+ {% trans 'Loading' %} ...
diff --git a/apps/assets/templates/assets/asset_list.html b/apps/assets/templates/assets/asset_list.html
index 9e994eba8..58e0d86e5 100644
--- a/apps/assets/templates/assets/asset_list.html
+++ b/apps/assets/templates/assets/asset_list.html
@@ -124,7 +124,6 @@
-{% include 'assets/_node_tree.html' %}
{% include 'assets/_asset_update_modal.html' %}
{% include 'assets/_asset_import_modal.html' %}
{% include 'assets/_asset_list_modal.html' %}
diff --git a/apps/assets/utils.py b/apps/assets/utils.py
index 473f6c46b..222933f94 100644
--- a/apps/assets/utils.py
+++ b/apps/assets/utils.py
@@ -59,6 +59,8 @@ class TreeService(Tree):
tag_sep = ' / '
cache_key = '_NODE_FULL_TREE'
cache_time = 3600
+ has_empty_node = False
+ has_ungrouped_node = False
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
@@ -119,9 +121,9 @@ class TreeService(Tree):
return [self.get_node(i, deep=deep) for i in ancestor_ids]
def get_node_full_tag(self, nid):
- ancestors = self.ancestors(nid)
+ ancestors = self.ancestors(nid, with_self=True)
ancestors.reverse()
- return self.tag_sep.join(n.tag for n in ancestors)
+ return self.tag_sep.join([n.tag for n in ancestors])
def get_family(self, nid, deep=False):
ancestors = self.ancestors(nid, with_self=False, deep=deep)
diff --git a/apps/jumpserver/settings.py b/apps/jumpserver/settings.py
index 803c62b83..27df6314f 100644
--- a/apps/jumpserver/settings.py
+++ b/apps/jumpserver/settings.py
@@ -290,10 +290,10 @@ LOGGING = {
'handlers': ['syslog'],
'level': 'INFO'
},
- 'django.db': {
- 'handlers': ['console', 'file'],
- 'level': 'DEBUG'
- }
+ # 'django.db': {
+ # 'handlers': ['console', 'file'],
+ # 'level': 'DEBUG'
+ # }
}
}
diff --git a/apps/orgs/mixins/models.py b/apps/orgs/mixins/models.py
index 3f54e14a7..672b975dc 100644
--- a/apps/orgs/mixins/models.py
+++ b/apps/orgs/mixins/models.py
@@ -64,8 +64,11 @@ class OrgModelMixin(models.Model):
sep = '@'
def save(self, *args, **kwargs):
- if current_org is not None and current_org.is_real():
- self.org_id = current_org.id
+ org = get_current_org()
+ if org is not None and (org.is_real() or org.is_system()):
+ self.org_id = org.id
+ elif org is not None and org.is_default():
+ self.org_id = ''
return super().save(*args, **kwargs)
@property
diff --git a/apps/orgs/models.py b/apps/orgs/models.py
index e46c2b55d..03b46e9bc 100644
--- a/apps/orgs/models.py
+++ b/apps/orgs/models.py
@@ -21,6 +21,8 @@ class Organization(models.Model):
ROOT_NAME = 'ROOT'
DEFAULT_ID = 'DEFAULT'
DEFAULT_NAME = 'DEFAULT'
+ SYSTEM_ID = '00000000-0000-0000-0000-000000000002'
+ SYSTEM_NAME = 'SYSTEM'
_user_admin_orgs = None
class Meta:
@@ -55,6 +57,8 @@ class Organization(models.Model):
return cls.default()
elif id_or_name in [cls.ROOT_ID, cls.ROOT_NAME]:
return cls.root()
+ elif id_or_name in [cls.SYSTEM_ID, cls.SYSTEM_NAME]:
+ return cls.system()
try:
if is_uuid(id_or_name):
@@ -89,7 +93,7 @@ class Organization(models.Model):
return False
def is_real(self):
- return self.id not in (self.DEFAULT_NAME, self.ROOT_ID)
+ return self.id not in (self.DEFAULT_NAME, self.ROOT_ID, self.SYSTEM_ID)
@classmethod
def get_user_admin_orgs(cls, user):
@@ -111,17 +115,18 @@ class Organization(models.Model):
def root(cls):
return cls(id=cls.ROOT_ID, name=cls.ROOT_NAME)
+ @classmethod
+ def system(cls):
+ return cls(id=cls.SYSTEM_ID, name=cls.SYSTEM_NAME)
+
def is_root(self):
- if self.id is self.ROOT_ID:
- return True
- else:
- return False
+ return self.id is self.ROOT_ID
def is_default(self):
- if self.id is self.DEFAULT_ID:
- return True
- else:
- return False
+ return self.id is self.DEFAULT_ID
+
+ def is_system(self):
+ return self.id is self.SYSTEM_ID
def change_to(self):
from .utils import set_current_org
