2015-12-19 09:26:34 +00:00
|
|
|
|
# -*- coding: utf-8 -*-
|
2016-02-25 03:59:29 +00:00
|
|
|
|
from __future__ import unicode_literals
|
2015-04-16 11:03:02 +00:00
|
|
|
|
|
2015-02-09 00:40:54 +00:00
|
|
|
|
from django.db.models import Q
|
2015-12-26 02:12:00 +00:00
|
|
|
|
from django.http import HttpResponseBadRequest, HttpResponseNotAllowed
|
2015-12-19 09:26:34 +00:00
|
|
|
|
from paramiko import SSHException
|
|
|
|
|
from jperm.perm_api import *
|
|
|
|
|
|
2015-12-26 02:12:00 +00:00
|
|
|
|
from juser.models import User, UserGroup
|
|
|
|
|
from jasset.models import Asset, AssetGroup
|
|
|
|
|
from jperm.models import PermRole, PermRule, PermSudo, PermPush
|
2015-12-19 09:26:34 +00:00
|
|
|
|
from jumpserver.models import Setting
|
|
|
|
|
|
2016-02-23 15:29:15 +00:00
|
|
|
|
from jperm.utils import gen_keys, trans_all
|
2015-12-19 09:26:34 +00:00
|
|
|
|
from jperm.ansible_api import MyTask
|
2015-12-26 02:12:00 +00:00
|
|
|
|
from jperm.perm_api import get_role_info, get_role_push_host
|
|
|
|
|
from jumpserver.api import my_render, get_object, CRYPTOR
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
|
|
|
|
# 设置PERM APP Log
|
2016-01-26 07:37:12 +00:00
|
|
|
|
from jumpserver.api import logger
|
|
|
|
|
#logger = set_log(LOG_LEVEL, filename='jumpserver_perm.log')
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_rule_list(request):
|
|
|
|
|
"""
|
|
|
|
|
list rule page
|
|
|
|
|
授权规则列表
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "授权规则", "规则管理", "查看规则"
|
|
|
|
|
# 获取所有规则
|
|
|
|
|
rules_list = PermRule.objects.all()
|
|
|
|
|
rule_id = request.GET.get('id')
|
|
|
|
|
# TODO: 搜索和分页
|
2015-03-23 14:57:19 +00:00
|
|
|
|
keyword = request.GET.get('search', '')
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if rule_id:
|
|
|
|
|
rules_list = rules_list.filter(id=rule_id)
|
2015-03-23 14:57:19 +00:00
|
|
|
|
|
2015-03-11 09:59:15 +00:00
|
|
|
|
if keyword:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
rules_list = rules_list.filter(Q(name=keyword))
|
2015-03-11 09:59:15 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
rules_list, p, rules, page_range, current_page, show_first, show_end = pages(rules_list, request)
|
2015-03-11 09:59:15 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_rule_list.html', locals(), request)
|
2015-03-11 09:59:15 +00:00
|
|
|
|
|
2015-03-06 16:12:38 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_rule_detail(request):
|
|
|
|
|
"""
|
|
|
|
|
rule detail page
|
|
|
|
|
授权详情
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "授权规则", "规则管理", "规则详情"
|
2015-03-12 10:43:17 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
# 根据rule_id 取得rule对象
|
|
|
|
|
try:
|
|
|
|
|
if request.method == "GET":
|
|
|
|
|
rule_id = request.GET.get("id")
|
|
|
|
|
if not rule_id:
|
|
|
|
|
raise ServerError("Rule Detail - no rule id get")
|
|
|
|
|
rule_obj = PermRule.objects.get(id=rule_id)
|
|
|
|
|
user_obj = rule_obj.user.all()
|
|
|
|
|
user_group_obj = rule_obj.user_group.all()
|
|
|
|
|
asset_obj = rule_obj.asset.all()
|
|
|
|
|
asset_group_obj = rule_obj.asset_group.all()
|
|
|
|
|
roles_name = [role.name for role in rule_obj.role.all()]
|
|
|
|
|
|
|
|
|
|
# 渲染数据
|
|
|
|
|
roles_name = ','.join(roles_name)
|
|
|
|
|
rule = rule_obj
|
|
|
|
|
users = user_obj
|
|
|
|
|
user_groups = user_group_obj
|
|
|
|
|
assets = asset_obj
|
|
|
|
|
asset_groups = asset_group_obj
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
logger.warning(e)
|
|
|
|
|
|
|
|
|
|
return my_render('jperm/perm_rule_detail.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def perm_rule_add(request):
|
|
|
|
|
"""
|
|
|
|
|
add rule page
|
|
|
|
|
添加授权
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
|
|
|
|
|
|
|
|
|
|
# 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
|
|
|
|
|
users = User.objects.all()
