|
|
import uuid
|
|
|
from datetime import datetime, timedelta
|
|
|
from django.utils import timezone
|
|
|
from django.utils.translation import ugettext_lazy as _
|
|
|
from django.conf import settings
|
|
|
from rest_framework.authtoken.models import Token
|
|
|
from orgs.mixins.models import OrgModelMixin
|
|
|
|
|
|
from django.db import models
|
|
|
from common.utils import lazyproperty
|
|
|
from common.utils.timezone import as_current_tz
|
|
|
from common.db.models import BaseCreateUpdateModel, JMSBaseModel
|
|
|
|
|
|
|
|
|
class AccessKey(models.Model):
|
|
|
id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True,
|
|
|
default=uuid.uuid4, editable=False)
|
|
|
secret = models.UUIDField(verbose_name='AccessKeySecret',
|
|
|
default=uuid.uuid4, editable=False)
|
|
|
user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name='User',
|
|
|
on_delete=models.CASCADE, related_name='access_keys')
|
|
|
is_active = models.BooleanField(default=True, verbose_name=_('Active'))
|
|
|
date_created = models.DateTimeField(auto_now_add=True)
|
|
|
|
|
|
def get_id(self):
|
|
|
return str(self.id)
|
|
|
|
|
|
def get_secret(self):
|
|
|
return str(self.secret)
|
|
|
|
|
|
def get_full_value(self):
|
|
|
return '{}:{}'.format(self.id, self.secret)
|
|
|
|
|
|
def __str__(self):
|
|
|
return str(self.id)
|
|
|
|
|
|
class Meta:
|
|
|
verbose_name = _("Access key")
|
|
|
|
|
|
|
|
|
class PrivateToken(Token):
|
|
|
"""Inherit from auth token, otherwise migration is boring"""
|
|
|
|
|
|
class Meta:
|
|
|
verbose_name = _('Private Token')
|
|
|
|
|
|
|
|
|
class SSOToken(BaseCreateUpdateModel):
|
|
|
"""
|
|
|
类似腾讯企业邮的 [单点登录](https://exmail.qq.com/qy_mng_logic/doc#10036)
|
|
|
出于安全考虑,这里的 `token` 使用一次随即过期。但我们保留每一个生成过的 `token`。
|
|
|
"""
|
|
|
authkey = models.UUIDField(primary_key=True, default=uuid.uuid4, verbose_name=_('Token'))
|
|
|
expired = models.BooleanField(default=False, verbose_name=_('Expired'))
|
|
|
user = models.ForeignKey('users.User', on_delete=models.CASCADE, verbose_name=_('User'), db_constraint=False)
|
|
|
|
|
|
class Meta:
|
|
|
verbose_name = _('SSO token')
|
|
|
|
|
|
|
|
|
def date_expired_default():
|
|
|
return timezone.now() + timedelta(seconds=settings.CONNECTION_TOKEN_EXPIRATION)
|
|
|
|
|
|
|
|
|
class ConnectionToken(OrgModelMixin, JMSBaseModel):
|
|
|
class Type(models.TextChoices):
|
|
|
asset = 'asset', _('Asset')
|
|
|
application = 'application', _('Application')
|
|
|
|
|
|
type = models.CharField(
|
|
|
max_length=16, default=Type.asset, choices=Type.choices, verbose_name=_("Type")
|
|
|
)
|
|
|
secret = models.CharField(max_length=64, default='', verbose_name=_("Secret"))
|
|
|
date_expired = models.DateTimeField(
|
|
|
default=date_expired_default, verbose_name=_("Date expired")
|
|
|
)
|
|
|
|
|
|
user = models.ForeignKey(
|
|
|
'users.User', on_delete=models.SET_NULL, verbose_name=_('User'),
|
|
|
related_name='connection_tokens', null=True, blank=True
|
|
|
)
|
|
|
user_display = models.CharField(max_length=128, default='', verbose_name=_("User display"))
|
|
|
