github
/
teleport
mirror of https://github.com/tp4a/teleport
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

使用暴力方法解决授权策略映射更新的问题,效率低下但可以工作了。

pull/105/head
Apex Liu 2018-03-22 17:54:40 +08:00
parent 06448a6003
commit 689767c3a7
6 changed files with 656 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
dist/server/script/main.py vendored
View File

@ -566,10 +566,10 @@ class InstallerLinux(InstallerBase):
os.chmod(_d[1], stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
# create symbolic link
os.symlink('/etc/init.d/teleport', '/etc/rc2.d/S50teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc3.d/S50teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc4.d/S50teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc5.d/S50teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc2.d/S95teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc3.d/S95teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc4.d/S95teleport')
os.symlink('/etc/init.d/teleport', '/etc/rc5.d/S95teleport')
def _start_service(self):
cc.v('')
@ -603,6 +603,11 @@ class InstallerLinux(InstallerBase):
utils.remove('/etc/rc3.d/S50teleport')
utils.remove('/etc/rc4.d/S50teleport')
utils.remove('/etc/rc5.d/S50teleport')
# from 3.0.0.3, the start order changed from 50 to 95 for MySQL compatible, because start order of MySQL is 64.
utils.remove('/etc/rc2.d/S95teleport')
utils.remove('/etc/rc3.d/S95teleport')
utils.remove('/etc/rc4.d/S95teleport')
utils.remove('/etc/rc5.d/S95teleport')
def _check_service(self):
cc.v('')

33
server/www/teleport/static/js/user/user-group-list.js
View File

@ -158,7 +158,7 @@ $app.create_controls = function (cb_stack) {
// $app.dom.btn_unlock_group.click(function () {
// $app.on_btn_unlock_group_click();
// });
$app.dom.btn_remove_group.click(function(){
$app.dom.btn_remove_group.click(function () {
$app.on_btn_remove_group_click();
});
@ -274,14 +274,33 @@ $app.on_table_groups_render_created = function (render) {
if (_.isUndefined(fields.members))
return '';
console.log(fields.members);
var ret = [];
for (var i = 0; i < fields.members.length; ++i) {
ret.push('<div class="user-info-wrap"><div class="user-info" title="' + fields.members[i].account + '\n' + fields.members[i].email + '">');
// ret.push('<i class="fa fa-vcard-o"></i> ' + fields.members[i].surname);
ret.push(fields.members[i].surname);
// ret.push('<span class="user-account">'+fields.members[i].account+'</span>');
// ret.push('<span class="user-email">' + fields.members[i].account + '&lt;' + fields.members[i].email + '&gt;</span>');
var surname = fields.members[i].surname;
var email = fields.members[i].email;
if (email.length !== 0) {
email = '&lt;' + email + '&gt;';
}
var u_info = '账号:' + fields.members[i].username;
if (email.length > 0)
u_info += '\n邮箱' + email;
if (surname.length === 0) {
surname = fields.members[i].username;
}
ret.push('<div class="user-info-wrap"><div class="user-info" title="' + u_info + '">');
ret.push(surname);
ret.push('</div></div>');
// ret.push('<div class="user-info-wrap"><div class="user-info" title="' + fields.members[i].username + '\n' + fields.members[i].email + '">');
// // ret.push('<i class="fa fa-vcard-o"></i> ' + fields.members[i].surname);
// ret.push(fields.members[i].surname);
// // ret.push('<span class="user-account">'+fields.members[i].account+'</span>');
// // ret.push('<span class="user-email">' + fields.members[i].account + '&lt;' + fields.members[i].email + '&gt;</span>');
// ret.push('</div></div>');
}
if (fields.member_count > 5) {
@ -440,7 +459,7 @@ $app.on_btn_remove_group_click = function (_row_id) {
var cb_stack = CALLBACK_STACK.create();
var _msg_remove = '您确定要移除此用户组吗?';
if(group_list.length > 1)
if (group_list.length > 1)
_msg_remove = '您确定要移除选定的 <strong>' + group_list.length + '个</strong> 用户组吗?';
$tp.dlg_confirm(cb_stack, {
msg: '<div class="alert alert-danger"><p><strong>注意:删除操作不可恢复!!</strong></p><p>删除用户组将同时删除所有分配给此用户组的授权!</p></div><div class="alert alert-info">删除用户组不会删除组内的用户账号!</div><p>' + _msg_remove + '</p>',

10
server/www/teleport/webroot/app/model/audit.py
View File

@ -4,6 +4,7 @@ from app.const import *
from app.base.logger import log
from app.base.db import get_db, SQL
from app.model import syslog
from app.model import policy
from app.base.utils import AttrDict, tp_timestamp_utc_now
@ -193,7 +194,8 @@ def add_members(handler, policy_id, policy_type, ref_type, members):
sql.append(str_sql)
if db.transaction(sql):
return TPE_OK
# return TPE_OK
return policy.rebuild_audit_auz_map()
else:
return TPE_DATABASE
@ -209,7 +211,8 @@ def remove_members(handler, policy_id, policy_type, ids):
if err != TPE_OK:
return err
return TPE_OK
# return TPE_OK
return policy.rebuild_audit_auz_map()
def get_auditors(sql_filter, sql_order, sql_limit):
@ -328,7 +331,8 @@ def rank_reorder(handler, pid, new_rank, start_rank, end_rank, direct):
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "调整审计授权策略顺序:{},从{}{}".format(p_name, p_rank, new_rank))
return TPE_OK
# return TPE_OK
return policy.rebuild_audit_auz_map()
def get_auth(auth_id):

14
server/www/teleport/webroot/app/model/group.py
View File

@ -5,6 +5,7 @@ from app.base.logger import log
from app.base.db import get_db, SQL
from app.base.utils import tp_timestamp_utc_now
from app.model import syslog
from app.model import policy
def create(handler, gtype, name, desc):
@ -189,21 +190,12 @@ def add_members(gtype, gid, members):
db = get_db()
# 1. 获取与此组相关的运维授权策略
s = SQL(get_db())
s.select_from('ops_auz', ['id', 'policy_id', 'type', 'state'], alt_name='oa')
s.where('`rtype`={gtype} AND `gid`={gid}'.format(gtype=gtype, gid=gid))
err = s.query()
if err != TPE_OK:
return err
if s.total_count > 0:
pass
sql = []
for uid in members:
sql.append('INSERT INTO `{}group_map` (`type`, `gid`, `mid`) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid))
if db.transaction(sql):
return TPE_OK
#return TPE_OK
return policy.rebuild_auz_map()
else:
return TPE_DATABASE

13
server/www/teleport/webroot/app/model/ops.py
View File

@ -6,6 +6,7 @@ from app.const import *
from app.base.logger import log
from app.base.db import get_db, SQL
from app.model import syslog
from app.model import policy
from app.base.utils import AttrDict, tp_timestamp_utc_now
@ -206,9 +207,6 @@ def add_members(handler, policy_id, policy_type, ref_type, members):
_time_now = tp_timestamp_utc_now()
sql = []
# for uid in members:
# sql.append('INSERT INTO `{}group_map` (type, gid, mid) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid))
# print(args['members'])
for m in members:
if m['id'] in exists_ids:
continue
@ -221,7 +219,8 @@ def add_members(handler, policy_id, policy_type, ref_type, members):
sql.append(str_sql)
if db.transaction(sql):
return TPE_OK
# return TPE_OK
return policy.rebuild_ops_auz_map()
else:
return TPE_DATABASE
@ -237,7 +236,8 @@ def remove_members(handler, policy_id, policy_type, ids):
if err != TPE_OK:
return err
return TPE_OK
#return TPE_OK
return policy.rebuild_ops_auz_map()
def set_flags(self, policy_id, flag_record, flag_rdp, flag_ssh):
@ -477,7 +477,8 @@ def rank_reorder(handler, pid, new_rank, start_rank, end_rank, direct):
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "调整运维授权策略顺序:{},从{}{}".format(p_name, p_rank, new_rank))
return TPE_OK
return policy.rebuild_ops_auz_map()
# return TPE_OK
def get_auth(auth_id):

