def render(self, template_path, **kwargs):
if self._mode != self.MODE_HTTP:
log.w('request `{}`, should be web page request.\n'.format(
self.request.uri))
self.write_json(-1, 'should be web page request.')
return
self.finish(self.render_string(template_path, **kwargs))
def add_host(self, host_ip, method=0, param=None, check_now=False):
if not tp_cfg().common.check_host_alive:
return True
if param is None:
param = {}
# now we support PING only
if method != HostAlive.METHOD_PING:
log.e('Unknown method for check host state: {}\n'.format(method))
return False
with self._lock:
if host_ip not in self._states:
self._states[host_ip] = {
'last_online': 0,
'last_check': 0,
'method': method,
'param': param
}
else:
self._states[host_ip]['method'] = method
self._states[host_ip]['param'] = param
if check_now:
if method == HostAlive.METHOD_PING:
self._ping(host_ip)
else:
log.w('Warning: check alive method not implement.\n')
def get(self):
if self.request.uri == tp_cfg().random_exit_uri:
tornado.ioloop.IOLoop.instance().stop()
self.write('EXIT')
return
log.w('catch all, GET: {}\n'.format(self.request.uri))
self.show_error_page(TPE_HTTP_404_NOT_FOUND)
def post(self):
log.w('catch all, POST: {}\n'.format(self.request.uri))
_ret = {
'code': TPE_HTTP_404_NOT_FOUND,
'message': '错误的URI',
'data': {}
}
self.set_header("Content-Type", "application/json")
self.write(json_encode(_ret))
self.finish()
def _reconnect(self):
log.w('[mysql] lost connection, reconnect.\n')
with self._locker:
thread_id = threading.get_ident()
if thread_id not in self._connections:
log.e('[mysql] database pool internal error.\n')
return None
_conn = self._do_connect()
if _conn is not None:
self._connections[thread_id] = _conn
return _conn
else:
del self._connections[thread_id]
return None
def _reconnect(self):
log.w('[mysql] lost connection, reconnect.\n')
with self._locker:
thread_id = threading.get_ident()
if thread_id not in self._connections:
log.e('[mysql] database pool internal error.\n')
return None
_conn = self._do_connect()
if _conn is not None:
self._connections[thread_id] = _conn
return _conn
else:
del self._connections[thread_id]
return None
def _get_core_server_config(self):
cfg = tp_cfg()
try:
req = {'method': 'get_config', 'param': []}
req_data = json.dumps(req)
data = urllib.parse.quote(req_data).encode('utf-8')
req = urllib.request.Request(url=cfg.common.core_server_rpc, data=data)
rep = urllib.request.urlopen(req, timeout=3)
body = rep.read().decode()
x = json.loads(body)
if 'code' not in x or x['code'] != 0:
log.e('connect core-server for get config info failed.\n')
else:
cfg.update_core(x['data'])
log.d('get config info of core-server succeeded.\n')
except:
log.w('can not connect to core-server to get config, maybe it not start yet, ignore.\n')
def _get_core_server_config(self):
cfg = tp_cfg()
try:
req = {'method': 'get_config', 'param': []}
req_data = json.dumps(req)
data = urllib.parse.quote(req_data).encode('utf-8')
req = urllib.request.Request(url=cfg.common.core_server_rpc, data=data)
rep = urllib.request.urlopen(req, timeout=3)
body = rep.read().decode()
x = json.loads(body)
if 'code' not in x or x['code'] != 0:
log.e('connect core-server for get config info failed.\n')
else:
cfg.update_core(x['data'])
log.d('get config info of core-server succeeded.\n')
except:
log.w('can not connect to core-server to get config, maybe it not start yet, ignore.\n')
def _init_sqlite(self, db_file):
self.db_type = self.DB_TYPE_SQLITE
self.auto_increment = 'AUTOINCREMENT'
self.place_holder = '?'
self.sqlite_file = db_file
self._table_prefix = 'tp_'
self._conn_pool = TPSqlitePool(db_file)
if not os.path.exists(db_file):
p = os.path.dirname(os.path.abspath(db_file))
if not os.path.exists(p):
os.makedirs(p)
log.w('database need create.\n')
self.need_create = True
return True
return True
def write_json(self, code, message='', data=None):
if self._mode != self.MODE_JSON:
log.w('request `{}`, should be json request.\n'.format(self.request.uri))
self.write('should be json request.')
self.finish()
return
if not isinstance(code, int):
raise RuntimeError('`code` must be a integer.')
if not isinstance(message, str):
raise RuntimeError('`msg` must be a string.')
if data is None:
data = list()
_ret = {'code': code, 'message': message, 'data': data}
self.set_header("Content-Type", "application/json")
self.write(json_encode(_ret))
self.finish()
def write_json(self, code, message='', data=None):
if self._mode != self.MODE_JSON:
log.w('request `{}`, should be json request.\n'.format(self.request.uri))
self.write('should be json request.')
self.finish()
return
if not isinstance(code, int):
raise RuntimeError('`code` must be a integer.')
if not isinstance(message, str):
raise RuntimeError('`msg` must be a string.')
if data is None:
data = list()
_ret = {'code': code, 'message': message, 'data': data}
self.set_header("Content-Type", "application/json")
self.write(json_encode(_ret))
self.finish()
def _init_sqlite(self, db_file):
self.db_type = self.DB_TYPE_SQLITE
self.auto_increment = 'AUTOINCREMENT'
self.place_holder = '?'
self.sqlite_file = db_file
self._table_prefix = 'tp_'
self._conn_pool = TPSqlitePool(db_file)
if not os.path.exists(db_file):
p = os.path.dirname(os.path.abspath(db_file))
if not os.path.exists(p):
os.makedirs(p)
log.w('database need create.\n')
self.need_create = True
return True
return True
def check_status(self):
if self.need_create:
return True
# 看看数据库中是否存在指定的数据表(如果不存在,可能是一个空数据库文件),则可能是一个新安装的系统
# ret = self.query('SELECT COUNT(*) FROM `sqlite_master` WHERE `type`="table" AND `name`="{}account";'.format(self._table_prefix))
ret = self.is_table_exists('{}config'.format(self._table_prefix))
if ret is None or not ret:
log.w('database need create.\n')
self.need_create = True
return
# 尝试从配置表中读取当前数据库版本号(如果不存在,说明是比较旧的版本了)
ret = self.query('SELECT `value` FROM `{}config` WHERE `name`="db_ver";'.format(self._table_prefix))
if ret is None or 0 == len(ret):
self.current_ver = 1
else:
self.current_ver = int(ret[0][0])
if self.current_ver < self.DB_VERSION:
log.w('database need upgrade.\n')
self.need_upgrade = True
return
def check_status(self):
if self.need_create:
return True
# 看看数据库中是否存在指定的数据表(如果不存在,可能是一个空数据库文件),则可能是一个新安装的系统
# ret = self.query('SELECT COUNT(*) FROM `sqlite_master` WHERE `type`="table" AND `name`="{}account";'.format(self._table_prefix))
ret = self.is_table_exists('{}config'.format(self._table_prefix))
if ret is None or not ret:
log.w('database need create.\n')
self.need_create = True
return
# 尝试从配置表中读取当前数据库版本号(如果不存在,说明是比较旧的版本了)
ret = self.query('SELECT `value` FROM `{}config` WHERE `name`="db_ver";'.format(self._table_prefix))
if ret is None or 0 == len(ret):
self.current_ver = 1
else:
self.current_ver = int(ret[0][0])
if self.current_ver < self.DB_VERSION:
log.w('database need upgrade.\n')
self.need_upgrade = True
return
def get_hosts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
s = SQL(get_db())
s.select_from('host', [
'id', 'type', 'os_type', 'os_ver', 'name', 'ip', 'router_ip',
'router_port', 'state', 'acc_count', 'cid', 'desc'
],
alt_name='h')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_where.append(
'h.id IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'
