Merge branch 'dev' of github.com:jumpserver/jumpserver into dev

README.md

 # Jumpserver 多云环境下更好用的堡垒机
 
-![Total visitor](https://visitor-count-badge.herokuapp.com/total.svg?repo_id=jumpserver)
-![Visitors in today](https://visitor-count-badge.herokuapp.com/today.svg?repo_id=jumpserver)
 [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
 [![Django](https://img.shields.io/badge/django-2.1-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
 [![Ansible](https://img.shields.io/badge/ansible-2.4.2.0-blue.svg?style=plastic)](https://www.ansible.com/)

apps/assets/serializers/node.py

@@ -25,10 +25,12 @@ class NodeSerializer(BulkOrgResourceModelSerializer):
         read_only_fields = ['key', 'org_id']
 
     def validate_value(self, data):
-        if not self.instance and not data:
-            return data
-        instance = self.instance
-        siblings = instance.get_siblings()
+        if self.instance:
+            instance = self.instance
+            siblings = instance.get_siblings()
+        else:
+            instance = Node.org_root()
+            siblings = instance.get_children()
         if siblings.filter(value=data):
             raise serializers.ValidationError(
                 _('The same level node name cannot be the same')

apps/jumpserver/conf.py

@@ -374,6 +374,10 @@ defaults = {
     'RADIUS_SERVER': 'localhost',
     'RADIUS_PORT': 1812,
     'RADIUS_SECRET': '',
+    'AUTH_LDAP_SEARCH_PAGED_SIZE': 1000,
+    'AUTH_LDAP_SYNC_IS_PERIODIC': False,
+    'AUTH_LDAP_SYNC_INTERVAL': None,
+    'AUTH_LDAP_SYNC_CRONTAB': None,
     'HTTP_BIND_HOST': '0.0.0.0',
     'HTTP_LISTEN_PORT': 8080,
     'WS_LISTEN_PORT': 8070,
@@ -386,7 +390,6 @@ defaults = {
     'PERM_SINGLE_ASSET_TO_UNGROUP_NODE': False,
     'WINDOWS_SSH_DEFAULT_SHELL': 'cmd',
     'FLOWER_URL': "127.0.0.1:5555",
-    'AUTH_LDAP_SEARCH_PAGED_SIZE': 1000,
     'DEFAULT_ORG_SHOW_ALL_USERS': True,
 }
 

apps/jumpserver/settings.py

@@ -357,6 +357,7 @@ EMAIL_PORT = 25
 EMAIL_HOST_USER = 'noreply@jumpserver.org'
 EMAIL_HOST_PASSWORD = ''
 EMAIL_FROM = ''
+EMAIL_RECIPIENT = ''
 EMAIL_USE_SSL = False
 EMAIL_USE_TLS = False
 EMAIL_SUBJECT_PREFIX = '[JMS] '
@@ -425,6 +426,10 @@ OTP_VALID_WINDOW = CONFIG.OTP_VALID_WINDOW
 # Auth LDAP settings
 AUTH_LDAP = False
 AUTH_LDAP_SEARCH_PAGED_SIZE = CONFIG.AUTH_LDAP_SEARCH_PAGED_SIZE
+AUTH_LDAP_SYNC_IS_PERIODIC = CONFIG.AUTH_LDAP_SYNC_IS_PERIODIC
+AUTH_LDAP_SYNC_INTERVAL = CONFIG.AUTH_LDAP_SYNC_INTERVAL
+AUTH_LDAP_SYNC_CRONTAB = CONFIG.AUTH_LDAP_SYNC_CRONTAB
+
 AUTH_LDAP_SERVER_URI = 'ldap://localhost:389'
 AUTH_LDAP_BIND_DN = 'cn=admin,dc=jumpserver,dc=org'
 AUTH_LDAP_BIND_PASSWORD = ''

apps/settings/api.py

@@ -30,6 +30,7 @@ class MailTestingAPI(APIView):
         serializer = self.serializer_class(data=request.data)
         if serializer.is_valid():
             email_from = serializer.validated_data["EMAIL_FROM"]
+            email_recipient = serializer.validated_data["EMAIL_RECIPIENT"]
             email_host_user = serializer.validated_data["EMAIL_HOST_USER"]
             for k, v in serializer.validated_data.items():
                 if k.startswith('EMAIL'):
@@ -38,11 +39,12 @@ class MailTestingAPI(APIView):
                 subject = "Test"
                 message = "Test smtp setting"
                 email_from = email_from or email_host_user
-                send_mail(subject, message,  email_from, [email_from])
+                email_recipient = email_recipient or email_from
+                send_mail(subject, message,  email_from, [email_recipient])
             except Exception as e:
                 return Response({"error": str(e)}, status=401)
 
