mirror of https://github.com/jumpserver/jumpserver
202 lines
6.5 KiB
Python
202 lines
6.5 KiB
Python
# ~*~ coding: utf-8 ~*~
|
|
|
|
from celery import shared_task
|
|
from django.utils.translation import ugettext as _
|
|
|
|
from common.utils import encrypt_password, get_logger
|
|
from . import const
|
|
from .utils import clean_hosts_by_protocol, clean_hosts
|
|
|
|
|
|
logger = get_logger(__file__)
|
|
__all__ = [
|
|
'push_system_user_util', 'push_system_user_to_assets',
|
|
'push_system_user_to_assets_manual', 'push_system_user_a_asset_manual',
|
|
]
|
|
|
|
|
|
def get_push_linux_system_user_tasks(system_user):
|
|
tasks = [
|
|
{
|
|
'name': 'Add user {}'.format(system_user.username),
|
|
'action': {
|
|
'module': 'user',
|
|
'args': 'name={} shell={} state=present'.format(
|
|
system_user.username, system_user.shell,
|
|
),
|
|
}
|
|
},
|
|
{
|
|
'name': 'Add group {}'.format(system_user.username),
|
|
'action': {
|
|
'module': 'group',
|
|
'args': 'name={} state=present'.format(
|
|
system_user.username,
|
|
),
|
|
}
|
|
},
|
|
{
|
|
'name': 'Check home dir exists',
|
|
'action': {
|
|
'module': 'stat',
|
|
'args': 'path=/home/{}'.format(system_user.username)
|
|
},
|
|
'register': 'home_existed'
|
|
},
|
|
{
|
|
'name': "Set home dir permission",
|
|
'action': {
|
|
'module': 'file',
|
|
'args': "path=/home/{0} owner={0} group={0} mode=700".format(system_user.username)
|
|
},
|
|
'when': 'home_existed.stat.exists == true'
|
|
}
|
|
]
|
|
if system_user.password:
|
|
tasks.append({
|
|
'name': 'Set {} password'.format(system_user.username),
|
|
'action': {
|
|
'module': 'user',
|
|
'args': 'name={} shell={} state=present password={}'.format(
|
|
system_user.username, system_user.shell,
|
|
encrypt_password(system_user.password, salt="K3mIlKK"),
|
|
),
|
|
}
|
|
})
|
|
if system_user.public_key:
|
|
tasks.append({
|
|
'name': 'Set {} authorized key'.format(system_user.username),
|
|
'action': {
|
|
'module': 'authorized_key',
|
|
'args': "user={} state=present key='{}'".format(
|
|
system_user.username, system_user.public_key
|
|
)
|
|
}
|
|
})
|
|
if system_user.sudo:
|
|
sudo = system_user.sudo.replace('\r\n', '\n').replace('\r', '\n')
|
|
sudo_list = sudo.split('\n')
|
|
sudo_tmp = []
|
|
for s in sudo_list:
|
|
sudo_tmp.append(s.strip(','))
|
|
sudo = ','.join(sudo_tmp)
|
|
tasks.append({
|
|
'name': 'Set {} sudo setting'.format(system_user.username),
|
|
'action': {
|
|
'module': 'lineinfile',
|
|
'args': "dest=/etc/sudoers state=present regexp='^{0} ALL=' "
|
|
"line='{0} ALL=(ALL) NOPASSWD: {1}' "
|
|
"validate='visudo -cf %s'".format(
|
|
system_user.username, sudo,
|
|
)
|
|
}
|
|
})
|
|
|
|
return tasks
|
|
|
|
|
|
def get_push_windows_system_user_tasks(system_user):
|
|
tasks = []
|
|
if not system_user.password:
|
|
return tasks
|
|
tasks.append({
|
|
'name': 'Add user {}'.format(system_user.username),
|
|
'action': {
|
|
'module': 'win_user',
|
|
'args': 'fullname={} '
|
|
'name={} '
|
|
'password={} '
|
|
'state=present '
|
|
'update_password=always '
|
|
'password_expired=no '
|
|
'password_never_expires=yes '
|
|
'groups="Users,Remote Desktop Users" '
|
|
'groups_action=add '
|
|
''.format(system_user.name,
|
|
system_user.username,
|
|
system_user.password),
|
|
}
|
|
})
|
|
return tasks
|
|
|
|
|
|
def get_push_system_user_tasks(host, system_user):
|
|
if host.is_unixlike():
|
|
tasks = get_push_linux_system_user_tasks(system_user)
|
|
elif host.is_windows():
|
|
tasks = get_push_windows_system_user_tasks(system_user)
|
|
else:
|
|
msg = _(
|
|
"The asset {} system platform {} does not "
|
|
"support run Ansible tasks".format(host.hostname, host.platform)
|
|
)
|
|
logger.info(msg)
|
|
tasks = []
|
|
return tasks
|
|
|
|
|
|
@shared_task(queue="ansible")
|
|
def push_system_user_util(system_user, assets, task_name):
|
|
from ops.utils import update_or_create_ansible_task
|
|
if not system_user.is_need_push():
|
|
msg = _("Push system user task skip, auto push not enable or "
|
|
"protocol is not ssh or rdp: {}").format(system_user.name)
|
|
logger.info(msg)
|
|
return {}
|
|
|
|
# Set root as system user is dangerous
|
|
if system_user.username.lower() in ["root", "administrator"]:
|
|
msg = _("For security, do not push user {}".format(system_user.username))
|
|
logger.info(msg)
|
|
return {}
|
|
|
|
hosts = clean_hosts(assets)
|
|
if not hosts:
|
|
return {}
|
|
|
|
hosts = clean_hosts_by_protocol(system_user, hosts)
|
|
if not hosts:
|
|
return {}
|
|
|
|
for host in hosts:
|
|
system_user.load_specific_asset_auth(host)
|
|
tasks = get_push_system_user_tasks(host, system_user)
|
|
if not tasks:
|
|
continue
|
|
task, created = update_or_create_ansible_task(
|
|
task_name=task_name, hosts=[host], tasks=tasks, pattern='all',
|
|
options=const.TASK_OPTIONS, run_as_admin=True,
|
|
created_by=system_user.org_id,
|
|
)
|
|
task.run()
|
|
|
|
|
|
@shared_task(queue="ansible")
|
|
def push_system_user_to_assets_manual(system_user):
|
|
assets = system_user.get_all_assets()
|
|
task_name = _("Push system users to assets: {}").format(system_user.name)
|
|
return push_system_user_util(system_user, assets, task_name=task_name)
|
|
|
|
|
|
@shared_task(queue="ansible")
|
|
def push_system_user_a_asset_manual(system_user, asset):
|
|
task_name = _("Push system users to asset: {} => {}").format(
|
|
system_user.name, asset
|
|
)
|
|
return push_system_user_util(system_user, [asset], task_name=task_name)
|
|
|
|
|
|
@shared_task(queue="ansible")
|
|
def push_system_user_to_assets(system_user, assets):
|
|
task_name = _("Push system users to assets: {}").format(system_user.name)
|
|
return push_system_user_util(system_user, assets, task_name)
|
|
|
|
|
|
|
|
# @shared_task
|
|
# @register_as_period_task(interval=3600)
|
|
# @after_app_ready_start
|
|
# @after_app_shutdown_clean_periodic
|
|
# def push_system_user_period():
|
|
# for system_user in SystemUser.objects.all():
|
|
# push_system_user_related_nodes(system_user) |