async def post(self, *args, **kwargs): # data = json.loads(self.request.body.decode("utf-8")) nickname = self.get_current_user() # 这里使用useame 不用中文 #if not self.is_superuser: return self.write(dict(code=-1, msg='你不是超级超级管理员,不能使用WebTerminal')) connect_server_info = dict() connect_server_info['nickname'] = nickname # 数据加密给Jimmy mc = MyCryptV2() # 加密数据 # encrypt_data = mc.my_encrypt(str(connect_server_info)) encrypt_data = mc.my_encrypt(str(connect_server_info)) print(encrypt_data) ins_log.read_log('info', '加密后的数据是:{}'.format(encrypt_data)) try: web_terminal_initialssh = '{0}/webterminal/initiallogin/'.format(WEB_TERMINAL) the_body = json.dumps(encrypt_data) http_client = httpclient.AsyncHTTPClient() response = await http_client.fetch(web_terminal_initialssh, method="POST", body=the_body, raise_error=False) response_data = json.loads(response.body.decode('utf-8')) if not response_data.get('status'): return self.write(dict(code=1, msg=response_data.get('message'))) # 返回信息 web_terminal_key = response_data['key'] web_terminal_url = '{0}/logslist/'.format(WEB_TERMINAL) res_data = { "web_terminal_url": web_terminal_url, "web_terminal_key": web_terminal_key } except Exception as e: ins_log.read_log('error', '请求webterminal接口出错:{err}'.format(err=e)) return self.write(dict(code=1, msg='请求webterminal接口出错:{err}'.format(err=e))) return self.write(dict(code=0, msg='Sucessfully', data=res_data))
def get_connect_info(self, asset_id): """ 获取连接主机的信息,如:IP , Port , User 使用推送过去的系统用户+密钥进行链接 :return: """ system_user_list = self.get_system_user() for i in system_user_list: system_user = i.get('system_user') mc = MyCryptV2() _private_key_txt = mc.my_decrypt(i.get('id_rsa')) # 这里需要写到本地文件 with DBContext('r') as session: server_info = session.query(Server.ip, Server.port, Server.detail).filter( Server.id == asset_id).first() ip = server_info[0] port = server_info[1] detail = server_info[2] connect_info = { 'ip': ip, 'port': port, 'system_user': system_user, 'private_key_txt': _private_key_txt, 'detail': detail } return connect_info
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() huawei_configs_list = get_configs() if not huawei_configs_list: ins_log.read_log('error', '没有获取到华为云资产配置信息,跳过') return False for config in huawei_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') huawei_cloud = config.get('huawei_cloud') project_id = config.get('project_id') default_admin_user = config.get('default_admin_user') obj = HuaweiEcsApi(access_id=access_id, access_key=access_key, region=region, cloud=huawei_cloud, project_id=project_id, default_admin_user=default_admin_user) obj.sync_cmdb()
def post(self): ebs_list = [] mc = MyCryptV2() aws_configs_list = get_configs() if not aws_configs_list: ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过') return False for config in aws_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') default_admin_user = config.get('default_admin_user') client = boto3.client('ec2', region_name=region, aws_access_key_id=access_id, aws_secret_access_key=access_key) paginator = client.get_paginator('describe_volumes') page_iterator = paginator.paginate() filtered_iterator = page_iterator.search("Volumes[]") for i in filtered_iterator: if i['Attachments'] == []: i['Attachments'] = '磁盘没有被使用' i['CreateTime'] = i['CreateTime'].strftime("%Y-%m-%d") i['Encrypted'] = 'false' if i['Encrypted'] == 0 else 'Trues' print(i) ebs_list.append(i) with DBContext('w', None, True) as session: session.execute('''TRUNCATE TABLE Unattach_Ebs''') session.bulk_insert_mappings(Unattach_Ebs, ebs_list) session.commit() self.write(dict(code=0, msg='获取并写入成功'))
