feat: audit for password modification TencentBlueKing#289

Canway-shiisa · Mar 21, 2022 · 5b64ae0 · 5b64ae0
1 parent 645cce1
commit 5b64ae0
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 17 deletions.
diff --git a/src/api/bkuser_core/audit/constants.py b/src/api/bkuser_core/audit/constants.py
@@ -44,9 +44,9 @@ class OperationType(AutoLowerEnum):
     EXPORT = auto()
     RESTORATION = auto()
 
-    FORGET_PASSWORD = auto()
-    RESET_PASSWORD = auto()
-    MODIFY_PASSWORD = auto()
+    FORGET_PASSWORD = auto()    # 用户通过 token 重置
+    ADMIN_RESET_PASSWORD = auto()     # 管理员重置密码
+    MODIFY_PASSWORD = auto()    # 用户通过旧密码修改
 
     _choices_labels = (
         (CREATE, "创建"),
@@ -57,9 +57,9 @@ class OperationType(AutoLowerEnum):
         (EXPORT, "导出"),
         (IMPORT, "导入"),
         (RESTORATION, "恢复"),
-        (FORGET_PASSWORD, "忘记密码"),
-        (RESET_PASSWORD, "重置密码"),
-        (MODIFY_PASSWORD, "修改密码"),
+        (FORGET_PASSWORD, "用户通过token重置密码"),
+        (ADMIN_RESET_PASSWORD, "管理员重置密码"),
+        (MODIFY_PASSWORD, "用户通过旧密码修改"),
     )
 
 

diff --git a/src/api/bkuser_core/profiles/v2/views.py b/src/api/bkuser_core/profiles/v2/views.py
@@ -75,8 +75,6 @@ class ProfileViewSet(AdvancedModelViewSet, AdvancedListAPIView):
     serializer_class = local_serializers.ProfileSerializer
     lookup_field = "username"
     filter_backends = [ProfileSearchFilter, filters.OrderingFilter]
-    operate_type = None
-
     relation_fields = ["departments", "leader", "login_set"]
 
     def get_object(self):
@@ -324,7 +322,7 @@ def _update(self, request, partial):
             operate_type = (
                 OperationType.FORGET_PASSWORD.value
                 if request.headers.get("User-From-Token")
-                else OperationType.RESET_PASSWORD.value
+                else OperationType.ADMIN_RESET_PASSWORD.value
             )
 
             pending_password = validated_data.get("password")

diff --git a/src/saas/bkuser_shell/apis/viewset.py b/src/saas/bkuser_shell/apis/viewset.py
@@ -73,7 +73,7 @@ def get_client_ip(request) -> Optional[str]:
 
         return ip
 
-    def _prepare_headers(self, request, force_action_id: str = "", no_auth: bool = False):
+    def _prepare_headers(self, request, force_action_id: str = "", no_auth: bool = False, user_from_token: bool = False):
         """构建通用 Headers"""
         headers = make_default_headers(request.user.username)
         ip = self.get_client_ip(request)
@@ -91,11 +91,18 @@ def _prepare_headers(self, request, force_action_id: str = "", no_auth: bool = F
                 }
             )
 
+        if user_from_token:
+            headers.update(
+                {
+                    'user-from-token': True
+                }
+            )
+
         return headers
 
-    def get_api_client_by_request(self, request, force_action_id: str = "", no_auth: bool = False):
+    def get_api_client_by_request(self, request, force_action_id: str = "", no_auth: bool = False, user_from_token: bool = False):
         """从 request 中获取 api client"""
-        return get_api_client(self._prepare_headers(request, force_action_id, no_auth))
+        return get_api_client(self._prepare_headers(request, force_action_id, no_auth, user_from_token))
 
     @staticmethod
     def get_paging_results(list_func: Callable, page_size: int = 50, **kwargs) -> list:

diff --git a/src/saas/bkuser_shell/audit/constants.py b/src/saas/bkuser_shell/audit/constants.py
@@ -32,12 +32,18 @@
     ("export", _("导出")),
     ("import", _("导入")),
     ("restoration", _("恢复")),
-    ("forget_password", _("忘记密码")),
-    ("reset_password", _("重置密码")),
-    ("modify_password", _("修改密码"))
+    ("forget_password", _("用户通过token重置密码")),
+    ("admin_reset_password", _("管理员重置密码")),
+    ("modify_password", _("用户通过旧密码修改"))
 
 )
 
+OPERATION_ABOUT_PASSWORD = (
+    "forget_password",  # 用户通过 token 重置密码
+    "admin_reset_password",   # 管理员重置密码
+    "modify_password"   # 用户通过旧密码修改
+)
+
 OPERATION_NAME_MAP = {x[0]: x[1] for x in OPERATION_NAME_TUPLE}
 OPERATION_VALUE_MAP = {x[1]: x[0] for x in OPERATION_NAME_TUPLE}
 

diff --git a/src/saas/bkuser_shell/audit/serializers.py b/src/saas/bkuser_shell/audit/serializers.py
@@ -14,7 +14,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-from .constants import LOGIN_FAILED_REASON_MAP, OPERATION_NAME_MAP, OPERATION_OBJ_NAME_MAP
+from .constants import LOGIN_FAILED_REASON_MAP, OPERATION_ABOUT_PASSWORD, OPERATION_NAME_MAP, OPERATION_OBJ_NAME_MAP
 
 PLACE_HOLDER = "--"
 
@@ -48,7 +48,7 @@ def to_representation(self, instance):
         extra_value = instance["extra_value"]
         categories = self.context.get("categories")
         instance["target_obj"] = f"{extra_value['display_name']}<{extra_value['key']}>"
-        instance["operation"] = (
+        instance["operation"] = f"{OPERATION_NAME_MAP[extra_value['operation']]}" if extra_value['operation'] in OPERATION_ABOUT_PASSWORD else(
             f"{OPERATION_NAME_MAP[extra_value['operation']]}" f"{OPERATION_OBJ_NAME_MAP[extra_value.get('obj_type')]}"
         )