优化connect.py 和 api.py

pull/26/head
ibuler 2015-08-21 23:45:41 +08:00
parent 9f0620f97e
commit ad16d8b532
4 changed files with 90 additions and 382 deletions

View File

@ -26,8 +26,9 @@ os.environ['DJANGO_SETTINGS_MODULE'] = 'jumpserver.settings'
if django.get_version() != '1.6': if django.get_version() != '1.6':
django.setup() django.setup()
from jlog.models import Log from jlog.models import Log
from jumpserver.api import CONF, BASE_DIR, ServerError, User, UserGroup, Asset, BisGroup from jumpserver.api import CONF, BASE_DIR, ServerError, User, UserGroup, Asset, get_object
from jumpserver.api import CRYPTOR, logger, is_dir from jumpserver.api import CRYPTOR, logger, is_dir
from jumpserver.api import BisGroup as AssetGroup
try: try:
import termios import termios
@ -38,7 +39,7 @@ except ImportError:
sys.exit() sys.exit()
log_dir = os.path.join(BASE_DIR, 'logs') log_dir = os.path.join(BASE_DIR, 'logs')
login_user = User(username=getpass.getuser()) login_user = get_object(User, username=getpass.getuser())
def color_print(msg, color='red', exits=False): def color_print(msg, color='red', exits=False):
@ -98,14 +99,14 @@ class Jtty(object):
timestamp_start = int(time.time()) timestamp_start = int(time.time())
date_start = time.strftime('%Y%m%d', time.localtime(timestamp_start)) date_start = time.strftime('%Y%m%d', time.localtime(timestamp_start))
time_start = time.strftime('%H%M%S', time.localtime(timestamp_start)) time_start = time.strftime('%H%M%S', time.localtime(timestamp_start))
today_connect_log_dir = os.path.join(tty_log_dir, date_start)
log_filename = '%s_%s_%s.log' % (self.username, self.ip, time_start) log_filename = '%s_%s_%s.log' % (self.username, self.ip, time_start)
today_connect_log_dir = os.path.join(tty_log_dir, date_start)
log_file_path = os.path.join(today_connect_log_dir, log_filename) log_file_path = os.path.join(today_connect_log_dir, log_filename)
dept_name = self.user.dept.name dept_name = self.user.dept.name
pid = os.getpid() pid = os.getpid()
pts = os.popen("ps axu | grep %s | grep -v grep | awk '{ print $7 }'" % pid).read().strip() pts = os.popen("ps axu | grep %s | grep -v grep | awk '{ print $7 }'" % pid).read().strip()
remote_ip = os.popen("who | grep %s | awk '{ print $5 }'" % pts).read().strip('()\n') ip_list = os.popen("who | grep %s | awk '{ print $5 }'" % pts).read().strip('()\n')
try: try:
is_dir(today_connect_log_dir) is_dir(today_connect_log_dir)
@ -117,7 +118,7 @@ class Jtty(object):
except IOError: except IOError:
raise ServerError('Create logfile failed, Please modify %s permission.' % today_connect_log_dir) raise ServerError('Create logfile failed, Please modify %s permission.' % today_connect_log_dir)
log = Log(user=self.username, host=self.ip, remote_ip=remote_ip, dept_name=dept_name, log = Log(user=self.username, host=self.ip, remote_ip=ip_list, dept_name=dept_name,
log_path=log_file_path, start_time=datetime.datetime.now(), pid=pid) log_path=log_file_path, start_time=datetime.datetime.now(), pid=pid)
log_file.write('Start time is %s\n' % datetime.datetime.now()) log_file.write('Start time is %s\n' % datetime.datetime.now())
log.save() log.save()
@ -164,18 +165,17 @@ class Jtty(object):