|
|
|
|
|
user_groups = UserGroup.objects.all()
|
|
|
|
|
assets = Asset.objects.all()
|
|
|
|
|
asset_groups = AssetGroup.objects.all()
|
|
|
|
|
roles = PermRole.objects.all()
|
2015-02-03 15:03:51 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if request.method == 'POST':
|
|
|
|
|
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
|
|
|
|
|
users_select = request.POST.getlist('user', []) # 需要授权用户
|
|
|
|
|
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
|
|
|
|
|
assets_select = request.POST.getlist('asset', []) # 需要授权资产
|
|
|
|
|
asset_groups_select = request.POST.getlist('asset_group', []) # 需要授权资产组
|
|
|
|
|
roles_select = request.POST.getlist('role', []) # 需要授权角色
|
|
|
|
|
rule_name = request.POST.get('name')
|
|
|
|
|
rule_comment = request.POST.get('comment')
|
2015-02-03 15:03:51 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
try:
|
|
|
|
|
rule = get_object(PermRule, name=rule_name)
|
|
|
|
|
|
|
|
|
|
if rule:
|
|
|
|
|
raise ServerError(u'授权规则 %s 已存在' % rule_name)
|
|
|
|
|
|
|
|
|
|
if not rule_name or not roles_select:
|
|
|
|
|
raise ServerError(u'系统用户名称和规则名称不能为空')
|
|
|
|
|
|
|
|
|
|
# 获取需要授权的主机列表
|
|
|
|
|
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
|
|
|
|
|
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
|
|
|
|
|
group_assets_obj = []
|
|
|
|
|
for asset_group in asset_groups_obj:
|
|
|
|
|
group_assets_obj.extend(list(asset_group.asset_set.all()))
|
|
|
|
|
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
|
|
|
|
|
|
|
|
|
|
# 获取需要授权的用户列表
|
|
|
|
|
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
|
|
|
|
|
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
|
|
|
|
|
|
|
|
|
|
# 获取授予的角色列表
|
|
|
|
|
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
|
|
|
|
|
need_push_asset = set()
|
|
|
|
|
|
|
|
|
|
for role in roles_obj:
|
|
|
|
|
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
|
|
|
|
|
need_push_asset.update(set(calc_assets) & set(asset_no_push))
|
|
|
|
|
if need_push_asset:
|
|
|
|
|
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
|
|
|
|
|
% (role.name, ','.join([asset.hostname for asset in need_push_asset])))
|
|
|
|
|
|
|
|
|
|
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
|
|
|
|
|
rule = PermRule(name=rule_name, comment=rule_comment)
|
|
|
|
|
rule.save()
|
|
|
|
|
rule.user = users_obj
|
|
|
|
|
rule.user_group = user_groups_obj
|
|
|
|
|
rule.asset = assets_obj
|
|
|
|
|
rule.asset_group = asset_groups_obj
|
|
|
|
|
rule.role = roles_obj
|
|
|
|
|
rule.save()
|
|
|
|
|
|
|
|
|
|
msg = u"添加授权规则:%s" % rule.name
|
|
|
|
|
return HttpResponseRedirect(reverse('rule_list'))
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
error = e
|
|
|
|
|
return my_render('jperm/perm_rule_add.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_rule_edit(request):
|
|
|
|
|
"""
|
|
|
|
|
edit rule page
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
|
|
|
|
|
|
|
|
|
|
# 根据rule_id 取得rule对象
|
|
|
|
|
rule_id = request.GET.get("id")
|
|
|
|
|
rule = get_object(PermRule, id=rule_id)
|
|
|
|
|
|
|
|
|
|
# 渲染数据, 获取所选的rule对象
|
|
|
|
|
|
|
|
|
|
users = User.objects.all()
|
|
|
|
|
user_groups = UserGroup.objects.all()
|
|
|
|
|
assets = Asset.objects.all()
|
|
|
|
|
asset_groups = AssetGroup.objects.all()
|
|
|
|
|
roles = PermRole.objects.all()
|
|
|
|
|
|
|
|
|
|
if request.method == 'POST' and rule_id:
|
|
|
|
|
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
|
|
|
|
|
rule_name = request.POST.get('name')
|
|
|
|
|
rule_comment = request.POST.get("comment")
|
|
|
|
|
users_select = request.POST.getlist('user', [])
|
|
|
|
|
user_groups_select = request.POST.getlist('user_group', [])
|
|
|
|
|
assets_select = request.POST.getlist('asset', [])
|
|
|
|
|
asset_groups_select = request.POST.getlist('asset_group', [])
|
|
|
|
|
roles_select = request.POST.getlist('role', [])