def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) name = data.get('name', None) # 名称,也是唯一 system_user = data.get('system_user', None) # 系统用户 platform_users = data.get('platform_users', []) # 平台用户 priority = data.get('priority', None) # 优先级 sudo_list = data.get('sudo_list', None) # sudo权限 bash_shell = data.get('bash_shell', None) # sudo权限 remarks = data.get('remarks', None) # 备注 if not name or not system_user or not priority or not sudo_list or not bash_shell: return self.write(dict(code=-2, msg='关键参数不能为空')) if not platform_users: return self.write(dict(code=-2, msg='请至少选择一个关联用户')) if not is_number(priority): return self.write(dict(code=-2, msg='优先级必须是数字')) with DBContext('r', None, True) as session: exist_id = session.query(SystemUser.id).filter(SystemUser.name == name).first() exist_priority = session.query(SystemUser.id).filter(SystemUser.priority == int(priority)).first() if exist_id: return self.write(dict(code=-2, msg='不要重复记录')) if exist_priority: return self.write(dict(code=-2, msg='优先级冲突')) # 新建一个系统用户用来登陆主机,此用户使用密钥认证登陆主机,密钥是自动生成的,生成后保存到数据库里面 key_name = shortuuid.uuid() init_keygen_cmd = 'ssh-keygen -t rsa -P "" -f /tmp/{}'.format(key_name) code, ret = exec_shell(init_keygen_cmd) if code == 0: # 这个系统用户的公钥和私钥是根据name+system_user生成到/tmp下的 with open('/tmp/{}'.format(key_name), 'r') as id_rsa, open( '/tmp/{}.pub'.format(key_name), 'r') as id_rsa_pub: # 对密钥进行加密再写数据库 mc = MyCryptV2() # 实例化 _private_key = mc.my_encrypt(id_rsa.read()) _public_key = mc.my_encrypt(id_rsa_pub.read()) # print('加密后的id_rsa--->',_private_key) # print('加密后的id_rsa_pub--->',_public_key) # print('解密公钥', mc.my_decrypt(_public_key)) # 生成密钥对写入数据库 with DBContext('w', None, True) as session: new_system_user = SystemUser(name=name, system_user=system_user, priority=priority, sudo_list=sudo_list, bash_shell=bash_shell, id_rsa=_private_key, id_rsa_pub=_public_key, platform_users=','.join(platform_users), remarks=remarks) session.add(new_system_user) return self.write(dict(code=0, msg='添加成功')) else: return self.write(dict(code=-4, msg=ret))
def configure_keyless(self): """ 配置系统用户免密钥登陆 :return: """ # connect_server_list = [('172.16.0.93', 22, 'root'), ('172.16.0.219', 22, 'root'), # ('2.2.2.2', 22, 'root')] connect_server_list = self.get_asset_info() system_user_list = self.get_system_user() for host in connect_server_list: ip = host[0] user = host[2] for data in system_user_list: mc = MyCryptV2() system_user = data.get('system_user') _public_key = mc.my_decrypt(data.get('id_rsa_pub')) # 解密 # print(_public_key) # module_args = '[ ! -d /home/{}/.ssh ] && mkdir /home/{}/.ssh && chmod 700 /home/{}/.ssh ; ' \ # '[ ! -f /home/{}/.ssh/authorized_keys ] && touch /home/{}/.ssh/authorized_keys; ' \ # ' grep -c "{}" /home/{}/.ssh/authorized_keys >> /dev/null || echo "{}" >> /home/{}/.ssh/authorized_keys && chmod 600 /home/{}/.ssh/authorized_keys && echo ok'.format( # system_user, system_user, system_user, system_user, system_user, _public_key, system_user, # _public_key, system_user, system_user) module_args = '{sudo} [ ! -d /home/{system_user}/.ssh ]&& ' \ '{sudo} mkdir /home/{system_user}/.ssh &&' \ '{sudo} chmod 700 /home/{system_user}/.ssh ; ' \ '{sudo} [ ! -f /home/{system_user}/.ssh/authorized_keys ]&& ' \ '{sudo} touch /home/{system_user}/.ssh/authorized_keys; ' \ '{sudo} chown -R {system_user}.{system_user} /home/{system_user}/.ssh ; ' \ '{sudo} grep -c "{public_key}" /home/{system_user}/.ssh/authorized_keys >> /dev/null && ' \ 'echo "is exist public_key, auto pass...." || ' \ '{sudo} echo "{public_key}" >> /home/{system_user}/.ssh/authorized_keys && ' \ '{sudo} chmod 600 /home/{system_user}/.ssh/authorized_keys && ' \ 'echo ok'.format(sudo=self.sudo, system_user=system_user, public_key=_public_key) # print(module_args) result = self.run("shell", module_args, ip, user) print(result) if result['dark']: self.err_msg = { "status": False, "ip": ip, "msg": result['dark'][ip]['msg'] } self.err_list.append(self.err_msg) if self.err_list: self.write_error_log()
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() aliyun_configs_list = get_configs() if not aliyun_configs_list: ins_log.read_log('error', '没有获取到阿里云资产配置信息,跳过') return False for config in aliyun_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') obj = RedisApi(access_id, access_key, region) obj.sync_cmdb()
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() qcloud_configs_list = get_configs() if not qcloud_configs_list: ins_log.read_log('error', '没有获取到腾讯云资产配置信息,跳过') return False for config in qcloud_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') obj = CDBApi(access_id, access_key, region) obj.index()
