# -*- coding: utf-8 -*- from django.db.models import Q from jperm.perm_api import * from jperm.models import PermLog as Log from jperm.models import SysUser from juser.user_api import gen_ssh_key from juser.models import User, UserGroup from jasset.models import Asset, AssetGroup from jperm.models import PermRole, PermRule from jperm.utils import updates_dict, gen_keys, get_rand_pass from jperm.ansible_api import Tasks from jperm.perm_api import get_role_info from jumpserver.api import my_render, get_object @require_role('admin') def perm_rule_list(request): """ list rule page """ # 渲染数据 header_title, path1, path2 = "授权规则", "规则管理", "查看规则" # 获取所有规则 rules_list = PermRule.objects.all() # TODO: 搜索和分页 keyword = request.GET.get('search', '') if keyword: rules_list = rules_list.filter(Q(name=keyword)) rules_list, p, rules, page_range, current_page, show_first, show_end = pages(rules_list, request) return my_render('jperm/perm_rule_list.html', locals(), request) @require_role('admin') def perm_rule_detail(request): """ rule detail page """ # 渲染数据 header_title, path1, path2 = "授权规则", "规则管理", "规则详情" # 根据rule_id 取得rule对象 rule_id = request.GET.get("id") rule_obj = PermRule.objects.get(id=rule_id) user_obj = rule_obj.user.all() asset_obj = rule_obj.asset.all() roles_name = [role.name for role in rule_obj.role.all()] # 渲染数据 roles_name = ','.join(roles_name) rule = rule_obj users = user_obj assets = asset_obj return my_render('jperm/perm_rule_detail.html', locals(), request) def perm_rule_add(request): """ add rule page """ # 渲染数据 header_title, path1, path2 = "授权规则", "规则管理", "添加规则" if request.method == 'GET': # 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则 users = User.objects.all() user_groups = UserGroup.objects.all() assets = Asset.objects.all() asset_groups = AssetGroup.objects.all() roles = PermRole.objects.all() return my_render('jperm/perm_rule_add.html', locals(), request) elif request.method == 'POST': # 获取用户选择的 用户,用户组,资产,资产组,用户角色 users_select = request.POST.getlist('user', []) user_groups_select = request.POST.getlist('usergroup', []) assets_select = request.POST.getlist('asset', []) asset_groups_select = request.POST.getlist('assetgroup', []) roles_select = request.POST.getlist('role', []) rule_name = request.POST.get('rulename') rule_comment = request.POST.get('comment') # 获取需要授权的主机列表 assets_obj = [Asset.objects.get(ip=asset) for asset in assets_select] asset_groups_obj = [AssetGroup.objects.get(name=group) for group in asset_groups_select] group_assets_obj = [asset for asset in [group.asset_set.all() for group in asset_groups_obj]] calc_assets = set(group_assets_obj) | set(assets_obj) # 获取需要授权的用户列表 users_obj = [User.objects.get(name=user) for user in users_select] user_groups_obj = [UserGroup.objects.get(name=group) for group in user_groups_select] group_users_obj = [user for user in [group.user_set.all() for group in user_groups_obj]] calc_users = set(group_users_obj) | set(users_obj) # 获取授予的角色列表 roles_obj = [PermRole.objects.get(name=role) for role in roles_select] # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色) rule = PermRule(name=rule_name, comment=rule_comment) rule.save() rule.user = users_obj rule.usergroup = user_groups_obj rule.asset = assets_obj rule.asset_group = asset_groups_obj rule.role = roles_obj rule.save() return HttpResponse(u"添加授权规则:%s" % rule.name) @require_role('admin') def perm_rule_edit(request): """ edit rule page """ # 渲染数据 header_title, path1, path2 = "授权规则", "规则管理", "添加规则" # 根据rule_id 取得rule对象 rule_id = request.GET.get("id") rule = PermRule.objects.get(id=rule_id) if request.method == 'GET' and rule_id: # 渲染数据, 获取所有的rule对象 users = rule.user.all() user_groups = rule.user_group.all() assets = rule.asset.all() asset_groups = rule.asset_group.all() roles = rule.role.all() return my_render('jperm/perm_rule_edit.html', locals(), request) elif request.method == 'POST' and rule_id: return HttpResponse("uncompleted") @require_role('admin') def perm_rule_delete(request): """ use to delete rule :param request: :return: """ if request.method == 'POST': # 根据rule_id 取得rule对象 rule_id = request.POST.get("id") rule_obj = PermRule.objects.get(id=rule_id) print rule_id, rule_obj print rule_obj.name rule_obj.delete() return HttpResponse(u"删除授权规则:%s" % rule_obj.name) else: return HttpResponse(u"不支持该操作") @require_role('admin') def perm_role_list(request): """ list role page """ # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "查看角色" # 获取所有系统角色 roles_list = PermRole.objects.all() # TODO: 搜索和分页 keyword = request.GET.get('search', '') if keyword: roles_list = roles_list.filter(Q(name=keyword)) roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request) return my_render('jperm/perm_role_list.html', locals(), request) @require_role('admin') def perm_role_add(request): """ add role page """ # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "添加角色" if request.method == "GET": default_password = get_rand_pass() return my_render('jperm/perm_role_add.html', locals(), request) elif request.method == "POST": # 获取参数: name, comment name = request.POST.get("role_name") comment = request.POST.get("role_comment") password = request.POST.get("role_password") # 生成随机密码,生成秘钥对 key_path = gen_keys() role = PermRole(name=name, comment=comment, password=password, key_path=key_path) role.save() return HttpResponse(u"添加角色: %s" % name) else: return HttpResponse(u"不支持该操作") @require_role('admin') def perm_role_delete(request): """ delete role page """ if request.method == "POST": # 获取参数删除的role对象 role_id = request.POST.get("id") role = PermRole.objects.get(id=role_id) role_key = role.key_path # 删除存储的秘钥,以及目录 key_files = os.listdir(role_key) for key_file in key_files: os.remove(os.path.join(role_key, key_file)) os.rmdir(role_key) # 数据库里删除记录 role.delete() return HttpResponse(u"删除角色: %s" % role.name) else: return HttpResponse(u"不支持该操作") @require_role('admin') def perm_role_detail(request): """ the role detail page the role_info data like: {'asset_groups': [], 'assets': [], 'rules': [], '': [], '': []} """ # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "角色详情" if request.method == "GET": role_id = request.GET.get("id") role_info = get_role_info(role_id) # 渲染数据 for key, value in role_info.iteritems(): key = value return my_render('jperm/perm_role_detail.html', locals(), request) @require_role('admin') def perm_role_edit(request): """ edit role page """ # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "角色编辑" if request.method == "GET": role_id = request.GET.get("id") # 渲染数据 role = PermRole.objects.get(id=role_id) return my_render('jperm/perm_role_edit.html', locals(), request) if request.method == "POST": return HttpResponse(u"未实现") @require_role('admin') def perm_role_push(request): """ the role push page """ # 渲染数据 header_title, path1, path2 = "系统角色", "角色管理", "角色推送" if request.method == "GET": # 渲染数据 roles = PermRole.objects.all() assets = Asset.objects.all() asset_groups = AssetGroup.objects.all() return my_render('jperm/perm_role_push.html', locals(), request) if request.method == "POST": # 获取推荐角色的名称列表 role_names = request.POST.getlist("roles") # 计算出需要推送的资产列表 asset_ips = request.POST.getlist("assets") asset_group_names = request.POST.getlist("asset_groups") assets_obj = [Asset.objects.get(ip=asset_ip) for asset_ip in asset_ips] asset_groups_obj = [AssetGroup.objects.get(name=asset_group_name) for asset_group_name in asset_group_names] group_assets_obj = [] for asset_group in asset_groups_obj: group_assets_obj.extend(asset_group.asset_set.all()) calc_assets = set(assets_obj) | set(group_assets_obj) # 生成Inventory push_resource = [{"hostname": asset.ip, "port": asset.port, "username": asset.username, "password": asset.password} for asset in calc_assets] # 获取角色的推送方式,以及推送需要的信息 roles_obj = [PermRole.objects.get(name=role_name) for role_name in role_names] role_pass = {} role_key = {} for role in roles_obj: role_pass[role.name] = role.password role_key[role.name] = os.path.join(role.key_path, 'id_rsa.pub') # 调用Ansible API 进行推送 password_push = request.POST.get("use_password") key_push = request.POST.get("use_publicKey") task = Tasks(push_resource) ret = {} ret_failed = [] if password_push: ret["password_push"] = task.add_multi_user(**role_pass) if