jumpserver/apps/perms/api/user_permission.py

538 lines
19 KiB
Python
Raw Normal View History

2019-03-04 12:45:57 +00:00
# -*- coding: utf-8 -*-
#
2019-07-01 10:22:40 +00:00
import time
2019-07-01 13:48:25 +00:00
import traceback
import uuid
2019-03-05 11:47:14 +00:00
from hashlib import md5
from django.core.cache import cache
from django.conf import settings
from django.db.models import Q
2019-03-04 12:45:57 +00:00
from django.shortcuts import get_object_or_404
from rest_framework.views import APIView, Response
from rest_framework.generics import (
2019-07-02 04:08:25 +00:00
ListAPIView, get_object_or_404, RetrieveAPIView
2019-03-04 12:45:57 +00:00
)
from django.utils.translation import ugettext as _
2019-03-04 12:45:57 +00:00
from rest_framework.pagination import LimitOffsetPagination
from common.permissions import IsValidUser, IsOrgAdminOrAppUser
from common.tree import TreeNodeSerializer
from common.utils import get_logger, get_object_or_none
2019-03-04 12:45:57 +00:00
from ..utils import (
AssetPermissionUtil, ParserNode,
2019-03-04 12:45:57 +00:00
)
from .. import const
2019-07-01 13:48:25 +00:00
from ..hands import User, Asset, Node, SystemUser, NodeSerializer
from .. import serializers
2019-07-02 08:45:26 +00:00
from ..models import Action
2019-03-04 12:45:57 +00:00
2019-03-05 11:47:14 +00:00
logger = get_logger(__name__)
2019-03-04 12:45:57 +00:00
__all__ = [
'UserGrantedAssetsApi', 'UserGrantedNodesApi',
'UserGrantedNodesWithAssetsApi', 'UserGrantedNodeAssetsApi',
'ValidateUserAssetPermissionApi', 'UserGrantedNodesAsTreeApi',
'UserGrantedNodesWithAssetsAsTreeApi', 'GetUserAssetPermissionActionsApi',
2019-03-04 12:45:57 +00:00
]
2019-03-26 11:46:04 +00:00
class UserPermissionCacheMixin:
2019-03-04 12:45:57 +00:00
cache_policy = '0'
RESP_CACHE_KEY = '_PERMISSION_RESPONSE_CACHE_V2_{}'
2019-03-05 11:47:14 +00:00
CACHE_TIME = settings.ASSETS_PERM_CACHE_TIME
2019-03-26 11:46:04 +00:00
_object = None
2019-03-04 12:45:57 +00:00
2019-03-06 06:58:25 +00:00
def get_object(self):
2019-03-05 11:47:14 +00:00
return None
2019-03-26 11:46:04 +00:00
# 内部使用可控制缓存
def _get_object(self):
if not self._object:
self._object = self.get_object()
return self._object
2019-03-06 06:58:25 +00:00
2019-03-26 11:46:04 +00:00
def get_object_id(self):
obj = self._get_object()
if obj:
return str(obj.id)
return None
def get_request_md5(self):
path = self.request.path
query = {k: v for k, v in self.request.GET.items()}
query.pop("_", None)
query = "&".join(["{}={}".format(k, v) for k, v in query.items()])
full_path = "{}?{}".format(path, query)
2019-03-26 11:46:04 +00:00
return md5(full_path.encode()).hexdigest()
2019-03-06 06:58:25 +00:00
2019-03-26 11:46:04 +00:00
def get_meta_cache_id(self):
obj = self._get_object()
2019-03-05 11:47:14 +00:00
util = AssetPermissionUtil(obj, cache_policy=self.cache_policy)
2019-03-06 06:58:25 +00:00
meta_cache_id = util.cache_meta.get('id')
2019-03-26 11:46:04 +00:00
return meta_cache_id
def get_response_cache_id(self):
obj_id = self.get_object_id()
request_md5 = self.get_request_md5()
meta_cache_id = self.get_meta_cache_id()
resp_cache_id = '{}_{}_{}'.format(obj_id, request_md5, meta_cache_id)
return resp_cache_id
def get_response_from_cache(self):
2019-03-06 06:58:25 +00:00
# 没有数据缓冲
2019-03-26 11:46:04 +00:00
meta_cache_id = self.get_meta_cache_id()
2019-03-06 06:58:25 +00:00
if not meta_cache_id:
2019-07-01 13:48:25 +00:00
logger.debug("Not get meta id: {}".format(meta_cache_id))
2019-03-05 11:47:14 +00:00
return None
2019-03-26 11:46:04 +00:00
# 从响应缓冲里获取响应
2019-07-01 13:48:25 +00:00
key = self.get_response_key()
2019-03-05 11:47:14 +00:00
data = cache.get(key)
if not data:
2019-07-01 13:48:25 +00:00
logger.debug("Not get response from cache: {}".format(key))
