def filter_asset(cls, asset, queryset):
    """Narrow *queryset* to the ACL rows whose asset rules match *asset*.

    The hostname match (exact ``asset.hostname`` or the ``'*'`` wildcard) is
    pushed into the ORM filter; the IP match is then evaluated in Python with
    ``contains_ip`` against each row's ``ip_group`` rule.  The surviving
    primary keys are re-queried through ``cls.objects``.

    Presumably bound as a classmethod (first parameter is ``cls``) — confirm
    at the definition site, the decorator is not visible here.
    """
    by_hostname = queryset.filter(
        Q(assets__hostname_group__contains=asset.hostname)
        | Q(assets__hostname_group__contains='*')
    )
    matched_ids = []
    for row in by_hostname:
        # A row with no 'ip_group' rule is checked against an empty list,
        # which does not match any address.
        ip_rules = row.assets.get('ip_group', [])
        if contains_ip(asset.ip, ip_rules):
            matched_ids.append(row.id)
    return cls.objects.filter(id__in=matched_ids)
def allow_user_to_login(user, ip):
    """Decide whether *user* may log in from *ip* under the first valid login ACL.

    Returns True when the user has no valid ACL at all (no rule means no
    restriction), when an allow-ACL's ``ip_group`` contains *ip*, or when a
    reject-ACL's ``ip_group`` does not contain it.  Every other case returns
    False.  Only the first ACL yielded by ``user.login_acls.valid()`` is
    consulted; later ones are ignored.
    """
    first_acl = user.login_acls.valid().first()
    if not first_acl:
        return True
    ip_matched = contains_ip(ip, first_acl.ip_group)
    # An allow-ACL must contain the address; a reject-ACL must not.
    permitted_by_allow = first_acl.action_allow and ip_matched
    permitted_by_reject = first_acl.action_reject and not ip_matched
    return bool(permitted_by_allow or permitted_by_reject)
def allow_user_confirm_if_need(user, ip):
    """Report whether a login from *ip* must go through reviewer confirmation.

    Looks up the user's first confirm-action ``LoginACL``; an ACL with no
    reviewers is treated as absent.  Returns ``(needs_confirm, acl)`` where
    ``needs_confirm`` is truthy only when both the ``ip_group`` rule and the
    ``time_period`` rule of that ACL match, and ``acl`` is None when no
    usable confirm ACL exists.
    """
    confirm_acls = LoginACL.filter_acl(user).filter(
        action=LoginACL.ActionChoices.confirm,
    )
    acl = confirm_acls.first()
    if not acl or not acl.reviewers.exists():
        # An ACL nobody can approve cannot require confirmation.
        return False, None
    ip_matched = contains_ip(ip, acl.rules.get('ip_group'))
    period_matched = contains_time_period(acl.rules.get('time_period'))
    return ip_matched and period_matched, acl
def match(cls, target_ip, protocol):
    """Return the first endpoint rule usable for *target_ip* over *protocol*.

    Rules are scanned in ``cls.objects.all()`` order with their endpoint
    prefetched.  A rule is skipped when its ``ip_group`` does not contain
    *target_ip*, when it has no endpoint, or when the endpoint has no host or
    reports port 0 for *protocol*.  A rule whose endpoint ``is_default()``
    wins immediately without the host/port checks.  Returns None when no
    rule qualifies.
    """
    candidates = cls.objects.all().prefetch_related('endpoint')
    for rule in candidates:
        if not contains_ip(target_ip, rule.ip_group):
            continue
        endpoint = rule.endpoint
        if not endpoint:
            continue
        if endpoint.is_default():
            return rule
        # A non-default endpoint must be reachable: a host and a non-zero port.
        if endpoint.host and endpoint.get_port(protocol) != 0:
            return rule
    return None
def allow_user_to_login(user, ip):
    """Evaluate the user's first non-confirm login ACL against *ip* and now.

    Returns ``(allow, reject_type)``.  With no applicable ACL the result is
    ``(True, '')``.  Otherwise the ACL "matches" when both its ``ip_group``
    and ``time_period`` rules are satisfied:

    * matched   -> follow the ACL's action (allow-ACL permits, reject-ACL denies);
    * unmatched -> invert it (an allow-ACL denies, a reject-ACL permits).

    On denial ``reject_type`` names the rule blamed for it, ``'ip'`` or
    ``'time'``; it is ``''`` whenever the login is permitted.
    """
    acl = LoginACL.filter_acl(user).exclude(
        action=LoginACL.ActionChoices.confirm,
    ).first()
    if not acl:
        return True, ''
    ip_matched = contains_ip(ip, acl.rules.get('ip_group'))
    period_matched = contains_time_period(acl.rules.get('time_period'))
    if ip_matched and period_matched:
        # Conditions met: the ACL's own action decides.
        allow = acl.action_allow
        # Both rules matched here, so a denial is always reported as 'ip'.
        reject_type = '' if allow else 'ip'
    else:
        # Conditions not met: an allow-ACL denies, a reject-ACL permits.
        allow = not acl.action_allow
        if allow:
            reject_type = ''
        else:
            reject_type = 'ip' if not ip_matched else 'time'
    return allow, reject_type
def ip_in_white_list(self):
    """Return whether ``self.ip`` is inside ``settings.SECURITY_LOGIN_IP_WHITE_LIST``."""
    white_list = settings.SECURITY_LOGIN_IP_WHITE_LIST
    return ip.contains_ip(self.ip, white_list)
def ip_in_black_list(self):
    """Return whether ``self.ip`` is inside ``settings.SECURITY_LOGIN_IP_BLACK_LIST``."""
    black_list = settings.SECURITY_LOGIN_IP_BLACK_LIST
    return ip.contains_ip(self.ip, black_list)