def create(handler, gtype, name, desc): if gtype not in TP_GROUP_TYPES: return TPE_PARAM, 0 db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(dbtp=db.table_prefix, gtype=gtype, gname=name) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 operator = handler.get_current_user() # 2. 插入记录 sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \ '({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \ ''.format(dbtp=db.table_prefix, gtype=gtype, gname=name, creator_id=operator['id'], create_time=_time_now, desc=desc) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name)) return TPE_OK, _id
def create(handler, gtype, name, desc): if gtype not in TP_GROUP_TYPES: return TPE_PARAM, 0 db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format( dbtp=db.table_prefix, gtype=gtype, gname=name) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 operator = handler.get_current_user() # 2. 插入记录 sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`, `desc`) VALUES ' \ '({gtype}, "{gname}", {creator_id}, {create_time}, "{desc}");' \ ''.format(dbtp=db.table_prefix, gtype=gtype, gname=name, creator_id=operator['id'], create_time=_time_now, desc=desc) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log( operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=name)) return TPE_OK, _id
def add_host(handler, args): """ 添加一个远程主机 """ db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断此主机是否已经存在了 if len(args['router_ip']) > 0: sql = 'SELECT id FROM {}host WHERE ip="{}" OR (router_ip="{}" AND router_port={});'.format(db.table_prefix, args['ip'], args['router_ip'], args['router_port']) else: sql = 'SELECT id FROM {}host WHERE ip="{}";'.format(db.table_prefix, args['ip']) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}host` (`type`, `os_type`, `name`, `ip`, `router_ip`, `router_port`, `state`, `creator_id`, `create_time`, `cid`, `desc`) VALUES ' \ '(1, {os_type}, "{name}", "{ip}", "{router_ip}", {router_port}, {state}, {creator_id}, {create_time}, "{cid}", "{desc}");' \ ''.format(db.table_prefix, os_type=args['os_type'], name=args['name'], ip=args['ip'], router_ip=args['router_ip'], router_port=args['router_port'], state=TP_STATE_NORMAL, creator_id=handler.get_current_user()['id'], create_time=_time_now, cid=args['cid'], desc=args['desc']) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() h_name = args['ip'] if len(args['router_ip']) > 0: h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建主机:{}".format(h_name)) tp_stats().host_counter_change(1) return TPE_OK, _id
def make_groups(handler, gtype, glist, failed): """ 根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() name_list = list() for g in glist: sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format(dbtp=db.table_prefix, gtype=gtype, gname=g) db_ret = db.query(sql) if db_ret is None or len(db_ret) == 0: # need create group. sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \ '({gtype}, "{name}", {creator_id}, {create_time});' \ ''.format(dbtp=db.table_prefix, gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: failed.append({'line': 0, 'error': '创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format(gtype=TP_GROUP_TYPES[gtype], gname=g)}) continue glist[g] = db.last_insert_id() name_list.append(g) else: glist[g] = db_ret[0][0] syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=','.join(name_list))) return TPE_OK
def create_users(handler, user_list, success, failed): """ 批量创建用户 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() name_list = list() s = SQL(db) for i in range(len(user_list)): user = user_list[i] if 'type' not in user: user['type'] = TP_USER_TYPE_LOCAL if 'ldap_dn' not in user: user['ldap_dn'] = '' err = s.reset().select_from('user', ['id']).where('user.username="******"'.format(user['username'])).query() if err != TPE_OK: failed.append({'line': user['_line'], 'error': '数据库查询失败'}) if len(s.recorder) > 0: failed.append({'line': user['_line'], 'error': '账号 `{}` 已经存在'.format(user['username'])}) continue if user['type'] == TP_USER_TYPE_LOCAL: _password = tp_password_generate_secret(user['password']) else: _password = '' sql = 'INSERT INTO `{}user` (' \ '`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, ' \ '`state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \ ') VALUES (' \ '0, "{username}", "{surname}", {user_type}, "{ldap_dn}", 0, "{password}", ' \ '{state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \ ''.format(db.table_prefix, username=user['username'], surname=user['surname'], user_type=user['type'], ldap_dn=user['ldap_dn'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now, desc=user['desc']) db_ret = db.exec(sql) if not db_ret: failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'}) continue success.append(user['username']) name_list.append(user['username']) user['_id'] = db.last_insert_id() if len(name_list) > 0: syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "批量导入方式创建用户:{}".format(','.join(name_list))) # tp_stats().user_counter_change(len(name_list)) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt)