diff --git a/apps/orgs/utils.py b/apps/orgs/utils.py
index 8f380b169..90dde34d4 100644
--- a/apps/orgs/utils.py
+++ b/apps/orgs/utils.py
@@ -1,6 +1,7 @@
# -*- coding: utf-8 -*-
#
from werkzeug.local import LocalProxy
+from contextlib import contextmanager
from common.local import thread_local
from .models import Organization
@@ -52,4 +53,22 @@ def get_current_org_id_for_serializer():
return org_id
+@contextmanager
+def tmp_to_root_org():
+ ori_org = get_current_org()
+ set_to_root_org()
+ yield
+ if ori_org is not None:
+ set_current_org(ori_org)
+
+
+@contextmanager
+def tmp_to_org(org):
+ ori_org = get_current_org()
+ set_current_org(org)
+ yield
+ if ori_org is not None:
+ set_current_org(ori_org)
+
+
current_org = LocalProxy(get_current_org)
diff --git a/apps/perms/api/asset_permission.py b/apps/perms/api/asset_permission.py
index 0c9a43ae5..36bf00d9d 100644
--- a/apps/perms/api/asset_permission.py
+++ b/apps/perms/api/asset_permission.py
@@ -40,24 +40,14 @@ class AssetPermissionViewSet(viewsets.ModelViewSet):
return self.serializer_class
def filter_valid(self, queryset):
- valid = self.request.query_params.get('is_valid', None)
- if valid is None:
+ valid_query = self.request.query_params.get('is_valid', None)
+ if valid_query is None:
return queryset
- if valid in ['0', 'N', 'false', 'False']:
- valid = False
+ invalid = valid_query in ['0', 'N', 'false', 'False']
+ if invalid:
+ queryset = queryset.invalid()
else:
- valid = True
- now = timezone.now()
- if valid:
- queryset = queryset.filter(is_active=True).filter(
- date_start__lt=now, date_expired__gt=now,
- )
- else:
- queryset = queryset.filter(
- Q(is_active=False) |
- Q(date_start__gt=now) |
- Q(date_expired__lt=now)
- )
+ queryset = queryset.valid()
return queryset
def filter_system_user(self, queryset):
diff --git a/apps/perms/api/user_permission.py b/apps/perms/api/user_permission.py
index bb29ce6a1..f965f8ec4 100644
--- a/apps/perms/api/user_permission.py
+++ b/apps/perms/api/user_permission.py
@@ -15,10 +15,6 @@ from orgs.utils import set_to_root_org
from ..utils import (
ParserNode, AssetPermissionUtilV2
)
-from .mixin import (
- UserPermissionCacheMixin, GrantAssetsMixin, NodesWithUngroupMixin
-)
-from .. import const
from ..hands import User, Asset, Node, SystemUser, NodeSerializer
from .. import serializers
from ..models import Action
@@ -66,8 +62,8 @@ class UserGrantedAssetsApi(UserPermissionMixin, ListAPIView):
permission_classes = (IsOrgAdminOrAppUser,)
serializer_class = serializers.AssetGrantedSerializer
only_fields = serializers.AssetGrantedSerializer.Meta.only_fields
- filter_fields = ['hostname', 'ip']
- search_fields = filter_fields
+ filter_fields = ['hostname', 'ip', 'id', 'comment']
+ search_fields = ['hostname', 'ip', 'comment']
def filter_by_nodes(self, queryset):
node_id = self.request.query_params.get("node")
@@ -109,12 +105,21 @@ class UserGrantedNodesApi(UserPermissionMixin, ListAPIView):
查询用户授权的所有节点的API
"""
permission_classes = (IsOrgAdminOrAppUser,)
- serializer_class = serializers.GrantedNodeSerializer
+ serializer_class = serializers.NodeGrantedSerializer
only_fields = NodeSerializer.Meta.only_fields
+ util = None
+
+ def get(self, request, *args, **kwargs):
+ self.util = AssetPermissionUtilV2(self.obj)
+ return super().get(request, *args, **kwargs)
+
+ def get_serializer_context(self):
+ context = super().get_serializer_context()
+ context["tree"] = self.util.user_tree
+ return context
def get_queryset(self):
- util = AssetPermissionUtilV2(self.obj)
- node_keys = util.get_nodes()
+ node_keys = self.util.get_nodes()
queryset = Node.objects.filter(key__in=node_keys)
return queryset
@@ -131,7 +136,6 @@ class UserGrantedNodeChildrenApi(UserGrantedNodesApi):