2019-03-05 11:47:14 +00:00
return None
2019-03-26 11:46:04 +00:00
logger.debug("Get user permission from cache: {}".format(self.get_object()))
response = Response(data)
return response
2019-03-05 11:47:14 +00:00
2019-03-26 11:46:04 +00:00
def expire_response_cache(self):
obj_id = self.get_object_id()
expire_cache_id = '{}_{}'.format(obj_id, '*')
key = self.RESP_CACHE_KEY.format(expire_cache_id)
cache.delete_pattern(key)
2019-03-05 11:47:14 +00:00
2019-07-01 13:48:25 +00:00
def get_response_key(self):
2019-03-26 11:46:04 +00:00
resp_cache_id = self.get_response_cache_id()
key = self.RESP_CACHE_KEY.format(resp_cache_id)
2019-07-01 13:48:25 +00:00
return key
def set_response_to_cache(self, response):
key = self.get_response_key()
2019-03-05 11:47:14 +00:00
cache.set(key, response.data, self.CACHE_TIME)
2019-07-01 13:48:25 +00:00
logger.debug("Set response to cache: {}".format(key))
2019-03-04 12:45:57 +00:00
2019-03-26 11:46:04 +00:00
def get(self, request, *args, **kwargs):
self.cache_policy = request.GET.get('cache_policy', '0')
obj = self._get_object()
if obj is None:
2019-07-01 13:48:25 +00:00
logger.debug("Not get response from cache: obj is none")
2019-03-26 11:46:04 +00:00
return super().get(request, *args, **kwargs)
if AssetPermissionUtil.is_not_using_cache(self.cache_policy):
2019-07-01 13:48:25 +00:00
logger.debug("Not get resp from cache: {}".format(self.cache_policy))
2019-03-26 11:46:04 +00:00
return super().get(request, *args, **kwargs)
elif AssetPermissionUtil.is_refresh_cache(self.cache_policy):
2019-07-01 13:48:25 +00:00
logger.debug("Not get resp from cache: {}".format(self.cache_policy))
2019-03-26 11:46:04 +00:00
self.expire_response_cache()
2019-07-01 13:48:25 +00:00
logger.debug("Try get response from cache")
2019-03-26 11:46:04 +00:00
resp = self.get_response_from_cache()
if not resp:
resp = super().get(request, *args, **kwargs)
self.set_response_to_cache(resp)
return resp
2019-03-04 12:45:57 +00:00
2019-03-26 11:46:04 +00:00
class GrantAssetsMixin:
serializer_class = serializers.AssetGrantedSerializer
def get_serializer(self, queryset, many=True):
assets_ids = []
system_users_ids = set()
for asset in queryset:
assets_ids.append(asset["id"])
system_users_ids.update(set(asset["system_users"]))
assets = Asset.objects.filter(id__in=assets_ids).only(
*self.serializer_class.Meta.only_fields
)
assets_map = {asset.id: asset for asset in assets}
system_users = SystemUser.objects.filter(id__in=system_users_ids).only(
*self.serializer_class.system_users_only_fields
)
system_users_map = {s.id: s for s in system_users}
data = []
for item in queryset:
i = item["id"]
asset = assets_map.get(i)
if not asset:
continue
_system_users = item["system_users"]
system_users_granted = []
for sid, action in _system_users.items():
system_user = system_users_map.get(sid)
if not system_user:
continue
system_user.actions = action
system_users_granted.append(system_user)
asset.system_users_granted = system_users_granted
data.append(asset)
return super().get_serializer(data, many=True)
def search_queryset(self, assets):
search = self.request.query_params.get("search")
if not search:
return assets
assets_map = {asset['id']: asset for asset in assets}
assets_ids = set(assets_map.keys())
assets_ids_search = Asset.objects.filter(id__in=assets_ids).filter(
Q(hostname__icontains=search) | Q(ip__icontains=search)
).values_list('id', flat=True)
assets_ids &= set(assets_ids_search)
return [assets_map.get(asset_id) for asset_id in assets_ids]
class UserGrantedAssetsApi(UserPermissionCacheMixin, GrantAssetsMixin, ListAPIView):
2019-03-04 12:45:57 +00:00
"""
用户授权的所有资产
"""
permission_classes = (IsOrgAdminOrAppUser,)
pagination_class = LimitOffsetPagination
