2016-12-20 16:43:52 +00:00
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
import logging
2017-03-06 13:05:00 +00:00
from django . db import models
from django . utils . translation import ugettext_lazy as _
2018-10-16 08:47:47 +00:00
from django . core . validators import MinValueValidator , MaxValueValidator
2021-05-31 07:01:14 +00:00
from django . core . cache import cache
2016-12-20 16:43:52 +00:00
2021-05-31 07:01:14 +00:00
from common . utils import signer , get_object_or_none
2022-04-07 10:51:35 +00:00
from assets . const import Protocol
2020-03-12 08:24:38 +00:00
from . base import BaseUser
2019-07-26 08:16:06 +00:00
from . asset import Asset
2021-07-08 06:23:18 +00:00
from . authbook import AuthBook
2016-12-20 16:43:52 +00:00
2018-12-18 09:28:45 +00:00
__all__ = [ ' AdminUser ' , ' SystemUser ' ]
2017-12-11 09:08:43 +00:00
logger = logging . getLogger ( __name__ )
2016-12-20 16:43:52 +00:00
2021-07-08 06:23:18 +00:00
class ProtocolMixin :
protocol : str
2022-04-07 10:51:35 +00:00
Protocol = Protocol
2017-12-07 08:25:50 +00:00
2021-07-08 06:23:18 +00:00
SUPPORT_PUSH_PROTOCOLS = [ Protocol . ssh , Protocol . rdp ]
2021-03-17 02:24:12 +00:00
2020-12-29 16:19:59 +00:00
ASSET_CATEGORY_PROTOCOLS = [
2021-07-08 06:23:18 +00:00
Protocol . ssh , Protocol . rdp , Protocol . telnet , Protocol . vnc
2020-12-29 16:19:59 +00:00
]
APPLICATION_CATEGORY_REMOTE_APP_PROTOCOLS = [
2021-07-08 06:23:18 +00:00
Protocol . rdp
2020-12-29 16:19:59 +00:00
]
APPLICATION_CATEGORY_DB_PROTOCOLS = [
2022-02-22 02:09:48 +00:00
Protocol . mysql , Protocol . mariadb , Protocol . oracle ,
Protocol . postgresql , Protocol . sqlserver ,
Protocol . redis , Protocol . mongodb
2020-12-29 16:19:59 +00:00
]
APPLICATION_CATEGORY_CLOUD_PROTOCOLS = [
2021-07-08 06:23:18 +00:00
Protocol . k8s
2020-12-29 16:19:59 +00:00
]
APPLICATION_CATEGORY_PROTOCOLS = [
* APPLICATION_CATEGORY_REMOTE_APP_PROTOCOLS ,
* APPLICATION_CATEGORY_DB_PROTOCOLS ,
* APPLICATION_CATEGORY_CLOUD_PROTOCOLS
]
2017-12-29 15:53:45 +00:00
2021-03-17 02:24:12 +00:00
@property
def is_protocol_support_push ( self ) :
return self . protocol in self . SUPPORT_PUSH_PROTOCOLS
2021-07-08 06:23:18 +00:00
@classmethod
def get_protocol_by_application_type ( cls , app_type ) :
2021-07-27 08:06:00 +00:00
from applications . const import AppType
2021-07-08 06:23:18 +00:00
if app_type in cls . APPLICATION_CATEGORY_PROTOCOLS :
protocol = app_type
2021-07-27 08:06:00 +00:00
elif app_type in AppType . remote_app_types ( ) :
2021-07-08 06:23:18 +00:00
protocol = cls . Protocol . rdp
else :
protocol = None
return protocol
2020-11-13 12:03:57 +00:00
2019-12-19 07:28:17 +00:00
@property
def can_perm_to_asset ( self ) :
2020-12-29 16:19:59 +00:00
return self . protocol in self . ASSET_CATEGORY_PROTOCOLS
2019-12-19 07:28:17 +00:00
2021-09-09 08:04:54 +00:00
@property
def is_asset_protocol ( self ) :
return self . protocol in self . ASSET_CATEGORY_PROTOCOLS
2021-07-08 06:23:18 +00:00
class AuthMixin :
username_same_with_user : bool
protocol : str
ASSET_CATEGORY_PROTOCOLS : list
login_mode : str
LOGIN_MANUAL : str
id : str
username : str
password : str
private_key : str
public_key : str
2020-03-16 08:13:54 +00:00
2021-05-31 07:01:14 +00:00
def set_temp_auth ( self , asset_or_app_id , user_id , auth , ttl = 300 ) :
if not auth :
raise ValueError ( ' Auth not set ' )
key = ' TEMP_PASSWORD_ {} _ {} _ {} ' . format ( self . id , asset_or_app_id , user_id )
logger . debug ( f ' Set system user temp auth: { key } ' )
cache . set ( key , auth , ttl )
def get_temp_auth ( self , asset_or_app_id , user_id ) :
key = ' TEMP_PASSWORD_ {} _ {} _ {} ' . format ( self . id , asset_or_app_id , user_id )
logger . debug ( f ' Get system user temp auth: { key } ' )
password = cache . get ( key )
return password
2021-10-22 06:27:54 +00:00
