审计授权页面,未完成。

Apex Liu 2017-12-19 17:36:15 +08:00
parent d92e053c63
commit 206c9fdead
13 changed files with 765 additions and 470 deletions


@ -1444,7 +1444,6 @@ $app.create_dlg_edit_account = function () {
dlg.dom.username.val('');
} else {
console.log(account);
dlg.account = account;
dlg.field_id = account.id;
dlg.dom.dlg_title.html('编辑:' + account.username);



@ -569,7 +569,7 @@ $app.create_controls = function (cb_stack) {
Cookies.set($app.page_id('ops_auz_detail') + '_sel_host_per_page', per_page, {expires: 365});
}
});
$tp.create_table_pagination($app.table_sel_acc, 'table-sel-host-pagination');
$tp.create_table_pagination($app.table_sel_host, 'table-sel-host-pagination');
$app.dlg_sel_host = $app.create_dlg_sel_host();
cb_stack.add($app.dlg_sel_host.init);


@ -142,7 +142,7 @@
<div class="col-md-6">
<div id="area-auditee">
<div class="area-title"><span class="name">被审计</span><span class="desc">(被审计的用户或主机)</span></div>
<div class="area-title"><span class="name">被审计资源</span><span class="desc">(被审计的用户或主机)</span></div>
<div style="padding:5px;">
<div class="table-extend-area">
@ -202,7 +202,7 @@
<%block name="extend_content">
<div class="modal fade" id="dlg-sel-user" tabindex="-1" role="dialog">
<div class="modal fade" id="dlg-sel-auditor-user" tabindex="-1" role="dialog">
<div class="modal-dialog modal-lg" role="document">
<div class="modal-content">
<div class="modal-header">
@ -211,7 +211,7 @@
</div>
<div class="modal-body">
<table id="table-sel-user" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<table id="table-sel-auditor-user" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<div class="table-extend-area">
<div class="table-extend-cell checkbox-select-all"><input data-action="sel-all" type="checkbox"/></div>
<div class="table-extend-cell group-actions">
@ -220,14 +220,14 @@
</div>
</div>
<div class="table-extend-cell table-item-counter">
<ol id="table-sel-user-paging"></ol>
<ol id="table-sel-auditor-user-paging"></ol>
</div>
</div>
<div class="table-extend-area">
<div class="table-extend-cell">
<div style="text-align:right;">
<nav>
<ul id="table-sel-user-pagination" class="pagination"></ul>
<ul id="table-sel-auditor-user-pagination" class="pagination"></ul>
</nav>
</div>
</div>
@ -243,7 +243,48 @@
</div>
</div>
<div class="modal fade" id="dlg-sel-user-group" tabindex="-1" role="dialog">
<div class="modal fade" id="dlg-sel-auditee-user" tabindex="-1" role="dialog">
<div class="modal-dialog modal-lg" role="document">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><i class="fa fa-times-circle fa-fw"></i></button>
<h3 data-field="dlg-title" class="modal-title">选择用户</h3>
</div>
<div class="modal-body">
<table id="table-sel-auditee-user" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<div class="table-extend-area">
<div class="table-extend-cell checkbox-select-all"><input data-action="sel-all" type="checkbox"/></div>
<div class="table-extend-cell group-actions">
<div class="btn-group" role="group">
<button data-action="use-selected" type="button" class="btn btn-primary"><i class="fa fa-edit fa-fw"></i> 添加为被授权资源</button>
</div>
</div>
<div class="table-extend-cell table-item-counter">
<ol id="table-sel-auditee-user-paging"></ol>
</div>
</div>
<div class="table-extend-area">
<div class="table-extend-cell">
<div style="text-align:right;">
<nav>
<ul id="table-sel-auditee-user-pagination" class="pagination"></ul>
</nav>
</div>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-sm btn-default" data-dismiss="modal"><i class="fa fa-close fa-fw"></i> 关闭</button>
</div>
</div>
</div>
</div>
<div class="modal fade" id="dlg-sel-auditor-user-group" tabindex="-1" role="dialog">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
@ -252,7 +293,7 @@
</div>
<div class="modal-body">
<table id="table-sel-user-group" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<table id="table-sel-auditor-user-group" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<div class="table-extend-area">
<div class="table-extend-cell checkbox-select-all"><input data-action="sel-all" type="checkbox"/></div>
<div class="table-extend-cell group-actions">
@ -261,14 +302,55 @@
</div>
</div>
<div class="table-extend-cell table-item-counter">
<ol id="table-sel-user-group-paging"></ol>
<ol id="table-sel-auditor-user-group-paging"></ol>
</div>
</div>
<div class="table-extend-area">
<div class="table-extend-cell">
<div style="text-align:right;">
<nav>
<ul id="table-sel-user-group-pagination" class="pagination"></ul>
<ul id="table-sel-auditor-user-group-pagination" class="pagination"></ul>
</nav>
</div>
</div>
</div>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-sm btn-default" data-dismiss="modal"><i class="fa fa-close fa-fw"></i> 关闭</button>
</div>
</div>
</div>
</div>
<div class="modal fade" id="dlg-sel-auditee-user-group" tabindex="-1" role="dialog">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><i class="fa fa-times-circle fa-fw"></i></button>
<h3 data-field="dlg-title" class="modal-title">选择用户组</h3>
</div>
<div class="modal-body">
<table id="table-sel-auditee-user-group" class="table table-striped table-bordered table-hover table-data no-footer dtr-inline"></table>
<div class="table-extend-area">
<div class="table-extend-cell checkbox-select-all"><input data-action="sel-all" type="checkbox"/></div>
<div class="table-extend-cell group-actions">
<div class="btn-group" role="group">
<button data-action="use-selected" type="button" class="btn btn-primary"><i class="fa fa-edit fa-fw"></i> 添加为被授权资源</button>
</div>
</div>
<div class="table-extend-cell table-item-counter">
<ol id="table-sel-auditee-user-group-paging"></ol>
</div>
</div>
<div class="table-extend-area">
<div class="table-extend-cell">
<div style="text-align:right;">
<nav>
<ul id="table-sel-auditee-user-group-pagination" class="pagination"></ul>
</nav>
</div>
</div>
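Review bot: The four dialogs added or renamed in this section (`dlg-sel-auditor-user`, `dlg-sel-auditee-user`, `dlg-sel-auditor-user-group`, `dlg-sel-auditee-user-group`) differ only in their id prefix, title and button label, so the same modal markup is repeated four times; a Mako `<%def name="sel_dialog(id_prefix, title, btn_label)">` rendering one modal would reduce them to four one-line calls and prevent the kind of copy-paste id mismatch that the pagination hunk elsewhere in this commit had to fix. The `use-selected` buttons in both auditee dialogs read `添加为被授权资源`, while the heading in the first hunk was changed to `被审计资源`; if the label was carried over from the ops page, `添加为被审计资源` would match the new wording. The `dlg-sel-auditee-user-group` markup continues past the end of the last hunk.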


@ -727,8 +727,8 @@ class DatabaseInit:
# id: 自增主键
f.append('`id` integer PRIMARY KEY {}'.format(self.db.auto_increment))
# audited: 是否已审查
f.append('`audited` int(3) DEFAULT 0')
# flag: 是否已审查/是否要永久保留
f.append('`flag` int(11) DEFAULT 0')
# sid: 会话ID
f.append('`sid` varchar(32) DEFAULT ""')
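Review bot: Replacing the `audited` column with `flag` in `DatabaseInit` only changes the schema for fresh installs; a database created by the previous version keeps `audited`, so unless an upgrade step elsewhere in the commit adds the new column (none is visible on this page), code reading `flag` will fail on existing deployments. The comment `# flag: 是否已审查/是否要永久保留` also packs two booleans into one int without saying which bit means what; define named constants for the bits where the column is written and reference them here, e.g. `# flag: 位掩码 — bit0 = 已审查, bit1 = 永久保留（常量名见 <审计标记常量模块，待定>）`.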


@ -100,6 +100,12 @@ TP_POLICY_AUTH_gUSER_ACC = 5 # 5=用户组:账号
TP_POLICY_AUTH_gUSER_gACC = 6 # 6=用户组:账号组
TP_POLICY_AUTH_gUSER_HOST = 7 # 7=用户组:主机
TP_POLICY_AUTH_gUSER_gHOST = 8 # 8=用户组:主机组
# 下列四个仅用于审计授权
TP_POLICY_AUTH_USER_USER = 9 # 1=用户:用户
TP_POLICY_AUTH_USER_gUSER = 10 # 2=用户:用户组
TP_POLICY_AUTH_gUSER_USER = 11 # 5=用户组:用户
TP_POLICY_AUTH_gUSER_gUSER = 12 # 6=用户组:用户组
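Review bot: The inline comments on the four new constants still carry the numbers of the ops constants they were copied from, not their own values: `TP_POLICY_AUTH_USER_USER = 9  # 9=用户:用户`, and likewise `10=`, `11=` and `12=` for the next three lines, otherwise a reader matching log output against this table is sent to the wrong entry. The header `# 下列四个仅用于审计授权` would also help more if it said why 1-8 are not reused, e.g. `# 下列四个仅用于审计授权：审计策略的被审计方是用户/用户组，而非账号/主机`.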
# =======================================================
# 授权标记


@ -182,6 +182,16 @@ controllers = [
(r'/audit/policies/update', audit.DoUpdatePoliciesHandler),
# - [json] 调整顺序rank
(r'/audit/policy/rank-reorder', audit.DoRankReorderHandler),
# - [json] 获取指定策略中的操作者
(r'/audit/policy/get-auditors', audit.DoGetAuditorsHandler),
# - [json] 获取指定策略中的被授权目标
(r'/audit/policy/get-auditees', audit.DoGetAuditeesHandler),
# - [json] 向指定策略中添加对象(操作者或资产)
(r'/audit/policy/add-members', audit.DoAddMembersHandler),
# - [json] 从指定策略中移除对象(操作者或资产)
(r'/audit/policy/remove-members', audit.DoRemoveMembersHandler),
# - [json] 构建授权映射表
(r'/audit/build-auz-map', audit.DoBuildAuzMapHandler),
#
# - ssh录像回放页面
(r'/audit/replay/(.*)/(.*)', audit.ReplayHandler),


@ -219,6 +219,191 @@ class DoRankReorderHandler(TPBaseJsonHandler):
self.write_json(err)
class DoGetAuditorsHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_AUDIT_AUZ)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
print('---get operator:', args)
sql_filter = {}
sql_order = dict()
sql_order['name'] = 'id'
sql_order['asc'] = True
sql_limit = dict()
sql_limit['page_index'] = 0
sql_limit['per_page'] = 25
try:
tmp = list()
_filter = args['filter']
for i in _filter:
# if i == 'user_id' and _filter[i] == 0:
# tmp.append(i)
# continue
if i == '_name':
if len(_filter[i].strip()) == 0:
tmp.append(i)
for i in tmp:
del _filter[i]
sql_filter.update(_filter)
_limit = args['limit']
if _limit['page_index'] < 0:
_limit['page_index'] = 0
if _limit['per_page'] < 10:
_limit['per_page'] = 10
if _limit['per_page'] > 100:
_limit['per_page'] = 100
sql_limit.update(_limit)
_order = args['order']
if _order is not None:
sql_order['name'] = _order['k']
sql_order['asc'] = _order['v']
except:
return self.write_json(TPE_PARAM)
err, total, page_index, row_data = audit.get_auditors(sql_filter, sql_order, sql_limit)
ret = dict()
ret['page_index'] = page_index
ret['total'] = total
ret['data'] = row_data
self.write_json(err, data=ret)
class DoGetAuditeesHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_AUDIT_AUZ)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
print('---get auditee:', args)
sql_filter = {}
sql_order = dict()
sql_order['name'] = 'id'
sql_order['asc'] = True
sql_limit = dict()
sql_limit['page_index'] = 0
sql_limit['per_page'] = 25
try:
# tmp = list()
# _filter = args['filter']
# for i in _filter:
# # if i == 'user_id' and _filter[i] == 0:
# # tmp.append(i)
# # continue
# if i == '_name':
# if len(_filter[i].strip()) == 0:
# tmp.append(i)
#
# for i in tmp:
# del _filter[i]
sql_filter.update(args['filter'])
_limit = args['limit']
if _limit['page_index'] < 0:
_limit['page_index'] = 0
if _limit['per_page'] < 10:
_limit['per_page'] = 10
if _limit['per_page'] > 100:
_limit['per_page'] = 100
sql_limit.update(_limit)
_order = args['order']
if _order is not None:
sql_order['name'] = _order['k']
sql_order['asc'] = _order['v']
except:
return self.write_json(TPE_PARAM)
err, total, page_index, row_data = audit.get_auditees(sql_filter, sql_order, sql_limit)
ret = dict()
ret['page_index'] = page_index
ret['total'] = total
ret['data'] = row_data
self.write_json(err, data=ret)
class DoAddMembersHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_AUDIT_AUZ)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
policy_id = int(args['policy_id'])
policy_type = int(args['type'])
ref_type = int(args['rtype'])
members = args['members']
except:
log.e('\n')
return self.write_json(TPE_PARAM)
err = audit.add_members(self, policy_id, policy_type, ref_type, members)
self.write_json(err)
class DoRemoveMembersHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_AUDIT_AUZ)
if ret != TPE_OK:
return
args = self.get_argument('args', None)
if args is None:
return self.write_json(TPE_PARAM)
try:
args = json.loads(args)
except:
return self.write_json(TPE_JSON_FORMAT)
try:
policy_id = int(args['policy_id'])
policy_type = int(args['policy_type'])
ids = args['ids']
except:
log.e('\n')
return self.write_json(TPE_PARAM)
err = audit.remove_members(self, policy_id, policy_type, ids)
self.write_json(err)
class RecordHandler(TPBaseHandler):
def get(self):
ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY)
@ -538,3 +723,13 @@ class DoGetFileHandler(TPBaseHandler):
read_this_time = BULK_SIZE if read_left > BULK_SIZE else read_left
# all need data read.
class DoBuildAuzMapHandler(TPBaseJsonHandler):
def post(self):
ret = self.check_privilege(TP_PRIVILEGE_AUDIT_AUZ)
if ret != TPE_OK:
return
err = audit.build_auz_map()
self.write_json(err)
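Review bot: `DoGetAuditeesHandler.post` copies the client-supplied `args['filter']` into `sql_filter` unchanged, while `DoGetAuditorsHandler.post` just above at least drops blank `_name` entries — the same loop is left commented out here instead of being applied or deleted. Both handlers should keep only the filter keys that `audit.get_auditees`/`audit.get_auditors` actually understand (that code is not on this page) and discard the rest, rather than forwarding arbitrary keys toward the SQL builder. The `print('---get operator:', args)` and `print('---get auditee:', args)` lines are leftover debugging that writes request arguments to stdout; route them through the project's `log` module or remove them. The bare `except:` clauses also catch `SystemExit`/`KeyboardInterrupt`; `except (KeyError, TypeError, ValueError):` covers what `json.loads`, `int()` and the dict lookups raise, and `log.e('\n')` in the two members handlers should say what failed, e.g. `log.e('invalid args for add-members: {}\n'.format(args))`.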


@ -212,7 +212,7 @@ def remove_members(handler, policy_id, policy_type, ids):
return TPE_OK
def get_operators(sql_filter, sql_order, sql_limit):
def get_auditors(sql_filter, sql_order, sql_limit):
ss = SQL(get_db())
ss.select_from('audit_auz', ['id', 'policy_id', 'rtype', 'rid', 'name'], alt_name='p')
@ -252,7 +252,7 @@ def get_operators(sql_filter, sql_order, sql_limit):
return TPE_OK, ss.total_count, ss.page_index, ss.recorder
def get_asset(sql_filter, sql_order, sql_limit):
def get_auditees(sql_filter, sql_order, sql_limit):
ss = SQL(get_db())
ss.select_from('audit_auz', ['id', 'policy_id', 'rtype', 'rid', 'name'], alt_name='p')
@ -502,7 +502,7 @@ def build_auz_map():
s = SQL(get_db())
# 加载所有策略
err = s.reset().select_from('ops_policy', ['id', 'rank', 'state'], alt_name='p').query()
err = s.reset().select_from('audit_policy', ['id', 'rank', 'state'], alt_name='p').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
@ -528,14 +528,14 @@ def build_auz_map():
for i in s.recorder:
_hosts[i.id] = i
# 加载所有的账号
err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_accs[i.id] = i
# # 加载所有的账号
# err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
# if err != TPE_OK:
# return err
# if 0 == len(s.recorder):
# return TPE_OK
# for i in s.recorder:
# _accs[i.id] = i
# 加载所有的组
err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query()
@ -563,13 +563,13 @@ def build_auz_map():
# if g.gid not in _ghosts:
# _ghosts[g.gid] = []
_ghosts[g.gid].append(_hosts[g.mid])
elif g.type == TP_GROUP_ACCOUNT:
# if g.gid not in _gaccs:
# _gaccs[g.gid] = []
_gaccs[g.gid].append(_accs[g.mid])
# elif g.type == TP_GROUP_ACCOUNT:
# # if g.gid not in _gaccs:
# # _gaccs[g.gid] = []
# _gaccs[g.gid].append(_accs[g.mid])
# 加载所有策略明细
err = s.reset().select_from('ops_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query()
err = s.reset().select_from('audit_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
@ -751,7 +751,7 @@ def build_auz_map():
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}ops_map'.format(dbtp))
db.exec('DELETE FROM {}audit_map'.format(dbtp))
values = []
for i in _map:
@ -764,7 +764,7 @@ def build_auz_map():
a_name=i.a_name, protocol_type=i.protocol_type, protocol_port=i.protocol_port)
values.append(v)
sql = 'INSERT INTO `{dbtp}ops_map` (uni_id,ua_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,h_state,gh_id,gh_state,a_id,a_state,ga_id,ga_state,' \
sql = 'INSERT INTO `{dbtp}audit_map` (uni_id,ua_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,h_state,gh_id,gh_state,a_id,a_state,ga_id,ga_state,' \
'u_name,u_surname,h_name,ip,router_ip,router_port,a_name,protocol_type,protocol_port) VALUES \n{values};' \
''.format(dbtp=dbtp, values=',\n'.join(values))
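Review bot: The account loading and the `TP_GROUP_ACCOUNT` branch in `build_auz_map` are commented out rather than removed, yet the INSERT at the end still writes `a_id, a_state, ga_id, ga_state, a_name, protocol_type, protocol_port` into `audit_map`; the body between the hunks is not shown, so confirm those fields are still populated for audit policies (whose auditees are users and user groups, per the new constants in this commit) and otherwise drop the columns from the INSERT together with the `_accs`/`_gaccs` dicts. Delete the commented-out blocks instead of keeping them — the history is in git. `build_auz_map` starts and ends outside these hunks.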


@ -297,6 +297,14 @@ def get_groups(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, rtype=gtype))
elif k == 'auditor_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, ptype=TP_POLICY_OPERATOR, rtype=gtype))
elif k == 'auditee_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, ptype=TP_POLICY_ASSET, rtype=gtype))
else:
log.w('unknown exclude field: {}\n'.format(k))
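Review bot: The two new `auditor_policy_id`/`auditee_policy_id` branches interpolate `pid` and `gtype` into the `NOT IN` subquery with `str.format`, the same way the existing `ops_policy_id` branch does; `sql_exclude` is built outside this hunk, so unless every caller already coerces those values with `int()`, a non-numeric value reaches the query text. Coerce at this point — `pid = int(sql_exclude[k]['pid'])` and `gtype = int(sql_exclude[k]['gtype'])` — so a bad value raises `ValueError` in Python instead of becoming part of the SQL. The `auditee_policy_id`/`auditor_policy_id` hunks in `get_hosts` and `get_users` later on this page interpolate `sql_exclude[k]` the same way and need the same coercion. `get_groups` begins before this hunk.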


@ -44,6 +44,8 @@ def get_hosts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
_where.append('h.id NOT IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'.format(get_db().table_prefix, TP_GROUP_HOST, sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append('h.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=get_db().table_prefix, pid=sql_exclude[k], rtype=TP_HOST))
elif k == 'auditee_policy_id':
_where.append('h.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=get_db().table_prefix, pid=sql_exclude[k], ptype=TP_POLICY_ASSET, rtype=TP_HOST))
else:
log.w('unknown exclude field: {}\n'.format(k))


@ -648,6 +648,10 @@ def build_auz_map():
_map = []
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}ops_map'.format(dbtp))
s = SQL(get_db())
# 加载所有策略
@ -897,10 +901,8 @@ def build_auz_map():
_map.append(x)
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}ops_map'.format(dbtp))
if len(_map) == 0:
return TPE_OK
values = []
for i in _map:
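Review bot: Moving `db.exec('DELETE FROM {}ops_map'...)` to the top of `build_auz_map` means any early `return` while policies, users, hosts or groups are loaded (that code is outside these hunks) now leaves `ops_map` empty rather than stale until the next successful rebuild. That is presumably intended for the no-policies case — with the old placement an early `return TPE_OK` on an empty policy list (the audit copy of this function on this page returns early that way) never cleared the map, leaving old grants in force — and an empty map is the fail-closed outcome for a failed load, but the choice deserves a comment above the `db.exec`: `# 先清空映射表：策略全部删除时旧映射也必须失效；加载失败时映射表保持为空（拒绝所有访问）直到下次重建成功`. If a failed rebuild should instead keep the previous map, run the DELETE and the later INSERT inside one transaction so the clear only commits together with the refill.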


@ -129,6 +129,10 @@ def get_users(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
_where.append('u.id NOT IN (SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'.format(dbtp=dbtp, gtype=TP_GROUP_USER, gid=sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append('u.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=dbtp, pid=sql_exclude[k], rtype=TP_USER))
elif k == 'auditor_policy_id':
_where.append('u.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=sql_exclude[k], ptype=TP_POLICY_OPERATOR, rtype=TP_USER))
elif k == 'auditee_policy_id':
_where.append('u.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=sql_exclude[k], ptype=TP_POLICY_ASSET, rtype=TP_USER))
else:
log.w('unknown exclude field: {}\n'.format(k))