mirror of https://github.com/jumpserver/jumpserver
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
278 lines
9.2 KiB
278 lines
9.2 KiB
import uuid
|
|
import logging
|
|
|
|
from django.utils import timezone
|
|
from django.utils.translation import ugettext_lazy as _
|
|
from django.db import models
|
|
from django.db.models import F, Q, TextChoices
|
|
|
|
from common.utils import lazyproperty, date_expired_default
|
|
from common.db.models import BaseCreateUpdateModel, UnionQuerySet
|
|
from assets.models import Asset, Node, FamilyMixin, Account
|
|
from orgs.mixins.models import OrgModelMixin
|
|
from orgs.mixins.models import OrgManager
|
|
from .const import Action, SpecialAccount
|
|
|
|
__all__ = [
|
|
'AssetPermission', 'PermNode',
|
|
'UserAssetGrantedTreeNodeRelation',
|
|
'Action'
|
|
]
|
|
|
|
# 使用场景
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class AssetPermissionQuerySet(models.QuerySet):
|
|
def active(self):
|
|
return self.filter(is_active=True)
|
|
|
|
def valid(self):
|
|
return self.active().filter(date_start__lt=timezone.now()) \
|
|
.filter(date_expired__gt=timezone.now())
|
|
|
|
def inactive(self):
|
|
return self.filter(is_active=False)
|
|
|
|
def invalid(self):
|
|
now = timezone.now()
|
|
q = (Q(is_active=False) | Q(date_start__gt=now) | Q(date_expired__lt=now))
|
|
return self.filter(q)
|
|
|
|
def filter_by_accounts(self, accounts):
|
|
q = Q(accounts__contains=list(accounts)) | \
|
|
Q(accounts__contains=SpecialAccount.ALL.value)
|
|
return self.filter(q)
|
|
|
|
|
|
class AssetPermissionManager(OrgManager):
|
|
def valid(self):
|
|
return self.get_queryset().valid()
|
|
|
|
|
|
class AssetPermission(OrgModelMixin):
|
|
id = models.UUIDField(default=uuid.uuid4, primary_key=True)
|
|
name = models.CharField(max_length=128, verbose_name=_('Name'))
|
|
users = models.ManyToManyField(
|
|
'users.User', related_name='%(class)ss', blank=True, verbose_name=_("User")
|
|
)
|
|
user_groups = models.ManyToManyField(
|
|
'users.UserGroup', related_name='%(class)ss', blank=True, verbose_name=_("User group")
|
|
)
|
|
assets = models.ManyToManyField(
|
|
'assets.Asset', related_name='granted_by_permissions', blank=True, verbose_name=_("Asset")
|
|
)
|
|
nodes = models.ManyToManyField(
|
|
'assets.Node', related_name='granted_by_permissions', blank=True, verbose_name=_("Nodes")
|
|
)