.format(get_db().table_prefix, TP_GROUP_HOST,
sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append(
'h.id NOT IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'
.format(get_db().table_prefix, TP_GROUP_HOST,
sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append(
'h.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'
.format(dbtp=get_db().table_prefix,
pid=sql_exclude[k],
rtype=TP_HOST))
elif k == 'auditee_policy_id':
_where.append(
'h.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'
.format(dbtp=get_db().table_prefix,
pid=sql_exclude[k],
ptype=TP_POLICY_ASSET,
rtype=TP_HOST))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('h.state={}'.format(sql_filter[k]))
elif k == 'search':
_where.append(
'(h.name LIKE "%{filter}%" OR h.ip LIKE "%{filter}%" OR h.router_ip LIKE "%{filter}%" OR h.desc LIKE "%{filter}%" OR h.cid LIKE "%{filter}%")'
.format(filter=sql_filter[k]))
elif k == 'host_group':
shg = SQL(get_db())
shg.select_from('group_map', ['mid'], alt_name='g')
shg.where('g.type={} AND g.gid={}'.format(
TP_GROUP_HOST, sql_filter[k]))
err = shg.query()
if err != TPE_OK:
return err, 0, 1, []
if len(shg.recorder) == 0:
return TPE_OK, 0, 1, []
h_list = ','.join([str(i['mid']) for i in shg.recorder])
_where.append('h.id IN ({})'.format(h_list))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'ip' == sql_order['name']:
s.order_by('h.ip', _sort)
elif 'name' == sql_order['name']:
s.order_by('h.name', _sort)
elif 'os_type' == sql_order['name']:
s.order_by('h.os_type', _sort)
elif 'cid' == sql_order['name']:
s.order_by('h.cid', _sort)
elif 'state' == sql_order['name']:
s.order_by('h.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.page_index, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def alter_table(self, table_names, field_names=None):
"""
修改表名称及字段名称
table_name: 如果是string,则指定要操作的表,如果是list,则第一个元素是要操作的表,第二个元素是此表改名的目标名称
fields_names: 如果为None,则不修改字段名,否则应该是一个list,其中每个元素是包含两个str的list,表示将此list第一个指定的字段改名为第二个指定的名称
@return: None or Boolean
"""
# TODO: 此函数尚未完成
if self.db_type == self.DB_TYPE_SQLITE:
if not isinstance(table_names, list) and field_names is None:
log.w('nothing to do.\n')
return False
if isinstance(table_names, str):
old_table_name = table_names
new_table_name = table_names
elif isinstance(table_names, list) and len(table_names) == 2:
old_table_name = table_names[0]
new_table_name = table_names[1]
else:
log.w('invalid param.\n')
return False
if isinstance(field_names, list):
for i in field_names:
if not isinstance(i, list) or 2 != len(i):
log.w('invalid param.\n')
return False
if field_names is None:
# 仅数据表改名
return self.exec('ALTER TABLE `{}` RENAME TO `{}`;'.format(old_table_name, new_table_name))
else:
# sqlite不支持字段改名,所以需要通过临时表中转一下
# 先获取数据表的字段名列表
ret = self.query('SELECT * FROM `sqlite_master` WHERE `type`="table" AND `name`="{}";'.format(old_table_name))
log.w('-----\n')
log.w(ret[0][4])
log.w('\n')
# 先将数据表改名,成为一个临时表
# tmp_table_name = '{}_sqlite_tmp'.format(old_table_name)
# ret = self.exec('ALTER TABLE `{}` RENAME TO `{}`;'.format(old_table_name, tmp_table_name))
# if ret is None or not ret:
# return ret
pass
elif self.db_type == self.DB_TYPE_MYSQL:
log.e('mysql not supported yet.\n')
return False
else:
log.e('Unknown database type.\n')
return False
def run(self):
log.i('\n')
log.i('###############################################################\n')
log.i('Load config file: {}\n'.format(self._cfg_file))
log.i('Teleport Web Server starting ...\n')
tp_cron().init()
# 尝试通过CORE-JSON-RPC获取core服务的配置(主要是ssh/rdp/telnet的端口以及录像文件存放路径)
self._get_core_server_config()
_db = get_db()
if not _db.init():
log.e('can not initialize database interface.\n')
return 0
_db.connect()
while not _db.connected:
log.w('database not connected, retry after 5 seconds.\n')
time.sleep(5)
_db.connect()
cfg = tp_cfg()
_db.check_status()
if _db.need_create or _db.need_upgrade:
cfg.app_mode = APP_MODE_MAINTENANCE
tp_cfg().update_sys(None)
else:
cfg.app_mode = APP_MODE_NORMAL
_db.load_system_config()
try:
# 将运行时配置发送给核心服务
req = {'method': 'set_config', 'param': {'noop_timeout': tp_cfg().sys.session.noop_timeout}}
req_data = json.dumps(req)
data = urllib.parse.quote(req_data).encode('utf-8')
req = urllib.request.Request(url=cfg.common.core_server_rpc, data=data)
rep = urllib.request.urlopen(req, timeout=3)
body = rep.read().decode()
x = json.loads(body)
if 'code' not in x or x['code'] != 0:
print(x)
log.e('connect core-server for set runtime-config failed.\n')
else:
log.d('set runtime-config for core-server succeeded.\n')
except:
log.w('can not connect to core-server to set runtime-config, maybe it not start yet, ignore.\n')
if not tp_session().init():
log.e('can not initialize session manager.\n')
return 0
if not tp_stats().init():
log.e('can not initialize system status collector.\n')
return 0
settings = {
#
'cookie_secret': '8946svdABGD345fg98uhIaefEBePIfegOIakjFH43oETzK',
'login_url': '/auth/login',
# 指定静态文件的路径,页面模板中可以用 {{ static_url('css/main.css') }} 的方式调用
'static_path': cfg.static_path,
# 指定模板文件的路径
'template_path': cfg.template_path,
# 防止跨站伪造请求,参见 http://old.sebug.net/paper/books/tornado/#_7
'xsrf_cookies': False,
'autoescape': 'xhtml_escape',
# 'ui_modules': ui_modules,
'debug': False,
# 不开启模板和静态文件的缓存,这样一旦模板文件和静态文件变化,刷新浏览器即可看到更新。
'compiled_template_cache': False,
'static_hash_cache': False,
}
from app.controller import controllers, fix_controller
fix_controller()
_app = tornado.web.Application(controllers, **settings)
server = tornado.httpserver.HTTPServer(_app, xheaders=True)
# server = tornado.httpserver.HTTPServer(_app, ssl_options={
# "certfile": os.path.join(cfg.data_path, 'cert', "server.pem"),
# "keyfile": os.path.join(cfg.data_path, 'cert', "server.key"),
# })
try:
server.listen(cfg.common.port, address=cfg.common.ip)
if cfg.common.ip == '0.0.0.0':
log.i('works on [http://127.0.0.1:{}]\n'.format(cfg.common.port))
else:
log.i('works on [http://{}:{}]\n'.format(cfg.common.ip, cfg.common.port))
except:
log.e('can not listen on port {}:{}, make sure it not been used by another application.\n'.format(cfg.common.ip, cfg.common.port))
return 0
# 启动定时任务调度器
tp_cron().start()
try:
tornado.ioloop.IOLoop.instance().start()
except:
log.e('\n')
tp_cron().stop()
return 0
def get_records(handler, sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
"""
获取会话列表
会话审计列表的显示策略(下列的`审计`操作指为会话做标记、置为保留状态、写备注等):
1. 运维权限:可以查看自己的会话,但不能审计;
2. 运维授权权限:可以查看所有会话,但不能审计;
3. 审计权限:可以查看被授权的主机相关的会话,且可以审计;
4. 审计授权权限:可以查看所有会话,且可以审计。
"""
allow_uid = 0
allow_hids = list()
allow_all = False
user = handler.get_current_user()
if (user['privilege'] & TP_PRIVILEGE_OPS_AUZ) != 0 or (user['privilege'] & TP_PRIVILEGE_AUDIT_AUZ) != 0:
allow_all = True
if not allow_all:
if (user['privilege'] & TP_PRIVILEGE_OPS) != 0:
allow_uid = user.id
if (user['privilege'] & TP_PRIVILEGE_AUDIT) != 0:
s = SQL(get_db())
s.select_from('audit_map', ['u_id', 'h_id', 'p_state', 'policy_auth_type', 'u_state', 'gu_state'], alt_name='a')
s.where(
'a.u_id={user_id} AND '
'a.p_state={enable_state} AND'
'('
'((a.policy_auth_type={U2H} OR a.policy_auth_type={U2HG}) AND a.u_state={enable_state}) OR '