def update_login_info(handler, user_id): db = get_db() _time_now = tp_timestamp_utc_now() sql = 'UPDATE `{}user` SET fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time}, login_ip="{ip}" WHERE id={user_id};' \ ''.format(db.table_prefix, login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id ) if db.exec(sql): return TPE_OK else: return TPE_DATABASE
def create_user(handler, user): """ 创建一个用户账号 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() if 'type' not in user: user['type'] = TP_USER_TYPE_LOCAL if 'ldap_dn' not in user: user['ldap_dn'] = '' # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('user', ['id']).where( 'user.username="******"'.format(user['username'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # _password = tp_password_generate_secret(user['password']) if user['type'] == TP_USER_TYPE_LOCAL: _password = tp_password_generate_secret(user['password']) else: _password = '' sql = 'INSERT INTO `{}user` (' \ '`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \ '`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \ ') VALUES (' \ '{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \ '"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \ ''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'], user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now, desc=user['desc']) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建用户:{}".format(user['username'])) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt) return TPE_OK, _id
def add_account(handler, host_id, args): """ 添加一个远程账号 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {}acc WHERE host_id={} AND protocol_port={} AND username="******" AND auth_type={};'.format( db.table_prefix, host_id, args['protocol_port'], args['username'], args['auth_type']) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}acc` (host_id, host_ip, router_ip, router_port, protocol_type, protocol_port, state, auth_type, username, username_prompt, password_prompt, password, pri_key, creator_id, create_time) VALUES ' \ '({host_id}, "{host_ip}", "{router_ip}", {router_port}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{username_prompt}", "{password_prompt}", "{password}", "{pri_key}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, host_id=host_id, host_ip=args['host_ip'], router_ip=args['router_ip'], router_port=args['router_port'], protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL, auth_type=args['auth_type'], username=args['username'], username_prompt=args['username_prompt'], password_prompt=args['password_prompt'], password=args['password'], pri_key=args['pri_key'], creator_id=operator['id'], create_time=_time_now) # sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \ # '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \ # ''.format(db.table_prefix, # host_id=host_id, # protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL, # auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'], # creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() acc_name = '{}@{}'.format(args['username'], args['host_ip']) if len(args['router_ip']) > 0: acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建账号:{}".format(acc_name)) # 更新主机相关账号数量 sql = 'UPDATE `{}host` SET acc_count=acc_count+1 WHERE id={host_id};' \ ''.format(db.table_prefix, host_id=host_id) db_ret = db.exec(sql) # if not db_ret: # return TPE_DATABASE, 0 tp_stats().acc_counter_change(1) return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password): _time_now = tp_timestamp_utc_now() self._db_exec( '设定数据库版本', 'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");' .format(self.db.table_prefix, self.db.DB_VERSION)) self._db_exec( '设置本地核心服务', 'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES ' '("0000", "", "127.0.0.1", 52080, 1);' ''.format(self.db.table_prefix)) privilege_admin = TP_PRIVILEGE_ALL privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT self._db_exec('创建默认角色', [ 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(1, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='系统管理员', privilege=privilege_admin, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(2, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='运维人员', privilege=privilege_ops, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(3, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='审计员', privilege=privilege_audit, create_time=_time_now) ]) self._db_exec( '创建系统管理员账号', 'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES ' '(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});' ''.format(self.db.table_prefix, auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, username=sysadmin, surname=sysadmin, password=tp_password_generate_secret(password), state=TP_STATE_NORMAL, email=email, create_time=_time_now, last_login=_time_now, last_chpass=_time_now))
