# coding: utf-8 from jumpserver.api import * import uuid import re from jumpserver.tasks import playbook_run from jumpserver.models import Setting from jperm.models import PermLog from jperm.models import PermRole def get_object_list(model, id_list): """根据id列表获取对象列表""" object_list = [] for object_id in id_list: if object_id: object_list.extend(model.objects.filter(id=int(object_id))) return object_list def get_rand_file_path(base_dir=os.path.join(BASE_DIR, 'tmp')): """获取随机文件路径""" filename = uuid.uuid1().hex return os.path.join(base_dir, filename) def get_inventory(host_group): """生成资产表库存清单""" path = get_rand_file_path() f = open(path, 'w') for group, host_list in host_group.items(): f.write('[%s]\n' % group) for ip in host_list: asset = get_object(Asset, ip=ip) if asset.use_default: f.write('%s\n' % ip) else: f.write('%s ansible_ssh_port=%s ansible_ssh_user=%s ansible_ssh_pass=%s\n' % (ip, asset.port, asset.username, CRYPTOR.decrypt(asset.password))) f.close() return path def get_playbook(template, var): """根据playbook模板,生成playbook""" str_playbook = open(template).read() for k, v in var.items(): str_playbook = re.sub(r'%s' % k, v, str_playbook) # 正则来替换传入的字符 path = get_rand_file_path() f = open(path, 'w') f.write(str_playbook) return path def perm_user_api(perm_info): """ 用户授权api,通过调用ansible API完成用户新建等,传入参数必须如下,列表中可以是对象,也可以是用户名和ip perm_info = {'del': {'users': [], 'assets': [], }, 'new': {'users': [], 'assets': []}} """ log = PermLog(action=perm_info.get('action', '')) try: new_users = perm_info.get('new', {}).get('users', []) new_assets = perm_info.get('new', {}).get('assets', []) del_users = perm_info.get('del', {}).get('users', []) del_assets = perm_info.get('del', {}).get('assets', []) print new_users, new_assets except IndexError: raise ServerError("Error: function perm_user_api传入参数错误") try: new_ip = [asset.ip for asset in new_assets if isinstance(asset, Asset)] del_ip = [asset.ip for asset in del_assets if isinstance(asset, Asset)] new_username = [user.username for user in new_users] del_username = [user.username for user in del_users] except IndexError: raise ServerError("Error: function perm_user_api传入参数类型错误") host_group = {'new': new_ip, 'del': del_ip} inventory = get_inventory(host_group) the_new_users = ','.join(new_username) the_del_users = ','.join(del_username) playbook = get_playbook(os.path.join(BASE_DIR, 'keys/../playbook', 'user_perm.yaml'), {'the_new_group': 'new', 'the_del_group': 'del', 'the_new_users': the_new_users, 'the_del_users': the_del_users, 'KEY_DIR': os.path.join(SSH_KEY_DIR, 'sysuser')}) print playbook, inventory settings = get_object(Setting, name='default') results = playbook_run(inventory, playbook, settings) if not results.get('failures', 1) and not results.get('unreachable', ''): is_success = True else: is_success = False log.results = results log.is_finish = True log.is_success = is_success log.save() return results def user_group_permed(user_group): assets = user_group.asset.all() asset_groups = user_group.asset_group.all() for asset_group in asset_groups: assets.extend(asset_group.asset.all()) return {'assets': assets, 'asset_groups': asset_groups} def user_permed(user): asset_groups = [] assets = [] user_groups = user.group.all() asset_groups.extend(user.asset_group.all()) assets.extend(user.asset.all()) for user_group in user_groups: asset_groups.extend(user_group_permed(user_group).get('assets', [])) assets.extend((user_group_permed(user_group).get('asset_groups', []))) return {'assets': assets, 'asset_groups': asset_groups} def _public_perm_api(info): """ 公用的用户,用户组,主机,主机组编辑修改新建调用的api,用来完成授权 info like that: { 'type': 'new_user', 'user': 'a', 'group': ['A', 'B'] } { 'type': 'edit_user', 'user': 'a', 'group': {'new': ['A'], 'del': []} } { 'type': 'del_user', 'user': ['a', 'b'] } { 'type': 'edit_user_group', 'group': 'A', 'user': {'del': ['a', 'b'], 'new': ['c', 'd']} } { 'type': 