2015-10-04 13:50:29 +00:00
|
|
|
|
# coding: utf-8
|
|
|
|
|
|
2015-11-21 06:42:53 +00:00
|
|
|
|
from django.db.models.query import QuerySet
|
2015-10-04 13:50:29 +00:00
|
|
|
|
from jumpserver.api import *
|
|
|
|
|
import uuid
|
|
|
|
|
import re
|
|
|
|
|
|
2015-10-05 15:48:03 +00:00
|
|
|
|
from jumpserver.models import Setting
|
2015-11-14 13:13:02 +00:00
|
|
|
|
from jperm.models import PermRole
|
2015-11-20 10:42:44 +00:00
|
|
|
|
from jperm.models import PermRule
|
2015-11-14 13:13:02 +00:00
|
|
|
|
|
2015-10-04 13:50:29 +00:00
|
|
|
|
|
2015-11-21 03:53:36 +00:00
|
|
|
|
def get_group_user_perm(ob):
|
2015-11-20 16:42:54 +00:00
|
|
|
|
"""
|
2015-11-21 06:45:20 +00:00
|
|
|
|
ob为用户或用户组
|
2015-11-21 04:41:17 +00:00
|
|
|
|
获取用户、用户组授权的资产、资产组
|
2015-11-20 16:42:54 +00:00
|
|
|
|
return:
|
|
|
|
|
{’asset_group': {
|
2015-11-21 03:53:36 +00:00
|
|
|
|
asset_group1: {'asset': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
asset_group2: {'asset: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
2015-11-20 16:42:54 +00:00
|
|
|
|
}
|
|
|
|
|
'asset':{
|
|
|
|
|
asset1: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
asset2: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
}
|
|
|
|
|
]},
|
|
|
|
|
'rule':[rule1, rule2,]
|
2015-11-27 04:20:08 +00:00
|
|
|
|
'role': {role1: {'asset': []}, 'asset_group': []}, role2: {}},
|
2015-11-20 16:42:54 +00:00
|
|
|
|
}
|
|
|
|
|
"""
|
|
|
|
|
perm = {}
|
2015-11-21 03:53:36 +00:00
|
|
|
|
if isinstance(ob, User):
|
|
|
|
|
rule_all = PermRule.objects.filter(user=ob)
|
|
|
|
|
elif isinstance(ob, UserGroup):
|
|
|
|
|
rule_all = PermRule.objects.filter(user_group=ob)
|
|
|
|
|
else:
|
|
|
|
|
rule_all = []
|
|
|
|
|
|
|
|
|
|
perm['rule'] = rule_all
|
2015-11-20 16:42:54 +00:00
|
|
|
|
perm_asset_group = perm['asset_group'] = {}
|
|
|
|
|
perm_asset = perm['asset'] = {}
|
2015-11-27 04:20:08 +00:00
|
|
|
|
perm_role = perm['role'] = {}
|
2015-11-21 03:53:36 +00:00
|
|
|
|
for rule in rule_all:
|
2015-11-20 16:42:54 +00:00
|
|
|
|
asset_groups = rule.asset_group.all()
|
|
|
|
|
assets = rule.asset.all()
|
2015-11-27 04:20:08 +00:00
|
|
|
|
perm_roles = rule.role.all()
|
|
|
|
|
# 获取一个规则授权的角色和对应主机
|
|
|
|
|
for role in perm_roles:
|
|
|
|
|
if perm_role.get('role'):
|
|
|
|
|
perm_role[role]['asset'] = perm_role[role].get('asset', set()).union(set(assets))
|
|
|
|
|
perm_role[role]['asset_group'] = perm_role[role].get('asset_group', set()).union(set(asset_groups))
|
|
|
|
|
else:
|
|
|
|
|
perm_role[role] = {'asset': set(assets), 'asset_group': set(asset_groups)}
|
2015-11-20 16:42:54 +00:00
|
|
|
|
|
2015-11-21 03:53:36 +00:00
|
|
|
|
# 获取一个规则用户授权的资产
|
