Merge branch 'dev' of github.com:jumpserver/jumpserver into dev

52d09615 · ibuler · e0934753 · 13822cbf · 52d09615 · 52d09615
Commit 52d09615 authored Oct 14, 2019 by ibuler
15 changed files
--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-from rest_framework import generics
+from rest_framework import generics, status
 from rest_framework.serializers import ValidationError
 from rest_framework.views import APIView
 from rest_framework.response import Response
@@ -59,6 +59,13 @@ class NodeViewSet(OrgModelViewSet):
            raise ValidationError({"error": msg})
        return super().perform_update(serializer)

+    def destroy(self, request, *args, **kwargs):
+        node = self.get_object()
+        if node.has_children_or_contains_assets():
+            msg = _("Deletion failed and the node contains children or assets")
+            return Response(data={'msg': msg}, status=status.HTTP_403_FORBIDDEN)
+        return super().destroy(request, *args, **kwargs)
+

 class NodeListAsTreeApi(generics.ListAPIView):
    """

--- a/apps/assets/const.py
+++ b/apps/assets/const.py
+# -*- coding: utf-8 -*-
+#
+
+from django.utils.translation import ugettext_lazy as _
+
+
+GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT = _(
+    'Only Numbers、letters、 chinese and characters ( {} ) are allowed'
+).format(" ".join(['.', '_', '@', '-']))
+
+GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN = r"^[\._@\w-]+$"
+
+GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG = \
+    _("* The contains characters that are not allowed")
--- a/apps/assets/forms/asset.py
+++ b/apps/assets/forms/asset.py
@@ -7,6 +7,7 @@ from common.utils import get_logger
 from orgs.mixins.forms import OrgModelForm

 from ..models import Asset, Node
+from ..const import GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT


 logger = get_logger(__file__)
@@ -14,10 +15,6 @@ __all__ = [
    'AssetCreateForm', 'AssetUpdateForm', 'AssetBulkUpdateForm', 'ProtocolForm',
 ]

-HELP_TEXTS_ASSET_HOSTNAME = _(
-    'Only Numbers、letters、 chinese and characters ( {} ) are allowed'
-).format(" ".join(['.', '_', '@']))
-

 class ProtocolForm(forms.Form):
    name = forms.ChoiceField(
@@ -72,7 +69,7 @@ class AssetCreateForm(OrgModelForm):
            'nodes': _("Node"),
        }
        help_texts = {
-            'hostname': HELP_TEXTS_ASSET_HOSTNAME,
+            'hostname': GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT,
            'admin_user': _(
                'root or other NOPASSWD sudo privilege user existed in asset,'
                'If asset is windows or other set any one, more see admin user left menu'
@@ -119,7 +116,7 @@ class AssetUpdateForm(OrgModelForm):
            'nodes': _("Node"),
        }
        help_texts = {
-            'hostname': HELP_TEXTS_ASSET_HOSTNAME,
+            'hostname': GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT,
            'admin_user': _(
                'root or other NOPASSWD sudo privilege user existed in asset,'
                'If asset is windows or other set any one, more see admin user left menu'

--- a/apps/assets/forms/user.py
+++ b/apps/assets/forms/user.py
@@ -6,6 +6,7 @@ from django.utils.translation import gettext_lazy as _
 from common.utils import validate_ssh_private_key, ssh_pubkey_gen, get_logger
 from orgs.mixins.forms import OrgModelForm
 from ..models import AdminUser, SystemUser
+from ..const import GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT

 logger = get_logger(__file__)
 __all__ = [
@@ -98,6 +99,7 @@ class SystemUserForm(OrgModelForm, PasswordAndKeyAuthForm):
            }),
        }
        help_texts = {
+            'name': GENERAL_LIMIT_SPECIAL_CHARACTERS_HELP_TEXT,
            'auto_push': _('Auto push system user to asset'),
            'priority': _('1-100, High level will be using login asset as default, '
                          'if user was granted more than 2 system user'),

--- a/apps/assets/models/node.py
+++ b/apps/assets/models/node.py
@@ -470,8 +470,13 @@ class Node(OrgModelMixin, SomeNodesMixin, TreeMixin, FamilyMixin, FullValueMixin
        tree_node = TreeNode(**data)
        return tree_node

-    def delete(self, using=None, keep_parents=False):
+    def has_children_or_contains_assets(self):
        if self.children or self.get_assets():
+            return True
+        return False
+
+    def delete(self, using=None, keep_parents=False):
+        if self.has_children_or_contains_assets():
            return
        return super().delete(using=using, keep_parents=keep_parents)


--- a/apps/assets/serializers/asset.py
+++ b/apps/assets/serializers/asset.py
@@ -8,6 +8,10 @@ from django.utils.translation import ugettext_lazy as _
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from common.serializers import AdaptedBulkListSerializer
 from ..models import Asset, Node, Label
+from ..const import (
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN,
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
+)
 from .base import ConnectivitySerializer

 __all__ = [
@@ -94,10 +98,10 @@ class AssetSerializer(BulkOrgResourceModelSerializer):

    @staticmethod
    def validate_hostname(hostname):
-        pattern = r"^[\._@\w-]+$"
+        pattern = GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN
        res = re.match(pattern, hostname)
        if res is None:
-            msg = _("* The hostname contains characters that are not allowed")
+            msg = GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
            raise serializers.ValidationError(msg)
        return hostname