'del_user_group', 'group': ['A'] } { 'type': 'new_asset', 'asset': 'a', 'group': ['A', 'B'] } { 'type': 'edit_asset', 'asset': 'a', 'group': { 'del': ['A', ['B'], 'new': ['C', ['D']] } } { 'type': 'del_asset', 'asset': ['a', 'b'] } { 'type': 'edit_asset_group', 'group': 'A', 'asset': {'new': ['a', 'b'], 'del': ['c', 'd']} } { 'type': 'del_asset_group', 'group': ['A', 'B'] } """ if info.get('type') == 'new_user': new_assets = [] user = info.get('user') user_groups = info.get('group') for user_group in user_groups: new_assets.extend(user_group_permed(user_group).get('assets', [])) perm_info = { 'action': 'new user: ' + user.name, 'new': {'users': [user], 'assets': new_assets} } elif info.get('type') == 'edit_user': new_assets = [] del_assets = [] user = info.get('user') new_group = info.get('group').get('new') del_group = info.get('group').get('del') for user_group in new_group: new_assets.extend(user_group_permed(user_group).get('assets', [])) for user_group in del_group: del_assets.extend((user_group_permed(user_group).get('assets', []))) perm_info = { 'action': 'edit user: ' + user.name, 'del': {'users': [user], 'assets': del_assets}, 'new': {'users': [user], 'assets': new_assets} } elif info.get('type') == 'del_user': user = info.get('user') del_assets = user_permed(user).get('assets', []) perm_info = { 'action': 'del user: ' + user.name, 'del': {'users': [user], 'assets': del_assets}, } elif info.get('type') == 'edit_user_group': user_group = info.get('group') new_users = info.get('user').get('new') del_users = info.get('user').get('del') assets = user_group_permed(user_group).get('assets', []) perm_info = { 'action': 'edit user group: ' + user_group.name, 'new': {'users': new_users, 'assets': assets}, 'del': {'users': del_users, 'assets': assets} } elif info.get('type') == 'del_user_group': user_group = info.get('group', []) del_users = user_group.user_set.all() assets = user_group_permed(user_group).get('assets', []) perm_info = { 'action': "del user group: " + user_group.name, 'del': {'users': del_users, 'assets': assets} } else: return try: results = perm_user_api(perm_info) # 通过API授权或回收 except ServerError, e: return e else: return results def push_user(user, asset_groups_id): assets = [] if not user: return {'error': '没有该用户'} for group_id in asset_groups_id: asset_group = get_object(AssetGroup, id=group_id) if asset_group: assets.extend(asset_group.asset_set.all()) perm_info = { 'action': 'Push user:' + user.username, 'new': {'users': [user], 'assets': assets} } results = perm_user_api(perm_info) return results def get_role_info(role_id, type="all"): """ 获取role对应的一些信息 :return: 返回值 均为对象列表 """ # 获取role对应的授权规则 role_obj = PermRole.objects.get(id=role_id) rules_obj = role_obj.perm_rule.all() # 获取role 对应的用户 和 用户组 # 获取role 对应的主机 和主机组 users_obj = [] assets_obj = [] user_groups_obj = [] group_users_obj = [] asset_groups_obj = [] group_assets_obj = [] for rule in rules_obj: for user in rule.user.all(): users_obj.append(user) for asset in rule.asset.all(): assets_obj.append(asset) for user_group in rule.user_group.all(): user_groups_obj.append(user_group) for user in user_group.user_set.all(): group_users_obj.append(user) for asset_group in rule.asset_group.all(): asset_groups_obj.append(asset_group) for asset in asset_group.asset_set.all(): group_assets_obj.append(asset) calc_users = set(users_obj) | set(group_users_obj) calc_assets = set(assets_obj) | set(group_assets_obj) if type == "all": return {"rules": rules_obj, "users": list(calc_users), "user_groups": user_groups_obj, "assets": list(calc_assets), "asset_groups": asset_groups_obj, } elif type == "rule": return rules_obj elif type == "user": return calc_users elif type == "user_group": return user_groups_obj elif type == "asset": return calc_assets elif type == "asset_group": return asset_groups_obj else: return u"不支持的查询" if __name__ == "__main__": print get_role_info(1)