2015-11-20 16:42:54 +00:00
|
|
|
|
for asset in assets:
|
|
|
|
|
if perm_asset.get(asset):
|
2015-11-21 03:53:36 +00:00
|
|
|
|
perm_asset[asset].get('role', set()).update(set(rule.role.all()))
|
|
|
|
|
perm_asset[asset].get('rule', set()).add(rule)
|
2015-11-20 16:42:54 +00:00
|
|
|
|
else:
|
2015-11-21 03:53:36 +00:00
|
|
|
|
perm_asset[asset] = {'role': set(rule.role.all()), 'rule': set([rule])}
|
2015-11-20 16:42:54 +00:00
|
|
|
|
|
2015-11-21 03:53:36 +00:00
|
|
|
|
# 获取一个规则用户授权的资产组
|
|
|
|
|
for asset_group in asset_groups:
|
|
|
|
|
asset_group_assets = asset_group.asset_set.all()
|
|
|
|
|
if perm_asset_group.get(asset_group):
|
|
|
|
|
perm_asset_group[asset_group].get('role', set()).update(set(rule.role.all()))
|
|
|
|
|
perm_asset_group[asset_group].get('rule', set()).add(rule)
|
|
|
|
|
else:
|
|
|
|
|
perm_asset_group[asset_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
|
|
|
|
|
'asset': asset_group_assets}
|
|
|
|
|
|
|
|
|
|
# 将资产组中的资产添加到资产授权中
|
|
|
|
|
for asset in asset_group_assets:
|
|
|
|
|
if perm_asset.get(asset):
|
|
|
|
|
perm_asset[asset].get('role', set()).update(perm_asset_group[asset_group].get('role', set()))
|
|
|
|
|
perm_asset[asset].get('rule', set()).update(perm_asset_group[asset_group].get('rule', set()))
|
|
|
|
|
else:
|
|
|
|
|
perm_asset[asset] = {'role': perm_asset_group[asset_group].get('role', set()),
|
|
|
|
|
'rule': perm_asset_group[asset_group].get('rule', set())}
|
2015-11-20 16:42:54 +00:00
|
|
|
|
return perm
|
|
|
|
|
|
|
|
|
|
|
2015-11-21 04:41:17 +00:00
|
|
|
|
def get_group_asset_perm(ob):
|
|
|
|
|
"""
|
2015-11-21 06:45:20 +00:00
|
|
|
|
ob为资产或资产组
|
2015-11-21 04:41:17 +00:00
|
|
|
|
获取资产,资产组授权的用户,用户组
|
|
|
|
|
return:
|
|
|
|
|
{’user_group': {
|
|
|
|
|
user_group1: {'user': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
user_group2: {'user: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
}
|
|
|
|
|
'user':{
|
|
|
|
|
user1: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
user2: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
|
|
|
|
}
|
|
|
|
|
]},
|
2015-11-27 04:20:08 +00:00
|
|
|
|
'rule':[rule1, rule2,],
|
2015-11-21 04:41:17 +00:00
|
|
|
|
}
|
|
|
|
|
"""
|
|
|
|
|
perm = {}
|
|
|
|
|
if isinstance(ob, Asset):
|
|
|
|
|
rule_all = PermRule.objects.filter(asset=ob)
|
|
|
|
|
elif isinstance(ob, AssetGroup):
|
|
|
|
|
rule_all = PermRule.objects.filter(asset_group=ob)
|
|
|
|
|
else:
|
|
|
|
|
rule_all = []
|
|
|
|
|
|
|
|
|
|
perm['rule'] = rule_all
|
|
|
|
|
perm_user_group = perm['user_group'] = {}
|
|
|
|
|
perm_user = perm['user'] = {}
|
|
|
|
|
for rule in rule_all:
|
|
|
|
|
user_groups = rule.user_group.all()
