Merge pull request #209 from jumpserver/dev

Dev

Merge pull request #209 from jumpserver/dev
Dev
212b5b04 · 老广 · GitHub · 93f247c0 · 2d89332f · 212b5b04
Unverified Commit 212b5b04 authored Apr 30, 2019 by 老广 Committed by GitHub Apr 30, 2019
10 changed files
--- a/coco/app.py
+++ b/coco/app.py
@@ -23,7 +23,7 @@ from .session import Session
 from .models import Connection


-__version__ = '1.4.9'
+__version__ = '1.4.10'

 BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 logger = get_logger(__file__)

--- a/coco/connection.py
+++ b/coco/connection.py
@@ -157,7 +157,7 @@ class TelnetConnection:
    password_pattern = re.compile(
        r'Password:?\s*$|passwd:?\s*$|密\s*码:?\s*$', re.I
    )
-    success_pattern = re.compile(r'Last\s*login|success|成功|#|\$', re.I)
+    success_pattern = re.compile(r'Last\s*login|success|成功|#|>|\$', re.I)
    custom_success_pattern = None

    def __init__(self, asset, system_user, client):

--- a/coco/const.py
+++ b/coco/const.py
+# -*- coding: utf-8 -*-
+#
+
+#
+# Permission actions choices
+#
+PERMS_ACTION_NAME_ALL = 'all'
+PERMS_ACTION_NAME_CONNECT = 'connect'
+PERMS_ACTION_NAME_UPLOAD_FILE = 'upload_file'
+PERMS_ACTION_NAME_DOWNLOAD_FILE = 'download_file'
--- a/coco/httpd/elfinder/connector.py
+++ b/coco/httpd/elfinder/connector.py
@@ -109,8 +109,8 @@ class ElFinderConnector:
        try:
            func()
        except Exception as e:
+            logger.debug(e, exc_info=True)
            self.response['error'] = '%s' % e
-            logger.error(e, exc_info=True)

    def get_request_data(self):
        data_source = {}

--- a/coco/httpd/elfinder/volumes/sftp.py
+++ b/coco/httpd/elfinder/volumes/sftp.py
@@ -140,6 +140,7 @@ class SFTPVolume(BaseVolume):
        if not many:
            names = [names]
        for name in names:
+            name = name.lstrip(self.path_sep)
            path = self._join(parent_path, name)
            remote_path = self._remote_path(path)
            self.sftp.mkdir(remote_path)
@@ -214,14 +215,11 @@ class SFTPVolume(BaseVolume):
        """ Delete a File or Directory object. """
        path = self._path(target)
        remote_path = self._remote_path(path)
-        try:
-            info = self.info(target)
-            if info['mime'] == 'directory':
-                self.sftp.rmdir(remote_path)
-            else:
-                self.sftp.unlink(remote_path)
-        except OSError:
-            raise OSError("Delete {} failed".format(self._base_name(path)))
+        info = self.info(target)
+        if info['mime'] == 'directory':
+            self.sftp.rmdir(remote_path)
+        else:
+            self.sftp.unlink(remote_path)
        return target

    def upload_as_url(self, url, parent):

--- a/coco/proxy.py
+++ b/coco/proxy.py
@@ -7,6 +7,7 @@ import time

 from .session import Session
 from .models import Server, TelnetServer
+from .const import PERMS_ACTION_NAME_CONNECT
 from .connection import SSHConnection, TelnetConnection
 from .service import app_service
 from .conf import config
@@ -93,15 +94,20 @@ class ProxyServer:
        验证用户是否有连接改资产的权限
        :return: True or False
        """
-        return app_service.validate_user_asset_permission(
-            self.client.user.id, self.asset.id, self.system_user.id
-        )
+        kwargs = {
+            'user_id': self.client.user.id,
+            'asset_id': self.asset.id,
+            'system_user_id': self.system_user.id,
+            'action_name': PERMS_ACTION_NAME_CONNECT
+        }
+        return app_service.validate_user_asset_permission(**kwargs)

    def get_server_conn(self):
        logger.info("Connect to {}:{} ...".format(self.asset.hostname, self.asset.port))
        self.send_connecting_message()
        if not self.validate_permission():
-            self.client.send_unicode(warning(_('No permission')))
+            msg = _('No permission')
+            self.client.send_unicode(warning(wr(msg, before=2, after=0)))
            server = None
        elif self.system_user.protocol == self.asset.protocol == 'telnet':
            server = self.get_telnet_server_conn()

--- a/coco/sftp.py
+++ b/coco/sftp.py
@@ -11,6 +11,10 @@ from coco.utils import get_logger
 from .conf import config
 from .service import app_service
 from .connection import SSHConnection
+from .const import (
+    PERMS_ACTION_NAME_DOWNLOAD_FILE, PERMS_ACTION_NAME_UPLOAD_FILE,
+    PERMS_ACTION_NAME_ALL,
+)

 CURRENT_DIR = os.path.dirname(__file__)
 logger = get_logger(__file__)
@@ -267,11 +271,27 @@ class SFTPServer(paramiko.SFTPServerInterface):
    def lstat(self, path):
        return self.stat(path)

