2023-07-24 03:52:25 +00:00
|
|
|
from django.utils.translation import gettext_noop
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
from .const import Scope, system_exclude_permissions, org_exclude_permissions
|
|
|
|
|
2022-04-20 10:50:53 +00:00
|
|
|
_view_root_perms = (
|
|
|
|
('orgs', 'organization', 'view', 'rootorg'),
|
|
|
|
)
|
2022-07-18 05:44:20 +00:00
|
|
|
_view_all_joined_org_perms = (
|
|
|
|
('orgs', 'organization', 'view', 'alljoinedorg'),
|
|
|
|
)
|
2022-04-20 10:50:53 +00:00
|
|
|
|
2022-02-17 12:13:31 +00:00
|
|
|
user_perms = (
|
2022-04-12 06:25:49 +00:00
|
|
|
('rbac', 'menupermission', 'view', 'workbench'),
|
2022-03-07 11:02:37 +00:00
|
|
|
('rbac', 'menupermission', 'view', 'webterminal'),
|
|
|
|
('rbac', 'menupermission', 'view', 'filemanager'),
|
|
|
|
('perms', 'permedasset', 'view,connect', 'myassets'),
|
|
|
|
('perms', 'permedapplication', 'view,connect', 'myapps'),
|
2022-03-04 02:16:21 +00:00
|
|
|
('assets', 'asset', 'match', 'asset'),
|
|
|
|
('assets', 'systemuser', 'match', 'systemuser'),
|
|
|
|
('assets', 'node', 'match', 'node'),
|
2023-02-27 09:13:54 +00:00
|
|
|
("ops", "adhoc", "*", "*"),
|
|
|
|
("ops", "playbook", "*", "*"),
|
|
|
|
("ops", "job", "*", "*"),
|
|
|
|
("ops", "jobexecution", "*", "*"),
|
2023-03-01 10:27:29 +00:00
|
|
|
("ops", "celerytaskexecution", "view", "*"),
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
|
|
|
|
2022-04-20 03:19:37 +00:00
|
|
|
system_user_perms = (
|
2023-07-13 08:00:24 +00:00
|
|
|
('authentication', 'connectiontoken', 'add,view,reuse,expire', 'connectiontoken'),
|
|
|
|
('authentication', 'temptoken', 'add,change,view', 'temptoken'),
|
|
|
|
('authentication', 'accesskey', '*', '*'),
|
2023-09-11 10:15:03 +00:00
|
|
|
('authentication', 'passkey', '*', '*'),
|
2023-07-13 08:00:24 +00:00
|
|
|
('tickets', 'ticket', 'view', 'ticket'),
|
|
|
|
)
|
|
|
|
system_user_perms += (user_perms + _view_all_joined_org_perms)
|
2022-04-20 03:19:37 +00:00
|
|
|
|
2022-04-20 10:50:53 +00:00
|
|
|
_auditor_perms = (
|
2022-03-10 10:55:53 +00:00
|
|
|
('rbac', 'menupermission', 'view', 'audit'),
|
|
|
|
('audits', '*', '*', '*'),
|
2023-02-17 11:58:43 +00:00
|
|
|
('audits', 'joblog', '*', '*'),
|
2022-03-10 10:55:53 +00:00
|
|
|
('terminal', 'commandstorage', 'view', 'commandstorage'),
|
|
|
|
('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
|
|
|
|
('terminal', 'session', '*', '*'),
|
|
|
|
('terminal', 'command', '*', '*'),
|
|
|
|
)
|
|
|
|
|
2022-04-20 10:50:53 +00:00
|
|
|
auditor_perms = user_perms + _auditor_perms
|
|
|
|
|
|
|
|
system_auditor_perms = system_user_perms + _auditor_perms + _view_root_perms
|
|
|
|
|
2022-02-17 12:13:31 +00:00
|
|
|
app_exclude_perms = [
|
|
|
|
('users', 'user', 'add,delete', 'user'),
|
|
|
|
('orgs', 'org', 'add,delete,change', 'org'),
|
|
|
|
('rbac', '*', '*', '*'),
|
|
|
|
]
|
|
|
|
|
|
|
|
need_check = [
|
|
|
|
*auditor_perms, *user_perms, *app_exclude_perms,
|
|
|
|
*system_exclude_permissions, *org_exclude_permissions
|
|
|
|
]
|
|
|
|
defines_errors = [d for d in need_check if len(d) != 4]
|
|
|
|
if len(defines_errors) != 0:
|
|
|
|
raise ValueError('Perms define error: {}'.format(defines_errors))
|
|
|
|
|
|
|
|
|
2022-02-18 08:25:54 +00:00
|
|
|
class PredefineRole:
|
2022-02-17 12:13:31 +00:00
|
|
|
id_prefix = '00000000-0000-0000-0000-00000000000'
|
|
|
|
|
|
|
|
def __init__(self, index, name, scope, perms, perms_type='include'):
|
|
|
|
self.id = self.id_prefix + index
|
|
|
|
self.name = name
|
|
|
|
self.scope = scope
|
|
|
|
self.perms = perms
|
|
|
|
self.perms_type = perms_type
|
|
|
|
|
|
|
|
def get_role(self):
|
|
|
|
from rbac.models import Role
|
|
|
|
return Role.objects.get(id=self.id)
|
|
|
|
|
2022-04-02 07:51:23 +00:00
|
|
|
@property
|
|
|
|
def default_perms(self):
|
2022-02-17 12:13:31 +00:00
|
|
|
from rbac.models import Permission
|
|
|
|
q = Permission.get_define_permissions_q(self.perms)
|
|
|
|
permissions = Permission.get_permissions(self.scope)
|
|
|
|
|
|
|
|
if not q:
|
|
|
|
permissions = permissions.none()
|
|
|
|
elif self.perms_type == 'include':
|
|
|
|
permissions = permissions.filter(q)
|
|
|
|
else:
|
|
|
|