|
|
# 特殊的账号: @ALL, @INPUT @USER 默认包含,将来在全局设置中进行控制.
|
|
accounts = models.JSONField(default=list, verbose_name=_("Accounts"))
|
|
actions = models.IntegerField(
|
|
choices=Action.DB_CHOICES, default=Action.ALL, verbose_name=_("Actions")
|
|
)
|
|
is_active = models.BooleanField(default=True, verbose_name=_('Active'))
|
|
date_start = models.DateTimeField(
|
|
default=timezone.now, db_index=True, verbose_name=_("Date start")
|
|
)
|
|
date_expired = models.DateTimeField(
|
|
default=date_expired_default, db_index=True, verbose_name=_('Date expired')
|
|
)
|
|
created_by = models.CharField(max_length=128, blank=True, verbose_name=_('Created by'))
|
|
date_created = models.DateTimeField(auto_now_add=True, verbose_name=_('Date created'))
|
|
from_ticket = models.BooleanField(default=False, verbose_name=_('From ticket'))
|
|
comment = models.TextField(verbose_name=_('Comment'), blank=True)
|
|
|
|
objects = AssetPermissionManager.from_queryset(AssetPermissionQuerySet)()
|
|
|
|
class Meta:
|
|
unique_together = [('org_id', 'name')]
|
|
verbose_name = _("Asset permission")
|
|
ordering = ('name',)
|
|
permissions = []
|
|
|
|
def __str__(self):
|
|
return self.name
|
|
|
|
@property
|
|
def is_expired(self):
|
|
if self.date_expired > timezone.now() > self.date_start:
|
|
return False
|
|
return True
|
|
|
|
@property
|
|
def is_valid(self):
|
|
if not self.is_expired and self.is_active:
|
|
return True
|
|
return False
|
|
|
|
def get_all_users(self):
|
|
from users.models import User
|
|
user_ids = self.users.all().values_list('id', flat=True)
|
|
group_ids = self.user_groups.all().values_list('id', flat=True)
|
|
user_ids = list(user_ids)
|
|
group_ids = list(group_ids)
|
|
qs1 = User.objects.filter(id__in=user_ids).distinct()
|
|
qs2 = User.objects.filter(groups__id__in=group_ids).distinct()
|
|
qs = UnionQuerySet(qs1, qs2)
|
|
return qs
|
|
|
|
def get_all_assets(self, flat=False):
|
|
from assets.models import Node
|
|
nodes_keys = self.nodes.all().values_list('key', flat=True)
|
|
asset_ids = set(self.assets.all().values_list('id', flat=True))
|
|
nodes_asset_ids = Node.get_nodes_all_asset_ids_by_keys(nodes_keys)
|
|
asset_ids.update(nodes_asset_ids)
|
|
if flat:
|
|
return asset_ids
|
|
assets = Asset.objects.filter(id__in=asset_ids)
|
|
return assets
|
|
|
|
def get_all_accounts(self, flat=False):
|
|
"""
|
|
:return: 返回授权的所有账号对象 Account
|
|
"""
|
|
asset_ids = self.get_all_assets(flat=True)
|
|
q = Q(asset_id__in=asset_ids)
|
|
if not self.is_perm_all_accounts:
|
|
q &= Q(username__in=self.accounts)
|
|
accounts = Account.objects.filter(q).order_by('asset__name', 'name', 'username')
|
|
if not flat:
|
|
return accounts
|
|
return accounts.values_list('id', flat=True)
|
|
|
|
@property
|
|
def is_perm_all_accounts(self):
|
|
return SpecialAccount.ALL in self.accounts
|
|
|
|
@lazyproperty
|
|
def users_amount(self):
|
|
return self.users.count()
|
|
|
|
@lazyproperty
|
|
def user_groups_amount(self):
|
|
return self.user_groups.count()
|
|
|
|
@lazyproperty
|
|
def assets_amount(self):
|
|
return self.assets.count()
|
|
|
|
@lazyproperty
|
|
def nodes_amount(self):
|
|
return self.nodes.count()
|
|
|
|
def users_display(self):
|
|
names = [user.username for user in self.users.all()]
|
|
return names
|
|
|
|
def user_groups_display(self):
|
|
names = [group.name for group in self.user_groups.all()]
|
|
return names
|
|
|
|
def assets_display(self):
|
|
names = [asset.name for asset in self.assets.all()]
|
|
return names
|
|
|
|
def nodes_display(self):
|
|
names = [node.full_value for node in self.nodes.all()]
|
|
return names
|
|
|
|
|
|
class UserAssetGrantedTreeNodeRelation(OrgModelMixin, FamilyMixin, BaseCreateUpdateModel):
|
|
class NodeFrom(TextChoices):
|
|
granted = 'granted', 'Direct node granted'
|
|
child = 'child', 'Have children node'
|
|
asset = 'asset', 'Direct asset granted'
|
|
|
|
user = models.ForeignKey('users.User', db_constraint=False, on_delete=models.CASCADE)
|
|
node = models.ForeignKey('assets.Node', default=None, on_delete=models.CASCADE,
|
|
db_constraint=False, null=False, related_name='granted_node_rels')
|
|
node_key = models.CharField(max_length=64, verbose_name=_("Key"), db_index=True)
|
|
node_parent_key = models.CharField(max_length=64, default='', verbose_name=_('Parent key'),
|
|
db_index=True)
|
|
node_from = models.CharField(choices=NodeFrom.choices, max_length=16, db_index=True)
|
|
node_assets_amount = models.IntegerField(default=0)
|
|
|
|
@property
|
|
def key(self):
|
|
return self.node_key
|
|
|
|
@property
|
|
def parent_key(self):
|
|
return self.node_parent_key
|
|
|
|
@classmethod
|
|
def get_node_granted_status(cls, user, key):
|
|
ancestor_keys = set(cls.get_node_ancestor_keys(key, with_self=True))
|
|
ancestor_rel_nodes = cls.objects.filter(user=user, node_key__in=ancestor_keys)
|
|
|
|
for rel_node in ancestor_rel_nodes:
|
|
if rel_node.key == key:
|
|
return rel_node.node_from, rel_node
|
|
if rel_node.node_from == cls.NodeFrom.granted:
|
|
return cls.NodeFrom.granted, None
|
|
return '', None
|
|
|
|
|
|
class PermNode(Node):
|
|
class Meta:
|
|
proxy = True
|
|
ordering = []
|
|
|
|
# 特殊节点
|
|
UNGROUPED_NODE_KEY = 'ungrouped'
|
|
UNGROUPED_NODE_VALUE = _('Ungrouped')
|
|
FAVORITE_NODE_KEY = 'favorite'
|
|
FAVORITE_NODE_VALUE = _('Favorite')
|
|
|
|
node_from = ''
|
|
granted_assets_amount = 0
|
|
|
|
annotate_granted_node_rel_fields = {
|
|
'granted_assets_amount': F('granted_node_rels__node_assets_amount'),
|
|
'node_from': F('granted_node_rels__node_from')
|
|
}
|
|
|
|
def use_granted_assets_amount(self):
|
|
self.assets_amount = self.granted_assets_amount
|
|
|
|
@classmethod
|
|
def get_ungrouped_node(cls, assets_amount):
|
|
return cls(
|
|
id=cls.UNGROUPED_NODE_KEY,
|
|
key=cls.UNGROUPED_NODE_KEY,
|
|
value=cls.UNGROUPED_NODE_VALUE,
|
|
assets_amount=assets_amount
|
|
)
|
|
|
|
@classmethod
|
|
def get_favorite_node(cls, assets_amount):
|
|
node = cls(
|
|
id=cls.FAVORITE_NODE_KEY,
|
|
key=cls.FAVORITE_NODE_KEY,
|
|
value=cls.FAVORITE_NODE_VALUE,
|
|
)
|
|
node.assets_amount = assets_amount
|
|
return node
|
|
|
|
def get_granted_status(self, user):
|
|
status, rel_node = UserAssetGrantedTreeNodeRelation.get_node_granted_status(user, self.key)
|
|
self.node_from = status
|
|
if rel_node:
|
|
self.granted_assets_amount = rel_node.node_assets_amount
|
|
return status
|
|
|
|
def save(self):
|
|
# 这是个只读 Model
|
|
raise NotImplementedError
|
|
|
|
|
|
class PermedAsset(Asset):
|
|
class Meta:
|
|
proxy = True
|
|
verbose_name = _('Permed asset')
|
|
permissions = [
|
|
('view_myassets', _('Can view my assets')),
|
|
('view_userassets', _('Can view user assets')),
|
|
('view_usergroupassets', _('Can view usergroup assets')),
|
|
]
|