def perm_sudo_add(request, res, *args): """ list sudo commands alias """ res['operator'] = u"添加别名" response = {'success': False, 'error': ''} res['emer_content'] = 6 if request.method == "POST": try: name = request.POST.get("sudo_name").strip().upper() comment = request.POST.get("sudo_comment") commands = request.POST.get("sudo_commands").strip() if not name or not commands: raise ServerError(u"sudo name 和 commands是必填项!") pattern = re.compile(r'[\n,\r]') deal_space_commands = list_drop_str(pattern.split(commands), u'') deal_all_commands = map(trans_all, deal_space_commands) commands = ', '.join(deal_all_commands) logger.debug(u'添加sudo %s: %s' % (name, commands)) sudo_name_test = get_object(PermSudo, name=name) if sudo_name_test: raise ServerError(u"别名[%s]已存在" % name) sudo_uuid = str(uuid.uuid1()) # TODO 保存数据到magicstack sudo = PermSudo.objects.create(uuid_id=sudo_uuid, name=name.strip(), comment=comment, commands=commands) # TODO 保存数据到proxy上的数据库 proxy_list = Proxy.objects.all() data = { 'uuid_id': sudo_uuid, 'id': sudo.id, 'name': name, 'comment': comment, 'commands': commands } data = json.dumps(data) execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermSudo', data, obj_uuid=sudo.uuid_id, action='add') res['content'] = u"添加Sudo命令别名[%s]成功" % name res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name response['success'] = True except ServerError as e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message) response['error'] = res['emer_status'] return HttpResponse(json.dumps(response), content_type='application/json')
def download(self): while True: if not self.user_perm: self.user_perm = get_group_user_perm(self.user) try: print "进入批量下载模式" print "请输入主机名或ansible支持的pattern, 多个主机:分隔,q退出" pattern = raw_input("\033[1;32mPattern>:\033[0m ").strip() if pattern == 'q': break else: assets = self.user_perm.get('asset').keys() res = gen_resource({'user': self.user, 'asset': assets}, perm=self.user_perm) runner = MyRunner(res) asset_name_str = '' print "匹配主机:\n" for inv in runner.inventory.get_hosts(pattern=pattern): asset_name_str += '%s ' % inv.name print ' %s' % inv.name if not asset_name_str: color_print('没有匹配主机') continue print while True: tmp_dir = get_tmp_dir() logger.debug('Download tmp dir: %s' % tmp_dir) print "请输入文件路径(不支持目录)" file_path = raw_input("\033[1;32mPath>:\033[0m ").strip() if file_path == 'q': break if not file_path: color_print("文件路径为空") continue runner.run('fetch', module_args='src=%s dest=%s' % (file_path, tmp_dir), pattern=pattern) ret = runner.results FileLog(user=self.user.name, host=asset_name_str, filename=file_path, type='download', remote_ip=remote_ip, result=ret).save() logger.debug('Download file result: %s' % ret) os.chdir('/tmp') tmp_dir_name = os.path.basename(tmp_dir) if not os.listdir(tmp_dir): color_print('下载全部失败') continue bash('tar czf %s.tar.gz %s && sz %s.tar.gz' % (tmp_dir, tmp_dir_name, tmp_dir)) if ret.get('failed'): error = '文件名称: %s \n下载失败: [ %s ] \n下载成功 [ %s ]' % \ ('%s.tar.gz' % tmp_dir_name, ', '.join(ret.get('failed').keys()), ', '.join(ret.get('ok').keys())) color_print(error) else: msg = '文件名称: %s \n下载成功 [ %s ]' % ('%s.tar.gz' % tmp_dir_name, ', '.join(ret.get('ok').keys())) color_print(msg, 'green') print except IndexError: pass
def perm_role_edit(request, res, *args): """ edit role page """ # 渲染数据 header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户编辑" res['operator'] = path2 # 渲染数据 role_id = request.GET.get("id") role = PermRole.objects.get(id=role_id) role_pass = CRYPTOR.decrypt(role.password) sudo_all = PermSudo.objects.all() role_sudos = role.sudo.all() sudo_all = PermSudo.objects.all() if request.method == "GET": return my_render('permManage/perm_role_edit.html', locals(), request) if request.method == "POST": # 获取 POST 数据 role_name = request.POST.get("role_name") role_password = request.POST.get("role_password") role_comment = request.POST.get("role_comment") role_sudo_names = request.POST.getlist("sudo_name") role_sudos = [PermSudo.objects.get(id=sudo_id) for sudo_id in role_sudo_names] key_content = request.POST.get("role_key", "") try: if not role: raise ServerError('该系统用户不能存在') if role_name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if role_password: encrypt_pass = CRYPTOR.encrypt(role_password) role.password = encrypt_pass # 生成随机密码,生成秘钥对 if key_content: try: key_path = gen_keys(key=key_content, key_path_dir=role.key_path) except SSHException: raise ServerError('输入的密钥不合法') logger.debug('Recreate role key: %s' % role.key_path) # 写入数据库 role.name = role_name role.comment = role_comment role.sudo = role_sudos role.save() msg = u"更新系统用户: %s" % role.name res['content'] = msg return HttpResponseRedirect(reverse('role_list')) except ServerError, e: error = e res['flag'] = 'false' res['content'] = e
def req_del(self, data): try: req = requests.delete(self.url, headers=self.header, data=data) codes = req.status_code msg = req.json() logger.debug("msg:%s status_codes:%s" % (msg, codes)) except Exception as e: logger.error(e) codes = 500 msg = e.message return msg, codes
def get_connect_info(self): """ 获取需要登陆的主机的信息和映射用户的账号密码 """ asset_info = get_asset_info(self.asset) role_key = get_role_key(self.user, self.role) # 获取角色的key,因为ansible需要权限是600,所以统一生成用户_角色key role_pass = CRYPTOR.decrypt(self.role.password) connect_info = {'user': self.user, 'asset': self.asset, 'ip': asset_info.get('ip'), 'port': int(asset_info.get('port')), 'role_name': self.role.name, 'role_pass': role_pass, 'role_key': role_key} logger.debug(connect_info) return connect_info
def perm_role_get(request): asset_id = request.GET.get('id', 0) if asset_id: asset = get_object(Asset, id=asset_id) if asset: role = user_have_perm(request.user, asset=asset) logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role])) return HttpResponse(','.join([i.name for i in role])) else: roles = get_group_user_perm(request.user).get('role').keys() return HttpResponse(','.join([i.name for i in roles])) return HttpResponse('error')
def perm_role_get(request): response = {'role_id': '', 'proxy_url': '', 'user_id': request.user.id, 'role_name': '', 'id_unique': '', 'role_id_name':[]} asset_id = request.GET.get('id', 0) if asset_id: asset = get_object(Asset, id=asset_id) if asset: role = user_have_perm(request.user, asset=asset) logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role])) response['role_name'] = ','.join([i.name for i in role]) response['role_id'] = ','.join([str(i.id) for i in role]) response['proxy_url'] = asset.proxy.url response['id_unique'] = asset.id_unique return HttpResponse(json.dumps(response)) return HttpResponse('error')
def perm_sudo_add(request, res, *args): """ list sudo commands alias """ res['operator'] = u"添加别名" response ={'success': False, 'error': ''} res['emer_content'] = 6 if request.method == "POST": try: name = request.POST.get("sudo_name").strip().upper() comment = request.POST.get("sudo_comment") commands = request.POST.get("sudo_commands").strip() if not name or not commands: raise ServerError(u"sudo name 和 commands是必填项!") pattern = re.compile(r'[\n,\r]') deal_space_commands = list_drop_str(pattern.split(commands), u'') deal_all_commands = map(trans_all, deal_space_commands) commands = ', '.join(deal_all_commands) logger.debug(u'添加sudo %s: %s' % (name, commands)) sudo_name_test = get_object(PermSudo, name=name) if sudo_name_test: raise ServerError(u"别名[%s]已存在" %name) sudo_uuid = str(uuid.uuid1()) # TODO 保存数据到magicstack sudo = PermSudo.objects.create(uuid_id=sudo_uuid, name=name.strip(), comment=comment, commands=commands) # TODO 保存数据到proxy上的数据库 proxy_list = Proxy.objects.all() data = {'uuid_id': sudo_uuid, 'id': sudo.id, 'name': name, 'comment': comment, 'commands': commands} data = json.dumps(data) execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermSudo', data, obj_uuid=sudo.uuid_id, action='add') res['content'] = u"添加Sudo命令别名[%s]成功" % name res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name response['success'] = True except ServerError as e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message) response['error'] = res['emer_status'] return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_add(request, res, *args): """ add role page """ header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户" res['operator'] = path2 sudos = PermSudo.objects.all() if request.method == "POST": name = request.POST.get("role_name", "").strip() comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') try: if get_object(PermRole, name=name): raise ServerError(u'已经存在该用户 %s' % name) if name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') default = get_object(Setting, name='default') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids] if key_content: try: key_path = gen_keys(key=key_content) except SSHException, e: raise ServerError(e) else: key_path = gen_keys() logger.debug('generate role key: %s' % key_path) role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) role.save() role.sudo = sudos_obj msg = u"添加系统用户: %s" % name res['content'] = msg return HttpResponseRedirect(reverse('role_list'))
def get_log(self): """ Logging user command and output. 记录用户的日志 """ tty_log_dir = os.path.join(LOG_DIR, 'tty') date_today = datetime.datetime.now() date_start = date_today.strftime('%Y%m%d') time_start = date_today.strftime('%H%M%S') today_connect_log_dir = os.path.join(tty_log_dir, date_start) log_file_path = os.path.join(today_connect_log_dir, '%s_%s_%s' % (self.username, self.asset_name, time_start)) try: mkdir(os.path.dirname(today_connect_log_dir), mode=0777) mkdir(today_connect_log_dir, mode=0777) except OSError: logger.debug('创建目录 %s 失败,请修改%s目录权限' % (today_connect_log_dir, tty_log_dir)) raise ServerError('创建目录 %s 失败,请修改%s目录权限' % (today_connect_log_dir, tty_log_dir)) try: log_file_f = open(log_file_path + '.log', 'a') log_time_f = open(log_file_path + '.time', 'a') except IOError: logger.debug('创建tty日志文件失败, 请修改目录%s权限' % today_connect_log_dir) raise ServerError('创建tty日志文件失败, 请修改目录%s权限' % today_connect_log_dir) if self.login_type == 'ssh': # 如果是ssh连接过来,记录connect.py的pid,web terminal记录为日志的id pid = os.getpid() self.remote_ip = remote_ip # 获取远端IP else: pid = 0 log = Log(user=self.username, host=self.asset_name, remote_ip=self.remote_ip, login_type=self.login_type, log_path=log_file_path, start_time=date_today, pid=pid) log.save() if self.login_type == 'web': log.pid = log.id # 设置log id为websocket的id, 然后kill时干掉websocket log.save() log_file_f.write('Start at %s\r\n' % datetime.datetime.now()) return log_file_f, log_time_f, log
def perm_role_get(request): response = { 'role_id': '', 'proxy_url': '', 'user_id': request.user.id, 'role_name': '', 'id_unique': '', 'role_id_name': [] } asset_id = request.GET.get('id', 0) if asset_id: asset = get_object(Asset, id=asset_id) if asset: role = user_have_perm(request.user, asset=asset) logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role])) response['role_name'] = ','.join([i.name for i in role]) response['role_id'] = ','.join([str(i.id) for i in role]) response['proxy_url'] = asset.proxy.url response['id_unique'] = asset.id_unique return HttpResponse(json.dumps(response)) return HttpResponse('error')
def run(self, module_name='shell', module_args='', timeout=10, forks=10, pattern='*', become=False, become_method='sudo', become_user='******', become_pass='', transport='paramiko'): """ run module from andible ad-hoc. module_name: ansible module_name module_args: ansible module args """ hoc = Runner(module_name=module_name, module_args=module_args, timeout=timeout, inventory=self.inventory, pattern=pattern, forks=forks, become=become, become_method=become_method, become_user=become_user, become_pass=become_pass, transport=transport ) self.results_raw = hoc.run() logger.debug(self.results_raw) return self.results_raw
