jumpserver/apps/rbac/permissions.py

from rest_framework import permissions, exceptions

from common.utils import get_logger

logger = get_logger(__name__)


class RBACPermission(permissions.DjangoModelPermissions):
    default_rbac_perms_tmpl = (
        ('list', '%(app_label)s.view_%(model_name)s'),
        ('retrieve', '%(app_label)s.view_%(model_name)s'),
        ('create', '%(app_label)s.add_%(model_name)s'),
        ('update', '%(app_label)s.change_%(model_name)s'),
        ('partial_update', '%(app_label)s.change_%(model_name)s'),
        ('destroy', '%(app_label)s.delete_%(model_name)s'),
        ('bulk_update', '%(app_label)s.change_%(model_name)s'),
        ('partial_bulk_update', '%(app_label)s.change_%(model_name)s'),
        ('bulk_destroy', '%(app_label)s.delete_%(model_name)s'),
        ('render_to_json', '%(app_label)s.add_%(model_name)s'),
        ('metadata', ''),
        ('GET', '%(app_label)s.view_%(model_name)s'),
        ('OPTIONS', ''),
        ('HEAD', '%(app_label)s.view_%(model_name)s'),
        ('POST', '%(app_label)s.add_%(model_name)s'),
        ('PUT', '%(app_label)s.change_%(model_name)s'),
        ('PATCH', '%(app_label)s.change_%(model_name)s'),
        ('DELETE', '%(app_label)s.delete_%(model_name)s'),
    )
    # rbac_perms = ((), ())
    # def get_rbac_perms():
    #     return {}

    @staticmethod
    def format_perms(perms_tmpl, model_cls):
        perms = set()
        if not perms_tmpl:
            return perms
        if isinstance(perms_tmpl, str):
            perms_tmpl = [perms_tmpl]
        for perm_tmpl in perms_tmpl:
            perm = perm_tmpl % {
                'app_label': model_cls._meta.app_label,
                'model_name': model_cls._meta.model_name
            }
            perms.add(perm)
        return perms

    @classmethod
    def parse_action_model_perms(cls, action, model_cls):
        perm_tmpl = dict(cls.default_rbac_perms_tmpl).get(action)
        return cls.format_perms(perm_tmpl, model_cls)

    def get_default_action_perms(self, model_cls):
        if model_cls is None:
            return {}
        perms = {}
        for action, tmpl in dict(self.default_rbac_perms_tmpl).items():
            perms[action] = self.format_perms(tmpl, model_cls)
        return perms

    def get_rbac_perms(self, view, model_cls) -> dict:
        if hasattr(view, 'get_rbac_perms'):
            return dict(view.get_rbac_perms())
        perms = self.get_default_action_perms(model_cls)
        if hasattr(view, 'rbac_perms'):
            perms.update(dict(view.rbac_perms))
        return perms

    def _get_action_perms(self, action, model_cls, view):
        action_perms_map = self.get_rbac_perms(view, model_cls)
        if action not in action_perms_map:
            msg = 'Action not allowed: {}, only `{}` supported'.format(
                action, ','.join(list(action_perms_map.keys()))
            )
            logger.error(msg)
            raise exceptions.PermissionDenied(msg)
        perms = action_perms_map[action]
        return perms

    def get_require_perms(self, request, view):
        """
        获取 request, view 需要的 perms
        :param request:
        :param view:
        :return:
        """
        try:
            queryset = self._queryset(view)
            model_cls = queryset.model
        except AssertionError:
            model_cls = None

        action = getattr(view, 'action', None)
        if not action:
            action = request.method
        perms = self._get_action_perms(action, model_cls, view)
        return perms

    def has_permission(self, request, view):
        # Workaround to ensure DjangoModelPermissions are not applied
        # to the root view when using DefaultRouter.
        if getattr(view, '_ignore_rbac_permissions', False):
            return True
        if not request.user:
            return False
        if request.user.is_anonymous and self.authenticated_users_only:
            return False

        action = getattr(view, 'action', None)
        if action == 'metadata':
            return True

        perms = self.get_require_perms(request, view)
        if isinstance(perms, str):
            perms = [perms]
        has = request.user.has_perms(perms)
        logger.debug('View require perms: {}, result: {}'.format(perms, has))
        return has
fix: fix rbac to dev (#7636) * feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com> 3 years ago			`from rest_framework import permissions, exceptions`

			`from common.utils import get_logger`

			`logger = get_logger(__name__)`


			`class RBACPermission(permissions.DjangoModelPermissions):`
			`default_rbac_perms_tmpl = (`
			`('list', '%(app_label)s.view_%(model_name)s'),`
			`('retrieve', '%(app_label)s.view_%(model_name)s'),`
			`('create', '%(app_label)s.add_%(model_name)s'),`
			`('update', '%(app_label)s.change_%(model_name)s'),`
			`('partial_update', '%(app_label)s.change_%(model_name)s'),`
			`('destroy', '%(app_label)s.delete_%(model_name)s'),`
fix: 修复批量操作权限bug 3 years ago			`('bulk_update', '%(app_label)s.change_%(model_name)s'),`
			`('partial_bulk_update', '%(app_label)s.change_%(model_name)s'),`
			`('bulk_destroy', '%(app_label)s.delete_%(model_name)s'),`
Fix rbac (#7728) * perf: 重命名 signal handlers * fix: 修复 ticket processor 问题 * perf: 修改 ticket 处理人api * fix: 修复创建系统账号bug * fix: 升级celery_beat==2.2.1和flower==1.0.0;修改celery进程启动参数先后顺序 * perf: 修改 authentication token * fix: 修复上传权限bug * fix: 登录页面增加i18n切换; * fix: 系统角色删除限制 * perf: 修改一下 permissions tree * perf: 生成 i18n * perf: 修改一点点 Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: Jiangjie.Bai <bugatti_it@163.com> 3 years ago			`('render_to_json', '%(app_label)s.add_%(model_name)s'),`
fix: fix rbac to dev (#7636) * feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com> 3 years ago			`('metadata', ''),`
			`('GET', '%(app_label)s.view_%(model_name)s'),`
			`('OPTIONS', ''),`
			`('HEAD', '%(app_label)s.view_%(model_name)s'),`
			`('POST', '%(app_label)s.add_%(model_name)s'),`
			`('PUT', '%(app_label)s.change_%(model_name)s'),`
			`('PATCH', '%(app_label)s.change_%(model_name)s'),`
			`('DELETE', '%(app_label)s.delete_%(model_name)s'),`
			`)`
			`# rbac_perms = ((), ())`
			`# def get_rbac_perms():`
			`# return {}`

			`@staticmethod`
			`def format_perms(perms_tmpl, model_cls):`
			`perms = set()`
			`if not perms_tmpl:`
			`return perms`
			`if isinstance(perms_tmpl, str):`
			`perms_tmpl = [perms_tmpl]`
			`for perm_tmpl in perms_tmpl:`
			`perm = perm_tmpl % {`
			`'app_label': model_cls._meta.app_label,`
			`'model_name': model_cls._meta.model_name`
			`}`
			`perms.add(perm)`
			`return perms`

			`@classmethod`
			`def parse_action_model_perms(cls, action, model_cls):`
			`perm_tmpl = dict(cls.default_rbac_perms_tmpl).get(action)`
			`return cls.format_perms(perm_tmpl, model_cls)`

			`def get_default_action_perms(self, model_cls):`
			`if model_cls is None:`
			`return {}`
			`perms = {}`
			`for action, tmpl in dict(self.default_rbac_perms_tmpl).items():`
			`perms[action] = self.format_perms(tmpl, model_cls)`
			`return perms`

			`def get_rbac_perms(self, view, model_cls) -> dict:`
			`if hasattr(view, 'get_rbac_perms'):`
			`return dict(view.get_rbac_perms())`
			`perms = self.get_default_action_perms(model_cls)`
			`if hasattr(view, 'rbac_perms'):`
			`perms.update(dict(view.rbac_perms))`
			`return perms`

			`def _get_action_perms(self, action, model_cls, view):`
			`action_perms_map = self.get_rbac_perms(view, model_cls)`
			`if action not in action_perms_map:`
			msg = 'Action not allowed: {}, only `{}` supported'.format(
			`action, ','.join(list(action_perms_map.keys()))`
			`)`
			`logger.error(msg)`
			`raise exceptions.PermissionDenied(msg)`
			`perms = action_perms_map[action]`
			`return perms`

			`def get_require_perms(self, request, view):`
			`"""`
			`获取 request, view 需要的 perms`
			`:param request:`
			`:param view:`
			`:return:`
			`"""`
			`try:`
			`queryset = self._queryset(view)`
			`model_cls = queryset.model`
			`except AssertionError:`
			`model_cls = None`

			`action = getattr(view, 'action', None)`
			`if not action:`
			`action = request.method`
			`perms = self._get_action_perms(action, model_cls, view)`
			`return perms`

			`def has_permission(self, request, view):`
			`# Workaround to ensure DjangoModelPermissions are not applied`
			`# to the root view when using DefaultRouter.`
			`if getattr(view, '_ignore_rbac_permissions', False):`
			`return True`
			`if not request.user:`
			`return False`
			`if request.user.is_anonymous and self.authenticated_users_only:`
			`return False`

			`action = getattr(view, 'action', None)`
			`if action == 'metadata':`
			`return True`

			`perms = self.get_require_perms(request, view)`
			`if isinstance(perms, str):`
			`perms = [perms]`
			`has = request.user.has_perms(perms)`
			`logger.debug('View require perms: {}, result: {}'.format(perms, has))`
			`return has`