def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username,
host_ip, conn_ip, conn_port, client_ip, auth_type,
protocol_type, protocol_sub_type):
db = get_db()
sql = 'SELECT surname FROM `{tp}user` WHERE id={ph};'.format(
tp=db.table_prefix, ph=db.place_holder)
db_ret = db.query(sql, (user_id, ))
if db_ret is None or len(db_ret) == 0:
user_surname = user_username
else:
user_surname = db_ret[0][0]
sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,user_surname,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \
'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{user_surname}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \
';'.format(db.table_prefix,
sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, user_surname=user_surname, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port,
client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type,
time_begin=tp_timestamp_sec())
ret = db.exec(sql)
if not ret:
return TPE_DATABASE, 0
record_id = db.last_insert_id()
if record_id == -1:
return TPE_DATABASE, 0
else:
return TPE_OK, record_id
def add_role(handler, role_name, privilege):
db = get_db()
_time_now = tp_timestamp_sec()
operator = handler.get_current_user()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {}role WHERE name="{name}";'.format(db.table_prefix,
name=role_name)
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql = 'INSERT INTO `{}role` (name, privilege, creator_id, create_time) VALUES ' \
'("{name}", {privilege}, {creator_id}, {create_time});' \
''.format(db.table_prefix, name=role_name, privilege=privilege, creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"创建角色:{}".format(role_name))
return TPE_OK, _id
def add_members(handler, policy_id, policy_type, ref_type, members):
# step 1: select exists rid.
s = SQL(get_db())
s.select_from('ops_auz', ['rid'], alt_name='p')
_where = list()
_where.append('p.policy_id={}'.format(policy_id))
_where.append('p.type={}'.format(policy_type))
_where.append('p.rtype={}'.format(ref_type))
s.where('( {} )'.format(' AND '.join(_where)))
err = s.query()
if err != TPE_OK:
return err
exists_ids = [r['rid'] for r in s.recorder]
operator = handler.get_current_user()
db = get_db()
_time_now = tp_timestamp_sec()
sql = []
for m in members:
if m['id'] in exists_ids:
continue
sql_s = 'INSERT INTO `{tp}ops_auz` (`policy_id`,`type`,`rtype`,`rid`,`name`,`creator_id`,`create_time`) VALUES ' \
'({ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph});' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (policy_id, policy_type, ref_type, m['id'], m['name'],
operator['id'], _time_now)
sql.append({'s': sql_s, 'v': sql_v})
if db.transaction(sql):
# return TPE_OK
return policy.rebuild_ops_auz_map()
else:
return TPE_DATABASE
def create(handler, gtype, name, desc):
if gtype not in TP_GROUP_TYPES:
return TPE_PARAM, 0
db = get_db()
_time_now = tp_timestamp_sec()
# 1. 判断是否已经存在了
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(
dbtp=db.table_prefix, gtype=gtype, gname=name)
db_ret = db.query(sql)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
operator = handler.get_current_user()
# 2. 插入记录
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \
'({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \
''.format(dbtp=db.table_prefix,
gtype=gtype, gname=name, creator_id=operator['id'],
create_time=_time_now, desc=desc)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(
operator, handler.request.remote_ip, TPE_OK,
"创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name))
return TPE_OK, _id
def add_account(handler, host_id, args):
"""
添加一个远程账号
"""
db = get_db()
_time_now = tp_timestamp_sec()
operator = handler.get_current_user()
# 1. 判断是否已经存在了
sql = 'SELECT `id` FROM `{tp}acc` WHERE `host_id`={ph} AND `protocol_port`={ph} AND `username`={ph} AND `auth_type`={ph};'.format(
tp=db.table_prefix, ph=db.place_holder)
db_ret = db.query(
sql,
(host_id, args['protocol_port'], args['username'], args['auth_type']))
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql_s = 'INSERT INTO `{tp}acc` (`host_id`,`host_ip`,`router_ip`,`router_port`,`protocol_type`,`protocol_port`,' \
'`state`,`auth_type`,`username`,`username_prompt`,`password_prompt`,`password`,`pri_key`,`creator_id`,`create_time`) VALUES ' \
