def post(self, request, *args, **kwargs):
session_ids = request.data
user_id = request.user.id
for session_id in session_ids:
if not is_session_approver(session_id, user_id):
return Response({}, status=status.HTTP_403_FORBIDDEN)
with tmp_to_root_org():
validated_session = kill_sessions(session_ids, request.user)
return Response({"ok": validated_session})
def create(self, request, *args, **kwargs):
serializer = super().get_serializer(data=request.data)
serializer.is_valid(raise_exception=True)
pk = kwargs.get('pk')
user = self.request.user
data = serializer.validated_data
instance_id = data.get('instance_id')
with tmp_to_root_org():
instance = get_object_or_404(SystemUser, pk=pk)
instance.set_temp_auth(instance_id, user, data)
return Response(serializer.data, status=201)
def init_assets(self):
from orgs.utils import tmp_to_root_org
self.all_nodes_assets_map = {}
self.nodes_assets_map = defaultdict(set)
with tmp_to_root_org():
queryset = Asset.objects.all().values_list('id', 'nodes__key')
invalid_assets = Asset.objects.filter(is_active=False)\
.values_list('id', flat=True)
self._invalid_assets = frozenset(invalid_assets)
for asset_id, key in queryset:
if not key:
continue
self.nodes_assets_map[key].add(asset_id)
def on_authbook_post_create(sender, instance, **kwargs):
# 去掉这个资产的管理用户
if instance.systemuser and instance.systemuser.is_admin_user:
with tmp_to_root_org():
deleted_count, other = AuthBook.objects.filter(
asset=instance.asset,
systemuser__type=SystemUser.Type.admin).exclude(
id=instance.id).delete()
logger.debug(
'Remove asset old admin user: {}'.format(deleted_count))
if not instance.systemuser:
instance.sync_to_system_user_account()
def _create_asset_permission(self):
with tmp_to_root_org():
asset_permission = AssetPermission.objects.filter(
id=self.ticket.id).first()
if asset_permission:
return asset_permission
approve_assets_id = self.ticket.meta.get('approve_assets', [])
approve_system_users_id = self.ticket.meta.get('approve_system_users',
[])
approve_actions = self.ticket.meta.get('approve_actions', Action.NONE)
approve_date_start = self.ticket.meta.get('approve_date_start')
approve_date_expired = self.ticket.meta.get('approve_date_expired')
permission_name = '{}({})'.format(
__('Created by ticket ({})'.format(self.ticket.title)),
str(self.ticket.id)[:4])
permission_comment = __('Created by the ticket, '
'ticket title: {}, '
'ticket applicant: {}, '
'ticket processor: {}, '
'ticket ID: {}'
''.format(self.ticket.title,
self.ticket.applicant_display,
self.ticket.processor_display,
str(self.ticket.id)))
permission_data = {
'id':
self.ticket.id,
'name':
permission_name,
'comment':
permission_comment,
'created_by':
'{}:{}'.format(str(self.__class__.__name__), str(self.ticket.id)),
'actions':
approve_actions,
'date_start':
approve_date_start,
'date_expired':
approve_date_expired,
}
with tmp_to_org(self.ticket.org_id):
asset_permission = AssetPermission.objects.create(
**permission_data)
asset_permission.users.add(self.ticket.applicant)
asset_permission.assets.set(approve_assets_id)
asset_permission.system_users.set(approve_system_users_id)
return asset_permission
def run_command_execution(cid, **kwargs):
with tmp_to_root_org():
execution = get_object_or_none(CommandExecution, id=cid)
if not execution:
logger.error("Not found the execution id: {}".format(cid))
return
with tmp_to_org(execution.run_as.org):
try:
os.environ.update({
"TERM_ROWS": kwargs.get("rows", ""),
"TERM_COLS": kwargs.get("cols", ""),
})
execution.run()
except SoftTimeLimitExceeded:
logger.error("Run time out")
def new(cls):
from .models import Node
from orgs.utils import tmp_to_root_org
with tmp_to_root_org():
all_nodes = Node.objects.all()
tree = cls()
tree.create_node(tag='', identifier='')
for node in all_nodes:
tree.create_node(
tag=node.value,
identifier=node.key,
parent=node.parent_key,
)
tree.init_assets()
return tree
def run_ansible_task(tid, callback=None, **kwargs):
"""
:param tid: is the tasks serialized data
:param callback: callback function name
:return:
"""
with tmp_to_root_org():
task = get_object_or_none(Task, id=tid)
if not task:
logger.error("No task found")
return
with tmp_to_org(task.org):
result = task.run()
if callback is not None:
subtask(callback).delay(result, task_name=task.name)
return result
def _create_application_permission(self):
with tmp_to_root_org():
application_permission = ApplicationPermission.objects.filter(
id=self.ticket.id).first()
if application_permission:
return application_permission
apply_category = self.ticket.meta.get('apply_category')
apply_type = self.ticket.meta.get('apply_type')
apply_permission_name = self.ticket.meta.get('apply_permission_name',
'')
apply_applications = self.ticket.meta.get('apply_applications', [])
apply_system_users = self.ticket.meta.get('apply_system_users', [])
apply_date_start = self.ticket.meta.get('apply_date_start')
apply_date_expired = self.ticket.meta.get('apply_date_expired')
permission_created_by = '{}:{}'.format(
str(self.ticket.__class__.__name__), str(self.ticket.id))
permission_comment = _('Created by the ticket, '
'ticket title: {}, '
'ticket applicant: {}, '
'ticket processor: {}, '
'ticket ID: {}').format(
self.ticket.title,
self.ticket.applicant_display, ','.join([
i['processor_display']
for i in self.ticket.process_map
]), str(self.ticket.id))
permissions_data = {
'id': self.ticket.id,
'name': apply_permission_name,
'from_ticket': True,
'category': apply_category,
'type': apply_type,
'comment': str(permission_comment),
'created_by': permission_created_by,
'date_start': apply_date_start,
'date_expired': apply_date_expired,
}
with tmp_to_org(self.ticket.org_id):
application_permission = ApplicationPermission.objects.create(
**permissions_data)
application_permission.users.add(self.ticket.applicant)
application_permission.applications.set(apply_applications)
application_permission.system_users.set(apply_system_users)
return application_permission
def on_system_user_assets_change(instance, action, model, pk_set, **kwargs):
"""
当系统用户和资产关系发生变化时,应该重新推送系统用户到新添加的资产中
"""
logger.debug("System user assets change signal recv: {}".format(instance))
if not instance:
logger.debug('No system user found')
return
if model == Asset:
system_user_ids = [instance.id]
asset_ids = pk_set
else:
system_user_ids = pk_set
asset_ids = [instance.id]
org_id = instance.org_id
# 关联创建的 authbook 没有系统用户id
with tmp_to_root_org():
authbooks = AuthBook.objects.filter(asset_id__in=asset_ids,
systemuser_id__in=system_user_ids)
if action == POST_ADD:
authbooks.update(org_id=org_id)
save_action_mapper = {
'pre_add': pre_save,
'post_add': post_save,
'pre_remove': pre_delete,
'post_remove': post_delete
}
for ab in authbooks:
ab.org_id = org_id
save_action = save_action_mapper[action]
logger.debug('Send AuthBook post save signal: {} -> {}'.format(
action, ab.id))
save_action.send(sender=AuthBook, instance=ab, created=True)
if action == POST_ADD:
for system_user_id in system_user_ids:
push_system_user_to_assets.delay(system_user_id, asset_ids)
def new(cls):
from .models import Node
from orgs.utils import tmp_to_root_org
with tmp_to_root_org():
all_nodes = list(Node.objects.all().values("key", "value"))
all_nodes.sort(key=lambda x: len(x["key"].split(":")))
tree = cls()
tree.create_node(tag='', identifier='')
for node in all_nodes:
key = node["key"]
value = node["value"]
parent_key = ":".join(key.split(":")[:-1])
tree.create_node(
tag=value, identifier=key,
parent=parent_key,
)
tree.init_assets()
return tree
def test_admin_user_connectivity_period():
"""
A period task that update the ansible task period
"""
if not const.PERIOD_TASK_ENABLED:
logger.debug('Period task off, skip')
return
key = '_JMS_TEST_ADMIN_USER_CONNECTIVITY_PERIOD'
prev_execute_time = cache.get(key)
if prev_execute_time:
logger.debug(
"Test admin user connectivity, less than 40 minutes, skip")
return
cache.set(key, 1, 60 * 40)
with tmp_to_root_org():
admin_users = AdminUser.objects.all()
for admin_user in admin_users:
task_name = _("Test admin user connectivity period: {}").format(
admin_user.name)
test_admin_user_connectivity_util(admin_user, task_name)
cache.set(key, 1, 60 * 40)
def refresh_if_need(self, force=False):
user = self.user
with tmp_to_root_org():
UserAssetGrantedTreeNodeRelation.objects.filter(user=user).exclude(org_id__in=self.org_ids).delete()
if force or self.have_need_refresh_orgs():
with UserGrantedTreeRebuildLock(user_id=user.id):
if force:
orgs = self.orgs
self.set_all_orgs_as_built()
else:
orgs = self.get_need_refresh_orgs_and_fill_up()
for org in orgs:
with tmp_to_org(org):
t_start = time.time()
logger.info(f'Rebuild user tree: user={self.user} org={current_org}')
utils = UserGrantedTreeBuildUtils(user)
utils.rebuild_user_granted_tree()
logger.info(
f'Rebuild user tree ok: cost={time.time() - t_start} user={self.user} org={current_org}')
def get_queryset(self):
with tmp_to_root_org():
return Ticket.objects.all()
def ticket(self):
with tmp_to_root_org():
return get_object_or_404(Ticket, pk=self.kwargs['pk'])
def dispatch(self, *args, **kwargs):
with tmp_to_root_org():
return super().dispatch(*args, **kwargs)
def match(self, request, *args, **kwargs):
with tmp_to_root_org():
return super().match(request, *args, **kwargs)
def on_node_update_or_created(sender, **kwargs):
# 刷新节点
Node.refresh_nodes()
with tmp_to_root_org():
Node.refresh_nodes()
def all(cls):
with tmp_to_root_org():
return Ticket.objects.all()
def get(self, request, *args, **kwargs):
with tmp_to_root_org():
return super().get(request, *args, **kwargs)
def get_online_sessions(self):
with tmp_to_root_org():
return Session.objects.filter(terminal=self, is_finished=False)
from perms import serializers
from perms.models import Action
logger = get_logger(__name__)
__all__ = [
'RefreshAssetPermissionCacheApi',
'UserGrantedAssetSystemUsersForAdminApi',
'ValidateUserAssetPermissionApi',
'GetUserAssetPermissionActionsApi',
'UserAssetPermissionsCacheApi',
'MyGrantedAssetSystemUsersApi',
]
@method_decorator(tmp_to_root_org(), name='get')
class GetUserAssetPermissionActionsApi(RetrieveAPIView):
permission_classes = (IsOrgAdminOrAppUser,)
serializer_class = serializers.ActionsSerializer
def get_user(self):
user_id = self.request.query_params.get('user_id', '')
user = get_object_or_404(User, id=user_id)
return user
def get_object(self):
asset_id = self.request.query_params.get('asset_id', '')
system_id = self.request.query_params.get('system_user_id', '')
try:
asset_id = uuid.UUID(asset_id)
def get_user_system_users(self):
from perms.utils import AssetPermissionUtil
user = self.request.user
with tmp_to_root_org():
util = AssetPermissionUtil(user)
return util.get_system_users()
def delete_related_models(self):
from orgs.utils import tmp_to_root_org
from tickets.models import TicketFlow
with tmp_to_root_org():
TicketFlow.objects.filter(org_id=self.id).delete()
def get_queryset(self):
with tmp_to_root_org():
user = self.request.user
qs = Session.objects.filter(user_id=user.id)
return qs