2019-03-05 11:47:14 +00:00
def get_object(self):
2019-03-04 12:45:57 +00:00
user_id = self.kwargs.get('pk', '')
if user_id:
user = get_object_or_404(User, id=user_id)
else:
user = self.request.user
2019-03-05 11:47:14 +00:00
return user
2019-03-04 12:45:57 +00:00
2019-03-05 11:47:14 +00:00
def get_queryset(self):
user = self.get_object()
2019-03-04 12:45:57 +00:00
util = AssetPermissionUtil(user, cache_policy=self.cache_policy)
queryset = util.get_assets()
queryset = self.search_queryset(queryset)
2019-03-04 12:45:57 +00:00
return queryset
def get_permissions(self):
if self.kwargs.get('pk') is None:
self.permission_classes = (IsValidUser,)
return super().get_permissions()
class NodesWithUngroupMixin:
util = None
@staticmethod
def get_ungrouped_node(ungroup_key):
return Node(key=ungroup_key, id=const.UNGROUPED_NODE_ID,
value=_("ungrouped"))
@staticmethod
def get_empty_node():
return Node(key=const.EMPTY_NODE_KEY, id=const.EMPTY_NODE_ID,
value=_("empty"))
def add_ungrouped_nodes(self, node_map, node_keys):
ungroup_key = '1:-1'
for key in node_keys:
if key.endswith('-1'):
ungroup_key = key
break
ungroup_node = self.get_ungrouped_node(ungroup_key)
empty_node = self.get_empty_node()
node_map[ungroup_key] = ungroup_node
node_map[const.EMPTY_NODE_KEY] = empty_node
class UserGrantedNodesApi(UserPermissionCacheMixin, NodesWithUngroupMixin, ListAPIView):
2019-03-04 12:45:57 +00:00
"""
2019-07-02 04:08:25 +00:00
查询用户授权的所有节点的API
2019-03-04 12:45:57 +00:00
"""
permission_classes = (IsOrgAdminOrAppUser,)
serializer_class = NodeSerializer
pagination_class = LimitOffsetPagination
only_fields = NodeSerializer.Meta.only_fields
2019-03-04 12:45:57 +00:00
2019-03-05 11:47:14 +00:00
def get_object(self):
2019-03-04 12:45:57 +00:00
user_id = self.kwargs.get('pk', '')
if user_id:
user = get_object_or_404(User, id=user_id)
else:
user = self.request.user
2019-03-05 11:47:14 +00:00
return user
def get_nodes(self, nodes_with_assets):
node_keys = [n["key"] for n in nodes_with_assets]
nodes = Node.objects.filter(key__in=node_keys).only(
*self.only_fields
)
nodes_map = {n.key: n for n in nodes}
self.add_ungrouped_nodes(nodes_map, node_keys)
_nodes = []
for n in nodes_with_assets:
key = n["key"]
node = nodes_map.get(key)
node._assets_amount = n["assets_amount"]
_nodes.append(node)
return _nodes
def get_serializer(self, nodes_with_assets, many=True):
nodes = self.get_nodes(nodes_with_assets)
return super().get_serializer(nodes, many=True)
2019-03-05 11:47:14 +00:00
def get_queryset(self):
user = self.get_object()
self.util = AssetPermissionUtil(user, cache_policy=self.cache_policy)
nodes_with_assets = self.util.get_nodes_with_assets()
return nodes_with_assets
2019-03-04 12:45:57 +00:00
def get_permissions(self):
if self.kwargs.get('pk') is None:
self.permission_classes = (IsValidUser,)
return super().get_permissions()
class UserGrantedNodesAsTreeApi(UserGrantedNodesApi):
serializer_class = TreeNodeSerializer
only_fields = ParserNode.nodes_only_fields
def get_serializer(self, nodes_with_assets, many=True):
nodes = self.get_nodes(nodes_with_assets)
queryset = []
for node in nodes:
data = ParserNode.parse_node_to_tree_node(node)
queryset.append(data)
return self.get_serializer_class()(queryset, many=many)
class UserGrantedNodesWithAssetsApi(UserPermissionCacheMixin, NodesWithUngroupMixin, ListAPIView):
2019-03-04 12:45:57 +00:00
"""
用户授权的节点并带着节点下资产的api
"""
permission_classes = (IsOrgAdminOrAppUser,)
serializer_class = serializers.NodeGrantedSerializer
pagination_class = LimitOffsetPagination
nodes_only_fields = serializers.NodeGrantedSerializer.Meta.only_fields
assets_only_fields = serializers.NodeGrantedSerializer.assets_only_fields
system_users_only_fields = serializers.NodeGrantedSerializer.system_users_only_fields
2019-03-04 12:45:57 +00:00
2019-03-05 11:47:14 +00:00
def get_object(self):
2019-03-04 12:45:57 +00:00
user_id = self.kwargs.get('pk', '')
if not user_id:
user = self.request.user
else:
user = get_object_or_404(User, id=user_id)
2019-03-05 11:47:14 +00:00
return user
2019-03-04 12:45:57 +00:00
def get_maps(self, nodes_items):
"""
查库并加入构造的ungrouped节点
:return:
({asset.id: asset}, {node.key: node}, {system_user.id: system_user})
"""
_nodes_keys = set()
_assets_ids = set()
_system_users_ids = set()
for item in nodes_items:
_nodes_keys.add(item["key"])
_assets_ids.update(set(item["assets"].keys()))
for _system_users_id in item["assets"].values():
_system_users_ids.update(_system_users_id.keys())
_nodes = Node.objects.filter(key__in=_nodes_keys).only(
*self.nodes_only_fields
)
_assets = Asset.objects.filter(id__in=_assets_ids).only(
*self.assets_only_fields
)
_system_users = SystemUser.objects.filter(id__in=_system_users_ids).only(
*self.system_users_only_fields
)
_nodes_map = {n.key: n for n in _nodes}
self.add_ungrouped_nodes(_nodes_map, _nodes_keys)
_assets_map = {a.id: a for a in _assets}
_system_users_map = {s.id: s for s in _system_users}
return _nodes_map, _assets_map, _system_users_map
def get_serializer_queryset(self, nodes_items):
"""
将id转为object同时构造queryset
:param nodes_items:
[
{
'key': node.key,
'assets_amount': 10
'assets': {
asset.id: {
system_user.id: actions,
},
},
},
]
"""
2019-03-05 11:47:14 +00:00
queryset = []
_node_map, _assets_map, _system_users_map = self.get_maps(nodes_items)
for item in nodes_items:
key = item["key"]
node = _node_map.get(key)
if not node:
continue
node._assets_amount = item["assets_amount"]
assets_granted = []
for asset_id, system_users_ids_action in item["assets"].items():
asset = _assets_map.get(asset_id)
if not asset:
continue
system_user_granted = []
for system_user_id, action in system_users_ids_action.items():
system_user = _system_users_map.get(system_user_id)
if not system_user:
continue
system_user.actions = action
system_user_granted.append(system_user)
asset.system_users_granted = system_user_granted
assets_granted.append(asset)
node.assets_granted = assets_granted
2019-03-04 12:45:57 +00:00
queryset.append(node)
return queryset
def get_serializer(self, nodes_items, many=True):
queryset = self.get_serializer_queryset(nodes_items)
return super().get_serializer(queryset, many=many)
def get_queryset(self):
user = self.get_object()
self.util = AssetPermissionUtil(user, cache_policy=self.cache_policy)
system_user_id = self.request.query_params.get('system_user')
if system_user_id:
self.util.filter_permissions(
system_users=system_user_id
)
nodes_items = self.util.get_nodes_with_assets()
return nodes_items
2019-03-04 12:45:57 +00:00
def get_permissions(self):
if self.kwargs.get('pk') is None:
self.permission_classes = (IsValidUser,)
return super().get_permissions()
class UserGrantedNodesWithAssetsAsTreeApi(UserGrantedNodesWithAssetsApi):
2019-03-04 12:45:57 +00:00
serializer_class = TreeNodeSerializer
permission_classes = (IsOrgAdminOrAppUser,)
system_user_id = None
nodes_only_fields = ParserNode.nodes_only_fields
assets_only_fields = ParserNode.assets_only_fields
system_users_only_fields = ParserNode.system_users_only_fields
2019-03-04 12:45:57 +00:00
def get_serializer(self, nodes_items, many=True):
_queryset = super().get_serializer_queryset(nodes_items)
2019-03-05 11:47:14 +00:00
queryset = []
for node in _queryset:
data = ParserNode.parse_node_to_tree_node(node)
2019-03-04 12:45:57 +00:00
queryset.append(data)
for asset in node.assets_granted:
system_users = asset.system_users_granted
data = ParserNode.parse_asset_to_tree_node(node, asset, system_users)
2019-03-04 12:45:57 +00:00
