jumpserver/juser/views.py

325 lines
10 KiB
Python
Raw Normal View History

2015-01-05 15:55:05 +00:00
# coding: utf-8
2015-01-10 07:24:16 +00:00
# Author: Guanghongwei
# Email: ibuler@qq.com
import time
2015-01-12 15:52:41 +00:00
import os
2015-01-10 07:54:09 +00:00
import hashlib
import random
2015-01-12 15:52:41 +00:00
import subprocess
import ldap
from ldap import modlist
from Crypto.PublicKey import RSA
import crypt
2015-01-05 15:55:05 +00:00
2015-01-03 12:42:20 +00:00
from django.shortcuts import render_to_response
2015-01-13 14:14:50 +00:00
from django.core.exceptions import ObjectDoesNotExist
2015-01-03 12:42:20 +00:00
2015-01-10 05:50:59 +00:00
from juser.models import UserGroup, User
2015-01-10 07:54:09 +00:00
from connect import PyCrypt, KEY
2015-01-12 15:52:41 +00:00
from connect import BASE_DIR
from connect import CONF
2015-01-10 07:54:09 +00:00
2015-01-13 14:14:50 +00:00
CRYPTOR = PyCrypt(KEY)
2015-01-13 14:57:27 +00:00
LDAP_ENABLE = CONF.getint('ldap', 'ldap_enable')
2015-01-13 14:14:50 +00:00
if LDAP_ENABLE:
LDAP_HOST_URL = CONF.get('ldap', 'host_url')
LDAP_BASE_DN = CONF.get('ldap', 'base_dn')
LDAP_ROOT_DN = CONF.get('ldap', 'root_dn')
LDAP_ROOT_PW = CONF.get('ldap', 'root_pw')
2015-01-10 07:54:09 +00:00
def md5_crypt(string):
return hashlib.new("md5", string).hexdigest()
2015-01-12 15:52:41 +00:00
def gen_rand_pwd(num):
2015-01-10 07:54:09 +00:00
"""生成随机密码"""
seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
salt_list = []
for i in range(num):
salt_list.append(random.choice(seed))
salt = ''.join(salt_list)
return salt
2015-01-07 15:56:36 +00:00
2015-01-12 15:52:41 +00:00
def bash(cmd):
"""执行bash命令"""
return subprocess.call(cmd, shell=True)
def is_dir(dir_name, mode=0755):
if not os.path.isdir(dir_name):
os.makedirs(dir_name)
os.chmod(dir_name, mode)
2015-01-07 15:56:36 +00:00
class AddError(Exception):
pass
2015-01-03 12:42:20 +00:00
2015-01-12 15:52:41 +00:00
class LDAPMgmt():
def __init__(self,
2015-01-14 15:08:29 +00:00
host_url,
base_dn,
root_cn,
root_pw):
2015-01-12 15:52:41 +00:00
self.ldap_host = host_url
self.ldap_base_dn = base_dn
self.conn = ldap.initialize(host_url)
self.conn.set_option(ldap.OPT_REFERRALS, 0)
self.conn.protocol_version = ldap.VERSION3
self.conn.simple_bind_s(root_cn, root_pw)
def list(self, filter, scope=ldap.SCOPE_SUBTREE, attr=None):
result = {}
try:
ldap_result = self.conn.search_s(self.ldap_base_dn, scope, filter, attr)
for entry in ldap_result:
name, data = entry
for k, v in data.items():
print '%s: %s' % (k, v)
result[k] = v
return result
except ldap.LDAPError, e:
print e
def add(self, dn, attrs):
try:
ldif = modlist.addModlist(attrs)
self.conn.add_s(dn, ldif)
except ldap.LDAPError, e:
print e
def modify(self, dn, attrs):
try:
attr_s = []
for k, v in attrs.items():
attr_s.append((2, k, v))
self.conn.modify_s(dn, attr_s)
except ldap.LDAPError, e:
print e
def delete(self, dn):
try:
self.conn.delete_s(dn)
except ldap.LDAPError, e:
print e
def gen_sha512(salt, password):
return crypt.crypt(password, '$6$%s$' % salt)
2015-01-07 15:20:48 +00:00
def group_add(request):
2015-01-07 15:56:36 +00:00
error = ''
msg = ''
2015-01-10 08:24:44 +00:00
header_title, path1, path2 = '添加属组 | Add Group', 'juser', 'group_add'
2015-01-10 07:54:09 +00:00
2015-01-07 15:56:36 +00:00
if request.method == 'POST':
2015-01-10 07:15:49 +00:00
group_name = request.POST.get('group_name', None)
comment = request.POST.get('comment', None)
2015-01-07 15:56:36 +00:00
try:
if not group_name:
error = u'组名不能为空'
raise AddError
2015-01-10 05:50:59 +00:00
group = UserGroup.objects.filter(name=group_name)
2015-01-07 15:56:36 +00:00
if group:
error = u'%s 已存在' % group_name
2015-01-07 16:01:41 +00:00
raise AddError
2015-01-07 15:56:36 +00:00
2015-01-10 05:50:59 +00:00
group = UserGroup(name=group_name, comment=comment)
2015-01-07 15:56:36 +00:00
group.save()
except AddError:
pass
except TypeError:
error = u'保存用户失败'
else:
2015-01-07 16:07:00 +00:00
msg = u'添加组 %s 成功' % group_name
2015-01-07 15:56:36 +00:00
2015-01-12 15:52:41 +00:00
return render_to_response('juser/group_add.html', locals())
2015-01-07 15:20:48 +00:00
2015-01-09 14:10:38 +00:00
def group_list(request):
2015-01-14 15:30:20 +00:00
header_title, path1, path2 = '查看属组 | Add Group', 'juser', 'group_list'
2015-01-10 05:50:59 +00:00
groups = UserGroup.objects.all()
2015-01-12 15:52:41 +00:00
return render_to_response('juser/group_list.html', locals())
2015-01-09 14:10:38 +00:00
def user_list(request):
2015-01-14 15:51:30 +00:00
user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'}
2015-01-14 15:30:20 +00:00
header_title, path1, path2 = '查看用户 | Add User', 'juser', 'user_list'
users = User.objects.all()
return render_to_response('juser/user_list.html', locals())
2015-01-09 14:10:38 +00:00
2015-01-10 06:52:35 +00:00
def db_add_user(**kwargs):
2015-01-10 07:24:16 +00:00
groups_post = kwargs.pop('groups')
2015-01-10 06:52:35 +00:00
user = User(**kwargs)
2015-01-10 07:24:16 +00:00
for group_id in groups_post:
2015-01-10 06:52:35 +00:00
group = UserGroup.objects.filter(id=group_id)
group_select.extend(group)
user.save()
2015-01-10 07:24:16 +00:00
user.user_group = group_select
2015-01-10 06:52:35 +00:00
2015-01-13 14:14:50 +00:00
def db_del_user(username):
try:
user = User.objects.get(username=username)
user.delete()
except ObjectDoesNotExist:
pass
2015-01-12 15:52:41 +00:00
def gen_ssh_key(username, password=None, length=2048):
private_key_dir = os.path.join(BASE_DIR, 'keys/jumpserver/')
private_key_file = os.path.join(private_key_dir, username)
public_key_dir = '/home/%s/.ssh/' % username
public_key_file = os.path.join(public_key_dir, 'authorized_keys')
is_dir(private_key_dir)
is_dir(public_key_dir, mode=0700)
key = RSA.generate(length)
with open(private_key_file, 'w') as pri_f:
pri_f.write(key.exportKey('PEM', password))
os.chmod(private_key_file, 0600)
pub_key = key.publickey()
with open(public_key_file, 'w') as pub_f:
pub_f.write(pub_key.exportKey('OpenSSH'))
os.chmod(public_key_file, 0600)
2015-01-13 15:15:40 +00:00
bash('chown %s:%s %s' % (username, username, public_key_file))
2015-01-12 15:52:41 +00:00
def server_add_user(username, password, ssh_key_pwd1):
bash('useradd %s; echo %s | passwd --stdin %s' % (username, password, username))
gen_ssh_key(username, ssh_key_pwd1)
2015-01-13 14:14:50 +00:00
def server_del_user(username):
bash('userdel -r %s' % username)
2015-01-12 15:52:41 +00:00
def ldap_add_user(username, ldap_pwd):
2015-01-13 14:14:50 +00:00
user_dn = "uid=%s,ou=People,%s" % (username, LDAP_BASE_DN)
2015-01-12 15:52:41 +00:00
password_sha512 = gen_sha512(gen_rand_pwd(6), ldap_pwd)
user = User.objects.get(username=username)
user_attr = {'uid': [str(username)],
'cn': [str(username)],
'objectClass': ['account', 'posixAccount', 'top', 'shadowAccount'],
'userPassword': ['{crypt}%s' % password_sha512],
'shadowLastChange': ['16328'],
'shadowMin': ['0'],
'shadowMax': ['99999'],
'shadowWarning': ['7'],
'loginShell': ['/bin/bash'],
'uidNumber': [str(user.id)],
'gidNumber': [str(user.id)],
'homeDirectory': [str('/home/%s' % username)]}
2015-01-13 14:14:50 +00:00
group_dn = "cn=%s,ou=Group,%s" % (username, LDAP_BASE_DN)
2015-01-12 15:52:41 +00:00
group_attr = {'objectClass': ['posixGroup', 'top'],
'cn': [str(username)],
'userPassword': ['{crypt}x'],
'gidNumber': [str(user.id)]}
2015-01-13 14:14:50 +00:00
sudo_dn = 'cn=%s,ou=Sudoers,%s' % (username, LDAP_BASE_DN)
2015-01-12 15:52:41 +00:00
sudo_attr = {'objectClass': ['top', 'sudoRole'],
'cn': ['%s' % str(username)],
'sudoCommand': ['/bin/pwd'],
'sudoHost': ['192.168.1.1'],
'sudoOption': ['!authenticate'],
'sudoRunAsUser': ['root'],
'sudoUser': ['%s' % str(username)]}
2015-01-14 15:08:29 +00:00
ldap_conn = LDAPMgmt(LDAP_HOST_URL, LDAP_BASE_DN, LDAP_ROOT_DN, LDAP_ROOT_PW)
2015-01-12 15:52:41 +00:00
ldap_conn.add(user_dn, user_attr)
ldap_conn.add(group_dn, group_attr)
ldap_conn.add(sudo_dn, sudo_attr)
2015-01-13 14:14:50 +00:00
def ldap_del_user(username):
user_dn = "uid=%s,ou=People,%s" % (username, LDAP_BASE_DN)
group_dn = "cn=%s,ou=Group,%s" % (username, LDAP_BASE_DN)
sudo_dn = 'cn=%s,ou=Sudoers,%s' % (username, LDAP_BASE_DN)
ldap_conn = LDAPMgmt()
ldap_conn.delete(user_dn)
ldap_conn.delete(group_dn)
ldap_conn.delete(sudo_dn)
2015-01-10 06:52:35 +00:00
2015-01-05 13:20:09 +00:00
def user_add(request):
2015-01-10 05:10:44 +00:00
error = ''
msg = ''
2015-01-10 08:24:44 +00:00
header_title, path1, path2 = '添加用户 | Add User', 'juser', 'user_add'
2015-01-10 06:52:35 +00:00
user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'}
all_group = UserGroup.objects.all()
2015-01-10 05:10:44 +00:00
if request.method == 'POST':
2015-01-10 07:15:49 +00:00
username = request.POST.get('username', None)
password = request.POST.get('password', None)
name = request.POST.get('name', None)
email = request.POST.get('email', '')
groups = request.POST.getlist('groups', None)
2015-01-10 08:48:34 +00:00
groups_str = ' '.join(groups)
2015-01-10 08:24:44 +00:00
role_post = request.POST.get('role', None)
2015-01-10 07:15:49 +00:00
ssh_pwd = request.POST.get('ssh_pwd', None)
ssh_key_pwd1 = request.POST.get('ssh_key_pwd1', None)
is_active = request.POST.get('is_active', '1')
2015-01-12 15:52:41 +00:00
ldap_pwd = gen_rand_pwd(16)
2015-01-10 05:10:44 +00:00
2015-01-10 06:52:35 +00:00
try:
2015-01-10 08:24:44 +00:00
if None in [username, password, ssh_key_pwd1, name, groups, role_post, is_active]:
2015-01-10 06:52:35 +00:00
error = u'带*内容不能为空'
raise AddError
user = User.objects.filter(username=username)
if user:
error = u'用户 %s 已存在' % username
raise AddError
except AddError:
pass
else:
2015-01-10 07:24:16 +00:00
time_now = time.time()
2015-01-13 14:14:50 +00:00
try:
db_add_user(username=username,
password=md5_crypt(password),
name=name, email=email,
groups=groups, role=role_post,
ssh_pwd=CRYPTOR.encrypt(ssh_pwd),
ssh_key_pwd1=CRYPTOR.encrypt(ssh_key_pwd1),
ldap_pwd=CRYPTOR.encrypt(ldap_pwd),
is_active=is_active,
date_joined=time_now)
server_add_user(username, password, ssh_key_pwd1)
if LDAP_ENABLE:
ldap_add_user(username, ldap_pwd)
2015-01-13 14:44:58 +00:00
msg = u'添加用户 %s 成功!' % username
2015-01-14 15:58:25 +00:00
# locals = lambda: {}
2015-01-13 14:14:50 +00:00
except Exception, e:
2015-01-13 14:44:58 +00:00
error = u'添加用户 %s 失败 %s ' % (username, e)
try:
db_del_user(username)
server_del_user(username)
if LDAP_ENABLE:
ldap_del_user(username)
except Exception:
pass
2015-01-13 14:14:50 +00:00
2015-01-12 15:52:41 +00:00
return render_to_response('juser/user_add.html', locals())
2015-01-07 15:20:48 +00:00
2015-01-03 12:42:20 +00:00
2014-12-22 09:18:51 +00:00
2015-01-10 04:30:21 +00:00