diff --git a/connect.py b/connect.py index 62849f99d..b815d8898 100755 --- a/connect.py +++ b/connect.py @@ -174,7 +174,6 @@ def get_user_host(username): def get_connect_item(username, ip): - cryptor = PyCrypt(KEY) asset = get_object(Asset, ip=ip) port = asset.port @@ -192,12 +191,12 @@ def get_connect_item(username, ip): } if asset.login_type in login_type_dict: - password = cryptor.decrypt(login_type_dict[asset.login_type]) + password = CRYPTOR.decrypt(login_type_dict[asset.login_type]) return username, password, ip, port elif asset.login_type == 'M': username = asset.username - password = cryptor.decrypt(asset.password) + password = CRYPTOR.decrypt(asset.password) return username, password, ip, port else: @@ -286,7 +285,7 @@ def remote_exec_cmd(ip, port, username, password, cmd): stdin, stdout, stderr = ssh.exec_command("bash -l -c '%s'" % cmd) out = stdout.readlines() err = stderr.readlines() - color_print('%s:' %ip, 'blue') + color_print('%s:' % ip, 'blue') for i in out: color_print(" " * 4 + i.strip(), 'green') for j in err: diff --git a/jumpserver/api.py b/jumpserver/api.py index 497f076d3..4743cca19 100644 --- a/jumpserver/api.py +++ b/jumpserver/api.py @@ -128,6 +128,14 @@ class PyCrypt(object): ciphertext = cryptor.encrypt(text) return b2a_hex(ciphertext) + def decrypt(self, text): + cryptor = AES.new(self.key, self.mode, b'0000000000000000') + try: + plain_text = cryptor.decrypt(a2b_hex(text)) + except TypeError: + raise ServerError('Decrypt password error, TYpe error.') + return plain_text.rstrip('\0') + CRYPTOR = PyCrypt(KEY) diff --git a/jumpserver/templatetags/mytags.py b/jumpserver/templatetags/mytags.py index 97fa3d800..96ee67b19 100644 --- a/jumpserver/templatetags/mytags.py +++ b/jumpserver/templatetags/mytags.py @@ -6,7 +6,7 @@ import time from django import template from juser.models import User, UserGroup, DEPT from jasset.models import BisGroup -from jumpserver.api import user_perm_asset_api +from jumpserver.api import * register = template.Library() @@ -78,6 +78,16 @@ def bool2str(value): return u'否' +@register.filter(name='user_readonly') +def user_readonly(user_id): + user = User.objects.filter(id=user_id) + if user: + user = user[0] + if user.role == 'CU': + return False + return True + + @register.filter(name='member_count') def member_count(group_id): group = UserGroup.objects.get(id=group_id) diff --git a/juser/urls.py b/juser/urls.py index 55a017b1c..2a66f78ed 100644 --- a/juser/urls.py +++ b/juser/urls.py @@ -13,18 +13,19 @@ urlpatterns = patterns('juser.views', (r'^dept_detail/$', 'dept_detail'), (r'^dept_del_ajax/$', 'dept_del_ajax'), (r'^dept_edit/$', 'dept_edit'), - (r'^group_add/$', 'group_add'), + (r'^dept_user_ajax/$', 'dept_user_ajax'), + (r'^group_add/$', view_splitter, {'su': group_add, 'adm': group_add_adm}), (r'^group_list/$', view_splitter, {'su': group_list, 'adm': group_list_adm}), (r'^group_detail/$', 'group_detail'), - (r'^group_del/$', 'group_del'), + (r'^group_del/$', view_splitter, {'su': group_del, 'adm': group_del_adm}), (r'^group_del_ajax/$', 'group_del_ajax'), (r'^group_edit/$', view_splitter, {'su': group_edit, 'adm': group_edit_adm}), (r'^user_add/$', 'user_add'), - (r'^user_list/$', 'user_list'), + (r'^user_list/$', view_splitter, {'su': user_list, 'adm': user_list_adm}), (r'^user_detail/$', 'user_detail'), (r'^user_del/$', 'user_del'), (r'^user_del_ajax/$', 'user_del_ajax'), - (r'^user_edit/$', 'user_edit'), + (r'^user_edit/$', view_splitter, {'su': user_edit, 'adm': user_edit_adm}), (r'^profile/$', 'profile'), (r'^chg_pass/$', 'chg_pass'), ) diff --git a/juser/views.py b/juser/views.py index c09f5d463..57a9e2276 100644 --- a/juser/views.py +++ b/juser/views.py @@ -97,11 +97,12 @@ def db_add_user(**kwargs): def db_update_user(**kwargs): groups_post = kwargs.pop('groups') - username = kwargs.get('username') - user = User.objects.filter(username=username) - user.update(**kwargs) - user = User.objects.get(username=username) - user.save() + user_id = kwargs.pop('user_id') + user = User.objects.filter(id=user_id) + if user: + user.update(**kwargs) + user = User.objects.get(id=user_id) + user.save() if groups_post: group_select = [] @@ -336,7 +337,21 @@ def dept_edit(request): return render_to_response('juser/dept_edit.html', locals(), context_instance=RequestContext(request)) -@require_admin +def dept_user_ajax(request): + dept_id = request.GET.get('id', '4') + if dept_id not in ['1', '2']: + dept = DEPT.objects.filter(id=dept_id) + if dept: + dept = dept[0] + users = dept.user_set.all() + else: + users = User.objects.all() + + return render_to_response('juser/dept_user_ajax.html', locals()) + + + +@require_super_user def group_add(request): error = '' msg = '' @@ -372,6 +387,37 @@ def group_add(request): return render_to_response('juser/group_add.html', locals(), context_instance=RequestContext(request)) +@require_admin +def group_add_adm(request): + error = '' + msg = '' + header_title, path1, path2 = '添加小组', '用户管理', '添加小组' + user, dept = get_session_user_dept(request) + user_all = dept.user_set.all() + + if request.method == 'POST': + group_name = request.POST.get('group_name', '') + users_selected = request.POST.getlist('users_selected', '') + comment = request.POST.get('comment', '') + + try: + if not validate(request, user=users_selected): + raise AddError('没有某用户权限') + if '' in [group_name]: + error = u'组名不能为空' + raise AddError(error) + + db_add_group(name=group_name, users=users_selected, dept=dept, comment=comment) + except AddError: + pass + except TypeError: + error = u'保存小组失败' + else: + msg = u'添加组 %s 成功' % group_name + + return render_to_response('juser/group_add.html', locals(), context_instance=RequestContext(request)) + + @require_super_user def group_list(request): header_title, path1, path2 = '查看小组', '用户管理', '查看小组' @@ -417,7 +463,7 @@ def group_detail(request): return render_to_response('juser/group_detail.html', locals(), context_instance=RequestContext(request)) -@require_admin +@require_super_user def group_del(request): group_id = request.GET.get('id', '') if not group_id: @@ -426,10 +472,25 @@ def group_del(request): return HttpResponseRedirect('/juser/group_list/') +@require_admin +def group_del_adm(request): + group_id = request.GET.get('id', '') + if not validate(request, user_group=[group_id]): + return HttpResponseRedirect('/juser/group_list/') + if not group_id: + return HttpResponseRedirect('/') + UserGroup.objects.filter(id=group_id).delete() + return HttpResponseRedirect('/juser/group_list/') + + @require_admin def group_del_ajax(request): group_ids = request.POST.get('group_ids') - for group_id in group_ids.split(','): + group_ids = group_ids.split(',') + if request.session.get('role_id') == 1: + if not validate(request, user_group=group_ids): + return "error" + for group_id in group_ids: UserGroup.objects.filter(id=group_id).delete() return HttpResponse('删除成功') @@ -497,6 +558,7 @@ def group_edit_adm(request): error = '' msg = '' header_title, path1, path2 = '修改小组信息', '用户管理', '编辑小组' + user, dept = get_session_user_dept(request) if request.method == 'GET': group_id = request.GET.get('id', '') if not validate(request, user_group=[group_id]): @@ -504,8 +566,7 @@ def group_edit_adm(request): group = UserGroup.objects.filter(id=group_id) if group: group = group[0] - dept_all = DEPT.objects.all() - users_all = User.objects.all() + users_all = dept.user_set.all() users_selected = group.user_set.all() users = [user for user in users_all if user not in users_selected] @@ -513,19 +574,17 @@ def group_edit_adm(request): else: group_id = request.POST.get('group_id', '') group_name = request.POST.get('group_name', '') - dept_id = request.POST.get('dept_id', '') comment = request.POST.get('comment', '') users_selected = request.POST.getlist('users_selected') users = [] try: - if '' in [group_id, group_name]: - raise AddError('组名不能为空') - dept = DEPT.objects.filter(id=dept_id) - if dept: - dept = dept[0] - else: - raise AddError('部门不存在') + if not validate(request, user=users_selected): + raise