diff --git a/dist/server/script/main.py b/dist/server/script/main.py index 710c67d..f3e0c3e 100644 --- a/dist/server/script/main.py +++ b/dist/server/script/main.py @@ -566,10 +566,10 @@ class InstallerLinux(InstallerBase): os.chmod(_d[1], stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH) # create symbolic link - os.symlink('/etc/init.d/teleport', '/etc/rc2.d/S50teleport') - os.symlink('/etc/init.d/teleport', '/etc/rc3.d/S50teleport') - os.symlink('/etc/init.d/teleport', '/etc/rc4.d/S50teleport') - os.symlink('/etc/init.d/teleport', '/etc/rc5.d/S50teleport') + os.symlink('/etc/init.d/teleport', '/etc/rc2.d/S95teleport') + os.symlink('/etc/init.d/teleport', '/etc/rc3.d/S95teleport') + os.symlink('/etc/init.d/teleport', '/etc/rc4.d/S95teleport') + os.symlink('/etc/init.d/teleport', '/etc/rc5.d/S95teleport') def _start_service(self): cc.v('') @@ -603,6 +603,11 @@ class InstallerLinux(InstallerBase): utils.remove('/etc/rc3.d/S50teleport') utils.remove('/etc/rc4.d/S50teleport') utils.remove('/etc/rc5.d/S50teleport') + # from 3.0.0.3, the start order changed from 50 to 95 for MySQL compatible, because start order of MySQL is 64. + utils.remove('/etc/rc2.d/S95teleport') + utils.remove('/etc/rc3.d/S95teleport') + utils.remove('/etc/rc4.d/S95teleport') + utils.remove('/etc/rc5.d/S95teleport') def _check_service(self): cc.v('') diff --git a/server/www/teleport/static/js/user/user-group-list.js b/server/www/teleport/static/js/user/user-group-list.js index 19da6bf..5c6acd6 100644 --- a/server/www/teleport/static/js/user/user-group-list.js +++ b/server/www/teleport/static/js/user/user-group-list.js @@ -158,7 +158,7 @@ $app.create_controls = function (cb_stack) { // $app.dom.btn_unlock_group.click(function () { // $app.on_btn_unlock_group_click(); // }); - $app.dom.btn_remove_group.click(function(){ + $app.dom.btn_remove_group.click(function () { $app.on_btn_remove_group_click(); }); 
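Review bot: The reason for the new S95 start order is documented only in the uninstall hunk (@@ -603), not where the links are created, so the install site should carry the same note, e.g. `# start order 95 (was 50) so teleport starts after MySQL, whose SysV start order is 64`, or the next reader will "fix" it back to 50. `os.symlink` raises `FileExistsError` when the link path already exists, so re-running the installer over an existing install of this version will fail at the first `/etc/rc2.d/S95teleport` unless something earlier removes it; whether the uninstall path runs first is not visible in this hunk. Guarding each call with `utils.remove(...)` before the `os.symlink(...)`, as the uninstall hunk already does for both the S50 and S95 names, would make the step idempotent. The enclosing method starts outside the hunk.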
@@ -274,14 +274,33 @@ $app.on_table_groups_render_created = function (render) { if (_.isUndefined(fields.members)) return ''; + console.log(fields.members); + var ret = []; for (var i = 0; i < fields.members.length; ++i) { - ret.push('
注意:删除操作不可恢复!!
删除用户组将同时删除所有分配给此用户组的授权!
' + _msg_remove + '
', diff --git a/server/www/teleport/webroot/app/model/audit.py b/server/www/teleport/webroot/app/model/audit.py index 2291d37..b0527e2 100644 --- a/server/www/teleport/webroot/app/model/audit.py +++ b/server/www/teleport/webroot/app/model/audit.py @@ -4,6 +4,7 @@ from app.const import * from app.base.logger import log from app.base.db import get_db, SQL from app.model import syslog +from app.model import policy from app.base.utils import AttrDict, tp_timestamp_utc_now @@ -193,7 +194,8 @@ def add_members(handler, policy_id, policy_type, ref_type, members): sql.append(str_sql) if db.transaction(sql): - return TPE_OK + # return TPE_OK + return policy.rebuild_audit_auz_map() else: return TPE_DATABASE @@ -209,7 +211,8 @@ def remove_members(handler, policy_id, policy_type, ids): if err != TPE_OK: return err - return TPE_OK + # return TPE_OK + return policy.rebuild_audit_auz_map() def get_auditors(sql_filter, sql_order, sql_limit): @@ -328,7 +331,8 @@ def rank_reorder(handler, pid, new_rank, start_rank, end_rank, direct): syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "调整审计授权策略顺序:{},从{}到{}".format(p_name, p_rank, new_rank)) - return TPE_OK + # return TPE_OK + return policy.rebuild_audit_auz_map() def get_auth(auth_id): diff --git a/server/www/teleport/webroot/app/model/group.py b/server/www/teleport/webroot/app/model/group.py index 1992865..9e4cfc9 100644 --- a/server/www/teleport/webroot/app/model/group.py +++ b/server/www/teleport/webroot/app/model/group.py @@ -5,6 +5,7 @@ from app.base.logger import log from app.base.db import get_db, SQL from app.base.utils import tp_timestamp_utc_now from app.model import syslog +from app.model import policy def create(handler, gtype, name, desc): 
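Review bot: `console.log(fields.members);` on the new side of @@ -274 is a debugging statement left inside the table render callback; it dumps every group's member list to the browser console each time the rows are rendered and should be deleted before merge. The data is the same the row itself displays, so this is a cleanliness issue rather than a disclosure, but it also hides real console output during support sessions. The hunk is collapsed in this view and the remainder of the rendering change is not legible; the enclosing callback starts outside the hunk.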
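Review bot: The membership insert is committed by `db.transaction(sql)` and only then is `policy.rebuild_audit_auz_map()` called, so when the rebuild fails the caller gets an error although the membership change has already persisted and the rebuild's leading DELETE has already cleared the map; the caller cannot tell which step failed and the error code conflates the two. The same pattern is in @@ -209 and @@ -328 here, in group.py @@ -189, and in ops.py @@ -221, @@ -237 and @@ -477; in both rank_reorder hunks `syslog.sys_log(..., TPE_OK, ...)` has already recorded a successful reorder before the rebuild runs, so a failed rebuild is logged as success. Capture the result before logging it, e.g. `ret = policy.rebuild_audit_auz_map()` / `syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, ret, ...)` / `return ret`, or at least log the rebuild failure separately. The commented-out `# return TPE_OK` lines are leftovers that should be deleted rather than kept beside the new return (in ops.py @@ -477 the comment even follows the `return`). The enclosing functions start outside each hunk.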
@@ -189,21 +190,12 @@ def add_members(gtype, gid, members): db = get_db() - # 1. 获取与此组相关的运维授权策略 - s = SQL(get_db()) - s.select_from('ops_auz', ['id', 'policy_id', 'type', 'state'], alt_name='oa') - s.where('`rtype`={gtype} AND `gid`={gid}'.format(gtype=gtype, gid=gid)) - err = s.query() - if err != TPE_OK: - return err - if s.total_count > 0: - pass - sql = [] for uid in members: sql.append('INSERT INTO `{}group_map` (`type`, `gid`, `mid`) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid)) if db.transaction(sql): - return TPE_OK + #return TPE_OK + return policy.rebuild_auz_map() else: return TPE_DATABASE diff --git a/server/www/teleport/webroot/app/model/ops.py b/server/www/teleport/webroot/app/model/ops.py index 249e019..fe6a815 100644 --- a/server/www/teleport/webroot/app/model/ops.py +++ b/server/www/teleport/webroot/app/model/ops.py @@ -6,6 +6,7 @@ from app.const import * from app.base.logger import log from app.base.db import get_db, SQL from app.model import syslog +from app.model import policy from app.base.utils import AttrDict, tp_timestamp_utc_now @@ -206,9 +207,6 @@ def add_members(handler, policy_id, policy_type, ref_type, members): _time_now = tp_timestamp_utc_now() sql = [] - # for uid in members: - # sql.append('INSERT INTO `{}group_map` (type, gid, mid) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid)) - # print(args['members']) for m in members: if m['id'] in exists_ids: continue @@ -221,7 +219,8 @@ def add_members(handler, policy_id, policy_type, ref_type, members): sql.append(str_sql) if db.transaction(sql): - return TPE_OK + # return TPE_OK + return policy.rebuild_ops_auz_map() else: return TPE_DATABASE @@ -237,7 +236,8 @@ def remove_members(handler, policy_id, policy_type, ids): if err != TPE_OK: return err - return TPE_OK + #return TPE_OK + return policy.rebuild_ops_auz_map() def set_flags(self, policy_id, flag_record, flag_rdp, flag_ssh): 
@@ -477,7 +477,8 @@ def rank_reorder(handler, pid, new_rank, start_rank, end_rank, direct): syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "调整运维授权策略顺序:{},从{}到{}".format(p_name, p_rank, new_rank)) - return TPE_OK + return policy.rebuild_ops_auz_map() + # return TPE_OK def get_auth(auth_id): diff --git a/server/www/teleport/webroot/app/model/policy.py b/server/www/teleport/webroot/app/model/policy.py new file mode 100644 index 0000000..8b0efe8 --- /dev/null +++ b/server/www/teleport/webroot/app/model/policy.py 
@@ -0,0 +1,604 @@ +# -*- coding: utf-8 -*- + +from app.const import * +from app.base.logger import log +from app.base.db import get_db, SQL +from app.model import syslog +from app.base.utils import AttrDict, tp_timestamp_utc_now + + +def rebuild_ops_auz_map(): + _users = {} + _hosts = {} + _accs = {} + _gusers = {} + _ghosts = {} + _gaccs = {} + _groups = {} + _policies = {} + + _p_users = {} + _p_assets = {} + + _map = [] + + db = get_db() + dbtp = db.table_prefix + db.exec('DELETE FROM {}ops_map'.format(dbtp)) + + s = SQL(get_db()) + + # 加载所有策略 + err = s.reset().select_from('ops_policy', ['id', 'rank', 'state'], alt_name='p').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _policies[i.id] = i + + # 加载所有的用户 + err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'], alt_name='u').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _users[i.id] = i + + # 加载所有的主机 + err = s.reset().select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _hosts[i.id] = i + + # 加载所有的账号 + err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _accs[i.id] = i + + # 加载所有的组 + err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query() + if err != TPE_OK: + return err + for i in s.recorder: + _groups[i.id] = i + if i.type == TP_GROUP_USER: + _gusers[i.id] = [] + elif i.type == TP_GROUP_HOST: + _ghosts[i.id] = [] + elif i.type == TP_GROUP_ACCOUNT: + _gaccs[i.id] = [] + + # 加载所有的组 + err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'], alt_name='g').query() + if err != TPE_OK: + return err 
+ for g in s.recorder: + if g.type == TP_GROUP_USER: + # if g.gid not in _gusers: + # _gusers[g.gid] = [] + _gusers[g.gid].append(_users[g.mid]) + elif g.type == TP_GROUP_HOST: + # if g.gid not in _ghosts: + # _ghosts[g.gid] = [] + _ghosts[g.gid].append(_hosts[g.mid]) + elif g.type == TP_GROUP_ACCOUNT: + # if g.gid not in _gaccs: + # _gaccs[g.gid] = [] + _gaccs[g.gid].append(_accs[g.mid]) + + # 加载所有策略明细 + err = s.reset().select_from('ops_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + + # 分解各个策略中操作者和被操作资产的信息 + for i in s.recorder: + if i.type == TP_POLICY_OPERATOR: + + if i.policy_id not in _p_users: + _p_users[i.policy_id] = [] + + if i.rtype == TP_USER: + u = _users[i.rid] + _p_users[i.policy_id].append({ + 'u_id': i.rid, + 'u_state': u.state, + 'gu_id': 0, + 'gu_state': 0, + 'u_name': u.username, + 'u_surname': u.surname, + 'auth_from_': 'USER' + }) + elif i.rtype == TP_GROUP_USER: + for u in _gusers[i.rid]: + _p_users[i.policy_id].append({ + 'u_id': u.id, + 'u_state': u.state, + 'gu_id': i.rid, + 'gu_state': _groups[i.rid].state, + 'u_name': u.username, + 'u_surname': u.surname, + 'auth_from_': 'gUSER' + }) + else: + log.e('invalid operator type.\n') + return TPE_FAILED + + elif i.type == TP_POLICY_ASSET: + + if i.policy_id not in _p_assets: + _p_assets[i.policy_id] = [] + + if i.rtype == TP_ACCOUNT: + a = _accs[i.rid] + h = _hosts[a.host_id] + _p_assets[i.policy_id].append({ + 'a_id': i.rid, + 'a_state': a.state, + 'ga_id': 0, + 'ga_state': 0, + 'h_id': h.id, + 'h_state': h.state, + 'gh_id': 0, + 'gh_state': 0, + 'a_name': a.username, + 'protocol_type': a.protocol_type, + 'protocol_port': a.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'ACC' + }) + elif i.rtype == TP_GROUP_ACCOUNT: + for a in _gaccs[i.rid]: + h = _hosts[a.host_id] + _p_assets[i.policy_id].append({ + 'a_id': a.id, + 
'a_state': a.state, + 'ga_id': i.rid, + 'ga_state': _groups[i.rid].state, + 'h_id': h.id, + 'h_state': h.state, + 'gh_id': 0, + 'gh_state': 0, + 'a_name': a.username, + 'protocol_type': a.protocol_type, + 'protocol_port': a.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'gACC' + }) + elif i.rtype == TP_HOST: + for aid in _accs: + if _accs[aid].host_id == i.rid: + a = _accs[aid] + h = _hosts[i.rid] + _p_assets[i.policy_id].append({ + 'a_id': aid, + 'a_state': a.state, + 'ga_id': 0, + 'ga_state': 0, + 'h_id': h.id, + 'h_state': h.state, + 'gh_id': 0, + 'gh_state': 0, + 'a_name': a.username, + 'protocol_type': a.protocol_type, + 'protocol_port': a.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'HOST' + }) + elif i.rtype == TP_GROUP_HOST: + for h in _ghosts[i.rid]: + for aid in _accs: + if _accs[aid].host_id == h.id: + a = _accs[aid] + _p_assets[i.policy_id].append({ + 'a_id': aid, + 'a_state': a.state, + 'ga_id': 0, + 'ga_state': 0, + 'h_id': h.id, + 'h_state': h.state, + 'gh_id': i.rid, + 'gh_state': _groups[i.rid].state, + 'a_name': a.username, + 'protocol_type': a.protocol_type, + 'protocol_port': a.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'gHOST' + }) + else: + log.e('invalid asset type.\n') + return TPE_FAILED + + else: + return TPE_FAILED + + # 3. 
建立所有一一对应的映射关系 + for pid in _policies: + if pid not in _p_users: + continue + for u in _p_users[pid]: + if pid not in _p_assets: + continue + for a in _p_assets[pid]: + x = AttrDict() + x.update({ + 'p_id': pid, + 'p_rank': _policies[pid].rank, + 'p_state': _policies[pid].state + }) + x.update(u) + x.update(a) + + x.uni_id = '{}-{}-{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id, x.gh_id, x.h_id, x.ga_id, x.a_id) + x.ua_id = 'u{}-a{}'.format(x.u_id, x.a_id) + + x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN + if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC': + x.policy_auth_type = TP_POLICY_AUTH_USER_ACC + elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC': + x.policy_auth_type = TP_POLICY_AUTH_USER_gACC + elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST': + x.policy_auth_type = TP_POLICY_AUTH_USER_HOST + elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST': + x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST + + _map.append(x) + + if len(_map) == 0: + return TPE_OK + + values = [] + for i in _map: + v = '("{uni_id}","{ua_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{h_state},{gh_id},{gh_state},{a_id},{a_state},{ga_id},{ga_state},' \ + '"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port},"{a_name}",{protocol_type},{protocol_port})' \ + ''.format(uni_id=i.uni_id, ua_id=i.ua_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type, + u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, 
h_id=i.h_id, h_state=i.h_state, + gh_id=i.gh_id, gh_state=i.gh_state, a_id=i.a_id, a_state=i.a_state, ga_id=i.ga_id, ga_state=i.ga_state, + u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port, + a_name=i.a_name, protocol_type=i.protocol_type, protocol_port=i.protocol_port) + values.append(v) + + sql = 'INSERT INTO `{dbtp}ops_map` (uni_id,ua_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,h_state,gh_id,gh_state,a_id,a_state,ga_id,ga_state,' \ + 'u_name,u_surname,h_name,ip,router_ip,router_port,a_name,protocol_type,protocol_port) VALUES \n{values};' \ + ''.format(dbtp=dbtp, values=',\n'.join(values)) + + db_ret = db.exec(sql) + if not db_ret: + return TPE_DATABASE + + return TPE_OK + + +def rebuild_audit_auz_map(): + _users = {} + _hosts = {} + # _accs = {} + _gusers = {} + _ghosts = {} + # _gaccs = {} + _groups = {} + _policies = {} + + _p_users = {} + _p_assets = {} + + _map = [] + + db = get_db() + dbtp = db.table_prefix + db.exec('DELETE FROM {}audit_map'.format(dbtp)) + + s = SQL(get_db()) + + # 加载所有策略 + err = s.reset().select_from('audit_policy', ['id', 'rank', 'state'], alt_name='p').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _policies[i.id] = i + + # 加载所有的用户 + err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'], alt_name='u').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _users[i.id] = i + + # 加载所有的主机 + err = s.reset().select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + for i in s.recorder: + _hosts[i.id] = i + + # # 加载所有的账号 + # err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query() + # if err != TPE_OK: + # 
return err + # if 0 == len(s.recorder): + # return TPE_OK + # for i in s.recorder: + # _accs[i.id] = i + + # 加载所有的组 + err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query() + if err != TPE_OK: + return err + for i in s.recorder: + _groups[i.id] = i + if i.type == TP_GROUP_USER: + _gusers[i.id] = [] + elif i.type == TP_GROUP_HOST: + _ghosts[i.id] = [] + # elif i.type == TP_GROUP_ACCOUNT: + # _gaccs[i.id] = [] + + # 加载所有的组 + err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'], alt_name='g').query() + if err != TPE_OK: + return err + for g in s.recorder: + if g.type == TP_GROUP_USER: + # if g.gid not in _gusers: + # _gusers[g.gid] = [] + _gusers[g.gid].append(_users[g.mid]) + elif g.type == TP_GROUP_HOST: + # if g.gid not in _ghosts: + # _ghosts[g.gid] = [] + _ghosts[g.gid].append(_hosts[g.mid]) + # elif g.type == TP_GROUP_ACCOUNT: + # # if g.gid not in _gaccs: + # # _gaccs[g.gid] = [] + # _gaccs[g.gid].append(_accs[g.mid]) + + # 加载所有策略明细 + err = s.reset().select_from('audit_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query() + if err != TPE_OK: + return err + if 0 == len(s.recorder): + return TPE_OK + + # 分解各个策略中操作者和被操作资产的信息 + for i in s.recorder: + if i.type == TP_POLICY_OPERATOR: + + if i.policy_id not in _p_users: + _p_users[i.policy_id] = [] + + if i.rtype == TP_USER: + u = _users[i.rid] + _p_users[i.policy_id].append({ + 'u_id': i.rid, + 'u_state': u.state, + 'gu_id': 0, + 'gu_state': 0, + 'u_name': u.username, + 'u_surname': u.surname, + 'auth_from_': 'USER' + }) + elif i.rtype == TP_GROUP_USER: + for u in _gusers[i.rid]: + _p_users[i.policy_id].append({ + 'u_id': u.id, + 'u_state': u.state, + 'gu_id': i.rid, + 'gu_state': _groups[i.rid].state, + 'u_name': u.username, + 'u_surname': u.surname, + 'auth_from_': 'gUSER' + }) + else: + log.e('invalid operator type.\n') + return TPE_FAILED + + elif i.type == TP_POLICY_ASSET: + + if i.policy_id not in _p_assets: + _p_assets[i.policy_id] = [] + + # if 
i.rtype == TP_ACCOUNT: + # a = _accs[i.rid] + # h = _hosts[a.host_id] + # _p_assets[i.policy_id].append({ + # 'a_id': i.rid, + # 'a_state': a.state, + # 'ga_id': 0, + # 'ga_state': 0, + # 'h_id': h.id, + # 'h_state': h.state, + # 'gh_id': 0, + # 'gh_state': 0, + # 'a_name': a.username, + # 'protocol_type': a.protocol_type, + # 'protocol_port': a.protocol_port, + # 'h_name': h.name, + # 'ip': h.ip, + # 'router_ip': h.router_ip, + # 'router_port': h.router_port, + # 'auth_to_': 'ACC' + # }) + # elif i.rtype == TP_GROUP_ACCOUNT: + # for a in _gaccs[i.rid]: + # h = _hosts[a.host_id] + # _p_assets[i.policy_id].append({ + # 'a_id': a.id, + # 'a_state': a.state, + # 'ga_id': i.rid, + # 'ga_state': _groups[i.rid].state, + # 'h_id': h.id, + # 'h_state': h.state, + # 'gh_id': 0, + # 'gh_state': 0, + # 'a_name': a.username, + # 'protocol_type': a.protocol_type, + # 'protocol_port': a.protocol_port, + # 'h_name': h.name, + # 'ip': h.ip, + # 'router_ip': h.router_ip, + # 'router_port': h.router_port, + # 'auth_to_': 'gACC' + # }) + # el + if i.rtype == TP_HOST: + # for aid in _accs: + # if _accs[aid].host_id == i.rid: + # a = _accs[aid] + h = _hosts[i.rid] + _p_assets[i.policy_id].append({ + # 'a_id': aid, + # 'a_state': a.state, + # 'ga_id': 0, + # 'ga_state': 0, + 'h_id': h.id, + # 'h_state': h.state, + 'gh_id': 0, + # 'gh_state': 0, + # 'a_name': a.username, + # 'protocol_type': h.protocol_type, + # 'protocol_port': h.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'HOST' + }) + elif i.rtype == TP_GROUP_HOST: + for h in _ghosts[i.rid]: + # for aid in _accs: + # if _accs[aid].host_id == h.id: + # a = _accs[aid] + _p_assets[i.policy_id].append({ + # 'a_id': aid, + # 'a_state': a.state, + 'ga_id': 0, + 'ga_state': 0, + 'h_id': h.id, + # 'h_state': h.state, + 'gh_id': i.rid, + # 'gh_state': _groups[i.rid].state, + # 'a_name': a.username, + # 'protocol_type': a.protocol_type, + # 'protocol_port': 
a.protocol_port, + 'h_name': h.name, + 'ip': h.ip, + 'router_ip': h.router_ip, + 'router_port': h.router_port, + 'auth_to_': 'gHOST' + }) + else: + log.e('invalid asset type.\n') + return TPE_FAILED + + else: + return TPE_FAILED + + # 3. 建立所有一一对应的映射关系 + for pid in _policies: + if pid not in _p_users: + continue + for u in _p_users[pid]: + if pid not in _p_assets: + continue + for a in _p_assets[pid]: + x = AttrDict() + x.update({ + 'p_id': pid, + 'p_rank': _policies[pid].rank, + 'p_state': _policies[pid].state + }) + x.update(u) + x.update(a) + + x.uni_id = '{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id, x.gh_id, x.h_id) + x.uh_id = 'u{}-h{}'.format(x.u_id, x.h_id) + + x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN + # if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC': + # x.policy_auth_type = TP_POLICY_AUTH_USER_ACC + # elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC': + # x.policy_auth_type = TP_POLICY_AUTH_USER_gACC + # el + if u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST': + x.policy_auth_type = TP_POLICY_AUTH_USER_HOST + elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST': + x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST + # elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC': + # x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC + # elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC': + # x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST + elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST': + x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST + else: + log.w('invalid policy data.\n') + continue + + _map.append(x) + + if len(_map) == 0: + return TPE_OK + + values = [] + for i in _map: + v = '("{uni_id}","{uh_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{gh_id},' \ + '"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port})' \ + 
''.format(uni_id=i.uni_id, uh_id=i.uh_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type, + u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id,gh_id=i.gh_id, + u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port) + values.append(v) + + sql = 'INSERT INTO `{dbtp}audit_map` (uni_id,uh_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,gh_id,' \ + 'u_name,u_surname,h_name,ip,router_ip,router_port) VALUES \n{values};' \ + ''.format(dbtp=dbtp, values=',\n'.join(values)) + + db_ret = db.exec(sql) + if not db_ret: + return TPE_DATABASE + + return TPE_OK + + +def rebuild_auz_map(): + ret = rebuild_ops_auz_map() + if ret != TPE_OK: + return ret + return rebuild_audit_auz_map() +
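Review bot: In both `rebuild_ops_auz_map` and `rebuild_audit_auz_map` the final INSERT is assembled with `str.format`, and `u_name`, `u_surname`, `h_name`, `ip`, `router_ip` and `a_name` are placed inside plain double quotes with no escaping; a stored value containing `"` or `\` breaks the statement at best and, since these are presumably operator-entered names, becomes second-order SQL injection at worst. Bind the row values through the database layer's parameter placeholders if `db.exec` supports them (not visible here), or at minimum escape them before formatting. Separately, `db.exec('DELETE FROM {}ops_map'.format(dbtp))` runs on its own before any data is loaded, so every later `return err` / `return TPE_FAILED`, and any `KeyError` raised by `_users[g.mid]`, `_hosts[a.host_id]` or `_accs[i.rid]` on a dangling group_map or auz row, leaves the map table empty until the next successful rebuild — i.e. one bad row removes all authorizations; deferring the DELETE and issuing it with the INSERT through `db.transaction([delete_sql, insert_sql])` (the helper the other hunks already use) keeps the previous map in place when a rebuild fails. The comment above the group_map load repeats `# 加载所有的组` from the block above it; `# load group membership (group_map)` would describe what it does, and the `syslog` and `tp_timestamp_utc_now` imports are unused in this file.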