Skip to content

J
jumpserver
Commit 49821062 authored by wangyong's avatar wangyong
Browse files
Options

Merge branch 'dev' of https://git.coding.net/jumpserver/jumpserver into dev

parents 99439be0 17ccac92
Hide whitespace changes
Inline Side-by-side
Showing with 222 additions and 110 deletions
connect.py
View file @ 49821062
......@@ -19,9 +19,10 @@ import struct, fcntl, signal, socket, select
os.environ['DJANGO_SETTINGS_MODULE'] = 'jumpserver.settings'
if django.get_version() != '1.6':
django.setup()
from jumpserver.api import ServerError, User, Asset, AssetGroup, get_object, mkdir, get_asset_info, get_role
from django.contrib.sessions.models import Session
from jumpserver.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info, get_role
from jumpserver.api import logger, Log, TtyLog, get_role_key
from jperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm
from jperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm
from jumpserver.settings import LOG_DIR
from jperm.ansible_api import Command
......@@ -69,6 +70,8 @@ class Tty(object):
self.connect_info = None
self.login_type = 'ssh'
self.vim_flag = False
self.ps1_pattern = re.compile('\[.*@.*\][\$#]')
self.vim_data = ''
@staticmethod
def is_output(strings):
......@@ -155,33 +158,12 @@ class Tty(object):
""", re.X)
result_command = control_char.sub('', result_command.strip())
if not self.vim_flag:
if result_command.startswith('vi'):
if result_command.startswith('vi') or result_command.startswith('fg'):
self.vim_flag = True
return result_command.decode('utf8', "ignore")
else:
return ''
@staticmethod
def remove_control_char(str_r):
"""
处理日志特殊字符
"""
control_char = re.compile(r"""
\x1b[ #%()*+\-.\/]. |
\r | #匹配 回车符(CR)
(?:\x1b\[|\x9b) [ -?]* [@-~] | #匹配 控制顺序描述符(CSI)... Cmd
(?:\x1b\]|\x9d) .*? (?:\x1b\\|[\a\x9c]) | \x07 | #匹配 操作系统指令(OSC)...终止符或振铃符(ST|BEL)
(?:\x1b[P^_]|[\x90\x9e\x9f]) .*? (?:\x1b\\|\x9c) | #匹配 设备控制串或私讯或应用程序命令(DCS|PM|APC)...终止符(ST)
\x1b. #匹配 转义过后的字符
[\x80-\x9f] #匹配 所有控制字符
""", re.X)
backspace = re.compile(r"[^\b][\b]")
line_filtered = control_char.sub('', str_r.rstrip())
while backspace.search(line_filtered):
line_filtered = backspace.sub('', line_filtered)
return line_filtered
def get_log(self):
"""
Logging user command and output.
......@@ -312,9 +294,7 @@ class SshTty(Tty):
log_file_f, log_time_f, log = self.get_log()
old_tty = termios.tcgetattr(sys.stdin)
pre_timestamp = time.time()
pattern = re.compile('\[.*@.*\][\$#]')
data = ''
chan_str = ''
input_mode = False
try:
tty.setraw(sys.stdin.fileno())
......@@ -333,7 +313,7 @@ class SshTty(Tty):
if len(x) == 0:
break
if self.vim_flag:
chan_str += x
self.vim_data += x
sys.stdout.write(x)
sys.stdout.flush()
now_timestamp = time.time()
......@@ -352,21 +332,20 @@ class SshTty(Tty):
if sys.stdin in r:
x = os.read(sys.stdin.fileno(), 1)
input_mode = True
if str(x) in ['\r', '\n', '\r\n']:
if self.vim_flag:
match = pattern.search(chan_str)
match = self.ps1_pattern.search(self.vim_data)
if match:
self.vim_flag = False
data = self.deal_command(data)
data = self.deal_command(data)[0:200]
if len(data) > 0:
TtyLog(log=log, datetime=datetime.datetime.now(), cmd=data).save()
else:
data = self.deal_command(data)
data = self.deal_command(data)[0:200]
if len(data) > 0:
TtyLog(log=log, datetime=datetime.datetime.now(), cmd=data).save()
data = ''
chan_str = ''
self.vim_data = ''
input_mode = False
if len(x) == 0:
......@@ -456,24 +435,33 @@ class Nav(object):
def search(self, str_r=''):
gid_pattern = re.compile(r'^g\d+$')
# 获取用户授权的所有主机信息
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
user_asset_all = self.user_perm.get('asset').keys()
# 搜索结果保存
user_asset_search = []
if str_r:
# 资产组组id匹配
if gid_pattern.match(str_r):
user_asset_search = list(Asset.objects.all())
gid = int(str_r.lstrip('g'))
# 获取资产组包含的资产
user_asset_search = get_object(AssetGroup, id=gid).asset_set.all()
else:
# 匹配 ip, hostname, 备注
for asset in user_asset_all:
if str_r in asset.ip or str_r in str(asset.comment):
if str_r in asset.ip or str_r in str(asset.hostname) or str_r in str(asset.comment):
user_asset_search.append(asset)
else:
# 如果没有输入就展现所有
user_asset_search = user_asset_all
self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
print '\033[32m[%-3s] %-15s %-15s %-5s %-10s %s \033[0m' % ('ID', 'AssetName', 'IP', 'Port', 'Role', 'Comment')
for index, asset in self.search_result.items():
# 获取该资产信息
asset_info = get_asset_info(asset)
# 获取该资产包含的角色
role = [str(role.name) for role in self.user_perm.get('asset').get(asset).get('role')]
if asset.comment:
print '[%-3s] %-15s %-15s %-5s %-10s %s' % (index, asset.hostname, asset.ip, asset_info.get('port'),
......@@ -482,9 +470,11 @@ class Nav(object):
print '[%-3s] %-15s %-15s %-5s %-10s' % (index, asset.hostname, asset.ip, asset_info.get('port'), role)
print
@staticmethod
def print_asset_group():
user_asset_group_all = AssetGroup.objects.all()
def print_asset_group(self):
"""
打印用户授权的资产组
"""
user_asset_group_all = get_group_user_perm(self.user).get('asset_group', [])
print '\033[32m[%-3s] %-15s %s \033[0m' % ('ID', 'GroupName', 'Comment')
for asset_group in user_asset_group_all:
......@@ -495,6 +485,9 @@ class Nav(object):
print
def exec_cmd(self):
"""
批量执行命令
"""
self.search()
while True:
print "请输入主机名、IP或ansile支持的pattern, q退出"
......
jlog/urls.py
View file @ 49821062
......@@ -9,4 +9,5 @@ urlpatterns = patterns('',
url(r'^log_kill/', log_kill),
url(r'^record/$', log_record),
url(r'^web_terminal/$', web_terminal),
url(r'^get_role_name/$', get_role_name),
)
\ No newline at end of file
jlog/views.py
View file @ 49821062
......@@ -4,6 +4,7 @@ from django.template import RequestContext
from django.shortcuts import render_to_response
from jumpserver.api import *
from jperm.perm_api import user_have_perm
from django.http import HttpResponseNotFound
from jlog.log_api import renderTemplate
......@@ -103,11 +104,20 @@ def log_record(request):
return HttpResponse('无日志记录!')
@require_role('user')
def get_role_name(request):
asset_id = request.GET.get('id', 9999)
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
return HttpResponse(','.join([i.name for i in role]))
return HttpResponse('error')
@require_role('user')
def web_terminal(request):
#username = get_session.get('username', '')
token = request.COOKIES.get('sessionid')
username = request.user.username
asset_name = '127.0.0.1'
web_terminal_uri = 'ws://%s/terminal?username=%s&asset_name=%s&token=%s' % (WEB_SOCKET_HOST, username, asset_name, token)
asset_id = request.GET.get('id')
role_name = request.GET.get('role')
web_terminal_uri = 'ws://%s/terminal?id=%s&role=%s' % (WEB_SOCKET_HOST, asset_id, role_name)
return render_to_response('jlog/web_terminal.html', locals())
jperm/perm_api.py
View file @ 49821062
......@@ -132,6 +132,15 @@ def get_group_asset_perm(ob):
return perm
def user_have_perm(user, asset):
user_perm_all = get_group_user_perm(user)
user_assets = user_perm_all.get('asset').keys()
if asset in user_assets:
return user_perm_all.get('asset').get(asset).get('role')
else:
return False
def gen_resource(ob, ex='', perm=None):
"""
ob为用户或资产列表或资产queryset, 如果同时输入用户和资产,则获取用户在这些资产上的信息
......
jumpserver/api.py
View file @ 49821062
......@@ -59,7 +59,7 @@ def get_asset_info(asset):
else:
info['port'] = asset.port
info['username'] = asset.username
info['password'] = asset.password
info['password'] = CRYPTOR.decrypt(asset.password)
return info
......
jumpserver/context_processors.py
View file @ 49821062
......@@ -5,16 +5,12 @@ from jumpserver.api import *
def name_proc(request):
user_id = request.user.id
# role_id = request.session.get('role_id')
role_id = {'SU':2,'GA':1,'CU':0}.get(request.user.role,0)
# if role_id == 2:
role_id = {'SU': 2, 'GA': 1, 'CU': 0}.get(request.user.role, 0)
# role_id = 'SU'
user_total_num = User.objects.all().count()
user_active_num = User.objects.filter().count()
host_total_num = Asset.objects.all().count()
host_active_num = Asset.objects.filter(is_active=True).count()
# else:
# pass
request.session.set_expiry(3600)
info_dic = {'session_user_id': user_id,
......
jumpserver/templatetags/mytags.py
View file @ 49821062
......@@ -237,3 +237,12 @@ def key_exist(username):
return True
else:
return False
@register.filter(name='check_role')
def check_role(asset_id, user):
"""
ssh key is exist or not
"""
return user
run_websocket.py
View file @ 49821062
......@@ -7,6 +7,7 @@ import os
import sys
import os.path
import threading
import datetime
import urllib
import tornado.ioloop
......@@ -20,16 +21,10 @@ from tornado.websocket import WebSocketClosedError
from tornado.options import define, options
from pyinotify import WatchManager, Notifier, ProcessEvent, IN_DELETE, IN_CREATE, IN_MODIFY, AsyncNotifier
import select
# from gevent import monkey
# monkey.patch_all()
# import gevent
# from gevent.socket import wait_read, wait_write
import struct, fcntl, signal, socket, select, fnmatch
import paramiko
from connect import Tty
from connect import TtyLog, Log
from connect import Tty, User, Asset, PermRole, logger, get_object
from connect import TtyLog, Log, Session, user_have_perm
try:
import simplejson as json
......@@ -41,17 +36,49 @@ define("port", default=3000, help="run on the given port", type=int)
define("host", default='0.0.0.0', help="run port on", type=str)
def require_auth(func):
def _deco(request, *args, **kwargs):
username = request.get_argument('username', '')
asset_name = request.get_argument('asset_name', '')
token = request.get_argument('token', '')
print username, asset_name, token
client = tornado.httpclient.HTTPClient()
# response = client.fetch('http://some/url') + urllib.urlencode({'username': username,
# 'asset_name': asset_name, 'token': token})
# return request.close()
return func(request, *args, **kwargs)
def require_auth(role='user'):
def _deco(func):
def _deco(request, *args, **kwargs):
if request.get_cookie('sessionid'):
session_key = request.get_cookie('sessionid')
else:
session_key = request.get_secure_cookie('sessionid')
logger.debug('Websocket: session_key: ' + session_key)
if session_key:
session = get_object(Session, session_key=session_key)
if session and datetime.datetime.now() > session.expire_date:
user_id = session.get_decoded().get('_auth_user_id')
user = get_object(User, id=user_id)
if user:
logger.debug('Websocket: user [ %s ] request websocket' % user.username)
request.user = user
if role == 'admin':
if user.role in ['SU', 'GA']:
return func(request, *args, **kwargs)
logger.debug('Websocket: user [ %s ] is not admin.' % user.username)
else:
return func(request, *args, **kwargs)
request.close()
logger.warning('Websocket: Request auth failed.')
# asset_id = int(request.get_argument('id', 9999))
# print asset_id
# asset = Asset.objects.filter(id=asset_id)
# if asset:
# asset = asset[0]
# request.asset = asset
# else:
# request.close()
#
# if user:
# user = user[0]
# request.user = user
#
# else:
# print("No session user.")
# request.close()
return _deco
return _deco
......@@ -87,10 +114,10 @@ def file_monitor(path='.', client=None):
notifier = AsyncNotifier(wm, EventHandler(client))
wm.add_watch(path, mask, auto_add=True, rec=True)
if not os.path.isfile(path):
print "You should monitor a file"
logger.debug("File %s does not exist." % path)
sys.exit(3)
else:
print "now starting monitor %s." % path
logger.debug("Now starting monitor file %s." % path)
global f
f = open(path, 'r')
st_size = os.stat(path)[6]
......@@ -136,7 +163,7 @@ class MonitorHandler(tornado.websocket.WebSocketHandler):
def check_origin(self, origin):
return True
@require_auth
@require_auth('admin')
def open(self):
# 获取监控的path
self.file_path = self.get_argument('file_path', '')
......@@ -158,7 +185,8 @@ class MonitorHandler(tornado.websocket.WebSocketHandler):
MonitorHandler.clients.remove(self)
MonitorHandler.threads.remove(MonitorHandler.threads[client_index])
print len(MonitorHandler.threads), len(MonitorHandler.clients)
logger.debug("Websocket: Monitor client num: %s, thread num: %s" % (len(MonitorHandler.clients),
len(MonitorHandler.threads)))
def on_message(self, message):
# 监控日志,发生变动发向客户端
......@@ -168,10 +196,13 @@ class MonitorHandler(tornado.websocket.WebSocketHandler):
# 客户端主动关闭
# self.close()
print "Close websocket."
client_index = MonitorHandler.clients.index(self)
MonitorHandler.clients.remove(self)
MonitorHandler.threads.remove(MonitorHandler.threads[client_index])
logger.debug("Websocket: Monitor client close request")
try:
client_index = MonitorHandler.clients.index(self)
MonitorHandler.clients.remove(self)
MonitorHandler.threads.remove(MonitorHandler.threads[client_index])
except ValueError:
pass
class WebTty(Tty):
......@@ -184,6 +215,7 @@ class WebTty(Tty):
class WebTerminalKillHandler(tornado.web.RequestHandler):
@require_auth('admin')
def get(self):
ws_id = self.get_argument('id')
Log.objects.filter(id=ws_id).update(is_finished=True)
......@@ -206,6 +238,7 @@ class WebTerminalHandler(tornado.websocket.WebSocketHandler):
self.log_time_f = None
self.log = None
self.id = 0
self.user = None
super(WebTerminalHandler, self).__init__(*args, **kwargs)
def check_origin(self, origin):
......@@ -213,11 +246,28 @@ class WebTerminalHandler(tornado.websocket.WebSocketHandler):
@require_auth
def open(self):
asset_name = self.get_argument('asset_name', '')
username = self.get_argument('username', '')
token = self.get_argument('token', '')
print asset_name, username, token
self.term = WebTty('a', 'b')
role_name = self.get_argument('role', 'sb')
asset_id = self.get_argument('id', 9999)
asset = get_object(Asset, id=asset_id)
if asset:
roles = user_have_perm(self.user, asset)
login_role = ''
for role in roles:
if role.name == role_name:
login_role = role
break
if not login_role:
logger.warning('Websocket: Not that Role %s for Host: %s User: %s ' % (role_name, asset.hostname,
self.user.username))
self.close()
return
else:
logger.warning('Websocket: No that Host: %s User: %s ' % (asset_id, self.user.username))
self.close()
return
logger.debug('Websocket: request web terminal Host: %s User: %s Role: %s' % (asset.hostname, self.user.username,
login_role.name))
self.term = WebTty(self.user, self.asset, login_role)
self.term.get_connection()
self.term.channel = self.term.ssh.invoke_shell(term='xterm')
WebTerminalHandler.tasks.append(MyThread(target=self.forward_outbound))
......@@ -236,7 +286,17 @@ class WebTerminalHandler(tornado.websocket.WebSocketHandler):
if data.get('data'):
self.term.input_mode = True
if str(data['data']) in ['\r', '\n', '\r\n']:
TtyLog(log=self.log, datetime=datetime.datetime.now(), cmd=self.term.deal_command(self.term.data, self.term.ssh)).save()
if self.term.vim_flag:
match = self.term.ps1_pattern.search(self.term.vim_data)
if match:
self.term.vim_flag = False
vim_data = self.term.deal_command(self.term.vim_data)[0:200]
if len(data) > 0:
TtyLog(log=self.log, datetime=datetime.datetime.now(), cmd=vim_data).save()
TtyLog(log=self.log, datetime=datetime.datetime.now(),
cmd=self.term.deal_command(self.term.data)[0:200]).save()
self.term.vim_data = ''
self.term.data = ''
self.term.input_mode = False
self.term.channel.send(data['data'])
......@@ -267,6 +327,8 @@ class WebTerminalHandler(tornado.websocket.WebSocketHandler):
if not len(recv):
return
data += recv
if self.term.vim_flag:
self.term.vim_data += recv
try:
self.write_message(json.dumps({'data': data}))
now_timestamp = time.time()
......@@ -290,4 +352,5 @@ if __name__ == '__main__':
server.bind(options.port, options.host)
# server.listen(options.port)
server.start(num_processes=1)
print "Run server on %s:%s" % (options.host, options.port)
tornado.ioloop.IOLoop.instance().start()
templates/jasset/asset_list.html
View file @ 49821062
......@@ -130,6 +130,7 @@
<a href="/jasset/asset_detail/?id={{ asset.id }}" class="btn btn-xs btn-primary">详情</a>
{% ifnotequal session_role_id 0 %}
<a href="/jasset/asset_edit/?id={{ asset.id }}" class="btn btn-xs btn-info">编辑</a>
<a value="{{ asset.id }}" class="conn btn btn-xs btn-warning">连接</a>
<a value="/jasset/asset_del/?id={{ asset.id }}" class="btn btn-xs btn-danger asset_del">删除</a>
{% endifnotequal %}
</td>
......@@ -168,9 +169,46 @@
}
)
}
})
});
$('.conn').click(function(){
var url='/jlog/get_role_name/?id=' + $(this).attr('value');
var href = $(this).attr('href');
var new_url = '/jlog/web_terminal/?id=' + $(this).attr('value') + '&role=';
$.ajax({
type: 'GET',
url: url,
data: {},
success: function(data){
var dataArray = data.split(',');
if (dataArray.length == 1 && data != 'error'){
console.log('one');
window.open(new_url + data, '', 'height=400, width=600, top=89px, left=99px,toolbar=no,menubar=no,scrollbars=auto,resizeable=no,location=no,status=no');
} else if (dataArray.length == '1' && data == 'error'){
layer.alert('没有授权角色')
} else {
aUrl = '';
$.each(dataArray, function(index, value){
aUrl += '<a onclick="windowOpen(this); return false" class="btn btn-xs btn-primary newa" href=' + new_url + value + '>' + value + '</a> '
});
layer.alert(aUrl, {
skin: 'layui-layer-molv',
title: '多个角色,请选择一个连接',
closeBtn: 0
})
}
}
});
return false
});
});
function windowOpen(aTab){
var new_url = aTab.href;
window.open(new_url, '', 'height=400, width=600, top=89px, left=99px,toolbar=no,menubar=no,scrollbars=auto,resizeable=no,location=no,status=no');
return false
}
$(".iframe").on('click', function(){
var asset_id_all = getIDall();
if (asset_id_all == ''){
......@@ -207,6 +245,8 @@
});
});
$('#asset_del').click(function () {
var asset_id_all = getIDall();
if (asset_id_all == ''){
......