asset = models.ForeignKey(
|
|
|
'assets.Asset', on_delete=models.SET_NULL, verbose_name=_('Asset'),
|
|
|
related_name='connection_tokens', null=True, blank=True
|
|
|
)
|
|
|
asset_display = models.CharField(max_length=128, default='', verbose_name=_("Asset display"))
|
|
|
account = models.CharField(max_length=128, default='', verbose_name=_("Account"))
|
|
|
|
|
|
class Meta:
|
|
|
ordering = ('-date_expired',)
|
|
|
verbose_name = _('Connection token')
|
|
|
permissions = [
|
|
|
('view_connectiontokensecret', _('Can view connection token secret'))
|
|
|
]
|
|
|
|
|
|
@classmethod
|
|
|
def get_default_date_expired(cls):
|
|
|
return date_expired_default()
|
|
|
|
|
|
@property
|
|
|
def is_expired(self):
|
|
|
return self.date_expired < timezone.now()
|
|
|
|
|
|
@property
|
|
|
def expire_time(self):
|
|
|
interval = self.date_expired - timezone.now()
|
|
|
seconds = interval.total_seconds()
|
|
|
if seconds < 0:
|
|
|
seconds = 0
|
|
|
return int(seconds)
|
|
|
|
|
|
def expire(self):
|
|
|
self.date_expired = timezone.now()
|
|
|
self.save()
|
|
|
|
|
|
@property
|
|
|
def is_valid(self):
|
|
|
return not self.is_expired
|
|
|
|
|
|
def is_type(self, tp):
|
|
|
return self.type == tp
|
|
|
|
|
|
def renewal(self):
|
|
|
""" 续期 Token,将来支持用户自定义创建 token 后,续期策略要修改 """
|
|
|
self.date_expired = self.get_default_date_expired()
|
|
|
self.save()
|
|
|
|
|
|
actions = expired_at = None # actions 和 expired_at 在 check_valid() 中赋值
|
|
|
|
|
|
def check_valid(self):
|
|
|
from perms.utils.permission import validate_permission as asset_validate_permission
|
|
|
from perms.utils.application.permission import validate_permission as app_validate_permission
|
|
|
|
|
|
if self.is_expired:
|
|
|
is_valid = False
|
|
|
error = _('Connection token expired at: {}').format(as_current_tz(self.date_expired))
|
|
|
return is_valid, error
|
|
|
|
|
|
if not self.user:
|
|
|
is_valid = False
|
|
|
error = _('User not exists')
|
|
|
return is_valid, error
|
|
|
if not self.user.is_valid:
|
|
|
is_valid = False
|
|
|
error = _('User invalid, disabled or expired')
|
|
|
return is_valid, error
|
|
|
|
|
|
if not self.system_user:
|
|
|
is_valid = False
|
|
|
error = _('System user not exists')
|
|
|
return is_valid, error
|
|
|
|
|
|
if self.is_type(self.Type.asset):
|
|
|
if not self.asset:
|
|
|
is_valid = False
|
|
|
error = _('Asset not exists')
|
|
|
return is_valid, error
|
|
|
if not self.asset.is_active:
|
|
|
is_valid = False
|
|
|
error = _('Asset inactive')
|
|
|
return is_valid, error
|
|
|
has_perm, actions, expired_at = asset_validate_permission(
|
|
|
self.user, self.asset, self.system_user
|
|
|
)
|
|
|
if not has_perm:
|
|
|
is_valid = False
|
|
|
error = _('User has no permission to access asset or permission expired')
|
|
|
return is_valid, error
|
|
|
self.actions = actions
|
|
|
self.expired_at = expired_at
|
|
|
|
|
|
elif self.is_type(self.Type.application):
|
|
|
if not self.application:
|
|
|
is_valid = False
|
|
|
error = _('Application not exists')
|
|
|
return is_valid, error
|
|
|
has_perm, actions, expired_at = app_validate_permission(
|
|
|
self.user, self.application, self.system_user
|
|
|
)
|
|
|
if not has_perm:
|
|
|
is_valid = False
|
|
|
error = _('User has no permission to access application or permission expired')
|
|
|
return is_valid, error
|
|
|
self.actions = actions
|
|
|
self.expired_at = expired_at
|
|
|
|
|
|
return True, ''
|
|
|
|
|
|
@lazyproperty
|
|
|
def domain(self):
|
|
|
if self.asset:
|
|
|
return self.asset.domain
|
|
|
if not self.application:
|
|
|
return
|
|
|
if self.application.category_remote_app:
|
|
|
asset = self.application.get_remote_app_asset()
|
|
|
domain = asset.domain if asset else None
|
|
|
else:
|
|
|
domain = self.application.domain
|
|
|
return domain
|
|
|
|
|
|
@lazyproperty
|
|
|
def gateway(self):
|
|
|
from assets.models import Domain
|
|
|
if not self.domain:
|
|
|
return
|
|
|
self.domain: Domain
|
|
|
return self.domain.random_gateway()
|
|
|
|
|
|
@lazyproperty
|
|
|
def remote_app(self):
|
|
|
if not self.application:
|
|
|
return {}
|
|
|
if not self.application.category_remote_app:
|
|
|
return {}
|
|
|
return self.application.get_rdp_remote_app_setting()
|
|
|
|
|
|
@lazyproperty
|
|
|
def asset_or_remote_app_asset(self):
|
|
|
if self.asset:
|
|
|
return self.asset
|
|
|
if self.application and self.application.category_remote_app:
|
|
|
return self.application.get_remote_app_asset()
|
|
|
|
|
|
@lazyproperty
|
|
|
def cmd_filter_rules(self):
|
|
|
from assets.models import CommandFilterRule
|
|
|
kwargs = {
|
|
|
'user_id': self.user.id,
|
|
|
'system_user_id': self.system_user.id,
|
|
|
}
|
|
|
if self.asset:
|
|
|
kwargs['asset_id'] = self.asset.id
|
|
|
elif self.application:
|
|
|
kwargs['application_id'] = self.application_id
|
|
|
rules = CommandFilterRule.get_queryset(**kwargs)
|
|
|
return rules
|
|
|
|
|
|
def load_system_user_auth(self):
|
|
|
if self.asset:
|
|
|
self.system_user.load_asset_more_auth(self.asset.id, self.user.username, self.user.id)
|
|
|
elif self.application:
|
|
|
self.system_user.load_app_more_auth(self.application.id, self.user.username, self.user.id)
|
|
|
|
|
|
|
|
|
class TempToken(JMSBaseModel):
|
|
|
username = models.CharField(max_length=128, verbose_name=_("Username"))
|
|
|
secret = models.CharField(max_length=64, verbose_name=_("Secret"))
|
|
|
verified = models.BooleanField(default=False, verbose_name=_("Verified"))
|
|
|
date_verified = models.DateTimeField(null=True, verbose_name=_("Date verified"))
|
|
|
date_expired = models.DateTimeField(verbose_name=_("Date expired"))
|
|
|
|
|
|
class Meta:
|
|
|
verbose_name = _("Temporary token")
|
|
|
|
|
|
@property
|
|
|
def user(self):
|
|
|
from users.models import User
|
|
|
return User.objects.filter(username=self.username).first()
|
|
|
|
|
|
@property
|
|
|
def is_valid(self):
|
|
|
not_expired = self.date_expired and self.date_expired > timezone.now()
|
|
|
return not self.verified and not_expired
|
|
|
|
|
|
|
|
|
class SuperConnectionToken(ConnectionToken):
|
|
|
class Meta:
|
|
|
proxy = True
|
|
|
verbose_name = _("Super connection token")
|