def update_temp_locked_user_state(): sys_cfg = tp_cfg().sys if sys_cfg.login.lock_timeout == 0: return _lock_time = tp_timestamp_utc_now() - (sys_cfg.login.lock_timeout * 60) db = get_db() if db.need_create or db.need_upgrade: return sql = 'UPDATE `{}user` SET state={new_state}, lock_time=0, fail_count=0 WHERE (state={old_state} AND lock_time<{lock_time});' \ ''.format(db.table_prefix, new_state=TP_STATE_NORMAL, old_state=TP_STATE_LOCKED, lock_time=_lock_time) db.exec(sql)
def create_users(handler, user_list, success, failed): """ 批量创建用户 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() name_list = list() s = SQL(db) for i in range(len(user_list)): user = user_list[i] err = s.reset().select_from('user', ['id']).where( 'user.username="******"'.format(user['username'])).query() if err != TPE_OK: failed.append({'line': user['_line'], 'error': '数据库查询失败'}) if len(s.recorder) > 0: failed.append({ 'line': user['_line'], 'error': '账号 `{}` 已经存在'.format(user['username']) }) continue _password = tp_password_generate_secret(user['password']) sql = 'INSERT INTO `{}user` (`type`, `auth_type`, `password`, `username`, `surname`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`) VALUES ' \ '(1, 0, "{password}", "{username}", "{surname}", 0, {state}, "{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \ ''.format(db.table_prefix, username=user['username'], surname=user['surname'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=0, desc=user['desc']) db_ret = db.exec(sql) if not db_ret: failed.append({'line': user['_line'], 'error': '写入数据库时发生错误'}) continue success.append(user['username']) name_list.append(user['username']) user['_id'] = db.last_insert_id() if len(name_list) > 0: syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "批量导入方式创建用户:{}".format(','.join(name_list))) # tp_stats().user_counter_change(len(name_list)) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt)
def create_user(handler, user): """ 创建一个用户账号 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() if 'type' not in user: user['type'] = TP_USER_TYPE_LOCAL if 'ldap_dn' not in user: user['ldap_dn'] = '' # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('user', ['id']).where('user.username="******"'.format(user['username'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # _password = tp_password_generate_secret(user['password']) if user['type'] == TP_USER_TYPE_LOCAL: _password = tp_password_generate_secret(user['password']) else: _password = '' sql = 'INSERT INTO `{}user` (' \ '`role_id`, `username`, `surname`, `type`, `ldap_dn`, `auth_type`, `password`, `state`, ' \ '`email`, `creator_id`, `create_time`, `last_login`, `last_chpass`, `desc`' \ ') VALUES (' \ '{role}, "{username}", "{surname}", {user_type}, "{ldap_dn}", {auth_type}, "{password}", {state}, ' \ '"{email}", {creator_id}, {create_time}, {last_login}, {last_chpass}, "{desc}");' \ ''.format(db.table_prefix, role=user['role'], username=user['username'], surname=user['surname'], user_type=user['type'], ldap_dn=user['ldap_dn'], auth_type=user['auth_type'], password=_password, state=TP_STATE_NORMAL, email=user['email'], creator_id=operator['id'], create_time=_time_now, last_login=0, last_chpass=_time_now, desc=user['desc']) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建用户:{}".format(user['username'])) # calc count of users. err, cnt = s.reset().count('user') if err == TPE_OK: tp_stats().user_counter_change(cnt) return TPE_OK, _id
def update_login_info(handler, user_id): db = get_db() _time_now = tp_timestamp_utc_now() sql = 'UPDATE `{}user` SET ' \ 'fail_count=0, last_login=login_time, last_ip=login_ip, login_time={login_time},' \ ' login_ip="{ip}" WHERE id={user_id};' \ ''.format(db.table_prefix, login_time=_time_now, ip=handler.request.remote_ip, user_id=user_id ) if db.exec(sql): return TPE_OK else: return TPE_DATABASE
def add_account(handler, host_id, args): """ 添加一个远程账号 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {}acc WHERE host_id={} AND protocol_port={} AND username="******" AND auth_type={};'.format(db.table_prefix, host_id, args['protocol_port'], args['username'], args['auth_type']) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}acc` (host_id, host_ip, router_ip, router_port, protocol_type, protocol_port, state, auth_type, username, username_prompt, password_prompt, password, pri_key, creator_id, create_time) VALUES ' \ '({host_id}, "{host_ip}", "{router_ip}", {router_port}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{username_prompt}", "{password_prompt}", "{password}", "{pri_key}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, host_id=host_id, host_ip=args['host_ip'], router_ip=args['router_ip'], router_port=args['router_port'], protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL, auth_type=args['auth_type'], username=args['username'], username_prompt=args['username_prompt'], password_prompt=args['password_prompt'], password=args['password'], pri_key=args['pri_key'], creator_id=operator['id'], create_time=_time_now) # sql = 'INSERT INTO `{}acc` (host_id, protocol_type, protocol_port, state, auth_type, username, password, pri_key, creator_id, create_time) VALUES ' \ # '({host_id}, {protocol_type}, {protocol_port}, {state}, {auth_type}, "{username}", "{password}", "{pri_key}", {creator_id}, {create_time});' \ # ''.format(db.table_prefix, # host_id=host_id, # protocol_type=args['protocol_type'], protocol_port=args['protocol_port'], state=TP_STATE_NORMAL, # auth_type=args['auth_type'], username=args['username'], password=args['password'], pri_key=args['pri_key'], # creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() acc_name = '{}@{}'.format(args['username'], args['host_ip']) if len(args['router_ip']) > 0: acc_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建账号:{}".format(acc_name)) # 更新主机相关账号数量 sql = 'UPDATE `{}host` SET acc_count=acc_count+1 WHERE id={host_id};' \ ''.format(db.table_prefix, host_id=host_id) db_ret = db.exec(sql) # if not db_ret: # return TPE_DATABASE, 0 tp_stats().acc_counter_change(1) return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password): _time_now = tp_timestamp_utc_now() self._db_exec( '设定数据库版本', 'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");'.format(self.db.table_prefix, self.db.DB_VERSION) ) self._db_exec( '设置本地核心服务', 'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES ' '("0000", "", "127.0.0.1", 52080, 1);' ''.format(self.db.table_prefix) ) privilege_admin = TP_PRIVILEGE_ALL privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT self._db_exec( '创建默认角色', [ 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(1, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='系统管理员', privilege=privilege_admin, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(2, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='运维人员', privilege=privilege_ops, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(3, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='审计员', privilege=privilege_audit, create_time=_time_now) ] ) self._db_exec( '创建系统管理员账号', 'INSERT INTO `{}user` (`type`, `auth_type`, `username`, `surname`, `password`, `role_id`, `state`, `email`, `creator_id`, `create_time`, `last_login`, `last_chpass`) VALUES ' '(1, {auth_type}, "{username}", "{surname}", "{password}", 1, {state}, "{email}", 0, {create_time}, {last_login}, {last_chpass});' ''.format(self.db.table_prefix, auth_type=TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, username=sysadmin, surname=sysadmin, password=tp_password_generate_secret(password), state=TP_STATE_NORMAL, email=email, create_time=_time_now, last_login=_time_now, last_chpass=_time_now) )
def generate_reset_password_token(handler, user_id): db = get_db() operator = handler.get_current_user() s = SQL(db) _time_now = tp_timestamp_utc_now() # 0. query user's email by user_id err = s.select_from('user', ['email'], alt_name='u').where( 'u.id={user_id}'.format(user_id=user_id)).query() if err != TPE_OK: return err, None, None if len(s.recorder) == 0: return TPE_DATABASE, None, None email = s.recorder[0].email # 1. clean all timed out tokens. s.reset().delete_from('user_rpt').where( 'create_time<{}'.format(_time_now - 24 * 60 * 60)).exec() # 2. find out if this user already have a token. err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where( 'u.user_id={}'.format(user_id)).query() if err != TPE_OK: return err, None, None token = tp_generate_random(16) if len(s.recorder) == 0: sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \ '({user_id}, "{token}", {create_time});' \ ''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None else: sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \ ''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None # syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name)) return TPE_OK, email, token
def session_begin(sid, user_id, host_id, acc_id, user_username, acc_username, host_ip, conn_ip, conn_port, client_ip, auth_type, protocol_type, protocol_sub_type): db = get_db() sql = 'INSERT INTO `{}record` (sid,user_id,host_id,acc_id,state,user_username,host_ip,conn_ip,conn_port,client_ip,acc_username,auth_type,protocol_type,protocol_sub_type,time_begin,time_end) ' \ 'VALUES ("{sid}",{user_id},{host_id},{acc_id},0,"{user_username}","{host_ip}","{conn_ip}",{conn_port},"{client_ip}","{acc_username}",{auth_type},{protocol_type},{protocol_sub_type},{time_begin},0)' \ ';'.format(db.table_prefix, sid=sid, user_id=user_id, host_id=host_id, acc_id=acc_id, user_username=user_username, host_ip=host_ip, conn_ip=conn_ip, conn_port=conn_port, client_ip=client_ip, acc_username=acc_username, auth_type=auth_type, protocol_type=protocol_type, protocol_sub_type=protocol_sub_type, time_begin=tp_timestamp_utc_now()) ret = db.exec(sql) if not ret: return TPE_DATABASE, 0 record_id = db.last_insert_id() if record_id == -1: return TPE_DATABASE, 0 else: return TPE_OK, record_id
