feat(api): Replace imp with importlib

feat(ui): update relative views menu display

.env

@@ -0,0 +1,6 @@
+ MYSQL_ROOT_PASSWORD='123456'
+ MYSQL_HOST='mysql'
+ MYSQL_PORT=3306
+ MYSQL_USER='cmdb'
+ MYSQL_DATABASE='cmdb'
+ MYSQL_PASSWORD='123456'

.gitattributes

@@ -1,2 +1 @@
-* linguist-language=python
-
+*.vue linguist-language=python

.github/ISSUE_TEMPLATE/1bug.yaml

@@ -0,0 +1,60 @@
+name: Bug Report
+description: File a bug report
+title: "[Bug]: "
+labels: ["☢️ bug"]
+assignees:
+  - Selina316
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: dropdown
+    id: aspects
+    attributes:
+      label: This bug is related to UI or API?
+      multiple: true
+      options:
+        - UI
+        - API
+  - type: textarea
+    id: happened
+    attributes:
+      label: What happened?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you see!
+      value: "A bug happened!"
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      value: "newest"
+    validations:
+      required: true
+  - type: dropdown
+    id: browsers
+    attributes:
+      label: What browsers are you seeing the problem on?
+      multiple: true
+      options:
+        - Firefox
+        - Chrome
+        - Safari
+        - Microsoft Edge
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+      render: shell

.github/ISSUE_TEMPLATE/2feature.yaml

@@ -0,0 +1,44 @@
+name: Feature wanted
+description: A new feature would be good
+title: "[Feature]: "
+labels: ["✏️ feature"]
+assignees:
+  - pycook
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for your feature suggestion; we will evaluate it carefully!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: dropdown
+    id: aspects
+    attributes:
+      label: feature is related to UI or API aspects?
+      multiple: true
+      options:
+        - UI
+        - API
+  - type: textarea
+    id: feature
+    attributes:
+      label: What is your advice?
+      description: Also tell us, what did you expect to happen?
+      placeholder: Tell us what you want!
+      value: "everyone wants this feature!"
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      value: "newest"
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/3consultation.yaml

@@ -0,0 +1,36 @@
+name: Help wanted
+description: I have a question
+title: "[help wanted]: "
+labels: ["help wanted"]
+assignees:
+  - ivonGwy
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please tell us what's you need!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: textarea
+    id: question
+    attributes:
+      label: What is your question?
+      description: Also tell us, how can we help?
+      placeholder: Tell us what you need!
+      value: "i have a question!"
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: What version of our software are you running?
+      value: "newest"
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/bug.yaml

@@ -0,0 +1,60 @@
+name: Bug Report
+description: File a bug report
+title: "[Bug]: "
+labels: ["bug"]
+assignees:
+  - pycook
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: dropdown
+      id: type
+      attributes:
+        label: bug is related to UI or API aspects?
+        multiple: true
+        options:
+          - UI
+          - API
+    - type: textarea
+      id: what-happened
+      attributes:
+        label: What happened?
+        description: Also tell us, what did you expect to happen?
+        placeholder: Tell us what you see!
+        value: "A bug happened!"
+      validations:
+        required: true
+    - type: textarea
+      id: version
+      attributes:
+        label: Version
+        description: What version of our software are you running?
+        default: 2.3.5
+      validations:
+        required: true
+    - type: dropdown
+      id: browsers
+      attributes:
+        label: What browsers are you seeing the problem on?
+        multiple: true
+        options:
+          - Firefox
+          - Chrome
+          - Safari
+          - Microsoft Edge
+    - type: textarea
+      id: logs
+      attributes:
+        label: Relevant log output
+        description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks.
+        render: shell

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,6 @@
+blank_issues_enabled: false
+contact_links:
+  - name: veops official website
+    url: https://veops.cn/#hero
+    about: you can contact us here.
+

.github/ISSUE_TEMPLATE/feature.yaml

@@ -0,0 +1,44 @@
+name: Feature wanted
+description: A new feature would be good
+title: "[Feature]: "
+labels: ["feature"]
+assignees:
+  - pycook
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for your feature suggestion; we will evaluate it carefully!
+  - type: input
+    id: contact
+    attributes:
+      label: Contact Details
+      description: How can we get in touch with you if we need more info?
+      placeholder: ex. email@example.com
+    validations:
+      required: false
+  - type: dropdown
+      id: type
+      attributes:
+        label: feature is related to UI or API aspects?
+        multiple: true
+        options:
+          - UI
+          - API
+    - type: textarea
+      id: describe the feature
+      attributes:
+        label: What is your advice?
+        description: Also tell us, what did you expect to happen?
+        placeholder: Tell us what you want!
+        value: "everyone wants this feature!"
+      validations:
+        required: true
+    - type: textarea
+      id: version
+      attributes:
+        label: Version
+        description: What version of our software are you running?
+        default: 2.3.5
+      validations:
+        required: true

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,67 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '20 3 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/docker-build-and-release.yaml

@@ -0,0 +1,79 @@
+name: docker-images-build-and-release
+
+on:
+  push:
+    branches:
+      - master
+    tags: ["v*"]
+#  pull_request:
+#    branches:
+#      - master
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY_SERVER_ADDRESS: ghcr.io/veops
+  TAG: ${{ github.sha }}
+
+jobs:
+  setup-environment:
+    timeout-minutes: 30
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+  release-api-images:
+    runs-on: ubuntu-latest
+    needs: [setup-environment]
+    permissions:
+      contents: read
+      packages: write
+    timeout-minutes: 90
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+      - name: Login to GitHub Package Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push CMDB-API Docker image
+        uses: docker/build-push-action@v6
+        with:
+          file: docker/Dockerfile-API
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.REGISTRY_SERVER_ADDRESS }}/cmdb-api:${{ env.TAG }}
+#  release-ui-images:
+#    runs-on: ubuntu-latest
+#    needs: [setup-environment]
+#    permissions:
+#      contents: read
+#      packages: write
+#    timeout-minutes: 90
+#    steps:
+#      - name: Checkout Repo
+#        uses: actions/checkout@v4
+#      - name: Login to GitHub Package Registry
+#        uses: docker/login-action@v2
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.repository_owner }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#      - name: Set up QEMU
+#        uses: docker/setup-qemu-action@v3
+#      - name: Set up Docker Buildx
+#        uses: docker/setup-buildx-action@v3
+#      - name: Build and push CMDB-UI Docker image
+#        uses: docker/build-push-action@v6
+#        with:
+#          file: docker/Dockerfile-UI
+#          context: .
+#          platforms: linux/amd64,linux/arm64
+#          push: true
+#          tags: ${{ env.REGISTRY_SERVER_ADDRESS }}/cmdb-ui:${{ env.TAG }}

.gitignore

@@ -38,9 +38,13 @@ pip-log.txt
 .tox
 nosetests.xml
 .pytest_cache
+cmdb-api/test-output
+cmdb-api/api/uploaded_files
+cmdb-api/migrations/versions
 
 # Translations
-*.mo
+#*.mo
+messages.pot
 
 # Mr Developer
 .mr.developer.cfg
@@ -67,6 +71,7 @@ settings.py
 # UI
 cmdb-ui/node_modules
 cmdb-ui/dist
+cmdb-ui/yarn.lock
 
 # Log files
 cmdb-ui/npm-debug.log*

CODE_OF_CONDUCT.md

@@ -0,0 +1,13 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of the level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, age, or religion.
+
+Examples of unacceptable behavior by participants include the use of sexual language or imagery, derogatory comments or personal attacks, trolling, public or private harassment, insults, or other unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. Project maintainers who do not follow the Code of Conduct may be removed from the project team.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://contributor-covenant.org), version 1.0.0, available at [http://contributor-covenant.org/version/1/0/0/](http://contributor-covenant.org/version/1/0/0/)

Dockerfile

@@ -1,45 +0,0 @@
-# ================================= UI ================================
-FROM node:alpine AS builder
-
-LABEL description="cmdb-ui"
-
-COPY cmdb-ui /data/apps/cmdb-ui
-
-WORKDIR /data/apps/cmdb-ui
-
-RUN sed -i "s#http://127.0.0.1:5000##g" .env && yarn install  && yarn build
-
-
-FROM nginx:alpine AS cmdb-ui
-
-RUN mkdir /etc/nginx/html && rm -f /etc/nginx/conf.d/default.conf
-
-COPY --from=builder /data/apps/cmdb-ui/dist /etc/nginx/html/
-
-
-# ================================= API ================================
-FROM python:3.7-alpine AS cmdb-api
-
-LABEL description="Python3.7,cmdb"
-
-COPY cmdb-api /data/apps/cmdb
-
-WORKDIR /data/apps/cmdb
-
-RUN apk add --no-cache tzdata gcc musl-dev libffi-dev
-
-ENV TZ=Asia/Shanghai
-
-RUN pip install  --no-cache-dir -r requirements.txt \
-    && cp ./settings.py.example settings.py \
-    && sed -i "s#{user}:{password}@127.0.0.1:3306/{db}#cmdb:123456@mysql:3306/cmdb#g" settings.py \
-    && sed -i "s#redis://127.0.0.1#redis://redis#g" settings.py \
-    && sed -i 's#CACHE_REDIS_HOST = "127.0.0.1"#CACHE_REDIS_HOST = "redis"#g' settings.py
-
-CMD ["bash", "-c", "flask run"]
-
-
-# ================================= Search ================================
-FROM docker.elastic.co/elasticsearch/elasticsearch:7.4.2 AS cmdb-search
-
-RUN yes | ./bin/elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v7.4.2/elasticsearch-analysis-ik-7.4.2.zip

LICENSE

@@ -1,125 +1,661 @@
-GNU GENERAL PUBLIC LICENSE
-Version 2, June 1991
+GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
 
-Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-Everyone is permitted to copy and distribute verbatim copies
-of this license document, but changing it is not allowed.
-Preamble
-The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
+                            Preamble
 
-When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
 
-To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
 
-For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
 
-We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
 
-Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
 
-Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
 
-The precise terms and conditions for copying, distribution and modification follow.
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
 
-TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
+  The precise terms and conditions for copying, distribution and
+modification follow.
 
-Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
+                       TERMS AND CONDITIONS
 
-1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
+  0. Definitions.
 
-You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
+  "This License" refers to version 3 of the GNU Affero General Public License.
 
-2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
 
-a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
-b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
-c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
-These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
 
-Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
 
-In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
 
-3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
 
-a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
-c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
-The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
 
-If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
 
-4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
+  1. Source Code.
 
-5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
 
-6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
 
-7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
 
-If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
 
-It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
 
-This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
+  The Corresponding Source for a work in source code form is that
+same work.
 
-8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
+  2. Basic Permissions.
 
-9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
 
-Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
 
-10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
 
-NO WARRANTY
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
 
-11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
 
-12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
 
-END OF TERMS AND CONDITIONS
-How to Apply These Terms to Your New Programs
-If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
+  4. Conveying Verbatim Copies.
 
-To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
 
-one line to give the program's name and an idea of what it does.
-Copyright (C) yyyy  name of author
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
 
-This program is free software; you can redistribute it and/or
-modify it under the terms of the GNU General Public License
-as published by the Free Software Foundation; either version 2
-of the License, or (at your option) any later version.
+  5. Conveying Modified Source Versions.
 
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 
-You should have received a copy of the GNU General Public License
-along with this program; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 Also add information on how to contact you by electronic and paper mail.
 
-If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
 
-Gnomovision version 69, Copyright (C) year name of author
-Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
-type `show w'.  This is free software, and you are welcome
-to redistribute it under certain conditions; type `show c'
-for details.
-The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
-
-Yoyodyne, Inc., hereby disclaims all copyright
-interest in the program `Gnomovision'
-(which makes passes at compilers) written
-by James Hacker.
-
-signature of Ty Coon, 1 April 1989
-Ty Coon, President of Vice
-This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.

Makefile

@@ -1,37 +1,72 @@
-.PHONY: env clean api ui worker
+include ./Makefile.variable
 
-help:
-	@echo "  env         create a development environment using pipenv"
-	@echo "  deps        install dependencies using pip"
-	@echo "  clean       remove unwanted files like .pyc's"
-	@echo "  lint        check style with flake8"
-	@echo "  api         start api server"
-	@echo "  ui          start ui  server"
-	@echo "  worker      start async tasks worker"
+default: help
+help:  ## display this help
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+.PHONY: help
 
-env:
+env: ## create a development environment using pipenv
 	sudo easy_install pip && \
-	pip install pipenv -i https://pypi.douban.com/simple && \
+	pip install pipenv -i https://repo.huaweicloud.com/repository/pypi/simple && \
 	npm install yarn && \
 	make deps
+.PHONY: env
 
-deps:
+docker-mysql: ## deploy MySQL use docker
+	@docker run --name mysql -p ${MYSQL_PORT}:3306 -e MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD} -d mysql:latest
+.PHONY: docker-mysql
+
+docker-redis: ## deploy Redis use docker
+	@docker run --name redis -p ${REDIS_PORT}:6379 -d redis:latest
+.PHONY: docker-redis
+
+deps: ## install dependencies using pip
+	cd cmdb-api && \
 	pipenv install --dev && \
 	pipenv run flask db-setup && \
-	pipenv run flask init-cache && \
+	pipenv run flask cmdb-init-cache && \
+	cd .. && \
     cd cmdb-ui && yarn install && cd ..
+.PHONY: deps
 
-api:
+api: ## start api server
 	cd cmdb-api && pipenv run flask run -h 0.0.0.0
+.PHONY: api
 
-worker:
-	cd cmdb-api && pipenv run celery worker -A celery_worker.celery -E -Q cmdb_async --concurrency=1
+worker: ## start async tasks worker
+	cd cmdb-api && pipenv run celery -A celery_worker.celery worker -E -Q one_cmdb_async --autoscale=5,2 --logfile=one_cmdb_async.log -D && pipenv run celery -A celery_worker.celery worker -E -Q acl_async --autoscale=2,1 --logfile=one_acl_async.log -D
+.PHONY: worker
 
-ui:
+ui: ## start ui server
 	cd cmdb-ui && yarn run serve
+.PHONY: ui
 
-clean:
+clean: ## remove unwanted files like .pyc's
 	pipenv run flask clean
+.PHONY: clean
 
-lint:
+lint: ## check style with flake8
 	flake8 --exclude=env .
+.PHONY: lint
+
+api-docker-build:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+	! ( docker buildx ls | grep multi-platform-builder ) && docker buildx create --use --platform=$(BUILD_ARCH) --name multi-platform-builder ;\
+	docker buildx build \
+    			--builder multi-platform-builder \
+    			--platform=$(BUILD_ARCH) \
+    			--tag $(REGISTRY)/cmdb-api:$(CMDB_DOCKER_VERSION)  \
+    			--tag $(REGISTRY)/cmdb-api:latest  \
+    			-f docker/Dockerfile-API \
+    			.
+
+ui-docker-build:
+	export DOCKER_CLI_EXPERIMENTAL=enabled ;\
+	! ( docker buildx ls | grep multi-platform-builder ) && docker buildx create --use --platform=$(BUILD_ARCH) --name multi-platform-builder ;\
+	docker buildx build \
+    			--builder multi-platform-builder \
+    			--platform=$(BUILD_ARCH) \
+    			--tag $(REGISTRY)/cmdb-ui:$(CMDB_DOCKER_VERSION)  \
+    			--tag $(REGISTRY)/cmdb-ui:latest  \
+    			-f docker/Dockerfile-UI \
+    			.

Makefile.variable

@@ -0,0 +1,21 @@
+SHELL := /bin/bash -o pipefail
+
+MYSQL_ROOT_PASSWORD ?= root
+MYSQL_PORT ?= 3306
+REDIS_PORT ?= 6379
+
+LATEST_TAG_DIFF:=$(shell git describe --tags --abbrev=8)
+LATEST_COMMIT:=$(VERSION)-dev-$(shell git rev-parse --short=8 HEAD)
+BUILD_ARCH ?= linux/amd64,linux/arm64
+
+# Set your version by env or using latest tags from git
+CMDB_VERSION?=$(LATEST_TAG_DIFF)
+ifeq ($(CMDB_VERSION),)
+ 	#fall back to last commit
+	CMDB_VERSION=$(LATEST_COMMIT)
+endif
+COMMIT_VERSION:=$(LATEST_COMMIT)
+CMDB_DOCKER_VERSION:=${CMDB_VERSION}
+CMDB_CHART_VERSION:=$(shell echo ${CMDB_VERSION} | sed  's/^v//g' )
+
+REGISTRY ?= local

README.md

@@ -1,112 +1,138 @@
-<h1 align="center">CMDB</h1>
-<div align="center">
-尽可能实现比较通用的运维资产数据的配置和管理
-</div>
 
-<div align="center">
+<p align="center">
+  <a href="https://veops.cn">
+    <img src="https://github.com/user-attachments/assets/c5cfb272-899b-418d-9e69-8e1dd07db0f6" alt="维易CMDB"/>
+  </a>
+</p>
 
-[![License](https://img.shields.io/badge/License-GPLv2-brightgreen)](https://github.com/pycook/cmdb/blob/master/LICENSE)
-[![UI](https://img.shields.io/badge/UI-Ant%20Design%20Pro%20Vue-brightgreen)](https://github.com/sendya/ant-design-pro-vue) 
-[![API](https://img.shields.io/badge/API-Flask-brightgreen)](https://github.com/pallets/flask) 
+<h4 align="center">简单、轻量、通用的运维配置管理数据库</h4>
 