log_file.write('End time is %s' % datetime.datetime.now()) log_file.write('End time is %s' % datetime.datetime.now())
log_file.close() log_file.close()
log.is_finished = True log.is_finished = True
log.log_finished = False log.handle_finished = False
log.end_time = datetime.datetime.now() log.end_time = datetime.datetime.now()
log.save() log.save()
def get_connect_item(self): def get_connect_item(self):
port = int(self.asset.port) """获取连接需要的参数也就是服务ip, 端口, 用户账号和密码"""
if not self.asset.is_active: if not self.asset.is_active:
raise ServerError('Host %s is not active.' % self.ip) raise ServerError('该主机被禁用 Host %s is not active.' % self.ip)
if not self.user.is_active: if not self.user.is_active:
raise ServerError('User %s is not active.' % self.username) raise ServerError('该用户被禁用 User %s is not active.' % self.username)
login_type_dict = { login_type_dict = {
'L': self.user.ldap_pwd, 'L': self.user.ldap_pwd,
@ -183,37 +183,38 @@ class Jtty(object):
if self.asset.login_type in login_type_dict: if self.asset.login_type in login_type_dict:
password = CRYPTOR.decrypt(login_type_dict[self.asset.login_type]) password = CRYPTOR.decrypt(login_type_dict[self.asset.login_type])
return self.username, password, self.ip, port return self.username, password, self.ip, int(self.asset.port)
elif self.asset.login_type == 'M': elif self.asset.login_type == 'M':
username = self.asset.username username = self.asset.username
password = CRYPTOR.decrypt(self.asset.password) password = CRYPTOR.decrypt(self.asset.password)
return username, password, self.ip, port return username, password, self.ip, int(self.asset.port)
else: else:
raise ServerError('Login type is not in ["L", "M"]') raise ServerError('不支持的服务器登录方式 Login type is not in ["L", "M"]')
def connect(self): def connect(self):
""" """
Connect server. Connect server.
连接服务器
""" """
username, password, ip, port = self.get_connect_item() username, password, ip, port = self.get_connect_item()
logger.debug("username: %s, password: %s, ip: %s, port: %s" % (username, password, ip, port)) logger.debug("username: %s, password: %s, ip: %s, port: %s" % (username, password, ip, port))
ps1 = "PS1='[\u@%s \W]\$ '\n" % self.ip ps1 = "PS1='[\u@%s \W]\$ '\n" % self.ip
login_msg = "clear;echo -e '\\033[32mLogin %s done. Enjoy it.\\033[0m'\n" % self.ip login_msg = "clear;echo -e '\\033[32mLogin %s done. Enjoy it.\\033[0m'\n" % ip
# Make a ssh connection # 发起ssh连接请求 Make a ssh connection
ssh = paramiko.SSHClient() ssh = paramiko.SSHClient()
ssh.load_system_host_keys() ssh.load_system_host_keys()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try: try:
ssh.connect(ip, port=port, username=username, password=password, compress=True) ssh.connect(ip, port=port, username=username, password=password, compress=True)
except paramiko.ssh_exception.AuthenticationException, paramiko.ssh_exception.SSHException: except paramiko.ssh_exception.AuthenticationException, paramiko.ssh_exception.SSHException:
raise ServerError('Authentication Error.') raise ServerError('认证错误 Authentication Error.')
except socket.error: except socket.error:
raise ServerError('Connect SSH Socket Port Error, Please Correct it.') raise ServerError('端口可能不对 Connect SSH Socket Port Error, Please Correct it.')