def _clean_auth_info_if_manual_login_mode ( self ) :
if self . login_mode == self . LOGIN_MANUAL :
self . password = ' '
self . private_key = ' '
self . public_key = ' '
2021-07-08 06:23:18 +00:00
2021-10-22 06:27:54 +00:00
def _load_tmp_auth_if_has ( self , asset_or_app_id , user_id ) :
2021-05-31 07:01:14 +00:00
if self . login_mode != self . LOGIN_MANUAL :
2021-07-08 06:23:18 +00:00
return
2021-05-31 07:01:14 +00:00
2021-10-22 06:27:54 +00:00
if not asset_or_app_id or not user_id :
return
auth = self . get_temp_auth ( asset_or_app_id , user_id )
2021-05-31 07:01:14 +00:00
if not auth :
return
2021-10-22 06:27:54 +00:00
2021-05-31 07:01:14 +00:00
username = auth . get ( ' username ' )
password = auth . get ( ' password ' )
if username :
self . username = username
if password :
self . password = password
2021-12-14 11:00:28 +00:00
def load_app_more_auth ( self , app_id = None , username = None , user_id = None ) :
2022-03-22 10:42:11 +00:00
from applications . models import Application
app = get_object_or_none ( Application , pk = app_id )
if app and app . category_remote_app :
# Remote app
self . _load_remoteapp_more_auth ( app , username , user_id )
return
# Other app
2021-10-22 06:27:54 +00:00
self . _clean_auth_info_if_manual_login_mode ( )
# 加载临时认证信息
2021-05-31 07:01:14 +00:00
if self . login_mode == self . LOGIN_MANUAL :
2021-10-22 06:27:54 +00:00
self . _load_tmp_auth_if_has ( app_id , user_id )
2021-05-31 07:01:14 +00:00
return
2021-12-14 11:00:28 +00:00
# 更新用户名
from users . models import User
user = get_object_or_none ( User , pk = user_id ) if user_id else None
if self . username_same_with_user :
if user and not username :
_username = user . username
else :
_username = username
self . username = _username
2021-05-31 07:01:14 +00:00
2022-03-22 10:42:11 +00:00
def _load_remoteapp_more_auth ( self , app , username , user_id ) :
asset = app . get_remote_app_asset ( raise_exception = False )
if asset :
self . load_asset_more_auth ( asset_id = asset . id , username = username , user_id = user_id )
2021-07-08 06:23:18 +00:00
def load_asset_special_auth ( self , asset , username = ' ' ) :
"""
2022-01-26 08:45:41 +00:00
AuthBook 的数据状态
| asset | systemuser | username |
1 | * | * | x |
2 | * | x | * |
当前 AuthBook 只有以上两种状态 , systemuser 与 username 不会并存 。
正常的资产与系统用户关联产生的是第1种状态 , 改密则产生第2种状态 。 改密之后
只有 username 而没有 systemuser 。
Freq : 关联同一资产的多个系统用户指定同一用户名时 , 修改用户密码会影响所有系统用户
这里有一个不对称的行为 , 同名系统用户密码覆盖
当有相同 username 的多个系统用户时 , 有改密动作之后 , 所有的同名系统用户都使用最后
一次改动 , 但如果没有发生过改密 , 同名系统用户使用的密码还是各自的 。
2021-07-08 06:23:18 +00:00
"""
2022-01-26 08:45:41 +00:00
if username == ' ' :
username = self . username
authbook = AuthBook . objects . filter (
asset = asset , username = username , systemuser__isnull = True
) . order_by ( ' -date_created ' ) . first ( )
if not authbook :
authbook = AuthBook . objects . filter (
asset = asset , systemuser = self
) . order_by ( ' -date_created ' ) . first ( )
if not authbook :
2021-07-08 06:23:18 +00:00
return None
2022-01-26 08:45:41 +00:00
2021-07-15 11:11:53 +00:00
authbook . load_auth ( )
2021-07-08 06:23:18 +00:00
self . password = authbook . password
self . private_key = authbook . private_key
self . public_key = authbook . public_key
2021-05-31 07:01:14 +00:00
def load_asset_more_auth ( self , asset_id = None , username = None , user_id = None ) :
from users . models import User
2021-10-22 06:27:54 +00:00
self . _clean_auth_info_if_manual_login_mode ( )
# 加载临时认证信息
2021-05-31 07:01:14 +00:00
if self . login_mode == self . LOGIN_MANUAL :
2021-10-22 06:27:54 +00:00
self . _load_tmp_auth_if_has ( asset_id , user_id )
2021-05-31 07:01:14 +00:00
return
2021-10-22 06:27:54 +00:00
# 更新用户名
user = get_object_or_none ( User , pk = user_id ) if user_id else None
2021-05-31 07:01:14 +00:00
if self . username_same_with_user :
if user and not username :
2021-06-18 10:10:04 +00:00
_username = user . username
else :
_username = username
2021-07-08 06:23:18 +00:00
self . username = _username
2021-05-31 07:01:14 +00:00
# 加载某个资产的特殊配置认证信息
2021-10-22 06:27:54 +00:00
asset = get_object_or_none ( Asset , pk = asset_id ) if asset_id else None
if not asset :
logger . debug ( ' Asset not found, pass ' )
return
self . load_asset_special_auth ( asset , self . username )
2021-05-31 07:01:14 +00:00
2021-07-08 06:23:18 +00:00
class SystemUser ( ProtocolMixin , AuthMixin , BaseUser ) :
LOGIN_AUTO = ' auto '
LOGIN_MANUAL = ' manual '
LOGIN_MODE_CHOICES = (
( LOGIN_AUTO , _ ( ' Automatic managed ' ) ) ,
( LOGIN_MANUAL , _ ( ' Manually input ' ) )
)
2022-02-21 08:24:03 +00:00
class Type ( models . TextChoices ) :
2021-07-08 06:23:18 +00:00
common = ' common ' , _ ( ' Common user ' )
admin = ' admin ' , _ ( ' Admin user ' )
username_same_with_user = models . BooleanField ( default = False , verbose_name = _ ( " Username same with user " ) )
nodes = models . ManyToManyField ( ' assets.Node ' , blank = True , verbose_name = _ ( " Nodes " ) )
assets = models . ManyToManyField (
' assets.Asset ' , blank = True , verbose_name = _ ( " Assets " ) ,
through = ' assets.AuthBook ' , through_fields = [ ' systemuser ' , ' asset ' ] ,
related_name = ' system_users '
)
users = models . ManyToManyField ( ' users.User ' , blank = True , verbose_name = _ ( " Users " ) )
groups = models . ManyToManyField ( ' users.UserGroup ' , blank = True , verbose_name = _ ( " User groups " ) )
type = models . CharField ( max_length = 16 , choices = Type . choices , default = Type . common , verbose_name = _ ( ' Type ' ) )
priority = models . IntegerField ( default = 81 , verbose_name = _ ( " Priority " ) , help_text = _ ( " 1-100, the lower the value will be match first " ) , validators = [ MinValueValidator ( 1 ) , MaxValueValidator ( 100 ) ] )
2022-04-07 10:51:35 +00:00
protocol = models . CharField ( max_length = 16 , choices = Protocol . choices , default = ' ssh ' , verbose_name = _ ( ' Protocol ' ) )
2021-07-08 06:23:18 +00:00
auto_push = models . BooleanField ( default = True , verbose_name = _ ( ' Auto push ' ) )
sudo = models . TextField ( default = ' /bin/whoami ' , verbose_name = _ ( ' Sudo ' ) )
shell = models . CharField ( max_length = 64 , default = ' /bin/bash ' , verbose_name = _ ( ' Shell ' ) )
login_mode = models . CharField ( choices = LOGIN_MODE_CHOICES , default = LOGIN_AUTO , max_length = 10 , verbose_name = _ ( ' Login mode ' ) )
sftp_root = models . CharField ( default = ' tmp ' , max_length = 128 , verbose_name = _ ( " SFTP Root " ) )
token = models . TextField ( default = ' ' , verbose_name = _ ( ' Token ' ) )
home = models . CharField ( max_length = 4096 , default = ' ' , verbose_name = _ ( ' Home ' ) , blank = True )
system_groups = models . CharField ( default = ' ' , max_length = 4096 , verbose_name = _ ( ' System groups ' ) , blank = True )
ad_domain = models . CharField ( default = ' ' , max_length = 256 )
2021-11-05 08:11:29 +00:00
# linux su 命令 (switch user)
2021-11-05 08:39:08 +00:00
su_enabled = models . BooleanField ( default = False , verbose_name = _ ( ' User switch ' ) )
2021-11-05 08:11:29 +00:00
su_from = models . ForeignKey ( ' self ' , on_delete = models . SET_NULL , related_name = ' su_to ' , null = True , verbose_name = _ ( " Switch from " ) )
2021-07-08 06:23:18 +00:00
def __str__ ( self ) :
username = self . username
if self . username_same_with_user :
2021-07-12 04:46:55 +00:00
username = ' * '
2021-07-08 06:23:18 +00:00
return ' {0.name} ( {1} ) ' . format ( self , username )
@property
def nodes_amount ( self ) :
return self . nodes . all ( ) . count ( )
@property
def login_mode_display ( self ) :
return self . get_login_mode_display ( )
def is_need_push ( self ) :
if self . auto_push and self . is_protocol_support_push :
return True
else :
return False
@property
def is_admin_user ( self ) :
return self . type == self . Type . admin
@property
def is_need_cmd_filter ( self ) :
return self . protocol not in [ self . Protocol . rdp , self . Protocol . vnc ]
@property
def is_need_test_asset_connective ( self ) :
return self . protocol in self . ASSET_CATEGORY_PROTOCOLS
2018-10-10 07:37:20 +00:00
@property
def cmd_filter_rules ( self ) :
from . cmd_filter import CommandFilterRule
rules = CommandFilterRule . objects . filter (
filter__in = self . cmd_filters . all ( )
2018-10-16 08:47:47 +00:00
) . distinct ( )
2018-10-10 07:37:20 +00:00
return rules
2018-12-10 02:11:54 +00:00
def is_command_can_run ( self , command ) :
for rule in self . cmd_filter_rules :
action , matched_cmd = rule . match ( command )
2021-04-26 07:33:51 +00:00
if action == rule . ActionChoices . allow :
2018-12-10 02:11:54 +00:00
return True , None
2021-04-26 07:33:51 +00:00
elif action == rule . ActionChoices . deny :
2018-12-10 02:11:54 +00:00
return False , matched_cmd
return True , None
2019-07-26 08:16:06 +00:00
def get_all_assets ( self ) :
2019-09-24 07:18:12 +00:00
from assets . models import Node
2019-07-26 08:16:06 +00:00
nodes_keys = self . nodes . all ( ) . values_list ( ' key ' , flat = True )
2021-03-08 02:08:51 +00:00
asset_ids = set ( self . assets . all ( ) . values_list ( ' id ' , flat = True ) )
nodes_asset_ids = Node . get_nodes_all_asset_ids_by_keys ( nodes_keys )
asset_ids . update ( nodes_asset_ids )
assets = Asset . objects . filter ( id__in = asset_ids )
2019-07-26 08:16:06 +00:00
return assets
2021-11-05 08:11:29 +00:00
def add_related_assets ( self , assets_or_ids ) :
self . assets . add ( * tuple ( assets_or_ids ) )
self . add_related_assets_to_su_from_if_need ( assets_or_ids )
def add_related_assets_to_su_from_if_need ( self , assets_or_ids ) :
if self . protocol not in [ self . Protocol . ssh . value ] :
return
if not self . su_enabled :
return
if not self . su_from :
return
if self . su_from . protocol != self . protocol :
return
self . su_from . assets . add ( * tuple ( assets_or_ids ) )
2016-12-20 16:43:52 +00:00
class Meta :
2016-12-21 16:36:31 +00:00
ordering = [ ' name ' ]
2018-07-20 02:54:16 +00:00
unique_together = [ ( ' name ' , ' org_id ' ) ]
2018-01-05 09:57:02 +00:00
verbose_name = _ ( " System user " )
2022-03-04 02:16:21 +00:00
permissions = [
( ' match_systemuser ' , _ ( ' Can match system user ' ) ) ,
]
2021-07-08 06:23:18 +00:00
2022-02-17 12:13:31 +00:00
# Deprecated: 准备废弃
2021-07-08 06:23:18 +00:00
class AdminUser ( BaseUser ) :
"""
A privileged user that ansible can use it to push system user and so on
"""
BECOME_METHOD_CHOICES = (
( ' sudo ' , ' sudo ' ) ,
( ' su ' , ' su ' ) ,
)
become = models . BooleanField ( default = True )
become_method = models . CharField ( choices = BECOME_METHOD_CHOICES , default = ' sudo ' , max_length = 4 )
become_user = models . CharField ( default = ' root ' , max_length = 64 )
_become_pass = models . CharField ( default = ' ' , blank = True , max_length = 128 )
CONNECTIVITY_CACHE_KEY = ' _ADMIN_USER_CONNECTIVE_ {} '
_prefer = " admin_user "
def __str__ ( self ) :
return self . name
@property
def become_pass ( self ) :
password = signer . unsign ( self . _become_pass )
if password :
return password
else :
return " "
@become_pass.setter
def become_pass ( self , password ) :
self . _become_pass = signer . sign ( password )
@property
def become_info ( self ) :
if self . become :
info = {
" method " : self . become_method ,
" user " : self . become_user ,
" pass " : self . become_pass ,
}
else :
info = None
return info
class Meta :
ordering = [ ' name ' ]
unique_together = [ ( ' name ' , ' org_id ' ) ]
verbose_name = _ ( " Admin user " )
