async def post(self, *args, **kwargs):
# data = json.loads(self.request.body.decode("utf-8"))
nickname = self.get_current_user() # 这里使用useame 不用中文
#if not self.is_superuser: return self.write(dict(code=-1, msg='你不是超级超级管理员,不能使用WebTerminal'))
connect_server_info = dict()
connect_server_info['nickname'] = nickname
# 数据加密给Jimmy
mc = MyCryptV2()
# 加密数据
# encrypt_data = mc.my_encrypt(str(connect_server_info))
encrypt_data = mc.my_encrypt(str(connect_server_info))
print(encrypt_data)
ins_log.read_log('info', '加密后的数据是:{}'.format(encrypt_data))
try:
web_terminal_initialssh = '{0}/webterminal/initiallogin/'.format(WEB_TERMINAL)
the_body = json.dumps(encrypt_data)
http_client = httpclient.AsyncHTTPClient()
response = await http_client.fetch(web_terminal_initialssh, method="POST", body=the_body,
raise_error=False)
response_data = json.loads(response.body.decode('utf-8'))
if not response_data.get('status'):
return self.write(dict(code=1, msg=response_data.get('message')))
# 返回信息
web_terminal_key = response_data['key']
web_terminal_url = '{0}/logslist/'.format(WEB_TERMINAL)
res_data = {
"web_terminal_url": web_terminal_url,
"web_terminal_key": web_terminal_key
}
except Exception as e:
ins_log.read_log('error', '请求webterminal接口出错:{err}'.format(err=e))
return self.write(dict(code=1, msg='请求webterminal接口出错:{err}'.format(err=e)))
return self.write(dict(code=0, msg='Sucessfully', data=res_data))
def get_connect_info(self, asset_id):
"""
获取连接主机的信息,如:IP , Port , User
使用推送过去的系统用户+密钥进行链接
:return:
"""
system_user_list = self.get_system_user()
for i in system_user_list:
system_user = i.get('system_user')
mc = MyCryptV2()
_private_key_txt = mc.my_decrypt(i.get('id_rsa'))
# 这里需要写到本地文件
with DBContext('r') as session:
server_info = session.query(Server.ip, Server.port, Server.detail).filter(
Server.id == asset_id).first()
ip = server_info[0]
port = server_info[1]
detail = server_info[2]
connect_info = {
'ip': ip,
'port': port,
'system_user': system_user,
'private_key_txt': _private_key_txt,
'detail': detail
}
return connect_info
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
huawei_configs_list = get_configs()
if not huawei_configs_list:
ins_log.read_log('error', '没有获取到华为云资产配置信息,跳过')
return False
for config in huawei_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
huawei_cloud = config.get('huawei_cloud')
project_id = config.get('project_id')
default_admin_user = config.get('default_admin_user')
obj = HuaweiEcsApi(access_id=access_id,
access_key=access_key,
region=region,
cloud=huawei_cloud,
project_id=project_id,
default_admin_user=default_admin_user)
obj.sync_cmdb()
def post(self):
ebs_list = []
mc = MyCryptV2()
aws_configs_list = get_configs()
if not aws_configs_list:
ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过')
return False
for config in aws_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
default_admin_user = config.get('default_admin_user')
client = boto3.client('ec2',
region_name=region,
aws_access_key_id=access_id,
aws_secret_access_key=access_key)
paginator = client.get_paginator('describe_volumes')
page_iterator = paginator.paginate()
filtered_iterator = page_iterator.search("Volumes[]")
for i in filtered_iterator:
if i['Attachments'] == []:
i['Attachments'] = '磁盘没有被使用'
i['CreateTime'] = i['CreateTime'].strftime("%Y-%m-%d")
i['Encrypted'] = 'false' if i['Encrypted'] == 0 else 'Trues'
print(i)
ebs_list.append(i)
with DBContext('w', None, True) as session:
session.execute('''TRUNCATE TABLE Unattach_Ebs''')
session.bulk_insert_mappings(Unattach_Ebs, ebs_list)
session.commit()
self.write(dict(code=0, msg='获取并写入成功'))
def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
name = data.get('name', None) # 名称,也是唯一
system_user = data.get('system_user', None) # 系统用户
platform_users = data.get('platform_users', []) # 平台用户
priority = data.get('priority', None) # 优先级
sudo_list = data.get('sudo_list', None) # sudo权限
bash_shell = data.get('bash_shell', None) # sudo权限
remarks = data.get('remarks', None) # 备注
if not name or not system_user or not priority or not sudo_list or not bash_shell:
return self.write(dict(code=-2, msg='关键参数不能为空'))
if not platform_users:
return self.write(dict(code=-2, msg='请至少选择一个关联用户'))
if not is_number(priority):
return self.write(dict(code=-2, msg='优先级必须是数字'))
with DBContext('r', None, True) as session:
exist_id = session.query(SystemUser.id).filter(SystemUser.name == name).first()
exist_priority = session.query(SystemUser.id).filter(SystemUser.priority == int(priority)).first()
if exist_id:
return self.write(dict(code=-2, msg='不要重复记录'))
if exist_priority:
return self.write(dict(code=-2, msg='优先级冲突'))
# 新建一个系统用户用来登陆主机,此用户使用密钥认证登陆主机,密钥是自动生成的,生成后保存到数据库里面
key_name = shortuuid.uuid()
init_keygen_cmd = 'ssh-keygen -t rsa -P "" -f /tmp/{}'.format(key_name)
code, ret = exec_shell(init_keygen_cmd)
if code == 0:
# 这个系统用户的公钥和私钥是根据name+system_user生成到/tmp下的
with open('/tmp/{}'.format(key_name), 'r') as id_rsa, open(
'/tmp/{}.pub'.format(key_name), 'r') as id_rsa_pub:
# 对密钥进行加密再写数据库
mc = MyCryptV2() # 实例化
_private_key = mc.my_encrypt(id_rsa.read())
_public_key = mc.my_encrypt(id_rsa_pub.read())
# print('加密后的id_rsa--->',_private_key)
# print('加密后的id_rsa_pub--->',_public_key)
# print('解密公钥', mc.my_decrypt(_public_key))
# 生成密钥对写入数据库
with DBContext('w', None, True) as session:
new_system_user = SystemUser(name=name, system_user=system_user, priority=priority,
sudo_list=sudo_list,
bash_shell=bash_shell, id_rsa=_private_key, id_rsa_pub=_public_key,
platform_users=','.join(platform_users),
remarks=remarks)
session.add(new_system_user)
return self.write(dict(code=0, msg='添加成功'))
else:
return self.write(dict(code=-4, msg=ret))
def configure_keyless(self):
"""
配置系统用户免密钥登陆
:return:
"""
# connect_server_list = [('172.16.0.93', 22, 'root'), ('172.16.0.219', 22, 'root'),
# ('2.2.2.2', 22, 'root')]
connect_server_list = self.get_asset_info()
system_user_list = self.get_system_user()
for host in connect_server_list:
ip = host[0]
user = host[2]
for data in system_user_list:
mc = MyCryptV2()
system_user = data.get('system_user')
_public_key = mc.my_decrypt(data.get('id_rsa_pub')) # 解密
# print(_public_key)
# module_args = '[ ! -d /home/{}/.ssh ] && mkdir /home/{}/.ssh && chmod 700 /home/{}/.ssh ; ' \
# '[ ! -f /home/{}/.ssh/authorized_keys ] && touch /home/{}/.ssh/authorized_keys; ' \
# ' grep -c "{}" /home/{}/.ssh/authorized_keys >> /dev/null || echo "{}" >> /home/{}/.ssh/authorized_keys && chmod 600 /home/{}/.ssh/authorized_keys && echo ok'.format(
# system_user, system_user, system_user, system_user, system_user, _public_key, system_user,
# _public_key, system_user, system_user)
module_args = '{sudo} [ ! -d /home/{system_user}/.ssh ]&& ' \
'{sudo} mkdir /home/{system_user}/.ssh &&' \
'{sudo} chmod 700 /home/{system_user}/.ssh ; ' \
'{sudo} [ ! -f /home/{system_user}/.ssh/authorized_keys ]&& ' \
'{sudo} touch /home/{system_user}/.ssh/authorized_keys; ' \
'{sudo} chown -R {system_user}.{system_user} /home/{system_user}/.ssh ; ' \
'{sudo} grep -c "{public_key}" /home/{system_user}/.ssh/authorized_keys >> /dev/null && ' \
'echo "is exist public_key, auto pass...." || ' \
'{sudo} echo "{public_key}" >> /home/{system_user}/.ssh/authorized_keys && ' \
'{sudo} chmod 600 /home/{system_user}/.ssh/authorized_keys && ' \
'echo ok'.format(sudo=self.sudo, system_user=system_user, public_key=_public_key)
# print(module_args)
result = self.run("shell", module_args, ip, user)
print(result)
if result['dark']:
self.err_msg = {
"status": False,
"ip": ip,
"msg": result['dark'][ip]['msg']
}
self.err_list.append(self.err_msg)
if self.err_list:
self.write_error_log()
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
aliyun_configs_list = get_configs()
if not aliyun_configs_list:
ins_log.read_log('error', '没有获取到阿里云资产配置信息,跳过')
return False
for config in aliyun_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
obj = RedisApi(access_id, access_key, region)
obj.sync_cmdb()
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
qcloud_configs_list = get_configs()
if not qcloud_configs_list:
ins_log.read_log('error', '没有获取到腾讯云资产配置信息,跳过')
return False
for config in qcloud_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
obj = CDBApi(access_id, access_key, region)
obj.index()
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
aliyun_configs_list = get_configs()
if not aliyun_configs_list:
ins_log.read_log('error', '没有获取到阿里云资产配置信息,跳过')
return False
for config in aliyun_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
default_admin_user = config.get('default_admin_user')
obj = EcsAPi(access_id, access_key, region, default_admin_user)
obj.index()
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
aws_configs_list = get_configs()
if not aws_configs_list:
ins_log.read_log('error', '没有获取到AWS资产配置信息,跳过')
return False
for config in aws_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
name = config.get('name') # 名称
obj = EventApi(account_name=name, access_id=access_id, access_key=access_key, region=region)
obj.send_alert()
obj.sync_cmdb()
def main():
mc = MyCryptV2()
aws_configs_list = get_configs()
if not aws_configs_list:
ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过')
return False
for config in aws_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
default_admin_user = config.get('default_admin_user')
obj = ForDangersHandler(access_id, access_key, region,
default_admin_user)
result = [i for i in obj.get_tags()]
with DBContext('w', None) as session:
session.execute('''TRUNCATE TABLE asset_tag''')
session.bulk_insert_mappings(Tag, result)
session.commit()
def main():
"""
从接口获取已经启用的配置
:return:
"""
mc = MyCryptV2()
ucloud_configs_list = get_configs()
if not ucloud_configs_list:
ins_log.read_log('error', '没有获取到UCloud资产配置信息,跳过')
return False
for config in ucloud_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
default_admin_user = config.get('default_admin_user')
project_id = config.get('project_id')
obj = UHostAPI(access_id=access_id, access_key=access_key, region=region, default_admin_user=default_admin_user,
project_id=project_id)
obj.sync_cmdb()
from tornado import gen
from concurrent.futures import ThreadPoolExecutor
from tornado.concurrent import run_on_executor
from libs.base_handler import BaseHandler
from models.server import AssetConfigs, model_to_dict
from websdk.db_context import DBContext
from libs.aliyun.ecs import EcsAPi
from libs.qcloud.cvm import CVMApi
from libs.aws.ec2 import Ec2Api
from libs.aliyun.ecs import main as aliyun_update_main
from libs.qcloud.cvm import main as qcloud_update_main
from libs.aws.ec2 import main as aws_update_main
from websdk.web_logs import ins_log
from opssdk.operate import MyCryptV2
mc = MyCryptV2() # 实例化
class AssetConfigsHandler(BaseHandler):
def get(self, *args, **kwargs):
key = self.get_argument('key', default=None, strip=True)
value = self.get_argument('value', default=None, strip=True)
asset_configs_list = []
with DBContext('r') as session:
if key and value:
asset_configs_data = session.query(AssetConfigs).filter_by(
**{
key: value
}).all()
else:
asset_configs_data = session.query(AssetConfigs).all()
def post(self):
host_list = {}
mc = MyCryptV2()
aws_configs_list = get_configs()
if not aws_configs_list:
ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过')
self.write(dict(code=0, msg='没有获取到AWS资产配置信息,跳过'))
for config in aws_configs_list:
access_id = config.get('access_id')
access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用
region = config.get('region')
default_admin_user = config.get('default_admin_user')
obj = ForDangersHandler(access_id, access_key, region,
default_admin_user)
server_info = obj.get_server_info()
for msg in server_info:
if not host_list.get(str(msg)):
host_list[str(msg)] = obj ## 字典去重 可能会有两个相同权限的ak/sk
if not host_list:
ins_log.read_log('info', 'Not fount server info...')
print('Not Fount Server Info')
self.write(dict(code=0, msg='没有从AWS接口里读到信息,跳过'))
else:
with DBContext('r') as session:
db_record = session.query(Security_Host.server_instance_id,
Security_Host.risk_port)
all_instance_risk_pair, all_values = yield self.AwsQueryRiskPort(
host_list)
if db_record.count() != 0:
for ins in db_record:
if ins.server_instance_id in all_instance_risk_pair.keys(
): ##数据库查到的是否在从aws取到的ID列表里
if ins.risk_port != all_instance_risk_pair[
ins.
server_instance_id]: ##如果查询后发现从aws取到的风险端口和数据库存的不一致,则updates
session.query(Security_Host).filter(
Security_Host.server_instance_id ==
ins.server_instance_id).update({
Security_Host.risk_port:
all_instance_risk_pair[
ins.server_instance_id]
})
session.commit()
del all_instance_risk_pair[
ins.server_instance_id]
else: ##如果一致 则什么都不做
del all_instance_risk_pair[
ins.
server_instance_id] ## 只要在数据库有记录的都删了 只剩下数据里没的机器 给另外一个维度的轮询用
else: ###如果数据库里查到的 不在aws里,证明这个机器已经在aws端被删除,需要在数据库里删除
ins_log.write_log(
'warning',
'no exist server will Deleted...%s' %
ins.server_instance_id)
session.query(Security_Host).filter(
Security_Host.server_instance_id ==
ins.server_instance_id).delete(
synchronize_session=False)
session.commit()
else: ##数据库里无记录
session.bulk_insert_mappings(Security_Host, all_values)
session.commit()
all_instance_risk_pair.clear()
if all_instance_risk_pair: ##如果没被删空
miss_instance = [
i for i in all_values
if i['server_instance_id'] in all_instance_risk_pair
]
print(len(miss_instance))
session.bulk_insert_mappings(Security_Host, miss_instance)
session.commit() ##AWS云里有 但是数据库里没的部分
self.write(dict(code=0, msg='获取并写入成功'))
async def post(self, *args, **kwargs):
data = json.loads(self.request.body.decode("utf-8"))
nickname = self.get_current_user() # 获取username 不用中文名
# id = self.get_argument('id', default=None, strip=True)
server_id = data.get('server_id', None)
if not server_id:
return self.write(dict(code=-1, msg='关键参数不能为空'))
server_list = []
admin_user_list = []
with DBContext('r') as session:
server_info = session.query(Server).filter(
Server.id == server_id).filter()
for msg in server_info:
data_dict = model_to_dict(msg)
server_list.append(data_dict)
data_dict['create_time'] = str(data_dict['create_time'])
data_dict['update_time'] = str(data_dict['update_time'])
if not server_list:
return self.write(dict(code=-1, msg='没有发现IP'))
if not self.is_superuser:
return self.write(
dict(code=-1, msg='你不是超级超级管理员,不能使用WebTerminal'))
admin_user = server_list[0]['admin_user']
if not admin_user:
return self.write(dict(code=-1, msg='此机器没有配置管理用户,请先配置管理用户'))
admin_user_info = session.query(AdminUser).filter(
AdminUser.admin_user == admin_user).filter()
for admin_user_msg in admin_user_info:
data_dict = model_to_dict(admin_user_msg)
data_dict['update_time'] = str(data_dict['update_time'])
admin_user_list.append(data_dict)
try:
connect_server_info = dict()
connect_server_info['nickname'] = nickname
connect_server_info['ip'] = server_list[0].get('ip')
connect_server_info['public_ip'] = server_list[0].get(
'public_ip')
connect_server_info['private_ip'] = server_list[0].get(
'private_ip')
connect_server_info['port'] = server_list[0].get('port')
connect_server_info['admin_user'] = server_list[0].get(
'admin_user')
connect_server_info['system_user'] = admin_user_list[0].get(
'system_user')
connect_server_info['user_key'] = admin_user_list[0].get(
'user_key')
except (IndexError, KeyError) as err:
ins_log.read_log('error', '解析的时候出错:{err}'.format(err=err))
return False
# print(connect_server_info)
# 数据加密给Jimmy
mc = MyCryptV2()
# 加密数据
encrypt_data = mc.my_encrypt(str(connect_server_info))
ins_log.read_log('info', '加密后的数据是:{}'.format(encrypt_data))
# # 解密方法
# decrypt_data = mc.my_decrypt(encrypt_data)
# # print(decrypt_data)
# print('解密后的数据是:{}'.format(json.dumps(str(decrypt_data))))
try:
web_terminal_initialssh = '{0}/webterminal/initialssh/'.format(
WEB_TERMINAL)
print(web_terminal_initialssh)
the_body = json.dumps(encrypt_data)
# 异步HTTPClient
http_client = httpclient.AsyncHTTPClient()
# 异步http_client请求
response = await http_client.fetch(web_terminal_initialssh,
method="POST",
body=the_body,
raise_error=False)
# 返回的数据都在body里面
response_data = json.loads(response.body.decode('utf-8'))
# print('response_data', response_data)
if not response_data.get('status'):
return self.write(
dict(code=1, msg=response_data.get('message')))
# 返回信息
web_terminal_key = response_data['key']
web_terminal_url = '{0}/webterminal/'.format(WEB_TERMINAL)
# res_list = []
res_data = {
"web_terminal_url": web_terminal_url,
"web_terminal_key": web_terminal_key
}
# res_list.append(res_data)
except Exception as e:
ins_log.read_log('error',
'请求webterminal接口出错:{err}'.format(err=e))
return self.write(
dict(code=1, msg='请求webterminal接口出错:{err}'.format(err=e)))
return self.write(dict(code=0, msg='Sucessfully', data=res_data))