# Make a channel and set windows size # 获取连接的隧道并设置窗口大小 Make a channel and set windows size
global channel global channel
win_size = self.get_win_size() win_size = self.get_win_size()
self.chan = channel = ssh.invoke_shell(height=win_size[0], width=win_size[1]) self.chan = channel = ssh.invoke_shell(height=win_size[0], width=win_size[1])
@ -222,7 +223,7 @@ class Jtty(object):
except: except:
pass pass
# Set PS1 and msg it # 设置PS1并提示 Set PS1 and msg it
channel.send(ps1) channel.send(ps1)
channel.send(login_msg) channel.send(login_msg)
@ -235,6 +236,7 @@ class Jtty(object):
def verify_connect(user, option): def verify_connect(user, option):
"""鉴定用户是否有该主机权限 或 匹配到的ip是否唯一"""
ip_matched = [] ip_matched = []
try: try:
assets_info = login_user.get_asset_info() assets_info = login_user.get_asset_info()
@ -255,16 +257,20 @@ def verify_connect(user, option):
ip_matched = list(set(ip_matched)) ip_matched = list(set(ip_matched))
if len(ip_matched) > 1: if len(ip_matched) > 1:
ip_comment = {}
for ip in ip_matched: for ip in ip_matched:
if assets_info[ip][2]: ip_comment[ip] = assets_info[ip][2]
print '%-15s -- %s' % (ip, assets_info[ip][2])
for ip in sorted(ip_comment):
if ip_comment[ip]:
print '%-15s -- %s' % (ip, ip_comment[ip])
else: else:
print '%-15s' % ip print '%-15s' % ip
print '' print ''
elif len(ip_matched) < 1: elif len(ip_matched) < 1:
color_print('No Permission or No host.', 'red') color_print('没有该主机,或者您没有该主机的权限 No Permission or No host.', 'red')
else: else:
asset = Asset(ip=ip_matched[0]).asset asset = get_object(Asset, ip=ip_matched[0])
jtty = Jtty(user, asset) jtty = Jtty(user, asset)
jtty.connect() jtty.connect()
@ -351,12 +357,13 @@ def print_prompt():
# multi_remote_exec_cmd(hosts, username, cmd) # multi_remote_exec_cmd(hosts, username, cmd)
if __name__ == '__main__': def main():
if not login_user.validate(): if not login_user: # 判断用户是否存在
color_print(u'没有该用户 No that user.', exits=True) color_print(u'没有该用户或许你是以root运行的 No that user.', exits=True)
print_prompt() print_prompt()
gid_pattern = re.compile(r'^g\d+$') gid_pattern = re.compile(r'^g\d+$')
try: try:
while True: while True:
try: try:
@ -374,8 +381,8 @@ if __name__ == '__main__':
continue continue
elif gid_pattern.match(option): elif gid_pattern.match(option):
gid = option[1:].strip() gid = option[1:].strip()
asset_group = JassetGroup(id=gid) asset_group = get_object(AssetGroup, id=gid)
if asset_group.validate() and asset_group.is_permed(user=login_user.user): if asset_group and asset_group.is_permed(user=login_user):
asset_group.get_asset_info(printable=True) asset_group.get_asset_info(printable=True)
continue continue
elif option in ['E', 'e']: elif option in ['E', 'e']:
@ -390,3 +397,8 @@ if __name__ == '__main__':
color_print(e, 'red') color_print(e, 'red')
except IndexError: except IndexError:
pass pass
if __name__ == '__main__':
main()

View File

@ -10,7 +10,7 @@ class Log(models.Model):
start_time = models.DateTimeField(null=True) start_time = models.DateTimeField(null=True)
pid = models.IntegerField(max_length=10) pid = models.IntegerField(max_length=10)
is_finished = models.BooleanField(default=False) is_finished = models.BooleanField(default=False)
log_finished = models.BooleanField(default=False) handle_finished = models.BooleanField(default=False)
end_time = models.DateTimeField(null=True) end_time = models.DateTimeField(null=True)
def __unicode__(self): def __unicode__(self):

View File

@ -41,16 +41,18 @@ SEND_IP = CONF.get('base', 'ip')
SEND_PORT = CONF.get('base', 'port') SEND_PORT = CONF.get('base', 'port')
MAIL_FROM = CONF.get('mail', 'email_host_user') MAIL_FROM = CONF.get('mail', 'email_host_user')
log_level = CONF.get('base', 'log')
log_level_total = {'debug': logging.DEBUG, 'info': logging.INFO, 'warning': logging.WARN, 'error': logging.ERROR, def set_log(level):
