mirror of https://github.com/jumpserver/jumpserver
195 lines
6.2 KiB
Python
195 lines
6.2 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
from django.utils.translation import ugettext_lazy as _
|
|
from rest_framework import serializers
|
|
|
|
from common.utils import validate_ssh_public_key
|
|
from common.mixins import BulkSerializerMixin
|
|
from common.serializers import AdaptedBulkListSerializer
|
|
from common.permissions import CanUpdateDeleteUser
|
|
from ..models import User
|
|
|
|
|
|
__all__ = [
|
|
'UserSerializer', 'UserPKUpdateSerializer',
|
|
'ChangeUserPasswordSerializer', 'ResetOTPSerializer',
|
|
'UserProfileSerializer', 'UserDisplaySerializer',
|
|
]
|
|
|
|
|
|
class UserOrgSerializer(serializers.Serializer):
|
|
id = serializers.CharField()
|
|
name = serializers.CharField()
|
|
|
|
|
|
class UserSerializer(BulkSerializerMixin, serializers.ModelSerializer):
|
|
EMAIL_SET_PASSWORD = _('Reset link will be generated and sent to the user')
|
|
CUSTOM_PASSWORD = _('Set password')
|
|
PASSWORD_STRATEGY_CHOICES = (
|
|
(0, EMAIL_SET_PASSWORD),
|
|
(1, CUSTOM_PASSWORD)
|
|
)
|
|
password_strategy = serializers.ChoiceField(
|
|
choices=PASSWORD_STRATEGY_CHOICES, required=True, initial=0,
|
|
label=_('Password strategy'), write_only=True
|
|
)
|
|
|
|
class Meta:
|
|
model = User
|
|
list_serializer_class = AdaptedBulkListSerializer
|
|
fields = [
|
|
'id', 'name', 'username', 'password', 'email', 'public_key',
|
|
'groups', 'role', 'wechat', 'phone', 'mfa_level',
|
|
'comment', 'source', 'is_valid', 'is_expired',
|
|
'is_active', 'created_by', 'is_first_login',
|
|
'password_strategy',
|
|
'date_password_last_updated', 'date_expired',
|
|
'avatar_url',
|
|
]
|
|
extra_kwargs = {
|
|
'password': {'write_only': True, 'required': False, 'allow_null': True, 'allow_blank': True},
|
|
'public_key': {'write_only': True},
|
|
'is_first_login': {'label': _('Is first login'), 'read_only': True},
|
|
'is_valid': {'label': _('Is valid')},
|
|
'is_expired': {'label': _('Is expired')},
|
|
'avatar_url': {'label': _('Avatar url')},
|
|
'created_by': {'read_only': True, 'allow_blank': True},
|
|
}
|
|
|
|
def __init__(self, *args, **kwargs):
|
|
super().__init__(*args, **kwargs)
|
|
self.set_role_choices()
|
|
|
|
def set_role_choices(self):
|
|
role = self.fields['role']
|
|
choices = role.choices
|
|
choices.pop('App', None)
|
|
role.choices = choices
|
|
|
|
def validate_role(self, value):
|
|
request = self.context.get('request')
|
|
if not request.user.is_superuser and value != User.ROLE_USER:
|
|
role_display = dict(User.ROLE_CHOICES)[User.ROLE_USER]
|
|
msg = _("Role limit to {}".format(role_display))
|
|
raise serializers.ValidationError(msg)
|
|
return value
|
|
|
|
def validate_password(self, password):
|
|
from ..utils import check_password_rules
|
|
password_strategy = self.initial_data.get('password_strategy')
|
|
if password_strategy == '0':
|
|
return
|
|
if password_strategy is None and not password:
|
|
return
|
|
if not check_password_rules(password):
|
|
msg = _('Password does not match security rules')
|
|
raise serializers.ValidationError(msg)
|
|
return password
|
|
|
|
def validate_groups(self, groups):
|
|
role = self.initial_data.get('role')
|
|
if self.instance:
|
|
role = role or self.instance.role
|
|
if role == User.ROLE_AUDITOR:
|
|
return []
|
|
return groups
|
|
|
|
@staticmethod
|
|
def change_password_to_raw(attrs):
|
|
password = attrs.pop('password', None)
|
|
if password:
|
|
attrs['password_raw'] = password
|
|
return attrs
|
|
|
|
@staticmethod
|
|
def clean_auth_fields(attrs):
|
|
for field in ('password', 'public_key'):
|
|
value = attrs.get(field)
|
|
if not value:
|
|
attrs.pop(field, None)
|
|
return attrs
|
|
|
|
def validate(self, attrs):
|
|
attrs = self.change_password_to_raw(attrs)
|
|
attrs = self.clean_auth_fields(attrs)
|
|
attrs.pop('password_strategy', None)
|
|
return attrs
|
|
|
|
|
|
class UserDisplaySerializer(UserSerializer):
|
|
can_update = serializers.SerializerMethodField()
|
|
can_delete = serializers.SerializerMethodField()
|
|
|
|
class Meta(UserSerializer.Meta):
|
|
fields = UserSerializer.Meta.fields + [
|
|
'groups_display', 'role_display', 'source_display',
|
|
'can_update', 'can_delete',
|
|
]
|
|
|
|
def get_can_update(self, obj):
|
|
return CanUpdateDeleteUser.has_update_object_permission(
|
|
self.context['request'], self.context['view'], obj
|
|
)
|
|
|
|
def get_can_delete(self, obj):
|
|
return CanUpdateDeleteUser.has_delete_object_permission(
|
|
self.context['request'], self.context['view'], obj
|
|
)
|
|
|
|
def get_extra_kwargs(self):
|
|
kwargs = super().get_extra_kwargs()
|
|
kwargs.update({
|
|
'can_update': {'read_only': True},
|
|
'can_delete': {'read_only': True},
|
|
'groups_display': {'label': _('Groups name')},
|
|
'source_display': {'label': _('Source name')},
|
|
'role_display': {'label': _('Role name')},
|
|
})
|
|
return kwargs
|
|
|
|
|
|
class UserPKUpdateSerializer(serializers.ModelSerializer):
|
|
class Meta:
|
|
model = User
|
|
fields = ['id', 'public_key']
|
|
|
|
@staticmethod
|
|
def validate_public_key(value):
|
|
if not validate_ssh_public_key(value):
|
|
raise serializers.ValidationError(_('Not a valid ssh public key'))
|
|
return value
|
|
|
|
|
|
class ChangeUserPasswordSerializer(serializers.ModelSerializer):
|
|
|
|
class Meta:
|
|
model = User
|
|
fields = ['password']
|
|
|
|
|
|
class ResetOTPSerializer(serializers.Serializer):
|
|
msg = serializers.CharField(read_only=True)
|
|
|
|
def create(self, validated_data):
|
|
pass
|
|
|
|
def update(self, instance, validated_data):
|
|
pass
|
|
|
|
|
|
class UserProfileSerializer(serializers.ModelSerializer):
|
|
admin_orgs = UserOrgSerializer(many=True, read_only=True)
|
|
|
|
class Meta:
|
|
model = User
|
|
fields = [
|
|
'id', 'name', 'username', 'email',
|
|
'role', 'wechat', 'phone', 'mfa_level',
|
|
'comment', 'source', 'is_valid', 'is_expired',
|
|
'is_active', 'created_by', 'is_first_login',
|
|
'date_password_last_updated', 'date_expired',
|
|
'avatar_url',
|
|
|
|
'groups', 'admin_orgs',
|
|
]
|