jumpserver/jperm/perm_api.py

328 lines
12 KiB
Python
Raw Normal View History

2015-10-04 13:50:29 +00:00
# coding: utf-8
from django.db.models.query import QuerySet
2015-10-04 13:50:29 +00:00
from jumpserver.api import *
import uuid
import re
2015-10-05 15:48:03 +00:00
from jumpserver.models import Setting
2015-11-30 11:06:25 +00:00
from jperm.models import PermRole, PermPush, PermRule
2015-10-04 13:50:29 +00:00
2015-11-21 03:53:36 +00:00
def get_group_user_perm(ob):
2015-11-20 16:42:54 +00:00
"""
2015-11-21 06:45:20 +00:00
ob为用户或用户组
2015-11-21 04:41:17 +00:00
获取用户用户组授权的资产资产组
2015-11-20 16:42:54 +00:00
return:
{asset_group': {
2015-11-21 03:53:36 +00:00
asset_group1: {'asset': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
asset_group2: {'asset: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
2015-11-20 16:42:54 +00:00
}
'asset':{
asset1: {'role': [role1, role2], 'rule': [rule1, rule2]},
asset2: {'role': [role1, role2], 'rule': [rule1, rule2]},
}
]},
'rule':[rule1, rule2,]
2015-11-27 04:20:08 +00:00
'role': {role1: {'asset': []}, 'asset_group': []}, role2: {}},
2015-11-20 16:42:54 +00:00
}
"""
perm = {}
2015-11-21 03:53:36 +00:00
if isinstance(ob, User):
rule_all = PermRule.objects.filter(user=ob)
elif isinstance(ob, UserGroup):
rule_all = PermRule.objects.filter(user_group=ob)
else:
rule_all = []
perm['rule'] = rule_all
2015-11-20 16:42:54 +00:00
perm_asset_group = perm['asset_group'] = {}
perm_asset = perm['asset'] = {}
2015-11-27 04:20:08 +00:00
perm_role = perm['role'] = {}
2015-11-21 03:53:36 +00:00
for rule in rule_all:
2015-11-20 16:42:54 +00:00
asset_groups = rule.asset_group.all()
assets = rule.asset.all()
2015-11-27 04:20:08 +00:00
perm_roles = rule.role.all()
# 获取一个规则授权的角色和对应主机
for role in perm_roles:
if perm_role.get('role'):
perm_role[role]['asset'] = perm_role[role].get('asset', set()).union(set(assets))
perm_role[role]['asset_group'] = perm_role[role].get('asset_group', set()).union(set(asset_groups))
else:
perm_role[role] = {'asset': set(assets), 'asset_group': set(asset_groups)}
2015-11-20 16:42:54 +00:00
2015-11-21 03:53:36 +00:00
# 获取一个规则用户授权的资产
2015-11-20 16:42:54 +00:00
for asset in assets:
if perm_asset.get(asset):
2015-11-21 03:53:36 +00:00
perm_asset[asset].get('role', set()).update(set(rule.role.all()))
perm_asset[asset].get('rule', set()).add(rule)
2015-11-20 16:42:54 +00:00
else:
2015-11-21 03:53:36 +00:00
perm_asset[asset] = {'role': set(rule.role.all()), 'rule': set([rule])}
2015-11-20 16:42:54 +00:00
2015-11-21 03:53:36 +00:00
# 获取一个规则用户授权的资产组
for asset_group in asset_groups:
asset_group_assets = asset_group.asset_set.all()
if perm_asset_group.get(asset_group):
perm_asset_group[asset_group].get('role', set()).update(set(rule.role.all()))
perm_asset_group[asset_group].get('rule', set()).add(rule)
else:
perm_asset_group[asset_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
'asset': asset_group_assets}
# 将资产组中的资产添加到资产授权中
for asset in asset_group_assets:
if perm_asset.get(asset):
perm_asset[asset].get('role', set()).update(perm_asset_group[asset_group].get('role', set()))
perm_asset[asset].get('rule', set()).update(perm_asset_group[asset_group].get('rule', set()))
else:
perm_asset[asset] = {'role': perm_asset_group[asset_group].get('role', set()),
'rule': perm_asset_group[asset_group].get('rule', set())}
2015-11-20 16:42:54 +00:00
return perm
2015-11-21 04:41:17 +00:00
def get_group_asset_perm(ob):
"""
2015-11-21 06:45:20 +00:00
ob为资产或资产组
2015-11-21 04:41:17 +00:00
获取资产资产组授权的用户用户组
return:
{user_group': {
