From d9552c00382f79a0b18f6ff08af7884e797695d7 Mon Sep 17 00:00:00 2001 From: ibuler Date: Sun, 25 Apr 2021 18:13:41 +0800 Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E5=85=AC=E9=92=A5?= =?UTF-8?q?=E8=AE=BE=E7=BD=AE=EF=BC=8C=E8=AE=A9=E7=94=A8=E6=88=B7=E5=8F=AF?= =?UTF-8?q?=E4=BB=A5=E9=80=89=E6=8B=A9=E6=98=AF=E5=90=A6=E5=BC=80=E5=90=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/jumpserver/conf.py | 1 + apps/jumpserver/settings/custom.py | 1 + apps/users/models/user.py | 11 ++++++++++- apps/users/serializers/profile.py | 4 +++- apps/users/serializers/user.py | 3 ++- 5 files changed, 17 insertions(+), 3 deletions(-) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 179376828..91f3da1cb 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -222,6 +222,7 @@ class Config(dict): 'TERMINAL_PASSWORD_AUTH': True, 'TERMINAL_PUBLIC_KEY_AUTH': True, + 'TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH': True, 'TERMINAL_HEARTBEAT_INTERVAL': 20, 'TERMINAL_ASSET_LIST_SORT_BY': 'hostname', 'TERMINAL_ASSET_LIST_PAGE_SIZE': 'auto', diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py index 936b27582..31b5d52ac 100644 --- a/apps/jumpserver/settings/custom.py +++ b/apps/jumpserver/settings/custom.py @@ -124,3 +124,4 @@ FORGOT_PASSWORD_URL = CONFIG.FORGOT_PASSWORD_URL # 自定义默认组织名 GLOBAL_ORG_DISPLAY_NAME = CONFIG.GLOBAL_ORG_DISPLAY_NAME HEALTH_CHECK_TOKEN = CONFIG.HEALTH_CHECK_TOKEN +TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH = CONFIG.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH diff --git a/apps/users/models/user.py b/apps/users/models/user.py index fab14e252..b10c07223 100644 --- a/apps/users/models/user.py +++ b/apps/users/models/user.py @@ -5,6 +5,7 @@ import uuid import base64 import string import random +import datetime from django.conf import settings from django.contrib.auth.models import AbstractUser 
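Review bot: The new `'TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH': True` default in apps/jumpserver/conf.py, and its re-export in apps/jumpserver/settings/custom.py, have no comment saying what True means, and the name is easy to misread. This flag decides which account sources may authenticate with an SSH key, so I would add above both lines something like `# True: only users whose source is local may use SSH public key auth; False: users from any source may`. That reading is inferred from the setting's name, so please confirm it is the intended meaning. The default should stay on the restrictive value so that an upgrade does not widen access. The Config dict continues outside the hunk.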
@@ -32,6 +33,9 @@ logger = get_logger(__file__) class AuthMixin: + date_password_last_updated: datetime.datetime + is_local: bool + @property def password_raw(self): raise AttributeError('Password raw is not a readable attribute') @@ -63,7 +67,12 @@ class AuthMixin: return self.can_use_ssh_key_login() def can_use_ssh_key_login(self): - return self.is_local and settings.TERMINAL_PUBLIC_KEY_AUTH + if not settings.TERMINAL_PUBLIC_KEY_AUTH: + return False + if self.is_local or settings.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH: + return True + else: + return False def is_public_key_valid(self): """ diff --git a/apps/users/serializers/profile.py b/apps/users/serializers/profile.py index 1c5e99873..68e387245 100644 --- a/apps/users/serializers/profile.py +++ b/apps/users/serializers/profile.py @@ -101,7 +101,8 @@ class UserProfileSerializer(UserSerializer): class Meta(UserSerializer.Meta): fields = UserSerializer.Meta.fields + [ - 'public_key_comment', 'public_key_hash_md5', 'admin_or_audit_orgs', 'current_org_roles', + 'public_key_comment', 'public_key_hash_md5', + 'admin_or_audit_orgs', 'current_org_roles', 'guide_url', 'user_all_orgs' ] read_only_fields = [ @@ -164,6 +165,7 @@ class ChangeUserPasswordSerializer(serializers.ModelSerializer): model = User fields = ['password'] + class ResetOTPSerializer(serializers.Serializer): msg = serializers.CharField(read_only=True) diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py index 0d8e784ed..c63c6264d 100644 --- a/apps/users/serializers/user.py +++ b/apps/users/serializers/user.py 
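Review bot: In `can_use_ssh_key_login` (apps/users/models/user.py) the second condition looks inverted: `if self.is_local or settings.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH:` returns True for every user whenever the flag is True. With the `True` default added in conf.py, accounts from non-local sources become eligible for SSH public-key login, which the removed line `return self.is_local and settings.TERMINAL_PUBLIC_KEY_AUTH` did not allow. Going by the setting's name, True should mean local-only, so the check after the `TERMINAL_PUBLIC_KEY_AUTH` guard would be `return self.is_local or not settings.TERMINAL_ONLY_SOURCE_LOCAL_CAN_PUBLIC_KEY_AUTH`. A key stored here presumably keeps working after the external directory account is disabled or its password is changed, so this restriction should fail closed. A test over the four combinations of `is_local` and the flag would pin the behaviour.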
@@ -34,6 +34,7 @@ class UserSerializer(CommonBulkSerializerMixin, serializers.ModelSerializer): is_expired = serializers.BooleanField(read_only=True, label=_('Is expired')) can_update = serializers.SerializerMethodField(label=_('Can update')) can_delete = serializers.SerializerMethodField(label=_('Can delete')) + can_public_key_auth = serializers.ReadOnlyField(source='can_use_ssh_key_login') org_roles = serializers.ListField( label=_('Organization role name'), allow_null=True, required=False, child=serializers.ChoiceField(choices=ORG_ROLE.choices), default=["User"] @@ -48,7 +49,7 @@ class UserSerializer(CommonBulkSerializerMixin, serializers.ModelSerializer): 'password', 'email', 'public_key', 'wechat', 'phone', 'mfa_level', 'mfa_enabled', 'mfa_level_display', 'mfa_force_enabled', 'role_display', 'org_role_display', 'total_role_display', 'comment', 'source', 'is_valid', 'is_expired', - 'is_active', 'created_by', 'is_first_login', + 'is_active', 'created_by', 'is_first_login', 'can_public_key_auth', 'password_strategy', 'date_password_last_updated', 'date_expired', 'avatar_url', 'source_display', 'date_joined', 'last_login' ]
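Review bot: `can_public_key_auth = serializers.ReadOnlyField(source='can_use_ssh_key_login')` in apps/users/serializers/user.py is declared without a type or label, unlike the neighbouring `is_expired = serializers.BooleanField(read_only=True, label=_('Is expired'))`. For consistency and a typed API schema I would write `can_public_key_auth = serializers.BooleanField(read_only=True, source='can_use_ssh_key_login', label=_('Can public key auth'))`. The source is a method rather than a property; DRF calls simple callables when resolving `source`, so this works, but a one-line comment saying so would help the next reader. The UserSerializer class body continues outside the hunk.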