github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: 修复获取令牌信息的remote app资产信息 (#8619) 

* fix: 修复连接令牌只获取自己的令牌信息;修复连接令牌系统用户角色权限问题(普通用户看不到);

* fix: 修复获取令牌信息的remote app资产信息

* fix: 修复获取用户个人信息时使用连接令牌

* fix: 修复获取profile时的连接令牌问题

* fix: 修复连接令牌问题

* fix: 修复连接令牌问题

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
pull/8620/head
fit2bot 2022-07-19 15:57:02 +08:00 committed by GitHub
parent 585ddeb25b
commit cc2b858769
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 33 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
apps/authentication/api/connection_token.py
View File

@ -231,7 +231,9 @@ class ConnectionTokenViewSet(ConnectionTokenMixin, RootOrgViewMixin, JMSModelVie
'get_rdp_file': 'authentication.add_connectiontoken', 'get_rdp_file': 'authentication.add_connectiontoken',
'get_client_protocol_url': 'authentication.add_connectiontoken', 'get_client_protocol_url': 'authentication.add_connectiontoken',
} }
queryset = ConnectionToken.objects.all()
def get_queryset(self):
return ConnectionToken.objects.filter(user=self.request.user)
def create_connection_token(self): def create_connection_token(self):
data = self.request.query_params if self.request.method == 'GET' else self.request.data data = self.request.query_params if self.request.method == 'GET' else self.request.data

7
apps/authentication/models.py
View File

@ -228,6 +228,13 @@ class ConnectionToken(OrgModelMixin, models.JMSModel):
return {} return {}
return self.application.get_rdp_remote_app_setting() return self.application.get_rdp_remote_app_setting()
@lazyproperty
def asset_or_remote_app_asset(self):
if self.asset:
return self.asset
if self.application and self.application.category_remote_app:
return self.application.get_remote_app_asset()
@lazyproperty @lazyproperty
def cmd_filter_rules(self): def cmd_filter_rules(self):
from assets.models import CommandFilterRule from assets.models import CommandFilterRule

2
apps/authentication/serializers/connection_token.py
View File

@ -177,7 +177,7 @@ class ConnectionTokenCmdFilterRuleSerializer(serializers.ModelSerializer):
class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin): class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin):
user = ConnectionTokenUserSerializer(read_only=True) user = ConnectionTokenUserSerializer(read_only=True)
asset = ConnectionTokenAssetSerializer(read_only=True) asset = ConnectionTokenAssetSerializer(read_only=True, source='asset_or_remote_app_asset')
application = ConnectionTokenApplicationSerializer(read_only=True) application = ConnectionTokenApplicationSerializer(read_only=True)
remote_app = ConnectionTokenRemoteAppSerializer(read_only=True) remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
system_user = ConnectionTokenSystemUserSerializer(read_only=True) system_user = ConnectionTokenSystemUserSerializer(read_only=True)

2
apps/rbac/builtin.py
View File

@ -23,7 +23,7 @@ user_perms = (
) )
system_user_perms = ( system_user_perms = (
('authentication', 'connectiontoken', 'add', 'connectiontoken'), ('authentication', 'connectiontoken', 'add,view', 'connectiontoken'),
('authentication', 'temptoken', 'add,change,view', 'temptoken'), ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
('authentication', 'accesskey', '*', '*'), ('authentication', 'accesskey', '*', '*'),
('tickets', 'ticket', 'view', 'ticket'), ('tickets', 'ticket', 'view', 'ticket'),

4
apps/rbac/models/permission.py
View File

@ -60,11 +60,11 @@ class Permission(DjangoPermission):
if actions == '*' and resource == '*': if actions == '*' and resource == '*':
pass pass
elif actions == '*' and resource != '*': elif actions == '*' and resource != '*':
kwargs['codename__iregex'] = r'[a-z]+_{}'.format(resource) kwargs['codename__iregex'] = r'[a-z]+_{}$'.format(resource)
elif actions != '*' and resource == '*': elif actions != '*' and resource == '*':
kwargs['codename__iregex'] = r'({})_[a-z]+'.format(actions_regex) kwargs['codename__iregex'] = r'({})_[a-z]+'.format(actions_regex)
else: else:
kwargs['codename__iregex'] = r'({})_{}'.format(actions_regex, resource) kwargs['codename__iregex'] = r'({})_{}$'.format(actions_regex, resource)
q |= Q(**kwargs) q |= Q(**kwargs)
return q return q

20
apps/users/api/profile.py
View File

@ -3,6 +3,10 @@ import uuid
from rest_framework import generics from rest_framework import generics
from rest_framework.permissions import IsAuthenticated from rest_framework.permissions import IsAuthenticated
from common.permissions import IsValidUserOrConnectionToken
from common.utils import get_object_or_none
from orgs.utils import tmp_to_root_org
from authentication.models import ConnectionToken
from users.notifications import ( from users.notifications import (
ResetPasswordMsg, ResetPasswordSuccessMsg, ResetSSHKeyMsg, ResetPasswordMsg, ResetPasswordSuccessMsg, ResetSSHKeyMsg,
@ -44,12 +48,26 @@ class UserResetPKApi(UserQuerysetMixin, generics.UpdateAPIView):
class UserProfileApi(generics.RetrieveUpdateAPIView): class UserProfileApi(generics.RetrieveUpdateAPIView):
permission_classes = (IsAuthenticated,) permission_classes = (IsValidUserOrConnectionToken,)
serializer_class = serializers.UserProfileSerializer serializer_class = serializers.UserProfileSerializer
def get_object(self): def get_object(self):
if self.request.user.is_anonymous:
user = self.get_connection_token_user()
if user:
return user
return self.request.user return self.request.user
def get_connection_token_user(self):
token_id = self.request.query_params.get('token')
if not token_id:
return
with tmp_to_root_org():
token = get_object_or_none(ConnectionToken, id=token_id)
if not token:
return
return token.user
class UserPasswordApi(generics.RetrieveUpdateAPIView): class UserPasswordApi(generics.RetrieveUpdateAPIView):
permission_classes = (IsAuthenticated,) permission_classes = (IsAuthenticated,)