AddError(u'右侧非部门用户') + + if not validate(request, user_group=[group_id]): + raise AddError(u'没有权限修改本组') + for user_id in users_selected: users.extend(User.objects.filter(id=user_id)) @@ -609,7 +668,7 @@ def user_add(request): return render_to_response('juser/user_add.html', locals(), context_instance=RequestContext(request)) -@require_admin +@require_super_user def user_list(request): user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'} header_title, path1, path2 = '查看用户', '用户管理', '用户列表' @@ -638,11 +697,39 @@ def user_list(request): return render_to_response('juser/user_list.html', locals(), context_instance=RequestContext(request)) +@require_admin +def user_list_adm(request): + user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'} + header_title, path1, path2 = '查看用户', '用户管理', '用户列表' + keyword = request.GET.get('keyword', '') + user, dept = get_session_user_dept(request) + gid = request.GET.get('gid', '') + contact_list = dept.user_set.all().order_by('name') + + if gid: + if not validate(request, user_group=[gid]): + return HttpResponseRedirect('/juser/user_list/') + user_group = UserGroup.objects.filter(id=gid) + if user_group: + user_group = user_group[0] + contact_list = user_group.user_set.all() + + if keyword: + contact_list = contact_list.filter(Q(username__icontains=keyword) | Q(name__icontains=keyword)).order_by('name') + + contact_list, p, contacts, page_range, current_page, show_first, show_end = pages(contact_list, request) + + return render_to_response('juser/user_list.html', locals(), context_instance=RequestContext(request)) + + @require_admin def user_detail(request): user_id = request.GET.get('id', '') if not user_id: return HttpResponseRedirect('/juser/user_list/') + if request.session.get('role_id', '') == '1': + if not validate(request, user=[user_id]): + return HttpResponseRedirect('/juser/user_list/') user = User.objects.filter(id=user_id) if user: user = user[0] @@ -655,7 +742,12 @@ def user_detail(request): def user_del(request): user_id = request.GET.get('id', '') if not user_id: - return HttpResponseRedirect('/') + return HttpResponseRedirect('/juser/user_list/') + + if request.session.get('role_id', '') == '1': + if not validate(request, user=[user_id]): + return HttpResponseRedirect('/juser/user_list/') + user = User.objects.filter(id=user_id) if user: user = user[0] @@ -669,7 +761,11 @@ def user_del(request): @require_admin def user_del_ajax(request): user_ids = request.POST.get('ids') - for user_id in user_ids.split(','): + user_ids = user_ids.split(',') + if request.session.get('role_id', '') == 1: + if not validate(request, user=user_ids): + return "error" + for user_id in user_ids: user = User.objects.filter(id=user_id) if user: user = user[0] @@ -681,7 +777,7 @@ def user_del_ajax(request): return HttpResponse('删除成功') -@require_admin +@require_super_user def user_edit(request): header_title, path1, path2 = '编辑用户', '用户管理', '用户编辑' if request.method == 'GET': @@ -698,7 +794,7 @@ def user_edit(request): groups_str = ' '.join([str(group.id) for group in user.group.all()]) else: - username = request.POST.get('username', '') + user_id = request.GET.get('user_id', '') password = request.POST.get('password', '') name = request.POST.get('name', '') email = request.POST.get('email', '') @@ -715,8 +811,8 @@ def user_edit(request): else: dept = DEPT.objects.get(id='1') - if username: - user = User.objects.filter(username=username) + if user_id: + user = User.objects.filter(id=user_id) if user: user = user[0] else: @@ -728,7 +824,7 @@ def user_edit(request): if ssh_key_pwd != user.ssh_key_pwd: ssh_key_pwd = CRYPTOR.encrypt(ssh_key_pwd) - db_update_user(username=username, + db_update_user(user_id=user_id, password=password, name=name, email=email, @@ -743,6 +839,62 @@ def user_edit(request): return render_to_response('juser/user_edit.html', locals(), context_instance=RequestContext(request)) +@require_admin +def user_edit_adm(request): + header_title, path1, path2 = '编辑用户', '用户管理', '用户编辑' + user, dept = get_session_user_dept(request) + if request.method == 'GET': + user_id = request.GET.get('id', '') + if not user_id: + return HttpResponseRedirect('/juser/user_list/') + + if not validate(request, user=[user_id]): + return HttpResponseRedirect('/juser/user_list/') + + user = User.objects.filter(id=user_id) + dept_all = DEPT.objects.all() + group_all = dept.usergroup_set.all() + if user: + user = user[0] + groups_str = ' '.join([str(group.id) for group in user.group.all()]) + + else: + user_id = request.POST.get('user_id', '') + password = request.POST.get('password', '') + name = request.POST.get('name', '') + email = request.POST.get('email', '') + groups = request.POST.getlist('groups', []) + ssh_key_pwd = request.POST.get('ssh_key_pwd', '') + is_active = True if request.POST.get('is_active', '1') == '1' else False + + if not validate(request, user=[user_id], user_group=groups): + return HttpResponseRedirect('/juser/user_edit/') + if user_id: + user = User.objects.filter(id=user_id) + if user: + user = user[0] + else: + return HttpResponseRedirect('/juser/user_list/') + + if password != user.password: + password = md5_crypt(password) + + if ssh_key_pwd != user.ssh_key_pwd: + ssh_key_pwd = CRYPTOR.encrypt(ssh_key_pwd) + + db_update_user(user_id=user_id, + password=password, + name=name, + email=email, + groups=groups, + is_active=is_active, + ssh_key_pwd=ssh_key_pwd) + + return HttpResponseRedirect('/juser/user_list/') + + return render_to_response('juser/user_edit.html', locals(), context_instance=RequestContext(request)) + + def profile(request): user_id = request.session.get('user_id') if not user_id: diff --git a/templates/juser/dept_user_ajax.html b/templates/juser/dept_user_ajax.html new file mode 100644 index 000000000..3d73f4eae --- /dev/null +++ b/templates/juser/dept_user_ajax.html @@ -0,0 +1,3 @@ +{% for user in users %} + +{% endfor %} \ No newline at end of file diff --git a/templates/juser/group_add.html b/templates/juser/group_add.html index 099e4ac9f..c6867e08c 100644 --- a/templates/juser/group_add.html +++ b/templates/juser/group_add.html @@ -40,17 +40,19 @@ + {% ifequal session_role_id 2 %}
- {% for dept in dept_all %} {% endfor %}
+ {% endifequal %}
@@ -127,6 +129,16 @@ function change_type(type){ }) } + +function change_dept(dept_id){ + $.get('/juser/dept_user_ajax/', + {'id': dept_id}, + function(data){ + $('#users').html(data) + }) +} + + $(document).ready(function(){ $("#submit_button").click(function(){ $('#users_selected option').each(function(){ diff --git a/templates/juser/group_edit.html b/templates/juser/group_edit.html index 37d2d2d26..bd31d7abb 100644 --- a/templates/juser/group_edit.html +++ b/templates/juser/group_edit.html @@ -46,7 +46,7 @@
- {% for dept in dept_all %} {% ifequal group.dept.id dept.id %} @@ -88,7 +88,7 @@
- +
@@ -145,6 +145,16 @@ $(document).ready(function(){ }) }) +function change_dept(dept_id){ + $.get('/juser/dept_user_ajax/', + {'id': dept_id}, + function(data){ + $('#users').html(data); + $('#users_selected').html('') + + }) +} + {% endblock %} \ No newline at end of file diff --git a/templates/juser/user_edit.html b/templates/juser/user_edit.html index a02638aba..ee30e9c36 100644 --- a/templates/juser/user_edit.html +++ b/templates/juser/user_edit.html @@ -39,6 +39,7 @@
+
@@ -70,6 +71,7 @@
+ {% ifequal session_role_id 2 %}
@@ -85,6 +87,7 @@
+ {% endifequal %}
@@ -99,6 +102,7 @@
+ {% ifequal session_role_id 2 %}
@@ -114,6 +118,7 @@
+ {% endifequal %}
diff --git a/templates/juser/user_list.html b/templates/juser/user_list.html index 1b44755ba..6f2389e04 100644 --- a/templates/juser/user_list.html +++ b/templates/juser/user_list.html @@ -73,8 +73,14 @@ {{ user.is_active|bool2str }} 详情 + {% ifequal session_role_id 2 %} 编辑 删除 + {% else %} + 编辑 + 删除 + {% endifequal %} + {% endfor %} diff --git a/templates/nav.html b/templates/nav.html index e8841b50c..d397ea1ed 100644 --- a/templates/nav.html +++ b/templates/nav.html @@ -91,7 +91,7 @@ 用户管理