'((a.policy_auth_type={UG2H} OR a.policy_auth_type={UG2HG}) AND a.u_state={enable_state} AND a.gu_state={enable_state})'
')'.format(enable_state=TP_STATE_NORMAL, user_id=user.id, U2H=TP_POLICY_AUTH_USER_HOST, U2HG=TP_POLICY_AUTH_USER_gHOST, UG2H=TP_POLICY_AUTH_gUSER_HOST, UG2HG=TP_POLICY_AUTH_gUSER_gHOST))
err = s.query()
if err != TPE_OK:
return err, 0, []
for h in s.recorder:
if h.h_id not in allow_hids:
allow_hids.append(h.h_id)
if len(allow_hids) == 0:
return TPE_OK, 0, []
if allow_uid == 0 and len(allow_hids) == 0:
return TPE_FAILED, 0, []
s = SQL(get_db())
s.select_from('record', ['id', 'sid', 'user_id', 'host_id', 'acc_id', 'state', 'user_username', 'user_surname', 'host_ip', 'conn_ip', 'conn_port', 'client_ip', 'acc_username', 'protocol_type', 'protocol_sub_type', 'time_begin', 'time_end'], alt_name='r')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'state':
_where.append('r.state IN ({})'.format(','.join([str(state) for state in sql_restrict[k]])))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'state':
_where.append('r.state NOT IN ({})'.format(','.join([str(state) for state in sql_exclude[k]])))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('r.state={}'.format(sql_filter[k]))
# elif k == 'search_record':
# _where.append('(h.name LIKE "%{}%" OR h.ip LIKE "%{}%" OR h.router_addr LIKE "%{}%" OR h.desc LIKE "%{}%" OR h.cid LIKE "%{}%")'.format(sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k]))
if not allow_all:
if allow_uid != 0:
_where.append('r.user_id={uid}'.format(uid=allow_uid))
if len(allow_hids) > 0:
hids = [str(h) for h in allow_hids]
_where.append('r.host_id IN ({hids})'.format(hids=','.join(hids)))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'id' == sql_order['name']:
s.order_by('r.id', _sort)
elif 'time_begin' == sql_order['name']:
s.order_by('r.time_begin', _sort)
elif 'sid' == sql_order['name']:
s.order_by('r.sid', _sort)
# elif 'cid' == sql_order['name']:
# s.order_by('h.cid', _sort)
# elif 'state' == sql_order['name']:
# s.order_by('h.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.recorder
def render(self, template_path, **kwargs):
if self._mode != self.MODE_HTTP:
log.w('request `{}`, should be web page request.\n'.format(self.request.uri))
self.write_json(-1, 'should be web page request.')
return
self.finish(self.render_string(template_path, **kwargs))
def rebuild_audit_auz_map():
_users = {}
_hosts = {}
# _accs = {}
_gusers = {}
_ghosts = {}
# _gaccs = {}
_groups = {}
_policies = {}
_p_users = {}
_p_assets = {}
_map = []
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}audit_map'.format(dbtp))
s = SQL(get_db())
# 加载所有策略
err = s.reset().select_from('audit_policy', ['id', 'rank', 'state'],
alt_name='p').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_policies[i.id] = i
# 加载所有的用户
err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'],
alt_name='u').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_users[i.id] = i
# 加载所有的主机
err = s.reset().select_from(
'host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'],
alt_name='h').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_hosts[i.id] = i
# # 加载所有的账号
# err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
# if err != TPE_OK:
# return err
# if 0 == len(s.recorder):
# return TPE_OK
# for i in s.recorder:
# _accs[i.id] = i
# 加载所有的组
err = s.reset().select_from('group', ['id', 'type', 'state'],
alt_name='g').query()
if err != TPE_OK:
return err
for i in s.recorder:
_groups[i.id] = i
if i.type == TP_GROUP_USER:
_gusers[i.id] = []
elif i.type == TP_GROUP_HOST:
_ghosts[i.id] = []
# elif i.type == TP_GROUP_ACCOUNT:
# _gaccs[i.id] = []
# 加载所有的组
err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'],
alt_name='g').query()
if err != TPE_OK:
return err
for g in s.recorder:
if g.type == TP_GROUP_USER:
# if g.gid not in _gusers:
# _gusers[g.gid] = []
_gusers[g.gid].append(_users[g.mid])
elif g.type == TP_GROUP_HOST:
# if g.gid not in _ghosts:
# _ghosts[g.gid] = []
_ghosts[g.gid].append(_hosts[g.mid])
# elif g.type == TP_GROUP_ACCOUNT:
# # if g.gid not in _gaccs:
# # _gaccs[g.gid] = []
# _gaccs[g.gid].append(_accs[g.mid])
# 加载所有策略明细
err = s.reset().select_from('audit_auz',
['id', 'policy_id', 'type', 'rtype', 'rid'],
alt_name='o').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
# 分解各个策略中操作者和被操作资产的信息
for i in s.recorder:
if i.type == TP_POLICY_OPERATOR:
if i.policy_id not in _p_users:
_p_users[i.policy_id] = []
if i.rtype == TP_USER:
u = _users[i.rid]
_p_users[i.policy_id].append({
'u_id': i.rid,
'u_state': u.state,
'gu_id': 0,
'gu_state': 0,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'USER'
})
elif i.rtype == TP_GROUP_USER:
for u in _gusers[i.rid]:
_p_users[i.policy_id].append({
'u_id': u.id,
'u_state': u.state,
'gu_id': i.rid,
'gu_state': _groups[i.rid].state,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'gUSER'
})
else:
log.e('invalid operator type.\n')
return TPE_FAILED
elif i.type == TP_POLICY_ASSET:
if i.policy_id not in _p_assets:
_p_assets[i.policy_id] = []
# if i.rtype == TP_ACCOUNT:
# a = _accs[i.rid]
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': i.rid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'ACC'
# })
# elif i.rtype == TP_GROUP_ACCOUNT:
# for a in _gaccs[i.rid]:
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': a.id,
# 'a_state': a.state,
# 'ga_id': i.rid,
# 'ga_state': _groups[i.rid].state,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'gACC'
# })
# el
if i.rtype == TP_HOST:
# for aid in _accs:
# if _accs[aid].host_id == i.rid:
# a = _accs[aid]
h = _hosts[i.rid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': h.protocol_type,
# 'protocol_port': h.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'HOST'
})
elif i.rtype == TP_GROUP_HOST:
for h in _ghosts[i.rid]:
# for aid in _accs:
# if _accs[aid].host_id == h.id:
# a = _accs[aid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': i.rid,
# 'gh_state': _groups[i.rid].state,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'gHOST'
})
else:
log.e('invalid asset type.\n')
return TPE_FAILED
else:
return TPE_FAILED
# 3. 建立所有一一对应的映射关系
for pid in _policies:
if pid not in _p_users:
continue
for u in _p_users[pid]:
if pid not in _p_assets:
continue
for a in _p_assets[pid]:
x = AttrDict()
x.update({
'p_id': pid,
'p_rank': _policies[pid].rank,
'p_state': _policies[pid].state
})
x.update(u)
x.update(a)
x.uni_id = '{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id,
x.gh_id, x.h_id)
x.uh_id = 'u{}-h{}'.format(x.u_id, x.h_id)
x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN
# if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_ACC
# elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_gACC
# el
if u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_HOST
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST
else:
log.w('invalid policy data.\n')
continue
_map.append(x)
if len(_map) == 0:
return TPE_OK
values = []
for i in _map:
v = '("{uni_id}","{uh_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{gh_id},' \
'"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port})' \
''.format(uni_id=i.uni_id, uh_id=i.uh_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type,
u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id,gh_id=i.gh_id,
u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port)
values.append(v)
sql = 'INSERT INTO `{dbtp}audit_map` (uni_id,uh_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,gh_id,' \
'u_name,u_surname,h_name,ip,router_ip,router_port) VALUES \n{values};' \
''.format(dbtp=dbtp, values=',\n'.join(values))
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE
return TPE_OK
def get_groups(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
dbtp = get_db().table_prefix
s = SQL(get_db())
s.select_from('group', ['id', 'state', 'name', 'desc'], alt_name='g')
str_where = ''
_where = list()
# if len(sql_restrict) > 0:
# for k in sql_restrict:
# if k == 'ops_policy_id':
# _where.append('g.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype=2)'.format(dbtp=dbtp, pid=sql_exclude[k]))
# else:
# log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
# if k == 'group_id':
# _where.append('u.id NOT IN (SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'.format(dbtp=dbtp, gtype=TP_GROUP_USER, gid=sql_exclude[k]))
if k == 'ops_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, rtype=gtype))
elif k == 'auditor_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, ptype=TP_POLICY_OPERATOR, rtype=gtype))
elif k == 'auditee_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append('g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=dbtp, pid=pid, ptype=TP_POLICY_ASSET, rtype=gtype))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'type':
_where.append('g.type={filter}'.format(filter=sql_filter[k]))
elif k == 'state':
_where.append('g.state={filter}'.format(filter=sql_filter[k]))
elif k == 'search':
_where.append('(g.name LIKE "%{filter}%" OR g.desc LIKE "%{filter}%")'.format(filter=sql_filter[k]))
else:
log.e('unknown filter field: {}\n'.format(k))
return TPE_PARAM, 0, 0, {}
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'name' == sql_order['name']:
s.order_by('g.name', _sort)
elif 'state' == sql_order['name']:
s.order_by('g.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, 0, 0, {}
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def rebuild_audit_auz_map():
_users = {}
_hosts = {}
# _accs = {}
_gusers = {}
_ghosts = {}
# _gaccs = {}
_groups = {}
_policies = {}
_p_users = {}
_p_assets = {}
_map = []
db = get_db()
dbtp = db.table_prefix
db.exec('DELETE FROM {}audit_map'.format(dbtp))
s = SQL(get_db())
# 加载所有策略
err = s.reset().select_from('audit_policy', ['id', 'rank', 'state'], alt_name='p').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_policies[i.id] = i
# 加载所有的用户
err = s.reset().select_from('user', ['id', 'username', 'surname', 'state'], alt_name='u').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_users[i.id] = i
# 加载所有的主机
err = s.reset().select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
for i in s.recorder:
_hosts[i.id] = i
# # 加载所有的账号
# err = s.reset().select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'protocol_port', 'auth_type', 'state'], alt_name='a').query()
# if err != TPE_OK:
# return err
# if 0 == len(s.recorder):
# return TPE_OK
# for i in s.recorder:
# _accs[i.id] = i
# 加载所有的组
err = s.reset().select_from('group', ['id', 'type', 'state'], alt_name='g').query()
if err != TPE_OK:
return err
for i in s.recorder:
_groups[i.id] = i
if i.type == TP_GROUP_USER:
_gusers[i.id] = []
elif i.type == TP_GROUP_HOST:
_ghosts[i.id] = []
# elif i.type == TP_GROUP_ACCOUNT:
# _gaccs[i.id] = []
# 加载所有的组
err = s.reset().select_from('group_map', ['id', 'type', 'gid', 'mid'], alt_name='g').query()
if err != TPE_OK:
return err
for g in s.recorder:
if g.type == TP_GROUP_USER:
# if g.gid not in _gusers:
# _gusers[g.gid] = []
_gusers[g.gid].append(_users[g.mid])
elif g.type == TP_GROUP_HOST:
# if g.gid not in _ghosts:
# _ghosts[g.gid] = []
_ghosts[g.gid].append(_hosts[g.mid])
# elif g.type == TP_GROUP_ACCOUNT:
# # if g.gid not in _gaccs:
# # _gaccs[g.gid] = []
# _gaccs[g.gid].append(_accs[g.mid])
# 加载所有策略明细
err = s.reset().select_from('audit_auz', ['id', 'policy_id', 'type', 'rtype', 'rid'], alt_name='o').query()
if err != TPE_OK:
return err
if 0 == len(s.recorder):
return TPE_OK
# 分解各个策略中操作者和被操作资产的信息
for i in s.recorder:
if i.type == TP_POLICY_OPERATOR:
if i.policy_id not in _p_users:
_p_users[i.policy_id] = []
if i.rtype == TP_USER:
u = _users[i.rid]
_p_users[i.policy_id].append({
'u_id': i.rid,
'u_state': u.state,
'gu_id': 0,
'gu_state': 0,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'USER'
})
elif i.rtype == TP_GROUP_USER:
for u in _gusers[i.rid]:
_p_users[i.policy_id].append({
'u_id': u.id,
'u_state': u.state,
'gu_id': i.rid,
'gu_state': _groups[i.rid].state,
'u_name': u.username,
'u_surname': u.surname,
'auth_from_': 'gUSER'
})
else:
log.e('invalid operator type.\n')
return TPE_FAILED
elif i.type == TP_POLICY_ASSET:
if i.policy_id not in _p_assets:
_p_assets[i.policy_id] = []
# if i.rtype == TP_ACCOUNT:
# a = _accs[i.rid]
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': i.rid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'ACC'
# })
# elif i.rtype == TP_GROUP_ACCOUNT:
# for a in _gaccs[i.rid]:
# h = _hosts[a.host_id]
# _p_assets[i.policy_id].append({
# 'a_id': a.id,
# 'a_state': a.state,
# 'ga_id': i.rid,
# 'ga_state': _groups[i.rid].state,
# 'h_id': h.id,
# 'h_state': h.state,
# 'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
# 'h_name': h.name,
# 'ip': h.ip,
# 'router_ip': h.router_ip,
# 'router_port': h.router_port,
# 'auth_to_': 'gACC'
# })
# el
if i.rtype == TP_HOST:
# for aid in _accs:
# if _accs[aid].host_id == i.rid:
# a = _accs[aid]
h = _hosts[i.rid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
# 'ga_id': 0,
# 'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': 0,
# 'gh_state': 0,
# 'a_name': a.username,
# 'protocol_type': h.protocol_type,
# 'protocol_port': h.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'HOST'
})
elif i.rtype == TP_GROUP_HOST:
for h in _ghosts[i.rid]:
# for aid in _accs:
# if _accs[aid].host_id == h.id:
# a = _accs[aid]
_p_assets[i.policy_id].append({
# 'a_id': aid,
# 'a_state': a.state,
'ga_id': 0,
'ga_state': 0,
'h_id': h.id,
# 'h_state': h.state,
'gh_id': i.rid,
# 'gh_state': _groups[i.rid].state,
# 'a_name': a.username,
# 'protocol_type': a.protocol_type,
# 'protocol_port': a.protocol_port,
'h_name': h.name,
'ip': h.ip,
'router_ip': h.router_ip,
'router_port': h.router_port,
'auth_to_': 'gHOST'
})
else:
log.e('invalid asset type.\n')
return TPE_FAILED
else:
return TPE_FAILED
# 3. 建立所有一一对应的映射关系
for pid in _policies:
if pid not in _p_users:
continue
for u in _p_users[pid]:
if pid not in _p_assets:
continue
for a in _p_assets[pid]:
x = AttrDict()
x.update({
'p_id': pid,
'p_rank': _policies[pid].rank,
'p_state': _policies[pid].state
})
x.update(u)
x.update(a)
x.uni_id = '{}-{}-{}-{}-{}'.format(x.p_id, x.gu_id, x.u_id, x.gh_id, x.h_id)
x.uh_id = 'u{}-h{}'.format(x.u_id, x.h_id)
x.policy_auth_type = TP_POLICY_AUTH_UNKNOWN
# if u['auth_from_'] == 'USER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_ACC
# elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_USER_gACC
# el
if u['auth_from_'] == 'USER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_HOST