def perm_sudo_add(request, res, *args): """ list sudo commands alias :param request: :return: """ # 渲染数据 header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名" res['operator'] = path2 try: if request.method == "POST": # 获取参数: name, comment name = request.POST.get("sudo_name").strip().upper() comment = request.POST.get("sudo_comment").strip() commands = request.POST.get("sudo_commands").strip() if not name or not commands: raise ServerError(u"sudo name 和 commands是必填项!") pattern = re.compile(r'[\n,\r]') deal_space_commands = list_drop_str(pattern.split(commands), u'') deal_all_commands = map(trans_all, deal_space_commands) commands = ', '.join(deal_all_commands) logger.debug(u'添加sudo %s: %s' % (name, commands)) if get_object(PermSudo, name=name): error = 'Sudo别名 %s已经存在' % name res['flag'] = 'false' res['content'] = error else: sudo = PermSudo(name=name.strip(), comment=comment, commands=commands) sudo.save() msg = u"添加Sudo命令别名: %s" % name res['content'] = msg except ServerError, e: error = e res['flag'] = 'false' res['content'] = error
def perm_sudo_edit(request, res, *args): """ list sudo commands alias :param request: :return: """ # 渲染数据 header_title, path1, path2 = "Sudo命令", "别名管理", "编辑别名" res['operator'] = path2 sudo_id = request.GET.get("id") sudo = PermSudo.objects.get(id=sudo_id) try: if request.method == "POST": name = request.POST.get("sudo_name").upper() commands = request.POST.get("sudo_commands") comment = request.POST.get("sudo_comment") if not name or not commands: raise ServerError(u"sudo name 和 commands是必填项!") pattern = re.compile(r'[\n,\r]') deal_space_commands = list_drop_str(pattern.split(commands), u'') deal_all_commands = map(trans_all, deal_space_commands) commands = ', '.join(deal_all_commands).strip() logger.debug(u'添加sudo %s: %s' % (name, commands)) sudo.name = name.strip() sudo.commands = commands sudo.comment = comment sudo.save() msg = u"更新命令别名: %s" % name res['content'] = msg except ServerError, e: error = e res['flag'] = 'false' res['content'] = e
def upload(self): while True: if not self.user_perm: self.user_perm = get_group_user_perm(self.user) try: print "进入批量上传模式" print "请输入主机名或ansible支持的pattern, 多个主机:分隔 q退出" pattern = raw_input("\033[1;32mPattern>:\033[0m ").strip() if pattern == 'q': break else: assets = self.user_perm.get('asset').keys() res = gen_resource({'user': self.user, 'asset': assets}, perm=self.user_perm) runner = MyRunner(res) asset_name_str = '' print "匹配主机:" for inv in runner.inventory.get_hosts(pattern=pattern): print inv.name asset_name_str += '%s ' % inv.name if not asset_name_str: color_print('没有匹配主机') continue tmp_dir = get_tmp_dir() logger.debug('Upload tmp dir: %s' % tmp_dir) os.chdir(tmp_dir) bash('rz') filename_str = ' '.join(os.listdir(tmp_dir)) if not filename_str: color_print("上传文件为空") continue logger.debug('上传文件: %s' % filename_str) runner = MyRunner(res) runner.run('copy', module_args='src=%s dest=%s directory_mode' % (tmp_dir, '/tmp'), pattern=pattern) ret = runner.results FileLog(user=self.user.name, host=asset_name_str, filename=filename_str, remote_ip=remote_ip, type='upload', result=ret).save() logger.debug('Upload file: %s' % ret) if ret.get('failed'): error = '上传目录: %s \n上传失败: [ %s ] \n上传成功 [ %s ]' % (tmp_dir, ', '.join(ret.get('failed').keys()), ', '.join(ret.get('ok').keys())) color_print(error) else: msg = '上传目录: %s \n传送成功 [ %s ]' % (tmp_dir, ', '.join(ret.get('ok').keys())) color_print(msg, 'green') print except IndexError: pass
def perm_role_push(request, res, *args): """ the role push page """ # 渲染数据 header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送" res['operator'] = path2 role_id = request.GET.get('id') asset_ids = request.GET.get('asset_id') role = get_object(PermRole, id=role_id) assets = Asset.objects.all() asset_groups = AssetGroup.objects.all() if asset_ids: need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')] if request.method == "POST": # 获取推荐角色的名称列表 # 计算出需要推送的资产列表 asset_ids = request.POST.getlist("assets") asset_group_ids = request.POST.getlist("asset_groups") assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids] asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids] group_assets_obj = [] for asset_group in asset_groups_obj: group_assets_obj.extend(asset_group.asset_set.all()) calc_assets = list(set(assets_obj) | set(group_assets_obj)) push_resource = gen_resource(calc_assets) # 调用Ansible API 进行推送 password_push = True if request.POST.get("use_password") else False key_push = True if request.POST.get("use_publicKey") else False task = MyTask(push_resource) ret = {} # 因为要先建立用户,而push key是在 password也完成的情况下的 可选项 # 1. 