-            return Response({"msg": self.success_message.format(email_host_user)})
+            return Response({"msg": self.success_message.format(email_recipient)})
         else:
             return Response({"error": str(serializer.errors)}, status=401)
 

apps/settings/forms.py

@@ -89,6 +89,10 @@ class EmailSettingForm(BaseForm):
             "Tips: Send mail account, default SMTP account as the send account"
         )
     )
+    EMAIL_RECIPIENT = forms.CharField(
+        max_length=128, label=_("Test recipient"), initial='', required=False,
+        help_text=_("Tips: Used only as a test mail recipient")
+    )
     EMAIL_USE_SSL = forms.BooleanField(
         label=_("Use SSL"), initial=False, required=False,
         help_text=_("If SMTP port is 465, may be select")

apps/settings/serializers.py

@@ -7,6 +7,7 @@ class MailTestSerializer(serializers.Serializer):
     EMAIL_HOST_USER = serializers.CharField(max_length=1024)
     EMAIL_HOST_PASSWORD = serializers.CharField(required=False, allow_blank=True)
     EMAIL_FROM = serializers.CharField(required=False, allow_blank=True)
+    EMAIL_RECIPIENT = serializers.CharField(required=False, allow_blank=True)
     EMAIL_USE_SSL = serializers.BooleanField(default=False)
     EMAIL_USE_TLS = serializers.BooleanField(default=False)
 

apps/settings/utils.py

@@ -170,7 +170,7 @@ class LDAPUtil:
         email = construct_user_email(username, email)
         return email
 
-    def create_or_update_users(self, user_items, force_update=True):
+    def create_or_update_users(self, user_items):
         succeed = failed = 0
         for user_item in user_items:
             exist = user_item.pop('existing', False)
@@ -180,13 +180,14 @@ class LDAPUtil:
             else:
                 ok, error = self.update_user(user_item)
             if not ok:
+                logger.info("Failed User: {}".format(user_item))
                 failed += 1
             else:
                 succeed += 1
         result = {'total': len(user_items), 'succeed': succeed, 'failed': failed}
         return result
 
-    def sync_users(self, username_list):
+    def sync_users(self, username_list=None):
         user_items = self.search_filter_user_items(username_list)
         result = self.create_or_update_users(user_items)
         return result

apps/users/tasks.py

@@ -2,6 +2,7 @@
 #
 
 from celery import shared_task
+from django.conf import settings
 
 from ops.celery.utils import create_or_update_celery_periodic_tasks
 from ops.celery.decorator import after_app_ready_start
@@ -10,6 +11,7 @@ from .models import User
 from .utils import (
     send_password_expiration_reminder_mail, send_user_expiration_reminder_mail
 )
+from settings.utils import LDAPUtil
 
 
 logger = get_logger(__file__)
@@ -66,3 +68,36 @@ def check_user_expired_periodic():
     }
     create_or_update_celery_periodic_tasks(tasks)
 
+
+@shared_task
+def sync_ldap_user():
+    logger.info("Start sync ldap user periodic task")
+    util = LDAPUtil()
+    result = util.sync_users()
+    logger.info("Result: {}".format(result))
+
+
+@shared_task
+@after_app_ready_start
+def sync_ldap_user_periodic():
+    if not settings.AUTH_LDAP:
+        return
+    if not settings.AUTH_LDAP_SYNC_IS_PERIODIC:
+        return
+
+    interval = settings.AUTH_LDAP_SYNC_INTERVAL
+    if isinstance(interval, int):
+        interval = interval * 3600
+    else:
+        interval = None
+    crontab = settings.AUTH_LDAP_SYNC_CRONTAB
+
+    tasks = {
+        'sync_ldap_user_periodic': {
+            'task': sync_ldap_user.name,
+            'interval': interval,
+            'crontab': crontab,
+            'enabled': True,
+        }
+    }
+    create_or_update_celery_periodic_tasks(tasks)

config_example.yml

@@ -72,6 +72,13 @@ REDIS_PORT: 6379
 # RADIUS_PORT: 1812
 # RADIUS_SECRET: 
 
+# LDAP/AD 设置定时同步参数
+# 启用/禁用
+# AUTH_LDAP_SYNC_IS_PERIODIC: True
+# 单位: 时
+# AUTH_LDAP_SYNC_INTERVAL: 12
+# Crontab 表达式
+# AUTH_LDAP_SYNC_CRONTAB: * 6 * * *
 
 # OTP settings
 # OTP/MFA 配置