elif u['auth_from_'] == 'USER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_USER_gHOST
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'ACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_ACC
# elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gACC':
# x.policy_auth_type = TP_POLICY_AUTH_gUSER_gACC
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'HOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_HOST
elif u['auth_from_'] == 'gUSER' and a['auth_to_'] == 'gHOST':
x.policy_auth_type = TP_POLICY_AUTH_gUSER_gHOST
else:
log.w('invalid policy data.\n')
continue
_map.append(x)
if len(_map) == 0:
return TPE_OK
values = []
for i in _map:
v = '("{uni_id}","{uh_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{gh_id},' \
'"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port})' \
''.format(uni_id=i.uni_id, uh_id=i.uh_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type,
u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id,gh_id=i.gh_id,
u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port)
values.append(v)
sql = 'INSERT INTO `{dbtp}audit_map` (uni_id,uh_id,p_id,p_rank,p_state,policy_auth_type,u_id,u_state,gu_id,gu_state,h_id,gh_id,' \
'u_name,u_surname,h_name,ip,router_ip,router_port) VALUES \n{values};' \
''.format(dbtp=dbtp, values=',\n'.join(values))
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE
return TPE_OK
def get_hosts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
db = get_db()
_tp = db.table_prefix
_ph = db.place_holder
s = SQL(get_db())
s.select_from('host', ['id', 'type', 'os_type', 'os_ver', 'name', 'ip', 'router_ip', 'router_port', 'state', 'acc_count', 'cid', 'desc'], alt_name='h')
str_where = ''
_where = list()
_sql_v = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_where.append('h.id IN (SELECT `mid` FROM `{tp}group_map` WHERE `type`={ph} AND gid={ph})'.format(tp=_tp, ph=_ph))
_sql_v.append(TP_GROUP_HOST)
_sql_v.append(sql_restrict[k])
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append('h.id NOT IN (SELECT `mid` FROM `{tp}group_map` WHERE `gid`={ph} AND `type`={ph})'.format(tp=_tp, ph=_ph))
_sql_v.append(sql_exclude[k])
_sql_v.append(TP_GROUP_HOST)
elif k == 'ops_policy_id':
_where.append('h.id NOT IN (SELECT `rid` FROM `{tp}ops_auz` WHERE `policy_id`={ph} AND `rtype`={ph})'.format(tp=_tp, ph=_ph))
_sql_v.append(sql_exclude[k])
_sql_v.append(TP_HOST)
elif k == 'auditee_policy_id':
_where.append('h.id NOT IN (SELECT `rid` FROM `{tp}audit_auz` WHERE `policy_id`={ph} AND `type`={ph} AND `rtype`={ph})'.format(tp=_tp, ph=_ph))
_sql_v.append(sql_exclude[k])
_sql_v.append(TP_POLICY_ASSET)
_sql_v.append(TP_HOST)
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('h.state={ph}'.format(ph=_ph))
_sql_v.append(sql_filter[k])
elif k == 'search':
# _where.append('(h.name LIKE "%{filter}%" OR h.ip LIKE "%{filter}%" OR h.router_ip LIKE "%{filter}%" OR h.desc LIKE "%{filter}%" OR h.cid LIKE "%{filter}%")'.format(filter=sql_filter[k]))
_where.append('(h.name LIKE {ph} OR h.ip LIKE {ph} OR h.router_ip LIKE {ph} OR h.desc LIKE {ph} OR h.cid LIKE {ph})'.format(ph=_ph))
_f = '%{filter}%'.format(filter=sql_filter[k])
_sql_v.extend([_f, ] * 5)
elif k == 'host_group':
shg = SQL(db)
shg.select_from('group_map', ['mid'], alt_name='g')
shg.where('g.type={ph} AND g.gid={ph}'.format(ph=_ph))
err = shg.query((TP_GROUP_HOST, sql_filter[k]))
if err != TPE_OK:
return err, 0, 1, []
if len(shg.recorder) == 0:
return TPE_OK, 0, 1, []
h_list = ','.join([str(i['mid']) for i in shg.recorder])
_where.append('h.id IN ({})'.format(h_list))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'ip' == sql_order['name']:
s.order_by('h.ip', _sort)
elif 'name' == sql_order['name']:
s.order_by('h.name', _sort)
elif 'os_type' == sql_order['name']:
s.order_by('h.os_type', _sort)
elif 'cid' == sql_order['name']:
s.order_by('h.cid', _sort)
elif 'state' == sql_order['name']:
s.order_by('h.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.page_index, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query(_sql_v)
return err, s.total_count, s.page_index, s.recorder
def alter_table(self, table_names, field_names=None):
"""
修改表名称及字段名称
table_name: 如果是string,则指定要操作的表,如果是list,则第一个元素是要操作的表,第二个元素是此表改名的目标名称
fields_names: 如果为None,则不修改字段名,否则应该是一个list,其中每个元素是包含两个str的list,表示将此list第一个指定的字段改名为第二个指定的名称
@return: None or Boolean
"""
# TODO: 此函数尚未完成
if self.db_type == self.DB_TYPE_SQLITE:
if not isinstance(table_names, list) and field_names is None:
log.w('nothing to do.\n')
return False
if isinstance(table_names, str):
old_table_name = table_names
new_table_name = table_names
elif isinstance(table_names, list) and len(table_names) == 2:
old_table_name = table_names[0]
new_table_name = table_names[1]
else:
log.w('invalid param.\n')
return False
if isinstance(field_names, list):
for i in field_names:
if not isinstance(i, list) or 2 != len(i):
log.w('invalid param.\n')
return False
if field_names is None:
# 仅数据表改名
return self.exec('ALTER TABLE `{}` RENAME TO `{}`;'.format(
old_table_name, new_table_name))
else:
# sqlite不支持字段改名,所以需要通过临时表中转一下
# 先获取数据表的字段名列表
ret = self.query(
'SELECT * FROM `sqlite_master` WHERE `type`="table" AND `name`="{}";'
.format(old_table_name))
log.w('-----\n')
log.w(ret[0][4])
log.w('\n')
# 先将数据表改名,成为一个临时表
# tmp_table_name = '{}_sqlite_tmp'.format(old_table_name)
# ret = self.exec('ALTER TABLE `{}` RENAME TO `{}`;'.format(old_table_name, tmp_table_name))
# if ret is None or not ret:
# return ret
pass
elif self.db_type == self.DB_TYPE_MYSQL:
log.e('mysql not supported yet.\n')
return False
else:
log.e('Unknown database type.\n')
return False
def get_groups(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
dbtp = get_db().table_prefix
s = SQL(get_db())
s.select_from('group', ['id', 'state', 'name', 'desc'], alt_name='g')
str_where = ''
_where = list()
# if len(sql_restrict) > 0:
# for k in sql_restrict:
# if k == 'ops_policy_id':
# _where.append('g.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype=2)'.format(dbtp=dbtp, pid=sql_exclude[k]))
# else:
# log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
# if k == 'group_id':
# _where.append('u.id NOT IN (SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'.format(dbtp=dbtp, gtype=TP_GROUP_USER, gid=sql_exclude[k]))
if k == 'ops_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append(
'g.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'
.format(dbtp=dbtp, pid=pid, rtype=gtype))
elif k == 'auditor_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append(
'g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'
.format(dbtp=dbtp,
pid=pid,
ptype=TP_POLICY_OPERATOR,
rtype=gtype))
elif k == 'auditee_policy_id':
pid = sql_exclude[k]['pid']
gtype = sql_exclude[k]['gtype']
_where.append(
'g.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'
.format(dbtp=dbtp,
pid=pid,
ptype=TP_POLICY_ASSET,
rtype=gtype))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'type':
_where.append('g.type={filter}'.format(filter=sql_filter[k]))
elif k == 'state':
_where.append('g.state={filter}'.format(filter=sql_filter[k]))
elif k == 'search':
_where.append(
'(g.name LIKE "%{filter}%" OR g.desc LIKE "%{filter}%")'.
