def create(handler, gtype, name, desc):
if gtype not in TP_GROUP_TYPES:
return TPE_PARAM, 0
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(dbtp=db.table_prefix, gtype=gtype, gname=name)
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
operator = handler.get_current_user()
# 2. 插入记录
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \
'({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \
''.format(dbtp=db.table_prefix,
gtype=gtype, gname=name, creator_id=operator['id'],
create_time=_time_now, desc=desc)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name))
return TPE_OK, _id
def create(handler, gtype, name, desc):
if gtype not in TP_GROUP_TYPES:
return TPE_PARAM, 0
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(
dbtp=db.table_prefix, gtype=gtype, gname=name)
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
operator = handler.get_current_user()
# 2. 插入记录
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \
'({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \
''.format(dbtp=db.table_prefix,
gtype=gtype, gname=name, creator_id=operator['id'],
create_time=_time_now, desc=desc)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(
operator, handler.request.remote_ip, TPE_OK,
"创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name))
return TPE_OK, _id
def add_host(handler, args):
"""
添加一个远程主机
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断此主机是否已经存在了
if len(args['router_ip']) > 0:
sql = 'SELECT id FROM {}host WHERE ip="{}" OR (router_ip="{}" AND router_port={});'.format(db.table_prefix, args['ip'], args['router_ip'], args['router_port'])
else:
sql = 'SELECT id FROM {}host WHERE ip="{}";'.format(db.table_prefix, args['ip'])
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}host` (`type`, `os_type`, `name`, `ip`, `router_ip`, `router_port`, `state`, `creator_id`, `create_time`, `cid`, `desc`) VALUES ' \
'(1, {os_type}, "{name}", "{ip}", "{router_ip}", {router_port}, {state}, {creator_id}, {create_time}, "{cid}", "{desc}");' \
''.format(db.table_prefix,
os_type=args['os_type'], name=args['name'], ip=args['ip'], router_ip=args['router_ip'], router_port=args['router_port'],
state=TP_STATE_NORMAL, creator_id=handler.get_current_user()['id'], create_time=_time_now,
cid=args['cid'], desc=args['desc'])
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
h_name = args['ip']
if len(args['router_ip']) > 0:
h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建主机:{}".format(h_name))
tp_stats().host_counter_change(1)
return TPE_OK, _id
def make_groups(handler, gtype, glist, failed):
"""
根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
name_list = list()
for g in glist:
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(dbtp=db.table_prefix, gtype=gtype, gname=g)
db_ret = db.query(sql)
if db_ret is None or len(db_ret) == 0:
# need create group.
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \
'({gtype}, "{name}", {creator_id}, {create_time});' \
''.format(dbtp=db.table_prefix,
gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
failed.append({'line': 0, 'error': '创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format(gtype=TP_GROUP_TYPES[gtype], gname=g)})
continue
glist[g] = db.last_insert_id()
name_list.append(g)
else:
glist[g] = db_ret[0][0]
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=','.join(name_list)))
return TPE_OK
def create_users(handler, user_list, success, failed):
"""
批量创建用户
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
name_list = list()
s = SQL(db)
for i in range(len(user_list)):
user = user_list[i]
if 'type' not in user:
user['type'] = TP_USER_TYPE_LOCAL
if 'ldap_dn' not in user:
user['ldap_dn'] = ''
err = s.reset().select_from('user', ['id']).where('user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
failed.append({'line': user['_line'], 'error': '数据库查询失败'})
if len(s.recorder) > 0:
failed.append({'line': user['_line'], 'error': '账号 `{}` 已经存在'.format(user['username'])})
continue
if user['type'] == TP_USER_TYPE_LOCAL:
_password = tp_password_generate_secret(user['password'])
else:
_password = ''
sql = 'INSERT INTO `{}user` (' \
'`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, ' \
'`state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \
') VALUES (' \
'0, "{username}", "{surname}", {user_type}, "{ldap_dn}", 0, "{password}", ' \
'{state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \
''.format(db.table_prefix, username=user['username'], surname=user['surname'], user_type=user['type'],
ldap_dn=user['ldap_dn'], password=_password, state=TP_STATE_NORMAL, email=user['email'],
creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now,
desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'})
continue
success.append(user['username'])
name_list.append(user['username'])
user['_id'] = db.last_insert_id()
if len(name_list) > 0:
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "批量导入方式创建用户:{}".format(','.join(name_list)))
