mirror of
https://github.com/veops/cmdb.git
synced 2025-08-08 18:33:46 +08:00
acl done and bugfix
This commit is contained in:
pycook
@@ -6,54 +6,83 @@ import six
|
||||
from flask import current_app, g, request
|
||||
from flask import session, abort
|
||||
|
||||
from api.lib.cmdb.const import ResourceTypeEnum as CmdbResourceType
|
||||
from api.lib.cmdb.const import RoleEnum
|
||||
from api.lib.perm.acl.cache import AppCache
|
||||
from api.models.acl import ResourceType
|
||||
from api.models.acl import Resource
|
||||
from api.lib.perm.acl.cache import UserCache
|
||||
from api.lib.perm.acl.permission import PermissionCRUD
|
||||
from api.lib.perm.acl.resource import ResourceCRUD
|
||||
from api.lib.perm.acl.role import RoleCRUD
|
||||
from api.models.acl import Resource
|
||||
from api.models.acl import ResourceGroup
|
||||
from api.models.acl import ResourceType
|
||||
from api.models.acl import Role
|
||||
|
||||
CMDB_RESOURCE_TYPES = CmdbResourceType.all()
|
||||
|
||||
|
||||
class ACLManager(object):
|
||||
def __init__(self):
|
||||
self.user_info = session["acl"] if "acl" in session else {}
|
||||
self.app_id = AppCache.get('cmdb')
|
||||
if not self.app_id:
|
||||
raise Exception("cmdb not in acl apps")
|
||||
self.app_id = self.app_id.id
|
||||
|
||||
def _get_resource(self, name, resource_type_name):
|
||||
resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
|
||||
resource_type or abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
|
||||
|
||||
return Resource.get_by(resource_type_id=resource_type.id,
|
||||
app_id=self.app_id,
|
||||
name=name,
|
||||
first=True,
|
||||
to_dict=False)
|
||||
|
||||
def _get_resource_group(self, name):
|
||||
return ResourceGroup.get_by(
|
||||
app_id=self.app_id,
|
||||
name=name,
|
||||
first=True,
|
||||
to_dict=False
|
||||
)
|
||||
|
||||
def _get_role(self, name):
|
||||
user = UserCache.get(name)
|
||||
if user:
|
||||
return Role.get_by(name=name, uid=user.uid, first=True, to_dict=False)
|
||||
|
||||
return Role.get_by(name=name, app_id=self.app_id, first=True, to_dict=False)
|
||||
|
||||
def add_resource(self, name, resource_type_name=None):
|
||||
resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
|
||||
if resource_type:
|
||||
return abort(400, "ResourceType <{0}> cannot be found".format(resource_type_name))
|
||||
resource_type or abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
|
||||
|
||||
ResourceCRUD.add(name, resource_type.id, self.app_id)
|
||||
|
||||
def grant_resource_to_role(self, name, role, resource_type_name=None):
|
||||
resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
|
||||
if resource_type:
|
||||
return abort(400, "ResourceType <{0}> cannot be found".format(resource_type_name))
|
||||
def grant_resource_to_role(self, name, role, resource_type_name=None, permissions=None):
|
||||
resource = self._get_resource(name, resource_type_name)
|
||||
|
||||
role = self._get_role(role)
|
||||
|
||||
if resource:
|
||||
PermissionCRUD.grant(role.id, permissions, resource_id=resource.id)
|
||||
else:
|
||||
group = self._get_resource_group(name)
|
||||
if group:
|
||||
PermissionCRUD.grant(role.id, permissions, group_id=group.id)
|
||||
|
||||
def del_resource(self, name, resource_type_name=None):
|
||||
resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
|
||||
if resource_type:
|
||||
return abort(400, "ResourceType <{0}> cannot be found".format(resource_type_name))
|
||||
|
||||
resource = Resource.get_by(resource_type_id=resource_type.id,
|
||||
app_id=self.app_id,
|
||||
name=name,
|
||||
first=True,
|
||||
to_dict=False)
|
||||
resource = self._get_resource(name, resource_type_name)
|
||||
if resource:
|
||||
ResourceCRUD.delete(resource.id)
|
||||
|
||||
def get_resources(self, resource_type_name=None):
|
||||
if "acl" not in session:
|
||||
abort(405)
|
||||
return []
|
||||
|
||||
def has_permission(self, resource_name, resource_type, perm):
|
||||
if "acl" not in session:
|
||||
abort(405)
|
||||
return True
|
||||
|
||||
role = self._get_role(g.user.username)
|
||||
|
||||
role or abort(404, "Role <{0}> is not found".format(g.user.username))
|
||||
|
||||
return RoleCRUD.has_permission(role.id, resource_name, resource_type, self.app_id, perm)
|
||||
|
||||
|
||||
def validate_permission(resources, resource_type, perm):
|
||||
@@ -70,24 +99,6 @@ def validate_permission(resources, resource_type, perm):
|
||||
return abort(403, "has no permission")
|
||||
|
||||
|
||||
def can_access_resources(resource_type):
|
||||
def decorator_can_access_resources(func):
|
||||
@functools.wraps(func)
|
||||
def wrapper_can_access_resources(*args, **kwargs):
|
||||
if current_app.config.get("USE_ACL"):
|
||||
res = ACLManager().get_resources(resource_type)
|
||||
result = {i.get("name"): i.get("permissions") for i in res}
|
||||
if hasattr(g, "resources"):
|
||||
g.resources.update({resource_type: result})
|
||||
else:
|
||||
g.resources = {resource_type: result}
|
||||
return func(*args, **kwargs)
|
||||
|
||||
return wrapper_can_access_resources
|
||||
|
||||
return decorator_can_access_resources
|
||||
|
||||
|
||||
def has_perm(resources, resource_type, perm):
|
||||
def decorator_has_perm(func):
|
||||
@functools.wraps(func)
|
||||
@@ -96,6 +107,9 @@ def has_perm(resources, resource_type, perm):
|
||||
return
|
||||
|
||||
if current_app.config.get("USE_ACL"):
|
||||
if is_app_admin():
|
||||
return func(*args, **kwargs)
|
||||
|
||||
validate_permission(resources, resource_type, perm)
|
||||
|
||||
return func(*args, **kwargs)
|
||||
@@ -105,6 +119,13 @@ def has_perm(resources, resource_type, perm):
|
||||
return decorator_has_perm
|
||||
|
||||
|
||||
def is_app_admin():
|
||||
if RoleEnum.CONFIG in session.get("acl", {}).get("parentRoles", []):
|
||||
return True
|
||||
|
||||
return False
|
||||
|
||||
|
||||
def has_perm_from_args(arg_name, resource_type, perm, callback=None):
|
||||
def decorator_has_perm(func):
|
||||
@functools.wraps(func)
|
||||
@@ -116,6 +137,9 @@ def has_perm_from_args(arg_name, resource_type, perm, callback=None):
|
||||
resource = callback(resource)
|
||||
|
||||
if current_app.config.get("USE_ACL") and resource:
|
||||
if is_app_admin():
|
||||
return func(*args, **kwargs)
|
||||
|
||||
validate_permission(resource, resource_type, perm)
|
||||
|
||||
return func(*args, **kwargs)
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
# -*- coding:utf-8 -*-
|
||||
|
||||
from api.lib.cmdb.const import CMDB_QUEUE
|
||||
|
||||
ACL_QUEUE = "acl_async"
|
||||
ACL_QUEUE = CMDB_QUEUE
|
||||
|
||||
@@ -3,7 +3,9 @@
|
||||
|
||||
from api.lib.perm.acl.cache import PermissionCache
|
||||
from api.lib.perm.acl.cache import RoleCache
|
||||
from api.lib.perm.acl.const import ACL_QUEUE
|
||||
from api.models.acl import RolePermission
|
||||
from api.tasks.acl import role_rebuild
|
||||
|
||||
|
||||
class PermissionCRUD(object):
|
||||
@@ -29,6 +31,8 @@ class PermissionCRUD(object):
|
||||
existed = RolePermission.get_by(rid=rid, perm_id=perm.id, group_id=group_id, resource_id=resource_id)
|
||||
existed or RolePermission.create(rid=rid, perm_id=perm.id, group_id=group_id, resource_id=resource_id)
|
||||
|
||||
role_rebuild.apply_async(args=(rid,), queue=ACL_QUEUE)
|
||||
|
||||
@staticmethod
|
||||
def revoke(rid, perms, resource_id=None, group_id=None):
|
||||
for perm in perms:
|
||||
@@ -40,3 +44,5 @@ class PermissionCRUD(object):
|
||||
first=True,
|
||||
to_dict=False)
|
||||
existed and existed.soft_delete()
|
||||
|
||||
role_rebuild.apply_async(args=(rid,), queue=ACL_QUEUE)
|
||||
|
||||
@@ -4,11 +4,14 @@
|
||||
from flask import abort
|
||||
|
||||
from api.extensions import db
|
||||
from api.lib.perm.acl.const import ACL_QUEUE
|
||||
from api.models.acl import Permission
|
||||
from api.models.acl import Resource
|
||||
from api.models.acl import ResourceGroup
|
||||
from api.models.acl import ResourceGroupItems
|
||||
from api.models.acl import ResourceType
|
||||
from api.models.acl import RolePermission
|
||||
from api.tasks.acl import role_rebuild
|
||||
|
||||
|
||||
class ResourceTypeCRUD(object):
|
||||
@@ -134,6 +137,10 @@ class ResourceGroupCRUD(object):
|
||||
for item in items:
|
||||
item.soft_delete()
|
||||
|
||||
for i in RolePermission.get_by(group_id=rg_id, to_dict=False):
|
||||
i.soft_delete()
|
||||
role_rebuild.apply_async(args=(i.rid,), queue=ACL_QUEUE)
|
||||
|
||||
|
||||
class ResourceCRUD(object):
|
||||
@staticmethod
|
||||
@@ -173,3 +180,7 @@ class ResourceCRUD(object):
|
||||
resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
|
||||
|
||||
resource.soft_delete()
|
||||
|
||||
for i in RolePermission.get_by(resource_id=_id, to_dict=False):
|
||||
i.soft_delete()
|
||||
role_rebuild.apply_async(args=(i.rid,), queue=ACL_QUEUE)
|
||||
|
||||
@@ -10,6 +10,7 @@ from api.lib.perm.acl.cache import RoleRelationCache
|
||||
from api.lib.perm.acl.const import ACL_QUEUE
|
||||
from api.models.acl import Resource
|
||||
from api.models.acl import ResourceGroupItems
|
||||
from api.models.acl import ResourceType
|
||||
from api.models.acl import Role
|
||||
from api.models.acl import RolePermission
|
||||
from api.models.acl import RoleRelation
|
||||
@@ -44,7 +45,7 @@ class RoleRelationCRUD(object):
|
||||
|
||||
@staticmethod
|
||||
def get_child_ids(rid):
|
||||
res = RoleRelation.get_by(child_id=rid, to_dict=False)
|
||||
res = RoleRelation.get_by(parent_id=rid, to_dict=False)
|
||||
|
||||
return [i.parent_id for i in res]
|
||||
|
||||
@@ -82,27 +83,37 @@ class RoleRelationCRUD(object):
|
||||
|
||||
return RoleRelation.create(parent_id=parent_id, child_id=child_id)
|
||||
|
||||
@staticmethod
|
||||
def delete(_id):
|
||||
@classmethod
|
||||
def delete(cls, _id):
|
||||
existed = RoleRelation.get_by_id(_id) or abort(400, "RoleRelation <{0}> does not exist".format(_id))
|
||||
|
||||
child_ids = cls.recursive_child_ids(existed.child_id)
|
||||
for child_id in child_ids:
|
||||
role_rebuild.apply_async(args=(child_id,), queue=ACL_QUEUE)
|
||||
|
||||
existed.soft_delete()
|
||||
|
||||
@staticmethod
|
||||
def delete2(parent_id, child_id):
|
||||
@classmethod
|
||||
def delete2(cls, parent_id, child_id):
|
||||
existed = RoleRelation.get_by(parent_id=parent_id, child_id=child_id, first=True, to_dict=False)
|
||||
existed or abort(400, "RoleRelation < {0} -> {1} > does not exist".format(parent_id, child_id))
|
||||
|
||||
child_ids = cls.recursive_child_ids(existed.child_id)
|
||||
for child_id in child_ids:
|
||||
role_rebuild.apply_async(args=(child_id,), queue=ACL_QUEUE)
|
||||
|
||||
existed.soft_delete()
|
||||
|
||||
|
||||
class RoleCRUD(object):
|
||||
@staticmethod
|
||||
def search(q, app_id, page=1, page_size=None, user_role=False):
|
||||
query = db.session.query(Role).filter(Role.deleted.is_(False)).filter(Role.app_id == app_id)
|
||||
def search(q, app_id, page=1, page_size=None, user_role=True):
|
||||
query = db.session.query(Role).filter(Role.deleted.is_(False))
|
||||
query = query.filter(Role.app_id == app_id).filter(Role.uid.is_(None))
|
||||
|
||||
if not user_role:
|
||||
query = query.filter(Role.uid.is_(None))
|
||||
if user_role:
|
||||
query1 = db.session.query(Role).filter(Role.deleted.is_(False)).filter(Role.uid.isnot(None))
|
||||
query = query.union(query1)
|
||||
|
||||
if q:
|
||||
query = query.filter(Role.name.ilike('%{0}%'.format(q)))
|
||||
@@ -134,9 +145,6 @@ class RoleCRUD(object):
|
||||
def delete_role(cls, rid):
|
||||
role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
|
||||
|
||||
parent_ids = RoleRelationCRUD.get_parent_ids(rid)
|
||||
child_ids = RoleRelationCRUD.get_child_ids(rid)
|
||||
|
||||
for i in RoleRelation.get_by(parent_id=rid, to_dict=False):
|
||||
i.soft_delete()
|
||||
for i in RoleRelation.get_by(child_id=rid, to_dict=False):
|
||||
@@ -145,7 +153,7 @@ class RoleCRUD(object):
|
||||
for i in RolePermission.get_by(rid=rid, to_dict=False):
|
||||
i.soft_delete()
|
||||
|
||||
role_rebuild.apply_async(args=(parent_ids + child_ids,), queue=ACL_QUEUE)
|
||||
role_rebuild.apply_async(args=(list(RoleRelationCRUD.recursive_child_ids(rid)), ), queue=ACL_QUEUE)
|
||||
|
||||
RoleCache.clean(rid)
|
||||
RoleRelationCache.clean(rid)
|
||||
@@ -166,20 +174,21 @@ class RoleCRUD(object):
|
||||
|
||||
@staticmethod
|
||||
def get_group_ids(resource_id):
|
||||
return [i.group_id for i in ResourceGroupItems.get_by(resource_id, to_dict=False)]
|
||||
return [i.group_id for i in ResourceGroupItems.get_by(resource_id=resource_id, to_dict=False)]
|
||||
|
||||
@classmethod
|
||||
def has_permission(cls, rid, resource_name, perm):
|
||||
resource = Resource.get_by(name=resource_name, first=True, to_dict=False)
|
||||
def has_permission(cls, rid, resource_name, resource_type, app_id, perm):
|
||||
resource_type = ResourceType.get_by(app_id=app_id, name=resource_type, first=True, to_dict=False)
|
||||
resource_type or abort(404, "ResourceType <{0}> is not found".format(resource_type))
|
||||
type_id = resource_type.id
|
||||
resource = Resource.get_by(name=resource_name, resource_type_id=type_id, first=True, to_dict=False)
|
||||
resource = resource or abort(403, "Resource <{0}> is not in ACL".format(resource_name))
|
||||
|
||||
parent_ids = RoleRelationCRUD.recursive_parent_ids(rid)
|
||||
|
||||
group_ids = cls.get_group_ids(resource.id)
|
||||
|
||||
for parent_id in parent_ids:
|
||||
id2perms = RoleRelationCache.get_resources(parent_id)
|
||||
|
||||
perms = id2perms['id2perms'].get(resource.id, [])
|
||||
if perms and {perm}.issubset(set(perms)):
|
||||
return True
|
||||
|
||||
Reference in New Issue
Block a user