jumpserver/apps/perms/utils/asset/permission.py

import time
from collections import defaultdict

from django.db.models import Q

from common.utils import get_logger
from perms.models import AssetPermission, Action
from perms.hands import Asset, User, UserGroup, SystemUser, Node
from perms.utils.asset.user_permission import get_user_all_asset_perm_ids

logger = get_logger(__file__)


def validate_permission(user, asset, account, action='connect'):
    asset_perm_ids = get_user_all_asset_perm_ids(user)

    asset_perm_ids_from_asset = AssetPermission.assets.through.objects.filter(
        assetpermission_id__in=asset_perm_ids,
        asset_id=asset.id
    ).values_list('assetpermission_id', flat=True)

    nodes = asset.get_nodes()
    node_keys = set()
    for node in nodes:
        ancestor_keys = node.get_ancestor_keys(with_self=True)
        node_keys.update(ancestor_keys)
    node_ids = set(Node.objects.filter(key__in=node_keys).values_list('id', flat=True))

    asset_perm_ids_from_node = AssetPermission.nodes.through.objects.filter(
        assetpermission_id__in=asset_perm_ids,
        node_id__in=node_ids
    ).values_list('assetpermission_id', flat=True)

    asset_perm_ids = {*asset_perm_ids_from_asset, *asset_perm_ids_from_node}

    asset_perms = AssetPermission.objects\
        .filter(id__in=asset_perm_ids, accounts__contains=account)\
        .order_by('-date_expired')

    if asset_perms:
        actions = set()
        actions_values = asset_perms.values_list('actions', flat=True)
        for value in actions_values:
            _actions = Action.value_to_choices(value)
            actions.update(_actions)
        asset_perm: AssetPermission = asset_perms.first()
        actions = list(actions)
        expire_at = asset_perm.date_expired.timestamp()
    else:
        actions = []
        expire_at = time.time()

    # TODO: 组件改造API完成后统一通过actions判断has_perm
    has_perm = action in actions
    return has_perm, actions, expire_at


def get_asset_system_user_ids_with_actions(asset_perm_ids, asset: Asset):
    nodes = asset.get_nodes()
    node_keys = set()
    for node in nodes:
        ancestor_keys = node.get_ancestor_keys(with_self=True)
        node_keys.update(ancestor_keys)

    queryset = AssetPermission.objects.filter(id__in=asset_perm_ids)\
        .filter(Q(assets=asset) | Q(nodes__key__in=node_keys))

    asset_protocols = asset.protocols_as_dict.keys()
    values = queryset.filter(
        system_users__protocol__in=asset_protocols
    ).distinct().values_list('system_users', 'actions')
    system_users_actions = defaultdict(int)

    for system_user_id, actions in values:
        if None in (system_user_id, actions):
            continue
        system_users_actions[system_user_id] |= actions
    return system_users_actions


def get_asset_system_user_ids_with_actions_by_user(user: User, asset: Asset):
    asset_perm_ids = get_user_all_asset_perm_ids(user)
    return get_asset_system_user_ids_with_actions(asset_perm_ids, asset)


def has_asset_system_permission(user: User, asset: Asset, system_user: SystemUser):
    systemuser_actions_mapper = get_asset_system_user_ids_with_actions_by_user(user, asset)
    actions = systemuser_actions_mapper.get(system_user.id, 0)
    if actions:
        return True
    return False


def get_asset_system_user_ids_with_actions_by_group(group: UserGroup, asset: Asset):
    asset_perm_ids = AssetPermission.objects.filter(
        user_groups=group
    ).valid().values_list('id', flat=True).distinct()
    return get_asset_system_user_ids_with_actions(asset_perm_ids, asset)
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`import time`
[Update] 修改授权 2018-04-07 16:16:37 +00:00			`from collections import defaultdict`
[Update] 更新缓存机制 2019-03-26 11:46:04 +00:00
[Update] 更新api和model方法 2018-05-31 11:47:57 +00:00			`from django.db.models import Q`
Pre delete action 2016-09-16 01:38:07 +00:00
perf(assets): 优化节点树修改树策略，做读优化，写的速度降低 2020-08-16 15:08:58 +00:00			`from common.utils import get_logger`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`from perms.models import AssetPermission, Action`
			`from perms.hands import Asset, User, UserGroup, SystemUser, Node`
fix: 用户页面授权资产列表获取系统用户慢 (#5663) Co-authored-by: xinwen <coderWen@126.com> 2021-03-02 06:48:47 +00:00			`from perms.utils.asset.user_permission import get_user_all_asset_perm_ids`
[Fixture] 完成用户推送task 2017-03-09 06:55:33 +00:00
			`logger = get_logger(__file__)`
Pre delete action 2016-09-16 01:38:07 +00:00

perf: 修改系统用户 2022-07-28 10:50:58 +00:00			`def validate_permission(user, asset, account, action='connect'):`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00			`asset_perm_ids = get_user_all_asset_perm_ids(user)`

			`asset_perm_ids_from_asset = AssetPermission.assets.through.objects.filter(`
			`assetpermission_id__in=asset_perm_ids,`
			`asset_id=asset.id`
			`).values_list('assetpermission_id', flat=True)`

			`nodes = asset.get_nodes()`
			`node_keys = set()`
			`for node in nodes:`
			`ancestor_keys = node.get_ancestor_keys(with_self=True)`
			`node_keys.update(ancestor_keys)`
perf: 修改系统用户 2022-07-28 10:50:58 +00:00			`node_ids = set(Node.objects.filter(key__in=node_keys).values_list('id', flat=True))`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00
			`asset_perm_ids_from_node = AssetPermission.nodes.through.objects.filter(`
			`assetpermission_id__in=asset_perm_ids,`
			`node_id__in=node_ids`
			`).values_list('assetpermission_id', flat=True)`

			`asset_perm_ids = {asset_perm_ids_from_asset, asset_perm_ids_from_node}`

perf: 修改系统用户 2022-07-28 10:50:58 +00:00			`asset_perms = AssetPermission.objects\`
			`.filter(id__in=asset_perm_ids, accounts__contains=account)\`
			`.order_by('-date_expired')`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00
feat: 应用授权增加Action动作控制 2021-12-22 09:35:32 +00:00			`if asset_perms:`
			`actions = set()`
			`actions_values = asset_perms.values_list('actions', flat=True)`
			`for value in actions_values:`
			`_actions = Action.value_to_choices(value)`
			`actions.update(_actions)`
			`asset_perm: AssetPermission = asset_perms.first()`
			`actions = list(actions)`
			`expire_at = asset_perm.date_expired.timestamp()`
			`else:`
			`actions = []`
			`expire_at = time.time()`

			`# TODO: 组件改造API完成后统一通过actions判断has_perm`
			`has_perm = action in actions`
			`return has_perm, actions, expire_at`
feat: 检查资产授权过期接口添加过期时间 2021-05-07 11:40:04 +00:00

perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`def get_asset_system_user_ids_with_actions(asset_perm_ids, asset: Asset):`
perf(assets): 优化节点树修改树策略，做读优化，写的速度降低 2020-08-16 15:08:58 +00:00			`nodes = asset.get_nodes()`
			`node_keys = set()`
			`for node in nodes:`
			`ancestor_keys = node.get_ancestor_keys(with_self=True)`
			`node_keys.update(ancestor_keys)`
Perm cache (#3211) * [Update] 修改用户树的cache * [Update] 修改用户树缓存 * [Update] telnet (beta) => telnet 2019-09-11 10:52:42 +00:00
fix: 用户页面授权资产列表获取系统用户慢 (#5663) Co-authored-by: xinwen <coderWen@126.com> 2021-03-02 06:48:47 +00:00			`queryset = AssetPermission.objects.filter(id__in=asset_perm_ids)\`
feat: 为rdp 添加一个api 2021-02-23 06:37:42 +00:00			`.filter(Q(assets=asset) \| Q(nodes__key__in=node_keys))`
perf(perms): 优化根据资产获取授权的系统用户 2020-10-30 04:22:57 +00:00
perf(assets): 优化节点树修改树策略，做读优化，写的速度降低 2020-08-16 15:08:58 +00:00			`asset_protocols = asset.protocols_as_dict.keys()`
			`values = queryset.filter(`
			`system_users__protocol__in=asset_protocols`
			`).distinct().values_list('system_users', 'actions')`
			`system_users_actions = defaultdict(int)`

			`for system_user_id, actions in values:`
			`if None in (system_user_id, actions):`
			`continue`
			`system_users_actions[system_user_id] \|= actions`
			`return system_users_actions`


perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`def get_asset_system_user_ids_with_actions_by_user(user: User, asset: Asset):`
fix: 用户页面授权资产列表获取系统用户慢 (#5663) Co-authored-by: xinwen <coderWen@126.com> 2021-03-02 06:48:47 +00:00			`asset_perm_ids = get_user_all_asset_perm_ids(user)`
perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`return get_asset_system_user_ids_with_actions(asset_perm_ids, asset)`
Perf (#2929) * [Update] 优化性能 * [Update] 修改assets * [Update] 优化处理 * [Update] Youhua * [Update] 修改ungroup * [Update] 修改perms的api地址，去掉sysuser adminuser的可连接性 * [Update] 修改perms urls兼容 * [Update] 修改分类 * [Update] 修改信号 * [Update] 优化获取授权资产 * [Update] 添加注释 (#2928) * [update] 去掉nodes 的部分字段 * [Update] 删除不用的代码 * [Update] 拆分users * [Update] 修改用户的属性 2019-07-11 10:12:14 +00:00

feat: 为rdp 添加一个api 2021-02-23 06:37:42 +00:00			`def has_asset_system_permission(user: User, asset: Asset, system_user: SystemUser):`
perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`systemuser_actions_mapper = get_asset_system_user_ids_with_actions_by_user(user, asset)`
fix: 系统用户 actions 2021-11-16 03:12:59 +00:00			`actions = systemuser_actions_mapper.get(system_user.id, 0)`
feat: 为rdp 添加一个api 2021-02-23 06:37:42 +00:00			`if actions:`
			`return True`
			`return False`


perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`def get_asset_system_user_ids_with_actions_by_group(group: UserGroup, asset: Asset):`
fix: 用户页面授权资产列表获取系统用户慢 (#5663) Co-authored-by: xinwen <coderWen@126.com> 2021-03-02 06:48:47 +00:00			`asset_perm_ids = AssetPermission.objects.filter(`
			`user_groups=group`
			`).valid().values_list('id', flat=True).distinct()`
perf(project): 优化命名的风格 (#5693) perf: 修改错误的地 perf: 优化写错的几个 Co-authored-by: ibuler <ibuler@qq.com> 2021-03-08 02:08:51 +00:00			`return get_asset_system_user_ids_with_actions(asset_perm_ids, asset)`