queryset.append(data)
queryset = sorted(queryset)
return self.serializer_class(queryset, many=True)
2019-03-04 12:45:57 +00:00
class UserGrantedNodeAssetsApi(UserPermissionCacheMixin, GrantAssetsMixin, ListAPIView):
2019-03-04 12:45:57 +00:00
"""
查询用户授权的节点下的资产的api, 与上面api不同的是只返回某个节点下的资产
"""
permission_classes = (IsOrgAdminOrAppUser,)
pagination_class = LimitOffsetPagination
2019-03-05 11:47:14 +00:00
def get_object(self):
2019-03-04 12:45:57 +00:00
user_id = self.kwargs.get('pk', '')
if user_id:
user = get_object_or_404(User, id=user_id)
else:
user = self.request.user
2019-03-05 11:47:14 +00:00
return user
def get_node_key(self):
2019-03-05 11:47:14 +00:00
node_id = self.kwargs.get('node_id')
2019-06-12 09:04:49 +00:00
if str(node_id) == const.UNGROUPED_NODE_ID:
key = self.util.tree.ungrouped_key
elif str(node_id) == const.EMPTY_NODE_ID:
key = const.EMPTY_NODE_KEY
2019-06-12 09:04:49 +00:00
else:
node = get_object_or_404(Node, id=node_id)
key = node.key
return key
2019-03-04 12:45:57 +00:00
def get_queryset(self):
user = self.get_object()
self.util = AssetPermissionUtil(user, cache_policy=self.cache_policy)
key = self.get_node_key()
nodes_items = self.util.get_nodes_with_assets()
assets_system_users = {}
for item in nodes_items:
if item["key"] == key:
assets_system_users = item["assets"]
break
assets = []
for asset_id, system_users in assets_system_users.items():
assets.append({"id": asset_id, "system_users": system_users})
assets = self.search_queryset(assets)
2019-03-04 12:45:57 +00:00
return assets
def get_permissions(self):
if self.kwargs.get('pk') is None:
self.permission_classes = (IsValidUser,)
return super().get_permissions()
2019-03-26 11:46:04 +00:00
class ValidateUserAssetPermissionApi(UserPermissionCacheMixin, APIView):
2019-03-04 12:45:57 +00:00
permission_classes = (IsOrgAdminOrAppUser,)
2019-03-05 11:47:14 +00:00
def get(self, request, *args, **kwargs):
2019-03-04 12:45:57 +00:00
user_id = request.query_params.get('user_id', '')
asset_id = request.query_params.get('asset_id', '')
system_id = request.query_params.get('system_user_id', '')
action_name = request.query_params.get('action_name', '')
cache_policy = self.request.query_params.get("cache_policy", '0')
2019-03-04 12:45:57 +00:00
try:
asset_id = uuid.UUID(asset_id)
system_id = uuid.UUID(system_id)
except ValueError:
2019-03-04 12:45:57 +00:00
return Response({'msg': False}, status=403)
user = get_object_or_404(User, id=user_id)
util = AssetPermissionUtil(user, cache_policy=cache_policy)
assets = util.get_assets()
for asset in assets:
if asset_id == asset["id"]:
action = asset["system_users"].get(system_id)
if action and action_name in Action.value_to_choices(action):
return Response({'msg': True}, status=200)
break
return Response({'msg': False}, status=403)
2019-07-02 02:51:48 +00:00
class GetUserAssetPermissionActionsApi(UserPermissionCacheMixin, RetrieveAPIView):
permission_classes = (IsOrgAdminOrAppUser,)
serializer_class = serializers.ActionsSerializer
2019-07-02 02:51:48 +00:00
def get_object(self):
user_id = self.request.query_params.get('user_id', '')
asset_id = self.request.query_params.get('asset_id', '')
system_id = self.request.query_params.get('system_user_id', '')
2019-03-04 12:45:57 +00:00
user = get_object_or_404(User, id=user_id)
asset = get_object_or_404(Asset, id=asset_id)
su = get_object_or_404(SystemUser, id=system_id)
util = AssetPermissionUtil(user, cache_policy=self.cache_policy)
granted_assets = util.get_assets()
2019-07-02 02:51:48 +00:00
granted_system_users = granted_assets.get(asset, {})
_object = {}
2019-07-02 02:51:48 +00:00
if su not in granted_system_users:
_object['actions'] = 0
else:
_object['actions'] = granted_system_users[su]
return _object