system_user_id = self.request.query_params.get("system_user")
self.util = AssetPermissionUtilV2(self.obj)
if system_user_id:
- system_user = get_object_or_404(SystemUser, id=system_user_id)
self.util.filter_permissions(system_users=system_user_id)
self.tree = self.util.get_user_tree()
diff --git a/apps/perms/const.py b/apps/perms/const.py
index 4ccab5e38..476fc9d3f 100644
--- a/apps/perms/const.py
+++ b/apps/perms/const.py
@@ -1,6 +1,10 @@
# -*- coding: utf-8 -*-
#
+from django.utils.translation import ugettext_lazy as _
UNGROUPED_NODE_ID = "00000000-0000-0000-0000-000000000002"
+UNGROUPED_NODE_KEY = '-2'
+UNGROUPED_NODE_VALUE = _("Ungrouped")
EMPTY_NODE_ID = "00000000-0000-0000-0000-000000000003"
-EMPTY_NODE_KEY = "1:-2"
+EMPTY_NODE_KEY = "-3"
+EMPTY_NODE_VALUE = _("Empty")
diff --git a/apps/perms/models/asset_permission.py b/apps/perms/models/asset_permission.py
index 7215e01bb..fff6c56f3 100644
--- a/apps/perms/models/asset_permission.py
+++ b/apps/perms/models/asset_permission.py
@@ -5,7 +5,7 @@ from django.db import models
from django.db.models import Q
from django.utils.translation import ugettext_lazy as _
-from common.utils import date_expired_default, set_or_append_attr_bulk
+from common.utils import date_expired_default
from orgs.mixins.models import OrgModelMixin
from assets.models import Asset, SystemUser, Node
diff --git a/apps/perms/models/base.py b/apps/perms/models/base.py
index 02e580c8a..b36d009b3 100644
--- a/apps/perms/models/base.py
+++ b/apps/perms/models/base.py
@@ -4,6 +4,7 @@
import uuid
from django.utils.translation import ugettext_lazy as _
from django.db import models
+from django.db.models import Q
from django.utils import timezone
from orgs.mixins.models import OrgModelMixin
@@ -24,6 +25,18 @@ class BasePermissionQuerySet(models.QuerySet):
return self.active().filter(date_start__lt=timezone.now()) \
.filter(date_expired__gt=timezone.now())
+ def inactive(self):
+ return self.filter(is_active=False)
+
+ def invalid(self):
+ now = timezone.now
+ q = (
+ Q(is_active=False) |
+ Q(date_start__gt=now) |
+ Q(date_expired__lt=now)
+ )
+ return self.filter(q)
+
class BasePermissionManager(OrgManager):
def valid(self):
diff --git a/apps/perms/serializers/user_permission.py b/apps/perms/serializers/user_permission.py
index 9f7ea4ecf..149b618eb 100644
--- a/apps/perms/serializers/user_permission.py
+++ b/apps/perms/serializers/user_permission.py
@@ -9,8 +9,8 @@ from assets.serializers import ProtocolsField
from .asset_permission import ActionsField
__all__ = [
- 'GrantedNodeSerializer',
- 'NodeGrantedSerializer', 'AssetGrantedSerializer',
+ 'NodeGrantedSerializer',
+ 'AssetGrantedSerializer',
'ActionsSerializer', 'AssetSystemUserSerializer',
]
@@ -43,36 +43,29 @@ class AssetGrantedSerializer(serializers.ModelSerializer):
"id", "hostname", "ip", "protocols", "os", 'domain',
"platform", "comment", "org_id",
]
- fields = only_fields
+ fields = only_fields + ['org_name']
read_only_fields = fields
class NodeGrantedSerializer(serializers.ModelSerializer):
- """
- 授权资产组
- """
- # assets_granted = AssetGrantedSerializer(many=True, read_only=True)
- # assets_amount = serializers.ReadOnlyField()
- name = serializers.ReadOnlyField(source='value')
+ assets_amount = serializers.SerializerMethodField()
- # assets_only_fields = AssetGrantedSerializer.Meta.only_fields
- # system_users_only_fields = AssetGrantedSerializer.system_users_only_fields
-
- class Meta:
- model = Node
- only_fields = ['id', 'key', 'value', "org_id"]
- fields = only_fields + ['name']
- read_only_fields = fields
-
-
-class GrantedNodeSerializer(serializers.ModelSerializer):
class Meta:
model = Node
fields = [
- 'id', 'name', 'key', 'value',
+ 'id', 'name', 'key', 'value', 'org_id', "assets_amount"
]