以秘钥 方式推送角色 if key_push: ret["pass_push"] = task.add_user(role.name) ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub')) # 2. 推送账号密码 <为了安全 系统用户统一使用秘钥进行通信, 不再提供密码方式的推送> # elif password_push: # ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password)) # 3. 推送sudo配置文件 if key_push: sudo_list = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3) if sudo_list: ret['sudo'] = task.push_sudo_file([role], sudo_list) logger.debug('推送role结果: %s' % ret) success_asset = {} failed_asset = {} logger.debug(ret) for push_type, result in ret.items(): if result.get('failed'): for hostname, info in result.get('failed').items(): if hostname in failed_asset.keys(): if info in failed_asset.get(hostname): failed_asset[hostname] += info else: failed_asset[hostname] = info for push_type, result in ret.items(): if result.get('ok'): for hostname, info in result.get('ok').items(): if hostname in failed_asset.keys(): continue elif hostname in success_asset.keys(): if str(info) in success_asset.get(hostname, ''): success_asset[hostname] += str(info) else: success_asset[hostname] = str(info) # 推送成功 回写push表 for asset in calc_assets: push_check = PermPush.objects.filter(role=role, asset=asset) if push_check: func = push_check.update else: def func(**kwargs): PermPush(**kwargs).save() if failed_asset.get(asset.name): func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False, result=failed_asset.get(asset.name)) else: func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True) if not failed_asset: msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys())) res['content'] = msg else: error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name, ','.join(failed_asset.keys()), ','.join(success_asset.keys())) res['flag'] = 'false' res['content'] = error return my_render('permManage/perm_role_push.html', locals(), request)
else: return HttpResponse("filter_type: ?") except ServerError, e: res['flag'] = 'false' res['content'] = e return HttpResponse(e) if request.method == "POST": try: role_id = request.POST.get("id") role = get_object(PermRole, id=role_id) if not role: logger.warning(u"Delete Role: role_id %s not exist" % role_id) raise ServerError(u"role_id %s 无数据记录" % role_id) role_key = role.key_path recycle_assets = [push.asset for push in role.perm_push.all() if push.success] logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets)) if recycle_assets: recycle_resource = gen_resource(recycle_assets) task = MyTask(recycle_resource) try: msg_del_user = task.del_user(get_object(PermRole, id=role_id).name) msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name) except Exception, e: logger.warning(u"Recycle Role failed: %s" % e) raise ServerError(u"回收已推送的系统用户失败: %s" % e) logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg_del_user)) logger.info(u"delete role %s - execute delete sudo: %s" % (role.name, msg_del_sudo)) # TODO: 判断返回结果,处理异常 # 删除存储的秘钥,以及目录 try: key_files = os.listdir(role_key)
filter_type) else: return HttpResponse("filter_type: ?") except ServerError, e: return HttpResponse(e) if request.method == "POST": try: role_id = request.POST.get("id") role = get_object(PermRole, id=int(role_id)) if not role: logger.warning(u"Delete Role: role_id %s not exist" % role_id) raise ServerError(u"role_id %s 无数据记录" % role_id) recycle_assets = [ push.asset for push in role.perm_push.all() if push.success ] logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets)) if recycle_assets: asset_proxys = gen_asset_proxy(recycle_assets) for key, value in asset_proxys.items(): proxy = Proxy.objects.filter(proxy_name=key)[0] recycle_resource = gen_resource(value) host_list = [ asset.networking.all()[0].ip_address for asset in value ] task = MyTask(recycle_resource, host_list) try: msg_del_user = task.del_user(role.name, proxy, request.user.username) msg_del_sudo = task.del_user_sudo( role.uuid_id, proxy, request.user.username) except Exception, e: