From cb3877bbdae8347bfef98c9364ce9396606ff9ba Mon Sep 17 00:00:00 2001 From: ibuler Date: Thu, 1 Dec 2022 19:41:18 +0800 Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20acl=20=E6=B7=BB?= =?UTF-8?q?=E5=8A=A0=E5=91=BD=E4=BB=A4=E8=BF=87=E6=BB=A4=20acl?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/acls/api/command_acl.py | 12 ++ .../migrations/0005_auto_20221201_1846.py | 35 ++++ .../0006_commandfilteracl_commandgroup.py | 61 +++++++ apps/acls/models/__init__.py | 1 + apps/acls/models/base.py | 21 ++- apps/acls/models/command_acl.py | 162 ++++++++++++++++++ apps/acls/models/login_acl.py | 24 +-- apps/acls/models/login_asset_acl.py | 22 +-- apps/acls/serializers/command_filter.py | 0 9 files changed, 294 insertions(+), 44 deletions(-) create mode 100644 apps/acls/api/command_acl.py create mode 100644 apps/acls/migrations/0005_auto_20221201_1846.py create mode 100644 apps/acls/migrations/0006_commandfilteracl_commandgroup.py create mode 100644 apps/acls/serializers/command_filter.py diff --git a/apps/acls/api/command_acl.py b/apps/acls/api/command_acl.py new file mode 100644 index 000000000..563e0c1a2 --- /dev/null +++ b/apps/acls/api/command_acl.py @@ -0,0 +1,12 @@ +from orgs.mixins.api import OrgBulkModelViewSet +from .. import models, serializers + + +__all__ = ['CommandFilterACLViewSet'] + + +class CommandFilterACLViewSet(OrgBulkModelViewSet): + model = models.CommandFilterACL + filterset_fields = ('name', ) + search_fields = filterset_fields + serializer_class = serializers.LoginAssetACLSerializer diff --git a/apps/acls/migrations/0005_auto_20221201_1846.py b/apps/acls/migrations/0005_auto_20221201_1846.py new file mode 100644 index 000000000..b69216896 --- /dev/null +++ b/apps/acls/migrations/0005_auto_20221201_1846.py @@ -0,0 +1,35 @@ +# Generated by Django 3.2.14 on 2022-12-01 10:46 + +from django.conf import settings +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ('acls', '0004_auto_20220831_1658'), + ] + + operations = [ + migrations.AlterField( + model_name='loginacl', + name='action', + field=models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow'), ('confirm', 'Confirm')], default='reject', max_length=64, verbose_name='Action'), + ), + migrations.AlterField( + model_name='loginacl', + name='reviewers', + field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Reviewers'), + ), + migrations.AlterField( + model_name='loginassetacl', + name='action', + field=models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow'), ('confirm', 'Confirm')], default='reject', max_length=64, verbose_name='Action'), + ), + migrations.AlterField( + model_name='loginassetacl', + name='reviewers', + field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Reviewers'), + ), + ] diff --git a/apps/acls/migrations/0006_commandfilteracl_commandgroup.py b/apps/acls/migrations/0006_commandfilteracl_commandgroup.py new file mode 100644 index 000000000..05122b733 --- /dev/null +++ b/apps/acls/migrations/0006_commandfilteracl_commandgroup.py @@ -0,0 +1,61 @@ +# Generated by Django 3.2.14 on 2022-12-01 11:39 + +from django.conf import settings +import django.core.validators +from django.db import migrations, models +import uuid + + +class Migration(migrations.Migration): + + dependencies = [ + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ('acls', '0005_auto_20221201_1846'), + ] + + operations = [ + migrations.CreateModel( + name='CommandGroup', + fields=[ + ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')), + ('updated_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Updated by')), + ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')), + ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')), + ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)), + ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')), + ('name', models.CharField(max_length=128, verbose_name='Name')), + ('type', models.CharField(choices=[('command', 'Command'), ('regex', 'Regex')], default='command', max_length=16, verbose_name='Type')), + ('content', models.TextField(help_text='One line one command', verbose_name='Content')), + ('ignore_case', models.BooleanField(default=True, verbose_name='Ignore case')), + ], + options={ + 'verbose_name': 'Command filter rule', + 'unique_together': {('org_id', 'name')}, + }, + ), + migrations.CreateModel( + name='CommandFilterACL', + fields=[ + ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')), + ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)), + ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')), + ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')), + ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')), + ('name', models.CharField(max_length=128, verbose_name='Name')), + ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')), + ('action', models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow'), ('confirm', 'Confirm')], default='reject', max_length=64, verbose_name='Action')), + ('is_active', models.BooleanField(default=True, verbose_name='Active')), + ('comment', models.TextField(blank=True, default='', verbose_name='Comment')), + ('users', models.JSONField(verbose_name='User')), + ('accounts', models.JSONField(verbose_name='Account')), + ('assets', models.JSONField(verbose_name='Asset')), + ('commands', models.ManyToManyField(to='acls.CommandGroup', verbose_name='Commands')), + ('reviewers', models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Reviewers')), + ], + options={ + 'verbose_name': 'Command acl', + 'ordering': ('priority', '-date_updated', 'name'), + 'unique_together': {('name', 'org_id')}, + }, + ), + ] diff --git a/apps/acls/models/__init__.py b/apps/acls/models/__init__.py index 45d49c378..3c5416992 100644 --- a/apps/acls/models/__init__.py +++ b/apps/acls/models/__init__.py @@ -1,2 +1,3 @@ from .login_acl import * from .login_asset_acl import * +from .command_acl import * diff --git a/apps/acls/models/base.py b/apps/acls/models/base.py index 73ab5c59c..6bda02df8 100644 --- a/apps/acls/models/base.py +++ b/apps/acls/models/base.py @@ -4,7 +4,13 @@ from django.core.validators import MinValueValidator, MaxValueValidator from common.mixins import CommonModelMixin -__all__ = ['BaseACL', 'BaseACLQuerySet'] +__all__ = ['BaseACL', 'BaseACLQuerySet', 'ACLManager'] + + +class ActionChoices(models.TextChoices): + reject = 'reject', _('Reject') + allow = 'allow', _('Allow') + confirm = 'confirm', _('Confirm') class BaseACLQuerySet(models.QuerySet): @@ -21,6 +27,11 @@ class BaseACLQuerySet(models.QuerySet): return self.inactive() +class ACLManager(models.Manager): + def valid(self): + return self.get_queryset().valid() + + class BaseACL(CommonModelMixin): name = models.CharField(max_length=128, verbose_name=_('Name')) priority = models.IntegerField( @@ -28,8 +39,16 @@ class BaseACL(CommonModelMixin): help_text=_("1-100, the lower the value will be match first"), validators=[MinValueValidator(1), MaxValueValidator(100)] ) + action = models.CharField( + max_length=64, verbose_name=_('Action'), + choices=ActionChoices.choices, default=ActionChoices.reject + ) + reviewers = models.ManyToManyField('users.User', blank=True, verbose_name=_("Reviewers")) is_active = models.BooleanField(default=True, verbose_name=_("Active")) comment = models.TextField(default='', blank=True, verbose_name=_('Comment')) + objects = ACLManager.from_queryset(BaseACLQuerySet)() + ActionChoices = ActionChoices + class Meta: abstract = True diff --git a/apps/acls/models/command_acl.py b/apps/acls/models/command_acl.py index e69de29bb..4fba67a3d 100644 --- a/apps/acls/models/command_acl.py +++ b/apps/acls/models/command_acl.py @@ -0,0 +1,162 @@ +# -*- coding: utf-8 -*- +# +import re + +from django.db import models +from django.db.models import Q +from django.utils.translation import ugettext_lazy as _ + +from users.models import User, UserGroup +from orgs.mixins.models import JMSOrgBaseModel +from common.utils import lazyproperty, get_logger, get_object_or_none +from orgs.mixins.models import OrgModelMixin +from .base import BaseACL + +logger = get_logger(__file__) + + +class CommandGroup(JMSOrgBaseModel): + class Type(models.TextChoices): + command = 'command', _('Command') + regex = 'regex', _('Regex') + + name = models.CharField(max_length=128, verbose_name=_("Name")) + type = models.CharField(max_length=16, default=Type.command, choices=Type.choices, verbose_name=_("Type")) + content = models.TextField(verbose_name=_("Content"), help_text=_("One line one command")) + ignore_case = models.BooleanField(default=True, verbose_name=_('Ignore case')) + + class Meta: + unique_together = [('org_id', 'name')] + verbose_name = _("Command filter rule") + + @lazyproperty + def pattern(self): + if self.type == 'command': + s = self.construct_command_regex(content=self.content) + else: + s = r'{0}'.format(self.content) + return s + + @classmethod + def construct_command_regex(cls, content): + regex = [] + content = content.replace('\r\n', '\n') + for _cmd in content.split('\n'): + cmd = re.sub(r'\s+', ' ', _cmd) + cmd = re.escape(cmd) + cmd = cmd.replace('\\ ', '\s+') + + # 有空格就不能 铆钉单词了 + if ' ' in _cmd: + regex.append(cmd) + continue + + if not cmd: + continue + + # 如果是单个字符 + if cmd[-1].isalpha(): + regex.append(r'\b{0}\b'.format(cmd)) + else: + regex.append(r'\b{0}'.format(cmd)) + s = r'{}'.format('|'.join(regex)) + return s + + @staticmethod + def compile_regex(regex, ignore_case): + args = [] + if ignore_case: + args.append(re.IGNORECASE) + try: + pattern = re.compile(regex, *args) + except Exception as e: + error = _('The generated regular expression is incorrect: {}').format(str(e)) + logger.error(error) + return False, error, None + return True, '', pattern + + def match(self, data): + succeed, error, pattern = self.compile_regex(self.pattern, self.ignore_case) + if not succeed: + return False, '' + + found = pattern.search(data) + if not found: + return False, '' + else: + return True, found.group() + + def __str__(self): + return '{} % {}'.format(self.type, self.content) + + def create_command_confirm_ticket(self, run_command, session, cmd_filter_rule, org_id): + from tickets.const import TicketType + from tickets.models import ApplyCommandTicket + data = { + 'title': _('Command confirm') + ' ({})'.format(session.user), + 'type': TicketType.command_confirm, + 'applicant': session.user_obj, + 'apply_run_user_id': session.user_id, + 'apply_run_asset': str(session.asset), + 'apply_run_account': str(session.account), + 'apply_run_command': run_command[:4090], + 'apply_from_session_id': str(session.id), + 'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id), + 'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id), + 'org_id': org_id, + } + ticket = ApplyCommandTicket.objects.create(**data) + assignees = self.reviewers.all() + ticket.open_by_system(assignees) + return ticket + + @classmethod + def get_queryset( + cls, user_id=None, user_group_id=None, account=None, + asset_id=None, org_id=None + ): + from assets.models import Account + user_groups = [] + user = get_object_or_none(User, pk=user_id) + if user: + user_groups.extend(list(user.groups.all())) + user_group = get_object_or_none(UserGroup, pk=user_group_id) + if user_group: + org_id = user_group.org_id + user_groups.append(user_group) + + asset = get_object_or_none(Asset, pk=asset_id) + q = Q() + if user: + q |= Q(users=user) + if user_groups: + q |= Q(user_groups__in=set(user_groups)) + if account: + org_id = account.org_id + q |= Q(accounts__contains=account.username) | \ + Q(accounts__contains=Account.AliasAccount.ALL) + if asset: + org_id = asset.org_id + q |= Q(assets=asset) + if q: + cmd_filters = CommandFilter.objects.filter(q).filter(is_active=True) + if org_id: + cmd_filters = cmd_filters.filter(org_id=org_id) + rule_ids = cmd_filters.values_list('rules', flat=True) + rules = cls.objects.filter(id__in=rule_ids) + else: + rules = cls.objects.none() + return rules + + +class CommandFilterACL(OrgModelMixin, BaseACL): + # 条件 + users = models.JSONField(verbose_name=_('User')) + accounts = models.JSONField(verbose_name=_('Account')) + assets = models.JSONField(verbose_name=_('Asset')) + commands = models.ManyToManyField(CommandGroup, verbose_name=_('Commands')) + + class Meta: + unique_together = ('name', 'org_id') + ordering = ('priority', '-date_updated', 'name') + verbose_name = _('Command acl') diff --git a/apps/acls/models/login_acl.py b/apps/acls/models/login_acl.py index 71f202b15..aedb8aa9c 100644 --- a/apps/acls/models/login_acl.py +++ b/apps/acls/models/login_acl.py @@ -1,24 +1,14 @@ from django.db import models from django.utils.translation import ugettext_lazy as _ -from .base import BaseACL, BaseACLQuerySet + from common.utils import get_request_ip, get_ip_city from common.utils.ip import contains_ip from common.utils.time_period import contains_time_period from common.utils.timezone import local_now_display - - -class ACLManager(models.Manager): - - def valid(self): - return self.get_queryset().valid() +from .base import BaseACL class LoginACL(BaseACL): - class ActionChoices(models.TextChoices): - reject = 'reject', _('Reject') - allow = 'allow', _('Allow') - confirm = 'confirm', _('Login confirm') - # 用户 user = models.ForeignKey( 'users.User', on_delete=models.CASCADE, verbose_name=_('User'), @@ -26,16 +16,6 @@ class LoginACL(BaseACL): ) # 规则 rules = models.JSONField(default=dict, verbose_name=_('Rule')) - # 动作 - action = models.CharField( - max_length=64, verbose_name=_('Action'), - choices=ActionChoices.choices, default=ActionChoices.reject - ) - reviewers = models.ManyToManyField( - 'users.User', verbose_name=_("Reviewers"), - related_name="login_confirm_acls", blank=True - ) - objects = ACLManager.from_queryset(BaseACLQuerySet)() class Meta: ordering = ('priority', '-date_updated', 'name') diff --git a/apps/acls/models/login_asset_acl.py b/apps/acls/models/login_asset_acl.py index 842d41432..de9897c7b 100644 --- a/apps/acls/models/login_asset_acl.py +++ b/apps/acls/models/login_asset_acl.py @@ -2,7 +2,7 @@ from django.db import models from django.db.models import Q from django.utils.translation import ugettext_lazy as _ from orgs.mixins.models import OrgModelMixin, OrgManager -from .base import BaseACL, BaseACLQuerySet +from .base import BaseACL, BaseACLQuerySet, ACLManager from common.utils.ip import contains_ip @@ -32,31 +32,11 @@ class ACLQuerySet(BaseACLQuerySet): ) -class ACLManager(OrgManager): - - def valid(self): - return self.get_queryset().valid() - - class LoginAssetACL(BaseACL, OrgModelMixin): - class ActionChoices(models.TextChoices): - login_confirm = 'login_confirm', _('Login confirm') - # 条件 users = models.JSONField(verbose_name=_('User')) accounts = models.JSONField(verbose_name=_('Account')) assets = models.JSONField(verbose_name=_('Asset')) - # 动作 - action = models.CharField( - max_length=64, choices=ActionChoices.choices, default=ActionChoices.login_confirm, - verbose_name=_('Action') - ) - # 动作: 附加字段 - # - login_confirm - reviewers = models.ManyToManyField( - 'users.User', related_name='review_login_asset_acls', blank=True, - verbose_name=_("Reviewers") - ) objects = ACLManager.from_queryset(ACLQuerySet)() diff --git a/apps/acls/serializers/command_filter.py b/apps/acls/serializers/command_filter.py new file mode 100644 index 000000000..e69de29bb