read_only_fields = fields
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.tree = self.context.get("tree")
+
+ def get_assets_amount(self, obj):
+ if not self.tree:
+ return 0
+ return self.tree.assets_amount(obj.key)
+
class ActionsSerializer(serializers.Serializer):
actions = ActionsField(read_only=True)
diff --git a/apps/perms/signals_handler.py b/apps/perms/signals_handler.py
index faadaf1a8..3736e3a84 100644
--- a/apps/perms/signals_handler.py
+++ b/apps/perms/signals_handler.py
@@ -15,25 +15,23 @@ logger = get_logger(__file__)
@on_transaction_commit
def on_permission_created(sender, instance=None, created=False, **kwargs):
pass
- # AssetPermissionUtil.expire_all_cache()
@receiver(post_save, sender=AssetPermission)
def on_permission_update(sender, **kwargs):
pass
- # AssetPermissionUtil.expire_all_cache()
@receiver(post_delete, sender=AssetPermission)
def on_permission_delete(sender, **kwargs):
pass
- # AssetPermissionUtil.expire_all_cache()
@receiver(m2m_changed, sender=AssetPermission.nodes.through)
-def on_permission_nodes_changed(sender, instance=None, **kwargs):
- # AssetPermissionUtil.expire_all_cache()
- if isinstance(instance, AssetPermission) and kwargs['action'] == 'post_add':
+def on_permission_nodes_changed(sender, instance=None, action='', **kwargs):
+ if action != 'post_add':
+ return
+ if isinstance(instance, AssetPermission):
logger.debug("Asset permission nodes change signal received")
nodes = kwargs['model'].objects.filter(pk__in=kwargs['pk_set'])
system_users = instance.system_users.all()
@@ -42,9 +40,10 @@ def on_permission_nodes_changed(sender, instance=None, **kwargs):
@receiver(m2m_changed, sender=AssetPermission.assets.through)
-def on_permission_assets_changed(sender, instance=None, **kwargs):
- # AssetPermissionUtil.expire_all_cache()
- if isinstance(instance, AssetPermission) and kwargs['action'] == 'post_add':
+def on_permission_assets_changed(sender, instance=None, action='', **kwargs):
+ if action != 'post_add':
+ return
+ if isinstance(instance, AssetPermission):
logger.debug("Asset permission assets change signal received")
assets = kwargs['model'].objects.filter(pk__in=kwargs['pk_set'])
system_users = instance.system_users.all()
@@ -53,13 +52,15 @@ def on_permission_assets_changed(sender, instance=None, **kwargs):
@receiver(m2m_changed, sender=AssetPermission.system_users.through)
-def on_permission_system_users_changed(sender, instance=None, **kwargs):
- # AssetPermissionUtil.expire_all_cache()
- if isinstance(instance, AssetPermission) and kwargs['action'] == 'post_add':
- logger.debug("Asset permission system_users change signal received")
+def on_permission_system_users_changed(sender, instance=None, action='', **kwargs):
+ if action != 'post_add':
+ return
+ if isinstance(instance, AssetPermission):
system_users = kwargs['model'].objects.filter(pk__in=kwargs['pk_set'])
+ logger.debug("Asset permission system_users change signal received")
assets = instance.assets.all()
nodes = instance.nodes.all()
for system_user in system_users:
system_user.nodes.add(*tuple(nodes))
system_user.assets.add(*tuple(assets))
+
diff --git a/apps/perms/utils/asset_permission.py b/apps/perms/utils/asset_permission.py
index 8fa37beb5..3f7874753 100644
--- a/apps/perms/utils/asset_permission.py
+++ b/apps/perms/utils/asset_permission.py
@@ -4,6 +4,7 @@ from collections import defaultdict
from functools import reduce
from django.db.models import Q
+from django.conf import settings
from orgs.utils import set_to_root_org
from common.utils import get_logger, timeit
@@ -11,6 +12,7 @@ from common.tree import TreeNode
from assets.utils import TreeService
from ..models import AssetPermission
from ..hands import Node, Asset, SystemUser
