mirror of
https://github.com/jumpserver/jumpserver.git
synced 2025-12-16 17:12:53 +00:00
Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
19a8a0806e | ||
|
|
49c17d18b3 | ||
|
|
02b8533ea0 | ||
|
|
5c46ff20de | ||
|
|
074121b957 | ||
|
|
0eff79c47a | ||
|
|
10ff7730ec | ||
|
4f70e313b4 | ||
|
|
c225fd584d | ||
|
|
8ed6a64a9e | ||
|
d7e97629aa |
@@ -355,3 +355,4 @@ class Asset(ProtocolsMixin, NodesRelationMixin, OrgModelMixin):
|
||||
class Meta:
|
||||
unique_together = [('org_id', 'hostname')]
|
||||
verbose_name = _("Asset")
|
||||
ordering = ['-date_created']
|
||||
|
||||
@@ -140,7 +140,7 @@ def on_system_user_groups_change(instance, action, pk_set, reverse, **kwargs):
|
||||
logger.info("System user groups update signal recv: {}".format(instance))
|
||||
|
||||
users = User.objects.filter(groups__id__in=pk_set).distinct()
|
||||
instance.users.add(users)
|
||||
instance.users.add(*users)
|
||||
|
||||
|
||||
@receiver(m2m_changed, sender=Asset.nodes.through)
|
||||
|
||||
@@ -241,8 +241,8 @@ def push_system_user_a_asset_manual(system_user, asset, username=None):
|
||||
|
||||
@shared_task(queue="ansible")
|
||||
def push_system_user_to_assets(system_user, assets, username=None):
|
||||
task_name = _("Push system users to assets: {}").format(system_user.name)
|
||||
system_user = get_object_if_need(SystemUser, system_user)
|
||||
task_name = _("Push system users to assets: {}").format(system_user.name)
|
||||
assets = get_objects_if_need(Asset, assets)
|
||||
return push_system_user_util(system_user, assets, task_name, username=username)
|
||||
|
||||
|
||||
@@ -38,10 +38,10 @@ def common_exception_handler(exc, context):
|
||||
if getattr(exc, 'wait', None):
|
||||
headers['Retry-After'] = '%d' % exc.wait
|
||||
|
||||
if isinstance(exc.detail, (list, dict)):
|
||||
data = exc.detail
|
||||
if isinstance(exc.detail, str) and isinstance(exc.get_codes(), str):
|
||||
data = {'detail': exc.detail, 'code': exc.get_codes()}
|
||||
else:
|
||||
data = {'detail': exc.detail}
|
||||
data = exc.detail
|
||||
|
||||
set_rollback()
|
||||
return Response(data, status=exc.status_code, headers=headers)
|
||||
|
||||
@@ -14,7 +14,7 @@ router = DefaultRouter()
|
||||
bulk_router = BulkRouter()
|
||||
|
||||
router.register(r'orgs', api.OrgViewSet, 'org')
|
||||
bulk_router.register(r'org-memeber-relation', api.OrgMemberRelationBulkViewSet, 'org-memeber-relation')
|
||||
bulk_router.register(r'org-member-relation', api.OrgMemberRelationBulkViewSet, 'org-member-relation')
|
||||
|
||||
old_version_urlpatterns = [
|
||||
re_path('(?P<resource>org)/.*', capi.redirect_plural_name_api)
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
from django.db.models import Q
|
||||
|
||||
from common.permissions import IsOrgAdmin
|
||||
from orgs.mixins.api import OrgModelViewSet
|
||||
from orgs.mixins.api import OrgBulkModelViewSet
|
||||
from common.utils import get_object_or_none
|
||||
from ..models import AssetPermission
|
||||
from ..hands import (
|
||||
@@ -17,7 +17,7 @@ __all__ = [
|
||||
]
|
||||
|
||||
|
||||
class AssetPermissionViewSet(OrgModelViewSet):
|
||||
class AssetPermissionViewSet(OrgBulkModelViewSet):
|
||||
"""
|
||||
资产授权列表的增删改查api
|
||||
"""
|
||||
|
||||
