def set_object_perm_endpoint(request): """ 设置文件对象的读写权限 :param request: WSGI request """ fields = (('*obj_id', int, (verify_pk, Objects)), ('*permission', str, (verify_in_array, ('private', 'public-read', 'public-read-write', 'authenticated')))) data = validate_post_data(request.data, fields) o = Objects.objects.select_related('bucket').select_related( 'bucket__bucket_region').get(obj_id=data['obj_id']) if o.type == 'd': raise ParseError('object is a directory') verify_file_owner_and_permission(request, PermAction.RW, o) try: # 当权限为authenticated时,不推送到后端上游服务器 if 'authenticated' not in data['permission']: s3 = s3_client(o.bucket.bucket_region.reg_id, o.bucket.user.username) s3.put_object_acl(ACL=data['permission'], Bucket=o.bucket.name, Key=o.key) o.permission = data['permission'] o.save() except Exception as e: raise ParseError(detail=str(e)) return Response({'code': 0, 'msg': 'success'})
def put(self, request): fields = ( self.pk_field[0], ('*bucket_region_id', int, (verify_pk, BucketRegion)), ) data = validate_post_data(request.body, fields) bucket_region = BucketRegion.objects.get(pk=data['bucket_region_id']) if bucket_region.state != 'e': raise ParseError('region is not enable state') b = Buckets.objects.get(pk=data['bucket_id']) if request.user != b.user: raise ParseError('user not match') if b.pid > 0: raise ParseError('bucket is backup bucket') if b.backup: raise ParseError('backup function is already enable') b.create_backup(data['bucket_region_id']) return Response({ 'code': 0, 'msg': 'success' })
def post(self, request): fields = (('*obj_id', int, (verify_pk, Objects)), ('*username', str, verify_username), ('*permission', str, (verify_in_array, ('authenticated-read', 'authenticated-read-write')))) data = validate_post_data(request.body, fields) try: self.queryset = Objects.objects.get(obj_id=int(data['obj_id'])) authorize_user = User.objects.get(username=data['username']) except Objects.DoesNotExist: raise ParseError('not found this bucket') except User.DoesNotExist: raise ParseError('not found this user') if authorize_user.profile.root_uid != request.user.username and \ authorize_user.profile.parent_uid != request.user.username: raise ParseError('only support authorized to sub user') verify_file_owner_and_permission(request, PermAction.RW, self.queryset) ObjectAcl.objects.update_or_create(object=self.queryset, user=authorize_user, permission=data['permission']) return Response( { 'code': 0, 'msg': 'success', 'data': self.queryset.json }, status=HTTP_201_CREATED)
def delete(self, request): data = validate_post_data(request.body, tuple(self.pk_field)) bucket = self.model.objects.select_related('bucket_region').get(pk=data['bucket_id']) if bucket.user != request.user and not request.user.is_superuser: raise ParseError(detail='illegal delete bucket') if bucket.pid > 0: self.model.objects.filter(pk=bucket.pid).update(backup=False) try: # ceph集群删除bucket rgw = rgw_client(bucket.bucket_region.reg_id) rgw.remove_bucket(bucket=bucket.name, purge_objects=True) # 删除数据记录 bucket.delete() except NoSuchKey: raise ParseError('delete bucket failed, purge objects not found any key') except NoSuchBucket: raise ParseError('delete bucket failed, not found this bucket') except Exception as e: raise ParseError(detail=str(e)) return Response({ 'code': 0, 'msg': 'success' })
def put(self, request): fields = (('allow_ip', str, verify_ip_addr), ) data = validate_post_data(request.body, fields) self.queryset = request.user.keys if 'allow_ip' in data: self.queryset.set_allow_access(data['allow_ip']) self.queryset.change_user_key() return Response({'code': 0, 'msg': 'success'})