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
if not rule_name or not roles_select:
|
|
|
|
|
raise ServerError(u'系统用户和关联系统用户不能为空')
|
|
|
|
|
|
|
|
|
|
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
|
|
|
|
|
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
|
|
|
|
|
group_assets_obj = []
|
|
|
|
|
for asset_group in asset_groups_obj:
|
|
|
|
|
group_assets_obj.extend(list(asset_group.asset_set.all()))
|
|
|
|
|
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
|
|
|
|
|
|
|
|
|
|
# 获取需要授权的用户列表
|
|
|
|
|
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
|
|
|
|
|
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
|
|
|
|
|
|
|
|
|
|
# 获取授予的角色列表
|
|
|
|
|
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
|
|
|
|
|
need_push_asset = set()
|
|
|
|
|
for role in roles_obj:
|
|
|
|
|
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
|
|
|
|
|
need_push_asset.update(set(calc_assets) & set(asset_no_push))
|
|
|
|
|
if need_push_asset:
|
|
|
|
|
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
|
|
|
|
|
% (role.name, ','.join([asset.hostname for asset in need_push_asset])))
|
|
|
|
|
|
|
|
|
|
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
|
|
|
|
|
rule.user = users_obj
|
|
|
|
|
rule.user_group = user_groups_obj
|
|
|
|
|
rule.asset = assets_obj
|
|
|
|
|
rule.asset_group = asset_groups_obj
|
|
|
|
|
rule.role = roles_obj
|
|
|
|
|
rule.name = rule_name
|
|
|
|
|
rule.comment = rule_comment
|
|
|
|
|
rule.save()
|
|
|
|
|
msg = u"更新授权规则:%s成功" % rule.name
|
2015-02-09 10:50:21 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
except ServerError, e:
|
|
|
|
|
error = e
|
2015-03-25 10:45:55 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_rule_edit.html', locals(), request)
|
2015-02-09 10:50:21 +00:00
|
|
|
|
|
2015-03-25 10:45:55 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_rule_delete(request):
|
|
|
|
|
"""
|
|
|
|
|
use to delete rule
|
|
|
|
|
:param request:
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
if request.method == 'POST':
|
|
|
|
|
# 根据rule_id 取得rule对象
|
|
|
|
|
rule_id = request.POST.get("id")
|
|
|
|
|
rule_obj = PermRule.objects.get(id=rule_id)
|
|
|
|
|
rule_obj.delete()
|
|
|
|
|
return HttpResponse(u"删除授权规则:%s" % rule_obj.name)
|
2015-03-25 10:45:55 +00:00
|
|
|
|
else:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return HttpResponse(u"不支持该操作")
|
2015-03-27 10:37:10 +00:00
|
|
|
|
|
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_list(request):
|
|
|
|
|
"""
|
|
|
|
|
list role page
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "系统用户", "系统用户管理", "查看系统用户"
|
2015-03-27 10:37:10 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
# 获取所有系统角色
|
|
|
|
|
roles_list = PermRole.objects.all()
|
|
|
|
|
role_id = request.GET.get('id')
|
|
|
|
|
# TODO: 搜索和分页
|
2015-03-27 10:37:10 +00:00
|
|
|
|
keyword = request.GET.get('search', '')
|
|
|
|
|
if keyword:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
roles_list = roles_list.filter(Q(name=keyword))
|
2015-02-09 16:21:08 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if role_id:
|
|
|
|
|
roles_list = roles_list.filter(id=role_id)
|
2015-02-09 16:21:08 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request)
|
2015-02-09 16:21:08 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_role_list.html', locals(), request)
|
2015-02-09 16:21:08 +00:00
|
|
|
|
|
2015-03-27 10:37:10 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_add(request):
|
|
|
|
|
"""
|
|
|
|
|
add role page
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
|
|
|
|
|
sudos = PermSudo.objects.all()
|
2015-03-27 10:37:10 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if request.method == "POST":
|
|
|
|
|
# 获取参数: name, comment
|
2016-01-04 03:43:17 +00:00
|
|
|
|
name = request.POST.get("role_name", "").strip()