'critical': logging.CRITICAL} log_level_total = {'debug': logging.DEBUG, 'info': logging.INFO, 'warning': logging.WARN, 'error': logging.ERROR,
logger = logging.getLogger('jumpserver') 'critical': logging.CRITICAL}
logger.setLevel(logging.DEBUG) logger = logging.getLogger('jumpserver')
fh = logging.FileHandler(JLOG_FILE) logger.setLevel(logging.DEBUG)
fh.setLevel(log_level_total.get(log_level, logging.DEBUG)) fh = logging.FileHandler(JLOG_FILE)
formatter = logging.Formatter('%(asctime)s - %(filename)s - %(levelname)s - %(message)s') fh.setLevel(log_level_total.get(level, logging.DEBUG))
fh.setFormatter(formatter) formatter = logging.Formatter('%(asctime)s - %(filename)s - %(levelname)s - %(message)s')
logger.addHandler(fh) fh.setFormatter(formatter)
logger.addHandler(fh)
return logger
class LDAPMgmt(): class LDAPMgmt():
@ -205,68 +207,45 @@ def get_object(model, **kwargs):
try: try:
the_object = model.objects.get(**kwargs) the_object = model.objects.get(**kwargs)
except ObjectDoesNotExist: except ObjectDoesNotExist:
raise ServerError('Object get %s failed.' % str(kwargs.values())) the_object = None
return the_object return the_object
def require_login(func): def require_role(role='user'):
"""要求登录的装饰器""" """
def _deco(request, *args, **kwargs): 要求用户是某种角色 ["super", "admin", "user"]
if not request.session.get('user_id'): """
return HttpResponseRedirect('/login/') def _deco(func):
return func(request, *args, **kwargs) def __deco(request, *args, **kwargs):
if role == 'user':
if not request.session.get('user_id'):
return HttpResponseRedirect('/login/')
elif role == 'admin':
if request.session.get('role_id', 0) != 1:
return HttpResponseRedirect('/')
elif role == 'super':
if request.session.get('role_id', 0) != 2:
return HttpResponseRedirect('/')
return func(request, *args, **kwargs)
return __deco()
return _deco return _deco
def require_super_user(func): def is_role_request(request, role='user'):
"""要求是超级管理员""" """
def _deco(request, *args, **kwargs): :param request: 请求
if not request.session.get('user_id'): :param role: 角色
return HttpResponseRedirect('/login/') :return: bool
要求请求角色正确
if request.session.get('role_id', 0) != 2: """
return HttpResponseRedirect('/') role_all = {'user': 0, 'admin': 1, 'super': 2}
return func(request, *args, **kwargs) if request.session.get('role_id') == role_all.get(role, '0'):
return _deco
def require_admin(func):
"""要求是管理员"""
def _deco(request, *args, **kwargs):
if not request.session.get('user_id'):
return HttpResponseRedirect('/login/')
if request.session.get('role_id', 0) < 1:
return HttpResponseRedirect('/')
return func(request, *args, **kwargs)
return _deco
def is_super_user(request):
"""要求请求是超级管理员"""
if request.session.get('role_id') == 2:
return True return True
else: else:
return False return False
def is_group_admin(request): @require_role
"""要求请求是组管理员"""
if request.session.get('role_id') == 1:
return True
else:
return False
def is_common_user(request):
"""要求用户是普通用户"""
if request.session.get('role_id') == 0:
return True
else:
return False
@require_login
def get_session_user_dept(request): def get_session_user_dept(request):
user_id = request.session.get('user_id', 0) user_id = request.session.get('user_id', 0)
user = User.objects.filter(id=user_id) user = User.objects.filter(id=user_id)
@ -276,7 +255,7 @@ def get_session_user_dept(request):
return user, dept return user, dept
@require_login @require_role
def get_session_user_info(request): def get_session_user_info(request):
user_id = request.session.get('user_id', 0) user_id = request.session.get('user_id', 0)
user = User.objects.filter(id=user_id) user = User.objects.filter(id=user_id)
@ -310,295 +289,6 @@ def api_user(request):