604
server/www/teleport/webroot/app/model/policy.py Normal file
View File

@ -0,0 +1,604 @@
# -*- coding: utf-8 -*-
from app.const import *
from app.base.logger import log
from app.base.db import get_db, SQL
from app.model import syslog
from app.base.utils import AttrDict, tp_timestamp_utc_now
def rebuild_ops_auz_map():
_users = {}
_hosts = {}
_accs = {}
_gusers = {}
_ghosts = {}
_gaccs = {}
_groups = {}
_policies = {}
_p_users = {}
_p_assets = {}
_map = []
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}ops_map'.format(dbtp))
s = SQL(get_db())
# 加载所有策略
err = s.reset().select_from('ops_policy', ['id', 'rank', 'state'], alt_name='p').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_policies[i.id] = i
# 加载所有的用户
err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'], alt_name='u').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_users[i.id] = i
# 加载所有的主机
err = s.reset().select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_hosts[i.id] = i
# 加载所有的账号
err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_accs[i.id] = i
# 加载所有的组
err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query()
if err != TPE_OK:
return err
for i in s.recorder:
_groups[i.id] = i
if i.type == TP_GROUP_USER:
_gusers[i.id] = []
elif i.type == TP_GROUP_HOST:
_ghosts[i.id] = []
elif i.type == TP_GROUP_ACCOUNT:
_gaccs[i.id] = []
# 加载所有的组
err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'], alt_name='g').query()
if err != TPE_OK:
return err
for g in s.recorder:
if g.type == TP_GROUP_USER:
# if g.gid not in _gusers:
# _gusers[g.gid] = []
_gusers[g.gid].append(_users[g.mid])
elif g.type == TP_GROUP_HOST:
# if g.gid not in _ghosts:
# _ghosts[g.gid] = []
_ghosts[g.gid].append(_hosts[g.mid])
elif g.type == TP_GROUP_ACCOUNT:
# if g.gid not in _gaccs:
# _gaccs[g.gid] = []
_gaccs[g.gid].append(_accs[g.mid])
# 加载所有策略明细
err = s.reset().select_from('ops_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
# 分解各个策略中操作者和被操作资产的信息
for i in s.recorder:
if i.type == TP_POLICY_OPERATOR:
if i.policy_id not in _p_users:
_p_users[i.policy_id] = []
if i.rtype == TP_USER:
u = _users[i.rid]
_p_users[i.policy_id].append({
'u_id': i.rid,
'u_state': u.state,
'gu_id': 0,
'gu_state': 0,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'USER'
})
elif i.rtype == TP_GROUP_USER:
for u in _gusers[i.rid]:
_p_users[i.policy_id].append({
'u_id': u.id,
'u_state': u.state,
'gu_id': i.rid,
'gu_state': _groups[i.rid].state,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'gUSER'
})
else:
log.e('invalid operator type.\n')
return TPE_FAILED
elif i.type == TP_POLICY_ASSET:
if i.policy_id not in _p_assets:
_p_assets[i.policy_id] = []
if i.rtype == TP_ACCOUNT:
a = _accs[i.rid]
h = _hosts[a.host_id]
_p_assets[i.policy_id].append({
'a_id': i.rid,
'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
'h_state': h.state,
'gh_id': 0,
'gh_state': 0,
'a_name': a.username,
'protocol_type': a.protocol_type,
'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'ACC'
})
elif i.rtype == TP_GROUP_ACCOUNT:
for a in _gaccs[i.rid]:
h = _hosts[a.host_id]
_p_assets[i.policy_id].append({
'a_id': a.id,
'a_state': a.state,
'ga_id': i.rid,
'ga_state': _groups[i.rid].state,
'h_id': h.id,
'h_state': h.state,
'gh_id': 0,
'gh_state': 0,
'a_name': a.username,
'protocol_type': a.protocol_type,
'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'gACC'
})
elif i.rtype == TP_HOST:
for aid in _accs:
if _accs[aid].host_id == i.rid:
a = _accs[aid]
h = _hosts[i.rid]
_p_assets[i.policy_id].append({
'a_id': aid,
'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
'h_state': h.state,
'gh_id': 0,
'gh_state': 0,
'a_name': a.username,
'protocol_type': a.protocol_type,
'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'HOST'
})
elif i.rtype == TP_GROUP_HOST:
for h in _ghosts[i.rid]:
for aid in _accs:
if _accs[aid].host_id == h.id:
a = _accs[aid]
_p_assets[i.policy_id].append({
'a_id': aid,
'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
'h_state': h.state,
'gh_id': i.rid,
'gh_state': _groups[i.rid].state,
'a_name': a.username,
'protocol_type': a.protocol_type,
'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'gHOST'
})
else:
log.e('invalid asset type.\n')
return TPE_FAILED
else:
return TPE_FAILED
# 3. 建立所有一一对应的映射关系
for pid in _policies:
if pid not in _p_users:
continue
for u in _p_users[pid]:
if pid not in _p_assets:
continue
for a in _p_assets[pid]:
x = AttrDict()
x.update({
'p_id': pid,
'p_rank': _policies[pid].rank,
'p_state': _policies[pid].state
})
x.update(u)
x.update(a)
x.uni_id = '{}-{}-{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id, x.gh_id, x.h_id, x.ga_id, x.a_id)
x.ua_id = 'u{}-a{}'.format(x.u_id, x.a_id)
x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN
if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC':
x.policy_auth_type = TP_POLICY_AUTH_USER_ACC
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC':
x.policy_auth_type = TP_POLICY_AUTH_USER_gACC
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_HOST
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST
_map.append(x)
if len(_map) == 0:
return TPE_OK
values = []
for i in _map:
v = '("{uni_id}","{ua_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{h_state},{gh_id},{gh_state},{a_id},{a_state},{ga_id},{ga_state},' \
'"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port},"{a_name}",{protocol_type},{protocol_port})' \
''.format(uni_id=i.uni_id, ua_id=i.ua_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type,
u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id, h_state=i.h_state,
gh_id=i.gh_id, gh_state=i.gh_state, a_id=i.a_id, a_state=i.a_state, ga_id=i.ga_id, ga_state=i.ga_state,
u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port,
a_name=i.a_name, protocol_type=i.protocol_type, protocol_port=i.protocol_port)
values.append(v)
sql = 'INSERT INTO `{dbtp}ops_map` (uni_id,ua_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,h_state,gh_id,gh_state,a_id,a_state,ga_id,ga_state,' \
'u_name,u_surname,h_name,ip,router_ip,router_port,a_name,protocol_type,protocol_port) VALUES \n{values};' \
''.format(dbtp=dbtp, values=',\n'.join(values))
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE
return TPE_OK
def rebuild_audit_auz_map():
_users = {}
_hosts = {}
# _accs = {}
_gusers = {}
_ghosts = {}
# _gaccs = {}
_groups = {}
_policies = {}
_p_users = {}
_p_assets = {}
_map = []
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}audit_map'.format(dbtp))
s = SQL(get_db())
# 加载所有策略
err = s.reset().select_from('audit_policy', ['id', 'rank', 'state'], alt_name='p').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_policies[i.id] = i
# 加载所有的用户
err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'], alt_name='u').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_users[i.id] = i
# 加载所有的主机
err = s.reset().select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_hosts[i.id] = i
# # 加载所有的账号
# err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
# if err != TPE_OK:
# return err
# if 0 == len(s.recorder):
# return TPE_OK
# for i in s.recorder:
# _accs[i.id] = i
# 加载所有的组
err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query()
if err != TPE_OK:
return err
for i in s.recorder:
_groups[i.id] = i
if i.type == TP_GROUP_USER:
_gusers[i.id] = []
elif i.type == TP_GROUP_HOST:
_ghosts[i.id] = []
# elif i.type == TP_GROUP_ACCOUNT:
# _gaccs[i.id] = []
# 加载所有的组
err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'], alt_name='g').query()
if err != TPE_OK:
return err
for g in s.recorder:
if g.type == TP_GROUP_USER:
# if g.gid not in _gusers:
# _gusers[g.gid] = []
_gusers[g.gid].append(_users[g.mid])
elif g.type == TP_GROUP_HOST:
# if g.gid not in _ghosts:
# _ghosts[g.gid] = []
_ghosts[g.gid].append(_hosts[g.mid])
# elif g.type == TP_GROUP_ACCOUNT:
# # if g.gid not in _gaccs:
# # _gaccs[g.gid] = []
# _gaccs[g.gid].append(_accs[g.mid])
# 加载所有策略明细
err = s.reset().select_from('audit_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
# 分解各个策略中操作者和被操作资产的信息
for i in s.recorder:
if i.type == TP_POLICY_OPERATOR:
if i.policy_id not in _p_users:
_p_users[i.policy_id] = []
if i.rtype == TP_USER:
u = _users[i.rid]
_p_users[i.policy_id].append({
'u_id': i.rid,
'u_state': u.state,
'gu_id': 0,
'gu_state': 0,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'USER'
})
elif i.rtype == TP_GROUP_USER:
for u in _gusers[i.rid]:
_p_users[i.policy_id].append({
'u_id': u.id,
'u_state': u.state,
'gu_id': i.rid,
'gu_state': _groups[i.rid].state,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'gUSER'
})
else:
log.e('invalid operator type.\n')
return TPE_FAILED
elif i.type == TP_POLICY_ASSET:
if i.policy_id not in _p_assets:
_p_assets[i.policy_id] = []
# if i.rtype == TP_ACCOUNT:
# a = _accs[i.rid]
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': i.rid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'ACC'
# })
# elif i.rtype == TP_GROUP_ACCOUNT:
# for a in _gaccs[i.rid]:
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': a.id,
# 'a_state': a.state,
# 'ga_id': i.rid,
# 'ga_state': _groups[i.rid].state,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'gACC'
# })
# el
if i.rtype == TP_HOST:
# for aid in _accs:
# if _accs[aid].host_id == i.rid:
# a = _accs[aid]
h = _hosts[i.rid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': h.protocol_type,
# 'protocol_port': h.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'HOST'
})
elif i.rtype == TP_GROUP_HOST:
for h in _ghosts[i.rid]:
# for aid in _accs:
# if _accs[aid].host_id == h.id:
# a = _accs[aid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': i.rid,
# 'gh_state': _groups[i.rid].state,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'gHOST'
})
else:
log.e('invalid asset type.\n')
return TPE_FAILED
else:
return TPE_FAILED
# 3. 建立所有一一对应的映射关系
for pid in _policies:
if pid not in _p_users:
continue
for u in _p_users[pid]:
if pid not in _p_assets:
continue
for a in _p_assets[pid]:
x = AttrDict()
x.update({
'p_id': pid,
'p_rank': _policies[pid].rank,
'p_state': _policies[pid].state
})
x.update(u)
x.update(a)
x.uni_id = '{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id, x.gh_id, x.h_id)
x.uh_id = 'u{}-h{}'.format(x.u_id, x.h_id)
x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN
# if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_ACC
# elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_gACC
# el
if u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_HOST
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST
else:
log.w('invalid policy data.\n')
continue
_map.append(x)
if len(_map) == 0:
return TPE_OK
values = []
for i in _map:
v = '("{uni_id}","{uh_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{gh_id},' \
'"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port})' \
''.format(uni_id=i.uni_id, uh_id=i.uh_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type,
u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id,gh_id=i.gh_id,
u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port)
values.append(v)
sql = 'INSERT INTO `{dbtp}audit_map` (uni_id,uh_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,gh_id,' \
'u_name,u_surname,h_name,ip,router_ip,router_port) VALUES \n{values};' \
''.format(dbtp=dbtp, values=',\n'.join(values))
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE
return TPE_OK
def rebuild_auz_map():
ret = rebuild_ops_auz_map()
if ret != TPE_OK:
return ret
return rebuild_audit_auz_map()