feat: audit for password modification TencentBlueKing#289

Canway-shiisa · Mar 18, 2022 · c54f471 · c54f471
1 parent 2d74040
commit c54f471
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 9 deletions.
diff --git a/src/api/bkuser_core/audit/utils.py b/src/api/bkuser_core/audit/utils.py
@@ -134,9 +134,6 @@ def _catch_exc(self, request, *args, **kwargs):
                 if operate_type == OperationType.UPDATE.value:
                     _params["operator_obj"] = self.get_object()
 
-                if getattr(self, "operate_type", None):
-                    _params["operate_type"] = self.operate_type
-
                 create_general_log(**_params)
                 return _result
 

diff --git a/src/api/bkuser_core/profiles/v2/views.py b/src/api/bkuser_core/profiles/v2/views.py
@@ -23,7 +23,7 @@
 )
 from bkuser_core.apis.v2.viewset import AdvancedBatchOperateViewSet, AdvancedListAPIView, AdvancedModelViewSet
 from bkuser_core.audit.constants import LogInFailReason, OperationType
-from bkuser_core.audit.utils import audit_general_log, create_profile_log
+from bkuser_core.audit.utils import audit_general_log, create_general_log, create_profile_log
 from bkuser_core.categories.constants import CategoryType
 from bkuser_core.categories.loader import get_plugin_by_category
 from bkuser_core.categories.models import ProfileCategory
@@ -288,13 +288,13 @@ def create(self, request, *args, **kwargs):
         )
         return Response(self.serializer_class(instance).data, status=status.HTTP_201_CREATED)
 
-    @audit_general_log(OperationType.UPDATE.value)
     @method_decorator(clear_cache_if_succeed)
     def _update(self, request, partial):
         instance = self.get_object()
         serializer = local_serializers.UpdateProfileSerializer(instance, data=request.data, partial=partial)
         serializer.is_valid(raise_exception=True)
         validated_data = serializer.validated_data
+        operate_type = OperationType.UPDATE.value
 
         # 只允许本地目录修改
         if not ProfileCategory.objects.check_writable(instance.category_id):
@@ -321,7 +321,12 @@ def _update(self, request, partial):
         update_summary = {"request": request}
         # 密码修改加密
         if validated_data.get("password"):
-            self.operate_type = OperationType.RESET_PASSWORD.value
+            operate_type = (
+                OperationType.FORGET_PASSWORD.value
+                if request.headers.get("User-From-Token")
+                else OperationType.RESET_PASSWORD.value
+            )
+
             pending_password = validated_data.get("password")
             config_loader = ConfigProvider(category_id=instance.category_id)
             try:
@@ -364,6 +369,13 @@ def _update(self, request, partial):
             operator=request.operator,
             extra_values=update_summary,
         )
+
+        create_general_log(
+            operator=request.operator,
+            operate_type=operate_type,
+            operator_obj=instance,
+            request=request,
+        )
         return Response(self.serializer_class(instance).data)
 
     @swagger_auto_schema(
@@ -443,7 +455,6 @@ def modify_password(self, request, *args, **kwargs):
         )
         return Response(data=local_serializers.ProfileMinimalSerializer(instance).data)
 
-    @audit_general_log(OperationType.FORGET_PASSWORD.value)
     @swagger_auto_schema(
         query_serializer=AdvancedRetrieveSerialzier(),
         request_body=EmptySerializer,

diff --git a/src/saas/bkuser_shell/password/views.py b/src/saas/bkuser_shell/password/views.py
@@ -61,7 +61,9 @@ def reset_by_token(self, request, validated_data):
         body = {"password": password}
 
         # 调用后台接口重置密码
-        profiles_api_instance.v2_profiles_partial_update(lookup_value=profile.id, body=body, lookup_field="id")
+        profiles_api_instance.v2_profiles_partial_update(
+            lookup_value=profile.id, body=body, lookup_field="id", user_from_token=True
+        )
 
         return Response(data={})
 

diff --git a/src/sdk/bkuser_sdk/api/profiles_api.py b/src/sdk/bkuser_sdk/api/profiles_api.py
@@ -911,11 +911,12 @@ def v2_profiles_partial_update_with_http_info(self, body, lookup_value, **kwargs
                  returns the request thread.
         """
 
-        all_params = ['body', 'lookup_value', 'fields', 'lookup_field', 'include_disabled']  # noqa: E501
+        all_params = ['body', 'lookup_value', 'fields', 'lookup_field', 'include_disabled', 'user_from_token']  # noqa: E501
         all_params.append('async_req')
         all_params.append('_return_http_data_only')
         all_params.append('_preload_content')
         all_params.append('_request_timeout')
+        all_params.append('user_from_token')
 
         params = locals()
         for key, val in six.iteritems(params['kwargs']):
@@ -965,6 +966,10 @@ def v2_profiles_partial_update_with_http_info(self, body, lookup_value, **kwargs
         header_params['Content-Type'] = self.api_client.select_header_content_type(  # noqa: E501
             ['application/json'])  # noqa: E501
 
+        if 'user_from_token' in params:
+            header_params['user-from-token'] = params["user_from_token"]
+
+
         # Authentication setting
         auth_settings = []  # noqa: E501