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() aliyun_configs_list = get_configs() if not aliyun_configs_list: ins_log.read_log('error', '没有获取到阿里云资产配置信息,跳过') return False for config in aliyun_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') default_admin_user = config.get('default_admin_user') obj = EcsAPi(access_id, access_key, region, default_admin_user) obj.index()
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() aws_configs_list = get_configs() if not aws_configs_list: ins_log.read_log('error', '没有获取到AWS资产配置信息,跳过') return False for config in aws_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') name = config.get('name') # 名称 obj = EventApi(account_name=name, access_id=access_id, access_key=access_key, region=region) obj.send_alert() obj.sync_cmdb()
def main(): mc = MyCryptV2() aws_configs_list = get_configs() if not aws_configs_list: ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过') return False for config in aws_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') default_admin_user = config.get('default_admin_user') obj = ForDangersHandler(access_id, access_key, region, default_admin_user) result = [i for i in obj.get_tags()] with DBContext('w', None) as session: session.execute('''TRUNCATE TABLE asset_tag''') session.bulk_insert_mappings(Tag, result) session.commit()
def main(): """ 从接口获取已经启用的配置 :return: """ mc = MyCryptV2() ucloud_configs_list = get_configs() if not ucloud_configs_list: ins_log.read_log('error', '没有获取到UCloud资产配置信息,跳过') return False for config in ucloud_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') default_admin_user = config.get('default_admin_user') project_id = config.get('project_id') obj = UHostAPI(access_id=access_id, access_key=access_key, region=region, default_admin_user=default_admin_user, project_id=project_id) obj.sync_cmdb()
from tornado import gen from concurrent.futures import ThreadPoolExecutor from tornado.concurrent import run_on_executor from libs.base_handler import BaseHandler from models.server import AssetConfigs, model_to_dict from websdk.db_context import DBContext from libs.aliyun.ecs import EcsAPi from libs.qcloud.cvm import CVMApi from libs.aws.ec2 import Ec2Api from libs.aliyun.ecs import main as aliyun_update_main from libs.qcloud.cvm import main as qcloud_update_main from libs.aws.ec2 import main as aws_update_main from websdk.web_logs import ins_log from opssdk.operate import MyCryptV2 mc = MyCryptV2() # 实例化 class AssetConfigsHandler(BaseHandler): def get(self, *args, **kwargs): key = self.get_argument('key', default=None, strip=True) value = self.get_argument('value', default=None, strip=True) asset_configs_list = [] with DBContext('r') as session: if key and value: asset_configs_data = session.query(AssetConfigs).filter_by( **{ key: value }).all() else: asset_configs_data = session.query(AssetConfigs).all()
def post(self): host_list = {} mc = MyCryptV2() aws_configs_list = get_configs() if not aws_configs_list: ins_log.write_log('error', '没有获取到AWS资产配置信息,跳过') self.write(dict(code=0, msg='没有获取到AWS资产配置信息,跳过')) for config in aws_configs_list: access_id = config.get('access_id') access_key = mc.my_decrypt(config.get('access_key')) # 解密后使用 region = config.get('region') default_admin_user = config.get('default_admin_user') obj = ForDangersHandler(access_id, access_key, region, default_admin_user) server_info = obj.get_server_info() for msg in server_info: if not host_list.get(str(msg)): host_list[str(msg)] = obj ## 字典去重 可能会有两个相同权限的ak/sk if not host_list: ins_log.read_log('info', 'Not fount server info...') print('Not Fount Server Info') self.write(dict(code=0, msg='没有从AWS接口里读到信息,跳过')) else: with DBContext('r') as session: db_record = session.query(Security_Host.server_instance_id, Security_Host.risk_port) all_instance_risk_pair, all_values = yield self.AwsQueryRiskPort( host_list) if db_record.count() != 0: for ins in db_record: if ins.server_instance_id in all_instance_risk_pair.keys( ): ##数据库查到的是否在从aws取到的ID列表里 if ins.risk_port != all_instance_risk_pair[ ins. server_instance_id]: ##如果查询后发现从aws取到的风险端口和数据库存的不一致,则updates session.query(Security_Host).filter( Security_Host.server_instance_id == ins.server_instance_id).update({ Security_Host.risk_port: all_instance_risk_pair[ ins.server_instance_id] }) session.commit() del all_instance_risk_pair[ ins.server_instance_id] else: ##如果一致 则什么都不做 del all_instance_risk_pair[ ins. server_instance_id] ## 只要在数据库有记录的都删了 只剩下数据里没的机器 给另外一个维度的轮询用 else: ###如果数据库里查到的 不在aws里,证明这个机器已经在aws端被删除,需要在数据库里删除 ins_log.write_log( 'warning', 'no exist server will Deleted...