1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
# coding: utf-8
from __future__ import absolute_import, unicode_literals
import collections
from common.utils import setattr_bulk, get_logger
from .tasks import push_users
from .hands import User, UserGroup, Asset, AssetGroup, SystemUser
logger = get_logger(__file__)
def get_user_group_granted_asset_groups(user_group):
"""Return asset groups granted of the user group
:param user_group: Instance of :class: ``UserGroup``
:return: {asset_group1: {system_user1, },
asset_group2: {system_user1, system_user2}}
"""
asset_groups = {}
asset_permissions = user_group.asset_permissions.all()
for asset_permission in asset_permissions:
if not asset_permission.is_valid:
continue
for asset_group in asset_permission.asset_groups.all():
if asset_group in asset_groups:
asset_groups[asset_group] |= set(asset_permission.system_users.all())
else:
asset_groups[asset_group] = set(asset_permission.system_users.all())
return asset_groups
def get_user_group_granted_assets(user_group):
"""Return assets granted of the user group
:param user_group: Instance of :class: ``UserGroup``
:return: {asset1: {system_user1, }, asset1: {system_user1, system_user2]}
"""
assets = {}
asset_permissions = user_group.asset_permissions.all()
for asset_permission in asset_permissions:
if not asset_permission.is_valid:
continue
for asset in asset_permission.get_granted_assets():
if not asset.is_active:
continue
if asset in assets:
assets[asset] |= set(asset_permission.system_users.all())
else:
assets[asset] = set(asset_permission.system_users.all())
return assets
# def get_user_granted_asset_groups_direct(user):
# """Return asset groups granted of the user direct nor inherit from user group
#
# :param user: Instance of :class: ``User``
# :return: {asset_group: {system_user1, },
# asset_group2: {system_user1, system_user2]}
# """
# asset_groups = {}
# asset_permissions_direct = user.asset_permissions.all()
#
# for asset_permission in asset_permissions_direct:
# if not asset_permission.is_valid:
# continue
# for asset_group in asset_permission.asset_groups.all():
# if asset_group in asset_groups:
# asset_groups[asset_group] |= set(asset_permission.system_users.all())
# else:
# setattr(asset_group, 'inherited', False)
# asset_groups[asset_group] = set(asset_permission.system_users.all())
#
# return asset_groups
# def get_user_granted_asset_groups_inherit_from_user_groups(user):
# """Return asset groups granted of the user and inherit from user group
#
# :param user: Instance of :class: ``User``
# :return: {asset_group: {system_user1, },
# asset_group2: {system_user1, system_user2]}
# """
# asset_groups = {}
# user_groups = user.groups.all()
# asset_permissions = set()
#
# # Get asset permission list of user groups for this user
# for user_group in user_groups:
# asset_permissions |= set(user_group.asset_permissions.all())
#
# # Get asset groups granted from user groups
# for asset_permission in asset_permissions:
# if not asset_permission.is_valid:
# continue
# for asset_group in asset_permission.asset_groups.all():
# if asset_group in asset_groups:
# asset_groups[asset_group] |= set(asset_permission.system_users.all())
# else:
# setattr(asset_group, 'inherited', True)
# asset_groups[asset_group] = set(asset_permission.system_users.all())
#
# return asset_groups
# def get_user_granted_asset_groups(user):
# """Get user granted asset groups all, include direct and inherit from user group
#
# :param user: Instance of :class: ``User``
# :return: {asset_group1: {system_user1, system_user2}, asset_group2: {...}}
# """
#
# asset_groups_inherit_from_user_groups = \
# get_user_granted_asset_groups_inherit_from_user_groups(user)
# asset_groups_direct = get_user_granted_asset_groups_direct(user)
# asset_groups = asset_groups_inherit_from_user_groups
#
# # Merge direct granted and inherit from user group
# for asset_group, system_users in asset_groups_direct.items():
# if asset_group in asset_groups:
# asset_groups[asset_group] |= asset_groups_direct[asset_group]
# else:
# asset_groups[asset_group] = asset_groups_direct[asset_group]
# return asset_groups
def get_user_granted_assets_direct(user):
