mirror of https://github.com/jumpserver/jumpserver
import time
from functools import reduce
from django.db.models import Q
from common.utils import get_logger
from perms.models import ApplicationPermission, Action
logger = get_logger(__file__)
def get_user_all_app_perm_ids(user) -> set:
    """Return the ids of all valid application permissions that apply to *user*.

    A permission applies when the user is bound to it directly or through
    one of the user's groups. The collected ids are finally re-queried
    through ``.valid()`` so only permissions accepted by that filter are
    returned.

    Args:
        user: The user whose permissions are being resolved; only
            ``user.id`` and the ``user.groups`` relation are read.

    Returns:
        set: Primary keys of the matching ``ApplicationPermission`` rows.
    """
    # Permissions bound directly to the user (read from the M2M through table).
    direct_ids = (
        ApplicationPermission.users.through.objects
        .filter(user_id=user.id)
        .values_list('applicationpermission_id', flat=True)
        .distinct()
    )
    candidate_ids = set(direct_ids)

    # Group memberships are materialised into a list before being used in
    # the ``__in`` lookup below, exactly one query per step.
    membership_ids = list(
        user.groups.through.objects
        .filter(user_id=user.id)
        .values_list('usergroup_id', flat=True)
        .distinct()
    )
    inherited_ids = (
        ApplicationPermission.user_groups.through.objects
        .filter(usergroup_id__in=membership_ids)
        .values_list('applicationpermission_id', flat=True)
        .distinct()
    )
    candidate_ids.update(inherited_ids)

    # NOTE(review): valid() is defined outside this file; presumably it drops
    # inactive or expired permissions -- confirm against the model manager.
    still_valid = (
        ApplicationPermission.objects
        .filter(id__in=candidate_ids)
        .valid()
        .values_list('id', flat=True)
    )
    return set(still_valid)
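def validate_permission(user, application, system_user, action='connect'):
    """Check whether *user* may perform *action* on *application* as *system_user*.

    The user's valid permission ids are narrowed first to those that cover
    the application and then to those that cover the system user. The
    action sets of all remaining permissions are unioned.

    Args:
        user: The requesting user.
        application: The target application; only ``application.id`` is read.
        system_user: The system user to act as; only ``system_user.id`` is read.
        action: The action name to look up in the granted actions.

    Returns:
        tuple: ``(has_perm, actions, expire_at)`` where ``has_perm`` is
        ``action in actions``, ``actions`` is the list of granted action
        choices (in no particular order) and ``expire_at`` is a POSIX
        timestamp. When nothing matches, ``actions`` is empty and
        ``expire_at`` is the current time, so the result is already expired.
    """
    perm_ids = get_user_all_app_perm_ids(user)

    # Keep only permissions that include this application ...
    perm_ids = set(
        ApplicationPermission.applications.through.objects.filter(
            applicationpermission_id__in=perm_ids,
            application_id=application.id,
        ).values_list('applicationpermission_id', flat=True)
    )
    # ... and, of those, only the ones that include this system user.
    perm_ids = set(
        ApplicationPermission.system_users.through.objects.filter(
            applicationpermission_id__in=perm_ids,
            systemuser_id=system_user.id,
        ).values_list('applicationpermission_id', flat=True)
    )

    # One query returns both columns, so the action set and the expiry come
    # from the same snapshot and no full model rows are loaded just to test
    # whether anything matched.
    rows = list(
        ApplicationPermission.objects
        .filter(id__in=perm_ids)
        .order_by('-date_expired')
        .values_list('actions', 'date_expired')
    )

    if rows:
        granted = set()
        for value, _date_expired in rows:
            granted.update(Action.value_to_choices(value))
        actions = list(granted)
        # Rows are ordered by date_expired descending: the first row carries
        # the latest expiry among all matching permissions.
        # NOTE(review): that permission is not necessarily one that grants
        # `action`, so expire_at can be later than the expiry of the
        # permission(s) actually granting it. Callers that enforce expiry
        # per action should confirm this is intended.
        expire_at = rows[0][1].timestamp()
    else:
        # Fail closed: no actions, and an expiry of "now".
        actions = []
        expire_at = time.time()

    # TODO: once the components' API rework is finished, decide has_perm
    # uniformly from `actions`.
    has_perm = action in actions
    return has_perm, actions, expire_at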
def get_application_system_user_ids(user, application):
    """Return the system-user ids that *user* is granted on *application*.

    Only permissions passing ``.valid()`` are considered, and a permission
    counts when it names the user directly or through one of the user's
    groups.

    Args:
        user: The user being checked.
        application: The application the permissions must cover.

    Returns:
        A lazy ``values_list`` queryset of ``system_users`` values. No
        ``distinct()`` is applied, so the same id may appear more than once.
    """
    valid_perms = ApplicationPermission.objects.valid()
    granted_to_user = Q(users=user) | Q(user_groups__users=user)
    covers_application = Q(applications=application)
    # Both conditions go into a single filter() call, as in a plain AND.
    matching = valid_perms.filter(granted_to_user, covers_application)
    return matching.values_list('system_users', flat=True)
def has_application_system_permission(user, application, system_user):
    """Tell whether *user* may use *system_user* on *application*.

    The check is a membership test of ``system_user.id`` against the ids
    returned by ``get_application_system_user_ids``; the permission's
    actions are not examined here.

    Returns:
        bool: ``True`` when the system user's id is among the granted ids.
    """
    permitted_ids = get_application_system_user_ids(user, application)
    # `in` iterates the queryset, which runs the query at this point.
    is_permitted = system_user.id in permitted_ids
    return is_permitted