def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username, host_ip, conn_ip, conn_port, client_ip, auth_type, protocol_type, protocol_sub_type): db = get_db() sql = 'SELECT surname FROM `{tp}user` WHERE id={ph};'.format( tp=db.table_prefix, ph=db.place_holder) db_ret = db.query(sql, (user_id, )) if db_ret is None or len(db_ret) == 0: user_surname = user_username else: user_surname = db_ret[0][0] sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,user_surname,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \ 'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{user_surname}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \ ';'.format(db.table_prefix, sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, user_surname=user_surname, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port, client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type, time_begin=tp_timestamp_sec()) ret = db.exec(sql) if not ret: return TPE_DATABASE, 0 record_id = db.last_insert_id() if record_id == -1: return TPE_DATABASE, 0 else: return TPE_OK, record_id
def add_role(handler, role_name, privilege): db = get_db() _time_now = tp_timestamp_sec() operator = handler.get_current_user() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {}role WHERE name="{name}";'.format(db.table_prefix, name=role_name) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}role` (name, privilege, creator_id, create_time) VALUES ' \ '("{name}", {privilege}, {creator_id}, {create_time});' \ ''.format(db.table_prefix, name=role_name, privilege=privilege, creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建角色:{}".format(role_name)) return TPE_OK, _id
def add_members(handler, policy_id, policy_type, ref_type, members): # step 1: select exists rid. s = SQL(get_db()) s.select_from('ops_auz', ['rid'], alt_name='p') _where = list() _where.append('p.policy_id={}'.format(policy_id)) _where.append('p.type={}'.format(policy_type)) _where.append('p.rtype={}'.format(ref_type)) s.where('( {} )'.format(' AND '.join(_where))) err = s.query() if err != TPE_OK: return err exists_ids = [r['rid'] for r in s.recorder] operator = handler.get_current_user() db = get_db() _time_now = tp_timestamp_sec() sql = [] for m in members: if m['id'] in exists_ids: continue sql_s = 'INSERT INTO `{tp}ops_auz` (`policy_id`,`type`,`rtype`,`rid`,`name`,`creator_id`,`create_time`) VALUES ' \ '({ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph});' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (policy_id, policy_type, ref_type, m['id'], m['name'], operator['id'], _time_now) sql.append({'s': sql_s, 'v': sql_v}) if db.transaction(sql): # return TPE_OK return policy.rebuild_ops_auz_map() else: return TPE_DATABASE
def create(handler, gtype, name, desc): if gtype not in TP_GROUP_TYPES: return TPE_PARAM, 0 db = get_db() _time_now = tp_timestamp_sec() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format( dbtp=db.table_prefix, gtype=gtype, gname=name) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 operator = handler.get_current_user() # 2. 插入记录 sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \ '({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \ ''.format(dbtp=db.table_prefix, gtype=gtype, gname=name, creator_id=operator['id'], create_time=_time_now, desc=desc) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log( operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name)) return TPE_OK, _id
def add_account(handler, host_id, args): """ 添加一个远程账号 """ db = get_db() _time_now = tp_timestamp_sec() operator = handler.get_current_user() # 1. 判断是否已经存在了 sql = 'SELECT `id` FROM `{tp}acc` WHERE `host_id`={ph} AND `protocol_port`={ph} AND `username`={ph} AND `auth_type`={ph};'.format( tp=db.table_prefix, ph=db.place_holder) db_ret = db.query( sql, (host_id, args['protocol_port'], args['username'], args['auth_type'])) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql_s = 'INSERT INTO `{tp}acc` (`host_id`,`host_ip`,`router_ip`,`router_port`,`protocol_type`,`protocol_port`,' \ '`state`,`auth_type`,`username`,`username_prompt`,`password_prompt`,`password`,`pri_key`,`creator_id`,`create_time`) VALUES ' \ '({ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph});' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (host_id, args['host_ip'], args['router_ip'], args['router_port'], args['protocol_type'], args['protocol_port'], TP_STATE_NORMAL, args['auth_type'], args['username'], args['username_prompt'], args['password_prompt'], args['password'], args['pri_key'], operator['id'], _time_now) # sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \ # '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \ # ''.format(db.table_prefix, # host_id=host_id, # protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL, # auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'], # creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql_s, sql_v) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() acc_name = '{}@{}'.format(args['username'], args['host_ip']) if len(args['router_ip']) > 0: acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建账号:{}".format(acc_name)) # 更新主机相关账号数量 sql = 'UPDATE `{tp}host` SET `acc_count`=`acc_count`+1 WHERE `id`={ph};' \ ''.format(tp=db.table_prefix, ph=db.place_holder) db.exec(sql, (host_id, )) # if not db_ret: # return TPE_DATABASE, 0 tp_stats().acc_counter_change(1) return TPE_OK, _id
def session_fix(): db = get_db() if db.need_create or db.need_upgrade: return TPE_OK sql_list = list() sql_s = 'UPDATE `{tp}record` SET state={ph}, time_end={ph} WHERE state={ph};' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (TP_SESS_STAT_ERR_RESET, tp_timestamp_sec(), TP_SESS_STAT_RUNNING) sql_list.append({'s': sql_s, 'v': sql_v}) sql_s = 'UPDATE `{tp}record` SET state={ph},time_end={ph} WHERE state={ph};' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (TP_SESS_STAT_ERR_RESET, tp_timestamp_sec(), TP_SESS_STAT_STARTED) sql_list.append({'s': sql_s, 'v': sql_v}) return db.transaction(sql_list)
def _parse_api_args(handler): raw_req = handler.request.body.decode('utf-8') if raw_req == '': return False, handler.write_json(TPE_PARAM) try: raw_req = json.loads(raw_req) if 'auth' not in raw_req or 'arg' not in raw_req or 'sign' not in raw_req: return False, handler.write_json(TPE_PARAM) except: return False, handler.write_json(TPE_JSON_FORMAT) _auth = raw_req['auth'].split(':') if len(_auth) <= 1: return False, handler.write_json(TPE_PARAM) if _auth[0] == '1': # 目前的API请求格式版本为1 if len(_auth) != 4: # VERSION:ACCESS_KEY:TIMESTAMP:EXPIRES return False, handler.write_json(TPE_PARAM) req_access_key = _auth[1] req_timestamp = int(_auth[2]) req_expires = int(_auth[3]) else: return False, handler.write_json(TPE_PARAM) # 从数据库中根据access-key查找access-secret sec_info = tp_ext_srv_cfg().get_secret_info(req_access_key) if sec_info is None: return False, handler.write_json(TPE_INVALID_API_KEY) access_secret = sec_info['secret'] # 是否超时 if tp_timestamp_sec() > req_timestamp + req_expires: return False, handler.write_json(TPE_EXPIRED) # 验证 be_sign = '{}|{}'.format(raw_req['auth'], raw_req['arg']) _h = hmac.new(tp_bin(access_secret), tp_bin(be_sign), hashlib.sha1) _s = base64.urlsafe_b64decode(tp_bin(raw_req['sign'])) if _s != _h.digest(): return False, handler.write_json(TPE_INVALID_API_SIGN) # 一切都OK,解码得到实际参数 _param = base64.urlsafe_b64decode(tp_bin(raw_req['arg'])) try: args = json.loads(tp_str(_param)) except: return False, handler.write_json(TPE_JSON_FORMAT) args['_srv_name_'] = sec_info['name'] # log.d('api:get_host, param=', args, '\n') return True, args
def create_user(handler, user): """ 创建一个用户账号 """ db = get_db() _time_now = tp_timestamp_sec() operator = handler.get_current_user() if 'type' not in user: user['type'] = TP_USER_TYPE_LOCAL if 'ldap_dn' not in user: user['ldap_dn'] = '' # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('user', ['id']).where( 'user.username="******"'.format(user['username'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # _password = tp_password_generate_secret(user['password']) if user['type'] == TP_USER_TYPE_LOCAL: _password = tp_password_generate_secret(user['password']) else: _password = '' sql = 'INSERT INTO `{}user` (' \ '`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \ '`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `valid_from`, `valid_to`, `desc`' \ ') VALUES (' \ '{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \ '"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, {valid_from}, '\ '{valid_to}, "{desc}");' \ ''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'], user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now, valid_from=user['valid_from'], valid_to=user['valid_to'], desc=user['desc']) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建用户:{}".format(user['username'])) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt) return TPE_OK, _id