%s' % ins.server_instance_id) session.query(Security_Host).filter( Security_Host.server_instance_id == ins.server_instance_id).delete( synchronize_session=False) session.commit() else: ##数据库里无记录 session.bulk_insert_mappings(Security_Host, all_values) session.commit() all_instance_risk_pair.clear() if all_instance_risk_pair: ##如果没被删空 miss_instance = [ i for i in all_values if i['server_instance_id'] in all_instance_risk_pair ] print(len(miss_instance)) session.bulk_insert_mappings(Security_Host, miss_instance) session.commit() ##AWS云里有 但是数据库里没的部分 self.write(dict(code=0, msg='获取并写入成功'))
async def post(self, *args, **kwargs): data = json.loads(self.request.body.decode("utf-8")) nickname = self.get_current_user() # 获取username 不用中文名 # id = self.get_argument('id', default=None, strip=True) server_id = data.get('server_id', None) if not server_id: return self.write(dict(code=-1, msg='关键参数不能为空')) server_list = [] admin_user_list = [] with DBContext('r') as session: server_info = session.query(Server).filter( Server.id == server_id).filter() for msg in server_info: data_dict = model_to_dict(msg) server_list.append(data_dict) data_dict['create_time'] = str(data_dict['create_time']) data_dict['update_time'] = str(data_dict['update_time']) if not server_list: return self.write(dict(code=-1, msg='没有发现IP')) if not self.is_superuser: return self.write( dict(code=-1, msg='你不是超级超级管理员,不能使用WebTerminal')) admin_user = server_list[0]['admin_user'] if not admin_user: return self.write(dict(code=-1, msg='此机器没有配置管理用户,请先配置管理用户')) admin_user_info = session.query(AdminUser).filter( AdminUser.admin_user == admin_user).filter() for admin_user_msg in admin_user_info: data_dict = model_to_dict(admin_user_msg) data_dict['update_time'] = str(data_dict['update_time']) admin_user_list.append(data_dict) try: connect_server_info = dict() connect_server_info['nickname'] = nickname connect_server_info['ip'] = server_list[0].get('ip') connect_server_info['public_ip'] = server_list[0].get( 'public_ip') connect_server_info['private_ip'] = server_list[0].get( 'private_ip') connect_server_info['port'] = server_list[0].get('port') connect_server_info['admin_user'] = server_list[0].get( 'admin_user') connect_server_info['system_user'] = admin_user_list[0].get( 'system_user') connect_server_info['user_key'] = admin_user_list[0].get( 'user_key') except (IndexError, KeyError) as err: ins_log.read_log('error', '解析的时候出错:{err}'.format(err=err)) return False # print(connect_server_info) # 数据加密给Jimmy mc = MyCryptV2() # 加密数据 encrypt_data = mc.my_encrypt(str(connect_server_info)) ins_log.read_log('info', '加密后的数据是:{}'.format(encrypt_data)) # # 解密方法 # decrypt_data = mc.my_decrypt(encrypt_data) # # print(decrypt_data) # print('解密后的数据是:{}'.format(json.dumps(str(decrypt_data)))) try: web_terminal_initialssh = '{0}/webterminal/initialssh/'.format( WEB_TERMINAL) print(web_terminal_initialssh) the_body = json.dumps(encrypt_data) # 异步HTTPClient http_client = httpclient.AsyncHTTPClient() # 异步http_client请求 response = await http_client.fetch(web_terminal_initialssh, method="POST", body=the_body, raise_error=False) # 返回的数据都在body里面 response_data = json.loads(response.body.decode('utf-8')) # print('response_data', response_data) if not response_data.get('status'): return self.write( dict(code=1, msg=response_data.get('message'))) # 返回信息 web_terminal_key = response_data['key'] web_terminal_url = '{0}/webterminal/'.format(WEB_TERMINAL) # res_list = [] res_data = { "web_terminal_url": web_terminal_url, "web_terminal_key": web_terminal_key } # res_list.append(res_data) except Exception as e: ins_log.read_log('error', '请求webterminal接口出错:{err}'.format(err=e)) return self.write( dict(code=1, msg='请求webterminal接口出错:{err}'.format(err=e))) return self.write(dict(code=0, msg='Sucessfully', data=res_data))