mirror of https://github.com/jumpserver/jumpserver
262 lines
8.7 KiB
Python
262 lines
8.7 KiB
Python
# coding: utf-8
|
|
|
|
from __future__ import absolute_import, unicode_literals
|
|
|
|
from common.utils import setattr_bulk, get_logger
|
|
from ops.tasks import push_users
|
|
from .hands import User, UserGroup, Asset, AssetGroup, SystemUser
|
|
|
|
logger = get_logger(__file__)
|
|
|
|
|
|
def get_user_group_granted_asset_groups(user_group):
|
|
"""Return asset groups granted of the user group
|
|
|
|
:param user_group: Instance of :class: ``UserGroup``
|
|
:return: {asset_group1: {system_user1, },
|
|
asset_group2: {system_user1, system_user2}}
|
|
"""
|
|
asset_groups = {}
|
|
asset_permissions = user_group.asset_permissions.all()
|
|
|
|
for asset_permission in asset_permissions:
|
|
if not asset_permission.is_valid:
|
|
continue
|
|
for asset_group in asset_permission.asset_groups.all():
|
|
if asset_group in asset_groups:
|
|
asset_groups[asset_group] |= set(asset_permission.system_users.all())
|
|
else:
|
|
asset_groups[asset_group] = set(asset_permission.system_users.all())
|
|
return asset_groups
|
|
|
|
|
|
def get_user_group_granted_assets(user_group):
|
|
"""Return assets granted of the user group
|
|
|
|
:param user_group: Instance of :class: ``UserGroup``
|
|
:return: {asset1: {system_user1, }, asset1: {system_user1, system_user2]}
|
|
"""
|
|
assets = {}
|
|
asset_permissions = user_group.asset_permissions.all()
|
|
|
|
for asset_permission in asset_permissions:
|
|
if not asset_permission.is_valid:
|
|
continue
|
|
for asset in asset_permission.get_granted_assets():
|
|
if not asset.is_active:
|
|
continue
|
|
if asset in assets:
|
|
assets[asset] |= set(asset_permission.system_users.all())
|
|
else:
|
|
assets[asset] = set(asset_permission.system_users.all())
|
|
return assets
|
|
|
|
|
|
def get_user_granted_asset_groups_direct(user):
|
|
"""Return asset groups granted of the user direct nor inherit from user group
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset_group: {system_user1, },
|
|
asset_group2: {system_user1, system_user2]}
|
|
"""
|
|
asset_groups = {}
|
|
asset_permissions_direct = user.asset_permissions.all()
|
|
|
|
for asset_permission in asset_permissions_direct:
|
|
if not asset_permission.is_valid:
|
|
continue
|
|
for asset_group in asset_permission.asset_groups.all():
|
|
if asset_group in asset_groups:
|
|
asset_groups[asset_group] |= set(asset_permission.system_users.all())
|
|
else:
|
|
setattr(asset_group, 'inherited', False)
|
|
asset_groups[asset_group] = set(asset_permission.system_users.all())
|
|
|
|
return asset_groups
|
|
|
|
|
|
def get_user_granted_asset_groups_inherit_from_user_groups(user):
|
|
"""Return asset groups granted of the user and inherit from user group
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset_group: {system_user1, },
|
|
asset_group2: {system_user1, system_user2]}
|
|
"""
|
|
asset_groups = {}
|
|
user_groups = user.groups.all()
|
|
asset_permissions = set()
|
|
|
|
# Get asset permission list of user groups for this user
|
|
for user_group in user_groups:
|
|
asset_permissions |= set(user_group.asset_permissions.all())
|
|
|
|
# Get asset groups granted from user groups
|
|
for asset_permission in asset_permissions:
|
|
if not asset_permission.is_valid:
|
|
continue
|
|
for asset_group in asset_permission.asset_groups.all():
|
|
if asset_group in asset_groups:
|
|
asset_groups[asset_group] |= set(asset_permission.system_users.all())
|
|
else:
|
|
setattr(asset_group, 'inherited', True)
|
|
asset_groups[asset_group] = set(asset_permission.system_users.all())
|
|
|
|
return asset_groups
|
|
|
|
|
|
def get_user_granted_asset_groups(user):
|
|
"""Get user granted asset groups all, include direct and inherit from user group
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
|
|
"""
|
|
|
|
asset_groups_inherit_from_user_groups = \
|
|
get_user_granted_asset_groups_inherit_from_user_groups(user)
|
|
asset_groups_direct = get_user_granted_asset_groups_direct(user)
|
|
asset_groups = asset_groups_inherit_from_user_groups
|
|
|
|
# Merge direct granted and inherit from user group
|
|
for asset_group, system_users in asset_groups_direct.items():
|
|
if asset_group in asset_groups:
|
|
asset_groups[asset_group] |= asset_groups_direct[asset_group]
|
|
else:
|
|
asset_groups[asset_group] = asset_groups_direct[asset_group]
|
|
return asset_groups
|
|
|
|
|
|
def get_user_granted_assets_direct(user):
|
|
"""Return assets granted of the user directly
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
|
|
"""
|
|
assets = {}
|
|
asset_permissions_direct = user.asset_permissions.all()
|
|
|
|
for asset_permission in asset_permissions_direct:
|
|
if not asset_permission.is_valid:
|
|
continue
|
|
for asset in asset_permission.get_granted_assets():
|
|
if not asset.is_active:
|
|
continue
|
|
if asset in assets:
|
|
assets[asset] |= set(asset_permission.system_users.all())
|
|
else:
|
|
setattr(asset, 'inherited', False)
|
|
assets[asset] = set(asset_permission.system_users.all())
|
|
return assets
|
|
|
|
|
|
def get_user_granted_assets_inherit_from_user_groups(user):
|
|
"""Return assets granted of the user inherit from user groups
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
|
|
"""
|
|
assets = {}
|
|
user_groups = user.groups.all()
|
|
|
|
for user_group in user_groups:
|
|
assets_inherited = get_user_group_granted_assets(user_group)
|
|
for asset in assets_inherited:
|
|
if not asset.is_active:
|
|
continue
|
|
if asset in assets:
|
|
assets[asset] |= assets_inherited[asset]
|
|
else:
|
|
setattr(asset, 'inherited', True)
|
|
assets[asset] = assets_inherited[asset]
|
|
return assets
|
|
|
|
|
|
def get_user_granted_assets(user):
|
|
"""Return assets granted of the user inherit from user groups
|
|
|
|
:param user: Instance of :class: ``User``
|
|
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
|
|
"""
|
|
assets_direct = get_user_granted_assets_direct(user)
|
|
assets_inherited = get_user_granted_assets_inherit_from_user_groups(user)
|
|
assets = assets_inherited
|
|
|
|
for asset in assets_direct:
|
|
if not asset.is_active:
|
|
continue
|
|
if asset in assets:
|
|
assets[asset] |= assets_direct[asset]
|
|
else:
|
|
assets[asset] = assets_direct[asset]
|
|
return assets
|
|
|
|
|
|
def get_user_group_asset_permissions(user_group):
|
|
permissions = user_group.asset_permissions.all()
|
|
return permissions
|
|
|
|
|
|
def get_user_asset_permissions(user):
|
|
user_group_permissions = set()
|
|
direct_permissions = set(setattr_bulk(user.asset_permissions.all(), 'inherited', 0))
|
|
|
|
for user_group in user.groups.all():
|
|
permissions = get_user_group_asset_permissions(user_group)
|
|
user_group_permissions |= set(permissions)
|
|
user_group_permissions = set(setattr_bulk(user_group_permissions, 'inherited', 1))
|
|
return direct_permissions | user_group_permissions
|
|
|
|
|
|
def get_user_groups_granted_in_asset(asset):
|
|
pass
|
|
|
|
|
|
def get_users_granted_in_asset(asset):
|
|
pass
|
|
|
|
|
|
def get_user_groups_granted_in_asset_group(asset):
|
|
pass
|
|
|
|
|
|
def get_users_granted_in_asset_group(asset):
|
|
pass
|
|
|
|
|
|
def push_system_user(assets, system_user):
|
|
logger.info('Push system user %s' % system_user.name)
|
|
for asset in assets:
|
|
logger.info('\tAsset: %s' % asset.ip)
|
|
if not assets:
|
|
return None
|
|
|
|
assets = [asset._to_secret_json() for asset in assets]
|
|
system_user = system_user._to_secret_json()
|
|
task = push_users(assets, system_user)
|
|
return task.id
|
|
|
|
|
|
def associate_system_users_and_assets(system_users, assets, asset_groups):
|
|
"""关联系统用户和资产, 目的是保存它们的关系, 然后新加入的资产或系统
|
|
用户时,推送系统用户到资产
|
|
|
|
Todo: 这里需要最终Api定下来更改一下, 现在策略是以系统用户为核心推送, 一个系统用户
|
|
推送一次
|
|
"""
|
|
assets_all = set(assets)
|
|
|
|
for asset_group in asset_groups:
|
|
assets_all |= set(asset_group.assets.all())
|
|
|
|
for system_user in system_users:
|
|
assets_need_push = []
|
|
if system_user.auto_push:
|
|
assets_need_push.extend(
|
|
[asset for asset in assets_all
|
|
if asset not in system_user.assets.all()
|
|
]
|
|
)
|
|
system_user.assets.add(*(tuple(assets_all)))
|
|
push_system_user(assets_need_push, system_user)
|
|
|
|
|