def update_temp_locked_user_state(): sys_cfg = tp_cfg().sys if sys_cfg.login.lock_timeout == 0: return _lock_time = tp_timestamp_sec() - (sys_cfg.login.lock_timeout * 60) db = get_db() if db.need_create or db.need_upgrade: return sql = 'UPDATE `{}user` SET state={new_state}, lock_time=0, fail_count=0 WHERE (state={old_state} AND lock_time<{lock_time});' \ ''.format(db.table_prefix, new_state=TP_STATE_NORMAL, old_state=TP_STATE_LOCKED, lock_time=_lock_time) db.exec(sql)
def update_login_info(handler, user_id): db = get_db() _time_now = tp_timestamp_sec() sql = 'UPDATE `{}user` SET ' \ 'fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time},' \ ' login_ip="{ip}" WHERE id={user_id};' \ ''.format(db.table_prefix, login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id ) if db.exec(sql): return TPE_OK else: return TPE_DATABASE
def _make_builtin_data(self, sysadmin, email, password): _time_now = tp_timestamp_sec() self._db_exec( '设定数据库版本', 'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'.format(self.db.table_prefix, self.db.DB_VERSION) ) self._db_exec( '设置本地核心服务', 'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES ' '("0000", "", "127.0.0.1", 52080, 1);' ''.format(self.db.table_prefix) ) privilege_admin = TP_PRIVILEGE_ALL privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT self._db_exec( '创建默认角色', [ 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(1, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='系统管理员', privilege=privilege_admin, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(2, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='运维人员', privilege=privilege_ops, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(3, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='审计员', privilege=privilege_audit, create_time=_time_now) ] ) self._db_exec( '创建系统管理员账号', 'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES ' '(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});' ''.format(self.db.table_prefix, auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, username=sysadmin, surname=sysadmin, password=tp_password_generate_secret(password), state=TP_STATE_NORMAL, email=email, create_time=_time_now, last_login=_time_now, last_chpass=_time_now) )
def set_password(handler, mode, user_id, password): db = get_db() operator = handler.get_current_user() # print('----------', operator) # 1. get user info (user name) s = SQL(db) err = s.reset().select_from('user', ['username', 'surname']).where( 'user.id={}'.format(user_id)).query() if err != TPE_OK: return err if len(s.recorder) == 0: return TPE_NOT_EXISTS name = s.recorder[0]['username'] surname = s.recorder[0]['surname'] if len(surname) == 0: surname = name _time_now = tp_timestamp_sec() sql = 'UPDATE `{}user` SET `password`="{password}", `last_chpass`={last_chpass} WHERE `id`={user_id};' \ ''.format(db.table_prefix, password=password, last_chpass=_time_now, user_id=user_id) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE if mode in [3, 4, 5, 6]: if mode == 6: syslog.sys_log({ 'username': name, 'surname': surname }, handler.request.remote_ip, TPE_OK, "用户 {} 修改了过期的密码".format(name)) else: syslog.sys_log({ 'username': name, 'surname': surname }, handler.request.remote_ip, TPE_OK, "用户 {} 通过邮件方式重置了密码".format(name)) else: syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name)) return TPE_OK
def generate_reset_password_token(handler, user_id): db = get_db() operator = handler.get_current_user() s = SQL(db) _time_now = tp_timestamp_sec() # 0. query user's email by user_id err = s.select_from('user', ['email'], alt_name='u').where( 'u.id={user_id}'.format(user_id=user_id)).query() if err != TPE_OK: return err, None, None if len(s.recorder) == 0: return TPE_DATABASE, None, None email = s.recorder[0].email # 1. clean all timed out tokens. s.reset().delete_from('user_rpt').where( 'create_time<{}'.format(_time_now - 24 * 60 * 60)).exec() # 2. find out if this user already have a token. err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where( 'u.user_id={}'.format(user_id)).query() if err != TPE_OK: return err, None, None token = tp_generate_random(16) if len(s.recorder) == 0: sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \ '({user_id}, "{token}", {create_time});' \ ''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None else: sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \ ''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None # syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name)) return TPE_OK, email, token
def sys_log(operator, client_ip, code, message=""): try: db = get_db() sql_s = 'INSERT INTO `{tp}syslog` (`user_name`,`user_surname`,`client_ip`,`code`,`log_time`,`message`) ' \ 'VALUES ({ph},{ph},{ph},{ph},{ph},{ph})' \ ';'.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (operator['username'], operator['surname'], client_ip, code, tp_timestamp_sec(), message) ret = db.exec(sql_s, sql_v) if not ret: return TPE_DATABASE return TPE_OK except: log.e('\n') return TPE_DATABASE
def add_host(handler, args): """ 添加一个远程主机 """ db = get_db() _tp = db.table_prefix _ph = db.place_holder _time_now = tp_timestamp_sec() # 1. 判断此主机是否已经存在了 if len(args['router_ip']) > 0: sql_s = 'SELECT `id` FROM `{tp}host` WHERE `ip`={ph} OR (`router_ip`={ph} AND `router_port`={ph});'.format(tp=_tp, ph=_ph) sql_v = (args['ip'], args['router_ip'], args['router_port']) else: sql_s = 'SELECT `id` FROM `{tp}host` WHERE `ip`={ph};'.format(tp=_tp, ph=_ph) sql_v = (args['ip'], ) db_ret = db.query(sql_s, sql_v) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql_s = 'INSERT INTO `{tp}host` (`type`,`os_type`,`name`,`ip`,`router_ip`,`router_port`,`state`,`creator_id`,`create_time`,`cid`,`desc`) VALUES ' \ '({ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph});' \ ''.format(tp=_tp, ph=_ph) sql_v = (1, args['os_type'], args['name'], args['ip'], args['router_ip'], args['router_port'], TP_STATE_NORMAL, handler.get_current_user()['id'], _time_now, args['cid'], args['desc']) db_ret = db.exec(sql_s, sql_v) if not db_ret: return TPE_DATABASE, 0 if len(args['router_ip']) > 0: app.base.host_alive.tp_host_alive().add_host(args['router_ip'], check_now=True) else: app.base.host_alive.tp_host_alive().add_host(args['ip'], check_now=True) _id = db.last_insert_id() h_name = args['ip'] if len(args['router_ip']) > 0: h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建主机:{}".format(h_name)) tp_stats().host_counter_change(1) return TPE_OK, _id
def make_groups(handler, gtype, glist, failed): """ 根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之 """ db = get_db() _time_now = tp_timestamp_sec() operator = handler.get_current_user() name_list = list() for g in glist: sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format( dbtp=db.table_prefix, gtype=gtype, gname=g) db_ret = db.query(sql) if db_ret is None or len(db_ret) == 0: # need create group. sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \ '({gtype}, "{name}", {creator_id}, {create_time});' \ ''.format(dbtp=db.table_prefix, gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: failed.append({ 'line': 0, 'error': '创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format( gtype=TP_GROUP_TYPES[gtype], gname=g) }) continue glist[g] = db.last_insert_id() name_list.append(g) else: glist[g] = db_ret[0][0] syslog.sys_log( operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=','.join(name_list))) return TPE_OK
def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username, host_ip, conn_ip, conn_port, client_ip, auth_type, protocol_type, protocol_sub_type): db = get_db() sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \ 'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \ ';'.format(db.table_prefix, sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port, client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type, time_begin=tp_timestamp_sec()) ret = db.exec(sql) if not ret: return TPE_DATABASE, 0 record_id = db.last_insert_id() if record_id == -1: return TPE_DATABASE, 0 else: return TPE_OK, record_id
def create_policy(handler, args): """ 创建一个授权策略 """ db = get_db() _time_now = tp_timestamp_sec() # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('audit_policy', ['id']).where( 'audit_policy.name="{}"'.format(args['name'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # 2. get total count sql = 'SELECT COUNT(*) FROM {}audit_policy'.format(db.table_prefix) db_ret = db.query(sql) if not db_ret or len(db_ret) == 0: return TPE_DATABASE, 0 rank = db_ret[0][0] + 1 sql = 'INSERT INTO `{}audit_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \ '({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, rank=rank, name=args['name'], desc=args['desc'], creator_id=handler.get_current_user()['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建审计授权策略:{}".format(args['name'])) return TPE_OK, _id
def update_fail_count(handler, user_info): db = get_db() sys_cfg = tp_cfg().sys sql_list = [] is_locked = False fail_count = user_info.fail_count + 1 sql_s = 'UPDATE `{tp}user` SET `fail_count`={ph} WHERE `id`={ph};' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (fail_count, user_info.id) sql_list.append({'s': sql_s, 'v': sql_v}) if sys_cfg.login.retry != 0 and fail_count >= sys_cfg.login.retry: is_locked = True sql_s = 'UPDATE `{tp}user` SET `state`={ph}, `lock_time`={ph} WHERE `id`={ph};' \ ''.format(tp=db.table_prefix, ph=db.place_holder) sql_v = (TP_STATE_LOCKED, tp_timestamp_sec(), user_info.id) sql_list.append({'s': sql_s, 'v': sql_v}) if db.transaction(sql_list): return TPE_OK, is_locked else: return TPE_DATABASE, is_locked
def check_reset_token(token): db = get_db() # s = SQL(db) _time_now = tp_timestamp_sec() # 0. remove expired token (after 3 days) sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format( dbtp=db.table_prefix, dbph=db.place_holder) db.exec(sql, (_time_now - 3 * 24 * 60 * 60, )) # 1. query user's id sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format( dbtp=db.table_prefix, dbph=db.place_holder) db_ret = db.query(sql, (token, )) if db_ret is None or len(db_ret) == 0: return TPE_NOT_EXISTS, 0 user_id = db_ret[0][0] create_time = db_ret[0][1] if _time_now - create_time > 24 * 60 * 60: return TPE_EXPIRED, user_id else: return TPE_OK, user_id
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys msg = '' current_unix_time = int(time.mktime(datetime.datetime.now().timetuple())) # log.e('current:',current_unix_time,'validfrom:', user_info['valid_from']) err, user_info = get_by_username(username) if err != TPE_OK: return err, None, msg if user_info.privilege == 0: # 尚未为此用户设置角色 msg = '登录失败,用户尚未分配权限' return TPE_PRIVILEGE, None, msg if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None, msg if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_sec( ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: msg = '登录失败,用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, msg) return TPE_USER_LOCKED, None, msg elif user_info['state'] == TP_STATE_DISABLED: msg = '登录失败,用户已被禁用' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, msg) return TPE_USER_DISABLED, None, msg elif user_info['state'] != TP_STATE_NORMAL: msg = '登录失败,用户状态异常' syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg) return TPE_FAILED, None, msg elif current_unix_time < user_info['valid_from'] or ( current_unix_time > user_info['valid_to'] and user_info['valid_to'] != 0): msg = '登录失败,用户已过期' syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg) return TPE_FAILED, None, msg err_msg = '' if password is not None: if user_info['type'] == TpUserType.LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_sec() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: msg = '登录失败,用户密码已过期' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_EXPIRED, None, msg if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' msg = '登录失败,密码错误{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: msg = 'LDAP尚未配置' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: msg = 'LDAP尚未正确配置' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' msg = 'LDAP用户验证失败{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: msg = 'LDAP用户登录失败,{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg except: msg = 'LDAP用户登录失败,发生内部错误' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg else: msg = '登录失败,系统内部错误' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, msg) return TPE_USER_AUTH, None, msg if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None, msg if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg) syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, msg) return TPE_OATH_MISMATCH, None, msg del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info, msg
def session_end(record_id, ret_code): db = get_db() sql = 'UPDATE `{}record` SET state={}, time_end={} WHERE id={};'.format( db.table_prefix, int(ret_code), tp_timestamp_sec(), int(record_id)) return db.exec(sql)
def cleanup_storage(handler): # storage config sto = tp_cfg().sys.storage db = get_db() _now = tp_timestamp_sec() msg = [] have_error = False s = SQL(db) chk_time = _now - sto.keep_log * 24 * 60 * 60 if sto.keep_log > 0: # find out all sys-log to be remove s.select_from('syslog', ['id'], alt_name='s') s.where('s.log_time<{chk_time}'.format(chk_time=chk_time)) err = s.query() if err != TPE_OK: have_error = True msg.append('清理系统日志时发生错误:无法获取系统日志信息!') # return err, msg else: removed_log = len(s.recorder) if 0 == removed_log: msg.append('没有满足条件的系统日志需要清除!') else: s.reset().delete_from('syslog').where( 'log_time<{chk_time}'.format(chk_time=chk_time)) err = s.exec() if err != TPE_OK: have_error = True msg.append('清理系统日志时发生错误:无法清除指定的系统日志!') else: msg.append('{} 条系统日志已清除!'.format(removed_log)) if sto.keep_record > 0: core_cfg = tp_cfg().core if not core_cfg.detected: have_error = True msg.append('清除指定会话录像失败:未能检测到核心服务!') else: replay_path = core_cfg.replay_path if not os.path.exists(replay_path): have_error = True msg.append('清除指定会话录像失败:会话录像路径不存在({})!'.format(replay_path)) else: # find out all record to be remove s.reset().select_from('record', ['id', 'protocol_type'], alt_name='r') s.where('r.time_begin<{chk_time}'.format(chk_time=chk_time)) err = s.query() if err != TPE_OK: have_error = True msg.append('清除指定会话录像失败:无法获取会话录像信息!') elif len(s.recorder) == 0: msg.append('没有满足条件的会话录像需要清除!') else: record_removed = 0 for r in s.recorder: if r.protocol_type == TP_PROTOCOL_TYPE_RDP: path_remove = os.path.join(replay_path, 'rdp', '{:09d}'.format(r.id)) elif r.protocol_type == TP_PROTOCOL_TYPE_SSH: path_remove = os.path.join(replay_path, 'ssh', '{:09d}'.format(r.id)) elif r.protocol_type == TP_PROTOCOL_TYPE_TELNET: path_remove = os.path.join(replay_path, 'telnet', '{:09d}'.format(r.id)) else: have_error = True msg.append('会话录像记录编号 {},未知远程访问协议!'.format(r.id)) continue if os.path.exists(path_remove): # print('remove path', path_remove) try: shutil.rmtree(path_remove) except: have_error = True msg.append('会话录像记录 {} 清除失败,无法删除目录 {}!'.format( r.id, path_remove)) ss = SQL(db) ss.delete_from('record').where( 'id={rid}'.format(rid=r.id)) ss.exec() record_removed += 1 msg.append('{} 条会话录像数据已清除!'.format(record_removed)) if have_error: return TPE_FAILED, msg else: return TPE_OK, msg
def create_users(handler, user_list, success, failed): """ 批量创建用户 """ db = get_db() _time_now = tp_timestamp_sec() operator = handler.get_current_user() name_list = list() s = SQL(db) for i in range(len(user_list)): user = user_list[i] if 'type' not in user: user['type'] = TP_USER_TYPE_LOCAL if 'ldap_dn' not in user: user['ldap_dn'] = '' err = s.reset().select_from('user', ['id']).where( 'user.username="******"'.format(user['username'])).query() if err != TPE_OK: failed.append({'line': user['_line'], 'error': '数据库查询失败'}) if len(s.recorder) > 0: failed.append({ 'line': user['_line'], 'error': '账号 `{}` 已经存在'.format(user['username']) }) continue if user['type'] == TP_USER_TYPE_LOCAL: _password = tp_password_generate_secret(user['password']) else: _password = '' sql = 'INSERT INTO `{}user` (' \ '`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, ' \ '`state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \ ') VALUES (' \ '0, "{username}", "{surname}", {user_type}, "{ldap_dn}", 0, "{password}", ' \ '{state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \ ''.format(db.table_prefix, username=user['username'], surname=user['surname'], user_type=user['type'], ldap_dn=user['ldap_dn'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now, desc=user['desc']) db_ret = db.exec(sql) if not db_ret: failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'}) continue success.append(user['username']) name_list.append(user['username']) user['_id'] = db.last_insert_id() if len(name_list) > 0: syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "批量导入方式创建用户:{}".format(','.join(name_list))) # tp_stats().user_counter_change(len(name_list)) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt)
def post(self): # time_now = int(datetime.datetime.timestamp()) self.write_json(TPE_OK, data=tp_timestamp_sec())