@@ -9,16 +9,16 @@ from common.permissions import IsValidUser
|
||||
from common.utils import get_logger, get_object_or_none
|
||||
from .mixin import UserNodeGrantStatusDispatchMixin, ForUserMixin, ForAdminMixin
|
||||
from ...utils.user_asset_permission import (
|
||||
get_user_resources_q_granted_by_permissions,
|
||||
get_indirect_granted_node_children, UNGROUPED_NODE_KEY, FAVORITE_NODE_KEY,
|
||||
get_user_direct_granted_assets, get_top_level_granted_nodes,
|
||||
get_user_granted_nodes_list_via_mapping_node,
|
||||
get_user_granted_all_assets, rebuild_user_tree_if_need,
|
||||
get_user_all_assetpermission_ids,
|
||||
get_user_all_assetpermissions_id,
|
||||
)
|
||||
|
||||
from assets.models import Asset, FavoriteAsset
|
||||
from assets.api import SerializeToTreeNodeMixin
|
||||
from orgs.utils import tmp_to_root_org
|
||||
from ...hands import Node
|
||||
|
||||
logger = get_logger(__name__)
|
||||
@@ -27,6 +27,7 @@ logger = get_logger(__name__)
|
||||
class MyGrantedNodesWithAssetsAsTreeApi(SerializeToTreeNodeMixin, ListAPIView):
|
||||
permission_classes = (IsValidUser,)
|
||||
|
||||
@tmp_to_root_org()
|
||||
def list(self, request: Request, *args, **kwargs):
|
||||
"""
|
||||
此算法依赖 UserGrantedMappingNode
|
||||
@@ -64,7 +65,7 @@ class UserGrantedNodeChildrenWithAssetsAsTreeForAdminApi(ForAdminMixin, UserNode
|
||||
|
||||
def get_data_on_node_indirect_granted(self, key):
|
||||
user = self.user
|
||||
asset_perm_ids = get_user_all_assetpermission_ids(user)
|
||||
asset_perm_ids = get_user_all_assetpermissions_id(user)
|
||||
|
||||
nodes = get_indirect_granted_node_children(user, key)
|
||||
|
||||
|
||||
@@ -43,12 +43,14 @@ class AssetPermissionSerializer(BulkOrgResourceModelSerializer):
|
||||
model = AssetPermission
|
||||
mini_fields = ['id', 'name']
|
||||
small_fields = mini_fields + [
|
||||
'is_active', 'is_expired', 'is_valid', 'actions', 'created_by', 'date_created',
|
||||
'date_expired', 'date_start', 'comment'
|
||||
'is_active', 'is_expired', 'is_valid', 'actions',
|
||||
'created_by', 'date_created', 'date_expired',
|
||||
'date_start', 'comment'
|
||||
]
|
||||
m2m_fields = [
|
||||
'users', 'user_groups', 'assets', 'nodes', 'system_users',
|
||||
'users_amount', 'user_groups_amount', 'assets_amount', 'nodes_amount', 'system_users_amount',
|
||||
'users_amount', 'user_groups_amount', 'assets_amount',
|
||||
'nodes_amount', 'system_users_amount',
|
||||
]
|
||||
fields = small_fields + m2m_fields
|
||||
read_only_fields = ['created_by', 'date_created']
|
||||
|
||||
@@ -11,16 +11,19 @@ logger = get_logger(__file__)
|
||||
|
||||
|
||||
def get_asset_system_users_id_with_actions(asset_perm_queryset: BasePermissionQuerySet, asset: Asset):
|
||||
asset_perms_id = set(asset_perm_queryset.values_list('id', flat=True))
|
||||
|
||||
nodes = asset.get_nodes()
|
||||
node_keys = set()
|
||||
for node in nodes:
|
||||
ancestor_keys = node.get_ancestor_keys(with_self=True)
|
||||
node_keys.update(ancestor_keys)
|
||||
|
||||
queryset = asset_perm_queryset.filter(
|
||||
queryset = AssetPermission.objects.filter(id__in=asset_perms_id).filter(
|
||||
Q(assets=asset) |
|
||||
Q(nodes__key__in=node_keys)
|
||||
)
|
||||
|
||||
asset_protocols = asset.protocols_as_dict.keys()
|
||||
values = queryset.filter(
|
||||
system_users__protocol__in=asset_protocols
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
from functools import reduce, wraps
|
||||
from operator import or_, and_
|
||||
from operator import or_
|
||||
from uuid import uuid4
|
||||
import threading
|
||||
import inspect
|
||||
@@ -32,27 +32,6 @@ TMP_ASSET_GRANTED_FIELD = '_asset_granted'
|
||||
TMP_GRANTED_ASSETS_AMOUNT_FIELD = '_granted_assets_amount'
|
||||
|
||||
|
||||
# 使用场景
|
||||
# Asset.objects.filter(get_user_resources_q_granted_by_permissions(user))
|
||||
def get_user_resources_q_granted_by_permissions(user: User):
|
||||
"""
|
||||
获取用户关联的 asset permission 或者 用户组关联的 asset permission 获取规则,
|
||||
前提 AssetPermission 对象中的 related_name 为 granted_by_permissions
|
||||
:param user:
|
||||
:return:
|
||||
"""
|
||||
_now = now()
|
||||
return reduce(and_, (
|
||||
Q(granted_by_permissions__date_start__lt=_now),
|
||||
Q(granted_by_permissions__date_expired__gt=_now),
|
||||
Q(granted_by_permissions__is_active=True),
|
||||
(
|
||||
Q(granted_by_permissions__users=user) |
|
||||
Q(granted_by_permissions__user_groups__users=user)
|
||||
)
|
||||
))
|
||||
|
||||
|
||||
# 使用场景
|
||||
# `Node.objects.annotate(**node_annotate_mapping_node)`
|
||||
node_annotate_mapping_node = {
|
||||
@@ -147,12 +126,15 @@ def rebuild_user_mapping_nodes_with_lock(user: User):
|
||||
|
||||
|
||||
@tmp_to_root_org()
|
||||
def compute_tmp_mapping_node_from_perm(user: User):
|
||||
def compute_tmp_mapping_node_from_perm(user: User, asset_perms_id=None):
|
||||
node_only_fields = ('id', 'key', 'parent_key', 'assets_amount')
|
||||
|
||||
if asset_perms_id is None:
|
||||
asset_perms_id = get_user_all_assetpermissions_id(user)
|
||||
|
||||
# 查询直接授权节点
|
||||
nodes = Node.objects.filter(
|
||||
get_user_resources_q_granted_by_permissions(user)
|
||||
granted_by_permissions__id__in=asset_perms_id
|
||||
).distinct().only(*node_only_fields)
|
||||
granted_key_set = {_node.key for _node in nodes}
|
||||
|
||||
@@ -178,7 +160,7 @@ def compute_tmp_mapping_node_from_perm(user: User):
|
||||
def process_direct_granted_assets():
|
||||
# 查询直接授权资产
|
||||
asset_ids = Asset.objects.filter(
|
||||
get_user_resources_q_granted_by_permissions(user)
|
||||
granted_by_permissions__id__in=asset_perms_id
|
||||
).distinct().values_list('id', flat=True)
|
||||
# 查询授权资产关联的节点设置
|
||||
granted_asset_nodes = Node.objects.filter(
|
||||
@@ -211,7 +193,7 @@ def compute_tmp_mapping_node_from_perm(user: User):
|
||||
return [*leaf_nodes, *ancestors]
|
||||
|
||||
|
||||
def create_mapping_nodes(user, nodes, clear=True):
|
||||
def create_mapping_nodes(user, nodes):
|
||||
to_create = []
|
||||
for node in nodes:
|
||||
_granted = getattr(node, TMP_GRANTED_FIELD, False)
|
||||
@@ -227,12 +209,10 @@ def create_mapping_nodes(user, nodes, clear=True):
|
||||
assets_amount=_granted_assets_amount,
|
||||
))
|
||||
|
||||
if clear:
|
||||
UserGrantedMappingNode.objects.filter(user=user).delete()
|
||||
UserGrantedMappingNode.objects.bulk_create(to_create)
|
||||
|
||||
|
||||
def set_node_granted_assets_amount(user, node):
|
||||
def set_node_granted_assets_amount(user, node, asset_perms_id=None):
|
||||
"""
|
||||
不依赖`UserGrantedMappingNode`直接查询授权计算资产数量
|
||||
"""
|
||||
@@ -241,17 +221,25 @@ def set_node_granted_assets_amount(user, node):
|
||||
assets_amount = node.assets_amount
|
||||
else:
|
||||
if settings.PERM_SINGLE_ASSET_TO_UNGROUP_NODE:
|
||||
assets_amount = count_direct_granted_node_assets(user, node.key)
|
||||
assets_amount = count_direct_granted_node_assets(user, node.key, asset_perms_id)
|
||||
else:
|
||||
assets_amount = count_node_all_granted_assets(user, node.key)
|
||||
assets_amount = count_node_all_granted_assets(user, node.key, asset_perms_id)
|
||||
setattr(node, TMP_GRANTED_ASSETS_AMOUNT_FIELD, assets_amount)
|
||||
|
||||
|
||||
@tmp_to_root_org()
|
||||
def rebuild_user_mapping_nodes(user):
|
||||
logger.info(f'>>> {dt_formater(now())} start rebuild {user} mapping nodes')
|
||||
tmp_nodes = compute_tmp_mapping_node_from_perm(user)
|
||||
|
||||
# 先删除用户旧的授权树🌲
|
||||
UserGrantedMappingNode.objects.filter(user=user).delete()
|
||||
asset_perms_id = get_user_all_assetpermissions_id(user)
|
||||
if not asset_perms_id:
|
||||
# 没有授权直接返回
|
||||
return
|
||||
tmp_nodes = compute_tmp_mapping_node_from_perm(user, asset_perms_id)
|
||||
for _node in tmp_nodes:
|
||||
set_node_granted_assets_amount(user, _node)
|
||||
set_node_granted_assets_amount(user, _node, asset_perms_id)
|
||||
create_mapping_nodes(user, tmp_nodes)
|
||||
logger.info(f'>>> {dt_formater(now())} end rebuild {user} mapping nodes')
|
||||
|
||||
@@ -303,7 +291,7 @@ def get_user_granted_nodes_list_via_mapping_node(user):
|
||||
|
||||
|
||||
def get_user_granted_all_assets(user, via_mapping_node=True):
|
||||
asset_perm_ids = get_user_all_assetpermission_ids(user)
|
||||
asset_perm_ids = get_user_all_assetpermissions_id(user)
|
||||
if via_mapping_node:
|
||||
granted_node_keys = UserGrantedMappingNode.objects.filter(
|
||||
user=user, granted=True,
|
||||
@@ -365,7 +353,8 @@ def get_node_all_granted_assets(user: User, key):
|
||||
|
||||
if only_asset_granted_nodes_qs:
|
||||
only_asset_granted_nodes_q = reduce(or_, only_asset_granted_nodes_qs)
|
||||
only_asset_granted_nodes_q &= get_user_resources_q_granted_by_permissions(user)
|
||||
asset_perms_id = get_user_all_assetpermissions_id(user)
|
||||
only_asset_granted_nodes_q &= Q(granted_by_permissions__id__in=asset_perms_id)
|
||||
q.append(only_asset_granted_nodes_q)
|
||||
|
||||
if q:
|
||||
@@ -373,13 +362,16 @@ def get_node_all_granted_assets(user: User, key):
|
||||
return assets
|
||||
|
||||
|
||||
def get_direct_granted_node_ids(user: User, key):
|
||||
granted_q = get_user_resources_q_granted_by_permissions(user)
|
||||
def get_direct_granted_node_ids(user: User, key, asset_perms_id=None):
|
||||
if asset_perms_id is None:
|
||||
asset_perms_id = get_user_all_assetpermissions_id(user)
|
||||
|
||||
# 先查出该节点下的直接授权节点
|
||||
granted_nodes = Node.objects.filter(
|
||||
Q(key__startswith=f'{key}:') | Q(key=key)
|
||||
).filter(granted_q).distinct().only('id', 'key')
|
||||
).filter(
|
||||
granted_by_permissions__id__in=asset_perms_id
|
||||
).distinct().only('id', 'key')
|
||||
|
||||
node_ids = set()
|
||||
# 根据直接授权节点查询他们的子节点
|
||||
@@ -394,33 +386,38 @@ def get_direct_granted_node_ids(user: User, key):
|
||||
return node_ids
|
||||
|
||||
|
||||
def get_node_all_granted_assets_from_perm(user: User, key):
|
||||
def get_node_all_granted_assets_from_perm(user: User, key, asset_perms_id=None):
|
||||
"""
|
||||
此算法依据 `AssetPermission` 的数据查询
|
||||
1. 查询该节点下的直接授权节点
|
||||
2. 查询该节点下授权资产关联的节点
|
||||
"""
|
||||
granted_q = get_user_resources_q_granted_by_permissions(user)
|
||||
if asset_perms_id is None:
|
||||
asset_perms_id = get_user_all_assetpermissions_id(user)
|
||||
|
||||
# 直接授权资产查询条件
|
||||
q = (Q(nodes__key__startswith=f'{key}:') | Q(nodes__key=key)) & granted_q
|
||||
node_ids = get_direct_granted_node_ids(user, key)
|
||||
q = (
|
||||
Q(nodes__key__startswith=f'{key}:') | Q(nodes__key=key)
|
||||
) & Q(granted_by_permissions__id__in=asset_perms_id)
|
||||
|
||||
node_ids = get_direct_granted_node_ids(user, key, asset_perms_id)
|
||||
q |= Q(nodes__id__in=node_ids)
|
||||
asset_qs = Asset.objects.filter(q).distinct()
|
||||
return asset_qs
|
||||
|
||||
|
||||
def get_direct_granted_node_assets_from_perm(user: User, key):
|
||||
node_ids = get_direct_granted_node_ids(user, key)
|
||||
def get_direct_granted_node_assets_from_perm(user: User, key, asset_perms_id=None):
|
||||
node_ids = get_direct_granted_node_ids(user, key, asset_perms_id)
|
||||
asset_qs = Asset.objects.filter(nodes__id__in=node_ids).distinct()
|
||||
return asset_qs
|
||||
|
||||
|
||||
def count_node_all_granted_assets(user: User, key):
|
||||
return get_node_all_granted_assets_from_perm(user, key).count()
|
||||
def count_node_all_granted_assets(user: User, key, asset_perms_id=None):
|
||||
return get_node_all_granted_assets_from_perm(user, key, asset_perms_id).count()
|
||||
|
||||
|
||||
def count_direct_granted_node_assets(user: User, key):
|
||||
return get_direct_granted_node_assets_from_perm(user, key).count()
|
||||
def count_direct_granted_node_assets(user: User, key, asset_perms_id=None):
|
||||
return get_direct_granted_node_assets_from_perm(user, key, asset_perms_id).count()
|
||||
|
||||
|
||||
def get_indirect_granted_node_children(user, key=''):
|
||||
@@ -453,7 +450,7 @@ def get_top_level_granted_nodes(user):
|
||||
return nodes
|
||||
|
||||
|
||||
def get_user_all_assetpermission_ids(user: User):
|
||||
def get_user_all_assetpermissions_id(user: User):
|
||||
asset_perm_ids = set()
|
||||
asset_perm_ids.update(
|
||||
AssetPermission.objects.valid().filter(users=user).distinct().values_list('id', flat=True)
|
||||
@@ -466,7 +463,7 @@ def get_user_all_assetpermission_ids(user: User):
|
||||
|
||||
def get_user_direct_granted_assets(user, asset_perm_ids=None):
|
||||
if asset_perm_ids is None:
|
||||
asset_perm_ids = get_user_all_assetpermission_ids(user)
|
||||
asset_perm_ids = get_user_all_assetpermissions_id(user)
|
||||
assets = Asset.org_objects.filter(granted_by_permissions__id__in=asset_perm_ids).distinct()
|
||||
return assets
|
||||
|
||||
@@ -507,4 +504,7 @@ def rebuild_user_tree_if_need(request, user):
|
||||
rebuild_user_mapping_nodes_with_lock(user)
|
||||
except lock.SomeoneIsDoingThis:
|
||||
# 您的数据正在初始化,请稍等
|
||||
raise lock.SomeoneIsDoingThis(detail=_('Please wait while your data is being initialized'))
|
||||
raise lock.SomeoneIsDoingThis(
|
||||
detail=_('Please wait while your data is being initialized'),
|
||||
code='rebuild_tree_conflict'
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user