|
|
|
|
|
users = rule.user.all()
|
|
|
|
|
# 获取一个规则资产的用户
|
|
|
|
|
for user in users:
|
|
|
|
|
if perm_user.get(user):
|
|
|
|
|
perm_user[user].get('role', set()).update(set(rule.role.all()))
|
|
|
|
|
perm_user[user].get('rule', set()).add(rule)
|
|
|
|
|
else:
|
|
|
|
|
perm_user[user] = {'role': set(rule.role.all()), 'rule': set([rule])}
|
|
|
|
|
|
|
|
|
|
# 获取一个规则资产授权的用户组
|
|
|
|
|
for user_group in user_groups:
|
|
|
|
|
user_group_users = user_group.user_set.all()
|
|
|
|
|
if perm_user_group.get(user_group):
|
|
|
|
|
perm_user_group[user_group].get('role', set()).update(set(rule.role.all()))
|
|
|
|
|
perm_user_group[user_group].get('rule', set()).add(rule)
|
|
|
|
|
else:
|
|
|
|
|
perm_user_group[user_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
|
|
|
|
|
'user': user_group_users}
|
|
|
|
|
|
|
|
|
|
# 将用户组中的资产添加到用户授权中
|
|
|
|
|
for user in user_group_users:
|
|
|
|
|
if perm_user.get(user):
|
|
|
|
|
perm_user[user].get('role', set()).update(perm_user_group[user_group].get('role', set()))
|
|
|
|
|
perm_user[user].get('rule', set()).update(perm_user_group[user_group].get('rule', set()))
|
|
|
|
|
else:
|
|
|
|
|
perm_user[user] = {'role': perm_user_group[user_group].get('role', set()),
|
|
|
|
|
'rule': perm_user_group[user_group].get('rule', set())}
|
|
|
|
|
return perm
|
|
|
|
|
|
|
|
|
|
|
2015-11-23 07:34:28 +00:00
|
|
|
|
def user_have_perm(user, asset):
|
|
|
|
|
user_perm_all = get_group_user_perm(user)
|
|
|
|
|
user_assets = user_perm_all.get('asset').keys()
|
|
|
|
|
if asset in user_assets:
|
|
|
|
|
return user_perm_all.get('asset').get(asset).get('role')
|
|
|
|
|
else:
|
2015-11-24 03:58:42 +00:00
|
|
|
|
return []
|
2015-11-23 07:34:28 +00:00
|
|
|
|
|
|
|
|
|
|
2015-11-27 05:24:57 +00:00
|
|
|
|
def gen_resource(ob, perm=None):
|
2015-11-21 06:42:53 +00:00
|
|
|
|
"""
|
2015-11-27 05:24:57 +00:00
|
|
|
|
ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息
|
2015-11-21 06:42:53 +00:00
|
|
|
|
生成MyInventory需要的 resource文件
|
|
|
|
|
"""
|
|
|
|
|
res = []
|
2015-11-27 05:24:57 +00:00
|
|
|
|
if isinstance(ob, dict):
|
|
|
|
|
role = ob.get('role')
|
|
|
|
|
asset_r = ob.get('asset')
|
|
|
|
|
user = ob.get('user')
|
2015-11-22 09:56:38 +00:00
|
|
|
|
if not perm:
|
2015-11-27 05:24:57 +00:00
|
|
|
|
perm = get_group_user_perm(user)
|
2015-11-27 04:20:08 +00:00
|
|
|
|
roles = perm.get('role', {}).keys()
|
|
|
|
|
if role not in roles:
|
|
|
|
|
return {}
|
|
|
|
|
|
2015-11-27 05:24:57 +00:00
|
|
|
|
role_assets_all = perm.get('role').get(role).get('asset')
|
2015-11-27 04:20:08 +00:00
|
|
|
|
assets = set(role_assets_all) & set(asset_r)
|
|
|
|
|
|
|
|
|
|
for asset in assets:
|
|
|
|
|
asset_info = get_asset_info(asset)
|
|
|
|
|
info = {'hostname': asset.hostname,
|
|
|
|
|
'ip': asset.ip,
|
|
|
|
|
'port': asset_info.get('port', 22),
|
|
|
|
|
'username': role.name,
|
|
|
|
|
'password': CRYPTOR.decrypt(role.password),
|
2015-11-27 05:24:57 +00:00
|
|
|
|
'ssh_key': get_role_key(user, role)
|
2015-11-27 04:20:08 +00:00
|
|
|
|
}
|
|
|
|
|
res.append(info)
|
|
|
|
|
|
2015-11-22 09:56:38 +00:00
|
|
|
|
elif isinstance(ob, User):
|
2015-11-21 11:20:11 +00:00
|
|
|
|
if not perm:
|
|
|
|
|
perm = get_group_user_perm(ob)
|
|
|
|
|
|
2015-11-21 06:42:53 +00:00
|
|
|
|
for asset, asset_info in perm.get('asset').items():
|
2015-11-21 11:20:11 +00:00
|
|
|
|
asset_info = get_asset_info(asset)
|
|
|
|
|
info = {'hostname': asset.hostname, 'ip': asset.ip, 'port': asset_info.get('port', 22)}
|
2015-11-21 06:42:53 +00:00
|
|
|
|
try:
|
2015-11-21 11:20:11 +00:00
|
|
|
|
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
|
2015-11-21 06:42:53 +00:00
|
|
|
|
except IndexError:
|
|
|
|
|
continue
|
|
|
|
|
info['username'] = role.name
|
2015-11-26 13:01:39 +00:00
|
|
|
|
info['password'] = CRYPTOR.decrypt(role.password)
|
2015-11-21 11:20:11 +00:00
|
|
|
|
info['ssh_key'] = get_role_key(ob, role)
|
2015-11-21 06:42:53 +00:00
|
|
|
|
res.append(info)
|
|
|
|
|
elif isinstance(ob, (list, QuerySet)):
|
|
|
|
|
for asset in ob:
|
2015-11-21 11:20:11 +00:00
|
|
|
|
info = get_asset_info(asset)
|
2015-11-21 06:42:53 +00:00
|
|
|
|
res.append(info)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
|
2015-10-04 13:50:29 +00:00
|
|
|
|
def get_object_list(model, id_list):
|
2015-10-06 10:51:49 +00:00
|
|
|
|
"""根据id列表获取对象列表"""
|
2015-10-04 13:50:29 +00:00
|
|
|
|
object_list = []
|
|
|
|
|
for object_id in id_list:
|
|
|
|
|
if object_id:
|
|
|
|
|
object_list.extend(model.objects.filter(id=int(object_id)))
|
|
|
|
|
|
|
|
|
|
return object_list
|
|
|
|
|
|
|
|
|
|
|
2015-11-14 13:13:02 +00:00
|
|
|
|
def get_role_info(role_id, type="all"):
|
|
|
|
|
"""
|
|
|
|
|
获取role对应的一些信息
|
|
|
|
|
:return: 返回值 均为对象列表
|
|
|
|
|
"""
|
|
|
|
|
# 获取role对应的授权规则
|
|
|
|
|
role_obj = PermRole.objects.get(id=role_id)
|
|
|
|
|
rules_obj = role_obj.perm_rule.all()
|
|
|
|
|
# 获取role 对应的用户 和 用户组
|
|
|
|
|
# 获取role 对应的主机 和主机组
|
|
|
|
|
users_obj = []
|
|
|
|
|
assets_obj = []
|
|
|
|
|
user_groups_obj = []
|
|
|
|
|
group_users_obj = []
|
|
|
|
|
asset_groups_obj = []
|
|
|
|
|
group_assets_obj = []
|
|
|
|
|
for rule in rules_obj:
|
|
|
|
|
for user in rule.user.all():
|
|
|
|
|
users_obj.append(user)
|
|
|
|
|
for asset in rule.asset.all():
|
|
|
|
|
assets_obj.append(asset)
|
|
|
|
|