'({ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph}, {ph});' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (host_id, args['host_ip'], args['router_ip'], args['router_port'],
args['protocol_type'], args['protocol_port'], TP_STATE_NORMAL,
args['auth_type'], args['username'], args['username_prompt'],
args['password_prompt'], args['password'], args['pri_key'],
operator['id'], _time_now)
# sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \
# '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \
# ''.format(db.table_prefix,
# host_id=host_id,
# protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL,
# auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'],
# creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql_s, sql_v)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
acc_name = '{}@{}'.format(args['username'], args['host_ip'])
if len(args['router_ip']) > 0:
acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"创建账号:{}".format(acc_name))
# 更新主机相关账号数量
sql = 'UPDATE `{tp}host` SET `acc_count`=`acc_count`+1 WHERE `id`={ph};' \
''.format(tp=db.table_prefix, ph=db.place_holder)
db.exec(sql, (host_id, ))
# if not db_ret:
# return TPE_DATABASE, 0
tp_stats().acc_counter_change(1)
return TPE_OK, _id
def session_fix():
db = get_db()
if db.need_create or db.need_upgrade:
return TPE_OK
sql_list = list()
sql_s = 'UPDATE `{tp}record` SET state={ph}, time_end={ph} WHERE state={ph};' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (TP_SESS_STAT_ERR_RESET, tp_timestamp_sec(), TP_SESS_STAT_RUNNING)
sql_list.append({'s': sql_s, 'v': sql_v})
sql_s = 'UPDATE `{tp}record` SET state={ph},time_end={ph} WHERE state={ph};' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (TP_SESS_STAT_ERR_RESET, tp_timestamp_sec(), TP_SESS_STAT_STARTED)
sql_list.append({'s': sql_s, 'v': sql_v})
return db.transaction(sql_list)
def _parse_api_args(handler):
raw_req = handler.request.body.decode('utf-8')
if raw_req == '':
return False, handler.write_json(TPE_PARAM)
try:
raw_req = json.loads(raw_req)
if 'auth' not in raw_req or 'arg' not in raw_req or 'sign' not in raw_req:
return False, handler.write_json(TPE_PARAM)
except:
return False, handler.write_json(TPE_JSON_FORMAT)
_auth = raw_req['auth'].split(':')
if len(_auth) <= 1:
return False, handler.write_json(TPE_PARAM)
if _auth[0] == '1': # 目前的API请求格式版本为1
if len(_auth) != 4: # VERSION:ACCESS_KEY:TIMESTAMP:EXPIRES
return False, handler.write_json(TPE_PARAM)
req_access_key = _auth[1]
req_timestamp = int(_auth[2])
req_expires = int(_auth[3])
else:
return False, handler.write_json(TPE_PARAM)
# 从数据库中根据access-key查找access-secret
sec_info = tp_ext_srv_cfg().get_secret_info(req_access_key)
if sec_info is None:
return False, handler.write_json(TPE_INVALID_API_KEY)
access_secret = sec_info['secret']
# 是否超时
if tp_timestamp_sec() > req_timestamp + req_expires:
return False, handler.write_json(TPE_EXPIRED)
# 验证
be_sign = '{}|{}'.format(raw_req['auth'], raw_req['arg'])
_h = hmac.new(tp_bin(access_secret), tp_bin(be_sign), hashlib.sha1)
_s = base64.urlsafe_b64decode(tp_bin(raw_req['sign']))
if _s != _h.digest():
return False, handler.write_json(TPE_INVALID_API_SIGN)
# 一切都OK,解码得到实际参数
_param = base64.urlsafe_b64decode(tp_bin(raw_req['arg']))
try:
args = json.loads(tp_str(_param))
except:
return False, handler.write_json(TPE_JSON_FORMAT)
args['_srv_name_'] = sec_info['name']
# log.d('api:get_host, param=', args, '\n')
return True, args
def create_user(handler, user):
"""
创建一个用户账号
"""
db = get_db()
_time_now = tp_timestamp_sec()
operator = handler.get_current_user()
if 'type' not in user:
user['type'] = TP_USER_TYPE_LOCAL
if 'ldap_dn' not in user:
user['ldap_dn'] = ''
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('user', ['id']).where(
'user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# _password = tp_password_generate_secret(user['password'])
if user['type'] == TP_USER_TYPE_LOCAL:
_password = tp_password_generate_secret(user['password'])
else:
_password = ''
sql = 'INSERT INTO `{}user` (' \
'`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \
'`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `valid_from`, `valid_to`, `desc`' \
') VALUES (' \
'{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \
'"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, {valid_from}, '\
'{valid_to}, "{desc}");' \
''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'],
user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password,
state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now,
last_login=0, last_chpass=_time_now, valid_from=user['valid_from'], valid_to=user['valid_to'], desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"创建用户:{}".format(user['username']))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
return TPE_OK, _id
def update_temp_locked_user_state():
sys_cfg = tp_cfg().sys
if sys_cfg.login.lock_timeout == 0:
return
_lock_time = tp_timestamp_sec() - (sys_cfg.login.lock_timeout * 60)
db = get_db()
if db.need_create or db.need_upgrade:
return
sql = 'UPDATE `{}user` SET state={new_state}, lock_time=0, fail_count=0 WHERE (state={old_state} AND lock_time<{lock_time});' \
''.format(db.table_prefix, new_state=TP_STATE_NORMAL, old_state=TP_STATE_LOCKED, lock_time=_lock_time)
db.exec(sql)
def update_login_info(handler, user_id):
db = get_db()
_time_now = tp_timestamp_sec()
sql = 'UPDATE `{}user` SET ' \
'fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time},' \
' login_ip="{ip}" WHERE id={user_id};' \
''.format(db.table_prefix,
login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id
)
if db.exec(sql):
return TPE_OK
else:
return TPE_DATABASE
def _make_builtin_data(self, sysadmin, email, password):
_time_now = tp_timestamp_sec()
self._db_exec(
'设定数据库版本',
'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'.format(self.db.table_prefix, self.db.DB_VERSION)
)
self._db_exec(
'设置本地核心服务',
'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES '
'("0000", "", "127.0.0.1", 52080, 1);'
''.format(self.db.table_prefix)
)
privilege_admin = TP_PRIVILEGE_ALL
privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS
privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT
self._db_exec(
'创建默认角色',
[
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(1, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='系统管理员', privilege=privilege_admin, create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(2, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='运维人员', privilege=privilege_ops, create_time=_time_now),
'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES '
'(3, "{name}", {privilege}, 0, {create_time});'
''.format(self.db.table_prefix,
name='审计员', privilege=privilege_audit, create_time=_time_now)
]
)
self._db_exec(
'创建系统管理员账号',
'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES '
'(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});'
''.format(self.db.table_prefix,
auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA,
username=sysadmin, surname=sysadmin, password=tp_password_generate_secret(password), state=TP_STATE_NORMAL, email=email,
create_time=_time_now, last_login=_time_now, last_chpass=_time_now)
)
def set_password(handler, mode, user_id, password):
db = get_db()
operator = handler.get_current_user()
# print('----------', operator)
# 1. get user info (user name)
s = SQL(db)
err = s.reset().select_from('user', ['username', 'surname']).where(
'user.id={}'.format(user_id)).query()
if err != TPE_OK:
return err
if len(s.recorder) == 0:
return TPE_NOT_EXISTS
name = s.recorder[0]['username']
surname = s.recorder[0]['surname']
if len(surname) == 0:
surname = name
_time_now = tp_timestamp_sec()
sql = 'UPDATE `{}user` SET `password`="{password}", `last_chpass`={last_chpass} WHERE `id`={user_id};' \
''.format(db.table_prefix, password=password, last_chpass=_time_now, user_id=user_id)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE
if mode in [3, 4, 5, 6]:
if mode == 6:
syslog.sys_log({
'username': name,
'surname': surname
}, handler.request.remote_ip, TPE_OK,
"用户 {} 修改了过期的密码".format(name))
else:
syslog.sys_log({
'username': name,
'surname': surname
}, handler.request.remote_ip, TPE_OK,
"用户 {} 通过邮件方式重置了密码".format(name))
else:
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"为用户 {} 手动重置了密码".format(name))
return TPE_OK
def generate_reset_password_token(handler, user_id):
db = get_db()
operator = handler.get_current_user()
s = SQL(db)
_time_now = tp_timestamp_sec()
# 0. query user's email by user_id
err = s.select_from('user', ['email'], alt_name='u').where(
'u.id={user_id}'.format(user_id=user_id)).query()
if err != TPE_OK:
return err, None, None
if len(s.recorder) == 0:
return TPE_DATABASE, None, None
email = s.recorder[0].email
# 1. clean all timed out tokens.
s.reset().delete_from('user_rpt').where(
'create_time<{}'.format(_time_now - 24 * 60 * 60)).exec()
# 2. find out if this user already have a token.
err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where(
'u.user_id={}'.format(user_id)).query()
if err != TPE_OK:
return err, None, None
token = tp_generate_random(16)
if len(s.recorder) == 0:
sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \
'({user_id}, "{token}", {create_time});' \
''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
else:
sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \
''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, None, None
# syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name))
return TPE_OK, email, token
def sys_log(operator, client_ip, code, message=""):
try:
db = get_db()
sql_s = 'INSERT INTO `{tp}syslog` (`user_name`,`user_surname`,`client_ip`,`code`,`log_time`,`message`) ' \
'VALUES ({ph},{ph},{ph},{ph},{ph},{ph})' \
';'.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (operator['username'], operator['surname'], client_ip, code,
tp_timestamp_sec(), message)
ret = db.exec(sql_s, sql_v)
if not ret:
return TPE_DATABASE
return TPE_OK
except:
log.e('\n')
return TPE_DATABASE
def add_host(handler, args):
"""
添加一个远程主机
"""
db = get_db()
_tp = db.table_prefix
_ph = db.place_holder
_time_now = tp_timestamp_sec()
# 1. 判断此主机是否已经存在了
if len(args['router_ip']) > 0:
sql_s = 'SELECT `id` FROM `{tp}host` WHERE `ip`={ph} OR (`router_ip`={ph} AND `router_port`={ph});'.format(tp=_tp, ph=_ph)
sql_v = (args['ip'], args['router_ip'], args['router_port'])
else:
sql_s = 'SELECT `id` FROM `{tp}host` WHERE `ip`={ph};'.format(tp=_tp, ph=_ph)
sql_v = (args['ip'], )
db_ret = db.query(sql_s, sql_v)
if db_ret is not None and len(db_ret) > 0:
return TPE_EXISTS, 0
sql_s = 'INSERT INTO `{tp}host` (`type`,`os_type`,`name`,`ip`,`router_ip`,`router_port`,`state`,`creator_id`,`create_time`,`cid`,`desc`) VALUES ' \
'({ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph},{ph});' \
''.format(tp=_tp, ph=_ph)
sql_v = (1, args['os_type'], args['name'], args['ip'], args['router_ip'], args['router_port'],
TP_STATE_NORMAL, handler.get_current_user()['id'], _time_now, args['cid'], args['desc'])
db_ret = db.exec(sql_s, sql_v)
if not db_ret:
return TPE_DATABASE, 0
if len(args['router_ip']) > 0:
app.base.host_alive.tp_host_alive().add_host(args['router_ip'], check_now=True)
else:
app.base.host_alive.tp_host_alive().add_host(args['ip'], check_now=True)
_id = db.last_insert_id()
h_name = args['ip']
if len(args['router_ip']) > 0:
h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port'])
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建主机:{}".format(h_name))
tp_stats().host_counter_change(1)
return TPE_OK, _id
def make_groups(handler, gtype, glist, failed):
"""
根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之
"""
db = get_db()
_time_now = tp_timestamp_sec()
operator = handler.get_current_user()
name_list = list()
for g in glist:
sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(
dbtp=db.table_prefix, gtype=gtype, gname=g)
db_ret = db.query(sql)
if db_ret is None or len(db_ret) == 0:
# need create group.
sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \
'({gtype}, "{name}", {creator_id}, {create_time});' \
''.format(dbtp=db.table_prefix,
gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
failed.append({
'line':
0,
'error':
'创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format(
gtype=TP_GROUP_TYPES[gtype], gname=g)
})
continue
glist[g] = db.last_insert_id()
name_list.append(g)
else:
glist[g] = db_ret[0][0]
syslog.sys_log(
operator, handler.request.remote_ip, TPE_OK,
"创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype],
gname=','.join(name_list)))
return TPE_OK
def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username,
host_ip, conn_ip, conn_port, client_ip, auth_type,
protocol_type, protocol_sub_type):
db = get_db()
sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \
'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \
';'.format(db.table_prefix,
sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port,
client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type,
time_begin=tp_timestamp_sec())
ret = db.exec(sql)
if not ret:
return TPE_DATABASE, 0
record_id = db.last_insert_id()
if record_id == -1:
return TPE_DATABASE, 0
else:
return TPE_OK, record_id
def create_policy(handler, args):
"""
创建一个授权策略
"""
db = get_db()
_time_now = tp_timestamp_sec()
# 1. 判断此账号是否已经存在了
s = SQL(db)
err = s.reset().select_from('audit_policy', ['id']).where(
'audit_policy.name="{}"'.format(args['name'])).query()
if err != TPE_OK:
return err, 0
if len(s.recorder) > 0:
return TPE_EXISTS, 0
# 2. get total count
sql = 'SELECT COUNT(*) FROM {}audit_policy'.format(db.table_prefix)
db_ret = db.query(sql)
if not db_ret or len(db_ret) == 0:
return TPE_DATABASE, 0
rank = db_ret[0][0] + 1
sql = 'INSERT INTO `{}audit_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \
'({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \
''.format(db.table_prefix,
rank=rank, name=args['name'], desc=args['desc'],
creator_id=handler.get_current_user()['id'],
create_time=_time_now)
db_ret = db.exec(sql)
if not db_ret:
return TPE_DATABASE, 0
_id = db.last_insert_id()
syslog.sys_log(handler.get_current_user(), handler.request.remote_ip,
TPE_OK, "创建审计授权策略:{}".format(args['name']))
return TPE_OK, _id
def update_fail_count(handler, user_info):
db = get_db()
sys_cfg = tp_cfg().sys
sql_list = []
is_locked = False
fail_count = user_info.fail_count + 1
sql_s = 'UPDATE `{tp}user` SET `fail_count`={ph} WHERE `id`={ph};' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (fail_count, user_info.id)
sql_list.append({'s': sql_s, 'v': sql_v})
if sys_cfg.login.retry != 0 and fail_count >= sys_cfg.login.retry:
is_locked = True
sql_s = 'UPDATE `{tp}user` SET `state`={ph}, `lock_time`={ph} WHERE `id`={ph};' \
''.format(tp=db.table_prefix, ph=db.place_holder)
sql_v = (TP_STATE_LOCKED, tp_timestamp_sec(), user_info.id)
sql_list.append({'s': sql_s, 'v': sql_v})
if db.transaction(sql_list):
return TPE_OK, is_locked
else:
return TPE_DATABASE, is_locked
def check_reset_token(token):
db = get_db()
# s = SQL(db)
_time_now = tp_timestamp_sec()
# 0. remove expired token (after 3 days)
sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format(
dbtp=db.table_prefix, dbph=db.place_holder)
db.exec(sql, (_time_now - 3 * 24 * 60 * 60, ))
# 1. query user's id
sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format(
dbtp=db.table_prefix, dbph=db.place_holder)
db_ret = db.query(sql, (token, ))
if db_ret is None or len(db_ret) == 0:
return TPE_NOT_EXISTS, 0
user_id = db_ret[0][0]
create_time = db_ret[0][1]
if _time_now - create_time > 24 * 60 * 60:
return TPE_EXPIRED, user_id
else:
return TPE_OK, user_id
def login(handler,
username,
password=None,
oath_code=None,
check_bind_oath=False):
sys_cfg = tp_cfg().sys
msg = ''
current_unix_time = int(time.mktime(datetime.datetime.now().timetuple()))
# log.e('current:',current_unix_time,'validfrom:', user_info['valid_from'])
err, user_info = get_by_username(username)
if err != TPE_OK:
return err, None, msg
if user_info.privilege == 0:
# 尚未为此用户设置角色
msg = '登录失败,用户尚未分配权限'
return TPE_PRIVILEGE, None, msg
if check_bind_oath and len(user_info['oath_secret']) != 0:
return TPE_OATH_ALREADY_BIND, None, msg
if user_info['state'] == TP_STATE_LOCKED:
# 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息
if sys_cfg.login.lock_timeout != 0:
if tp_timestamp_sec(
) - user_info.lock_time > sys_cfg.login.lock_timeout * 60:
user_info.fail_count = 0
user_info.state = TP_STATE_NORMAL
if user_info['state'] == TP_STATE_LOCKED:
msg = '登录失败,用户已被临时锁定'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_LOCKED, msg)
return TPE_USER_LOCKED, None, msg
elif user_info['state'] == TP_STATE_DISABLED:
msg = '登录失败,用户已被禁用'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED,
msg)
return TPE_USER_DISABLED, None, msg
elif user_info['state'] != TP_STATE_NORMAL:
msg = '登录失败,用户状态异常'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
return TPE_FAILED, None, msg
elif current_unix_time < user_info['valid_from'] or (
current_unix_time > user_info['valid_to']
and user_info['valid_to'] != 0):
msg = '登录失败,用户已过期'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, msg)
return TPE_FAILED, None, msg
err_msg = ''
if password is not None:
if user_info['type'] == TpUserType.LOCAL:
# 如果系统配置了密码有效期,则检查用户的密码是否失效
if sys_cfg.password.timeout != 0:
_time_now = tp_timestamp_sec()
if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 *
60 * 24) < _time_now:
msg = '登录失败,用户密码已过期'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_EXPIRED, None, msg
if not tp_password_verify(password, user_info['password']):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
msg = '登录失败,密码错误{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
elif user_info['type'] == TP_USER_TYPE_LDAP:
try:
if len(tp_cfg().sys_ldap_password) == 0:
msg = 'LDAP尚未配置'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
_ldap_password = tp_cfg().sys_ldap_password
_ldap_server = tp_cfg().sys.ldap.server
_ldap_port = tp_cfg().sys.ldap.port
_ldap_base_dn = tp_cfg().sys.ldap.base_dn
except:
msg = 'LDAP尚未正确配置'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
try:
ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn)
ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password)
if ret != TPE_OK:
if ret == TPE_USER_AUTH:
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定'
msg = 'LDAP用户验证失败{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
msg = 'LDAP用户登录失败,{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
except:
msg = 'LDAP用户登录失败,发生内部错误'
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_USER_AUTH, msg)
return TPE_USER_AUTH, None, msg
else:
msg = '登录失败,系统内部错误'
syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH,
msg)
return TPE_USER_AUTH, None, msg
if oath_code is not None:
# use oath
if len(user_info['oath_secret']) == 0:
return TPE_OATH_MISMATCH, None, msg
if not tp_oath_verify_code(user_info['oath_secret'], oath_code):
err, is_locked = update_fail_count(handler, user_info)
if is_locked:
err_msg = ',用户已被临时锁定!'
msg = '登录失败,身份验证器动态验证码错误{}'.format(err_msg)
syslog.sys_log(user_info, handler.request.remote_ip,
TPE_OATH_MISMATCH, msg)
return TPE_OATH_MISMATCH, None, msg
del user_info['password']
del user_info['oath_secret']
if len(user_info['surname']) == 0:
user_info['surname'] = user_info['username']
return TPE_OK, user_info, msg
def session_end(record_id, ret_code):
db = get_db()
sql = 'UPDATE `{}record` SET state={}, time_end={} WHERE id={};'.format(
db.table_prefix, int(ret_code), tp_timestamp_sec(), int(record_id))
return db.exec(sql)
def cleanup_storage(handler):
# storage config
sto = tp_cfg().sys.storage
db = get_db()
_now = tp_timestamp_sec()
msg = []
have_error = False
s = SQL(db)
chk_time = _now - sto.keep_log * 24 * 60 * 60
if sto.keep_log > 0:
# find out all sys-log to be remove
s.select_from('syslog', ['id'], alt_name='s')
s.where('s.log_time<{chk_time}'.format(chk_time=chk_time))
err = s.query()
if err != TPE_OK:
have_error = True
msg.append('清理系统日志时发生错误:无法获取系统日志信息!')
