def post(self, request, *args, **kwargs): session_ids = request.data user_id = request.user.id for session_id in session_ids: if not is_session_approver(session_id, user_id): return Response({}, status=status.HTTP_403_FORBIDDEN) with tmp_to_root_org(): validated_session = kill_sessions(session_ids, request.user) return Response({"ok": validated_session})
def create(self, request, *args, **kwargs): serializer = super().get_serializer(data=request.data) serializer.is_valid(raise_exception=True) pk = kwargs.get('pk') user = self.request.user data = serializer.validated_data instance_id = data.get('instance_id') with tmp_to_root_org(): instance = get_object_or_404(SystemUser, pk=pk) instance.set_temp_auth(instance_id, user, data) return Response(serializer.data, status=201)
def init_assets(self): from orgs.utils import tmp_to_root_org self.all_nodes_assets_map = {} self.nodes_assets_map = defaultdict(set) with tmp_to_root_org(): queryset = Asset.objects.all().values_list('id', 'nodes__key') invalid_assets = Asset.objects.filter(is_active=False)\ .values_list('id', flat=True) self._invalid_assets = frozenset(invalid_assets) for asset_id, key in queryset: if not key: continue self.nodes_assets_map[key].add(asset_id)
def on_authbook_post_create(sender, instance, **kwargs): # 去掉这个资产的管理用户 if instance.systemuser and instance.systemuser.is_admin_user: with tmp_to_root_org(): deleted_count, other = AuthBook.objects.filter( asset=instance.asset, systemuser__type=SystemUser.Type.admin).exclude( id=instance.id).delete() logger.debug( 'Remove asset old admin user: {}'.format(deleted_count)) if not instance.systemuser: instance.sync_to_system_user_account()
def _create_asset_permission(self): with tmp_to_root_org(): asset_permission = AssetPermission.objects.filter( id=self.ticket.id).first() if asset_permission: return asset_permission approve_assets_id = self.ticket.meta.get('approve_assets', []) approve_system_users_id = self.ticket.meta.get('approve_system_users', []) approve_actions = self.ticket.meta.get('approve_actions', Action.NONE) approve_date_start = self.ticket.meta.get('approve_date_start') approve_date_expired = self.ticket.meta.get('approve_date_expired') permission_name = '{}({})'.format( __('Created by ticket ({})'.format(self.ticket.title)), str(self.ticket.id)[:4]) permission_comment = __('Created by the ticket, ' 'ticket title: {}, ' 'ticket applicant: {}, ' 'ticket processor: {}, ' 'ticket ID: {}' ''.format(self.ticket.title, self.ticket.applicant_display, self.ticket.processor_display, str(self.ticket.id))) permission_data = { 'id': self.ticket.id, 'name': permission_name, 'comment': permission_comment, 'created_by': '{}:{}'.format(str(self.__class__.__name__), str(self.ticket.id)), 'actions': approve_actions, 'date_start': approve_date_start, 'date_expired': approve_date_expired, } with tmp_to_org(self.ticket.org_id): asset_permission = AssetPermission.objects.create( **permission_data) asset_permission.users.add(self.ticket.applicant) asset_permission.assets.set(approve_assets_id) asset_permission.system_users.set(approve_system_users_id) return asset_permission
def run_command_execution(cid, **kwargs): with tmp_to_root_org(): execution = get_object_or_none(CommandExecution, id=cid) if not execution: logger.error("Not found the execution id: {}".format(cid)) return with tmp_to_org(execution.run_as.org): try: os.environ.update({ "TERM_ROWS": kwargs.get("rows", ""), "TERM_COLS": kwargs.get("cols", ""), }) execution.run() except SoftTimeLimitExceeded: logger.error("Run time out")
def new(cls): from .models import Node from orgs.utils import tmp_to_root_org with tmp_to_root_org(): all_nodes = Node.objects.all() tree = cls() tree.create_node(tag='', identifier='') for node in all_nodes: tree.create_node( tag=node.value, identifier=node.key, parent=node.parent_key, ) tree.init_assets() return tree
def run_ansible_task(tid, callback=None, **kwargs): """ :param tid: is the tasks serialized data :param callback: callback function name :return: """ with tmp_to_root_org(): task = get_object_or_none(Task, id=tid) if not task: logger.error("No task found") return with tmp_to_org(task.org): result = task.run() if callback is not None: subtask(callback).delay(result, task_name=task.name) return result
def _create_application_permission(self): with tmp_to_root_org(): application_permission = ApplicationPermission.objects.filter( id=self.ticket.id).first() if application_permission: return application_permission apply_category = self.ticket.meta.get('apply_category') apply_type = self.ticket.meta.get('apply_type') apply_permission_name = self.ticket.meta.get('apply_permission_name', '') apply_applications = self.ticket.meta.get('apply_applications', []) apply_system_users = self.ticket.meta.get('apply_system_users', []) apply_date_start = self.ticket.meta.get('apply_date_start') apply_date_expired = self.ticket.meta.get('apply_date_expired') permission_created_by = '{}:{}'.format( str(self.ticket.__class__.__name__), str(self.ticket.id)) permission_comment = _('Created by the ticket, ' 'ticket title: {}, ' 'ticket applicant: {}, ' 'ticket processor: {}, ' 'ticket ID: {}').format( self.ticket.title, self.ticket.applicant_display, ','.join([ i['processor_display'] for i in self.ticket.process_map ]), str(self.ticket.id)) permissions_data = { 'id': self.ticket.id, 'name': apply_permission_name, 'from_ticket': True, 'category': apply_category, 'type': apply_type, 'comment': str(permission_comment), 'created_by': permission_created_by, 'date_start': apply_date_start, 'date_expired': apply_date_expired, } with tmp_to_org(self.ticket.org_id): application_permission = ApplicationPermission.objects.create( **permissions_data) application_permission.users.add(self.ticket.applicant) application_permission.applications.set(apply_applications) application_permission.system_users.set(apply_system_users) return application_permission