# return HttpResponseRedirect('/login/') # return HttpResponseRedirect('/login/')
# def user_group_perm_asset_group_api(user_group):
# asset_group_list = []
# perm_list = user_group.perm_set.all()
# for perm in perm_list:
# asset_group_list.append(perm.asset_group)
# return asset_group_list
# class Juser(object):
# """
# Jumpserver user class
# 用户类
# """
#
# def __init__(self, username=None, uid=None):
# if username:
# user = User.objects.filter(username=username)
# elif uid:
# user = User.objects.filter(id=uid)
# else:
# user = ''
#
# if user:
# user = user[0]
# self.user = user
# self.id = user.id
# # self.id = user.id
# # self.username = user.username
# # self.name = user.name
# self.group = user.group.all()
# else:
# self.id = None
#
# def __repr__(self):
# if self.id:
# return '<%s Juser instance>' % getattr(self.user, 'username')
# else:
# return 'None'
#
# def __getattr__(self, item):
# if self.id:
# return getattr(self.user, item)
# else:
# return None
#
# def validate(self):
# """
# Validate is or not a true user
# 鉴定用户
# """
# if self.id:
# return True
# else:
# return False
#
# def get_asset_group(self):
# """
# Get user host_groups.
# 获取用户有权限的主机组
# """
# host_group_list = []
# perm_list = []
# user_group_all = self.user.group.all()
# for user_group in user_group_all:
# perm_list.extend(user_group.perm_set.all())
#
# for perm in perm_list:
# host_group_list.append(perm.asset_group)
#
# return host_group_list
#
# def get_asset_group_info(self, printable=False):
# """
# Get or print asset group info
# 获取或打印用户授权资产组
# """
# asset_groups_info = {}
# asset_groups = self.get_asset_group()
#
# for asset_group in asset_groups:
# asset_groups_info[asset_group.id] = [asset_group.name, asset_group.comment]
#
# if printable:
# for group_id in asset_groups_info:
# if asset_groups_info[group_id][1]:
# print "[%3s] %s -- %s" % (group_id,
# asset_groups_info[group_id][0],
# asset_groups_info[group_id][1])
# else:
# print "[%3s] %s" % (group_id, asset_groups_info[group_id][0])
# print ''
# else:
# return asset_groups_info
#
# def get_asset(self):
# """
# Get the assets of under the user control.
# 获取主机列表
# """
# assets = []
# asset_groups = self.get_asset_group()
#
# for asset_group in asset_groups:
# assets.extend(asset_group.asset_set.all())
#
# return assets
#
# def get_asset_info(self, printable=False):
# """
# Get or print the user asset info
# 获取或打印用户资产信息
# """
# assets_info = {}
# assets = self.get_asset()
#
# for asset in assets:
# asset_alias = AssetAlias.objects.filter(user=self.user, asset=asset)
# if asset_alias and asset_alias[0].alias != '':
# assets_info[asset.ip] = [asset.id, asset.ip, str(asset_alias[0].alias)]
# else:
# assets_info[asset.ip] = [asset.id, asset.ip, str(asset.comment)]
#
# if printable:
# ips = assets_info.keys()
# ips.sort()
# for ip in ips:
# if assets_info[ip][2]:
# print '%-15s -- %s' % (ip, assets_info[ip][2])
# else:
# print '%-15s' % ip
# print ''
# else:
# return assets_info
#
# class Jasset(object):
# """
# Jumpserver asset class
# Jumpserver资产类
# """
# def __init__(self, ip=None, id=None):
# if ip:
# asset = Asset.objects.filter(ip=ip)
# elif id:
# asset = Asset.objects.filter(id=id)
# else:
# asset = ''
#
# if asset:
# asset = asset[0]
# self.asset = asset
# self.id = asset.id
# else:
# self.id = None
#
# def __repr__(self):
# if self.id:
# return '<%s Jasset instance>' % self.asset.ip
# else:
# return 'None'
#
# def __getattr__(self, item):
# if self.id:
# return getattr(self.asset, item)
# else:
# return None
#
# def validate(self):
# """
# Validate is or not a true asset
# 判断是否存在
# """
# if self.id:
# return True
# else:
# return False
#
# def get_user(self):
# perm_list = []
# asset_group_all = self.bis_group.all()
# for asset_group in asset_group_all:
# perm_list.extend(asset_group.perm_set.all())
#
# user_group_list = []
# for perm in perm_list:
# user_group_list.append(perm.user_group)