format(filter=sql_filter[k]))
else:
log.e('unknown filter field: {}\n'.format(k))
return TPE_PARAM, 0, 0, {}
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'name' == sql_order['name']:
s.order_by('g.name', _sort)
elif 'state' == sql_order['name']:
s.order_by('g.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, 0, 0, {}
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def get_hosts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
s = SQL(get_db())
s.select_from('host', ['id', 'type', 'os_type', 'os_ver', 'name', 'ip', 'router_ip', 'router_port', 'state', 'acc_count', 'cid', 'desc'], alt_name='h')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_where.append('h.id IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'.format(get_db().table_prefix, TP_GROUP_HOST, sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append('h.id NOT IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'.format(get_db().table_prefix, TP_GROUP_HOST, sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append('h.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=get_db().table_prefix, pid=sql_exclude[k], rtype=TP_HOST))
elif k == 'auditee_policy_id':
_where.append('h.id NOT IN (SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} AND `type`={ptype} AND rtype={rtype})'.format(dbtp=get_db().table_prefix, pid=sql_exclude[k], ptype=TP_POLICY_ASSET, rtype=TP_HOST))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('h.state={}'.format(sql_filter[k]))
elif k == 'search':
_where.append('(h.name LIKE "%{filter}%" OR h.ip LIKE "%{filter}%" OR h.router_ip LIKE "%{filter}%" OR h.desc LIKE "%{filter}%" OR h.cid LIKE "%{filter}%")'.format(filter=sql_filter[k]))
elif k == 'host_group':
shg = SQL(get_db())
shg.select_from('group_map', ['mid'], alt_name='g')
shg.where('g.type={} AND g.gid={}'.format(TP_GROUP_HOST, sql_filter[k]))
err = shg.query()
if err != TPE_OK:
return err, 0, 1, []
if len(shg.recorder) == 0:
return TPE_OK, 0, 1, []
h_list = ','.join([str(i['mid']) for i in shg.recorder])
_where.append('h.id IN ({})'.format(h_list))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'ip' == sql_order['name']:
s.order_by('h.ip', _sort)
elif 'name' == sql_order['name']:
s.order_by('h.name', _sort)
elif 'os_type' == sql_order['name']:
s.order_by('h.os_type', _sort)
elif 'cid' == sql_order['name']:
s.order_by('h.cid', _sort)
elif 'state' == sql_order['name']:
s.order_by('h.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.page_index, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def get_users(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
dbtp = get_db().table_prefix
s = SQL(get_db())
s.select_from('user', ['id', 'type', 'auth_type', 'username', 'surname', 'role_id', 'state', 'email', 'last_login'],
alt_name='u')
s.left_join('role', ['name', 'privilege'], join_on='r.id=u.role_id', alt_name='r', out_map={'name': 'role'})
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_sql = 'u.id IN (SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'
_where.append(_sql.format(dbtp=dbtp, gtype=TP_GROUP_USER, gid=sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append(
'u.id NOT IN ('
'SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'
''.format(dbtp=dbtp, gtype=TP_GROUP_USER, gid=sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append(
'u.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'
''.format(dbtp=dbtp, pid=sql_exclude[k], rtype=TP_USER))
elif k == 'auditor_policy_id':
_where.append(
'u.id NOT IN ('
'SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} '
'AND `type`={ptype} AND rtype={rtype}'
')'.format(dbtp=dbtp, pid=sql_exclude[k], ptype=TP_POLICY_OPERATOR, rtype=TP_USER))
elif k == 'auditee_policy_id':
_where.append(
'u.id NOT IN ('
'SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} '
'AND `type`={ptype} AND rtype={rtype}'
')'.format(dbtp=dbtp, pid=sql_exclude[k], ptype=TP_POLICY_ASSET, rtype=TP_USER))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'role':
_where.append('u.role_id={filter}'.format(filter=sql_filter[k]))
elif k == 'type':
_where.append('u.type={filter}'.format(filter=sql_filter[k]))
elif k == 'state':
_where.append('u.state={filter}'.format(filter=sql_filter[k]))
elif k == 'search':
_where.append('('
'u.username LIKE "%{filter}%" '
'OR u.surname LIKE "%{filter}%" '
'OR u.email LIKE "%{filter}%" '
'OR u.desc LIKE "%{filter}%"'
')'.format(filter=sql_filter[k]))
if len(_where) > 0:
s.where('( {} )'.format(' AND '.join(_where)))
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'username' == sql_order['name']:
s.order_by('u.username', _sort)
elif 'surname' == sql_order['name']:
s.order_by('u.surname', _sort)
elif 'role_id' == sql_order['name']:
s.order_by('u.role_id', _sort)
elif 'state' == sql_order['name']:
s.order_by('u.state', _sort)
elif 'type' == sql_order['name']:
s.order_by('u.type', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, 0, 0, {}
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def _run_loop(self):
ext_srv_cfg = tp_ext_srv_cfg()
if not ext_srv_cfg.init():
return 0
log.i('Teleport Web Server starting ...\n')
tp_cron().init()
# 尝试通过CORE-JSON-RPC获取core服务的配置(主要是ssh/rdp/telnet的端口以及录像文件存放路径)
self._get_core_server_config()
_db = get_db()
if not _db.init():
log.e('can not initialize database interface.\n')
return 0
_db.connect()
while not _db.connected:
log.w('database not connected, retry after 5 seconds.\n')
time.sleep(5)
_db.connect()
cfg = tp_cfg()
_db.check_status()
if _db.need_create or _db.need_upgrade:
cfg.app_mode = APP_MODE_MAINTENANCE
tp_cfg().update_sys(None)
else:
cfg.app_mode = APP_MODE_NORMAL
_db.load_system_config()
try:
# 将运行时配置发送给核心服务
req = {'method': 'set_config', 'param': {'noop_timeout': tp_cfg().sys.session.noop_timeout}}
req_data = json.dumps(req)
data = urllib.parse.quote(req_data).encode('utf-8')
req = urllib.request.Request(url=cfg.common.core_server_rpc, data=data)
rep = urllib.request.urlopen(req, timeout=3)
body = rep.read().decode()
x = json.loads(body)
if 'code' not in x or x['code'] != 0:
print(x)
log.e('connect core-server for set runtime-config failed.\n')
else:
log.d('set runtime-config for core-server succeeded.\n')
except:
log.w('can not connect to core-server to set runtime-config, maybe it not start yet, ignore.\n')
if not tp_session().init():
log.e('can not initialize session manager.\n')
return 0
if not tp_stats().init():
log.e('can not initialize system status collector.\n')
return 0
if cfg.common.check_host_alive:
if not tp_host_alive().init():
log.e('can not initialize host state inspector.\n')
return 0
settings = {
#
'cookie_secret': '8946svdABGD345fg98uhIaefEBePIfegOIakjFH43oETzK',
'login_url': '/auth/login',
# 指定静态文件的路径,页面模板中可以用 {{ static_url('css/main.css') }} 的方式调用
'static_path': cfg.static_path,
# 指定模板文件的路径
'template_path': cfg.template_path,