|
2015-12-19 09:26:34 +00:00
|
|
|
|
comment = request.POST.get("role_comment", "")
|
|
|
|
|
password = request.POST.get("role_password", "")
|
|
|
|
|
key_content = request.POST.get("role_key", "")
|
|
|
|
|
sudo_ids = request.POST.getlist('sudo_name')
|
2015-04-15 04:07:59 +00:00
|
|
|
|
|
|
|
|
|
try:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if get_object(PermRole, name=name):
|
2015-12-22 15:05:38 +00:00
|
|
|
|
raise ServerError(u'已经存在该用户 %s' % name)
|
2016-01-04 03:43:17 +00:00
|
|
|
|
if name == "root":
|
|
|
|
|
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
|
2015-12-19 09:26:34 +00:00
|
|
|
|
default = get_object(Setting, name='default')
|
2015-02-10 13:52:59 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if password:
|
|
|
|
|
encrypt_pass = CRYPTOR.encrypt(password)
|
|
|
|
|
else:
|
|
|
|
|
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
|
|
|
|
|
# 生成随机密码,生成秘钥对
|
|
|
|
|
sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids]
|
|
|
|
|
if key_content:
|
2015-12-22 14:39:59 +00:00
|
|
|
|
try:
|
|
|
|
|
key_path = gen_keys(key=key_content)
|
|
|
|
|
except SSHException, e:
|
|
|
|
|
raise ServerError(e)
|
2015-12-19 09:26:34 +00:00
|
|
|
|
else:
|
|
|
|
|
key_path = gen_keys()
|
|
|
|
|
logger.debug('generate role key: %s' % key_path)
|
|
|
|
|
role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
|
|
|
|
|
role.save()
|
|
|
|
|
role.sudo = sudos_obj
|
|
|
|
|
msg = u"添加系统用户: %s" % name
|
|
|
|
|
return HttpResponseRedirect(reverse('role_list'))
|
2015-04-15 04:07:59 +00:00
|
|
|
|
except ServerError, e:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
error = e
|
|
|
|
|
return my_render('jperm/perm_role_add.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_delete(request):
|
|
|
|
|
"""
|
|
|
|
|
delete role page
|
|
|
|
|
"""
|
2016-01-05 09:22:25 +00:00
|
|
|
|
if request.method == "GET":
|
|
|
|
|
try:
|
|
|
|
|
# 获取参数删除的role对象
|
|
|
|
|
role_id = request.GET.get("id")
|
|
|
|
|
role = get_object(PermRole, id=role_id)
|
|
|
|
|
if not role:
|
|
|
|
|
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
|
|
|
|
|
raise ServerError(u"role_id %s 无数据记录" % role_id)
|
|
|
|
|
# 删除推送到主机上的role
|
|
|
|
|
filter_type = request.GET.get("filter_type")
|
|
|
|
|
print filter_type
|
|
|
|
|
if filter_type:
|
|
|
|
|
if filter_type == "recycle_assets":
|
|
|
|
|
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
|
|
|
|
|
print recycle_assets
|
|
|
|
|
recycle_assets_ip = ','.join([asset.ip for asset in recycle_assets])
|
|
|
|
|
return HttpResponse(recycle_assets_ip)
|
|
|
|
|
else:
|
|
|
|
|
return HttpResponse("no such filter_type: %s" % filter_type)
|
|
|
|
|
else:
|
|
|
|
|
return HttpResponse("filter_type: ?")
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
return HttpResponse(e)
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if request.method == "POST":
|
2015-12-26 02:12:00 +00:00
|
|
|
|
try:
|
|
|
|
|
# 获取参数删除的role对象
|
|
|
|
|
role_id = request.POST.get("id")
|
|
|
|
|
role = get_object(PermRole, id=role_id)
|
|
|
|
|
if not role:
|
2016-01-05 09:22:25 +00:00
|
|
|
|
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
|
|
|
|
|
raise ServerError(u"role_id %s 无数据记录" % role_id)
|
2015-12-26 02:12:00 +00:00
|
|
|
|
role_key = role.key_path
|
|
|
|
|
# 删除推送到主机上的role
|
|
|
|
|
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
|
|
|
|
|
logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets))
|
|
|
|
|
if recycle_assets:
|
|
|
|
|
recycle_resource = gen_resource(recycle_assets)
|
|
|
|
|
task = MyTask(recycle_resource)
|
|
|
|
|
try:
|
2016-01-07 07:15:44 +00:00
|
|
|
|
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
|
|
|
|
|
msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name)
|
2015-12-26 02:12:00 +00:00
|
|
|
|
except Exception, e:
|
|
|
|
|