templates/jlog/log_online.html
View file @ 49821062
......@@ -79,11 +79,9 @@
<th class="text-center"> 用户名 </th>
<th class="text-center"> 登录主机 </th>
<th class="text-center"> 来源IP </th>
{% ifnotequal session_role_id 0 %}
<th class="text-center"> 统计命令 </th>
<th class="text-center"> 实时监控 </th>
<th class="text-center"> 阻断 </th>
{% endifnotequal %}
<th class="text-center"> 统计命令 </th>
<th class="text-center"> 实时监控 </th>
<th class="text-center"> 阻断 </th>
<th class="text-center"> 登录时间 </th>
</tr>
......@@ -94,11 +92,9 @@
<td id="username" class="text-center"> {{ post.user }} </td>
<td id="ip" class="text-center"> {{ post.host }} </td>
<td id="remote_ip" class="text-center"> {{ post.remote_ip }} </td>
{% ifnotequal session_role_id 0 %}
<td class="text-center"><a href="/jlog/history/?id={{ post.id }}" class="log_command"> 命令统计 </a></td>
<td class="text-center"><a class="monitor" file_path="{{ post.log_path }}"> 监控 </a></td>
<td class="text-center"><input type="button" id="cut" class="btn btn-danger btn-xs" name="cut" value="阻断" onclick='cut("{{ post.pid }}", "{{ post.remote_ip }}")' /></td>
{% endifnotequal %}
<td class="text-center"><a href="/jlog/history/?id={{ post.id }}" class="log_command"> 命令统计 </a></td>
<td class="text-center"><a class="monitor" file_path="{{ post.log_path }}"> 监控 </a></td>
<td class="text-center"><input type="button" id="cut" class="btn btn-danger btn-xs" name="cut" value="阻断" onclick='cut("{{ post.pid }}", "{{ post.remote_ip }}")' /></td>
<td class="text-center" id="start_time"> {{ post.start_time|date:"Y-m-d H:i:s" }} </td>
</tr>
{% endfor %}
......@@ -188,10 +184,6 @@
}});
return false;
});
$('#test_connect').click(function(){
window.open('/jlog/web_terminal/?asset_name="hello', '播放', 'height=400, width=600, top=89px, left=99px,toolbar=no,menubar=no,scrollbars=auto,resizeable=no,location=no,status=no');
});
});
{# function log_search(){#}
......
templates/nav.html
View file @ 49821062
......@@ -36,8 +36,6 @@
<li class="role">
<a href="/jperm/role/">系统角色</a>
</li>
<li class="apply_show online"><a href="/jperm/apply_show/online/">权限审批</a></li>
<li class="apply_show online"><a href="/jperm/log/">授权记录</a></li>
</ul>
</li>
<li id="jlog">
......
templates/setting.html
View file @ 49821062
......@@ -29,7 +29,7 @@
<div class="panel-options">
<ul class="nav nav-tabs">
<li id="tab1" class="active"><a data-toggle="tab" href="#tab-default" aria-expanded="true">默认设置</a></li>
<li id="tab2" class=""><a data-toggle="tab" href="#tab-email" aria-expanded="true">邮箱设置</a></li>
{# <li id="tab2" class=""><a data-toggle="tab" href="#tab-email" aria-expanded="true">邮箱设置</a></li>#}
</ul>
</div>
</div>
......@@ -82,15 +82,15 @@
</form>
</div>
<div id="tab-email" class="tab-pane">
<table class="table table-striped table-bordered table-hover " id="editable" >
<thead>
<tr>
<th class="text-center">组名</th>
</tr>
</thead>
</table>
</div>
{# <div id="tab-email" class="tab-pane">#}
{# <table class="table table-striped table-bordered table-hover " id="editable" >#}
{# <thead>#}
{# <tr>#}
{# <th class="text-center">组名</th>#}
{# </tr>#}
{# </thead>#}
{# </table>#}
{# </div>#}
</div>
</div>
</div>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment