perf: 优化公钥设置，让用户可以选择是否开启

apps/jumpserver/conf.py

@@ -222,6 +222,7 @@ class Config(dict):
 
         'TERMINAL_PASSWORD_AUTH': True,
         'TERMINAL_PUBLIC_KEY_AUTH': True,
+        'TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH': True,
         'TERMINAL_HEARTBEAT_INTERVAL': 20,
         'TERMINAL_ASSET_LIST_SORT_BY': 'hostname',
         'TERMINAL_ASSET_LIST_PAGE_SIZE': 'auto',

apps/jumpserver/settings/custom.py

@@ -124,3 +124,4 @@ FORGOT_PASSWORD_URL = CONFIG.FORGOT_PASSWORD_URL
 # 自定义默认组织名
 GLOBAL_ORG_DISPLAY_NAME = CONFIG.GLOBAL_ORG_DISPLAY_NAME
 HEALTH_CHECK_TOKEN = CONFIG.HEALTH_CHECK_TOKEN
+TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH = CONFIG.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH

apps/users/models/user.py

@@ -5,6 +5,7 @@ import uuid
 import base64
 import string
 import random
+import datetime
 
 from django.conf import settings
 from django.contrib.auth.models import AbstractUser
@@ -32,6 +33,9 @@ logger = get_logger(__file__)
 
 
 class AuthMixin:
+    date_password_last_updated: datetime.datetime
+    is_local: bool
+
     @property
     def password_raw(self):
         raise AttributeError('Password raw is not a readable attribute')
@@ -63,7 +67,12 @@ class AuthMixin:
         return self.can_use_ssh_key_login()
 
     def can_use_ssh_key_login(self):
-        return self.is_local and settings.TERMINAL_PUBLIC_KEY_AUTH
+        if not settings.TERMINAL_PUBLIC_KEY_AUTH:
+            return False
+        if self.is_local or settings.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH:
+            return True
+        else:
+            return False
 
     def is_public_key_valid(self):
         """

apps/users/serializers/profile.py

@@ -101,7 +101,8 @@ class UserProfileSerializer(UserSerializer):
 
     class Meta(UserSerializer.Meta):
         fields = UserSerializer.Meta.fields + [
-            'public_key_comment', 'public_key_hash_md5', 'admin_or_audit_orgs', 'current_org_roles',
+            'public_key_comment', 'public_key_hash_md5',
+            'admin_or_audit_orgs', 'current_org_roles',
             'guide_url', 'user_all_orgs'
         ]
         read_only_fields = [
@@ -164,6 +165,7 @@ class ChangeUserPasswordSerializer(serializers.ModelSerializer):
         model = User
         fields = ['password']
 
+
 class ResetOTPSerializer(serializers.Serializer):
     msg = serializers.CharField(read_only=True)
 

apps/users/serializers/user.py

@@ -34,6 +34,7 @@ class UserSerializer(CommonBulkSerializerMixin, serializers.ModelSerializer):
     is_expired = serializers.BooleanField(read_only=True, label=_('Is expired'))
     can_update = serializers.SerializerMethodField(label=_('Can update'))
     can_delete = serializers.SerializerMethodField(label=_('Can delete'))
+    can_public_key_auth = serializers.ReadOnlyField(source='can_use_ssh_key_login')
     org_roles = serializers.ListField(
         label=_('Organization role name'), allow_null=True, required=False,
         child=serializers.ChoiceField(choices=ORG_ROLE.choices), default=["User"]
@@ -48,7 +49,7 @@ class UserSerializer(CommonBulkSerializerMixin, serializers.ModelSerializer):
             'password', 'email', 'public_key', 'wechat', 'phone', 'mfa_level', 'mfa_enabled',
             'mfa_level_display', 'mfa_force_enabled', 'role_display', 'org_role_display',
             'total_role_display', 'comment', 'source', 'is_valid', 'is_expired',
-            'is_active', 'created_by', 'is_first_login',
+            'is_active', 'created_by', 'is_first_login', 'can_public_key_auth',
             'password_strategy', 'date_password_last_updated', 'date_expired',
             'avatar_url', 'source_display', 'date_joined', 'last_login'
         ]