-</div>
+<p align="center">
+  <a href="https://github.com/veops/cmdb/blob/master/LICENSE"><img src="https://img.shields.io/badge/License-AGPLv3-brightgreen" alt="License: GPLv3"></a>
+  <a href="https://github.com/veops/cmdb/releases"><img alt="the latest release version" src="https://img.shields.io/github/v/release/veops/cmdb?color=75C1C4&include_prereleases&label=Release&logo=github&logoColor=white"></a>
+  <a href="https:https://github.com/sendya/ant-design-pro-vue"><img src="https://img.shields.io/badge/UI-Ant%20Design%20Pro%20Vue-green" alt="UI"></a>
+  <a href="https://github.com/pallets/flask"><img src="https://img.shields.io/badge/API-Flask-bright" alt="API"></a>
+  <a href="https://github.com/veops/cmdb/stargazers"><img src="https://img.shields.io/github/stars/veops/cmdb" alt="Stars Badge"/></a>
+  <a href="https://github.com/veops/cmdb"><img src="https://img.shields.io/github/forks/veops/cmdb" alt="Forks Badge"/></a>
+</p>
+<p align="center">
+  中文(简体) · <a href="docs/README_en.md">English</a>
+</p>
 
+## 系统介绍
 
+维易CMDB是一个简洁、轻量且高度可定制的运维配置管理数据库（CMDB）。它支持灵活的模型配置和资源自动发现，旨在为企业提供便捷的资产管理解决方案，帮助运维团队高效地管理 IT 基础设施和服务。
 
-- 在线预览: [CMDB](http://121.42.12.46:8000)
-    - username: demo
-    - password: 123456
-    
-> **重要提示**: `master` 分支在开发过程中可能处于 *不稳定的状态* 。
-请通过[releases](https://github.com/pycook/cmdb/releases)获取
-    
-Overview
-----
-### 3种类型视图
-1. 资源视图 - 模型的实例数据, 用户可订阅
-2. 树形视图 - 模型按字段分级, 用树形图方式展示, 用户可订阅
-3. 关系视图 - 模型之间的关系, 用树形图方式展示, **管理员可配置**
+- 产品文档：[https://veops.cn/docs/](https://veops.cn/docs/)
+- 在线体验：[https://cmdb.veops.cn](https://cmdb.veops.cn)
+  - 用户名：demo 或者 admin
+  - 密码：123456
+- **重要提示**：`master` 分支在开发过程中可能处于**不稳定的状态**。请通过 [releases](https://github.com/veops/cmdb/releases) 获取最新稳定版本。
 
-##### 资源视图
-![基础资源视图](https://raw.githubusercontent.com/pycook/cmdb/master/cmdb-ui/public/cmdb-ci.jpeg) 
+### 主要功能
 
-##### 树形视图
-![树形视图](https://raw.githubusercontent.com/pycook/cmdb/master/cmdb-ui/public/cmdb-tree.jpeg) 
+- **自定义模型和模型关系**：支持模型属性的自定义，包括下拉列表、字体颜色、计算属性等高级功能，满足不同业务需求。
+- **自动发现资源**：支持计算机、网络设备、存储设备、数据库、中间件、公有云资源等自动发现。
+- **多维度视图展示**：包括资源视图、层级视图、关系视图等，帮助运维人员全面管理资源。
+- **细粒度权限控制**：通过精确的访问控制和完备的操作日志保障系统的安全性。
+- **全面的资源搜索功能**：支持灵活的资源和关系搜索，快速定位和操作资源。
+- **集成 IP 地址管理（IPAM）和数据中心基础设施管理（DCIM）**：简化网络资源和数据中心设备的管理。
 
-##### 关系视图
-![关系视图](https://raw.githubusercontent.com/pycook/cmdb/master/cmdb-ui/public/cmdb-relation.jpeg) 
+更多详细功能，请移步 [维易科技官网](https://veops.cn) 进行了解。
 
-##### 用户订阅
-![用户订阅](https://raw.githubusercontent.com/pycook/cmdb/master/cmdb-ui/public/cmdb-preference.jpeg)
+### 系统优势
 
-##### 关系视图配置
-![关系视图配置](https://raw.githubusercontent.com/pycook/cmdb/master/cmdb-ui/public/cmdb-relation-define.jpeg)
+- 灵活性
+  + 无需指定固定运维场景，支持自由配置并内置多种模板
+  + 支持自动发现和入库 IT 资产，快速搭建资产管理系统
+- 安全性
+  + 细粒度的权限控制机制，确保资源管理的安全性
+  + 完整的操作日志记录，便于审计和问题追踪
+- 多应用
+  + 提供多种视图展示方式，满足不同场景的需求
+  + 强大的 API 接口，支持深度集成
+  + 支持定义属性触发器和计算属性，增强数据处理能力
 
-Docker一键快速构建
-----
-- 进入主目录（先安装docker环境）
-```
-    docker-compose up -d
-```
+### 技术栈
 
-- 浏览器打开: [http://127.0.0.1:8000](http://127.0.0.1:8000)
++ 后端：Python [3.8-3.11]
++ 数据存储：MySQL、Redis
++ 前端：Vue.js
++ UI组件库：Ant Design Vue
 
+### 系统概览
 
-本地搭建: 环境和依赖
-----
-- 存储: mysql, redis
-- python版本: python2.7, >=python3.6
+<table style="border-collapse: collapse;">
+  <tr>
+    <td style="padding: 5px;background-color:#fff;">
+      <img width="400" src="https://github.com/user-attachments/assets/6d2df835-ae93-4d91-9bd9-213c270eca7a"/>
+    </td>
+    <td style="padding: 5px;background-color:#fff;">
+      <img width="400" src="https://github.com/user-attachments/assets/cb8b598a-a1f9-4c74-adf1-6e59aea2c9b3"/>
+    </td>
+  </tr>
 
-Install
-----
-- 启动mysql服务, redis服务
+  <tr>
+    <td style="padding: 5px;background-color:#fff;">
+      <img width="400" src="https://github.com/user-attachments/assets/b440224f-53c3-4b7f-a9be-285d7a4b848f"/>
+    </td>
+    <td style="padding: 5px;background-color:#fff;">
+      <img width="400" src="https://github.com/user-attachments/assets/f457d5a0-b60b-4949-b94e-020f4c61444b"/>
+    </td>
+  </tr>
+</table>
 
-- 创建数据库cmdb
-- 拉取代码
-```bash
-git clone https://github.com/pycook/cmdb.git
-cd cmdb
-cp cmdb-api/settings.py.example cmdb-api/settings.py
-```
-**设置cmdb-api/settings.py里的database**
+## 关注我们
 
-- 安装库
-  - 后端: ```cd cmdb-api && pipenv run pipenv install && cd ..```
-  - 前端: ```cd cmdb-ui && yarn install && cd ..```
-  
-- 创建数据库表 ```pipenv run flask db-setup && pipenv run flask init-cache```
-- 可以将docs/cmdb.sql导入到数据库里，登录用户和密码分别是:demo/123456
-  
-- 启动服务
-  - 后端: 进入**cmdb-api**目录执行 ```pipenv run flask run -h 0.0.0.0```
-  - 前端: 进入**cmdb-ui**目录执行```yarn run serve```
-  - worker: 进入**cmdb-api**目录执行 ```pipenv run celery worker -A celery_worker.celery -E -Q cmdb_async --concurrency=1```
-  
-  - 浏览器打开:  [http://127.0.0.1:8000](http://127.0.0.1:8000)
-    - 如果是非本机访问, 要修改**cmdb-ui/.env**里**VUE_APP_API_BASE_URL**里的IP地址为后端服务的ip地址
+欢迎 Star 加关注，第一时间获取更新动态！
 
+![star us](https://github.com/user-attachments/assets/f9056d5a-171c-4f53-9fec-d40c9e5ff94d)
 
-Install by Makefile
-----
-- 启动mysql服务, redis服务
+## 快速开始
 
-- 创建数据库cmdb
-- 拉取代码
-```bash
-git clone https://github.com/pycook/cmdb.git
-cd cmdb
-cp cmdb-api/settings.py.example cmdb-api/settings.py
-```
-**cmdb-api/settings.py里的database**
+### 1. 搭建
 
-- 顺序在cmdb目录下执行
-    - 环境: ```make env```
-    - 启动API: ```make api```
-    - 启动UI: ```make ui```
-    - 启动worker: ```make worker```
++ 方案一：Docker 一键快速构建
 
+  - 第1步: 安装 Docker 环境和 Docker Compose（v2）
+  - 第2步: 拷贝项目代码, `git clone https://github.com/veops/cmdb.git`
+  - 第3步：进入主目录并启动, `docker compose up -d`
 
-----
-_**欢迎加入CMDB运维开发QQ群（336164978）**_
++ 方案二：[本地开发环境搭建](docs/local.md)
++ 方案三：[Makefile 安装](docs/makefile.md)
 
-![QQ群](cmdb-ui/public/qr_code.jpg)
+### 2. 访问
+- 打开浏览器并访问: [http://127.0.0.1:8000](http://127.0.0.1:8000)
+- 用户名: demo 或者 admin
+- 密码: 123456
+
+## 接入公司
+
++ 欢迎使用开源CMDB的公司和团队，在 [#112](https://github.com/veops/cmdb/issues/112) 登记
+
+## 代码贡献
+我们欢迎所有开发者贡献代码，改善和扩展这个项目。请先阅读我们的[贡献指南](docs/CONTRIBUTING.md)。此外，您还可以通过社交媒体、活动和分享来支持 Veops 的开源。
+
+<a href="https://github.com/veops/cmdb/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=veops/cmdb" />
+</a>
+
+## 更多开源
+
+- [OneTerm](https://github.com/veops/oneterm): 一款简单、轻量、灵活的堡垒机服务。
+- [messenger](https://github.com/veops/messenger): 一个简单轻量的消息发送服务。
+- [ACL](https://github.com/veops/acl): 一个简单通用的权限管理系统设计与实践。
+
+## 相关文章
+
+- <a href="https://mp.weixin.qq.com/s/v3eANth64UBW5xdyOkK3tg" target="_blank">尽可能通用的运维CMDB的设计与实践(Ⅰ) - 概览</a>
+- <a href="https://mp.weixin.qq.com/s/rQaf4AES7YJsyNQG_MKOLg" target="_blank">尽可能通用的运维CMDB的设计与实践(ⅠⅠ) - 自动发现</a>
+- <a href="https://github.com/veops/cmdb/tree/master/docs/cmdb_api.md" target="_blank">CMDB接口文档</a>
+
+更多文章可以在公众号 **维易科技OneOps** 里查看
+
+## 与我联系
+
++ 邮箱: <a href="mailto:bd@veops.cn">bd@veops.cn</a>
++ 公众号：**维易科技OneOps**。关注后可以加入微信群，参与产品和技术交流  
+  <img src="docs/images/wechat.png" alt="公众号: 维易科技OneOps" />

cmdb-api/.ruff.toml

@@ -0,0 +1,79 @@
+line-length = 120
+cache-dir = ".ruff_cache"
+target-version = "py310"
+unsafe-fixes = true
+show-fixes = true
+
+[lint]
+select = [
+    "E",
+    "F",
+    "I",
+    "TCH",
+    # W
+    "W505",
+    # PT
+    "PT018",
+    # SIM
+    "SIM101",
+    "SIM114",
+    # PGH
+    "PGH004",
+    # PL
+    "PLE1142",
+    # RUF
+    "RUF100",
+    # UP
+    "UP007"
+]
+preview = true
+ignore = ["FURB101"]
+
+[lint.flake8-pytest-style]
+mark-parentheses = false
+parametrize-names-type = "list"
+parametrize-values-row-type = "list"
+parametrize-values-type = "tuple"
+
+[lint.flake8-unused-arguments]
+ignore-variadic-names = true
+
+[lint.isort]
+lines-between-types = 1
+order-by-type = true
+
+[lint.per-file-ignores]
+"**/api/v1/*.py" = ["TCH"]
+"**/model/*.py" = ["TCH003"]
+"**/models/__init__.py" = ["F401", "F403"]
+"**/tests/*.py" = ["E402"]
+"celery_worker.py" = ["F401"]
+"api/views/entry.py" = ["I001"]
+"migrations/*.py" = ["I001", "E402"]
+"*.py" = ["I001"]
+"api/views/common_setting/department.py" = ["F841"]
+"api/lib/common_setting/upload_file.py" = ["F841"]
+"api/lib/common_setting/acl.py" = ["F841"]
+"**/__init__.py" = ["F822"]
+"api/tasks/*.py" = ["E722"]
+"api/views/cmdb/*.py" = ["E722"]
+"api/views/acl/*.py" = ["E722"]
+"api/lib/secrets/*.py" = ["E722", "F841"]
+"api/lib/utils.py" = ["E722", "E731"]
+"api/lib/perm/authentication/cas/*" = ["E113", "F841"]
+"api/lib/perm/acl/*" = ["E722"]
+"api/lib/*" = ["E721", "F722"]
+"api/lib/cmdb/*" = ["F722", "E722"]
+"api/lib/cmdb/search/ci/es/search.py" = ["F841", "SIM114"]
+"api/lib/cmdb/search/ci/db/search.py" = ["F841"]
+"api/lib/cmdb/value.py" = ["F841"]
+"api/lib/cmdb/history.py" = ["E501"]
+"api/commands/common.py" = ["E722"]
+"api/commands/click_cmdb.py" = ["E722"]
+"api/lib/perm/auth.py" = ["SIM114"]
+
+[format]
+preview = true
+quote-style = "single"
+docstring-code-format = true
+skip-magic-trailing-comma = false

cmdb-api/Pipfile

@@ -5,42 +5,71 @@ name = "pypi"
 
 [packages]
 # Flask
-Flask = "==1.0.3"
-Werkzeug = "==0.15.4"
+Flask = "==2.2.5"
+Werkzeug = "==2.2.3"
 click = ">=5.0"
 # Api
-Flask-RESTful = "==0.3.7"
+Flask-RESTful = "==0.3.10"
 # Database
-Flask-SQLAlchemy = "==2.4.0"
-SQLAlchemy = "==1.3.5"
-PyMySQL = "==0.9.3"
-redis = "==3.2.1"
+Flask-SQLAlchemy = "==3.0.5"
+SQLAlchemy = "==1.4.49"
+PyMySQL = "==1.1.0"
+redis = "==4.6.0"
+python-redis-lock = "==4.0.0"
 # Migrations
 Flask-Migrate = "==2.5.2"
 # Deployment
-gevent = "==1.4.0"
-gunicorn = "==19.5.0"
+gunicorn = "==21.0.1"
 supervisor = "==4.0.3"
 # Auth
-Flask-Login = "==0.4.1"
-Flask-Bcrypt = "==0.7.1"
+Flask-Login = ">=0.6.2"
+Flask-Bcrypt = "==1.0.1"
 Flask-Cors = ">=3.0.8"
+ldap3 = "==2.9.1"
+pycryptodome = "==3.12.0"
+cryptography = ">=41.0.2"
+# i18n
+flask-babel = "==4.0.0"
 # Caching
 Flask-Caching = ">=1.0.0"
 # Environment variable parsing
 environs = "==4.2.0"
 marshmallow = "==2.20.2"
 # async tasks
-celery = "==4.3.0"
+celery = "==5.3.1"
+celery_once = "==3.0.1"
 more-itertools = "==5.0.0"
-kombu = "==4.4.0"
+kombu = ">=5.3.1"
+# common setting
+timeout-decorator = "==0.5.0"
+WTForms = "==3.0.0"
+email-validator = "==1.3.1"
+treelib = "==1.6.1"
+flasgger = "==0.9.5"
+Pillow = ">=10.0.1"
 # other
-six = "==1.12.0"
+six = "==1.16.0"
 bs4 = ">=0.0.1"
 toposort = ">=1.5"
 requests = ">=2.22.0"
-PyJWT = ">=1.7.1"
-elasticsearch = "==7.0.4"
+requests_oauthlib = "==1.3.1"
+markdownify = "==0.11.6"
+PyJWT = "==2.4.0"
+elasticsearch = "==7.17.9"
+future = "==0.18.3"
+itsdangerous = "==2.1.2"
+Jinja2 = "==3.1.2"
+jinja2schema = "==0.1.4"
+msgpack-python = "==0.5.6"
+alembic = "==1.7.7"
+hvac = "==2.0.0"
+colorama = ">=0.4.6"
+pycryptodomex = ">=3.19.0"
+lz4 = ">=4.3.2"
+python-magic = "==0.4.27"
+jsonpath = "==0.82.2"
+networkx = ">=3.1"
+ipaddress = ">=1.0.23"
 
 [dev-packages]
 # Testing
@@ -57,4 +86,3 @@ flake8-isort = "==2.7.0"
 isort = "==4.3.21"
 pep8-naming = "==0.8.2"
 pydocstyle = "==3.0.0"
-

cmdb-api/api/app.py

@@ -1,40 +1,40 @@
 # -*- coding: utf-8 -*-
 """The app module, containing the app factory function."""
+import datetime
+import decimal
 import logging
 import os
 import sys
 from inspect import getmembers
 from logging.handlers import RotatingFileHandler
+from pathlib import Path
 
-from api.flask_cas import CAS
 from flask import Flask
-from flask import make_response, jsonify
+from flask import jsonify
+from flask import make_response
+from flask import request
 from flask.blueprints import Blueprint
 from flask.cli import click
+from flask.json.provider import DefaultJSONProvider
+from flask_babel.speaklater import LazyString
 
-import api.views
-from api.extensions import (
-    bcrypt,
-    cors,
-    cache,
-    db,
-    login_manager,
-    migrate,
-    celery,
-    rd,
-    es
-)
-from .models.acl import User
+import api.views.entry
+from api.extensions import (bcrypt, babel, cache, celery, cors, db, es, login_manager, migrate, rd)
+from api.extensions import inner_secrets
+from api.lib.perm.authentication.cas import CAS
+from api.lib.perm.authentication.oauth2 import OAuth2
+from api.lib.secrets.secrets import InnerKVManger
+from api.models.acl import User
 
 HERE = os.path.abspath(os.path.dirname(__file__))
 PROJECT_ROOT = os.path.join(HERE, os.pardir)
-API_PACKAGE = "api"
+BASE_DIR = Path(__file__).resolve().parent.parent
 
 
 @login_manager.user_loader
 def load_user(user_id):
     """Load user by ID."""
-    return User.get_by(uid=int(user_id), first=True, to_dict=False)
+    return User.get_by_id(int(user_id))
 
 
 class ReverseProxy(object):
@@ -72,40 +72,79 @@ class ReverseProxy(object):
         return self.app(environ, start_response)
 
 
+class MyJSONEncoder(DefaultJSONProvider):
+    def default(self, o):
+        if isinstance(o, (decimal.Decimal, datetime.date, datetime.time, LazyString)):
+            return str(o)
+
+        if isinstance(o, datetime.datetime):
+            return o.strftime('%Y-%m-%d %H:%M:%S')
+
+        return o
+
+
 def create_app(config_object="settings"):
     """Create application factory, as explained here: http://flask.pocoo.org/docs/patterns/appfactories/.
 
     :param config_object: The configuration object to use.
     """
     app = Flask(__name__.split(".")[0])
+
     app.config.from_object(config_object)
+    app.json = MyJSONEncoder(app)
+    configure_logger(app)
     register_extensions(app)
     register_blueprints(app)
     register_error_handlers(app)
     register_shell_context(app)
     register_commands(app)
-    configure_logger(app)
     CAS(app)
+    OAuth2(app)
     app.wsgi_app = ReverseProxy(app.wsgi_app)
+    configure_upload_dir(app)
+
     return app
 
 
+def configure_upload_dir(app):
+    upload_dir = app.config.get('UPLOAD_DIRECTORY', 'uploaded_files')
+    common_setting_path = os.path.join(HERE, upload_dir)
+    for path in [common_setting_path]:
+        if not os.path.exists(path):
+            app.logger.warning(f"{path}, not exist, create...")
+            os.makedirs(path)
+
+    app.config['UPLOAD_DIRECTORY_FULL'] = common_setting_path
+
+
 def register_extensions(app):
     """Register Flask extensions."""
+
+    def get_locale():
+        accept_languages = app.config.get('ACCEPT_LANGUAGES', ['en', 'zh'])
+        return request.accept_languages.best_match(accept_languages)
+
     bcrypt.init_app(app)
+    babel.init_app(app, locale_selector=get_locale)
     cache.init_app(app)
     db.init_app(app)
     cors.init_app(app)
     login_manager.init_app(app)
-    migrate.init_app(app, db)
+    migrate.init_app(app, db, directory=f"{BASE_DIR}/migrations")
     rd.init_app(app)
-    if app.config.get("USE_ES"):
+    if app.config.get('USE_ES'):
         es.init_app(app)
+
+    app.config.update(app.config.get("CELERY"))
     celery.conf.update(app.config)
 
+    if app.config.get('SECRETS_ENGINE') == 'inner':
+        with app.app_context():
+            inner_secrets.init_app(app, InnerKVManger())
+
 
 def register_blueprints(app):
-    for item in getmembers(api.views):
+    for item in getmembers(api.views.entry):
         if item[0].startswith("blueprint") and isinstance(item[1], Blueprint):
             app.register_blueprint(item[1])
 
@@ -118,10 +157,14 @@ def register_error_handlers(app):
         import traceback
         app.logger.error(traceback.format_exc())
         error_code = getattr(error, "code", 500)
+        if not str(error_code).isdigit():
+            error_code = 400
+
         return make_response(jsonify(message=str(error)), error_code)
 
     for errcode in app.config.get("ERROR_CODES") or [400, 401, 403, 404, 405, 500, 502]:
         app.errorhandler(errcode)(render_error)
+
     app.handle_exception = render_error
 
 
@@ -140,9 +183,8 @@ def register_commands(app):
     for root, _, files in os.walk(os.path.join(HERE, "commands")):
         for filename in files:
             if not filename.startswith("_") and filename.endswith("py"):
-                module_path = os.path.join(API_PACKAGE, root[root.index("commands"):])
-                if module_path not in sys.path:
-                    sys.path.insert(1, module_path)
+                if root not in sys.path:
+                    sys.path.insert(1, root)
                 command = __import__(os.path.splitext(filename)[0])
                 func_list = [o[0] for o in getmembers(command) if isinstance(o[1], click.core.Command)]
                 for func_name in func_list:
@@ -160,10 +202,11 @@ def configure_logger(app):
         app.logger.addHandler(handler)
 
     log_file = app.config['LOG_PATH']
-    file_handler = RotatingFileHandler(log_file,
-                                       maxBytes=2 ** 30,
-                                       backupCount=7)
-    file_handler.setLevel(getattr(logging, app.config['LOG_LEVEL']))
-    file_handler.setFormatter(formatter)
-    app.logger.addHandler(file_handler)
+    if log_file and log_file != "/dev/stdout":
+        file_handler = RotatingFileHandler(log_file,
+                                           maxBytes=2 ** 30,
+                                           backupCount=7)
+        file_handler.setLevel(getattr(logging, app.config['LOG_LEVEL']))
+        file_handler.setFormatter(formatter)
+        app.logger.addHandler(file_handler)
     app.logger.setLevel(getattr(logging, app.config['LOG_LEVEL']))

cmdb-api/api/commands/click_acl.py

@@ -0,0 +1,56 @@
+import click
+from flask.cli import with_appcontext
+
+from api.lib.perm.acl.user import UserCRUD
+
+
+@click.command()
+@with_appcontext
+def init_acl():
+    """
+    acl init
+    """
+    from api.models.acl import Role
+    from api.models.acl import App
+    from api.tasks.acl import role_rebuild
+    from api.lib.perm.acl.const import ACL_QUEUE
+
+    roles = Role.get_by(to_dict=False)
+    apps = App.get_by(to_dict=False)
+    for role in roles:
+        if role.app_id:
+            role_rebuild.apply_async(args=(role.id, role.app_id), queue=ACL_QUEUE)
+        else:
+            for app in apps:
+                role_rebuild.apply_async(args=(role.id, app.id), queue=ACL_QUEUE)
+
+
+@click.command()
+@with_appcontext
+def add_user():
+    """
+    create a user
+
+    is_admin: default is False
+
+    """
+
+    from api.models.acl import App
+    from api.lib.perm.acl.cache import AppCache
+    from api.lib.perm.acl.cache import RoleCache
+    from api.lib.perm.acl.role import RoleCRUD
+    from api.lib.perm.acl.role import RoleRelationCRUD
+
+    username = click.prompt('Enter username', confirmation_prompt=False)
+    password = click.prompt('Enter password', hide_input=True, confirmation_prompt=True)
+    email = click.prompt('Enter email   ', confirmation_prompt=False)
+    is_admin = click.prompt('Admin (Y/N)   ', confirmation_prompt=False, type=bool, default=False)
+
+    UserCRUD.add(username=username, password=password, email=email)
+
+    if is_admin:
+        app = AppCache.get('acl') or App.create(name='acl')
+        acl_admin = RoleCache.get_by_name(app.id, 'acl_admin') or RoleCRUD.add_role('acl_admin', app.id, True)
+        rid = RoleCache.get_by_name(None, username).id
+
+        RoleRelationCRUD.add(acl_admin, acl_admin.id, [rid], app.id)

cmdb-api/api/commands/click_cmdb.py

@@ -1,39 +1,75 @@
 # -*- coding:utf-8 -*-
 
 
-import json
-
 import click
+import copy
+import datetime
+import json
+import requests
+import time
+import uuid
 from flask import current_app
 from flask.cli import with_appcontext
+from flask_login import login_user
 
 import api.lib.cmdb.ci
 from api.extensions import db
 from api.extensions import rd
+from api.lib.cmdb.cache import AttributeCache
 from api.lib.cmdb.const import PermEnum
 from api.lib.cmdb.const import REDIS_PREFIX_CI
 from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION
+from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION2
 from api.lib.cmdb.const import ResourceTypeEnum
 from api.lib.cmdb.const import RoleEnum
 from api.lib.cmdb.const import ValueTypeEnum
+from api.lib.cmdb.dcim.rack import RackManager
 from api.lib.exception import AbortException
 from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import UserCache
 from api.lib.perm.acl.cache import AppCache
 from api.lib.perm.acl.resource import ResourceCRUD
 from api.lib.perm.acl.resource import ResourceTypeCRUD
 from api.lib.perm.acl.role import RoleCRUD
+from api.lib.secrets.inner import KeyManage
+from api.lib.secrets.inner import global_key_threshold
+from api.lib.secrets.secrets import InnerKVManger
+from api.models.acl import App
 from api.models.acl import ResourceType
+from api.models.cmdb import Attribute
+from api.models.cmdb import AttributeHistory
 from api.models.cmdb import CI
 from api.models.cmdb import CIRelation
 from api.models.cmdb import CIType
+from api.models.cmdb import CITypeTrigger
+from api.models.cmdb import OperationRecord
 from api.models.cmdb import PreferenceRelationView
+from api.tasks.cmdb import batch_ci_cache
 
 
 @click.command()
 @with_appcontext
-def init_cache():
+def cmdb_init_cache():
     db.session.remove()
 
+    ci_relations = CIRelation.get_by(to_dict=False)
+    relations = dict()
+    relations2 = dict()
+    for cr in ci_relations:
+        relations.setdefault(cr.first_ci_id, {}).update({cr.second_ci_id: cr.second_ci.type_id})
+        if cr.ancestor_ids:
+            relations2.setdefault('{},{}'.format(cr.ancestor_ids, cr.first_ci_id), {}).update(
+                {cr.second_ci_id: cr.second_ci.type_id})
+    for i in relations:
+        relations[i] = json.dumps(relations[i])
+    for i in relations2:
+        relations2[i] = json.dumps(relations2[i])
+    if relations:
+        rd.create_or_update(relations, REDIS_PREFIX_CI_RELATION)
+    if relations2:
+        rd.create_or_update(relations2, REDIS_PREFIX_CI_RELATION2)
+
+    es = None
     if current_app.config.get("USE_ES"):
         from api.extensions import es
         from api.models.cmdb import Attribute
@@ -76,26 +112,29 @@ def init_cache():
         else:
             rd.create_or_update({ci.id: json.dumps(ci_dict)}, REDIS_PREFIX_CI)
 
-    ci_relations = CIRelation.get_by(to_dict=False)
-    relations = dict()
-    for cr in ci_relations:
-        relations.setdefault(cr.first_ci_id, {}).update({cr.second_ci_id: cr.second_ci.type_id})
-    for i in relations:
-        relations[i] = json.dumps(relations[i])
-    if relations:
-        rd.create_or_update(relations, REDIS_PREFIX_CI_RELATION)
-
     db.session.remove()
 
 
 @click.command()
 @with_appcontext
-def init_acl():
-    app_id = AppCache.get('cmdb').id
+def cmdb_init_acl():
+    _app = AppCache.get('cmdb') or App.create(name='cmdb')
+    app_id = _app.id
+
+    current_app.test_request_context().push()
+
     # 1. add resource type
     for resource_type in ResourceTypeEnum.all():
         try:
-            ResourceTypeCRUD.add(app_id, resource_type, '', PermEnum.all())
+            perms = PermEnum.all()
+            if resource_type in (ResourceTypeEnum.CI_FILTER, ResourceTypeEnum.PAGE):
+                perms = [PermEnum.READ]
+            elif resource_type == ResourceTypeEnum.CI_TYPE_RELATION:
+                perms = [PermEnum.ADD, PermEnum.DELETE, PermEnum.GRANT]
+            elif resource_type in (ResourceTypeEnum.RELATION_VIEW, ResourceTypeEnum.TOPOLOGY_VIEW):
+                perms = [PermEnum.READ, PermEnum.UPDATE, PermEnum.DELETE, PermEnum.GRANT]
+
+            ResourceTypeCRUD.add(app_id, resource_type, '', perms)
         except AbortException:
             pass
 
@@ -111,10 +150,10 @@ def init_acl():
 
     # 3. add resource and grant
     ci_types = CIType.get_by(to_dict=False)
-    type_id = ResourceType.get_by(name=ResourceTypeEnum.CI, first=True, to_dict=False).id
+    resource_type_id = ResourceType.get_by(name=ResourceTypeEnum.CI, first=True, to_dict=False).id
     for ci_type in ci_types:
         try:
-            ResourceCRUD.add(ci_type.name, type_id, app_id)
+            ResourceCRUD.add(ci_type.name, resource_type_id, app_id)
         except AbortException:
             pass
 
@@ -124,10 +163,10 @@ def init_acl():
                                             [PermEnum.READ])
 
     relation_views = PreferenceRelationView.get_by(to_dict=False)
-    type_id = ResourceType.get_by(name=ResourceTypeEnum.RELATION_VIEW, first=True, to_dict=False).id
+    resource_type_id = ResourceType.get_by(name=ResourceTypeEnum.RELATION_VIEW, first=True, to_dict=False).id
     for view in relation_views:
         try:
-            ResourceCRUD.add(view.name, type_id, app_id)
+            ResourceCRUD.add(view.name, resource_type_id, app_id)
         except AbortException:
             pass
 