def post(self, request): fields = (('*bucket_id', int, (verify_pk, Buckets)), ('*username', str, verify_username), ('*permission', str, (verify_in_array, ('authenticated-read', 'authenticated-read-write')))) data = validate_post_data(request.body, fields) try: bucket = Buckets.objects.get(bucket_id=int(data['bucket_id'])) user = User.objects.get(username=data['username']) except Buckets.DoesNotExist: raise ParseError('not found this bucket') except User.DoesNotExist: raise ParseError('not found this user') if user.profile.root_uid != request.user.username and user.profile.parent_uid != request.user.username: raise ParseError('only support authorized to sub user') if request.user != bucket.user: raise ParseError('bucket owner and user not match') self.queryset, created = self.model.objects.update_or_create( bucket=bucket, user=user, permission=data['permission']) return Response( { 'code': 0, 'msg': 'success', 'data': self.queryset.json }, status=HTTP_201_CREATED)
def post(self, request): data = validate_post_data(request.body, tuple(self.fields)) self.queryset, create = self.model.objects.update_or_create(**data) return Response({ 'code': 0, 'msg': 'success', 'data': self.queryset.values() })
def create_directory_endpoint(request): """ 在指定的bucket内创建目录 该操作仅存在本地数据库,在ceph不会有任何记录 """ validate_license_expire() req_user = request.user _fields = (('*bucket_name', str, verify_bucket_name), ('*folder_name', str, verify_object_name), ('path', str, verify_object_path)) # 检验字段 data = validate_post_data(request.body, _fields) # 检验bucket name是否为非法 try: b = Buckets.objects.select_related('bucket_region').get( name=data['bucket_name']) except Buckets.DoesNotExist: raise NotFound(detail='not fount this bucket') if b.read_only: raise ParseError('this bucket is read only') verify_bucket_owner_and_permission(request, PermAction.RW, b) try: if 'path' in data: # 验证目录是否在正确的bucket下面 data['path'] = data['path'].replace(',', '/') p = verify_path(data['path']) if not p or p.owner != req_user or p.bucket.name != data[ 'bucket_name']: raise ParseError(detail='illegal path') key = data['path'] + data['folder_name'] + '/' else: key = data['folder_name'] + '/' record_data = { 'name': data['folder_name'] + '/', 'bucket': b, 'type': 'd', 'key': key, 'root': data['path'] if 'path' in data else None, 'owner': b.user if b.permission == 'public-read-write' else req_user } Objects.objects.create(**record_data) except Exception as e: raise ParseError(detail=str(e)) return Response({'code': 0, 'msg': 'success'})
def set_default_user_role(request): if not request.user.is_superuser: raise PermissionDenied() fields = ( ('*group_id', int, (verify_pk, Group)), ) data = validate_post_data(request.body, fields) group = Group.objects.get(pk=data['group_id']) group.default_group.set_default() return Response({ 'code': 0, 'msg': 'success' })
def post(self, request): # if not verify_super_user(request): # raise PermissionDenied() data = validate_post_data(request.body, tuple(self.model_fields)) self.queryset, created = self.model.objects.update_or_create(**data) return Response( { 'code': 0, 'msg': 'success', 'data': self.queryset.json() }, status=HTTP_201_CREATED)
def get_group_and_member(request): fields = [ ('*role', str, (verify_max_length, 20)), ('*username', str, (verify_max_length, 20)) ] data = validate_post_data(request.body, tuple(fields)) try: g = Group.objects.get(name=data['role']) u = User.objects.get(username=data['username']) except Group.DoesNotExist: raise NotFound('not found this group') except User.DoesNotExist: raise NotFound('not found this user') return g, u
def put(self, request): # if not verify_super_user(request): # raise PermissionDenied() fields = self.model_fields fields.append(self.model_pk[0]) data = validate_post_data(request.body, tuple(fields)) self.queryset = self.model.objects.get(pk=data['id']) self.queryset.__dict__.update(**data) self.queryset.save() return Response({ 'code': 0, 'msg': 'success', })
def post(self, request): """ 新增一个角色 """ fields = [ ('*name', str, (verify_max_length, 20)) ] data = validate_post_data(request.body, fields) self.queryset, _ = Group.objects.update_or_create( name=data['name'] ) return Response({ 'code': 0, 'msg': 'success', }, status=HTTP_201_CREATED)
def change_password_endpoint(request): """ 修改用户名密码,如果是超级管理员则不需要提供原密码,直接更改某个用户的密码 普通用户更改密码需要提供原始密码和新密码 """ fields = [ ('*username', str, verify_username), ('*pwd1', str, (verify_max_length, 30)), ('*pwd2', str, (verify_max_length, 30)), ] if not request.user.is_superuser: fields.append(('*old_pwd', str, (verify_max_length, 30))) data = validate_post_data(request.body, tuple(fields)) # 验证两次密码是否一样 if data['pwd1'] != data['pwd2']: raise ParseError(detail='the old and new password is not match!') # 超级管理员则查询指定的用户 if request.user.is_superuser: try: user = User.objects.get(username=data['username']) except User.DoesNotExist: user = None else: user = request.user if user and user.username != data['username']: raise ParseError(detail='error username!') if request.user.is_superuser: user.set_password(data['pwd1']) if not request.user.is_superuser and authenticate( username=data['username'], password=data['old_pwd']): user.set_password(data['pwd1']) else: raise ParseError('old password is error!') user.save() return Response({'code': 0, 'msg': 'success'})
def post(self, request): data = validate_post_data(request.body, tuple(self.fields)) if query_bucket_exist(data['name']): raise ParseError(detail='the bucket is already exist!') # 判断容量是否足够 q = request.user.capacity_quota if not q or not q.valid(): raise ParseError(detail='user capacity not enough') bucket_region = BucketRegion.objects.get(pk=data['bucket_region_id']) if bucket_region.state != 'e': raise ParseError('region is not enable state') # 使用用户key创建bucket s3 = s3_client(data['bucket_region_id'], request.user.username) s3.create_bucket( Bucket=data['name'], ACL=data['permission'], ) if data['version_control']: s3.put_bucket_versioning( Bucket=data['name'], VersioningConfiguration={ 'MFADelete': 'Disabled', 'Status': 'Enabled', }, ) # 本地数据库插入记录 self.model.objects.create( name=data['name'], bucket_region_id=data['bucket_region_id'], version_control=data['version_control'], user=request.user, permission=data['permission'] ) return Response({ 'code': 0, 'msg': 'success', }, status=HTTP_201_CREATED)
def user_recharge_endpoint(request): """ 用户充值 :param request: :return: """ req_user = request.user fields = ( ('*order_id', str, (verify_length, 10)), ('*money', float, (verify_max_value, 99999.0)) ) data = validate_post_data(request.body, fields) p = req_user.profile.get() p.charge(data['money']) return Response({ 'code': 0, 'msg': 'success', 'balance': p.balance })
def get_group_and_permission(request): fields = [ ('*role', str, (verify_max_length, 20)), ('*perms', list, len) ] data = validate_post_data(request.body, tuple(fields)) try: group = Group.objects.get(name=data['role']) except Group.DoesNotExist: raise NotFound('not found this group') perms = [] for p in data['perms']: try: perm = Permission.objects.get(codename=p.split('.')[1]) except Permission.DoesNotExist: continue # raise NotFound('not found this permission object') else: perms.append(perm) return group, perms
def user_delete_endpoint(request): """ 删除指定的用户,该超作只允许超级管理员执行 :param request: :return: """ # if not request.user.is_superuser: # raise NotAuthenticated(detail='permission denied!') fields = (('*username', str, verify_username), ('*user_id', int, None)) data = validate_post_data(request.body, fields) try: u = User.objects.get(pk=data['user_id']) except User.DoesNotExist: raise NotFound(detail='not found this user') if not request.user.is_superuser and u != request.user: raise NotAuthenticated(detail='permission denied') if u.username != data['username']: raise ParseError(detail='username and user_id not match') if u.profile.phone_verify: region = BucketRegion.objects.all() # 递归删除所有区域集群上的用户 for i in region: rgw = rgw_client(i.reg_id) try: rgw.get_user(uid=u.keys.ceph_uid, stats=True) except NoSuchUser: continue else: rgw.remove_user(uid=u.keys.ceph_uid, purge_data=True) u.delete() return Response({'code': 0, 'msg': 'success'})