+    @staticmethod
+    def validate_permission(system_user, action):
+        check_actions = [PERMS_ACTION_NAME_ALL, action]
+        granted_actions = getattr(system_user, 'actions', [])
+        actions = list(set(granted_actions).intersection(set(check_actions)))
+        return bool(actions)
+
+    def check_action(self, path, action):
+        request = self.parse_path(path)
+        host, su = request['host'], request['su']
+        system_user = self.hosts.get(host, {}).get('system_users', {}).get(su)
+        if not system_user:
+            raise PermissionError("No system user explicit")
+
+        if not self.validate_permission(system_user, action):
+            raise PermissionError("Permission deny")
+
    @convert_error
    def open(self, path, flags, attr=None):
        binary_flag = getattr(os, 'O_BINARY', 0)
        flags |= binary_flag
-        success = False

        if flags & os.O_WRONLY:
            if flags & os.O_APPEND:
@@ -288,12 +308,17 @@ class SFTPServer(paramiko.SFTPServerInterface):

        if 'r' in mode:
            operate = "Download"
+            action = PERMS_ACTION_NAME_DOWNLOAD_FILE
        elif 'a' in mode:
            operate = "Append"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE
        else:
            operate = "Upload"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE

+        success = False
        try:
+            self.check_action(path, action)
            client, rpath = self.get_sftp_client_rpath(path)
            f = client.open(rpath, mode, bufsize=4096)
            f.prefetch()
@@ -309,6 +334,7 @@ class SFTPServer(paramiko.SFTPServerInterface):

    @convert_error
    def remove(self, path):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
        client, rpath = self.get_sftp_client_rpath(path)
        success = False

@@ -321,6 +347,7 @@ class SFTPServer(paramiko.SFTPServerInterface):

    @convert_error
    def rename(self, src, dest):
+        self.check_action(src, action=PERMS_ACTION_NAME_UPLOAD_FILE)
        client, rsrc = self.get_sftp_client_rpath(src)
        client2, rdest = self.get_sftp_client_rpath(dest)
        success = False
@@ -338,6 +365,7 @@ class SFTPServer(paramiko.SFTPServerInterface):

    @convert_error
    def mkdir(self, path, attr=0o755):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
        client, rpath = self.get_sftp_client_rpath(path)
        success = False

@@ -352,6 +380,7 @@ class SFTPServer(paramiko.SFTPServerInterface):

    @convert_error
    def rmdir(self, path):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
        client, rpath = self.get_sftp_client_rpath(path)
        success = False

@@ -405,10 +434,14 @@ class InternalSFTPClient(SFTPServer):
        client, rpath = self.get_sftp_client_rpath(path)
        if 'r' in mode:
            operate = "Download"
+            action = PERMS_ACTION_NAME_DOWNLOAD_FILE
        else:
            operate = "Upload"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE
+
        success = False
        try:
+            self.check_action(path, action=action)
            f = client.open(rpath, mode, bufsize=4096)
            success = True
            return f
@@ -423,6 +456,12 @@ class InternalSFTPClient(SFTPServer):
        attr = super(InternalSFTPClient, self).lstat.__wrapped__(self, path)
        return attr

+    def rename(self, src, dest):
+        return super(InternalSFTPClient, self).rename.__wrapped__(self, src, dest)
+
+    def mkdir(self, path, attr=0o755):
+        return super(InternalSFTPClient, self).mkdir.__wrapped__(self, path, attr)
+
    def rmdir(self, path):
        return super(InternalSFTPClient, self).rmdir.__wrapped__(self, path)

@@ -430,9 +469,10 @@ class InternalSFTPClient(SFTPServer):
        return FakeChannel.new()

    def unlink(self, path):
-        return self.remove(path)
+        return super(InternalSFTPClient, self).remove.__wrapped__(self, path)

    def putfo(self, f, path, callback=None, confirm=True):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
        client, rpath = self.get_sftp_client_rpath(path)
        success = False
        try:

--- a/locale/zh_CN/LC_MESSAGES/coco.mo
+++ b/locale/zh_CN/LC_MESSAGES/coco.mo
--- a/locale/zh_CN/LC_MESSAGES/coco.po
+++ b/locale/zh_CN/LC_MESSAGES/coco.po
@@ -83,7 +83,7 @@ msgstr "{T}7) 输入 {green}h{end} 帮助.{R}"
 #: coco/interactive.py:96
 #, python-brace-format
 msgid "{T}8) Enter {green}r{end} to refresh your assets and nodes.{R}"
-msgstr "{T}0) 输入 {green}r{end} 刷新最新的机器和节点信息.{R}"
+msgstr "{T}8) 输入 {green}r{end} 刷新最新的机器和节点信息.{R}"

 #: coco/interactive.py:97
 #, python-brace-format

--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -19,7 +19,7 @@ itsdangerous==0.24
 Jinja2==2.10
 jmespath==0.9.3
 jms-storage==0.0.22
-jumpserver-python-sdk==0.0.57
+jumpserver-python-sdk==0.0.58
 MarkupSafe==1.0
 oss2==2.4.0
 paramiko==2.4.1