+from .. import const
logger = get_logger(__file__)
@@ -129,6 +131,9 @@ class AssetPermissionUtilV2:
@timeit
def add_direct_nodes_to_user_tree(self, user_tree):
+ """
+ 将授权规则的节点放到用户树上, 从full tree中粘贴子树
+ """
nodes_direct_keys = self.permissions \
.exclude(nodes__isnull=True) \
.values_list('nodes__key', flat=True) \
@@ -153,6 +158,10 @@ class AssetPermissionUtilV2:
@timeit
def add_single_assets_node_to_user_tree(self, user_tree):
+ """
+ 将单独授权的资产放到树上,如果设置了单独资产到 未分组中,则放到未分组中
+ 如果没有,则查询资产属于的资产组,放到树上
+ """
# 添加单独授权资产的节点
nodes_single_assets = defaultdict(set)
queryset = self.permissions.exclude(assets__isnull=True) \
@@ -161,13 +170,26 @@ class AssetPermissionUtilV2:
for item in queryset:
nodes_single_assets[item[1]].add(item[0])
- # Todo: 游离资产
nodes_single_assets.pop(None, None)
for key in tuple(nodes_single_assets.keys()):
if user_tree.contains(key):
nodes_single_assets.pop(key)
+ # 如果要设置到ungroup中
+ if settings.PERM_SINGLE_ASSET_TO_UNGROUP_NODE:
+ node_key = Node.ungrouped_key
+ node_value = Node.ungrouped_value
+ user_tree.create_node(
+ identifier=node_key, tag=node_value,
+ parent=user_tree.root,
+ )
+ assets = set()
+ for _assets in nodes_single_assets.values():
+ assets.update(set(_assets))
+ user_tree.set_assets(node_key, assets)
+ return
+
# 获取单独授权资产,并没有在授权的节点上
for key, assets in nodes_single_assets.items():
node = self.full_tree.get_node(key, deep=True)
@@ -180,11 +202,17 @@ class AssetPermissionUtilV2:
@timeit
def parse_user_tree_to_full_tree(self, user_tree):
+ """
+ 经过前面两个动作,用户授权的节点已放到树上,但是树不是完整的,
+ 这里要讲树构造成一个完整的书
+ """
# 开始修正user_tree,保证父节点都在树上
root_children = user_tree.children('')
for child in root_children:
if child.identifier.isdigit():
continue
+ if child.identifier.startswith('-'):
+ continue
ancestors = self.full_tree.ancestors(
child.identifier, with_self=False, deep=True
)
@@ -194,6 +222,19 @@ class AssetPermissionUtilV2:
user_tree.safe_add_ancestors(ancestors)
user_tree.move_node(child.identifier, parent_id)
+ @staticmethod
+ def add_empty_node_if_need(user_tree):
+ """
+ 添加空节点,如果根节点没有子节点的话
+ """
+ if not user_tree.children(user_tree.root):
+ node_key = Node.empty_key
+ node_value = Node.empty_value
+ user_tree.create_node(
+ identifier=node_key, tag=node_value,
+ parent=user_tree.root,
+ )
+
@timeit
def get_user_tree(self):
if self._user_tree:
@@ -207,6 +248,7 @@ class AssetPermissionUtilV2:
self.add_direct_nodes_to_user_tree(user_tree)
self.add_single_assets_node_to_user_tree(user_tree)
self.parse_user_tree_to_full_tree(user_tree)
+ self.add_empty_node_if_need(user_tree)
self._user_tree = user_tree
return user_tree
diff --git a/apps/perms/utils/remote_app_permission.py b/apps/perms/utils/remote_app_permission.py
index a612b9ffb..ae60766ae 100644
--- a/apps/perms/utils/remote_app_permission.py
+++ b/apps/perms/utils/remote_app_permission.py
@@ -74,6 +74,14 @@ def construct_remote_apps_tree_root():
def parse_remote_app_to_tree_node(parent, remote_app):
+ system_user = remote_app.system_user
+ user = {
+ 'id': system_user.id,
+ 'name': system_user.name,
+ 'username': system_user.username,
+ 'protocol': system_user.protocol,
+ 'login_mode': system_user.login_mode,
+ }
tree_node = {
'id': remote_app.id,
'name': remote_app.name,
@@ -82,6 +90,6 @@ def parse_remote_app_to_tree_node(parent, remote_app):
'open': False,
'isParent': False,
'iconSkin': 'file',
- 'meta': {'type': 'remote_app'}
+ 'meta': {'type': 'remote_app', 'user': user}
}
return TreeNode(**tree_node)
diff --git a/apps/users/templates/users/_granted_assets.html b/apps/users/templates/users/_granted_assets.html
index 25240ee03..7904af4fb 100644
--- a/apps/users/templates/users/_granted_assets.html
+++ b/apps/users/templates/users/_granted_assets.html
@@ -4,6 +4,7 @@
+ {% trans 'Loading' %} ...