mirror of https://github.com/jumpserver/jumpserver
319 lines
12 KiB
Python
319 lines
12 KiB
Python
# coding: utf-8
|
||
|
||
from django.db.models.query import QuerySet
|
||
from jumpserver.api import *
|
||
import uuid
|
||
import re
|
||
|
||
from jumpserver.models import Setting
|
||
from jperm.models import PermRole, PermPush, PermRule
|
||
|
||
|
||
def get_group_user_perm(ob):
|
||
"""
|
||
ob为用户或用户组
|
||
获取用户、用户组授权的资产、资产组
|
||
return:
|
||
{’asset_group': {
|
||
asset_group1: {'asset': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
asset_group2: {'asset: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
}
|
||
'asset':{
|
||
asset1: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
asset2: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
}
|
||
]},
|
||
'rule':[rule1, rule2,]
|
||
'role': {role1: {'asset': []}, 'asset_group': []}, role2: {}},
|
||
}
|
||
"""
|
||
perm = {}
|
||
if isinstance(ob, User):
|
||
rule_all = set(PermRule.objects.filter(user=ob))
|
||
for user_group in ob.group.all():
|
||
rule_all = rule_all.union(set(PermRule.objects.filter(user_group=user_group)))
|
||
|
||
elif isinstance(ob, UserGroup):
|
||
rule_all = PermRule.objects.filter(user_group=ob)
|
||
else:
|
||
rule_all = []
|
||
|
||
perm['rule'] = rule_all
|
||
perm_asset_group = perm['asset_group'] = {}
|
||
perm_asset = perm['asset'] = {}
|
||
perm_role = perm['role'] = {}
|
||
for rule in rule_all:
|
||
asset_groups = rule.asset_group.all()
|
||
assets = rule.asset.all()
|
||
perm_roles = rule.role.all()
|
||
group_assets = []
|
||
for asset_group in asset_groups:
|
||
group_assets.extend(asset_group.asset_set.all())
|
||
# 获取一个规则授权的角色和对应主机
|
||
for role in perm_roles:
|
||
if perm_role.get(role):
|
||
perm_role[role]['asset'] = perm_role[role].get('asset', set()).union(set(assets).union(set(group_assets)))
|
||
perm_role[role]['asset_group'] = perm_role[role].get('asset_group', set()).union(set(asset_groups))
|
||
else:
|
||
perm_role[role] = {'asset': set(assets).union(set(group_assets)), 'asset_group': set(asset_groups)}
|
||
|
||
# 获取一个规则用户授权的资产
|
||
for asset in assets:
|
||
if perm_asset.get(asset):
|
||
perm_asset[asset].get('role', set()).update(set(rule.role.all()))
|
||
perm_asset[asset].get('rule', set()).add(rule)
|
||
else:
|
||
perm_asset[asset] = {'role': set(rule.role.all()), 'rule': set([rule])}
|
||
|
||
# 获取一个规则用户授权的资产组
|
||
for asset_group in asset_groups:
|
||
asset_group_assets = asset_group.asset_set.all()
|
||
if perm_asset_group.get(asset_group):
|
||
perm_asset_group[asset_group].get('role', set()).update(set(rule.role.all()))
|
||
perm_asset_group[asset_group].get('rule', set()).add(rule)
|
||
else:
|
||
perm_asset_group[asset_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
|
||
'asset': asset_group_assets}
|
||
|
||
# 将资产组中的资产添加到资产授权中
|
||
for asset in asset_group_assets:
|
||
if perm_asset.get(asset):
|
||
perm_asset[asset].get('role', set()).update(perm_asset_group[asset_group].get('role', set()))
|
||
perm_asset[asset].get('rule', set()).update(perm_asset_group[asset_group].get('rule', set()))
|
||
else:
|
||
perm_asset[asset] = {'role': perm_asset_group[asset_group].get('role', set()),
|
||
'rule': perm_asset_group[asset_group].get('rule', set())}
|
||
print perm
|
||
return perm
|
||
|
||
|
||
def get_group_asset_perm(ob):
|
||
"""
|
||
ob为资产或资产组
|
||
获取资产,资产组授权的用户,用户组
|
||
return:
|
||
{’user_group': {
|
||
user_group1: {'user': [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
user_group2: {'user: [], 'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
}
|
||
'user':{
|
||
user1: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
user2: {'role': [role1, role2], 'rule': [rule1, rule2]},
|
||
}
|
||
]},
|
||
'rule':[rule1, rule2,],
|
||
}
|
||
"""
|
||
perm = {}
|
||
if isinstance(ob, Asset):
|
||
rule_all = PermRule.objects.filter(asset=ob)
|
||
elif isinstance(ob, AssetGroup):
|
||
rule_all = PermRule.objects.filter(asset_group=ob)
|
||
else:
|
||
rule_all = []
|
||
|
||
perm['rule'] = rule_all
|
||
perm_user_group = perm['user_group'] = {}
|
||
perm_user = perm['user'] = {}
|
||
for rule in rule_all:
|
||
user_groups = rule.user_group.all()
|
||
users = rule.user.all()
|
||
# 获取一个规则资产的用户
|
||
for user in users:
|
||
if perm_user.get(user):
|
||
perm_user[user].get('role', set()).update(set(rule.role.all()))
|
||
perm_user[user].get('rule', set()).add(rule)
|
||
else:
|
||
perm_user[user] = {'role': set(rule.role.all()), 'rule': set([rule])}
|
||
|
||
# 获取一个规则资产授权的用户组
|
||
for user_group in user_groups:
|
||
user_group_users = user_group.user_set.all()
|
||
if perm_user_group.get(user_group):
|
||
perm_user_group[user_group].get('role', set()).update(set(rule.role.all()))
|
||
perm_user_group[user_group].get('rule', set()).add(rule)
|
||
else:
|
||
perm_user_group[user_group] = {'role': set(rule.role.all()), 'rule': set([rule]),
|
||
'user': user_group_users}
|
||
|
||
# 将用户组中的资产添加到用户授权中
|
||
for user in user_group_users:
|
||
if perm_user.get(user):
|
||
perm_user[user].get('role', set()).update(perm_user_group[user_group].get('role', set()))
|
||
perm_user[user].get('rule', set()).update(perm_user_group[user_group].get('rule', set()))
|
||
else:
|
||
perm_user[user] = {'role': perm_user_group[user_group].get('role', set()),
|
||
'rule': perm_user_group[user_group].get('rule', set())}
|
||
return perm
|
||
|
||
|
||
def user_have_perm(user, asset):
|
||
user_perm_all = get_group_user_perm(user)
|
||
user_assets = user_perm_all.get('asset').keys()
|
||
if asset in user_assets:
|
||
return user_perm_all.get('asset').get(asset).get('role')
|
||
else:
|
||
return []
|
||
|
||
|
||
def gen_resource(ob, perm=None):
|
||
"""
|
||
ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息
|
||
生成MyInventory需要的 resource文件
|
||
"""
|
||
res = []
|
||
if isinstance(ob, dict):
|
||
role = ob.get('role')
|
||
asset_r = ob.get('asset')
|
||
user = ob.get('user')
|
||
if not perm:
|
||
perm = get_group_user_perm(user)
|
||
|
||
if role:
|
||
roles = perm.get('role', {}).keys() # 获取用户所有授权角色
|
||
if role not in roles:
|
||
return {}
|
||
|
||
role_assets_all = perm.get('role').get(role).get('asset') # 获取用户该角色所有授权主机
|
||
assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机
|
||
|
||
for asset in assets:
|
||
asset_info = get_asset_info(asset)
|
||
role_key = get_role_key(user, role)
|
||
info = {'hostname': asset.hostname,
|
||
'ip': asset.ip,
|
||
'port': asset_info.get('port', 22),
|
||
'username': role.name,
|
||
'password': CRYPTOR.decrypt(role.password)
|
||
}
|
||
|
||
if os.path.isfile(role_key):
|
||
info['ssh_key'] = role_key
|
||
|
||
res.append(info)
|
||
else:
|
||
for asset, asset_info in perm.get('asset').items():
|
||
if asset not in asset_r:
|
||
continue
|
||
asset_info = get_asset_info(asset)
|
||
try:
|
||
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
|
||
except IndexError:
|
||
continue
|
||
|
||
role_key = get_role_key(user, role)
|
||
info = {'hostname': asset.hostname,
|
||
'ip': asset.ip,
|
||
'port': asset_info.get('port', 22),
|
||
'username': role.name,
|
||
'password': CRYPTOR.decrypt(role.password),
|
||
}
|
||
if os.path.isfile(role_key):
|
||
info['ssh_key'] = role_key
|
||
|
||
res.append(info)
|
||
|
||
elif isinstance(ob, User):
|
||
if not perm:
|
||
perm = get_group_user_perm(ob)
|
||
|
||
for asset, asset_info in perm.get('asset').items():
|
||
asset_info = get_asset_info(asset)
|
||
info = {'hostname': asset.hostname, 'ip': asset.ip, 'port': asset_info.get('port', 22)}
|
||
try:
|
||
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
|
||
except IndexError:
|
||
continue
|
||
info['username'] = role.name
|
||
info['password'] = CRYPTOR.decrypt(role.password)
|
||
|
||
role_key = get_role_key(ob, role)
|
||
if os.path.isfile(role_key):
|
||
info['ssh_key'] = role_key
|
||
res.append(info)
|
||
|
||
elif isinstance(ob, (list, QuerySet)):
|
||
for asset in ob:
|
||
info = get_asset_info(asset)
|
||
res.append(info)
|
||
logger.debug('生成res: %s' % res)
|
||
return res
|
||
|
||
|
||
def get_object_list(model, id_list):
|
||
"""根据id列表获取对象列表"""
|
||
object_list = []
|
||
for object_id in id_list:
|
||
if object_id:
|
||
object_list.extend(model.objects.filter(id=int(object_id)))
|
||
|
||
return object_list
|
||
|
||
|
||
def get_role_info(role_id, type="all"):
|
||
"""
|
||
获取role对应的一些信息
|
||
:return: 返回值 均为对象列表
|
||
"""
|
||
# 获取role对应的授权规则
|
||
role_obj = PermRole.objects.get(id=role_id)
|
||
rule_push_obj = role_obj.perm_rule.all()
|
||
# 获取role 对应的用户 和 用户组
|
||
# 获取role 对应的主机 和主机组
|
||
users_obj = []
|
||
assets_obj = []
|
||
user_groups_obj = []
|
||
asset_groups_obj = []
|
||
for push in rule_push_obj:
|
||
for user in push.user.all():
|
||
users_obj.append(user)
|
||
for asset in push.asset.all():
|
||
assets_obj.append(asset)
|
||
for user_group in push.user_group.all():
|
||
user_groups_obj.append(user_group)
|
||
for asset_group in push.asset_group.all():
|
||
asset_groups_obj.append(asset_group)
|
||
|
||
if type == "all":
|
||
return {"rules": set(rule_push_obj),
|
||
"users": set(users_obj),
|
||
"user_groups": set(user_groups_obj),
|
||
"assets": set(assets_obj),
|
||
"asset_groups": set(asset_groups_obj),
|
||
}
|
||
|
||
elif type == "rule":
|
||
return set(rule_push_obj)
|
||
elif type == "user":
|
||
return set(users_obj)
|
||
elif type == "user_group":
|
||
return set(user_groups_obj)
|
||
elif type == "asset":
|
||
return set(assets_obj)
|
||
elif type == "asset_group":
|
||
return set(asset_groups_obj)
|
||
else:
|
||
return u"不支持的查询"
|
||
|
||
|
||
def get_role_push_host(role):
|
||
"""
|
||
asset_pushed: {'success': push.success, 'key': push.is_public_key, 'password': push.is_password,
|
||
'result': push.result}
|
||
asset_no_push: set(asset1, asset2)
|
||
"""
|
||
# 计算该role 所有push记录 总共推送的主机
|
||
pushs = PermPush.objects.filter(role=role)
|
||
asset_all = Asset.objects.all()
|
||
asset_pushed = {}
|
||
for push in pushs:
|
||
asset_pushed[push.asset] = {'success': push.success, 'key': push.is_public_key, 'password': push.is_password,
|
||
'result': push.result}
|
||
asset_no_push = set(asset_all) - set(asset_pushed.keys())
|
||
return asset_pushed, asset_no_push
|
||
|
||
|
||
if __name__ == "__main__":
|
||
print get_role_info(1)
|
||
|