for user_group in rule.user_group.all():
|
|
|
|
|
user_groups_obj.append(user_group)
|
|
|
|
|
for user in user_group.user_set.all():
|
|
|
|
|
group_users_obj.append(user)
|
|
|
|
|
for asset_group in rule.asset_group.all():
|
|
|
|
|
asset_groups_obj.append(asset_group)
|
|
|
|
|
for asset in asset_group.asset_set.all():
|
|
|
|
|
group_assets_obj.append(asset)
|
|
|
|
|
|
|
|
|
|
calc_users = set(users_obj) | set(group_users_obj)
|
|
|
|
|
calc_assets = set(assets_obj) | set(group_assets_obj)
|
|
|
|
|
|
|
|
|
|
if type == "all":
|
|
|
|
|
return {"rules": rules_obj,
|
|
|
|
|
"users": list(calc_users),
|
|
|
|
|
"user_groups": user_groups_obj,
|
|
|
|
|
"assets": list(calc_assets),
|
|
|
|
|
"asset_groups": asset_groups_obj,
|
|
|
|
|
}
|
|
|
|
|
elif type == "rule":
|
|
|
|
|
return rules_obj
|
|
|
|
|
elif type == "user":
|
|
|
|
|
return calc_users
|
|
|
|
|
elif type == "user_group":
|
|
|
|
|
return user_groups_obj
|
|
|
|
|
elif type == "asset":
|
|
|
|
|
return calc_assets
|
|
|
|
|
elif type == "asset_group":
|
|
|
|
|
return asset_groups_obj
|
|
|
|
|
else:
|
|
|
|
|
return u"不支持的查询"
|
2015-10-19 15:40:16 +00:00
|
|
|
|
|
|
|
|
|
|
2015-11-28 11:33:21 +00:00
|
|
|
|
def get_role_push_host(role):
|
|
|
|
|
"""
|
|
|
|
|
get the role push host
|
|
|
|
|
:return: the asset object
|
|
|
|
|
"""
|
|
|
|
|
# 计算该role 所有push记录 总共推送的主机
|
|
|
|
|
assets = []
|
|
|
|
|
asset_groups = []
|
|
|
|
|
for push in role.perm_push.all():
|
|
|
|
|
assets.extend(push.asset.all())
|
|
|
|
|
asset_groups.extend(push.asset_group.all())
|
|
|
|
|
group_assets = []
|
|
|
|
|
for asset_group in asset_groups:
|
|
|
|
|
group_assets.extend(asset_group.asset_set.all())
|
|
|
|
|
cacl_assets = set(assets) | set(group_assets)
|
|
|
|
|
|
|
|
|
|
# 计算所有主机 在push记录里面的 使用密码和使用秘钥状况
|
|
|
|
|
result = []
|
|
|
|
|
for asset in cacl_assets:
|
|
|
|
|
all_push = asset.perm_push.all()
|
|
|
|
|
if True in [push.is_password for push in all_push if role in push.role.all()]:
|
|
|
|
|
is_password = u"是"
|
|
|
|
|
else:
|
|
|
|
|
is_password = u"否"
|
|
|
|
|
if True in [push.is_public_key for push in all_push if role in push.role.all()]:
|
|
|
|
|
is_public_key = u"是"
|
|
|
|
|
else:
|
|
|
|
|
is_public_key = u"否"
|
|
|
|
|
result.append({"ip": asset.ip,
|
|
|
|
|
"group": ','.join([group.name for group in asset.group.all()]),
|
|
|
|
|
"password": is_password,
|
|
|
|
|
"pubkey": is_public_key})
|
|
|
|
|
return result
|
|
|
|
|
|
2015-11-14 13:13:02 +00:00
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
print get_role_info(1)
|
2015-10-19 15:40:16 +00:00
|
|
|
|
|
|
|
|
|
|
2015-10-06 15:47:53 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|