def sys_log(operator, client_ip, code, message=""): try: db = get_db() sql = 'INSERT INTO `{}syslog` (user_name,user_surname,client_ip,code,log_time,message) ' \ 'VALUES ("{user_name}","{user_surname}","{client_ip}",{code},{log_time},"{message}")' \ ';'.format(db.table_prefix, user_name=operator['username'], user_surname=operator['surname'], client_ip=client_ip, code=code, log_time=tp_timestamp_utc_now(), message=message ) ret = db.exec(sql) if not ret: return TPE_DATABASE return TPE_OK except: log.e('\n') return TPE_DATABASE
def make_groups(handler, gtype, glist, failed): """ 根据传入的组列表,查询每个组的名称对应的id,如果没有,则创建之 """ db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() name_list = list() for g in glist: sql = 'SELECT id FROM {dbtp}group WHERE type={gtype} AND name="{gname}";'.format( dbtp=db.table_prefix, gtype=gtype, gname=g) db_ret = db.query(sql) if db_ret is None or len(db_ret) == 0: # need create group. sql = 'INSERT INTO `{dbtp}group` (`type`, `name`, `creator_id`, `create_time`) VALUES ' \ '({gtype}, "{name}", {creator_id}, {create_time});' \ ''.format(dbtp=db.table_prefix, gtype=gtype, name=g, creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: failed.append({ 'line': 0, 'error': '创建{gtype} `{gname}` 失败,写入数据库时发生错误'.format( gtype=TP_GROUP_TYPES[gtype], gname=g) }) continue glist[g] = db.last_insert_id() name_list.append(g) else: glist[g] = db_ret[0][0] syslog.sys_log( operator, handler.request.remote_ip, TPE_OK, "创建{gtype}:{gname}".format(gtype=TP_GROUP_TYPES[gtype], gname=','.join(name_list))) return TPE_OK
def generate_reset_password_token(handler, user_id): db = get_db() operator = handler.get_current_user() s = SQL(db) _time_now = tp_timestamp_utc_now() # 0. query user's email by user_id err = s.select_from('user', ['email'], alt_name='u').where('u.id={user_id}'.format(user_id=user_id)).query() if err != TPE_OK: return err, None, None if len(s.recorder) == 0: return TPE_DATABASE, None, None email = s.recorder[0].email # 1. clean all timed out tokens. s.reset().delete_from('user_rpt').where('create_time<{}'.format(_time_now - 24 * 60 * 60)).exec() # 2. find out if this user already have a token. err = s.reset().select_from('user_rpt', ['id'], alt_name='u').where('u.user_id={}'.format(user_id)).query() if err != TPE_OK: return err, None, None token = tp_generate_random(16) if len(s.recorder) == 0: sql = 'INSERT INTO `{dbtp}user_rpt` (user_id, token, create_time) VALUES ' \ '({user_id}, "{token}", {create_time});' \ ''.format(dbtp=db.table_prefix, user_id=user_id, token=token, create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None else: sql = 'UPDATE `{dbtp}user_rpt` SET token="{token}", create_time={create_time} WHERE user_id={user_id};' \ ''.format(dbtp=db.table_prefix, token=token, create_time=_time_now, user_id=user_id) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, None, None # syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "为用户 {} 手动重置了密码".format(name)) return TPE_OK, email, token
def update_fail_count(handler, user_info): db = get_db() sys_cfg = tp_cfg().sys sql_list = [] is_locked = False fail_count = user_info.fail_count + 1 sql = 'UPDATE `{}user` SET fail_count={count} WHERE id={uid};' \ ''.format(db.table_prefix, count=fail_count, uid=user_info.id) sql_list.append(sql) if sys_cfg.login.retry != 0 and fail_count >= sys_cfg.login.retry: is_locked = True sql = 'UPDATE `{}user` SET state={state}, lock_time={lock_time} WHERE id={uid};' \ ''.format(db.table_prefix, state=TP_STATE_LOCKED, lock_time=tp_timestamp_utc_now(), uid=user_info.id) sql_list.append(sql) if db.transaction(sql_list): return TPE_OK, is_locked else: return TPE_DATABASE, is_locked
def add_host(handler, args): """ 添加一个远程主机 """ db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断此主机是否已经存在了 if len(args['router_ip']) > 0: sql = 'SELECT id FROM {}host WHERE ip="{}" OR (router_ip="{}" AND router_port={});'.format( db.table_prefix, args['ip'], args['router_ip'], args['router_port']) else: sql = 'SELECT id FROM {}host WHERE ip="{}";'.format( db.table_prefix, args['ip']) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}host` (`type`, `os_type`, `name`, `ip`, `router_ip`, `router_port`, `state`, `creator_id`, `create_time`, `cid`, `desc`) VALUES ' \ '(1, {os_type}, "{name}", "{ip}", "{router_ip}", {router_port}, {state}, {creator_id}, {create_time}, "{cid}", "{desc}");' \ ''.format(db.table_prefix, os_type=args['os_type'], name=args['name'], ip=args['ip'], router_ip=args['router_ip'], router_port=args['router_port'], state=TP_STATE_NORMAL, creator_id=handler.get_current_user()['id'], create_time=_time_now, cid=args['cid'], desc=args['desc']) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() h_name = args['ip'] if len(args['router_ip']) > 0: h_name += '(由{}:{}路由)'.format(args['router_ip'], args['router_port']) syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建主机:{}".format(h_name)) tp_stats().host_counter_change(1) return TPE_OK, _id
def add_members(handler, policy_id, policy_type, ref_type, members): # step 1: select exists rid. s = SQL(get_db()) s.select_from('audit_auz', ['rid'], alt_name='p') _where = list() _where.append('p.policy_id={}'.format(policy_id)) _where.append('p.type={}'.format(policy_type)) _where.append('p.rtype={}'.format(ref_type)) s.where('( {} )'.format(' AND '.join(_where))) err = s.query() if err != TPE_OK: return err exists_ids = [r['rid'] for r in s.recorder] operator = handler.get_current_user() db = get_db() _time_now = tp_timestamp_utc_now() sql = [] # for uid in members: # sql.append('INSERT INTO `{}group_map` (type, gid, mid) VALUES ({}, {}, {});'.format(db.table_prefix, gtype, gid, uid)) # print(args['members']) for m in members: if m['id'] in exists_ids: continue str_sql = 'INSERT INTO `{}audit_auz` (policy_id, type, rtype, rid, `name`, creator_id, create_time) VALUES ' \ '({pid}, {t}, {rtype}, {rid}, "{name}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, pid=policy_id, t=policy_type, rtype=ref_type, rid=m['id'], name=m['name'], creator_id=operator['id'], create_time=_time_now) sql.append(str_sql) if db.transaction(sql): # return TPE_OK return policy.rebuild_audit_auz_map() else: return TPE_DATABASE
def create_policy(handler, args): """ 创建一个授权策略 """ db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('audit_policy', ['id']).where( 'audit_policy.name="{}"'.format(args['name'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # 2. get total count sql = 'SELECT COUNT(*) FROM {}audit_policy'.format(db.table_prefix) db_ret = db.query(sql) if not db_ret or len(db_ret) == 0: return TPE_DATABASE, 0 rank = db_ret[0][0] + 1 sql = 'INSERT INTO `{}audit_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \ '({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, rank=rank, name=args['name'], desc=args['desc'], creator_id=handler.get_current_user()['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建审计授权策略:{}".format(args['name'])) return TPE_OK, _id
def check_reset_token(token): db = get_db() # s = SQL(db) _time_now = tp_timestamp_utc_now() # 0. remove expired token (after 3 days) sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format(dbtp=db.table_prefix, dbph=db.place_holder) db.exec(sql, (_time_now - 3 * 24 * 60 * 60,)) # 1. query user's id sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format(dbtp=db.table_prefix, dbph=db.place_holder) db_ret = db.query(sql, (token,)) if db_ret is None or len(db_ret) == 0: return TPE_NOT_EXISTS, 0 user_id = db_ret[0][0] create_time = db_ret[0][1] if _time_now - create_time > 24 * 60 * 60: return TPE_EXPIRED, user_id else: return TPE_OK, user_id
def add_role(handler, role_name, privilege): db = get_db() _time_now = tp_timestamp_utc_now() operator = handler.get_current_user() # 1. 判断是否已经存在了 sql = 'SELECT id FROM {}role WHERE name="{name}";'.format(db.table_prefix, name=role_name) db_ret = db.query(sql) if db_ret is not None and len(db_ret) > 0: return TPE_EXISTS, 0 sql = 'INSERT INTO `{}role` (name, privilege, creator_id, create_time) VALUES ' \ '("{name}", {privilege}, {creator_id}, {create_time});' \ ''.format(db.table_prefix, name=role_name, privilege=privilege, creator_id=operator['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(operator, handler.request.remote_ip, TPE_OK, "创建角色:{}".format(role_name)) return TPE_OK, _id
def create_policy(handler, args): """ 创建一个授权策略 """ db = get_db() _time_now = tp_timestamp_utc_now() # 1. 判断此账号是否已经存在了 s = SQL(db) err = s.reset().select_from('ops_policy', ['id']).where('ops_policy.name="{}"'.format(args['name'])).query() if err != TPE_OK: return err, 0 if len(s.recorder) > 0: return TPE_EXISTS, 0 # 2. get total count sql = 'SELECT COUNT(*) FROM {}ops_policy'.format(db.table_prefix) db_ret = db.query(sql) if not db_ret or len(db_ret) == 0: return TPE_DATABASE, 0 rank = db_ret[0][0] + 1 sql = 'INSERT INTO `{}ops_policy` (`rank`, `name`, `desc`, `creator_id`, `create_time`) VALUES ' \ '({rank}, "{name}", "{desc}", {creator_id}, {create_time});' \ ''.format(db.table_prefix, rank=rank, name=args['name'], desc=args['desc'], creator_id=handler.get_current_user()['id'], create_time=_time_now) db_ret = db.exec(sql) if not db_ret: return TPE_DATABASE, 0 _id = db.last_insert_id() syslog.sys_log(handler.get_current_user(), handler.request.remote_ip, TPE_OK, "创建运维授权策略:{}".format(args['name'])) return TPE_OK, _id
def _make_builtin_data(self, sysadmin, email, password): _time_now = tp_timestamp_utc_now() self._db_exec( '设定数据库版本', 'INSERT INTO `{}config` (`name`, `value`) VALUES ("db_ver", "{}");' .format(self.db.table_prefix, self.db.DB_VERSION)) self._db_exec( '设置本地核心服务', 'INSERT INTO `{}core_server` (`sn`, `secret`, `ip`, `port`, `state`) VALUES ' '("0000", "", "127.0.0.1", 52080, 1);' ''.format(self.db.table_prefix)) privilege_admin = TP_PRIVILEGE_ALL privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT self._db_exec('创建默认角色', [ 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(1, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='系统管理员', privilege=privilege_admin, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(2, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='运维人员', privilege=privilege_ops, create_time=_time_now), 'INSERT INTO `{}role` (`id`, `name`, `privilege`, `creator_id`, `create_time`) VALUES ' '(3, "{name}", {privilege}, 0, {create_time});' ''.format(self.db.table_prefix, name='审计员', privilege=privilege_audit, create_time=_time_now) ])
def check_reset_token(token): db = get_db() # s = SQL(db) _time_now = tp_timestamp_utc_now() # 0. remove expired token (after 3 days) sql = 'DELETE FROM `{dbtp}user_rpt` WHERE create_time<{dbph};'.format( dbtp=db.table_prefix, dbph=db.place_holder) db.exec(sql, (_time_now - 3 * 24 * 60 * 60, )) # 1. query user's id sql = 'SELECT user_id, create_time FROM `{dbtp}user_rpt` WHERE token={dbph};'.format( dbtp=db.table_prefix, dbph=db.place_holder) db_ret = db.query(sql, (token, )) if db_ret is None or len(db_ret) == 0: return TPE_NOT_EXISTS, 0 user_id = db_ret[0][0] create_time = db_ret[0][1] if _time_now - create_time > 24 * 60 * 60: return TPE_EXPIRED, user_id else: return TPE_OK, user_id
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) if err != TPE_OK: # if err == TPE_NOT_EXISTS: # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, # '用户身份验证失败,用户`{}`不存在'.format(username)) return err, None if user_info.privilege == 0: # 尚未为此用户设置角色 return TPE_PRIVILEGE, None if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_utc_now() - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') return TPE_USER_LOCKED, None elif user_info['state'] == TP_STATE_DISABLED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') return TPE_USER_DISABLED, None elif user_info['state'] != TP_STATE_NORMAL: syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') return TPE_FAILED, None err_msg = '' if password is not None: if user_info['type'] == TP_USER_TYPE_LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_utc_now() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期') return TPE_USER_AUTH, None if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码') return TPE_USER_AUTH, None else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置') return TPE_USER_AUTH, None try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,{}'.format(err_msg)) return TPE_USER_AUTH, None except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误') return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误') return TPE_USER_AUTH, None if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, "登录失败,身份验证器动态验证码错误{}".format(err_msg)) return TPE_OATH_MISMATCH, None del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) if err != TPE_OK: # if err == TPE_NOT_EXISTS: # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, '用户身份验证失败,用户`{}`不存在'.format(username)) return err, None if user_info.privilege == 0: # 尚未为此用户设置角色 return TPE_PRIVILEGE, None if check_bind_oath == True and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_utc_now( ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') return TPE_USER_LOCKED, None elif user_info['state'] == TP_STATE_DISABLED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') return TPE_USER_DISABLED, None elif user_info['state'] != TP_STATE_NORMAL: syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') return TPE_FAILED, None err_msg = '' if password is not None: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: pass if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, "登录失败,身份验证器动态验证码错误{}".format(err_msg)) return TPE_OATH_MISMATCH, None del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info
def cleanup_storage(handler): # storage config sto = tp_cfg().sys.storage db = get_db() _now = tp_timestamp_utc_now() msg = [] have_error = False s = SQL(db) chk_time = _now - sto.keep_log * 24 * 60 * 60 if sto.keep_log > 0: # find out all sys-log to be remove s.select_from('syslog', ['id'], alt_name='s') s.where('s.log_time<{chk_time}'.format(chk_time=chk_time)) err = s.query() if err != TPE_OK: have_error = True msg.append('清理系统日志时发生错误:无法获取系统日志信息!') # return err, msg else: removed_log = len(s.recorder) if 0 == removed_log: msg.append('没有满足条件的系统日志需要清除!') else: s.reset().delete_from('syslog').where('log_time<{chk_time}'.format(chk_time=chk_time)) err = s.exec() if err != TPE_OK: have_error = True msg.append('清理系统日志时发生错误:无法清除指定的系统日志!') else: msg.append('{} 条系统日志已清除!'.format(removed_log)) if sto.keep_record > 0: core_cfg = tp_cfg().core if not core_cfg.detected: have_error = True msg.append('清除指定会话录像失败:未能检测到核心服务!') else: replay_path = core_cfg.replay_path if not os.path.exists(replay_path): have_error = True msg.append('清除指定会话录像失败:会话录像路径不存在({})!'.format(replay_path)) else: # find out all record to be remove s.reset().select_from('record', ['id', 'protocol_type'], alt_name='r') s.where('r.time_begin<{chk_time}'.format(chk_time=chk_time)) err = s.query() if err != TPE_OK: have_error = True msg.append('清除指定会话录像失败:无法获取会话录像信息!') elif len(s.recorder) == 0: msg.append('没有满足条件的会话录像需要清除!') else: record_removed = 0 for r in s.recorder: if r.protocol_type == TP_PROTOCOL_TYPE_RDP: path_remove = os.path.join(replay_path, 'rdp', '{:09d}'.format(r.id)) elif r.protocol_type == TP_PROTOCOL_TYPE_SSH: path_remove = os.path.join(replay_path, 'ssh', '{:09d}'.format(r.id)) elif r.protocol_type == TP_PROTOCOL_TYPE_TELNET: path_remove = os.path.join(replay_path, 'telnet', '{:09d}'.format(r.id)) else: have_error = True msg.append('会话录像记录编号 {},未知远程访问协议!'