diff --git a/server/www/teleport/static/js/system/role.js b/server/www/teleport/static/js/system/role.js index 2f2d1f9..7064210 100644 --- a/server/www/teleport/static/js/system/role.js +++ b/server/www/teleport/static/js/system/role.js @@ -80,7 +80,7 @@ $app.create_controls = function () { }, { t: '审计', i: [ - {n: '审计(回放操作录像)', p: TP_PRIVILEGE_AUDIT_OPS_HISTORY}, + {n: '审计(回放操作录像)', p: TP_PRIVILEGE_AUDIT}, {n: '审计授权管理', p: TP_PRIVILEGE_AUDIT_AUZ}] }, { diff --git a/server/www/teleport/static/js/tp-const.js b/server/www/teleport/static/js/tp-const.js index 555cb7e..5df2d8b 100644 --- a/server/www/teleport/static/js/tp-const.js +++ b/server/www/teleport/static/js/tp-const.js @@ -136,7 +136,7 @@ var TP_PRIVILEGE_OPS_AUZ = 0x00001000;// # 远程主机运维授权管理 var TP_PRIVILEGE_SESSION_BLOCK = 0x00002000;// # 阻断在线会话 var TP_PRIVILEGE_SESSION_VIEW = 0x00004000;// # 查看在线会话 -var TP_PRIVILEGE_AUDIT_OPS_HISTORY = 0x00008000;// # 审计(查看历史会话) +var TP_PRIVILEGE_AUDIT = 0x00008000;// # 审计(查看历史会话) var TP_PRIVILEGE_AUDIT_AUZ = 0x00010000;// # 审计策略授权管理 //var TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000;// # 查看系统日志 @@ -161,7 +161,7 @@ var TP_PRIVILEGES = [ TP_PRIVILEGE_OPS_AUZ, TP_PRIVILEGE_SESSION_BLOCK, TP_PRIVILEGE_SESSION_VIEW, - TP_PRIVILEGE_AUDIT_OPS_HISTORY, + TP_PRIVILEGE_AUDIT, TP_PRIVILEGE_AUDIT_AUZ, //TP_PRIVILEGE_AUDIT_SYSLOG, TP_PRIVILEGE_SYS_ROLE, diff --git a/server/www/teleport/view/_sidebar_nav_menu.mako b/server/www/teleport/view/_sidebar_nav_menu.mako index ced8bc7..ffb4945 100644 --- a/server/www/teleport/view/_sidebar_nav_menu.mako +++ b/server/www/teleport/view/_sidebar_nav_menu.mako @@ -98,7 +98,7 @@ 'name': '审计授权', }, { - 'privilege': const.TP_PRIVILEGE_AUDIT_OPS_HISTORY | const.TP_PRIVILEGE_OPS, + 'privilege': const.TP_PRIVILEGE_AUDIT | const.TP_PRIVILEGE_OPS, 'id': 'record', 'link': '/audit/record', 'name': '会话审计', diff --git a/server/www/teleport/webroot/app/base/database/create.py b/server/www/teleport/webroot/app/base/database/create.py index 1a91b86..de043e9 100644 
--- a/server/www/teleport/webroot/app/base/database/create.py +++ b/server/www/teleport/webroot/app/base/database/create.py @@ -649,22 +649,6 @@ class DatabaseInit: # gh_id: 主机组ID f.append('`gh_id` int(11) DEFAULT 0') - # 后续字段仅用于显示 - - # u_name: 用户登录名 - f.append('`u_name` varchar(32) DEFAULT ""') - # u_surname: 用户姓名 - f.append('`u_surname` varchar(64) DEFAULT ""') - - # h_name: 主机名称 - f.append('`h_name` varchar(64) DEFAULT ""') - # ip: IP地址 - f.append('`ip` varchar(40) NOT NULL') - # router_ip: 路由IP - f.append('`router_ip` varchar(40) DEFAULT ""') - # router_port: 路由端口 - f.append('`router_port` int(11) DEFAULT 0') - self._db_exec( '创建审计授权映射表...', 'CREATE TABLE `{}audit_map` ({});'.format(self.db.table_prefix, ','.join(f)) @@ -813,7 +797,7 @@ class DatabaseInit: privilege_admin = TP_PRIVILEGE_ALL privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS - privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT_OPS_HISTORY + privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT self._db_exec( '创建默认角色', [ diff --git a/server/www/teleport/webroot/app/const.py b/server/www/teleport/webroot/app/const.py index 0c8a700..c029c0f 100644 --- a/server/www/teleport/webroot/app/const.py +++ b/server/www/teleport/webroot/app/const.py @@ -152,7 +152,7 @@ TP_PRIVILEGE_OPS_AUZ = 0x00001000 # 远程主机运维授权管理 TP_PRIVILEGE_SESSION_BLOCK = 0x00002000 # 阻断在线会话 TP_PRIVILEGE_SESSION_VIEW = 0x00004000 # 查看在线会话 -TP_PRIVILEGE_AUDIT_OPS_HISTORY = 0x00008000 # 审计(查看历史会话) +TP_PRIVILEGE_AUDIT = 0x00008000 # 审计(查看历史会话) TP_PRIVILEGE_AUDIT_AUZ = 0x00010000 # 审计策略授权管理 # TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000 # 查看系统日志 diff --git a/server/www/teleport/webroot/app/controller/audit.py b/server/www/teleport/webroot/app/controller/audit.py index 651ffa7..29eb656 100644 --- a/server/www/teleport/webroot/app/controller/audit.py +++ b/server/www/teleport/webroot/app/controller/audit.py 
@@ -17,7 +17,7 @@ def get_free_space_bytes(folder): """ Return folder/drive free space (in bytes) """ try: - total, used, free = shutil.disk_usage(folder) + total, _, free = shutil.disk_usage(folder) return total, free except: return 0, 0 @@ -406,7 +406,7 @@ class DoRemoveMembersHandler(TPBaseJsonHandler): class RecordHandler(TPBaseHandler): def get(self): - ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) + ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT) if ret != TPE_OK: return @@ -426,7 +426,7 @@ class RecordHandler(TPBaseHandler): class DoGetRecordsHandler(TPBaseJsonHandler): def post(self): - ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) + ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT) if ret != TPE_OK: return @@ -482,22 +482,13 @@ class DoGetRecordsHandler(TPBaseJsonHandler): except: return self.write_json(TPE_PARAM) - err, total, row_data = record.get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude) + err, total, row_data = record.get_records(self, sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude) ret = dict() ret['page_index'] = sql_limit['page_index'] ret['total'] = total ret['data'] = row_data self.write_json(err, data=ret) - # err, total, record_list = record.get_records(filter, order, _limit) - # if err != TPE_OK: - # return self.write_json(err) - # ret = dict() - # ret['page_index'] = limit['page_index'] - # ret['total'] = total - # ret['data'] = record_list - # return self.write_json(0, data=ret) - class ReplayHandler(TPBaseHandler): def get(self, protocol, record_id): 
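Review bot: `record.get_records(self, …)` in DoGetRecordsHandler.post hands the whole Tornado handler to the model layer when, judging by the new `get_records` body in record.py, it only needs the current user; passing `self.get_current_user()` and accepting a `user` parameter instead keeps `app.model.record` independent of request handling and testable without a handler instance, e.g. `err, total, row_data = record.get_records(self.get_current_user(), sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude)`. The enclosing `post` method begins before this hunk.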
@@ -530,7 +521,7 @@ class ReplayHandler(TPBaseHandler): class ComandLogHandler(TPBaseHandler): @tornado.gen.coroutine def get(self, protocol, record_id): - ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) + ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT) if ret != TPE_OK: return @@ -599,7 +590,7 @@ class ComandLogHandler(TPBaseHandler): class DoGetRecordHeaderHandler(TPBaseJsonHandler): @tornado.gen.coroutine def post(self): - ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) + ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT) if ret != TPE_OK: return @@ -652,7 +643,7 @@ class DoGetFileHandler(TPBaseHandler): log.v('--{}\n'.format(self.request.uri)) - require_privilege = TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY + require_privilege = TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT # sid = self.get_argument('sid', None) # if sid is None: diff --git a/server/www/teleport/webroot/app/model/record.py b/server/www/teleport/webroot/app/model/record.py index 18bfb3f..859dda0 100644 --- a/server/www/teleport/webroot/app/model/record.py +++ b/server/www/teleport/webroot/app/model/record.py 
@@ -14,7 +14,52 @@ from app.base.utils import tp_timestamp_utc_now import tornado.gen -def get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude): +def get_records(handler, sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude): + """ + 获取会话列表 + 会话审计列表的显示策略(下列的`审计`操作指为会话做标记、置为保留状态、写备注等): + 1. 运维权限:可以查看自己的会话,但不能审计; + 2. 运维授权权限:可以查看所有会话,但不能审计; + 3. 审计权限:可以查看被授权的主机相关的会话,且可以审计; + 4. 审计授权权限:可以查看所有会话,且可以审计。 + + :param handler: + :param sql_filter: + :param sql_order: + :param sql_limit: + :param sql_restrict: + :param sql_exclude: + :return: + """ + + allow_uid = 0 + allow_hids = list() + allow_all = False + user = handler.get_current_user() + if (user['privilege'] & TP_PRIVILEGE_OPS_AUZ) != 0 or (user['privilege'] & TP_PRIVILEGE_AUDIT_AUZ) != 0: + allow_all = True + if not allow_all: + if (user['privilege'] & TP_PRIVILEGE_OPS) != 0: + allow_uid = user.id + if (user['privilege'] & TP_PRIVILEGE_AUDIT) != 0: + s = SQL(get_db()) + s.select_from('audit_map', ['h_id'], alt_name='a') + s.where( + 'a.p_state={enable_state} AND' + '(' + '((a.policy_auth_type={U2H} OR a.policy_auth_type={U2HG}) AND a.u_state={enable_state}) OR ' + '((a.policy_auth_type={UG2H} OR a.policy_auth_type={UG2HG}) AND a.u_state={enable_state} AND a.gu_state={enable_state})' + ')'.format(enable_state=TP_STATE_NORMAL, U2H=TP_POLICY_AUTH_USER_HOST, U2HG=TP_POLICY_AUTH_USER_gHOST, UG2H=TP_POLICY_AUTH_gUSER_HOST, UG2HG=TP_POLICY_AUTH_gUSER_gHOST)) + err = s.query() + if err != TPE_OK: + return err, 0, [] + for h in s.recorder: + if h.h_id not in allow_hids: + allow_hids.append(h.h_id) + + if allow_uid == 0 and len(allow_hids) == 0: + return TPE_FAILED, 0, [] + s = SQL(get_db()) s.select_from('record', ['id', 'sid', 'user_id', 'host_id', 'acc_id', 'state', 'user_username', 'user_surname', 'host_ip', 'conn_ip', 'conn_port', 'client_ip', 'acc_username', 'protocol_type', 'protocol_sub_type', 'time_begin', 'time_end'], alt_name='r') 
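Review bot: The audit_map query built by `s.where(...)` in the `TP_PRIVILEGE_AUDIT` branch filters only on `p_state`, `u_state`, `gu_state` and `policy_auth_type` and never binds the rows to the current user, so `allow_hids` becomes the host set of every enabled audit policy rather than the hosts this user is authorized to audit (rule 3 of the new docstring); unless audit_map rows are already scoped per caller in a way not visible here, the predicate needs a term such as `a.<USER_ID_COLUMN>={uid}` (column name to be taken from the audit_map schema) formatted from the caller's id. `allow_uid = user.id` uses attribute access while the surrounding lines read `user['privilege']`; if `get_current_user()` returns a plain dict this raises AttributeError for every OPS-only caller, so it should read `allow_uid = user['id']`. The indentation of `if allow_uid == 0 and len(allow_hids) == 0: return TPE_FAILED, 0, []` is not recoverable from this rendering; if it sits at function level rather than inside `if not allow_all:`, callers with `allow_all` set (OPS_AUZ/AUDIT_AUZ) have both values empty and are rejected. `get_records` continues past the end of this hunk.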
@@ -42,6 +87,13 @@ def get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude): # elif k == 'search_record': # _where.append('(h.name LIKE "%{}%" OR h.ip LIKE "%{}%" OR h.router_addr LIKE "%{}%" OR h.desc LIKE "%{}%" OR h.cid LIKE "%{}%")'.format(sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k])) + if not allow_all: + if allow_uid != 0: + _where.append('r.user_id={uid}'.format(uid=allow_uid)) + if len(allow_hids) > 0: + hids = [str(h) for h in allow_hids] + _where.append('r.host_id IN ({hids})'.format(hids=','.join(hids))) + if len(_where) > 0: str_where = '( {} )'.format(' AND '.join(_where))
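Review bot: The new `r.user_id=…` and `r.host_id IN (…)` predicates are appended to `_where` as separate entries, and the hunk's last line joins `_where` with `' AND '`, so a user holding both TP_PRIVILEGE_OPS and TP_PRIVILEGE_AUDIT is limited to their own sessions on authorized hosts — fewer rows than either privilege alone returns, which contradicts rules 1 and 3 of the docstring added to `get_records`. Combine the two grants into one parenthesised OR predicate before appending, as below; if the intersection is intended, the docstring should state that instead. `get_records` begins before this hunk.
```python
if not allow_all:
    grants = []
    if allow_uid != 0:
        grants.append('r.user_id={uid}'.format(uid=allow_uid))
    if len(allow_hids) > 0:
        grants.append('r.host_id IN ({hids})'.format(hids=','.join(str(h) for h in allow_hids)))
    # the earlier guard already returned TPE_FAILED when both grants are empty
    _where.append('({})'.format(' OR '.join(grants)))
# … unchanged: join of _where into str_where …
```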