#
# user_permed_list = []
# for user_group in user_group_list:
# user_permed_list.extend(user_group.user_set.all())
# user_permed_list = list(set(user_permed_list))
# return user_permed_list
# class JassetGroup(object):
# """
# Jumpserver AssetGroup class
# Jumpserver 资产组类
# """
# def __init__(self, name=None, id=None):
# if id:
# asset_group = BisGroup.objects.filter(id=int(id))
# elif name:
# asset_group = BisGroup.objects.filter(name=name)
# else:
# asset_group = ''
#
# if asset_group:
# asset_group = asset_group[0]
# self.asset_group = asset_group
# # self.name = asset_group.name
# self.id = asset_group.id
# else:
# self.id = None
#
# def __repr__(self):
# if self.id:
# return '<%s JassetGroup instance>' % self.name
# else:
# return 'None'
#
# def validate(self):
# """
# Validate it is a true asset group or not
# 鉴定是否为真是存在的组
# """
# if self.id:
# return True
# else:
# return False
#
# def get_asset(self):
# return self.asset_group.asset_set.all()
#
# def get_asset_info(self, printable=False):
# assets = self.get_asset()
# for asset in assets:
# if asset.comment:
# print '%-15s -- %s' % (asset.ip, asset.comment)
# else:
# print '%-15s' % asset.ip
# print ''
#
# def get_asset_num(self):
# return len(self.get_asset())
#
# def get_user_group(self):
# perm_list = self.asset_group.perm_set.all()
# user_group_list = []
# for perm in perm_list:
# user_group_list.append(perm.user_group)
# return user_group_list
#
# def get_user(self):
# user_list = []
# user_group_list = self.get_user_group()
# for user_group in user_group_list:
# user_list.extend(user_group.user_set.all())
# return user_list
#
# def is_permed(self, user=None, user_group=None):
# if user:
# if user in self.get_user():
# return True
#
# if user_group:
# if user_group in self.get_user_group():
# return True
# return False
# def asset_perm_api(asset):
# if asset:
# perm_list = []
# asset_group_all = asset.bis_group.all()
# for asset_group in asset_group_all:
# perm_list.extend(asset_group.perm_set.all())
#
# user_group_list = []
# for perm in perm_list:
# user_group_list.append(perm.user_group)
#
# user_permed_list = []
# for user_group in user_group_list:
# user_permed_list.extend(user_group.user_set.all())
# user_permed_list = list(set(user_permed_list))
# return user_permed_list
def validate(request, user_group=None, user=None, asset_group=None, asset=None, edept=None): def validate(request, user_group=None, user=None, asset_group=None, asset=None, edept=None):
dept = get_session_user_dept(request)[1] dept = get_session_user_dept(request)[1]
if edept: if edept:
@ -694,6 +384,7 @@ def bash(cmd):
def is_dir(dir_name, username='root', mode=0755): def is_dir(dir_name, username='root', mode=0755):
"""目录存在,如果不存在就建立,并且权限正确"""
if not os.path.isdir(dir_name): if not os.path.isdir(dir_name):
os.makedirs(dir_name) os.makedirs(dir_name)
bash("chown %s:%s '%s'" % (username, username, dir_name)) bash("chown %s:%s '%s'" % (username, username, dir_name))
@ -720,3 +411,5 @@ if LDAP_ENABLE:
else: else:
ldap_conn = None ldap_conn = None
log_level = CONF.get('base', 'log')
logger = set_log(log_level)

View File

@ -19,6 +19,9 @@ class UserGroup(models.Model):
def __unicode__(self): def __unicode__(self):
return self.name return self.name
def get_user(self):
return self.user_set.all()
class User(models.Model): class User(models.Model):
USER_ROLE_CHOICES = ( USER_ROLE_CHOICES = (
@ -104,7 +107,7 @@ class User(models.Model):
assets = self.get_asset() assets = self.get_asset()
for asset in assets: for asset in assets:
asset_alias = AssetAlias.objects.filter(user=self.user, asset=asset) asset_alias = AssetAlias.objects.filter(user=self, asset=asset)
if asset_alias and asset_alias[0].alias != '': if asset_alias and asset_alias[0].alias != '':
assets_info[asset.ip] = [asset.id, asset.ip, str(asset_alias[0].alias)] assets_info[asset.ip] = [asset.id, asset.ip, str(asset_alias[0].alias)]
else: else: