jumpserver/apps/accounts/automations/check_account/manager.py

import hashlib
import os
import re
import sqlite3
import uuid

from django.conf import settings
from django.utils import timezone
from django.utils.translation import gettext_lazy as _

from accounts.models import Account, AccountRisk, RiskChoice
from assets.automations.base.manager import BaseManager
from common.const import ConfirmOrIgnore
from common.decorators import bulk_create_decorator, bulk_update_decorator


@bulk_create_decorator(AccountRisk)
def create_risk(data):
    return AccountRisk(**data)


@bulk_update_decorator(AccountRisk, update_fields=["details", "status"])
def update_risk(risk):
    return risk


class BaseCheckHandler:
    risk = ''

    def __init__(self, assets):
        self.assets = assets

    def check(self, account):
        pass

    def clean(self):
        pass


class CheckSecretHandler(BaseCheckHandler):
    risk = RiskChoice.weak_password

    @staticmethod
    def is_weak_password(password):
        # 判断密码长度
        if len(password) < 8:
            return True

        # 判断是否只有一种字符类型
        if password.isdigit() or password.isalpha():
            return True

        # 判断是否只包含数字或字母
        if password.islower() or password.isupper():
            return True

        # 判断是否包含常见弱密码
        common_passwords = ["123456", "password", "12345678", "qwerty", "abc123"]
        if password.lower() in common_passwords:
            return True

        # 正则表达式判断字符多样性（数字、字母、特殊字符）
        if (
                not re.search(r"[A-Za-z]", password)
                or not re.search(r"[0-9]", password)
                or not re.search(r"[\W_]", password)
        ):
            return True
        return False

    def check(self, account):
        if not account.secret:
            return False
        return self.is_weak_password(account.secret)


class CheckRepeatHandler(BaseCheckHandler):
    risk = RiskChoice.repeated_password

    def __init__(self, assets):
        super().__init__(assets)
        self.path, self.conn, self.cursor = self.init_repeat_check_db()
        self.add_password_for_check_repeat()

    @staticmethod
    def init_repeat_check_db():
        path = os.path.join('/tmp', 'accounts_' + str(uuid.uuid4()) + '.db')
        sql = """
        CREATE TABLE IF NOT EXISTS accounts (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            digest CHAR(32)
        )
        """
        index = "CREATE INDEX IF NOT EXISTS idx_digest ON accounts(digest)"
        conn = sqlite3.connect(path)
        cursor = conn.cursor()
        cursor.execute(sql)
        cursor.execute(index)
        return path, conn, cursor

    def check(self, account):
        if not account.secret:
            return False

        digest = self.digest(account.secret)
        sql = 'SELECT COUNT(*) FROM accounts WHERE digest = ?'
        self.cursor.execute(sql, [digest])
        result = self.cursor.fetchone()
        if not result:
            return False
        return result[0] > 1

    @staticmethod
    def digest(secret):
        return hashlib.md5(secret.encode()).hexdigest()

    def add_password_for_check_repeat(self):
        accounts = Account.objects.all().only('id', '_secret', 'secret_type')
        sql = "INSERT INTO accounts (digest) VALUES (?)"

        for account in accounts:
            secret = account.secret
            if not secret:
                continue
            digest = self.digest(secret)
            self.cursor.execute(sql, [digest])
        self.conn.commit()

    def clean(self):
        self.cursor.close()
        self.conn.close()
        os.remove(self.path)


class CheckLeakHandler(BaseCheckHandler):
    risk = RiskChoice.leaked_password

    def __init__(self, *args):
        super().__init__(*args)
        self.conn, self.cursor = self.init_leak_password_db()

    @staticmethod
    def init_leak_password_db():
        db_path = os.path.join(
            settings.APPS_DIR, 'accounts', 'automations',
            'check_account', 'leak_passwords.db'
        )

        if settings.LEAK_PASSWORD_DB_PATH and os.path.isfile(settings.LEAK_PASSWORD_DB_PATH):
            db_path = settings.LEAK_PASSWORD_DB_PATH

        db_conn = sqlite3.connect(db_path)
        db_cursor = db_conn.cursor()
        return db_conn, db_cursor

    def check(self, account):
        if not account.secret:
            return False

        sql = 'SELECT 1 FROM passwords WHERE password = ? LIMIT 1'
        self.cursor.execute(sql, (account.secret,))
        leak = self.cursor.fetchone() is not None
        return leak

    def clean(self):
        self.cursor.close()
        self.conn.close()


class CheckAccountManager(BaseManager):
    batch_size = 100
    tmpl = 'Checked the status of account %s: %s'

    def __init__(self, execution):
        super().__init__(execution)
        self.assets = []
        self.batch_risks = []
        self.handlers = []

    def add_risk(self, risk, account):
        self.summary[risk] += 1
        self.result[risk].append({
            'asset': str(account.asset), 'username': account.username,
        })
        risk_obj = {'account': account, 'risk': risk}
        self.batch_risks.append(risk_obj)

    def commit_risks(self, assets):
        account_risks = AccountRisk.objects.filter(asset__in=assets)
        ori_risk_map = {}

        for risk in account_risks:
            key = f'{risk.account_id}_{risk.risk}'
            ori_risk_map[key] = risk

        now = timezone.now().isoformat()
        for d in self.batch_risks:
            account = d["account"]
            key = f'{account.id}_{d["risk"]}'
            origin_risk = ori_risk_map.get(key)

            if origin_risk and origin_risk.status != ConfirmOrIgnore.pending:
                details = origin_risk.details or []
                details.append({"datetime": now, 'type': 'refind'})

                if len(details) > 10:
                    details = [*details[:5], *details[-5:]]

                origin_risk.details = details
                origin_risk.status = ConfirmOrIgnore.pending
                update_risk(origin_risk)
            else:
                create_risk({
                    "account": account,
                    "asset": account.asset,
                    "username": account.username,
                    "risk": d["risk"],
                    "details": [{"datetime": now, 'type': 'init'}],
                })

    def pre_run(self):
        super().pre_run()
        self.assets = self.execution.get_all_assets()

    def batch_check(self, handler):
        print("Engine: {}".format(handler.__class__.__name__))
        for i in range(0, len(self.assets), self.batch_size):
            _assets = self.assets[i: i + self.batch_size]
            accounts = Account.objects.filter(asset__in=_assets)

            print("Start to check accounts: {}".format(len(accounts)))

            for account in accounts:
                error = handler.check(account)
                msg = handler.risk if error else 'ok'

                print("Check: {} => {}".format(account, msg))
                if not error:
                    continue
                self.add_risk(handler.risk, account)
            self.commit_risks(_assets)

    def do_run(self, *args, **kwargs):
        for engine in self.execution.snapshot.get("engines", []):
            if engine == "check_account_secret":
                handler = CheckSecretHandler(self.assets)
            elif engine == "check_account_repeat":
                handler = CheckRepeatHandler(self.assets)
            elif engine == "check_account_leak":
                handler = CheckLeakHandler(self.assets)
            else:
                print("Unknown engine: {}".format(engine))
                continue

            self.handlers.append(handler)
            self.batch_check(handler)

    def post_run(self):
        super().post_run()
        for handler in self.handlers:
            handler.clean()

    def get_report_subject(self):
        return "Check account report of %s" % self.execution.id

    def get_report_template(self):
        return "accounts/check_account_report.html"

    def print_summary(self):
        tmpl = _("\n---\nSummary: \nok: {}, weak password: {}, leaked password: {}, "
                 "repeated password: {}, no secret: {}, using time: {}s").format(
            self.summary["ok"],
            self.summary[RiskChoice.weak_password],
            self.summary[RiskChoice.leaked_password],
            self.summary[RiskChoice.repeated_password],
            self.summary["no_secret"],
            int(self.duration)
        )
        print(tmpl)