jumpserver/apps/perms/utils.py

# coding: utf-8

from __future__ import absolute_import, unicode_literals
import collections

from common.utils import setattr_bulk, get_logger
from .tasks import push_users
from .hands import User, UserGroup, Asset, AssetGroup, SystemUser

logger = get_logger(__file__)


def get_user_group_granted_asset_groups(user_group):
    """Return asset groups granted of the user group

    :param user_group: Instance of :class: ``UserGroup``
    :return: {asset_group1: {system_user1, },
              asset_group2: {system_user1, system_user2}}
    """
    asset_groups = {}
    asset_permissions = user_group.asset_permissions.all()

    for asset_permission in asset_permissions:
        if not asset_permission.is_valid:
            continue
        for asset_group in asset_permission.asset_groups.all():
            if asset_group in asset_groups:
                asset_groups[asset_group] |= set(asset_permission.system_users.all())
            else:
                asset_groups[asset_group] = set(asset_permission.system_users.all())
    return asset_groups


def get_user_group_granted_assets(user_group):
    """Return assets granted of the user group

    :param user_group: Instance of :class: ``UserGroup``
    :return: {asset1: {system_user1, }, asset1: {system_user1, system_user2]}
    """
    assets = {}
    asset_permissions = user_group.asset_permissions.all()

    for asset_permission in asset_permissions:
        if not asset_permission.is_valid:
            continue
        for asset in asset_permission.get_granted_assets():
            if not asset.is_active:
                continue
            if asset in assets:
                assets[asset] |= set(asset_permission.system_users.all())
            else:
                assets[asset] = set(asset_permission.system_users.all())
    return assets


def get_user_granted_assets_direct(user):
    """Return assets granted of the user directly

     :param user: Instance of :class: ``User``
     :return: {asset1: {system_user1, system_user2}, asset2: {...}}
    """
    assets = {}
    asset_permissions_direct = user.asset_permissions.all()

    for asset_permission in asset_permissions_direct:
        if not asset_permission.is_valid:
            continue
        for asset in asset_permission.get_granted_assets():
            if not asset.is_active:
                continue
            if asset in assets:
                assets[asset] |= set(asset_permission.system_users.all())
            else:
                setattr(asset, 'inherited', False)
                assets[asset] = set(asset_permission.system_users.all())
    return assets


def get_user_granted_assets_inherit_from_user_groups(user):
    """Return assets granted of the user inherit from user groups

    :param user: Instance of :class: ``User``
    :return: {asset1: {system_user1, system_user2}, asset2: {...}}
    """
    assets = {}
    user_groups = user.groups.all()

    for user_group in user_groups:
        assets_inherited = get_user_group_granted_assets(user_group)
        for asset in assets_inherited:
            if not asset.is_active:
                continue
            if asset in assets:
                assets[asset] |= assets_inherited[asset]
            else:
                setattr(asset, 'inherited', True)
                assets[asset] = assets_inherited[asset]
    return assets


def get_user_granted_assets(user):
    """Return assets granted of the user inherit from user groups

    :param user: Instance of :class: ``User``
    :return: {asset1: {system_user1, system_user2}, asset2: {...}}
    """
    assets_direct = get_user_granted_assets_direct(user)
    assets_inherited = get_user_granted_assets_inherit_from_user_groups(user)
    assets = assets_inherited

    for asset in assets_direct:
        if not asset.is_active:
            continue
        if asset in assets:
            assets[asset] |= assets_direct[asset]
        else:
            assets[asset] = assets_direct[asset]
    return assets


def get_user_granted_asset_groups(user):
    """Return asset groups with assets and system users, it's not the asset
    group direct permed in rules. We get all asset and then get it asset group

    :param user: Instance of :class: ``User``
    :return: {asset_group1: [asset1, asset2], asset_group2: []}
    """
    asset_groups = collections.defaultdict(list)
    ungroups = [AssetGroup(name="UnGrouped")]
    for asset, system_users in get_user_granted_assets(user).items():
        groups = asset.groups.all()
        if not groups:
            groups = ungroups
        for asset_group in groups:
            asset_groups[asset_group].append((asset, system_users))
    return asset_groups


def get_user_group_asset_permissions(user_group):
    permissions = user_group.asset_permissions.all()
    return permissions


def get_user_asset_permissions(user):
    user_group_permissions = set()
    direct_permissions = set(setattr_bulk(user.asset_permissions.all(), 'inherited', 0))

    for user_group in user.groups.all():
        permissions = get_user_group_asset_permissions(user_group)
        user_group_permissions |= set(permissions)
    user_group_permissions = set(setattr_bulk(user_group_permissions, 'inherited', 1))
    return direct_permissions | user_group_permissions


def get_user_granted_system_users(user):
    """
    :param user: the user
    :return: {"system_user": ["asset", "asset1"], "system_user": []}
    """
    assets = get_user_granted_assets(user)
    system_users_dict = {}
    for asset, system_users in assets.items():
        for system_user in system_users:
            if system_user in system_users_dict:
                system_users_dict[system_user].append(asset)
            else:
                system_users_dict[system_user] = [asset]
    return system_users_dict


def push_system_user(assets, system_user):
    logger.info('Push system user %s' % system_user.name)
    for asset in assets:
        logger.info('\tAsset: %s' % asset.ip)
    if not assets:
        return None

    assets = [asset._to_secret_json() for asset in assets]
    system_user = system_user._to_secret_json()
    task = push_users.delay(assets, system_user)
    return task.id


def associate_system_users_and_assets(system_users, assets, asset_groups, force=False):
    """关联系统用户和资产, 目的是保存它们的关系, 然后新加入的资产或系统
    用户时,推送系统用户到资产

    Todo: 这里需要最终Api定下来更改一下, 现在策略是以系统用户为核心推送, 一个系统用户
    推送一次
    """
    assets_all = set(assets)

    for asset_group in asset_groups:
        assets_all |= set(asset_group.assets.all())

    for system_user in system_users:
        assets_need_push = []
        if system_user.auto_push:
            if force:
                assets_need_push = assets_all
            else:
                assets_need_push.extend(
                    [asset for asset in assets_all
                     if asset not in system_user.assets.all()
                     ]
                )
        system_user.assets.add(*(tuple(assets_all)))
        push_system_user(assets_need_push, system_user)