ret["password_push"].get("status") != "success": ret_failed.append(1) if key_push: ret["key_push"] = task.push_multi_key(**role_key) if ret["key_push"].get("status") != "success": ret_failed.append(1) print ret if ret_failed: return HttpResponse(u"推送失败") else: return HttpResponse(u"推送系统角色: %s" % ','.join(role_names)) @require_role('admin') def perm_group_list(request): header_title, path1, path2 = '用户组授权', '授权管理', '用户组授权' keyword = request.GET.get('search', '') user_groups_list = UserGroup.objects.all() if keyword: request = user_groups_list.filter(Q(name=keyword) | Q(comment=keyword)) user_groups_list, p, user_groups, page_range, current_page, show_first, show_end = pages(user_groups_list, request) return my_render('jperm/perm_group_list.html', locals(), request) @require_role('admin') def perm_group_edit(request): header_title, path1, path2 = '用户组授权', '授权管理', '授权更改' user_group_id = request.GET.get('id', '') user_group = get_object(UserGroup, id=user_group_id) asset_all = Asset.objects.all() asset_group_all = AssetGroup.objects.all() asset_permed = user_group.asset.all() # 获取授权的资产对象列表 asset_group_permed = user_group.asset_group.all() # 获取授权的资产组对象列表 if request.method == 'GET' and user_group: assets = [asset for asset in asset_all if asset not in asset_permed] asset_groups = [asset_group for asset_group in asset_group_all if asset_group not in asset_group_permed] return my_render('jperm/perm_group_edit.html', locals(), request) elif request.method == 'POST' and user_group: asset_id_select = request.POST.getlist('asset_select', []) asset_group_id_select = request.POST.getlist('asset_groups_select', []) asset_select = get_object_list(Asset, asset_id_select) asset_group_select = get_object_list(AssetGroup, asset_group_id_select) asset_new = list(set(asset_select) - set(asset_permed)) # 计算的得到新授权的资产对象列表 asset_del = list(set(asset_permed) - set(asset_select)) # 计算得到回收权限的资产对象列表 asset_group_new = list(set(asset_group_select) - set(asset_group_permed)) # 新授权的资产组对象列表 asset_group_del = list(set(asset_group_permed) - set(asset_group_select)) # 回收的资产组对象列表 users = user_group.user_set.all() perm_info = { 'action': 'perm group edit: ' + user_group.name, 'del': {'users': users, 'assets': asset_del}, 'new': {'users': users, 'assets': asset_new} } results = perm_user_api(perm_info) unreachable_asset = [] failures_asset = [] for ip in results.get('unreachable'): unreachable_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) for ip in results.get('failures'): failures_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) failures_asset.extend(unreachable_asset) # 失败的授权要统计 for asset in failures_asset: if asset in asset_select: asset_select.remove(asset) else: asset_select.append(asset) user_group.asset = asset_select user_group.asset_group = asset_group_select user_group.save() # 保存到数据库 return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") else: return HttpResponse('输入错误') def log(request): header_title, path1, path2 = '授权记录', '授权管理', '授权记录' log_all = Log.objects.all().order_by('-datetime') log_all, p, logs, page_range, current_page, show_first, show_end = pages(log_all, request) return my_render('jperm/perm_log.html', locals(), request) def sys_user_add(request): asset_group_all = AssetGroup.objects.all() if request.method == 'POST': username = request.POST.get('username', '') password = request.POST.get('password', '') asset_groups_id = request.POST.getlist('asset_groups_select', []) comment = request.POST.get('comment') sys_user = SysUser(username=username, password=password, comment=comment) sys_user.save() gen_ssh_key(username, key_dir=os.path.join(SSH_KEY_DIR, 'sysuser'), authorized_keys=False) results = push_user(sys_user, asset_groups_id) return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") return my_render('jperm/sys_user_add.html', locals(), request) def sys_user_list(request): users_list = SysUser.objects.all() users_list, p, users, page_range, current_page, show_first, show_end = pages(users_list, request) return my_render('jperm/sys_user_list.html', locals(), request) def sys_user_edit(request): pass def sys_user_del(request): pass