From 6fe6342ca4bba651084ff9c3a4f540b8a3d1c9f8 Mon Sep 17 00:00:00 2001 From: ibuler Date: Wed, 25 Nov 2015 14:59:57 +0800 Subject: [PATCH] =?UTF-8?q?=E8=A7=92=E8=89=B2key=E9=97=AE=E9=A2=98?= =?UTF-8?q?=E4=BF=AE=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- jperm/utils.py | 18 ++---- jperm/views.py | 98 +++++++++++++++-------------- jumpserver/api.py | 13 ++-- static/css/style.css | 4 +- templates/jperm/perm_role_add.html | 81 +++++++++++------------- templates/jperm/perm_role_edit.html | 73 +++++++++------------ templates/jperm/perm_role_list.html | 1 - templates/setting.html | 43 ++++++++++++- 8 files changed, 175 insertions(+), 156 deletions(-) diff --git a/jperm/utils.py b/jperm/utils.py index 8561eb8f7..0d8cf3265 100644 --- a/jperm/utils.py +++ b/jperm/utils.py @@ -6,6 +6,7 @@ import os.path from paramiko.rsakey import RSAKey from jumpserver.api import mkdir from uuid import uuid4 +from jumpserver.api import CRYPTOR from jumpserver.settings import KEY_DIR @@ -14,18 +15,7 @@ def get_rand_pass(): """ get a reandom password. """ - lower = [chr(i) for i in range(97,123)] - upper = [chr(i).upper() for i in range(97,123)] - digit = [str(i) for i in range(10)] - password_pool = [] - password_pool.extend(lower) - password_pool.extend(upper) - password_pool.extend(digit) - pass_list = [random.choice(password_pool) for i in range(1,14)] - pass_list.insert(random.choice(range(1,14)), '@') - pass_list.insert(random.choice(range(1,14)), random.choice(digit)) - password = ''.join(pass_list) - return password + CRYPTOR.gen_rand_pass(20) def updates_dict(*args): @@ -38,7 +28,7 @@ def updates_dict(*args): return result -def gen_keys(): +def gen_keys(gen=True): """ 在KEY_DIR下创建一个 uuid命名的目录, 并且在该目录下 生产一对秘钥 @@ -47,6 +37,8 @@ def gen_keys(): key_basename = "key-" + uuid4().hex key_path_dir = os.path.join(KEY_DIR, 'role_key', key_basename) mkdir(key_path_dir, mode=0755) + if not gen: + return key_path_dir key = RSAKey.generate(2048) private_key = os.path.join(key_path_dir, 'id_rsa') public_key = os.path.join(key_path_dir, 'id_rsa.pub') diff --git a/jperm/views.py b/jperm/views.py index 0128bfca2..f550f8e13 100644 --- a/jperm/views.py +++ b/jperm/views.py @@ -255,36 +255,41 @@ def perm_role_add(request): # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "添加角色" - if request.method == "GET": - default_password = get_rand_pass() - return my_render('jperm/perm_role_add.html', locals(), request) - - elif request.method == "POST": + if request.method == "POST": # 获取参数: name, comment - name = request.POST.get("role_name") - comment = request.POST.get("role_comment") - password = request.POST.get("role_password") - encrypt_pass = CRYPTOR.encrypt(password) - # 生成随机密码,生成秘钥对 + name = request.POST.get("role_name", "") + comment = request.POST.get("role_comment", "") + password = request.POST.get("role_password", "") + key_content = request.POST.get("role_key", "") + try: + if get_object(PermRole, name=name): + raise ServerError('已经存在该用户 %s' % name) - key_path = gen_keys() - role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) - role.save() - - msg = u"添加角色: %s" % name - # 渲染 刷新数据 - header_title, path1, path2 = "系统角色", "角色管理", "查看角色" - roles_list = PermRole.objects.all() - # TODO: 搜索和分页 - keyword = request.GET.get('search', '') - if keyword: - roles_list = roles_list.filter(Q(name=keyword)) - - roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request) - return my_render('jperm/perm_role_list.html', locals(), request) + if '' == password and '' == key_content: + raise ServerError('账号和密码必填一项') + if password: + encrypt_pass = CRYPTOR.encrypt(password) + else: + encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) + # 生成随机密码,生成秘钥对 + if key_content: + key_path = gen_keys(gen=False) + with open(os.path.join(key_path, 'id_rsa'), 'w') as f: + f.write(key_content) + else: + key_path = gen_keys() + logger.debug('generate role key: %s' % key_path) + role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) + role.save() + msg = u"添加角色: %s" % name + return HttpResponseRedirect('/perm/role/') + except ServerError, e: + error = e else: return HttpResponse(u"不支持该操作") + return my_render('jperm/perm_role_add.html', locals(), request) + @require_role('admin') def perm_role_delete(request): @@ -346,36 +351,37 @@ def perm_role_edit(request): # 渲染数据 role_id = request.GET.get("id") - role = PermRole.objects.get(id=role_id) - role_pass = CRYPTOR.decrypt(role.password) - if request.method == "GET": - return my_render('jperm/perm_role_edit.html', locals(), request) + role = get_object(PermRole, id=role_id) if request.method == "POST": # 获取 POST 数据 role_name = request.POST.get("role_name") role_password = request.POST.get("role_password") - encrypt_role_pass = CRYPTOR.encrypt(role_password) role_comment = request.POST.get("role_comment") + key_content = request.POST.get("role_key", "") + try: + if not role: + raise ServerError('角色用户不能存在') - # 写入数据库 - role.name = role_name - role.password = encrypt_role_pass - role.comment = role_comment + if role_password: + encrypt_pass = CRYPTOR.encrypt(role_password) + role.password = encrypt_pass + # 生成随机密码,生成秘钥对 + if key_content: + with open(os.path.join(role.key_path, 'id_rsa'), 'w') as f: + f.write(key_content) + logger.debug('Recreate role key: %s' % role.key_path) + # 写入数据库 + role.name = role_name + role.comment = role_comment - role.save() - msg = u"更新系统角色: %s" % role.name + role.save() + msg = u"更新系统角色: %s" % role.name + return HttpResponseRedirect('/jperm/role/') + except ServerError, e: + error = e - # 渲染 刷新数据 - header_title, path1, path2 = "系统角色", "角色管理", "查看角色" - roles_list = PermRole.objects.all() - # TODO: 搜索和分页 - keyword = request.GET.get('search', '') - if keyword: - roles_list = roles_list.filter(Q(name=keyword)) - - roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request) - return my_render('jperm/perm_role_list.html', locals(), request) + return my_render('jperm/perm_role_edit.html', locals(), request) @require_role('admin') diff --git a/jumpserver/api.py b/jumpserver/api.py index fa53587f2..d36b306d2 100644 --- a/jumpserver/api.py +++ b/jumpserver/api.py @@ -48,6 +48,9 @@ def set_log(level): def get_asset_info(asset): + """ + 获取资产的相关账号端口信息 + """ default = get_object(Setting, name='default') info = {'hostname': asset.hostname, 'ip': asset.ip} if asset.use_default_auth: @@ -68,6 +71,9 @@ def get_asset_info(asset): def get_role(user, asset): + """ + 获取用户在这个资产上的授权角色列表 + """ roles = [] rules = PermRule.objects.filter(user=user, asset=asset) for rule in rules: @@ -77,20 +83,19 @@ def get_role(user, asset): def get_role_key(user, role): """ - 由于role的key的权限是所有人可以读的, ansible要求为600,所以拷贝一份到特殊目录 + 由于role的key的权限是所有人可以读的, ansible执行命令等要求为600,所以拷贝一份到特殊目录 :param user: :param role: :return: self key path """ user_role_key_dir = os.path.join(KEY_DIR, 'user') user_role_key_path = os.path.join(user_role_key_dir, '%s_%s.pem' % (user.username, role.name)) - mkdir(user_role_key_dir, mode=777) + mkdir(user_role_key_dir, mode=0777) if not os.path.isfile(user_role_key_path): with open(os.path.join(role.key_path, 'id_rsa')) as fk: with open(user_role_key_path, 'w') as fu: fu.write(fk.read()) - - print user_role_key_path, user.username + logger.debug("创建新的用户角色key %s" % user_role_key_path) chown(user_role_key_path, user.username) os.chmod(user_role_key_path, 0600) return user_role_key_path diff --git a/static/css/style.css b/static/css/style.css index 1257e3571..b8a15d909 100644 --- a/static/css/style.css +++ b/static/css/style.css @@ -4566,4 +4566,6 @@ body.skin-3 { .form-group.required .control-label:after { content: " *"; color: red; -} \ No newline at end of file +} + +.n-invalid {border: 1px solid #f00;} diff --git a/templates/jperm/perm_role_add.html b/templates/jperm/perm_role_add.html index ef0753982..b50c2a778 100644 --- a/templates/jperm/perm_role_add.html +++ b/templates/jperm/perm_role_add.html @@ -26,7 +26,7 @@
-
+ {% if error %}
{{ error }}
{% endif %} @@ -41,9 +41,18 @@
- +
- + + 如果不添加密码,会自动生成 +
+
+
+
+ +
+ + 如果不添加密钥,会自动生成, 密码密钥必填一项
@@ -69,52 +78,34 @@ {% endblock %} {% block self_footer_js %} - - {% endblock %} diff --git a/templates/jperm/perm_role_edit.html b/templates/jperm/perm_role_edit.html index 3b5637560..ba3ec94a1 100644 --- a/templates/jperm/perm_role_edit.html +++ b/templates/jperm/perm_role_edit.html @@ -26,7 +26,7 @@
- + {% if error %}
{{ error }}
{% endif %} @@ -41,9 +41,18 @@
- +
- + + 不修改请留空 +
+
+
+
+ +
+ + 不修改请留空
@@ -69,49 +78,25 @@ {% endblock %} {% block self_footer_js %} diff --git a/templates/jperm/perm_role_list.html b/templates/jperm/perm_role_list.html index 045012ccd..c3deffa2d 100644 --- a/templates/jperm/perm_role_list.html +++ b/templates/jperm/perm_role_list.html @@ -34,7 +34,6 @@
添加角色 推送角色 - 删除所选
diff --git a/templates/setting.html b/templates/setting.html index de6264d46..6324b5a89 100644 --- a/templates/setting.html +++ b/templates/setting.html @@ -37,7 +37,7 @@
- + {% if error %}
{{ error }}
{% endif %} @@ -71,7 +71,7 @@
- 如果不修改密钥,请留空 + 如果不修改密钥,请留空, 密钥密码必填一项
@@ -101,4 +101,43 @@
+{% endblock %} +{% block self_footer_js %} + {% endblock %} \ No newline at end of file