@@ -136,6 +140,7 @@ class AssetSerializer(BulkOrgResourceModelSerializer):


 class AssetSimpleSerializer(serializers.ModelSerializer):
+    connectivity = ConnectivitySerializer(read_only=True, label=_("Connectivity"))

    class Meta:
        model = Asset

--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
+import re
 from rest_framework import serializers

 from django.utils.translation import ugettext_lazy as _
@@ -6,6 +7,10 @@ from common.serializers import AdaptedBulkListSerializer
 from common.utils import ssh_pubkey_gen
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser
+from ..const import (
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN,
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
+)
 from .base import AuthSerializer, AuthSerializerMixin


@@ -33,6 +38,15 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
            'created_by': {'read_only': True},
        }

+    @staticmethod
+    def validate_name(name):
+        pattern = GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN
+        res = re.match(pattern, name)
+        if res is None:
+            msg = GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
+            raise serializers.ValidationError(msg)
+        return name
+
    def validate_auto_push(self, value):
        login_mode = self.initial_data.get("login_mode")
        protocol = self.initial_data.get("protocol")

--- a/apps/assets/templates/assets/asset_detail.html
+++ b/apps/assets/templates/assets/asset_detail.html
@@ -22,7 +22,6 @@
                            <li>
                                <a href="{% url 'assets:asset-user-list' pk=asset.id %}" class="text-center"><i class="fa fa-bar-chart-o"></i> {% trans 'Asset user list' %} </a>
                            </li>
-                            {% if user.is_superuser %}
                            <li class="pull-right">
                                <a class="btn btn-outline btn-default" href="{% url 'assets:asset-update' pk=asset.id %}"><i class="fa fa-edit"></i>{% trans 'Update' %}</a>
                            </li>
@@ -31,7 +30,6 @@
                                    <i class="fa fa-trash-o"></i>{% trans 'Delete' %}
                                </a>
                            </li>
-                            {% endif %}
                        </ul>
                    </div>
                    <div class="tab-content">

--- a/apps/authentication/backends/ldap.py
+++ b/apps/authentication/backends/ldap.py
@@ -32,6 +32,13 @@ class LDAPAuthorizationBackend(LDAPBackend):
        if not username:
            logger.info('Authenticate failed: username is None')
            return None
+        if settings.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS:
+            user_model = self.get_user_model()
+            exist = user_model.objects.filter(username=username).exists()
+            if not exist:
+                msg = 'Authentication failed: user ({}) is not in the user list'
+                logger.info(msg.format(username))
+                return None
        ldap_user = LDAPUser(self, username=username.strip(), request=request)
        user = self.authenticate_ldap_user(ldap_user, password)
        logger.info('Authenticate user: {}'.format(user))

--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -378,6 +378,7 @@ defaults = {
    'AUTH_LDAP_SYNC_IS_PERIODIC': False,
    'AUTH_LDAP_SYNC_INTERVAL': None,
    'AUTH_LDAP_SYNC_CRONTAB': None,
+    'AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS': False,
    'HTTP_BIND_HOST': '0.0.0.0',
    'HTTP_LISTEN_PORT': 8080,
    'WS_LISTEN_PORT': 8070,

--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -429,6 +429,7 @@ AUTH_LDAP_SEARCH_PAGED_SIZE = CONFIG.AUTH_LDAP_SEARCH_PAGED_SIZE
 AUTH_LDAP_SYNC_IS_PERIODIC = CONFIG.AUTH_LDAP_SYNC_IS_PERIODIC
 AUTH_LDAP_SYNC_INTERVAL = CONFIG.AUTH_LDAP_SYNC_INTERVAL
 AUTH_LDAP_SYNC_CRONTAB = CONFIG.AUTH_LDAP_SYNC_CRONTAB
+AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS = CONFIG.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS

 AUTH_LDAP_SERVER_URI = 'ldap://localhost:389'
 AUTH_LDAP_BIND_DN = 'cn=admin,dc=jumpserver,dc=org'

--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
--- a/apps/orgs/serializers.py
+++ b/apps/orgs/serializers.py

+import re
 from rest_framework.serializers import ModelSerializer
 from rest_framework import serializers
-
 from users.models import User, UserGroup
 from assets.models import Asset, Domain, AdminUser, SystemUser, Label
+from assets.const import (
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN,
+    GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
+)
 from perms.models import AssetPermission
 from common.serializers import AdaptedBulkListSerializer
 from .utils import set_current_org, get_current_org
@@ -18,6 +22,15 @@ class OrgSerializer(ModelSerializer):
        fields = '__all__'
        read_only_fields = ['created_by', 'date_created']

+    @staticmethod
+    def validate_name(name):
+        pattern = GENERAL_LIMIT_SPECIAL_CHARACTERS_PATTERN
+        res = re.match(pattern, name)
+        if res is None:
+            msg = GENERAL_LIMIT_SPECIAL_CHARACTERS_ERROR_MSG
+            raise serializers.ValidationError(msg)
+        return name
+

 class OrgReadSerializer(ModelSerializer):
    admins = serializers.SlugRelatedField(slug_field='name', many=True, read_only=True)

--- a/config_example.yml
+++ b/config_example.yml
@@ -72,13 +72,18 @@ REDIS_PORT: 6379
 # RADIUS_PORT: 1812
 # RADIUS_SECRET: 

-# LDAP/AD 设置定时同步参数
+# LDAP/AD settings
+# 定时同步用户
 # 启用/禁用
 # AUTH_LDAP_SYNC_IS_PERIODIC: True
 # 单位: 时
 # AUTH_LDAP_SYNC_INTERVAL: 12
 # Crontab 表达式
 # AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
+#
+# LDAP 用户登录时仅允许在用户列表中的用户执行 LDAP Server 认证
+# AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS: False
+

 # OTP settings
 # OTP/MFA 配置