def delete(self, request): data = validate_post_data(request.body, self.pk_field) self.model.objects.get(pk=data['bucket_type_id']).delete() return Response({'code': 0, 'msg': 'success'})
def put(self, request): self.fields.append(self.pk_field[0]) data = validate_post_data(request.body, tuple(self.fields)) self.queryset = self.model.objects.filter(pk=data['bucket_type_id']) self.queryset.update(**data) return Response({'code': 0, 'msg': 'success'})
def create_user_endpoint(request): """ 创建用户 请求参数sub_user为1时则创建子用户 创建子用户只能是一个已经登陆的普通用户 :param request: :return: """ try: sub_user = int(request.GET.get('sub_user', False)) except ValueError: sub_user = 0 sub_user = True if sub_user == 1 else False req_user = request.user if sub_user and isinstance(req_user, AnonymousUser): raise ParseError(detail='create sub user need a already exist user') if sub_user and not isinstance( req_user, AnonymousUser) and req_user.profile.level >= 3: raise ParseError('sub user already max level') fields = ( ('*username', str, verify_username), ('*pwd', str, (verify_max_length, 30)), # ('*pwd2', str, None), ('*email', str, verify_mail), ('*first_name', str, (verify_max_length, 8)), ('*phone', str, verify_phone), ('verify_code', str, verify_img_verification_code)) data = validate_post_data(request.body, fields) try: User.objects.get(username=data['username']) except User.DoesNotExist: pass else: raise ParseError(detail='the user is already exist') try: User.objects.get(email=data['email']) except User.DoesNotExist: pass else: raise ParseError(detail='the email is already exist') try: Profile.objects.get(phone=data['phone']) except Profile.DoesNotExist: pass else: raise ParseError(detail='the phone number already exist') try: user = User.objects.create_user( username=data['username'], password=data['pwd'], email=data['email'], first_name=data['first_name'], ) p = user.profile p.phone = data['phone'] if sub_user: p.is_subuser = True p.parent_uid = request.user.username p.root_uid = request.user.profile.root_uid p.level = request.user.profile.level + 1 p.save() p.save() except Exception as e: raise ParseError(detail=str(e)) # 新注册用户加入默认用户角色 try: dg = DefaultGroup.objects.get(default=True) except DefaultGroup.DoesNotExist: pass else: dg.group.user_set.add(user) return Response({'code': 0, 'msg': 'success'}, status=HTTP_201_CREATED)
def user_login_endpoint(request): """ 使用用户名和密码登陆 """ fields = (('*username', str, verify_username), ('*password', str, (verify_max_length, 30)), ('*verify_code', str, (verify_length, 6))) data = validate_post_data(request.body, fields) # 因为用户名与手机号码均为唯一字段,所以一下条件只会有一个成立 try: u = User.objects.select_related('profile').get( username=data['username']) except User.DoesNotExist: u = None try: p = Profile.objects.select_related('user').get(phone=data['username']) except Profile.DoesNotExist: p = None if not u and not p: raise NotFound('not found this user') user = None if u: user = u if p: user = p.user if not user.is_active: raise ParseError('user is inactive') if not authenticate(username=user.username, password=data['password']): raise ParseError('username or password is wrong') # if not verify_phone_verification_code(data['verify_code'], user.profile.phone): # raise ParseError('phone verification code is wrong!') try: t = Token.objects.get(user=user) tk = t.key t.delete() cache.delete('token_%s' % tk) except Token.DoesNotExist: pass finally: tk, create = Token.objects.update_or_create(user=user) cache_request_user_meta_info(tk, request) # 首次登陆将生成access_key, secret_key, ceph_uid if not user.profile.phone_verify: user.keys.init() # 使用django login方法登陆,不然没有登陆记录,但是不需要任何session login(request, user=user) request.session.clear() logout(request) return Response({ 'code': 0, 'msg': 'success', 'data': { 'token': tk.key, 'user_id': user.pk, 'username': user.username, 'phone_verify': user.profile.phone_verify, 'phone_number': user.profile.phone, 'user_type': 'superuser' if user.is_superuser else 'normal', 'is_subuser': user.profile.is_subuser, 'level': user.profile.level, } })