be02cfa0e4f4041a6dfd0b329 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 17 Aug 2023 12:12:58 +0800
Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20vault=20=E9=85=8D?= =?UTF-8?q?=E7=BD=AE=20(#11313)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng <1304903146@qq.com>
---
 apps/accounts/backends/__init__.py | 4 ++--
 apps/accounts/backends/base.py | 5 +----
 apps/accounts/tasks/vault.py | 7 +++----
 apps/jumpserver/conf.py | 2 +-
 apps/jumpserver/settings/auth.py | 2 +-
 apps/settings/api/vault.py | 2 +-
 apps/settings/serializers/feature.py | 10 ++--------
 apps/settings/serializers/public.py | 2 +-
 config_example.yml | 4 ++--
 9 files changed, 14 insertions(+), 24 deletions(-)

diff --git a/apps/accounts/backends/__init__.py b/apps/accounts/backends/__init__.py
index 1b12e6be8..0143d75c8 100644
--- a/apps/accounts/backends/__init__.py
+++ b/apps/accounts/backends/__init__.py
@@ -12,8 +12,9 @@ logger = get_logger(__file__)
 def get_vault_client(raise_exception=False, **kwargs):
+ enabled = kwargs.get('VAULT_ENABLED')
+ tp = 'hcp' if enabled else 'local'
 try:
- tp = kwargs.get('VAULT_TYPE')
 module_path = f'apps.accounts.backends.{tp}.main'
 client = import_module(module_path).Vault(**kwargs)
 except Exception as e:
@@ -22,7 +23,6 @@ def get_vault_client(raise_exception=False, **kwargs):
 raise
 tp = VaultTypeChoices.local
 module_path = f'apps.accounts.backends.{tp}.main'
- kwargs['VAULT_TYPE'] = tp
 client = import_module(module_path).Vault(**kwargs)
 return client
diff --git a/apps/accounts/backends/base.py b/apps/accounts/backends/base.py
index 0af8e0167..f7648caed 100644
--- a/apps/accounts/backends/base.py
+++ b/apps/accounts/backends/base.py
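Review bot: The added `tp = 'hcp' if enabled else 'local'` spells the backend names as bare string literals while the fallback a few lines below still selects `VaultTypeChoices.local`, so the same choice is expressed two ways inside one function and the module-path derivation can drift from the choices definition. Using the enum here as well (at least `VaultTypeChoices.local` for the `else` branch, and the matching member for hcp if the enum defines one) keeps them in step. get_vault_client also has no docstring; a short one stating that a truthy `VAULT_ENABLED` selects the `hcp` backend, anything else (including a missing key) the `local` one, and that load failures fall back to local unless `raise_exception` is set would document the contract callers rely on. The except body continues outside this hunk.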
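Review bot: The fallback no longer adjusts the kwargs it hands to the local client: the removed `kwargs['VAULT_TYPE'] = tp` got no `VAULT_ENABLED` counterpart, so when the hcp backend fails to load with `raise_exception=False`, the local `Vault(**kwargs)` is built with the caller's `VAULT_ENABLED=True` and `BaseVault.enabled` reports True for what is really the local database backend. The sync task hunk in apps/accounts/tasks/vault.py checks exactly `vault_client.enabled` (its comment says it must judge the actual client, not settings), so in that situation it would run a full secret sync against the local backend. Add `kwargs['VAULT_ENABLED'] = False` before the fallback `client = import_module(module_path).Vault(**kwargs)`. Since this branch quietly downgrades secret storage from the remote vault to the local database, the message logged in the except body (outside this hunk) should state that downgrade explicitly at warning level or above; I cannot see from the hunk whether it does.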
@@ -8,10 +8,7 @@ __all__ = ['BaseVault']
 class BaseVault(ABC):
 def __init__(self, *args, **kwargs):
- self.type = kwargs.get('VAULT_TYPE')
-
- def is_type(self, tp):
- return self.type == tp
+ self.enabled = kwargs.get('VAULT_ENABLED')
 def get(self, instance):
 """ 返回 secret 值 """
diff --git a/apps/accounts/tasks/vault.py b/apps/accounts/tasks/vault.py
index 90e78cebf..6429b7133 100644
--- a/apps/accounts/tasks/vault.py
+++ b/apps/accounts/tasks/vault.py
@@ -8,7 +8,6 @@ from accounts.backends import vault_client
 from accounts.models import Account, AccountTemplate
 from common.utils import get_logger
 from orgs.utils import tmp_to_root_org
-from ..const import VaultTypeChoices
 logger = get_logger(__name__)
@@ -31,9 +30,9 @@ def sync_instance(instance):
 @shared_task(verbose_name=_('Sync secret to vault'))
 def sync_secret_to_vault():
- if vault_client.is_type(VaultTypeChoices.local):
- # 这里不能判断 settings.VAULT_TYPE, 必须判断当前 vault_client 的类型
- print('\033[35m>>> 当前 Vault 类型为本地数据库, 不需要同步')
+ if not vault_client.enabled:
+ # 这里不能判断 settings.VAULT_ENABLED, 必须判断当前 vault_client 的类型
+ print('\033[35m>>> 当前 Vault 功能未开启, 不需要同步')
 return
 failed, skipped, succeeded = 0, 0, 0
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 1d513025c..60d665a04 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -255,7 +255,7 @@ class Config(dict):
 'AUTH_TEMP_TOKEN': False,
 # Vault
- 'VAULT_TYPE': 'local',
+ 'VAULT_ENABLED': False,
 'VAULT_HCP_HOST': '',
 'VAULT_HCP_TOKEN': '',
 'VAULT_HCP_MOUNT_POINT': 'jumpserver',
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 23c95df69..1654ae63c 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
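Review bot: `self.enabled = kwargs.get('VAULT_ENABLED')` stores whatever the caller passed, so a client constructed without that key ends up with `enabled = None` rather than a boolean, and any later `is True`/`is False` comparison or serialization of the attribute behaves differently from the configured case. Normalising it as `self.enabled = bool(kwargs.get('VAULT_ENABLED', False))` gives callers a stable type. With `is_type` gone this attribute is the only remaining way to tell the backends apart, so a comment like `# mirrors the VAULT_ENABLED value this client was constructed with` would help, and any caller outside this diff still using `is_type` will now fail. The class body continues past this hunk.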
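Review bot: The new early-return branch in sync_secret_to_vault still reports through a bare `print` with an ANSI colour escape, although the module defines `logger = get_logger(__name__)` (visible in the previous hunk), so the message bypasses the project's logging configuration and the escape sequence lands verbatim in any non-terminal sink such as a worker log file. `logger.info('Vault is not enabled, skipping secret sync')` (or the same Chinese wording) is the consistent form. The function body continues past this hunk.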
@@ -175,7 +175,7 @@ AUTH_OAUTH2_LOGOUT_URL_NAME = "authentication:oauth2:logout"
 AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN
 # Vault
-VAULT_TYPE = CONFIG.VAULT_TYPE
+VAULT_ENABLED = CONFIG.VAULT_ENABLED
 VAULT_HCP_HOST = CONFIG.VAULT_HCP_HOST
 VAULT_HCP_TOKEN = CONFIG.VAULT_HCP_TOKEN
 VAULT_HCP_MOUNT_POINT = CONFIG.VAULT_HCP_MOUNT_POINT
diff --git a/apps/settings/api/vault.py b/apps/settings/api/vault.py
index 7cbe4c39e..a17eeca5c 100644
--- a/apps/settings/api/vault.py
+++ b/apps/settings/api/vault.py
@@ -29,7 +29,7 @@ class VaultTestingAPI(GenericAPIView):
 def post(self, request):
 config = self.get_config(request)
- config['VAULT_TYPE'] = settings.VAULT_TYPE
+ config['VAULT_ENABLED'] = settings.VAULT_ENABLED
 try:
 client = get_vault_client(raise_exception=True, **config)
 ok, error = client.is_active()
diff --git a/apps/settings/serializers/feature.py b/apps/settings/serializers/feature.py
index d9d6d7ec5..3d11da9d6 100644
--- a/apps/settings/serializers/feature.py
+++ b/apps/settings/serializers/feature.py
@@ -3,7 +3,6 @@ import uuid
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
-from accounts.const import VaultTypeChoices
 from common.serializers.fields import EncryptedField
 __all__ = [
@@ -41,9 +40,8 @@ class AnnouncementSettingSerializer(serializers.Serializer):
 class VaultSettingSerializer(serializers.Serializer):
 PREFIX_TITLE = _('Vault')
- VAULT_TYPE = serializers.ChoiceField(
- default=VaultTypeChoices.local, choices=VaultTypeChoices.choices,
- required=False, label=_('Type')
+ VAULT_ENABLED = serializers.BooleanField(
+ required=False, label=_('Enable Vault'), read_only=True
 )
 VAULT_HCP_HOST = serializers.CharField(
 max_length=256, allow_blank=True, required=False, label=_('Host')
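Review bot: `config['VAULT_ENABLED'] = settings.VAULT_ENABLED` makes the testing endpoint choose the backend from the persisted setting rather than from the submitted config, so while `VAULT_ENABLED` is False a request carrying HCP host/token values is routed to the local backend (per get_vault_client's new selection) and `is_active()` reports on the local database, not on the remote vault the operator is trying to validate. If the endpoint is meant to validate posted HCP settings before they are switched on, forcing `config['VAULT_ENABLED'] = True` here would exercise the right backend, and `raise_exception=True` already prevents the silent local fallback; if it is meant to test only the active backend, the response should say which one was tested. The method body continues outside this hunk.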
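Review bot: `required=False` on the new `VAULT_ENABLED` field is redundant with `read_only=True`; DRF never requires a read-only field on input, so `VAULT_ENABLED = serializers.BooleanField(label=_('Enable Vault'), read_only=True)` says the same thing. Making the flag read-only means it can only change through the config file or environment while the HCP host, token and mount point below stay editable through this serializer; a one-line comment on the field stating that intent would save the next reader from wondering why the toggle is not exposed. The class body continues past this hunk.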
@@ -55,10 +53,6 @@ class VaultSettingSerializer(serializers.Serializer):
 max_length=256, allow_blank=True, required=False, label=_('Mount Point')
 )
- def validate(self, attrs):
- attrs.pop('VAULT_TYPE', None)
- return attrs
-
 class TicketSettingSerializer(serializers.Serializer):
 PREFIX_TITLE = _('Ticket')
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 7fb1308ae..02f900d5f 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -53,7 +53,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
 TICKETS_ENABLED = serializers.BooleanField()
 CONNECTION_TOKEN_REUSABLE = serializers.BooleanField()
 CACHE_LOGIN_PASSWORD_ENABLED = serializers.BooleanField()
- VAULT_TYPE = serializers.CharField()
+ VAULT_ENABLED = serializers.BooleanField()
 class ServerInfoSerializer(serializers.Serializer):
diff --git a/config_example.yml b/config_example.yml
index bab9b35f5..03cc0aa03 100644
--- a/config_example.yml
+++ b/config_example.yml
@@ -96,6 +96,6 @@ REDIS_PORT: 6379
 # 仅允许已存在的用户登录,不允许第三方认证后,自动创建用户
 # ONLY_ALLOW_EXIST_USER_AUTH: False
-# 当前存储的类型,默认 local,新增类型 hcp 为远端 vault 存储
-# VAULT_TYPE: local
+# 开启 Vault 账号存储
+# VAULT_ENABLED: False