feat: rdp 添加授权过期自动断开

2021-07-05 16:20:42 +08:00 · 2021-07-05 16:20:42 +08:00 · c4bbeaaccc
parent 0fd5ab02e9
commit c4bbeaaccc
2 changed files with 13 additions and 9 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@ -216,6 +216,8 @@ class UserConnectionTokenViewSet(RootOrgViewMixin, SerializerMixin2, GenericView
        from users.models import User
        from assets.models import SystemUser, Asset
        from applications.models import Application
+        from perms.utils.asset.permission import validate_permission as asset_validate_permission
+        from perms.utils.application.permission import validate_permission as app_validate_permission

        key = self.CACHE_KEY_PREFIX.format(token)
        value = cache.get(key, None)
@ -232,23 +234,24 @@ class UserConnectionTokenViewSet(RootOrgViewMixin, SerializerMixin2, GenericView
        app = None
        if value.get('type') == 'asset':
            asset = get_object_or_404(Asset, id=value.get('asset'))
+            if not asset.is_active:
+                raise serializers.ValidationError("Asset disabled")
+
+            has_perm, expired_at = asset_validate_permission(user, asset, system_user, 'connect')
        else:
            app = get_object_or_404(Application, id=value.get('application'))
+            has_perm, expired_at = app_validate_permission(user, app, system_user)

-        if asset and not asset.is_active:
-            raise serializers.ValidationError("Asset disabled")
-
-        try:
-            self.check_resource_permission(user, asset, app, system_user)
-        except PermissionDenied:
+        if not has_perm:
            raise serializers.ValidationError('Permission expired or invalid')
-        return value, user, system_user, asset, app
+
+        return value, user, system_user, asset, app, expired_at

    @action(methods=['POST'], detail=False, permission_classes=[IsSuperUserOrAppUser], url_path='secret-info/detail')
    def get_secret_detail(self, request, *args, **kwargs):
        token = request.data.get('token', '')
        try:
-            value, user, system_user, asset, app = self.valid_token(token)
+            value, user, system_user, asset, app, expired_at = self.valid_token(token)
        except serializers.ValidationError as e:
            post_auth_failed.send(
                sender=self.__class__, username='', request=self.request,
@ -256,7 +259,7 @@ class UserConnectionTokenViewSet(RootOrgViewMixin, SerializerMixin2, GenericView
            )
            raise e

-        data = dict(user=user, system_user=system_user)
+        data = dict(user=user, system_user=system_user, expired_at=expired_at)
        if asset:
            asset_detail = self._get_asset_secret_detail(asset, user=user, system_user=system_user)
            system_user.load_asset_more_auth(asset.id, user.username, user.id)
--- a/apps/authentication/serializers.py
+++ b/apps/authentication/serializers.py
@ -196,6 +196,7 @@ class ConnectionTokenSecretSerializer(serializers.Serializer):
    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
    gateway = ConnectionTokenGatewaySerializer(read_only=True)
    actions = ActionsField()
+    expired_at = serializers.IntegerField()


 class RDPFileSerializer(ConnectionTokenSerializer):