# tp_stats().user_counter_change(len(name_list))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
def update_login_info(handler, user_id):
db = get_db()
_time_now = tp_timestamp_utc_now()
sql = 'UPDATE `{}user` SET fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time}, login_ip="{ip}" WHERE id={user_id};' \
''.format(db.table_prefix,
login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id
)
if db.exec(sql):
return TPE_OK
else:
return TPE_DATABASE
def create_user(handler, user):
"""
创建一个用户账号
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
if 'type' not in user:
user['type'] = TP_USER_TYPE_LOCAL
if 'ldap_dn' not in user:
user['ldap_dn'] = ''
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('user', ['id']).where(
'user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# _password = tp_password_generate_secret(user['password'])
if user['type'] == TP_USER_TYPE_LOCAL:
_password = tp_password_generate_secret(user['password'])
else:
_password = ''
sql = 'INSERT INTO `{}user` (' \
'`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \
'`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \
') VALUES (' \
'{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \
'"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \
''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'],
user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password,
state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now,
last_login=0, last_chpass=_time_now, desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"创建用户:{}".format(user['username']))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
return TPE_OK, _id
def add_account(handler, host_id, args):
"""
添加一个远程账号
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {}acc WHERE host_id={} AND protocol_port={} AND username="******" AND auth_type={};'.format(
db.table_prefix, host_id, args['protocol_port'], args['username'],
args['auth_type'])
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}acc` (host_id, host_ip, router_ip, router_port, protocol_type, protocol_port, state, auth_type, username, username_prompt, password_prompt, password, pri_key, creator_id, create_time) VALUES ' \
'({host_id}, "{host_ip}", "{router_ip}", {router_port}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{username_prompt}", "{password_prompt}", "{password}", "{pri_key}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
host_id=host_id, host_ip=args['host_ip'], router_ip=args['router_ip'], router_port=args['router_port'],
protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL,
auth_type=args['auth_type'], username=args['username'], username_prompt=args['username_prompt'], password_prompt=args['password_prompt'],
password=args['password'], pri_key=args['pri_key'], creator_id=operator['id'], create_time=_time_now)
# sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \
# '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \
# ''.format(db.table_prefix,
# host_id=host_id,
# protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL,
# auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'],
# creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
acc_name = '{}@{}'.format(args['username'], args['host_ip'])
if len(args['router_ip']) > 0:
acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"创建账号:{}".format(acc_name))
# 更新主机相关账号数量
sql = 'UPDATE `{}host` SET acc_count=acc_count+1 WHERE id={host_id};' \
''.format(db.table_prefix, host_id=host_id)
db_ret = db.exec(sql)
# if not db_ret:
# return TPE_DATABASE, 0
tp_stats().acc_counter_change(1)
return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password):
_time_now = tp_timestamp_utc_now()
self._db_exec(
'设定数据库版本',
'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'
.format(self.db.table_prefix, self.db.DB_VERSION))
self._db_exec(
'设置本地核心服务',
'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES '
'("0000", "", "127.0.0.1", 52080, 1);'
''.format(self.db.table_prefix))
privilege_admin = TP_PRIVILEGE_ALL
privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS
privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT
self._db_exec('创建默认角色', [
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(1, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='系统管理员',
privilege=privilege_admin,
create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(2, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='运维人员',
privilege=privilege_ops,
create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(3, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='审计员',
privilege=privilege_audit,
create_time=_time_now)
])
self._db_exec(
'创建系统管理员账号',
'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES '
'(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});'
''.format(self.db.table_prefix,
auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
username=sysadmin,
surname=sysadmin,
password=tp_password_generate_secret(password),
state=TP_STATE_NORMAL,
email=email,
create_time=_time_now,
last_login=_time_now,
last_chpass=_time_now))
def update_temp_locked_user_state():
sys_cfg = tp_cfg().sys
if sys_cfg.login.lock_timeout == 0:
return
_lock_time = tp_timestamp_utc_now() - (sys_cfg.login.lock_timeout * 60)
db = get_db()
if db.need_create or db.need_upgrade:
return
sql = 'UPDATE `{}user` SET state={new_state}, lock_time=0, fail_count=0 WHERE (state={old_state} AND lock_time<{lock_time});' \
''.format(db.table_prefix, new_state=TP_STATE_NORMAL, old_state=TP_STATE_LOCKED, lock_time=_lock_time)
db.exec(sql)
def update_temp_locked_user_state():
sys_cfg = tp_cfg().sys
if sys_cfg.login.lock_timeout == 0:
return
_lock_time = tp_timestamp_utc_now() - (sys_cfg.login.lock_timeout * 60)
db = get_db()
if db.need_create or db.need_upgrade:
return
sql = 'UPDATE `{}user` SET state={new_state}, lock_time=0, fail_count=0 WHERE (state={old_state} AND lock_time<{lock_time});' \
''.format(db.table_prefix, new_state=TP_STATE_NORMAL, old_state=TP_STATE_LOCKED, lock_time=_lock_time)
db.exec(sql)
def create_users(handler, user_list, success, failed):
"""
批量创建用户
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
name_list = list()
s = SQL(db)
for i in range(len(user_list)):
user = user_list[i]
err = s.reset().select_from('user', ['id']).where(
'user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
failed.append({'line': user['_line'], 'error': '数据库查询失败'})
if len(s.recorder) > 0:
failed.append({
'line': user['_line'],
'error': '账号 `{}` 已经存在'.format(user['username'])
})
continue
_password = tp_password_generate_secret(user['password'])
sql = 'INSERT INTO `{}user` (`type`, `auth_type`, `password`, `username`, `surname`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`) VALUES ' \
'(1, 0, "{password}", "{username}", "{surname}", 0, {state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \
''.format(db.table_prefix,
username=user['username'], surname=user['surname'], password=_password, state=TP_STATE_NORMAL, email=user['email'],
creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=0, desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'})
continue
success.append(user['username'])
name_list.append(user['username'])
user['_id'] = db.last_insert_id()
if len(name_list) > 0:
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"批量导入方式创建用户:{}".format(','.join(name_list)))
# tp_stats().user_counter_change(len(name_list))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
def create_user(handler, user):
"""
创建一个用户账号
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
if 'type' not in user:
user['type'] = TP_USER_TYPE_LOCAL
if 'ldap_dn' not in user:
user['ldap_dn'] = ''
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('user', ['id']).where('user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# _password = tp_password_generate_secret(user['password'])
if user['type'] == TP_USER_TYPE_LOCAL:
_password = tp_password_generate_secret(user['password'])
else:
_password = ''
sql = 'INSERT INTO `{}user` (' \
'`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \
'`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \
') VALUES (' \
'{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \
'"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \
''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'],
user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password,
state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now,
last_login=0, last_chpass=_time_now, desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建用户:{}".format(user['username']))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
return TPE_OK, _id
def update_login_info(handler, user_id):
db = get_db()
_time_now = tp_timestamp_utc_now()
sql = 'UPDATE `{}user` SET ' \
'fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time},' \
' login_ip="{ip}" WHERE id={user_id};' \
''.format(db.table_prefix,
login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id
)
if db.exec(sql):
return TPE_OK
else:
return TPE_DATABASE
def add_account(handler, host_id, args):
"""
添加一个远程账号
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {}acc WHERE host_id={} AND protocol_port={} AND username="******" AND auth_type={};'.format(db.table_prefix, host_id, args['protocol_port'], args['username'], args['auth_type'])
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}acc` (host_id, host_ip, router_ip, router_port, protocol_type, protocol_port, state, auth_type, username, username_prompt, password_prompt, password, pri_key, creator_id, create_time) VALUES ' \
'({host_id}, "{host_ip}", "{router_ip}", {router_port}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{username_prompt}", "{password_prompt}", "{password}", "{pri_key}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
host_id=host_id, host_ip=args['host_ip'], router_ip=args['router_ip'], router_port=args['router_port'],
protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL,
auth_type=args['auth_type'], username=args['username'], username_prompt=args['username_prompt'], password_prompt=args['password_prompt'],
password=args['password'], pri_key=args['pri_key'], creator_id=operator['id'], create_time=_time_now)
# sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \
# '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \
# ''.format(db.table_prefix,
# host_id=host_id,
# protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL,
# auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'],
# creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
acc_name = '{}@{}'.format(args['username'], args['host_ip'])
if len(args['router_ip']) > 0:
acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建账号:{}".format(acc_name))
# 更新主机相关账号数量
sql = 'UPDATE `{}host` SET acc_count=acc_count+1 WHERE id={host_id};' \
''.format(db.table_prefix, host_id=host_id)
db_ret = db.exec(sql)
# if not db_ret:
# return TPE_DATABASE, 0
tp_stats().acc_counter_change(1)
return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password):
_time_now = tp_timestamp_utc_now()
self._db_exec(
'设定数据库版本',
'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'.format(self.db.table_prefix, self.db.DB_VERSION)
)
self._db_exec(
'设置本地核心服务',
'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES '
'("0000", "", "127.0.0.1", 52080, 1);'
''.format(self.db.table_prefix)
)
privilege_admin = TP_PRIVILEGE_ALL
privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS
privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT
self._db_exec(
'创建默认角色',
[
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(1, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='系统管理员', privilege=privilege_admin, create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(2, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='运维人员', privilege=privilege_ops, create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(3, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='审计员', privilege=privilege_audit, create_time=_time_now)
]
)
self._db_exec(
'创建系统管理员账号',
'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES '
'(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});'
''.format(self.db.table_prefix,
auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
username=sysadmin, surname=sysadmin, password=tp_password_generate_secret(password), state=TP_STATE_NORMAL, email=email,
create_time=_time_now, last_login=_time_now, last_chpass=_time_now)
)
def generate_reset_password_token(handler, user_id):
db = get_db()
operator = handler.get_current_user()
s = SQL(db)
_time_now = tp_timestamp_utc_now()
# 0. query user's email by user_id
err = s.select_from('user', ['email'], alt_name='u').where(
'u.id={user_id}'.format(user_id=user_id)).query()
if err != TPE_OK:
return err, None, None
if len(s.recorder) == 0:
return TPE_DATABASE, None, None
email = s.recorder[0].email
# 1. clean all timed out tokens.
s.reset().delete_from('user_rpt').where(
'create_time<{}'.format(_time_now - 24 * 60 * 60)).exec()
# 2. find out if this user already have a token.
err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where(
'u.user_id={}'.format(user_id)).query()
if err != TPE_OK:
return err, None, None
token = tp_generate_random(16)
if len(s.recorder) == 0:
sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \
'({user_id}, "{token}", {create_time});' \
''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
else:
sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \
''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
# syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name))
return TPE_OK, email, token
def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username, host_ip, conn_ip, conn_port, client_ip, auth_type, protocol_type, protocol_sub_type):
db = get_db()
sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \
'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \
';'.format(db.table_prefix,
sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port,
client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type,
time_begin=tp_timestamp_utc_now())
ret = db.exec(sql)
if not ret:
return TPE_DATABASE, 0
record_id = db.last_insert_id()
if record_id == -1:
return TPE_DATABASE, 0
else:
return TPE_OK, record_id
def sys_log(operator, client_ip, code, message=""):
try:
db = get_db()
sql = 'INSERT INTO `{}syslog` (user_name,user_surname,client_ip,code,log_time,message) ' \
'VALUES ("{user_name}","{user_surname}","{client_ip}",{code},{log_time},"{message}")' \
';'.format(db.table_prefix,
user_name=operator['username'], user_surname=operator['surname'], client_ip=client_ip, code=code,
log_time=tp_timestamp_utc_now(), message=message
)
ret = db.exec(sql)
if not ret:
return TPE_DATABASE
return TPE_OK
except:
log.e('\n')
return TPE_DATABASE
def make_groups(handler, gtype, glist, failed):
"""
根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
name_list = list()
for g in glist:
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(
dbtp=db.table_prefix, gtype=gtype, gname=g)
db_ret = db.query(sql)
if db_ret is None or len(db_ret) == 0:
# need create group.
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \
'({gtype}, "{name}", {creator_id}, {create_time});' \
''.format(dbtp=db.table_prefix,
gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
failed.append({
'line':
0,
'error':
'创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format(
gtype=TP_GROUP_TYPES[gtype], gname=g)
})
continue
glist[g] = db.last_insert_id()
name_list.append(g)
else:
glist[g] = db_ret[0][0]
syslog.sys_log(
operator, handler.request.remote_ip, TPE_OK,
"创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype],
gname=','.join(name_list)))
return TPE_OK
def sys_log(operator, client_ip, code, message=""):
try:
db = get_db()
sql = 'INSERT INTO `{}syslog` (user_name,user_surname,client_ip,code,log_time,message) ' \
'VALUES ("{user_name}","{user_surname}","{client_ip}",{code},{log_time},"{message}")' \
';'.format(db.table_prefix,
user_name=operator['username'], user_surname=operator['surname'], client_ip=client_ip, code=code,
log_time=tp_timestamp_utc_now(), message=message
)
ret = db.exec(sql)
if not ret:
return TPE_DATABASE
return TPE_OK
except:
log.e('\n')
return TPE_DATABASE
def generate_reset_password_token(handler, user_id):
db = get_db()
operator = handler.get_current_user()
s = SQL(db)
_time_now = tp_timestamp_utc_now()
# 0. query user's email by user_id
err = s.select_from('user', ['email'], alt_name='u').where('u.id={user_id}'.format(user_id=user_id)).query()
if err != TPE_OK:
return err, None, None
if len(s.recorder) == 0:
return TPE_DATABASE, None, None
email = s.recorder[0].email
# 1. clean all timed out tokens.
s.reset().delete_from('user_rpt').where('create_time<{}'.format(_time_now - 24 * 60 * 60)).exec()
# 2. find out if this user already have a token.
err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where('u.user_id={}'.format(user_id)).query()
if err != TPE_OK:
return err, None, None
token = tp_generate_random(16)
if len(s.recorder) == 0:
sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \
'({user_id}, "{token}", {create_time});' \
''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
else:
sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \
''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
# syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name))
return TPE_OK, email, token
def update_fail_count(handler, user_info):
db = get_db()
sys_cfg = tp_cfg().sys
sql_list = []
is_locked = False
fail_count = user_info.fail_count + 1
sql = 'UPDATE `{}user` SET fail_count={count} WHERE id={uid};' \
''.format(db.table_prefix, count=fail_count, uid=user_info.id)
sql_list.append(sql)
if sys_cfg.login.retry != 0 and fail_count >= sys_cfg.login.retry:
is_locked = True
sql = 'UPDATE `{}user` SET state={state}, lock_time={lock_time} WHERE id={uid};' \
''.format(db.table_prefix, state=TP_STATE_LOCKED, lock_time=tp_timestamp_utc_now(), uid=user_info.id)
sql_list.append(sql)
if db.transaction(sql_list):
return TPE_OK, is_locked
else:
return TPE_DATABASE, is_locked
def update_fail_count(handler, user_info):
db = get_db()
sys_cfg = tp_cfg().sys
sql_list = []
is_locked = False
fail_count = user_info.fail_count + 1
sql = 'UPDATE `{}user` SET fail_count={count} WHERE id={uid};' \
''.format(db.table_prefix, count=fail_count, uid=user_info.id)
sql_list.append(sql)
if sys_cfg.login.retry != 0 and fail_count >= sys_cfg.login.retry:
is_locked = True
sql = 'UPDATE `{}user` SET state={state}, lock_time={lock_time} WHERE id={uid};' \
''.format(db.table_prefix, state=TP_STATE_LOCKED, lock_time=tp_timestamp_utc_now(), uid=user_info.id)
sql_list.append(sql)
if db.transaction(sql_list):
return TPE_OK, is_locked
else:
return TPE_DATABASE, is_locked
def add_host(handler, args):
"""
添加一个远程主机
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断此主机是否已经存在了
if len(args['router_ip']) > 0:
sql = 'SELECT id FROM {}host WHERE ip="{}" OR (router_ip="{}" AND router_port={});'.format(
db.table_prefix, args['ip'], args['router_ip'],
args['router_port'])
else:
sql = 'SELECT id FROM {}host WHERE ip="{}";'.format(
db.table_prefix, args['ip'])
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}host` (`type`, `os_type`, `name`, `ip`, `router_ip`, `router_port`, `state`, `creator_id`, `create_time`, `cid`, `desc`) VALUES ' \
'(1, {os_type}, "{name}", "{ip}", "{router_ip}", {router_port}, {state}, {creator_id}, {create_time}, "{cid}", "{desc}");' \
''.format(db.table_prefix,
os_type=args['os_type'], name=args['name'], ip=args['ip'], router_ip=args['router_ip'], router_port=args['router_port'],
state=TP_STATE_NORMAL, creator_id=handler.get_current_user()['id'], create_time=_time_now,
cid=args['cid'], desc=args['desc'])
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
h_name = args['ip']
if len(args['router_ip']) > 0:
h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip,
TPE_OK, "创建主机:{}".format(h_name))
tp_stats().host_counter_change(1)
return TPE_OK, _id
def add_members(handler, policy_id, policy_type, ref_type, members):
# step 1: select exists rid.
s = SQL(get_db())
s.select_from('audit_auz', ['rid'], alt_name='p')
_where = list()
_where.append('p.policy_id={}'.format(policy_id))
_where.append('p.type={}'.format(policy_type))
_where.append('p.rtype={}'.format(ref_type))
s.where('( {} )'.format(' AND '.join(_where)))
err = s.query()
if err != TPE_OK:
return err
exists_ids = [r['rid'] for r in s.recorder]
operator = handler.get_current_user()
db = get_db()
_time_now = tp_timestamp_utc_now()
sql = []
# for uid in members:
# sql.append('INSERT INTO `{}group_map` (type, gid, mid) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid))
# print(args['members'])
for m in members:
if m['id'] in exists_ids:
continue
str_sql = 'INSERT INTO `{}audit_auz` (policy_id, type, rtype, rid, `name`, creator_id, create_time) VALUES ' \
'({pid}, {t}, {rtype}, {rid}, "{name}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
pid=policy_id, t=policy_type, rtype=ref_type,
rid=m['id'], name=m['name'],
creator_id=operator['id'], create_time=_time_now)
sql.append(str_sql)
if db.transaction(sql):
# return TPE_OK
return policy.rebuild_audit_auz_map()
else:
return TPE_DATABASE
def create_policy(handler, args):
"""
创建一个授权策略
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('audit_policy', ['id']).where(
'audit_policy.name="{}"'.format(args['name'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# 2. get total count
sql = 'SELECT COUNT(*) FROM {}audit_policy'.format(db.table_prefix)
db_ret = db.query(sql)
if not db_ret or len(db_ret) == 0:
return TPE_DATABASE, 0
rank = db_ret[0][0] + 1
sql = 'INSERT INTO `{}audit_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \
'({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
rank=rank, name=args['name'], desc=args['desc'],
creator_id=handler.get_current_user()['id'],
create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip,
TPE_OK, "创建审计授权策略:{}".format(args['name']))
return TPE_OK, _id
def add_members(handler, policy_id, policy_type, ref_type, members):
# step 1: select exists rid.
s = SQL(get_db())
s.select_from('audit_auz', ['rid'], alt_name='p')
_where = list()
_where.append('p.policy_id={}'.format(policy_id))
_where.append('p.type={}'.format(policy_type))
_where.append('p.rtype={}'.format(ref_type))
s.where('( {} )'.format(' AND '.join(_where)))
err = s.query()
if err != TPE_OK:
return err
exists_ids = [r['rid'] for r in s.recorder]
operator = handler.get_current_user()
db = get_db()
_time_now = tp_timestamp_utc_now()
sql = []
# for uid in members:
# sql.append('INSERT INTO `{}group_map` (type, gid, mid) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid))
# print(args['members'])
for m in members:
if m['id'] in exists_ids:
continue
str_sql = 'INSERT INTO `{}audit_auz` (policy_id, type, rtype, rid, `name`, creator_id, create_time) VALUES ' \
'({pid}, {t}, {rtype}, {rid}, "{name}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
pid=policy_id, t=policy_type, rtype=ref_type,
rid=m['id'], name=m['name'],
creator_id=operator['id'], create_time=_time_now)
sql.append(str_sql)
if db.transaction(sql):
# return TPE_OK
return policy.rebuild_audit_auz_map()
else:
return TPE_DATABASE
def check_reset_token(token):
db = get_db()
# s = SQL(db)
_time_now = tp_timestamp_utc_now()
# 0. remove expired token (after 3 days)
sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format(dbtp=db.table_prefix, dbph=db.place_holder)
db.exec(sql, (_time_now - 3 * 24 * 60 * 60,))
# 1. query user's id
sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format(dbtp=db.table_prefix,
dbph=db.place_holder)
db_ret = db.query(sql, (token,))
if db_ret is None or len(db_ret) == 0:
return TPE_NOT_EXISTS, 0
user_id = db_ret[0][0]
create_time = db_ret[0][1]
if _time_now - create_time > 24 * 60 * 60:
return TPE_EXPIRED, user_id
else:
return TPE_OK, user_id
def add_role(handler, role_name, privilege):
db = get_db()
_time_now = tp_timestamp_utc_now()
operator = handler.get_current_user()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {}role WHERE name="{name}";'.format(db.table_prefix, name=role_name)
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}role` (name, privilege, creator_id, create_time) VALUES ' \
'("{name}", {privilege}, {creator_id}, {create_time});' \
''.format(db.table_prefix, name=role_name, privilege=privilege, creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建角色:{}".format(role_name))
return TPE_OK, _id
def create_policy(handler, args):
"""
创建一个授权策略
"""
db = get_db()
_time_now = tp_timestamp_utc_now()
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('ops_policy', ['id']).where('ops_policy.name="{}"'.format(args['name'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# 2. get total count
sql = 'SELECT COUNT(*) FROM {}ops_policy'.format(db.table_prefix)
db_ret = db.query(sql)
if not db_ret or len(db_ret) == 0:
return TPE_DATABASE, 0
rank = db_ret[0][0] + 1
sql = 'INSERT INTO `{}ops_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \
'({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
rank=rank, name=args['name'], desc=args['desc'],
creator_id=handler.get_current_user()['id'],
create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建运维授权策略:{}".format(args['name']))
return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password):
_time_now = tp_timestamp_utc_now()
self._db_exec(
'设定数据库版本',
'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'
.format(self.db.table_prefix, self.db.DB_VERSION))
self._db_exec(
'设置本地核心服务',
'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES '
'("0000", "", "127.0.0.1", 52080, 1);'
''.format(self.db.table_prefix))
privilege_admin = TP_PRIVILEGE_ALL
privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS
privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT
self._db_exec('创建默认角色', [
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(1, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='系统管理员',
privilege=privilege_admin,
create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(2, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='运维人员',
privilege=privilege_ops,
create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(3, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='审计员',
privilege=privilege_audit,
create_time=_time_now)
])
def check_reset_token(token):
db = get_db()
# s = SQL(db)
_time_now = tp_timestamp_utc_now()
# 0. remove expired token (after 3 days)
sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format(
dbtp=db.table_prefix, dbph=db.place_holder)
db.exec(sql, (_time_now - 3 * 24 * 60 * 60, ))
# 1. query user's id
sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format(
dbtp=db.table_prefix, dbph=db.place_holder)
db_ret = db.query(sql, (token, ))
if db_ret is None or len(db_ret) == 0:
return TPE_NOT_EXISTS, 0
user_id = db_ret[0][0]
create_time = db_ret[0][1]
if _time_now - create_time > 24 * 60 * 60:
return TPE_EXPIRED, user_id
else:
return TPE_OK, user_id
def login(handler, username, password=None, oath_code=None, check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
# '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now() - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
if user_info['type'] == TP_USER_TYPE_LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_utc_now()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期')
return TPE_USER_AUTH, None
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
return TPE_USER_AUTH, None
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置')
return TPE_USER_AUTH, None
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'LDAP用户登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'LDAP用户登录失败,{}'.format(err_msg))
return TPE_USER_AUTH, None
except:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误')
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath == True and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
'登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED,
'登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
pass
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info
def cleanup_storage(handler):
# storage config
sto = tp_cfg().sys.storage
db = get_db()
_now = tp_timestamp_utc_now()
msg = []
have_error = False
s = SQL(db)
chk_time = _now - sto.keep_log * 24 * 60 * 60
if sto.keep_log > 0:
# find out all sys-log to be remove
s.select_from('syslog', ['id'], alt_name='s')
s.where('s.log_time<{chk_time}'.format(chk_time=chk_time))
err = s.query()
if err != TPE_OK:
have_error = True
msg.append('清理系统日志时发生错误:无法获取系统日志信息!')
# return err, msg
else:
removed_log = len(s.recorder)
if 0 == removed_log:
msg.append('没有满足条件的系统日志需要清除!')
else:
s.reset().delete_from('syslog').where('log_time<{chk_time}'.format(chk_time=chk_time))
err = s.exec()
if err != TPE_OK:
have_error = True
msg.append('清理系统日志时发生错误:无法清除指定的系统日志!')
else:
msg.append('{} 条系统日志已清除!'.format(removed_log))
if sto.keep_record > 0:
core_cfg = tp_cfg().core
if not core_cfg.detected:
have_error = True
msg.append('清除指定会话录像失败:未能检测到核心服务!')
else:
replay_path = core_cfg.replay_path
if not os.path.exists(replay_path):
have_error = True
msg.append('清除指定会话录像失败:会话录像路径不存在({})!'.format(replay_path))
else:
# find out all record to be remove
s.reset().select_from('record', ['id', 'protocol_type'], alt_name='r')
s.where('r.time_begin<{chk_time}'.format(chk_time=chk_time))
err = s.query()
if err != TPE_OK:
have_error = True
msg.append('清除指定会话录像失败:无法获取会话录像信息!')
elif len(s.recorder) == 0:
msg.append('没有满足条件的会话录像需要清除!')
else:
record_removed = 0
for r in s.recorder:
if r.protocol_type == TP_PROTOCOL_TYPE_RDP:
path_remove = os.path.join(replay_path, 'rdp', '{:09d}'.format(r.id))
elif r.protocol_type == TP_PROTOCOL_TYPE_SSH:
path_remove = os.path.join(replay_path, 'ssh', '{:09d}'.format(r.id))
elif r.protocol_type == TP_PROTOCOL_TYPE_TELNET:
path_remove = os.path.join(replay_path, 'telnet', '{:09d}'.format(r.id))
else:
have_error = True
msg.append('会话录像记录编号 {},未知远程访问协议!'.format(r.id))
continue
if os.path.exists(path_remove):
# print('remove path', path_remove)
try:
shutil.rmtree(path_remove)
except:
have_error = True
msg.append('会话录像记录 {} 清除失败,无法删除目录 {}!'.format(r.id, path_remove))
ss = SQL(db)
ss.delete_from('record').where('id={rid}'.format(rid=r.id))
ss.exec()
record_removed += 1
msg.append('{} 条会话录像数据已清除!'.format(record_removed))
if have_error:
return TPE_FAILED, msg
else:
return TPE_OK, msg
def session_end(record_id, ret_code):
db = get_db()
sql = 'UPDATE `{}record` SET state={}, time_end={} WHERE id={};'.format(db.table_prefix, int(ret_code), tp_timestamp_utc_now(), int(record_id))
return db.exec(sql)
def session_fix():
db = get_db()
if db.need_create or db.need_upgrade:
return TPE_OK
sql_list = []
sql = 'UPDATE `{dbtp}record` SET state={new_state}, time_end={time_end} WHERE state={old_state};' \
''.format(dbtp=db.table_prefix, new_state=TP_SESS_STAT_ERR_RESET, old_state=TP_SESS_STAT_RUNNING, time_end=tp_timestamp_utc_now())
sql_list.append(sql)
sql = 'UPDATE `{dbtp}record` SET state={new_state},time_end={time_end} WHERE state={old_state};' \
''.format(dbtp=db.table_prefix, new_state=TP_SESS_STAT_ERR_START_RESET, old_state=TP_SESS_STAT_STARTED, time_end=tp_timestamp_utc_now())
sql_list.append(sql)
return db.transaction(sql_list)
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
err, user_info = get_by_username(username)
if err != TPE_OK:
# if err == TPE_NOT_EXISTS:
# syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS,
# '用户身份验证失败,用户`{}`不存在'.format(username))
return err, None
if user_info.privilege == 0:
# 尚未为此用户设置角色
return TPE_PRIVILEGE, None
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_utc_now(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, '登录失败,用户已被临时锁定')
return TPE_USER_LOCKED, None
elif user_info['state'] == TP_STATE_DISABLED:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
'登录失败,用户已被禁用')
return TPE_USER_DISABLED, None
elif user_info['state'] != TP_STATE_NORMAL:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED,
'登录失败,用户状态异常')
return TPE_FAILED, None
err_msg = ''
if password is not None:
if user_info['type'] == TP_USER_TYPE_LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_utc_now()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
60 * 24) < _time_now:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, '登录失败,用户密码已过期')
return TPE_USER_AUTH, None
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码')
return TPE_USER_AUTH, None
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP未能正确配置')
return TPE_USER_AUTH, None
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH,
'LDAP用户登录失败,密码错误{}'.format(err_msg))
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH,
'LDAP用户登录失败,{}'.format(err_msg))
return TPE_USER_AUTH, None
except:
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误')
return TPE_USER_AUTH, None
else:
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
'登录失败,系统内部错误')
return TPE_USER_AUTH, None
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH,
"登录失败,身份验证器动态验证码错误{}".format(err_msg))
return TPE_OATH_MISMATCH, None
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info