logger.warning(u"Recycle Role failed: %s" % e)
|
|
|
|
|
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
|
2016-01-07 07:15:44 +00:00
|
|
|
|
logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg_del_user))
|
|
|
|
|
logger.info(u"delete role %s - execute delete sudo: %s" % (role.name, msg_del_sudo))
|
2015-12-26 02:12:00 +00:00
|
|
|
|
# TODO: 判断返回结果,处理异常
|
|
|
|
|
# 删除存储的秘钥,以及目录
|
|
|
|
|
try:
|
|
|
|
|
key_files = os.listdir(role_key)
|
|
|
|
|
for key_file in key_files:
|
|
|
|
|
os.remove(os.path.join(role_key, key_file))
|
|
|
|
|
os.rmdir(role_key)
|
|
|
|
|
except OSError, e:
|
|
|
|
|
logger.warning(u"Delete Role: delete key error, %s" % e)
|
|
|
|
|
raise ServerError(u"删除系统用户key失败: %s" % e)
|
|
|
|
|
logger.info(u"delete role %s - delete role key directory: %s" % (role.name, role_key))
|
|
|
|
|
# 数据库里删除记录
|
|
|
|
|
role.delete()
|
|
|
|
|
return HttpResponse(u"删除系统用户: %s" % role.name)
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
return HttpResponseBadRequest(u"删除失败, 原因: %s" % e)
|
|
|
|
|
return HttpResponseNotAllowed(u"仅支持POST")
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_detail(request):
|
|
|
|
|
"""
|
|
|
|
|
the role detail page
|
|
|
|
|
the role_info data like:
|
|
|
|
|
{'asset_groups': [],
|
|
|
|
|
'assets': [<Asset: 192.168.10.148>],
|
|
|
|
|
'rules': [<PermRule: PermRule object>],
|
|
|
|
|
'': [],
|
|
|
|
|
'': [<User: user1>]}
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
|
2015-02-09 00:40:54 +00:00
|
|
|
|
|
|
|
|
|
try:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if request.method == "GET":
|
|
|
|
|
role_id = request.GET.get("id")
|
|
|
|
|
if not role_id:
|
|
|
|
|
raise ServerError("not role id")
|
|
|
|
|
role = get_object(PermRole, id=role_id)
|
|
|
|
|
role_info = get_role_info(role_id)
|
|
|
|
|
|
|
|
|
|
# 渲染数据
|
|
|
|
|
rules = role_info.get("rules")
|
|
|
|
|
assets = role_info.get("assets")
|
|
|
|
|
asset_groups = role_info.get("asset_groups")
|
|
|
|
|
users = role_info.get("users")
|
|
|
|
|
user_groups = role_info.get("user_groups")
|
|
|
|
|
pushed_asset, need_push_asset = get_role_push_host(get_object(PermRole, id=role_id))
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
logger.warning(e)
|
|
|
|
|
|
|
|
|
|
return my_render('jperm/perm_role_detail.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_edit(request):
|
|
|
|
|
"""
|
|
|
|
|
edit role page
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户编辑"
|
|
|
|
|
|
|
|
|
|
# 渲染数据
|
|
|
|
|
role_id = request.GET.get("id")
|
|
|
|
|
role = PermRole.objects.get(id=role_id)
|
|
|
|
|
role_pass = CRYPTOR.decrypt(role.password)
|
|
|
|
|
sudo_all = PermSudo.objects.all()
|
|
|
|
|
role_sudos = role.sudo.all()
|
|
|
|
|
sudo_all = PermSudo.objects.all()
|
|
|
|
|
if request.method == "GET":
|
|
|
|
|
return my_render('jperm/perm_role_edit.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
if request.method == "POST":
|
|
|
|
|
# 获取 POST 数据
|
|
|
|
|
role_name = request.POST.get("role_name")
|
|
|
|
|
role_password = request.POST.get("role_password")
|
|
|
|
|
role_comment = request.POST.get("role_comment")
|
|
|
|
|
role_sudo_names = request.POST.getlist("sudo_name")
|
|
|
|
|
role_sudos = [PermSudo.objects.get(id=sudo_id) for sudo_id in role_sudo_names]
|
|
|
|
|
key_content = request.POST.get("role_key", "")
|
2015-02-10 13:52:59 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
try:
|
|
|
|
|
if not role:
|
|
|
|
|
raise ServerError('该系统用户不能存在')
|
|
|
|
|
|
2016-01-04 03:43:17 +00:00
|
|
|
|
if role_name == "root":
|
|
|
|
|
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
|
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if role_password:
|
|
|
|
|
encrypt_pass = CRYPTOR.encrypt(role_password)
|
|
|
|
|
role.password = encrypt_pass
|
|
|
|
|
# 生成随机密码,生成秘钥对
|
|
|
|
|
if key_content:
|
|
|
|
|
try:
|
|
|
|
|
key_path = gen_keys(key=key_content, key_path_dir=role.key_path)
|
|
|
|
|
except SSHException:
|
|
|
|
|
raise ServerError('输入的密钥不合法')
|
|
|
|
|
logger.debug('Recreate role key: %s' % role.key_path)
|
|
|
|
|
# 写入数据库
|
|
|
|
|
role.name = role_name
|
|
|
|
|
role.comment = role_comment
|
|
|
|
|
role.sudo = role_sudos
|
|
|
|
|
|
|
|
|
|
role.save()
|
|
|
|
|
msg = u"更新系统用户: %s" % role.name
|
|
|
|
|
return HttpResponseRedirect(reverse('role_list'))
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
error = e
|
|
|
|
|
|
|
|
|
|
return my_render('jperm/perm_role_edit.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_push(request):
|
|
|
|
|
"""
|
|
|
|
|
the role push page
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"
|
|
|
|
|
role_id = request.GET.get('id')
|
|
|
|
|
asset_ids = request.GET.get('asset_id')
|
|
|
|
|
role = get_object(PermRole, id=role_id)
|
|
|
|
|
assets = Asset.objects.all()
|
|
|
|
|
asset_groups = AssetGroup.objects.all()
|
|
|
|
|
if asset_ids:
|
|
|
|
|
need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]
|
|
|
|
|
|
|
|
|
|
if request.method == "POST":
|
|
|
|
|
# 获取推荐角色的名称列表
|
|
|
|
|
# 计算出需要推送的资产列表
|
|
|
|
|
asset_ids = request.POST.getlist("assets")
|
|
|
|
|
asset_group_ids = request.POST.getlist("asset_groups")
|
|
|
|
|
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
|
|
|
|
|
asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids]
|
|
|
|
|
group_assets_obj = []
|
|
|
|
|
for asset_group in asset_groups_obj:
|
|
|
|
|
group_assets_obj.extend(asset_group.asset_set.all())
|
|
|
|
|
calc_assets = list(set(assets_obj) | set(group_assets_obj))
|
2016-01-04 03:43:17 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
push_resource = gen_resource(calc_assets)
|
|
|
|
|
|
|
|
|
|
# 调用Ansible API 进行推送
|
|
|
|
|
password_push = True if request.POST.get("use_password") else False
|
|
|
|
|
key_push = True if request.POST.get("use_publicKey") else False
|
|
|
|
|
task = MyTask(push_resource)
|
|
|
|
|
ret = {}
|
|
|
|
|
|
|
|
|
|
# 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项
|
|
|
|
|
# 1. 以秘钥 方式推送角色
|
|
|
|
|
if key_push:
|
|
|
|
|
ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
|
|
|
|
|
ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
|
|
|
|
|
|
|
|
|
|
# 2. 推送账号密码
|
|
|
|
|
elif password_push:
|
|
|
|
|
ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
|
|
|
|
|
|
|
|
|
|
# 3. 推送sudo配置文件
|
|
|
|
|
if password_push or key_push:
|
|
|
|
|
sudo_list = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3)
|
|
|
|
|
if sudo_list:
|
|
|
|
|
ret['sudo'] = task.push_sudo_file([role], sudo_list)
|
|
|
|
|
|
|
|
|
|
logger.debug('推送role结果: %s' % ret)
|
|
|
|
|
success_asset = {}
|
|
|
|
|
failed_asset = {}
|
|
|
|
|
logger.debug(ret)
|
|
|
|
|
for push_type, result in ret.items():
|
|
|
|
|
if result.get('failed'):
|
|
|
|
|
for hostname, info in result.get('failed').items():
|
|
|
|
|
if hostname in failed_asset.keys():
|
|
|
|
|
if info in failed_asset.get(hostname):
|
|
|
|
|
failed_asset[hostname] += info
|
|
|
|
|
else:
|
|
|
|
|
failed_asset[hostname] = info
|
|
|
|
|
|
|
|
|
|
for push_type, result in ret.items():
|
|
|
|
|
if result.get('ok'):
|
|
|
|
|
for hostname, info in result.get('ok').items():
|
|
|
|
|
if hostname in failed_asset.keys():
|
|
|
|
|
continue
|
|
|
|
|
elif hostname in success_asset.keys():
|
|
|
|
|
if str(info) in success_asset.get(hostname, ''):
|
|
|
|
|
success_asset[hostname] += str(info)
|
|
|
|
|
else:
|
|
|
|
|
success_asset[hostname] = str(info)
|
|
|
|
|
|
|
|
|
|
# 推送成功 回写push表
|
|
|
|
|
for asset in calc_assets:
|
|
|
|
|
push_check = PermPush.objects.filter(role=role, asset=asset)
|
|
|
|
|
if push_check:
|
|
|
|
|
func = push_check.update
|
|
|
|
|
else:
|
|
|
|
|
def func(**kwargs):
|
|
|
|
|
PermPush(**kwargs).save()
|
2015-03-26 10:42:52 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if failed_asset.get(asset.hostname):
|
|
|
|
|
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False,
|
|
|
|
|
result=failed_asset.get(asset.hostname))
|
|
|
|
|
else:
|
|
|
|
|
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True)
|
2015-03-26 10:42:52 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
if not failed_asset:
|
|
|
|
|
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
|
2015-04-18 08:58:16 +00:00
|
|
|
|
else:
|
2015-12-30 07:38:28 +00:00
|
|
|
|
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name,
|
2015-12-19 09:26:34 +00:00
|
|
|
|
','.join(failed_asset.keys()),
|
|
|
|
|
','.join(success_asset.keys()))
|
|
|
|
|
return my_render('jperm/perm_role_push.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_sudo_list(request):
|
|
|
|
|
"""
|
|
|
|
|
list sudo commands alias
|
|
|
|
|
:param request:
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "Sudo命令", "别名管理", "查看别名"
|
|
|
|
|
|
|
|
|
|
# 获取所有sudo 命令别名
|
|
|
|
|
sudos_list = PermSudo.objects.all()
|
|
|
|
|
|
|
|
|
|
# TODO: 搜索和分页
|
|
|
|
|
keyword = request.GET.get('search', '')
|
|
|
|
|
if keyword:
|
|
|
|
|
sudos_list = sudos_list.filter(Q(name=keyword))
|
2015-04-09 03:27:36 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
sudos_list, p, sudos, page_range, current_page, show_first, show_end = pages(sudos_list, request)
|
2015-04-16 11:03:02 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_sudo_list.html', locals(), request)
|
2015-04-16 11:03:02 +00:00
|
|
|
|
|
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_sudo_add(request):
|
|
|
|
|
"""
|
|
|
|
|
list sudo commands alias
|
|
|
|
|
:param request:
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
|
2016-01-07 07:21:39 +00:00
|
|
|
|
try:
|
|
|
|
|
if request.method == "POST":
|
|
|
|
|
# 获取参数: name, comment
|
|
|
|
|
name = request.POST.get("sudo_name").strip().upper()
|
|
|
|
|
comment = request.POST.get("sudo_comment").strip()
|
|
|
|
|
commands = request.POST.get("sudo_commands").strip()
|
2015-03-26 10:42:52 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
if not name or not commands:
|
|
|
|
|
raise ServerError(u"sudo name 和 commands是必填项!")
|
2015-03-26 10:42:52 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
pattern = re.compile(r'[\n,\r]')
|
2016-02-23 15:29:15 +00:00
|
|
|
|
deal_space_commands = list_drop_str(pattern.split(commands), u'')
|
|
|
|
|
deal_all_commands = map(trans_all, deal_space_commands)
|
|
|
|
|
commands = ', '.join(deal_all_commands)
|
2016-01-07 07:21:39 +00:00
|
|
|
|
logger.debug(u'添加sudo %s: %s' % (name, commands))
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
if get_object(PermSudo, name=name):
|
|
|
|
|
error = 'Sudo别名 %s已经存在' % name
|
|
|
|
|
else:
|
|
|
|
|
sudo = PermSudo(name=name.strip(), comment=comment, commands=commands)
|
|
|
|
|
sudo.save()
|
|
|
|
|
msg = u"添加Sudo命令别名: %s" % name
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
error = e
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_sudo_add.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_sudo_edit(request):
|
|
|
|
|
"""
|
|
|
|
|
list sudo commands alias
|
|
|
|
|
:param request:
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
# 渲染数据
|
|
|
|
|
header_title, path1, path2 = "Sudo命令", "别名管理", "编辑别名"
|
|
|
|
|
|
|
|
|
|
sudo_id = request.GET.get("id")
|
|
|
|
|
sudo = PermSudo.objects.get(id=sudo_id)
|
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
try:
|
|
|
|
|
if request.method == "POST":
|
|
|
|
|
name = request.POST.get("sudo_name").upper()
|
|
|
|
|
commands = request.POST.get("sudo_commands")
|
|
|
|
|
comment = request.POST.get("sudo_comment")
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
if not name or not commands:
|
|
|
|
|
raise ServerError(u"sudo name 和 commands是必填项!")