# 防止跨站伪造请求,参见 http://old.sebug.net/paper/books/tornado/#_7
'xsrf_cookies': False,
'autoescape': 'xhtml_escape',
# 'ui_modules': ui_modules,
'debug': False,
# 不开启模板和静态文件的缓存,这样一旦模板文件和静态文件变化,刷新浏览器即可看到更新。
'compiled_template_cache': False,
'static_hash_cache': False,
}
from app.controller import controllers, fix_controller
fix_controller()
_app = tornado.web.Application(controllers, **settings)
server = tornado.httpserver.HTTPServer(_app, xheaders=True)
# server = tornado.httpserver.HTTPServer(_app, xheaders=True, ssl_options={
# "certfile": os.path.join(cfg.data_path, 'cert', "server.pem"),
# "keyfile": os.path.join(cfg.data_path, 'cert', "server.key"),
# })
try:
server.listen(cfg.common.port, address=cfg.common.ip)
if cfg.common.ip == '0.0.0.0':
log.i('works on [http://127.0.0.1:{}]\n'.format(cfg.common.port))
else:
log.i('works on [http://{}:{}]\n'.format(cfg.common.ip, cfg.common.port))
except:
log.e('can not listen on port {}:{}, make sure it not been used by another application.\n'.format(cfg.common.ip, cfg.common.port))
return 0
# 启动定时任务调度器
tp_cron().start()
try:
tornado.ioloop.IOLoop.instance().start()
except:
log.e('\n')
if tp_cfg().common.check_host_alive:
tp_host_alive().stop()
tp_cron().stop()
return 0
def get_accounts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
db = get_db()
dbtp = db.table_prefix
s = SQL(db)
# s.select_from('acc', ['id', 'host_id', 'host_ip', 'router_ip', 'router_port', 'username', 'protocol_type', 'auth_type', 'state'], alt_name='a')
s.select_from('acc', ['id', 'host_id', 'username', 'protocol_type', 'auth_type', 'state', 'username_prompt', 'password_prompt'], alt_name='a')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_where.append('a.id IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'.format(dbtp, TP_GROUP_ACCOUNT, sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append('a.id NOT IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'.format(dbtp, TP_GROUP_ACCOUNT, sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append('a.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'.format(dbtp=dbtp, pid=sql_exclude[k], rtype=TP_ACCOUNT))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'search':
_where.append('(a.username LIKE "%{filter}%" OR a.host_ip LIKE "%{filter}%" OR a.router_ip LIKE "%{filter}%")'.format(filter=sql_filter[k]))
# _where.append('(a.username LIKE "%{filter}%")'.format(filter=sql_filter[k]))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'username' == sql_order['name']:
s.order_by('a.username', _sort)
elif 'protocol_type' == sql_order['name']:
s.order_by('a.protocol_type', _sort)
elif 'state' == sql_order['name']:
s.order_by('a.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, 1, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
if err != TPE_OK:
return err, 0, 1, None
# 得到主机id列表,然后查询相关主机的详细信息
host_ids = []
for _acc in s.recorder:
if _acc.host_id not in host_ids:
host_ids.append(_acc.host_id)
if len(host_ids) == 0:
return TPE_OK, 0, 1, None
s_host = SQL(db)
s_host.select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h')
str_host_ids = ','.join([str(i) for i in host_ids])
s_host.where('h.id IN ({ids})'.format(ids=str_host_ids))
err = s_host.query()
if err != TPE_OK:
return err, 0, None
hosts = {}
for _host in s_host.recorder:
if _host.id not in hosts:
hosts[_host.id] = _host
for _acc in s.recorder:
_acc['_host'] = hosts[_acc.host_id]
return err, s.total_count, s.page_index, s.recorder
def get_accounts(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
db = get_db()
dbtp = db.table_prefix
s = SQL(db)
# s.select_from('acc', ['id', 'host_id', 'host_ip', 'router_ip', 'router_port', 'username', 'protocol_type', 'auth_type', 'state'], alt_name='a')
s.select_from('acc', [
'id', 'host_id', 'username', 'protocol_type', 'auth_type', 'state',
'username_prompt', 'password_prompt'
],
alt_name='a')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_where.append(
'a.id IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'
.format(dbtp, TP_GROUP_ACCOUNT, sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append(
'a.id NOT IN (SELECT mid FROM {}group_map WHERE type={} AND gid={})'
.format(dbtp, TP_GROUP_ACCOUNT, sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append(
'a.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'
.format(dbtp=dbtp, pid=sql_exclude[k], rtype=TP_ACCOUNT))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'search':
_where.append(
'(a.username LIKE "%{filter}%" OR a.host_ip LIKE "%{filter}%" OR a.router_ip LIKE "%{filter}%")'
.format(filter=sql_filter[k]))
# _where.append('(a.username LIKE "%{filter}%")'.format(filter=sql_filter[k]))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'username' == sql_order['name']:
s.order_by('a.username', _sort)
elif 'protocol_type' == sql_order['name']:
s.order_by('a.protocol_type', _sort)
elif 'state' == sql_order['name']:
s.order_by('a.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, 1, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
if err != TPE_OK:
return err, 0, 1, None
# 得到主机id列表,然后查询相关主机的详细信息
host_ids = []
for _acc in s.recorder:
if _acc.host_id not in host_ids:
host_ids.append(_acc.host_id)
s_host = SQL(db)
s_host.select_from(
'host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'],
alt_name='h')
str_host_ids = ','.join([str(i) for i in host_ids])
s_host.where('h.id IN ({ids})'.format(ids=str_host_ids))
err = s_host.query()
if err != TPE_OK:
return err, 0, None
hosts = {}
for _host in s_host.recorder:
if _host.id not in hosts:
hosts[_host.id] = _host
for _acc in s.recorder:
_acc['_host'] = hosts[_acc.host_id]
return err, s.total_count, s.page_index, s.recorder
def get_users(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
dbtp = get_db().table_prefix
s = SQL(get_db())
s.select_from('user', [
'id', 'type', 'auth_type', 'username', 'surname', 'role_id', 'state',
'email', 'last_login', 'valid_from', 'valid_to'
],
alt_name='u')
s.left_join('role', ['name', 'privilege'],
join_on='r.id=u.role_id',
alt_name='r',
out_map={'name': 'role'})
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'group_id':
_sql = 'u.id IN (SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'
_where.append(
_sql.format(dbtp=dbtp,
gtype=TP_GROUP_USER,
gid=sql_restrict[k]))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'group_id':
_where.append(
'u.id NOT IN ('
'SELECT mid FROM {dbtp}group_map WHERE type={gtype} AND gid={gid})'
''.format(dbtp=dbtp,
gtype=TP_GROUP_USER,
gid=sql_exclude[k]))
elif k == 'ops_policy_id':
_where.append(
'u.id NOT IN (SELECT rid FROM {dbtp}ops_auz WHERE policy_id={pid} AND rtype={rtype})'
''.format(dbtp=dbtp, pid=sql_exclude[k], rtype=TP_USER))
elif k == 'auditor_policy_id':
_where.append(
'u.id NOT IN ('
'SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} '
'AND `type`={ptype} AND rtype={rtype}'
')'.format(dbtp=dbtp,
pid=sql_exclude[k],
ptype=TP_POLICY_OPERATOR,
rtype=TP_USER))
elif k == 'auditee_policy_id':
_where.append(
'u.id NOT IN ('
'SELECT rid FROM {dbtp}audit_auz WHERE policy_id={pid} '
'AND `type`={ptype} AND rtype={rtype}'
')'.format(dbtp=dbtp,
pid=sql_exclude[k],
ptype=TP_POLICY_ASSET,
rtype=TP_USER))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'role':
_where.append(
'u.role_id={filter}'.format(filter=sql_filter[k]))
elif k == 'type':
_where.append('u.type={filter}'.format(filter=sql_filter[k]))
elif k == 'state':
_where.append('u.state={filter}'.format(filter=sql_filter[k]))
elif k == 'search':
_where.append('('
'u.username LIKE "%{filter}%" '
'OR u.surname LIKE "%{filter}%" '
'OR u.email LIKE "%{filter}%" '
'OR u.desc LIKE "%{filter}%"'
')'.format(filter=sql_filter[k]))
if len(_where) > 0:
s.where('( {} )'.format(' AND '.join(_where)))
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'username' == sql_order['name']:
s.order_by('u.username', _sort)
elif 'surname' == sql_order['name']:
s.order_by('u.surname', _sort)
elif 'role_id' == sql_order['name']:
s.order_by('u.role_id', _sort)
elif 'state' == sql_order['name']:
s.order_by('u.state', _sort)
elif 'type' == sql_order['name']:
s.order_by('u.type', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, 0, 0, {}
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.page_index, s.recorder
def get_records(handler, sql_filter, sql_order, sql_limit, sql_restrict,
sql_exclude):
"""
获取会话列表
会话审计列表的显示策略(下列的`审计`操作指为会话做标记、置为保留状态、写备注等):
1. 运维权限:可以查看自己的会话,但不能审计;
2. 运维授权权限:可以查看所有会话,但不能审计;
3. 审计权限:可以查看被授权的主机相关的会话,且可以审计;
4. 审计授权权限:可以查看所有会话,且可以审计。
"""
allow_uid = 0
allow_hids = list()
allow_all = False
user = handler.get_current_user()
if (user['privilege'] & TP_PRIVILEGE_OPS_AUZ) != 0 or (
user['privilege'] & TP_PRIVILEGE_AUDIT_AUZ) != 0:
allow_all = True
if not allow_all:
if (user['privilege'] & TP_PRIVILEGE_OPS) != 0:
allow_uid = user.id
if (user['privilege'] & TP_PRIVILEGE_AUDIT) != 0:
s = SQL(get_db())
s.select_from('audit_map', [
'u_id', 'h_id', 'p_state', 'policy_auth_type', 'u_state',
'gu_state'
],
alt_name='a')
s.where(
'a.u_id={user_id} AND '
'a.p_state={enable_state} AND'
'('
'((a.policy_auth_type={U2H} OR a.policy_auth_type={U2HG}) AND a.u_state={enable_state}) OR '
'((a.policy_auth_type={UG2H} OR a.policy_auth_type={UG2HG}) AND a.u_state={enable_state} AND a.gu_state={enable_state})'
')'.format(enable_state=TP_STATE_NORMAL,
user_id=user.id,
U2H=TP_POLICY_AUTH_USER_HOST,
U2HG=TP_POLICY_AUTH_USER_gHOST,
UG2H=TP_POLICY_AUTH_gUSER_HOST,
UG2HG=TP_POLICY_AUTH_gUSER_gHOST))
err = s.query()
if err != TPE_OK:
return err, 0, []
for h in s.recorder:
if h.h_id not in allow_hids:
allow_hids.append(h.h_id)
if len(allow_hids) == 0:
return TPE_OK, 0, []
if allow_uid == 0 and len(allow_hids) == 0:
return TPE_FAILED, 0, []
s = SQL(get_db())
s.select_from('record', [
'id', 'sid', 'user_id', 'host_id', 'acc_id', 'state', 'user_username',
'user_surname', 'host_ip', 'conn_ip', 'conn_port', 'client_ip',
'acc_username', 'protocol_type', 'protocol_sub_type', 'time_begin',
'time_end'
],
alt_name='r')
str_where = ''
_where = list()
if len(sql_restrict) > 0:
for k in sql_restrict:
if k == 'state':
_where.append('r.state IN ({})'.format(','.join(
[str(state) for state in sql_restrict[k]])))
else:
log.w('unknown restrict field: {}\n'.format(k))
if len(sql_exclude) > 0:
for k in sql_exclude:
if k == 'state':
_where.append('r.state NOT IN ({})'.format(','.join(
[str(state) for state in sql_exclude[k]])))
else:
log.w('unknown exclude field: {}\n'.format(k))
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('r.state={}'.format(sql_filter[k]))
# elif k == 'search_record':
# _where.append('(h.name LIKE "%{}%" OR h.ip LIKE "%{}%" OR h.router_addr LIKE "%{}%" OR h.desc LIKE "%{}%" OR h.cid LIKE "%{}%")'.format(sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k]))
if not allow_all:
if allow_uid != 0:
_where.append('r.user_id={uid}'.format(uid=allow_uid))
if len(allow_hids) > 0:
hids = [str(h) for h in allow_hids]
_where.append('r.host_id IN ({hids})'.format(hids=','.join(hids)))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'id' == sql_order['name']:
s.order_by('r.id', _sort)
elif 'time_begin' == sql_order['name']:
s.order_by('r.time_begin', _sort)
elif 'sid' == sql_order['name']:
s.order_by('r.sid', _sort)
# elif 'cid' == sql_order['name']:
# s.order_by('h.cid', _sort)
# elif 'state' == sql_order['name']:
# s.order_by('h.state', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
return err, s.total_count, s.recorder
def run(self):
log.i('\n')
log.i(
'###############################################################\n'
)
log.i('Load config file: {}\n'.format(self._cfg_file))
log.i('Teleport Web Server starting ...\n')
# 尝试通过CORE-JSON-RPC获取core服务的配置(主要是ssh/rdp/telnet的端口以及录像文件存放路径)
# self._get_core_server_config()
_db = get_db()
if not _db.init():
log.e('can not initialize database interface.\n')
return 0
_db.connect()
while not _db.connected:
log.w('database not connected, retry after 5 seconds.\n')
time.sleep(5)
_db.connect()
cfg = tp_cfg()
_db.check_status()
if _db.need_create or _db.need_upgrade:
cfg.app_mode = APP_MODE_MAINTENANCE
else:
cfg.app_mode = APP_MODE_NORMAL
if not tp_session().init():
log.e('can not initialize session manager.\n')
return 0
# if not tp_stats().init():
# log.e('can not initialize system status collector.\n')
# return 0
settings = {
#
'cookie_secret': '8946svdABGD345fg98uhIaefEBePIfegOIakjFH43oETzK',
'login_url': '/auth/login',
# 指定静态文件的路径,页面模板中可以用 {{ static_url('css/main.css') }} 的方式调用
'static_path': cfg.static_path,
# 指定模板文件的路径
'template_path': cfg.template_path,
# 防止跨站伪造请求,参见 http://old.sebug.net/paper/books/tornado/#_7
'xsrf_cookies': False,
'autoescape': 'xhtml_escape',
# 'ui_modules': ui_modules,
'debug': False,
# 不开启模板和静态文件的缓存,这样一旦模板文件和静态文件变化,刷新浏览器即可看到更新。
'compiled_template_cache': False,
'static_hash_cache': False,
}
from app.controller import controllers
_app = tornado.web.Application(controllers, **settings)
server = tornado.httpserver.HTTPServer(_app, xheaders=True)
# server = tornado.httpserver.HTTPServer(_app, ssl_options={
# "certfile": os.path.join(cfg.data_path, 'cert', "server.pem"),
# "keyfile": os.path.join(cfg.data_path, 'cert', "server.key"),
# })
try:
server.listen(cfg.common.port, address=cfg.common.ip)
if cfg.common.ip == '0.0.0.0':
log.i('works on [http://127.0.0.1:{}]\n'.format(
cfg.common.port))
else:
log.i('works on [http://{}:{}]\n'.format(
cfg.common.ip, cfg.common.port))
except:
log.e(
'can not listen on port {}:{}, make sure it not been used by another application.\n'
.format(cfg.common.ip, cfg.common.port))
return 0
try:
tornado.ioloop.IOLoop.instance().start()
except:
log.e('\n')
return 0
def get(self):
log.w('catch all, GET: {}\n'.format(self.request.uri))
self.show_error_page(TPE_HTTP_404_NOT_FOUND)