.format(r.id)) continue if os.path.exists(path_remove): # print('remove path', path_remove) try: shutil.rmtree(path_remove) except: have_error = True msg.append('会话录像记录 {} 清除失败,无法删除目录 {}!'.format(r.id, path_remove)) ss = SQL(db) ss.delete_from('record').where('id={rid}'.format(rid=r.id)) ss.exec() record_removed += 1 msg.append('{} 条会话录像数据已清除!'.format(record_removed)) if have_error: return TPE_FAILED, msg else: return TPE_OK, msg
def session_end(record_id, ret_code): db = get_db() sql = 'UPDATE `{}record` SET state={}, time_end={} WHERE id={};'.format(db.table_prefix, int(ret_code), tp_timestamp_utc_now(), int(record_id)) return db.exec(sql)
def session_fix(): db = get_db() if db.need_create or db.need_upgrade: return TPE_OK sql_list = [] sql = 'UPDATE `{dbtp}record` SET state={new_state}, time_end={time_end} WHERE state={old_state};' \ ''.format(dbtp=db.table_prefix, new_state=TP_SESS_STAT_ERR_RESET, old_state=TP_SESS_STAT_RUNNING, time_end=tp_timestamp_utc_now()) sql_list.append(sql) sql = 'UPDATE `{dbtp}record` SET state={new_state},time_end={time_end} WHERE state={old_state};' \ ''.format(dbtp=db.table_prefix, new_state=TP_SESS_STAT_ERR_START_RESET, old_state=TP_SESS_STAT_STARTED, time_end=tp_timestamp_utc_now()) sql_list.append(sql) return db.transaction(sql_list)
def login(handler, username, password=None, oath_code=None, check_bind_oath=False): sys_cfg = tp_cfg().sys err, user_info = get_by_username(username) if err != TPE_OK: # if err == TPE_NOT_EXISTS: # syslog.sys_log({'username': username, 'surname': username}, handler.request.remote_ip, TPE_NOT_EXISTS, # '用户身份验证失败,用户`{}`不存在'.format(username)) return err, None if user_info.privilege == 0: # 尚未为此用户设置角色 return TPE_PRIVILEGE, None if check_bind_oath and len(user_info['oath_secret']) != 0: return TPE_OATH_ALREADY_BIND, None if user_info['state'] == TP_STATE_LOCKED: # 用户已经被锁定,如果系统配置为一定时间后自动解锁,则更新一下用户信息 if sys_cfg.login.lock_timeout != 0: if tp_timestamp_utc_now( ) - user_info.lock_time > sys_cfg.login.lock_timeout * 60: user_info.fail_count = 0 user_info.state = TP_STATE_NORMAL if user_info['state'] == TP_STATE_LOCKED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_LOCKED, '登录失败,用户已被临时锁定') return TPE_USER_LOCKED, None elif user_info['state'] == TP_STATE_DISABLED: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_DISABLED, '登录失败,用户已被禁用') return TPE_USER_DISABLED, None elif user_info['state'] != TP_STATE_NORMAL: syslog.sys_log(user_info, handler.request.remote_ip, TPE_FAILED, '登录失败,用户状态异常') return TPE_FAILED, None err_msg = '' if password is not None: if user_info['type'] == TP_USER_TYPE_LOCAL: # 如果系统配置了密码有效期,则检查用户的密码是否失效 if sys_cfg.password.timeout != 0: _time_now = tp_timestamp_utc_now() if user_info['last_chpass'] + (sys_cfg.password.timeout * 60 * 60 * 24) < _time_now: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,用户密码已过期') return TPE_USER_AUTH, None if not tp_password_verify(password, user_info['password']): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None elif user_info['type'] == TP_USER_TYPE_LDAP: try: if len(tp_cfg().sys_ldap_password) == 0: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置,需要管理员密码') return TPE_USER_AUTH, None else: _ldap_password = tp_cfg().sys_ldap_password _ldap_server = tp_cfg().sys.ldap.server _ldap_port = tp_cfg().sys.ldap.port _ldap_base_dn = tp_cfg().sys.ldap.base_dn except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP未能正确配置') return TPE_USER_AUTH, None try: ldap = Ldap(_ldap_server, _ldap_port, _ldap_base_dn) ret, err_msg = ldap.valid_user(user_info['ldap_dn'], password) if ret != TPE_OK: if ret == TPE_USER_AUTH: err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定' syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,密码错误{}'.format(err_msg)) return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,{}'.format(err_msg)) return TPE_USER_AUTH, None except: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, 'LDAP用户登录失败,发生内部错误') return TPE_USER_AUTH, None else: syslog.sys_log(user_info, handler.request.remote_ip, TPE_USER_AUTH, '登录失败,系统内部错误') return TPE_USER_AUTH, None if oath_code is not None: # use oath if len(user_info['oath_secret']) == 0: return TPE_OATH_MISMATCH, None if not tp_oath_verify_code(user_info['oath_secret'], oath_code): err, is_locked = update_fail_count(handler, user_info) if is_locked: err_msg = ',用户已被临时锁定!' syslog.sys_log(user_info, handler.request.remote_ip, TPE_OATH_MISMATCH, "登录失败,身份验证器动态验证码错误{}".format(err_msg)) return TPE_OATH_MISMATCH, None del user_info['password'] del user_info['oath_secret'] if len(user_info['surname']) == 0: user_info['surname'] = user_info['username'] return TPE_OK, user_info