# return err, msg
else:
removed_log = len(s.recorder)
if 0 == removed_log:
msg.append('没有满足条件的系统日志需要清除!')
else:
s.reset().delete_from('syslog').where(
'log_time<{chk_time}'.format(chk_time=chk_time))
err = s.exec()
if err != TPE_OK:
have_error = True
msg.append('清理系统日志时发生错误:无法清除指定的系统日志!')
else:
msg.append('{} 条系统日志已清除!'.format(removed_log))
if sto.keep_record > 0:
core_cfg = tp_cfg().core
if not core_cfg.detected:
have_error = True
msg.append('清除指定会话录像失败:未能检测到核心服务!')
else:
replay_path = core_cfg.replay_path
if not os.path.exists(replay_path):
have_error = True
msg.append('清除指定会话录像失败:会话录像路径不存在({})!'.format(replay_path))
else:
# find out all record to be remove
s.reset().select_from('record', ['id', 'protocol_type'],
alt_name='r')
s.where('r.time_begin<{chk_time}'.format(chk_time=chk_time))
err = s.query()
if err != TPE_OK:
have_error = True
msg.append('清除指定会话录像失败:无法获取会话录像信息!')
elif len(s.recorder) == 0:
msg.append('没有满足条件的会话录像需要清除!')
else:
record_removed = 0
for r in s.recorder:
if r.protocol_type == TP_PROTOCOL_TYPE_RDP:
path_remove = os.path.join(replay_path, 'rdp',
'{:09d}'.format(r.id))
elif r.protocol_type == TP_PROTOCOL_TYPE_SSH:
path_remove = os.path.join(replay_path, 'ssh',
'{:09d}'.format(r.id))
elif r.protocol_type == TP_PROTOCOL_TYPE_TELNET:
path_remove = os.path.join(replay_path, 'telnet',
'{:09d}'.format(r.id))
else:
have_error = True
msg.append('会话录像记录编号 {},未知远程访问协议!'.format(r.id))
continue
if os.path.exists(path_remove):
# print('remove path', path_remove)
try:
shutil.rmtree(path_remove)
except:
have_error = True
msg.append('会话录像记录 {} 清除失败,无法删除目录 {}!'.format(
r.id, path_remove))
ss = SQL(db)
ss.delete_from('record').where(
'id={rid}'.format(rid=r.id))
ss.exec()
record_removed += 1
msg.append('{} 条会话录像数据已清除!'.format(record_removed))
if have_error:
return TPE_FAILED, msg
else:
return TPE_OK, msg
def create_users(handler, user_list, success, failed):
"""
批量创建用户
"""
db = get_db()
_time_now = tp_timestamp_sec()
operator = handler.get_current_user()
name_list = list()
s = SQL(db)
for i in range(len(user_list)):
user = user_list[i]
if 'type' not in user:
user['type'] = TP_USER_TYPE_LOCAL
if 'ldap_dn' not in user:
user['ldap_dn'] = ''
err = s.reset().select_from('user', ['id']).where(
'user.username="******"'.format(user['username'])).query()
if err != TPE_OK:
failed.append({'line': user['_line'], 'error': '数据库查询失败'})
if len(s.recorder) > 0:
failed.append({
'line': user['_line'],
'error': '账号 `{}` 已经存在'.format(user['username'])
})
continue
if user['type'] == TP_USER_TYPE_LOCAL:
_password = tp_password_generate_secret(user['password'])
else:
_password = ''
sql = 'INSERT INTO `{}user` (' \
'`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, ' \
'`state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \
') VALUES (' \
'0, "{username}", "{surname}", {user_type}, "{ldap_dn}", 0, "{password}", ' \
'{state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \
''.format(db.table_prefix, username=user['username'], surname=user['surname'], user_type=user['type'],
ldap_dn=user['ldap_dn'], password=_password, state=TP_STATE_NORMAL, email=user['email'],
creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now,
desc=user['desc'])
db_ret = db.exec(sql)
if not db_ret:
failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'})
continue
success.append(user['username'])
name_list.append(user['username'])
user['_id'] = db.last_insert_id()
if len(name_list) > 0:
syslog.sys_log(operator, handler.request.remote_ip, TPE_OK,
"批量导入方式创建用户:{}".format(','.join(name_list)))
# tp_stats().user_counter_change(len(name_list))
# calc count of users.
err, cnt = s.reset().count('user')
if err == TPE_OK:
tp_stats().user_counter_change(cnt)
def post(self):
# time_now = int(datetime.datetime.timestamp())
self.write_json(TPE_OK, data=tp_timestamp_sec())
