|
|
# -*- coding: utf-8 -*-
|
|
|
#
|
|
|
import urllib.parse
|
|
|
import json
|
|
|
from typing import Callable
|
|
|
import os
|
|
|
import base64
|
|
|
import ctypes
|
|
|
|
|
|
from django.core.cache import cache
|
|
|
from django.shortcuts import get_object_or_404
|
|
|
from django.http import HttpResponse
|
|
|
from django.utils import timezone
|
|
|
from django.utils.translation import ugettext as _
|
|
|
from rest_framework.response import Response
|
|
|
from rest_framework.request import Request
|
|
|
from rest_framework.viewsets import GenericViewSet
|
|
|
from rest_framework.decorators import action
|
|
|
from rest_framework.exceptions import PermissionDenied
|
|
|
from rest_framework import serializers
|
|
|
|
|
|
from applications.models import Application
|
|
|
from authentication.signals import post_auth_failed
|
|
|
from common.utils import get_logger, random_string
|
|
|
from common.mixins.api import SerializerMixin
|
|
|
from common.utils.common import get_file_by_arch
|
|
|
from orgs.mixins.api import RootOrgViewMixin
|
|
|
from common.http import is_true
|
|
|
from perms.models.base import Action
|
|
|
from perms.utils.application.permission import get_application_actions
|
|
|
from perms.utils.asset.permission import get_asset_actions
|
|
|
from common.const.http import PATCH
|
|
|
from terminal.models import EndpointRule
|
|
|
from ..serializers import (
|
|
|
ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
|
|
|
)
|
|
|
|
|
|
logger = get_logger(__name__)
|
|
|
__all__ = ['UserConnectionTokenViewSet', 'UserSuperConnectionTokenViewSet', 'TokenCacheMixin']
|
|
|
|
|
|
|
|
|
class ClientProtocolMixin:
|
|
|
"""
|
|
|
下载客户端支持的连接文件,里面包含了 token,和 其他连接信息
|
|
|
|
|
|
- [x] RDP
|
|
|
- [ ] KoKo
|
|
|
|
|
|
本质上,这里还是暴露出 token 来,进行使用
|
|
|
"""
|
|
|
request: Request
|
|
|
get_serializer: Callable
|
|
|
create_token: Callable
|
|
|
get_serializer_context: Callable
|
|
|
|
|
|
def get_smart_endpoint(self, protocol, asset=None, application=None):
|
|
|
if asset:
|
|
|
target_ip = asset.get_target_ip()
|
|
|
elif application:
|
|
|
target_ip = application.get_target_ip()
|
|
|
else:
|
|
|
target_ip = ''
|
|
|
endpoint = EndpointRule.match_endpoint(target_ip, protocol, self.request)
|
|
|
return endpoint
|
|
|
|
|
|
def get_request_resource(self, serializer):
|
|
|
asset = serializer.validated_data.get('asset')
|
|
|
application = serializer.validated_data.get('application')
|
|
|
system_user = serializer.validated_data['system_user']
|
|
|
|
|
|
user = serializer.validated_data.get('user')
|
|
|
user = user if user else self.request.user
|
|
|
return asset, application, system_user, user
|
|
|
|
|
|
@staticmethod
|
|
|
def parse_env_bool(env_key, env_default, true_value, false_value):
|
|
|
return true_value if is_true(os.getenv(env_key, env_default)) else false_value
|
|
|
|
|
|
def get_rdp_file_content(self, serializer):
|
|
|
options = {
|
|
|
'full address:s': '',
|
|
|
'username:s': '',
|
|
|
# 'screen mode id:i': '1',
|
|
|
# 'desktopwidth:i': '1280',
|
|
|
# 'desktopheight:i': '800',
|
|
|
'use multimon:i': '0',
|
|
|
'session bpp:i': '32',
|
|
|
'audiomode:i': '0',
|
|
|
'disable wallpaper:i': '0',
|
|
|
'disable full window drag:i': '0',
|
|
|
'disable menu anims:i': '0',
|
|
|
'disable themes:i': '0',
|
|
|
'alternate shell:s': '',
|
|
|
'shell working directory:s': '',
|
|
|
'authentication level:i': '2',
|
|
|
'connect to console:i': '0',
|
|
|
'disable cursor setting:i': '0',
|
|
|
'allow font smoothing:i': '1',
|
|
|
'allow desktop composition:i': '1',
|
|
|
'redirectprinters:i': '0',
|
|
|
'prompt for credentials on client:i': '0',
|
|
|
'autoreconnection enabled:i': '1',
|
|
|
'bookmarktype:i': '3',
|
|
|
'use redirection server name:i': '0',
|
|
|
'smart sizing:i': '1',
|
|
|
# 'drivestoredirect:s': '*',
|
|
|
# 'domain:s': ''
|
|
|
# 'alternate shell:s:': '||MySQLWorkbench',
|
|
|
# 'remoteapplicationname:s': 'Firefox',
|
|
|
# 'remoteapplicationcmdline:s': '',
|
|
|
}
|
|
|
|
|
|
asset, application, system_user, user = self.get_request_resource(serializer)
|
|
|
height = self.request.query_params.get('height')
|
|
|
width = self.request.query_params.get('width')
|
|
|
full_screen = is_true(self.request.query_params.get('full_screen'))
|
|
|
drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
|
|
|
token, secret = self.create_token(user, asset, application, system_user)
|
|
|
|
|
|
# 设置磁盘挂载
|
|
|
if drives_redirect:
|
|
|
actions = 0
|
|
|
if asset:
|
|
|
actions = get_asset_actions(user, asset, system_user)
|
|
|
elif application:
|
|
|
actions = get_application_actions(user, application, system_user)
|
|
|
|
|
|
if actions & Action.UPDOWNLOAD == Action.UPDOWNLOAD:
|
|
|
options['drivestoredirect:s'] = '*'
|
|
|
|
|
|
# 全屏
|
|
|
options['screen mode id:i'] = '2' if full_screen else '1'
|
|
|
|
|
|
# RDP Server 地址
|
|
|
endpoint = self.get_smart_endpoint(
|
|
|
protocol='rdp', asset=asset, application=application
|
|
|
)
|
|
|
options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
|
|
|
# 用户名
|
|
|
options['username:s'] = '{}|{}'.format(user.username, token)
|
|
|
if system_user.ad_domain:
|
|
|
options['domain:s'] = system_user.ad_domain
|
|
|
# 宽高
|
|
|
if width and height:
|
|
|
options['desktopwidth:i'] = width
|
|
|
options['desktopheight:i'] = height
|
|
|
options['winposstr:s:'] = f'0,1,0,0,{width},{height}'
|
|
|
|
|
|
options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
|
|
|
options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
|
|
|
|
|
|
if asset:
|
|
|
name = asset.hostname
|
|
|
elif application:
|
|
|
name = application.name
|
|
|
application.get_rdp_remote_app_setting()
|
|
|
|
|
|
app = f'||jmservisor'
|
|
|
options['remoteapplicationmode:i'] = '1'
|
|
|
options['alternate shell:s'] = app
|
|
|
options['remoteapplicationprogram:s'] = app
|
|
|
options['remoteapplicationname:s'] = name
|
|
|
options['remoteapplicationcmdline:s'] = '- ' + self.get_encrypt_cmdline(application)
|
|
|
else:
|
|
|
name = '*'
|
|
|
|
|
|
content = ''
|
|
|
for k, v in options.items():
|
|
|
content += f'{k}:{v}\n'
|
|
|
return name, content
|
|
|
|
|
|
def get_ssh_token(self, serializer):
|
|
|
asset, application, system_user, user = self.get_request_resource(serializer)
|
|
|
token, secret = self.create_token(user, asset, application, system_user)
|
|
|
if asset:
|
|
|
name = asset.hostname
|
|
|
elif application:
|
|
|
name = application.name
|
|
|
else:
|
|
|
name = '*'
|
|
|
|
|
|
endpoint = self.get_smart_endpoint(
|
|
|
protocol='ssh', asset=asset, application=application
|
|
|
)
|
|
|
content = {
|
|
|
'ip': endpoint.host,
|
|
|
'port': str(endpoint.ssh_port),
|
|
|
'username': f'JMS-{token}',
|
|
|
'password': secret
|
|
|
}
|
|
|
token = json.dumps(content)
|
|
|
return name, token
|
|
|
|
|
|
def get_encrypt_cmdline(self, app: Application):
|
|
|
parameters = app.get_rdp_remote_app_setting()['parameters']
|
|
|
parameters = parameters.encode('ascii')
|
|
|
|
|
|
lib_path = get_file_by_arch('xpack/libs', 'librailencrypt.so')
|
|
|
lib = ctypes.CDLL(lib_path)
|
|
|
lib.encrypt.argtypes = [ctypes.c_char_p, ctypes.c_int]
|
|
|
lib.encrypt.restype = ctypes.c_char_p
|
|
|
|
|
|
rst = lib.encrypt(parameters, len(parameters))
|
|
|
rst = rst.decode('ascii')
|
|
|
return rst
|
|
|
|
|
|
def get_valid_serializer(self):
|
|
|
if self.request.method == 'GET':
|
|
|
data = self.request.query_params
|
|
|
else:
|
|
|
data = self.request.data
|
|
|
serializer = self.get_serializer(data=data)
|
|
|
serializer.is_valid(raise_exception=True)
|
|
|
return serializer
|
|
|
|
|
|
def get_client_protocol_data(self, serializer):
|
|
|
asset, application, system_user, user = self.get_request_resource(serializer)
|
|
|
protocol = system_user.protocol
|
|
|
username = user.username
|
|
|
config, token = '', ''
|
|
|
if protocol == 'rdp':
|
|
|
name, config = self.get_rdp_file_content(serializer)
|
|
|
elif protocol == 'ssh':
|
|
|
name, token = self.get_ssh_token(serializer)
|
|
|
else:
|
|
|
raise ValueError('Protocol not support: {}'.format(protocol))
|
|
|
|
|
|
filename = "{}-{}-jumpserver".format(username, name)
|
|
|
data = {
|
|
|
"filename": filename,
|
|
|
"protocol": system_user.protocol,
|
|
|
"username": username,
|
|
|
"token": token,
|
|
|
"config": config
|
|
|
}
|
|
|
return data
|
|
|
|
|
|
@action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
|
|
|
def get_rdp_file(self, request, *args, **kwargs):
|
|
|
if self.request.method == 'GET':
|
|
|
data = self.request.query_params
|
|
|
else:
|
|
|
data = self.request.data
|
|
|
serializer = self.get_serializer(data=data)
|
|
|
serializer.is_valid(raise_exception=True)
|
|
|
name, data = self.get_rdp_file_content(serializer)
|
|
|
response = HttpResponse(data, content_type='application/octet-stream')
|
|
|
filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
|
|
|
filename = urllib.parse.quote(filename)
|
|
|
response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
|
|
|
return response
|
|
|
|
|
|
@action(methods=['POST', 'GET'], detail=False, url_path='client-url')
|
|
|
def get_client_protocol_url(self, request, *args, **kwargs):
|
|
|
serializer = self.get_valid_serializer()
|
|
|
try:
|
|
|
protocol_data = self.get_client_protocol_data(serializer)
|
|
|
except ValueError as e:
|
|
|
return Response({'error': str(e)}, status=401)
|
|
|
|
|
|
protocol_data = json.dumps(protocol_data).encode()
|
|
|
protocol_data = base64.b64encode(protocol_data).decode()
|
|
|
data = {
|
|
|
'url': 'jms://{}'.format(protocol_data),
|
|
|
}
|
|
|
return Response(data=data)
|
|
|
|
|
|
|
|
|
class SecretDetailMixin:
|
|
|
valid_token: Callable
|
|
|
request: Request
|
|
|
get_serializer: Callable
|
|
|
|
|
|
@staticmethod
|
|
|
def _get_application_secret_detail(application):
|
|
|
gateway = None
|
|
|
remote_app = None
|
|
|
asset = None
|
|
|
|
|
|
if application.category_remote_app:
|
|
|
remote_app = application.get_rdp_remote_app_setting()
|
|
|
asset = application.get_remote_app_asset()
|
|
|
domain = asset.domain
|
|
|
else:
|
|
|
domain = application.domain
|
|
|
|
|
|
if domain and domain.has_gateway():
|
|
|
gateway = domain.random_gateway()
|
|
|
|
|
|
return {
|
|
|
'asset': asset,
|
|
|
'application': application,
|
|
|
'gateway': gateway,
|
|
|
'domain': domain,
|
|
|
'remote_app': remote_app,
|
|
|
}
|
|
|
|
|
|
@staticmethod
|
|
|
def _get_asset_secret_detail(asset):
|
|
|
gateway = None
|
|
|
if asset and asset.domain and asset.domain.has_gateway():
|
|
|
gateway = asset.domain.random_gateway()
|
|
|
|
|
|
return {
|
|
|
'asset': asset,
|
|
|
'application': None,
|
|
|
'domain': asset.domain,
|
|
|
'gateway': gateway,
|
|
|
'remote_app': None,
|
|
|
}
|
|
|
|
|
|
@action(methods=['POST'], detail=False, url_path='secret-info/detail')
|
|
|
def get_secret_detail(self, request, *args, **kwargs):
|
|
|
perm_required = 'authentication.view_connectiontokensecret'
|
|
|
|
|
|
# 非常重要的 api,再逻辑层再判断一下,双重保险
|
|
|
if not request.user.has_perm(perm_required):
|
|
|
raise PermissionDenied('Not allow to view secret')
|
|
|
|
|
|
token = request.data.get('token', '')
|
|
|
try:
|
|
|
value, user, system_user, asset, app, expired_at, actions = self.valid_token(token)
|
|
|
except serializers.ValidationError as e:
|
|
|
post_auth_failed.send(
|
|
|
sender=self.__class__, username='', request=self.request,
|
|
|
reason=_('Invalid token')
|
|
|
)
|
|
|
raise e
|
|
|
|
|
|
data = dict(
|
|
|
id=token, secret=value.get('secret', ''),
|
|
|
user=user, system_user=system_user,
|
|
|
expired_at=expired_at, actions=actions
|
|
|
)
|
|
|
cmd_filter_kwargs = {
|
|
|
'system_user_id': system_user.id,
|
|
|
'user_id': user.id,
|
|
|
}
|
|
|
if asset:
|
|
|
asset_detail = self._get_asset_secret_detail(asset)
|
|
|
system_user.load_asset_more_auth(asset.id, user.username, user.id)
|
|
|
data['type'] = 'asset'
|
|
|
data.update(asset_detail)
|
|
|
cmd_filter_kwargs['asset_id'] = asset.id
|
|
|
else:
|
|
|
app_detail = self._get_application_secret_detail(app)
|
|
|
system_user.load_app_more_auth(app.id, user.username, user.id)
|
|
|
data['type'] = 'application'
|
|
|
data.update(app_detail)
|
|
|
cmd_filter_kwargs['application_id'] = app.id
|
|
|
|
|
|
from assets.models import CommandFilterRule
|
|
|
cmd_filter_rules = CommandFilterRule.get_queryset(**cmd_filter_kwargs)
|
|
|
data['cmd_filter_rules'] = cmd_filter_rules
|
|
|
|
|
|
serializer = self.get_serializer(data)
|
|
|
return Response(data=serializer.data, status=200)
|
|
|
|
|
|
|
|
|
class TokenCacheMixin:
|
|
|
""" endpoint smart view 用到此类来解析token中的资产、应用 """
|
|
|
CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
|
|
|
|
|
|
def get_token_cache_key(self, token):
|
|
|
return self.CACHE_KEY_PREFIX.format(token)
|
|
|
|
|
|
def get_token_ttl(self, token):
|
|
|
key = self.get_token_cache_key(token)
|
|
|
return cache.ttl(key)
|
|
|
|
|
|
def set_token_to_cache(self, token, value, ttl=5 * 60):
|
|
|
key = self.get_token_cache_key(token)
|
|
|
cache.set(key, value, timeout=ttl)
|
|
|
|
|
|
def get_token_from_cache(self, token):
|
|
|
key = self.get_token_cache_key(token)
|
|
|
value = cache.get(key, None)
|
|
|
return value
|
|
|
|
|
|
def renewal_token(self, token, ttl=5 * 60):
|
|
|
value = self.get_token_from_cache(token)
|
|
|
if value:
|
|
|
pre_ttl = self.get_token_ttl(token)
|
|
|
self.set_token_to_cache(token, value, ttl)
|
|
|
post_ttl = self.get_token_ttl(token)
|
|
|
ok = True
|
|
|
msg = f'{pre_ttl}s is renewed to {post_ttl}s.'
|
|
|
else:
|
|
|
ok = False
|
|
|
msg = 'Token is not found.'
|
|
|
data = {
|
|
|
'ok': ok,
|
|
|
'msg': msg
|
|
|
}
|
|
|
return data
|
|
|
|
|
|
|
|
|
class BaseUserConnectionTokenViewSet(
|
|
|
RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
|
|
|
TokenCacheMixin, GenericViewSet
|
|
|
):
|
|
|
|
|
|
@staticmethod
|
|
|
def check_resource_permission(user, asset, application, system_user):
|
|
|
from perms.utils.asset import has_asset_system_permission
|
|
|
from perms.utils.application import has_application_system_permission
|
|
|
|
|
|
if asset and not has_asset_system_permission(user, asset, system_user):
|
|
|
error = f'User not has this asset and system user permission: ' \
|
|
|
f'user={user.id} system_user={system_user.id} asset={asset.id}'
|
|
|
raise PermissionDenied(error)
|
|
|
if application and not has_application_system_permission(user, application, system_user):
|
|
|
error = f'User not has this application and system user permission: ' \
|
|
|
f'user={user.id} system_user={system_user.id} application={application.id}'
|
|
|
raise PermissionDenied(error)
|
|
|
return True
|
|
|
|
|
|
def create_token(self, user, asset, application, system_user, ttl=5 * 60):
|
|
|
self.check_resource_permission(user, asset, application, system_user)
|
|
|
token = random_string(36)
|
|
|
secret = random_string(16)
|
|
|
value = {
|
|
|
'id': token,
|
|
|
'secret': secret,
|
|
|
'user': str(user.id),
|
|
|
'username': user.username,
|
|
|
'system_user': str(system_user.id),
|
|
|
'system_user_name': system_user.name,
|
|
|
'created_by': str(self.request.user),
|
|
|
'date_created': str(timezone.now())
|
|
|
}
|
|
|
|
|
|
if asset:
|
|
|
value.update({
|
|
|
'type': 'asset',
|
|
|
'asset': str(asset.id),
|
|
|
'hostname': asset.hostname,
|
|
|
})
|
|
|
elif application:
|
|
|
value.update({
|
|
|
'type': 'application',
|
|
|
'application': application.id,
|
|
|
'application_name': str(application)
|
|
|
})
|
|
|
|
|
|
self.set_token_to_cache(token, value, ttl)
|
|
|
return token, secret
|
|
|
|
|
|
def create(self, request, *args, **kwargs):
|
|
|
serializer = self.get_serializer(data=request.data)
|
|
|
serializer.is_valid(raise_exception=True)
|
|
|
|
|
|
asset, application, system_user, user = self.get_request_resource(serializer)
|
|
|
token, secret = self.create_token(user, asset, application, system_user)
|
|
|
tp = 'app' if application else 'asset'
|
|
|
data = {
|
|
|
"id": token, 'secret': secret,
|
|
|
'type': tp, 'protocol': system_user.protocol,
|
|
|
'expire_time': self.get_token_ttl(token),
|
|
|
}
|
|
|
return Response(data, status=201)
|
|
|
|
|
|
|
|
|
class UserConnectionTokenViewSet(BaseUserConnectionTokenViewSet, SecretDetailMixin):
|
|
|
serializer_classes = {
|
|
|
'default': ConnectionTokenSerializer,
|
|
|
'get_secret_detail': ConnectionTokenSecretSerializer,
|
|
|
}
|
|
|
rbac_perms = {
|
|
|
'GET': 'authentication.view_connectiontoken',
|
|
|
'create': 'authentication.add_connectiontoken',
|
|
|
'get_secret_detail': 'authentication.view_connectiontokensecret',
|
|
|
'get_rdp_file': 'authentication.add_connectiontoken',
|
|
|
'get_client_protocol_url': 'authentication.add_connectiontoken',
|
|
|
}
|
|
|
|
|
|
def valid_token(self, token):
|
|
|
from users.models import User
|
|
|
from assets.models import SystemUser, Asset
|
|
|
from applications.models import Application
|
|
|
from perms.utils.asset.permission import validate_permission as asset_validate_permission
|
|
|
from perms.utils.application.permission import validate_permission as app_validate_permission
|
|
|
|
|
|
value = self.get_token_from_cache(token)
|
|
|
if not value:
|
|
|
raise serializers.ValidationError('Token not found')
|
|
|
|
|
|
user = get_object_or_404(User, id=value.get('user'))
|
|
|
if not user.is_valid:
|
|
|
raise serializers.ValidationError("User not valid, disabled or expired")
|
|
|
|
|
|
system_user = get_object_or_404(SystemUser, id=value.get('system_user'))
|
|
|
asset = None
|
|
|
app = None
|
|
|
if value.get('type') == 'asset':
|
|
|
asset = get_object_or_404(Asset, id=value.get('asset'))
|
|
|
if not asset.is_active:
|
|
|
raise serializers.ValidationError("Asset disabled")
|
|
|
has_perm, actions, expired_at = asset_validate_permission(user, asset, system_user)
|
|
|
else:
|
|
|
app = get_object_or_404(Application, id=value.get('application'))
|
|
|
has_perm, actions, expired_at = app_validate_permission(user, app, system_user)
|
|
|
|
|
|
if not has_perm:
|
|
|
raise serializers.ValidationError('Permission expired or invalid')
|
|
|
return value, user, system_user, asset, app, expired_at, actions
|
|
|
|
|
|
def get(self, request):
|
|
|
token = request.query_params.get('token')
|
|
|
value = self.get_token_from_cache(token)
|
|
|
if not value:
|
|
|
return Response('', status=404)
|
|
|
return Response(value)
|
|
|
|
|
|
|
|
|
class UserSuperConnectionTokenViewSet(
|
|
|
BaseUserConnectionTokenViewSet, TokenCacheMixin, GenericViewSet
|
|
|
):
|
|
|
serializer_classes = {
|
|
|
'default': SuperConnectionTokenSerializer,
|
|
|
}
|
|
|
rbac_perms = {
|
|
|
'create': 'authentication.add_superconnectiontoken',
|
|
|
'renewal': 'authentication.add_superconnectiontoken'
|
|
|
}
|
|
|
|
|
|
@action(methods=[PATCH], detail=False)
|
|
|
def renewal(self, request, *args, **kwargs):
|
|
|
""" 续期 Token """
|
|
|
token = request.data.get('token', '')
|
|
|
data = self.renewal_token(token)
|
|
|
status_code = 200 if data.get('ok') else 404
|
|
|
return Response(data=data, status=status_code)
|