"""Return assets granted of the user directly
:param user: Instance of :class: ``User``
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
"""
assets = {}
asset_permissions_direct = user.asset_permissions.all()
for asset_permission in asset_permissions_direct:
if not asset_permission.is_valid:
continue
for asset in asset_permission.get_granted_assets():
if not asset.is_active:
continue
if asset in assets:
assets[asset] |= set(asset_permission.system_users.all())
else:
setattr(asset, 'inherited', False)
assets[asset] = set(asset_permission.system_users.all())
return assets
def get_user_granted_assets_inherit_from_user_groups(user):
"""Return assets granted of the user inherit from user groups
:param user: Instance of :class: ``User``
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
"""
assets = {}
user_groups = user.groups.all()
for user_group in user_groups:
assets_inherited = get_user_group_granted_assets(user_group)
for asset in assets_inherited:
if not asset.is_active:
continue
if asset in assets:
assets[asset] |= assets_inherited[asset]
else:
setattr(asset, 'inherited', True)
assets[asset] = assets_inherited[asset]
return assets
def get_user_granted_assets(user):
"""Return assets granted of the user inherit from user groups
:param user: Instance of :class: ``User``
:return: {asset1: {system_user1, system_user2}, asset2: {...}}
"""
assets_direct = get_user_granted_assets_direct(user)
assets_inherited = get_user_granted_assets_inherit_from_user_groups(user)
assets = assets_inherited
for asset in assets_direct:
if not asset.is_active:
continue
if asset in assets:
assets[asset] |= assets_direct[asset]
else:
assets[asset] = assets_direct[asset]
return assets
def get_user_granted_asset_groups(user):
"""Return asset groups with assets and system users, it's not the asset
group direct permed in rules. We get all asset and then get it asset group
:param user: Instance of :class: ``User``
:return: {asset_group1: [asset1, asset2], asset_group2: []}
"""
asset_groups = collections.defaultdict(list)
ungroups = [AssetGroup(name="UnGrouped")]
for asset, system_users in get_user_granted_assets(user).items():
groups = asset.groups.all()
if not groups:
groups = ungroups
for asset_group in groups:
asset_groups[asset_group].append((asset, system_users))
return asset_groups
def get_user_group_asset_permissions(user_group):
permissions = user_group.asset_permissions.all()
return permissions
def get_user_asset_permissions(user):
user_group_permissions = set()
direct_permissions = set(setattr_bulk(user.asset_permissions.all(), 'inherited', 0))
for user_group in user.groups.all():
permissions = get_user_group_asset_permissions(user_group)
user_group_permissions |= set(permissions)
user_group_permissions = set(setattr_bulk(user_group_permissions, 'inherited', 1))
return direct_permissions | user_group_permissions
def get_user_groups_granted_in_asset(asset):
pass
def get_users_granted_in_asset(asset):
pass
def get_user_groups_granted_in_asset_group(asset):
pass
def get_users_granted_in_asset_group(asset):
pass
def push_system_user(assets, system_user):
logger.info('Push system user %s' % system_user.name)
for asset in assets:
logger.info('\tAsset: %s' % asset.ip)
if not assets:
return None
assets = [asset._to_secret_json() for asset in assets]
system_user = system_user._to_secret_json()
task = push_users.delay(assets, system_user)
return task.id
def associate_system_users_and_assets(system_users, assets, asset_groups, force=False):
"""关联系统用户和资产, 目的是保存它们的关系, 然后新加入的资产或系统
用户时,推送系统用户到资产
Todo: 这里需要最终Api定下来更改一下, 现在策略是以系统用户为核心推送, 一个系统用户
推送一次
"""
assets_all = set(assets)
for asset_group in asset_groups:
assets_all |= set(asset_group.assets.all())
for system_user in system_users:
assets_need_push = []
if system_user.auto_push:
if force:
assets_need_push = assets_all
else:
assets_need_push.extend(
[asset for asset in assets_all
if asset not in system_user.assets.all()
]
)
system_user.assets.add(*(tuple(assets_all)))
push_system_user(assets_need_push, system_user)