permissions = permissions.exclude(q)
|
|
|
|
|
|
|
|
perms = permissions.values_list('id', flat=True)
|
2022-04-02 07:51:23 +00:00
|
|
|
return perms
|
|
|
|
|
|
|
|
def _get_defaults(self):
|
|
|
|
perms = self.default_perms
|
2022-02-17 12:13:31 +00:00
|
|
|
defaults = {
|
|
|
|
'id': self.id, 'name': self.name, 'scope': self.scope,
|
2022-04-12 07:19:59 +00:00
|
|
|
'builtin': True, 'permissions': perms, 'created_by': 'System',
|
2022-02-17 12:13:31 +00:00
|
|
|
}
|
|
|
|
return defaults
|
|
|
|
|
2022-02-21 08:24:03 +00:00
|
|
|
def update_or_create_role(self):
|
2022-02-17 12:13:31 +00:00
|
|
|
from rbac.models import Role
|
2022-02-18 08:25:54 +00:00
|
|
|
defaults = self._get_defaults()
|
2022-02-17 12:13:31 +00:00
|
|
|
permissions = defaults.pop('permissions', [])
|
2022-02-21 08:24:03 +00:00
|
|
|
role, created = Role.objects.update_or_create(defaults, id=self.id)
|
2022-02-17 12:13:31 +00:00
|
|
|
role.permissions.set(permissions)
|
|
|
|
return role, created
|
|
|
|
|
|
|
|
|
|
|
|
class BuiltinRole:
|
2022-02-18 08:25:54 +00:00
|
|
|
system_admin = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'1', gettext_noop('SystemAdmin'), Scope.system, []
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
system_auditor = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'2', gettext_noop('SystemAuditor'), Scope.system, system_auditor_perms
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
system_component = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'4', gettext_noop('SystemComponent'), Scope.system, app_exclude_perms, 'exclude'
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
system_user = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'3', gettext_noop('User'), Scope.system, system_user_perms
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
org_admin = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'5', gettext_noop('OrgAdmin'), Scope.org, []
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
org_auditor = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'6', gettext_noop('OrgAuditor'), Scope.org, auditor_perms
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-02-18 08:25:54 +00:00
|
|
|
org_user = PredefineRole(
|
2023-07-24 03:52:25 +00:00
|
|
|
'7', gettext_noop('OrgUser'), Scope.org, user_perms
|
2022-02-17 12:13:31 +00:00
|
|
|
)
|
2022-06-13 06:22:07 +00:00
|
|
|
system_role_mapper = None
|
|
|
|
org_role_mapper = None
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def get_roles(cls):
|
|
|
|
roles = {
|
|
|
|
k: v
|
|
|
|
for k, v in cls.__dict__.items()
|
2022-02-18 08:25:54 +00:00
|
|
|
if isinstance(v, PredefineRole)
|
2022-02-17 12:13:31 +00:00
|
|
|
}
|
|
|
|
return roles
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def get_system_role_by_old_name(cls, name):
|
2022-06-13 06:22:07 +00:00
|
|
|
if not cls.system_role_mapper:
|
|
|
|
cls.system_role_mapper = {
|
|
|
|
'App': cls.system_component.get_role(),
|
|
|
|
'Admin': cls.system_admin.get_role(),
|
|
|
|
'User': cls.system_user.get_role(),
|
|
|
|
'Auditor': cls.system_auditor.get_role()
|
|
|
|
}
|
2023-06-20 07:30:58 +00:00
|
|
|
return cls.system_role_mapper.get(name, cls.system_role_mapper['User'])
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def get_org_role_by_old_name(cls, name):
|
2022-06-13 06:22:07 +00:00
|
|
|
if not cls.org_role_mapper:
|
|
|
|
cls.org_role_mapper = {
|
|
|
|
'Admin': cls.org_admin.get_role(),
|
|
|
|
'User': cls.org_user.get_role(),
|
|
|
|
'Auditor': cls.org_auditor.get_role(),
|
|
|
|
}
|
2023-06-20 07:30:58 +00:00
|
|
|
return cls.org_role_mapper.get(name, cls.org_role_mapper['User'])
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
@classmethod
|
2022-02-21 08:24:03 +00:00
|
|
|
def sync_to_db(cls, show_msg=False):
|
2022-02-17 12:13:31 +00:00
|
|
|
roles = cls.get_roles()
|
2022-10-22 03:17:02 +00:00
|
|
|
print(" - Update builtin roles")
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
for pre_role in roles.values():
|
2022-02-21 08:24:03 +00:00
|
|
|
role, created = pre_role.update_or_create_role()
|
|
|
|
if show_msg:
|
2022-09-23 10:59:19 +00:00
|
|
|
print(" - Update: {} - {}".format(role.name, created))
|