user_group1: {'user': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
user_group2: {'user: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
}
'user':{
user1: {'role': [role1, role2], 'rule': [rule1, rule2]},
user2: {'role': [role1, role2], 'rule': [rule1, rule2]},
}
]},
2015-11-27 04:20:08 +00:00
'rule':[rule1, rule2,],
2015-11-21 04:41:17 +00:00
}
"""
perm = {}
if isinstance(ob, Asset):
rule_all = PermRule.objects.filter(asset=ob)
elif isinstance(ob, AssetGroup):
rule_all = PermRule.objects.filter(asset_group=ob)
else:
rule_all = []
perm['rule'] = rule_all
perm_user_group = perm['user_group'] = {}
perm_user = perm['user'] = {}
for rule in rule_all:
user_groups = rule.user_group.all()
users = rule.user.all()
# 获取一个规则资产的用户
for user in users:
if perm_user.get(user):
perm_user[user].get('role', set()).update(set(rule.role.all()))
perm_user[user].get('rule', set()).add(rule)
else:
perm_user[user] = {'role': set(rule.role.all()), 'rule': set([rule])}
# 获取一个规则资产授权的用户组
for user_group in user_groups:
user_group_users = user_group.user_set.all()
if perm_user_group.get(user_group):
perm_user_group[user_group].get('role', set()).update(set(rule.role.all()))
perm_user_group[user_group].get('rule', set()).add(rule)
else:
perm_user_group[user_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
'user': user_group_users}
# 将用户组中的资产添加到用户授权中
for user in user_group_users:
if perm_user.get(user):
perm_user[user].get('role', set()).update(perm_user_group[user_group].get('role', set()))
perm_user[user].get('rule', set()).update(perm_user_group[user_group].get('rule', set()))
else:
perm_user[user] = {'role': perm_user_group[user_group].get('role', set()),
'rule': perm_user_group[user_group].get('rule', set())}
return perm
2015-11-23 07:34:28 +00:00
def user_have_perm(user, asset):
user_perm_all = get_group_user_perm(user)
user_assets = user_perm_all.get('asset').keys()
if asset in user_assets:
return user_perm_all.get('asset').get(asset).get('role')
else:
2015-11-24 03:58:42 +00:00
return []
2015-11-23 07:34:28 +00:00
2015-11-27 05:24:57 +00:00
def gen_resource(ob, perm=None):
"""
2015-11-27 05:24:57 +00:00
ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []}则获取用户在这些资产上的信息
生成MyInventory需要的 resource文件
"""
res = []
2015-11-27 05:24:57 +00:00
if isinstance(ob, dict):
role = ob.get('role')
asset_r = ob.get('asset')
user = ob.get('user')
2015-11-22 09:56:38 +00:00
if not perm:
2015-11-27 05:24:57 +00:00
perm = get_group_user_perm(user)
2015-11-27 04:20:08 +00:00
2015-12-01 11:23:35 +00:00
if role:
roles = perm.get('role', {}).keys() # 获取用户所有授权角色
if role not in roles:
return {}
role_assets_all = perm.get('role').get(role).get('asset') # 获取用户该角色所有授权主机
assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机
for asset in assets:
asset_info = get_asset_info(asset)
info = {'hostname': asset.hostname,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'username': role.name,
'password': CRYPTOR.decrypt(role.password),
'ssh_key': get_role_key(user, role)
}
res.append(info)
else:
for asset, asset_info in perm.get('asset').items():
if asset not in asset_r:
continue
asset_info = get_asset_info(asset)
try:
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
info = {'hostname': asset.hostname,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'username': role.name,
'password': CRYPTOR.decrypt(role.password),
'ssh_key': get_role_key(user, role)
}
res.append(info)
2015-11-27 04:20:08 +00:00
2015-11-22 09:56:38 +00:00
elif isinstance(ob, User):
2015-11-21 11:20:11 +00:00
if not perm:
perm = get_group_user_perm(ob)
for asset, asset_info in perm.get('asset').items():
2015-11-21 11:20:11 +00:00
asset_info = get_asset_info(asset)
info = {'hostname': asset.hostname, 'ip': asset.ip, 'port': asset_info.get('port', 22)}
try:
2015-11-21 11:20:11 +00:00
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
info['username'] = role.name
2015-11-26 13:01:39 +00:00
info['password'] = CRYPTOR.decrypt(role.password)
2015-11-21 11:20:11 +00:00
info['ssh_key'] = get_role_key(ob, role)
res.append(info)
elif isinstance(ob, (list, QuerySet)):
for asset in ob:
2015-11-21 11:20:11 +00:00
info = get_asset_info(asset)
res.append(info)
2015-12-03 08:53:39 +00:00
logger.debug('生成res: %s' % res)
return res
2015-10-04 13:50:29 +00:00
def get_object_list(model, id_list):
2015-10-06 10:51:49 +00:00
"""根据id列表获取对象列表"""
2015-10-04 13:50:29 +00:00
object_list = []
for object_id in id_list:
if object_id:
object_list.extend(model.objects.filter(id=int(object_id)))
return object_list
def get_role_info(role_id, type="all"):
"""
获取role对应的一些信息
:return: 返回值 均为对象列表
"""
# 获取role对应的授权规则
role_obj = PermRole.objects.get(id=role_id)
rules_obj = role_obj.perm_rule.all()
# 获取role 对应的用户 和 用户组
# 获取role 对应的主机 和主机组
users_obj = []
assets_obj = []
user_groups_obj = []
group_users_obj = []
asset_groups_obj = []
group_assets_obj = []
for rule in rules_obj:
for user in rule.user.all():
users_obj.append(user)
for asset in rule.asset.all():
assets_obj.append(asset)
for user_group in rule.user_group.all():
user_groups_obj.append(user_group)
for user in user_group.user_set.all():
group_users_obj.append(user)
for asset_group in rule.asset_group.all():
asset_groups_obj.append(asset_group)
for asset in asset_group.asset_set.all():
group_assets_obj.append(asset)
calc_users = set(users_obj) | set(group_users_obj)
calc_assets = set(assets_obj) | set(group_assets_obj)
if type == "all":
return {"rules": rules_obj,
"users": list(calc_users),
"user_groups": user_groups_obj,
"assets": list(calc_assets),
"asset_groups": asset_groups_obj,
}
elif type == "rule":
return rules_obj
elif type == "user":
return calc_users
elif type == "user_group":
return user_groups_obj
elif type == "asset":
return calc_assets
elif type == "asset_group":
return asset_groups_obj
else:
return u"不支持的查询"
2015-10-19 15:40:16 +00:00
2015-11-30 11:06:25 +00:00
def get_role_push_host(role):
"""
2015-11-30 11:06:25 +00:00
asset_pushed: {'success': push.success, 'key': push.is_public_key, 'password': push.is_password,
'result': push.result}
asset_no_push: set(asset1, asset2)
"""
# 计算该role 所有push记录 总共推送的主机
2015-11-30 11:06:25 +00:00
pushs = PermPush.objects.filter(role=role)
asset_all = Asset.objects.all()
asset_pushed = {}
for push in pushs:
2015-12-03 08:53:39 +00:00
print push.result
2015-11-30 11:06:25 +00:00
asset_pushed[push.asset] = {'success': push.success, 'key': push.is_public_key, 'password': push.is_password,
'result': push.result}
asset_no_push = set(asset_all) - set(asset_pushed.keys())
2015-12-03 08:53:39 +00:00
print asset_no_push, asset_pushed
2015-11-30 11:06:25 +00:00
return asset_pushed, asset_no_push
2015-12-02 15:50:20 +00:00
@require_role('user')
def perm_role_get(request):
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
return HttpResponse(','.join([i.name for i in role]))
else:
roles = get_group_user_perm(request.user).get('role').keys()
return HttpResponse(','.join(i.name for i in roles))
return HttpResponse('error')
if __name__ == "__main__":
print get_role_info(1)
2015-10-19 15:40:16 +00:00
2015-10-06 15:47:53 +00:00