import logging from django.db import models from django.db.models import Q from django.utils import timezone from django.utils.translation import gettext_lazy as _ from accounts.const import AliasAccount from accounts.models import Account from assets.models import Asset from common.utils import date_expired_default, lazyproperty from common.utils.timezone import local_now from labels.mixins import LabeledMixin from orgs.mixins.models import JMSOrgBaseModel from orgs.mixins.models import OrgManager from perms.const import ActionChoices from users.models import User __all__ = ['AssetPermission', 'ActionChoices', 'AssetPermissionQuerySet'] # 使用场景 logger = logging.getLogger('jumpserver.permissions') class AssetPermissionQuerySet(models.QuerySet): def active(self): return self.filter(is_active=True) def valid(self): return self.active().filter(date_start__lt=timezone.now()) \ .filter(date_expired__gt=timezone.now()) def inactive(self): return self.filter(is_active=False) def invalid(self): now = timezone.now() q = (Q(is_active=False) | Q(date_start__gt=now) | Q(date_expired__lt=now)) return self.filter(q) def filter_by_accounts(self, accounts): q = Q(accounts__contains=list(accounts)) | \ Q(accounts__contains=AliasAccount.ALL.value) return self.filter(q) class AssetPermissionManager(OrgManager): def valid(self): return self.get_queryset().valid() def get_expired_permissions(self): now = local_now() return self.get_queryset().filter(Q(date_start__lte=now) | Q(date_expired__gte=now)) def default_protocols(): return ['all'] class AssetPermission(LabeledMixin, JMSOrgBaseModel): name = models.CharField(max_length=128, verbose_name=_('Name')) users = models.ManyToManyField( 'users.User', related_name='%(class)ss', blank=True, verbose_name=_("User") ) user_groups = models.ManyToManyField( 'users.UserGroup', related_name='%(class)ss', blank=True, verbose_name=_("User group") ) assets = models.ManyToManyField( 'assets.Asset', related_name='granted_by_permissions', blank=True, verbose_name=_("Asset") ) nodes = models.ManyToManyField( 'assets.Node', related_name='granted_by_permissions', blank=True, verbose_name=_("Node") ) # 特殊的账号: @ALL, @INPUT @USER 默认包含,将来在全局设置中进行控制. accounts = models.JSONField(default=list, verbose_name=_("Account")) protocols = models.JSONField(default=default_protocols, verbose_name=_("Protocols")) actions = models.IntegerField(default=ActionChoices.connect, verbose_name=_("Actions")) date_start = models.DateTimeField(default=timezone.now, db_index=True, verbose_name=_("Date start")) date_expired = models.DateTimeField( default=date_expired_default, db_index=True, verbose_name=_('Date expired') ) is_active = models.BooleanField(default=True, verbose_name=_('Active')) from_ticket = models.BooleanField(default=False, verbose_name=_('From ticket')) objects = AssetPermissionManager.from_queryset(AssetPermissionQuerySet)() class Meta: unique_together = [('org_id', 'name')] verbose_name = _("Asset permission") ordering = ('name',) permissions = [] def __str__(self): return self.name @property def is_expired(self): if self.date_expired > timezone.now() > self.date_start: return False return True @property def is_valid(self): if not self.is_expired and self.is_active: return True return False @property def real_accounts(self): return [a for a in self.accounts if not a.startswith('@') or a == '@ALL'] @real_accounts.setter def real_accounts(self, value): self.accounts += value @property def virtual_accounts(self): return [a for a in self.accounts if a.startswith('@') and a != '@ALL'] @virtual_accounts.setter def virtual_accounts(self, value): self.accounts += value @lazyproperty def users_amount(self): return self.users.count() @lazyproperty def user_groups_amount(self): return self.user_groups.count() @lazyproperty def assets_amount(self): return self.assets.count() @lazyproperty def nodes_amount(self): return self.nodes.count() def get_all_users(self): from users.models import User user_ids = self.users.all().values_list('id', flat=True) group_ids = self.user_groups.all().values_list('id', flat=True) user_ids = list(user_ids) group_ids = list(group_ids) qs1_ids = User.objects.filter(id__in=user_ids).distinct().values_list('id', flat=True) qs2_ids = User.objects.filter(groups__id__in=group_ids).distinct().values_list('id', flat=True) qs_ids = list(qs1_ids) + list(qs2_ids) qs = User.objects.filter(id__in=qs_ids, is_service_account=False) return qs def get_all_assets(self, flat=False): from assets.models import Node nodes_keys = self.nodes.all().values_list('key', flat=True) asset_ids = set(self.assets.all().values_list('id', flat=True)) nodes_asset_ids = Node.get_nodes_all_asset_ids_by_keys(nodes_keys) asset_ids.update(nodes_asset_ids) if flat: return asset_ids assets = Asset.objects.filter(id__in=asset_ids) return assets def get_all_accounts(self, flat=False): """ :return: 返回授权的所有账号对象 Account """ asset_ids = self.get_all_assets(flat=True) q = Q(asset_id__in=asset_ids) if AliasAccount.ALL not in self.accounts: q &= Q(username__in=self.accounts) accounts = Account.objects.filter(q).order_by('asset__name', 'name', 'username') if not flat: return accounts return accounts.values_list('id', flat=True) @classmethod def get_all_users_for_perms(cls, perm_ids, flat=False): user_ids = cls.users.through.objects \ .filter(assetpermission_id__in=perm_ids) \ .values_list('user_id', flat=True).distinct() group_ids = cls.user_groups.through.objects \ .filter(assetpermission_id__in=perm_ids) \ .values_list('usergroup_id', flat=True).distinct() group_user_ids = User.groups.through.objects \ .filter(usergroup_id__in=group_ids) \ .values_list('user_id', flat=True).distinct() user_ids = set(user_ids) | set(group_user_ids) if flat: return user_ids return User.objects.filter(id__in=user_ids)