def on_system_user_assets_change(instance, action, model, pk_set, **kwargs): """ 当系统用户和资产关系发生变化时,应该重新推送系统用户到新添加的资产中 """ logger.debug("System user assets change signal recv: {}".format(instance)) if not instance: logger.debug('No system user found') return if model == Asset: system_user_ids = [instance.id] asset_ids = pk_set else: system_user_ids = pk_set asset_ids = [instance.id] org_id = instance.org_id # 关联创建的 authbook 没有系统用户id with tmp_to_root_org(): authbooks = AuthBook.objects.filter(asset_id__in=asset_ids, systemuser_id__in=system_user_ids) if action == POST_ADD: authbooks.update(org_id=org_id) save_action_mapper = { 'pre_add': pre_save, 'post_add': post_save, 'pre_remove': pre_delete, 'post_remove': post_delete } for ab in authbooks: ab.org_id = org_id save_action = save_action_mapper[action] logger.debug('Send AuthBook post save signal: {} -> {}'.format( action, ab.id)) save_action.send(sender=AuthBook, instance=ab, created=True) if action == POST_ADD: for system_user_id in system_user_ids: push_system_user_to_assets.delay(system_user_id, asset_ids)
def new(cls): from .models import Node from orgs.utils import tmp_to_root_org with tmp_to_root_org(): all_nodes = list(Node.objects.all().values("key", "value")) all_nodes.sort(key=lambda x: len(x["key"].split(":"))) tree = cls() tree.create_node(tag='', identifier='') for node in all_nodes: key = node["key"] value = node["value"] parent_key = ":".join(key.split(":")[:-1]) tree.create_node( tag=value, identifier=key, parent=parent_key, ) tree.init_assets() return tree
def test_admin_user_connectivity_period(): """ A period task that update the ansible task period """ if not const.PERIOD_TASK_ENABLED: logger.debug('Period task off, skip') return key = '_JMS_TEST_ADMIN_USER_CONNECTIVITY_PERIOD' prev_execute_time = cache.get(key) if prev_execute_time: logger.debug( "Test admin user connectivity, less than 40 minutes, skip") return cache.set(key, 1, 60 * 40) with tmp_to_root_org(): admin_users = AdminUser.objects.all() for admin_user in admin_users: task_name = _("Test admin user connectivity period: {}").format( admin_user.name) test_admin_user_connectivity_util(admin_user, task_name) cache.set(key, 1, 60 * 40)
def refresh_if_need(self, force=False): user = self.user with tmp_to_root_org(): UserAssetGrantedTreeNodeRelation.objects.filter(user=user).exclude(org_id__in=self.org_ids).delete() if force or self.have_need_refresh_orgs(): with UserGrantedTreeRebuildLock(user_id=user.id): if force: orgs = self.orgs self.set_all_orgs_as_built() else: orgs = self.get_need_refresh_orgs_and_fill_up() for org in orgs: with tmp_to_org(org): t_start = time.time() logger.info(f'Rebuild user tree: user={self.user} org={current_org}') utils = UserGrantedTreeBuildUtils(user) utils.rebuild_user_granted_tree() logger.info( f'Rebuild user tree ok: cost={time.time() - t_start} user={self.user} org={current_org}')
def get_queryset(self): with tmp_to_root_org(): return Ticket.objects.all()
def ticket(self): with tmp_to_root_org(): return get_object_or_404(Ticket, pk=self.kwargs['pk'])
def dispatch(self, *args, **kwargs): with tmp_to_root_org(): return super().dispatch(*args, **kwargs)
def match(self, request, *args, **kwargs): with tmp_to_root_org(): return super().match(request, *args, **kwargs)
def on_node_update_or_created(sender, **kwargs): # 刷新节点 Node.refresh_nodes() with tmp_to_root_org(): Node.refresh_nodes()
def all(cls): with tmp_to_root_org(): return Ticket.objects.all()
def get(self, request, *args, **kwargs): with tmp_to_root_org(): return super().get(request, *args, **kwargs)
def get_online_sessions(self): with tmp_to_root_org(): return Session.objects.filter(terminal=self, is_finished=False)
from perms import serializers from perms.models import Action logger = get_logger(__name__) __all__ = [ 'RefreshAssetPermissionCacheApi', 'UserGrantedAssetSystemUsersForAdminApi', 'ValidateUserAssetPermissionApi', 'GetUserAssetPermissionActionsApi', 'UserAssetPermissionsCacheApi', 'MyGrantedAssetSystemUsersApi', ] @method_decorator(tmp_to_root_org(), name='get') class GetUserAssetPermissionActionsApi(RetrieveAPIView): permission_classes = (IsOrgAdminOrAppUser,) serializer_class = serializers.ActionsSerializer def get_user(self): user_id = self.request.query_params.get('user_id', '') user = get_object_or_404(User, id=user_id) return user def get_object(self): asset_id = self.request.query_params.get('asset_id', '') system_id = self.request.query_params.get('system_user_id', '') try: asset_id = uuid.UUID(asset_id)
def get_user_system_users(self): from perms.utils import AssetPermissionUtil user = self.request.user with tmp_to_root_org(): util = AssetPermissionUtil(user) return util.get_system_users()
def delete_related_models(self): from orgs.utils import tmp_to_root_org from tickets.models import TicketFlow with tmp_to_root_org(): TicketFlow.objects.filter(org_id=self.id).delete()
def get_queryset(self): with tmp_to_root_org(): user = self.request.user qs = Session.objects.filter(user_id=user.id) return qs