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
pattern = re.compile(r'[\n,\r]')
|
2016-02-23 15:29:15 +00:00
|
|
|
|
deal_space_commands = list_drop_str(pattern.split(commands), u'')
|
|
|
|
|
deal_all_commands = map(trans_all, deal_space_commands)
|
|
|
|
|
commands = ', '.join(deal_all_commands).strip()
|
2016-01-07 07:21:39 +00:00
|
|
|
|
logger.debug(u'添加sudo %s: %s' % (name, commands))
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
sudo.name = name.strip()
|
|
|
|
|
sudo.commands = commands
|
|
|
|
|
sudo.comment = comment
|
|
|
|
|
sudo.save()
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
2016-01-07 07:21:39 +00:00
|
|
|
|
msg = u"更新命令别名: %s" % name
|
|
|
|
|
except ServerError, e:
|
|
|
|
|
error = e
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return my_render('jperm/perm_sudo_edit.html', locals(), request)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_sudo_delete(request):
|
|
|
|
|
"""
|
|
|
|
|
list sudo commands alias
|
|
|
|
|
:param request:
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
if request.method == "POST":
|
|
|
|
|
# 获取参数删除的role对象
|
|
|
|
|
sudo_id = request.POST.get("id")
|
|
|
|
|
sudo = PermSudo.objects.get(id=sudo_id)
|
|
|
|
|
# 数据库里删除记录
|
|
|
|
|
sudo.delete()
|
|
|
|
|
return HttpResponse(u"删除系统用户: %s" % sudo.name)
|
2015-04-04 04:47:07 +00:00
|
|
|
|
else:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return HttpResponse(u"不支持该操作")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('admin')
|
|
|
|
|
def perm_role_recycle(request):
|
|
|
|
|
role_id = request.GET.get('role_id')
|
|
|
|
|
asset_ids = request.GET.get('asset_id').split(',')
|
|
|
|
|
|
|
|
|
|
# 仅有推送的角色才回收
|
|
|
|
|
assets = [get_object(Asset, id=asset_id) for asset_id in asset_ids]
|
|
|
|
|
recycle_assets = []
|
|
|
|
|
for asset in assets:
|
|
|
|
|
if True in [push.success for push in asset.perm_push.all()]:
|
|
|
|
|
recycle_assets.append(asset)
|
|
|
|
|
recycle_resource = gen_resource(recycle_assets)
|
|
|
|
|
task = MyTask(recycle_resource)
|
2016-02-25 03:59:29 +00:00
|
|
|
|
try:
|
|
|
|
|
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
|
|
|
|
|
msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name)
|
|
|
|
|
logger.info("recycle user msg: %s" % msg_del_user)
|
|
|
|
|
logger.info("recycle sudo msg: %s" % msg_del_sudo)
|
|
|
|
|
except Exception, e:
|
|
|
|
|
logger.warning("Recycle Role failed: %s" % e)
|
|
|
|
|
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
|
2015-12-19 09:26:34 +00:00
|
|
|
|
|
|
|
|
|
for asset_id in asset_ids:
|
|
|
|
|
asset = get_object(Asset, id=asset_id)
|
|
|
|
|
assets.append(asset)
|
|
|
|
|
role = get_object(PermRole, id=role_id)
|
|
|
|
|
PermPush.objects.filter(asset=asset, role=role).delete()
|
|
|
|
|
|
|
|
|
|
return HttpResponse('删除成功')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@require_role('user')
|
|
|
|
|
def perm_role_get(request):
|
|
|
|
|
asset_id = request.GET.get('id', 0)
|
|
|
|
|
if asset_id:
|
|
|
|
|
asset = get_object(Asset, id=asset_id)
|
|
|
|
|
if asset:
|
|
|
|
|
role = user_have_perm(request.user, asset=asset)
|
2015-12-25 12:26:31 +00:00
|
|
|
|
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return HttpResponse(','.join([i.name for i in role]))
|
2015-04-19 10:36:41 +00:00
|
|
|
|
else:
|
2015-12-19 09:26:34 +00:00
|
|
|
|
roles = get_group_user_perm(request.user).get('role').keys()
|
|
|
|
|
return HttpResponse(','.join(i.name for i in roles))
|
2015-04-04 04:47:07 +00:00
|
|
|
|
|
2015-12-19 09:26:34 +00:00
|
|
|
|
return HttpResponse('error')
|
2015-04-04 04:47:07 +00:00
|
|
|
|
|