@@ -135,3 +174,414 @@ def init_acl():
                                             RoleEnum.CMDB_READ_ALL,
                                             ResourceTypeEnum.RELATION_VIEW,
                                             [PermEnum.READ])
+
+
+@click.command()
+@with_appcontext
+def cmdb_counter():
+    """
+    Dashboard calculations
+    """
+    from api.lib.cmdb.cache import CMDBCounterCache
+
+    current_app.test_request_context().push()
+    if not UserCache.get('worker'):
+        from api.lib.perm.acl.user import UserCRUD
+
+        UserCRUD.add(username='worker', password=uuid.uuid4().hex, email='worker@xxx.com')
+
+    login_user(UserCache.get('worker'))
+
+    i = 0
+    today = datetime.date.today()
+    while True:
+        try:
+            db.session.commit()
+
+            CMDBCounterCache.reset()
+
+            if i % 5 == 0:
+                CMDBCounterCache.flush_adc_counter()
+                i = 0
+
+            if datetime.date.today() != today:
+                CMDBCounterCache.clear_ad_exec_history()
+                today = datetime.date.today()
+
+            CMDBCounterCache.flush_sub_counter()
+
+            RackManager().check_u_slot()
+
+            i += 1
+        except:
+            import traceback
+            print(traceback.format_exc())
+
+        time.sleep(60)
+
+
+@click.command()
+@with_appcontext
+def cmdb_trigger():
+    """
+    Trigger execution for date attribute
+    """
+    from api.lib.cmdb.ci import CITriggerManager
+
+    current_app.test_request_context().push()
+    if not UserCache.get('worker'):
+        from api.lib.perm.acl.user import UserCRUD
+        UserCRUD.add(username='worker', password=uuid.uuid4().hex, email='worker@xxx.com')
+    login_user(UserCache.get('worker'))
+
+    current_day = datetime.datetime.today().strftime("%Y-%m-%d")
+    trigger2cis = dict()
+    trigger2completed = dict()
+
+    i = 0
+    while True:
+        try:
+            db.session.remove()
+
+            if datetime.datetime.today().strftime("%Y-%m-%d") != current_day:
+                trigger2cis = dict()
+                trigger2completed = dict()
+                current_day = datetime.datetime.today().strftime("%Y-%m-%d")
+
+            if i == 3 or i == 0:
+                i = 0
+                triggers = CITypeTrigger.get_by(to_dict=False, __func_isnot__key_attr_id=None)
+                for trigger in triggers:
+                    try:
+                        ready_cis = CITriggerManager.waiting_cis(trigger)
+                    except Exception as e:
+                        print(e)
+                        continue
+
+                    if trigger.id not in trigger2cis:
+                        trigger2cis[trigger.id] = (trigger, ready_cis)
+                    else:
+                        cur = trigger2cis[trigger.id]
+                        cur_ci_ids = {_ci.ci_id for _ci in cur[1]}
+                        trigger2cis[trigger.id] = (
+                            trigger, cur[1] + [_ci for _ci in ready_cis if _ci.ci_id not in cur_ci_ids
+                                               and _ci.ci_id not in trigger2completed.get(trigger.id, {})])
+
+            for tid in trigger2cis:
+                trigger, cis = trigger2cis[tid]
+                for ci in copy.deepcopy(cis):
+                    if CITriggerManager.trigger_notify(trigger, ci):
+                        trigger2completed.setdefault(trigger.id, set()).add(ci.ci_id)
+
+                        for _ci in cis:
+                            if _ci.ci_id == ci.ci_id:
+                                cis.remove(_ci)
+
+            i += 1
+            time.sleep(10)
+        except Exception as e:
+            import traceback
+            print(traceback.format_exc())
+            current_app.logger.error("cmdb trigger exception: {}".format(e))
+            time.sleep(60)
+
+
+@click.command()
+@with_appcontext
+def cmdb_index_table_upgrade():
+    """
+    Migrate data from tables c_value_integers, c_value_floats, and c_value_datetime
+    """
+    for attr in Attribute.get_by(to_dict=False):
+        if attr.value_type not in {ValueTypeEnum.TEXT, ValueTypeEnum.JSON} and not attr.is_index:
+            attr.update(is_index=True)
+            AttributeCache.clean(attr)
+
+    from api.models.cmdb import CIValueInteger, CIIndexValueInteger
+    from api.models.cmdb import CIValueFloat, CIIndexValueFloat
+    from api.models.cmdb import CIValueDateTime, CIIndexValueDateTime
+
+    for i in CIValueInteger.get_by(to_dict=False):
+        CIIndexValueInteger.create(ci_id=i.ci_id, attr_id=i.attr_id, value=i.value, commit=False)
+        i.delete(commit=False)
+    db.session.commit()
+
+    for i in CIValueFloat.get_by(to_dict=False):
+        CIIndexValueFloat.create(ci_id=i.ci_id, attr_id=i.attr_id, value=i.value, commit=False)
+        i.delete(commit=False)
+    db.session.commit()
+
+    for i in CIValueDateTime.get_by(to_dict=False):
+        CIIndexValueDateTime.create(ci_id=i.ci_id, attr_id=i.attr_id, value=i.value, commit=False)
+        i.delete(commit=False)
+    db.session.commit()
+
+
+def valid_address(address):
+    if not address:
+        return False
+
+    if not address.startswith(("http://127.0.0.1", "https://127.0.0.1")):
+        response = {
+            "message": "Address should start with http://127.0.0.1 or https://127.0.0.1",
+            "status": "failed"
+        }
+        KeyManage.print_response(response)
+        return False
+    return True
+
+
+@click.command()
+@click.option(
+    '-a',
+    '--address',
+    help='inner cmdb api, http://127.0.0.1:8000',
+)
+@with_appcontext
+def cmdb_inner_secrets_init(address):
+    """
+    init inner secrets for password feature
+    """
+    res, ok = KeyManage(backend=InnerKVManger()).init()
+    if not ok:
+        if res.get("status") == "failed":
+            KeyManage.print_response(res)
+            return
+
+    token = res.get("details", {}).get("root_token", "")
+    if valid_address(address):
+        token = current_app.config.get("INNER_TRIGGER_TOKEN", "") if not token else token
+        if not token:
+            token = click.prompt('Enter root token', hide_input=True, confirmation_prompt=False)
+        assert token is not None
+        resp = requests.post("{}/api/v0.1/secrets/auto_seal".format(address.strip("/")),
+                             headers={"Inner-Token": token})
+        if resp.status_code == 200:
+            KeyManage.print_response(resp.json())
+        else:
+            KeyManage.print_response({"message": resp.text or resp.status_code, "status": "failed"})
+    else:
+        KeyManage.print_response(res)
+
+
+@click.command()
+@click.option(
+    '-a',
+    '--address',
+    help='inner cmdb api, http://127.0.0.1:8000',
+    required=True,
+)
+@with_appcontext
+def cmdb_inner_secrets_unseal(address):
+    """
+    unseal the secrets feature
+    """
+    # if not valid_address(address):
+    #     return
+    address = "{}/api/v0.1/secrets/unseal".format(address.strip("/"))
+    for i in range(global_key_threshold):
+        token = click.prompt(f'Enter unseal token {i + 1}', hide_input=True, confirmation_prompt=False)
+        assert token is not None
+        resp = requests.post(address, headers={"Unseal-Token": token}, timeout=5)
+        if resp.status_code == 200:
+            KeyManage.print_response(resp.json())
+            if resp.json().get("status") in ["success", "skip"]:
+                return
+        else:
+            KeyManage.print_response({"message": resp.status_code, "status": "failed"})
+            return
+
+
+@click.command()
+@click.option(
+    '-a',
+    '--address',
+    help='inner cmdb api, http://127.0.0.1:8000',
+    required=True,
+)
+@click.option(
+    '-k',
+    '--token',
+    help='root token',
+    prompt=True,
+    hide_input=True,
+)
+@with_appcontext
+def cmdb_inner_secrets_seal(address, token):
+    """
+    seal the secrets feature
+    """
+    assert address is not None
+    assert token is not None
+    if not valid_address(address):
+        return
+    address = "{}/api/v0.1/secrets/seal".format(address.strip("/"))
+    resp = requests.post(address, headers={
+        "Inner-Token": token,
+    })
+    if resp.status_code == 200:
+        KeyManage.print_response(resp.json())
+    else:
+        KeyManage.print_response({"message": resp.status_code, "status": "failed"})
+
+
+@click.command()
+@with_appcontext
+def cmdb_password_data_migrate():
+    """
+    Migrate CI password data, version >= v2.3.6
+    """
+    from api.models.cmdb import CIIndexValueText
+    from api.models.cmdb import CIValueText
+    from api.lib.secrets.inner import InnerCrypt
+    from api.lib.secrets.vault import VaultClient
+
+    attrs = Attribute.get_by(to_dict=False)
+    for attr in attrs:
+        if attr.is_password:
+
+            value_table = CIIndexValueText if attr.is_index else CIValueText
+
+            failed = False
+            for i in value_table.get_by(attr_id=attr.id, to_dict=False):
+                if current_app.config.get("SECRETS_ENGINE", 'inner') == 'inner':
+                    _, status = InnerCrypt().decrypt(i.value)
+                    if status:
+                        continue
+
+                    encrypt_value, status = InnerCrypt().encrypt(i.value)
+                    if status:
+                        CIValueText.create(ci_id=i.ci_id, attr_id=attr.id, value=encrypt_value)
+                    else:
+                        failed = True
+                        continue
+                elif current_app.config.get("SECRETS_ENGINE") == 'vault':
+                    if i.value == '******':
+                        continue
+
+                    vault = VaultClient(current_app.config.get('VAULT_URL'), current_app.config.get('VAULT_TOKEN'))
+                    try:
+                        vault.update("/{}/{}".format(i.ci_id, i.attr_id), dict(v=i.value))
+                    except Exception as e:
+                        print('save password to vault failed: {}'.format(e))
+                        failed = True
+                        continue
+                else:
+                    continue
+
+                i.delete()
+
+                if not failed and attr.is_index:
+                    attr.update(is_index=False)
+
+
+@click.command()
+@with_appcontext
+def cmdb_agent_init():
+    """
+    Initialize the agent's permissions and obtain the key and secret
+    """
+
+    from api.models.acl import User
+
+    user = User.get_by(username="cmdb_agent", first=True, to_dict=False)
+    if user is None:
+        click.echo(
+            click.style('user cmdb_agent does not exist, please use flask add-user to create it first', fg='red'))
+        return
+
+    # grant
+    _app = AppCache.get('cmdb') or App.create(name='cmdb')
+    app_id = _app.id
+
+    ci_types = CIType.get_by(to_dict=False)
+    resource_type_id = ResourceType.get_by(name=ResourceTypeEnum.CI, first=True, to_dict=False).id
+    for ci_type in ci_types:
+        try:
+            ResourceCRUD.add(ci_type.name, resource_type_id, app_id)
+        except AbortException:
+            pass
+
+        ACLManager().grant_resource_to_role(ci_type.name,
+                                            "cmdb_agent",
+                                            ResourceTypeEnum.CI,
+                                            [PermEnum.READ, PermEnum.UPDATE, PermEnum.ADD, PermEnum.DELETE])
+
+    click.echo("Key   : {}".format(click.style(user.key, bg='red')))
+    click.echo("Secret: {}".format(click.style(user.secret, bg='red')))
+
+
+@click.command()
+@click.option(
+    '-v',
+    '--version',
+    help='input cmdb version, e.g. 2.4.6',
+    required=True,
+)
+@with_appcontext
+def cmdb_patch(version):
+    """
+    CMDB upgrade patch
+    """
+
+    version = version[1:] if version.lower().startswith("v") else version
+
+    try:
+        if version >= '2.4.6':
+
+            from api.models.cmdb import CITypeRelation
+            for cr in CITypeRelation.get_by(to_dict=False):
+                if hasattr(cr, 'parent_attr_id') and cr.parent_attr_id and not cr.parent_attr_ids:
+                    parent_attr_ids, child_attr_ids = [cr.parent_attr_id], [cr.child_attr_id]
+                    cr.update(parent_attr_ids=parent_attr_ids, child_attr_ids=child_attr_ids, commit=False)
+            db.session.commit()
+
+            from api.models.cmdb import AutoDiscoveryCIType, AutoDiscoveryCITypeRelation
+            from api.lib.cmdb.cache import CITypeCache, AttributeCache
+            for adt in AutoDiscoveryCIType.get_by(to_dict=False):
+                if adt.relation:
+                    if not AutoDiscoveryCITypeRelation.get_by(ad_type_id=adt.type_id):
+                        peer_type = CITypeCache.get(list(adt.relation.values())[0]['type_name'])
+                        peer_type_id = peer_type and peer_type.id
+                        peer_attr = AttributeCache.get(list(adt.relation.values())[0]['attr_name'])
+                        peer_attr_id = peer_attr and peer_attr.id
+                        if peer_type_id and peer_attr_id:
+                            AutoDiscoveryCITypeRelation.create(ad_type_id=adt.type_id,
+                                                               ad_key=list(adt.relation.keys())[0],
+                                                               peer_type_id=peer_type_id,
+                                                               peer_attr_id=peer_attr_id,
+                                                               commit=False)
+                if hasattr(adt, 'interval') and adt.interval and not adt.cron:
+                    adt.cron = "*/{} * * * *".format(adt.interval // 60 or 1)
+
+            db.session.commit()
+
+        if version >= "2.4.7":
+            from api.lib.cmdb.auto_discovery.const import DEFAULT_INNER
+            from api.models.cmdb import AutoDiscoveryRule
+            for i in DEFAULT_INNER:
+                existed = AutoDiscoveryRule.get_by(name=i['name'], first=True, to_dict=False)
+                if existed is not None:
+                    if "en" in i['option'] and 'en' not in (existed.option or {}):
+                        option = copy.deepcopy(existed.option)
+                        option['en'] = i['option']['en']
+                        existed.update(option=option, commit=False)
+
+            db.session.commit()
+
+        if version >= "2.4.14":  # update ci columns: updated_at and updated_by
+            ci_ids = []
+            for i in CI.get_by(only_query=True).filter(CI.updated_at.is_(None)):
+                hist = AttributeHistory.get_by(ci_id=i.id, only_query=True).order_by(AttributeHistory.id.desc()).first()
+                if hist is not None:
+                    record = OperationRecord.get_by_id(hist.record_id)
+                    if record is not None:
+                        u = UserCache.get(record.uid)
+                        i.update(updated_at=record.created_at, updated_by=u and u.nickname, flush=True)
+                        ci_ids.append(i.id)
+
+            db.session.commit()
+
+            batch_ci_cache.apply_async(args=(ci_ids,))
+    except Exception as e:
+        print("cmdb patch failed: {}".format(e))

cmdb-api/api/commands/click_common_setting.py

@@ -0,0 +1,230 @@
+import click
+from flask import current_app
+from flask.cli import with_appcontext
+from werkzeug.datastructures import MultiDict
+
+from api.lib.common_setting.acl import ACLManager
+from api.lib.common_setting.employee import EmployeeAddForm, GrantEmployeeACLPerm
+from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.common_setting.utils import CheckNewColumn
+from api.models.common_setting import Employee, Department
+
+
+class InitEmployee(object):
+
+    def __init__(self):
+        self.log = current_app.logger
+
+    def import_user_from_acl(self):
+        """
+        Import users from ACL
+        """
+
+        InitDepartment().init()
+        acl = ACLManager('acl')
+        user_list = acl.get_all_users()
+
+        username_list = [e['username'] for e in Employee.get_by()]
+
+        for user in user_list:
+            acl_uid = user['uid']
+            block = 1 if user['block'] else 0
+            acl_rid = self.get_rid_by_uid(acl_uid)
+            if user['username'] in username_list:
+                existed = Employee.get_by(first=True, username=user['username'], to_dict=False)
+                if existed:
+                    existed.update(
+                        acl_uid=acl_uid,
+                        acl_rid=acl_rid,
+                        block=block,
+                    )
+                continue
+            try:
+                form = EmployeeAddForm(MultiDict(user))
+                if not form.validate():
+                    raise Exception(
+                        ','.join(['{}: {}'.format(filed, ','.join(msg)) for filed, msg in form.errors.items()]))
+                data = form.data
+                data['acl_uid'] = acl_uid
+                data['acl_rid'] = acl_rid
+                data['block'] = block
+                data.pop('password')
+                Employee.create(
+                    **data
+                )
+            except Exception as e:
+                self.log.error(ErrFormat.acl_import_user_failed.format(user['username'], str(e)))
+                self.log.error(e)
+
+    @staticmethod
+    def get_rid_by_uid(uid):
+        from api.models.acl import Role
+        role = Role.get_by(first=True, uid=uid)
+        return role['id'] if role is not None else 0
+
+
+class InitDepartment(object):
+    def __init__(self):
+        self.log = current_app.logger
+
+    def init(self):
+        self.init_wide_company()
+
+    @staticmethod
+    def hard_delete(department_id, department_name):
+        existed_deleted_list = Department.query.filter(
+            Department.department_name == department_name,
+            Department.department_id == department_id,
+            Department.deleted == 1,
+        ).all()
+        for existed in existed_deleted_list:
+            existed.delete()
+
+    @staticmethod
+    def get_department(department_name):
+        return Department.query.filter(
+            Department.department_name == department_name,
+            Department.deleted == 0,
+        ).first()
+
+    def run(self, department_id, department_name, department_parent_id):
+        self.hard_delete(department_id, department_name)
+
+        res = self.get_department(department_name)
+        if res:
+            if res.department_id == department_id:
+                return
+            else:
+                res.update(
+                    department_id=department_id,
+                    department_parent_id=department_parent_id,
+                )
+                return
+
+        Department.create(
+            department_id=department_id,
+            department_name=department_name,
+            department_parent_id=department_parent_id,
+        )
+        new_d = self.get_department(department_name)
+
+        if new_d.department_id != department_id:
+            new_d.update(
+                department_id=department_id,
+                department_parent_id=department_parent_id,
+            )
+        self.log.info(f"init {department_name} success.")
+
+    def run_common(self, department_id, department_name, department_parent_id):
+        try:
+            self.run(department_id, department_name, department_parent_id)
+        except Exception as e:
+            current_app.logger.error(f"init {department_name} err:")
+            current_app.logger.error(e)
+            raise Exception(e)
+
+    def init_wide_company(self):
+        department_id = 0
+        department_name = '全公司'
+        department_parent_id = -1
+
+        self.run_common(department_id, department_name, department_parent_id)
+
+    @staticmethod
+    def create_acl_role_with_department():
+        acl = ACLManager('acl')
+        role_name_map = {role['name']: role for role in acl.get_all_roles()}
+
+        d_list = Department.query.filter(
+            Department.deleted == 0, Department.department_parent_id != -1).all()
+        for department in d_list:
+            if department.acl_rid > 0:
+                continue
+
+            role = role_name_map.get(department.department_name)
+            if not role:
+                payload = {
+                    'app_id': 'acl',
+                    'name': department.department_name,
+                }
+                role = acl.create_role(payload)
+
+            acl_rid = role.get('id') if role else 0
+
+            department.update(
+                acl_rid=acl_rid
+            )
+            info = f"update department acl_rid: {acl_rid}"
+            current_app.logger.info(info)
+
+    def init_backend_resource(self):
+        acl = self.check_app('backend')
+        acl_rid = self.get_admin_user_rid()
+
+        if acl_rid == 0:
+            return
+        GrantEmployeeACLPerm(acl).grant_by_rid(acl_rid, True)
+
+    @staticmethod
+    def check_app(app_name):
+        acl = ACLManager(app_name)
+        payload = dict(
+            name=app_name,
+            description=app_name
+        )
+        app = acl.validate_app()
+        if not app:
+            acl.create_app(payload)
+        return acl
+
+    @staticmethod
+    def get_admin_user_rid():
+        admin = Employee.get_by(first=True, username='admin', to_dict=False)
+        return admin.acl_rid if admin else 0
+
+
+@click.command()
+@with_appcontext
+def init_import_user_from_acl():
+    """
+    Import users from ACL
+    """
+    InitEmployee().import_user_from_acl()
+
+
+@click.command()
+@with_appcontext
+def init_department():
+    """
+    Department initialization
+    """
+    cli = InitDepartment()
+    cli.init_wide_company()
+    cli.create_acl_role_with_department()
+    cli.init_backend_resource()
+
+
+@click.command()
+@with_appcontext
+def common_check_new_columns():
+    """
+    add new columns to tables
+    """
+    CheckNewColumn().run()
+
+
+@click.command()
+@with_appcontext
+def common_sync_file_to_db():
+    from api.lib.common_setting.upload_file import CommonFileCRUD
+    CommonFileCRUD.sync_file_to_db()
+
+
+@click.command()
+@with_appcontext
+@click.option('--value', type=click.INT, default=-1)
+def set_auth_auto_redirect_enable(value):
+    if value < 0:
+        return
+    from api.lib.common_setting.common_data import CommonDataCRUD
+    CommonDataCRUD.set_auth_auto_redirect_enable(value)

cmdb-api/api/commands/common.py

@@ -5,9 +5,7 @@ from glob import glob
 from subprocess import call
 
 import click
-from flask import current_app
 from flask.cli import with_appcontext
-from werkzeug.exceptions import MethodNotAllowed, NotFound
 
 from api.extensions import db
 
@@ -78,75 +76,65 @@ def clean():
     """
     for dirpath, dirnames, filenames in os.walk("."):
         for filename in filenames:
-            if filename.endswith(".pyc") or filename.endswith(".pyo"):
+            if filename.endswith(".pyc") or filename.endswith(".pyo") or filename.endswith(".c"):
                 full_pathname = os.path.join(dirpath, filename)
                 click.echo("Removing {}".format(full_pathname))
                 os.remove(full_pathname)
 
 
-@click.command()
-@click.option("--url", default=None, help="Url to test (ex. /static/image.png)")
-@click.option(
-    "--order", default="rule", help="Property on Rule to order by (default: rule)"
-)
-@with_appcontext
-def urls(url, order):
-    """Display all of the url matching routes for the project.
-
-    Borrowed from Flask-Script, converted to use Click.
-    """
-    rows = []
-    column_headers = ("Rule", "Endpoint", "Arguments")
-
-    if url:
-        try:
-            rule, arguments = current_app.url_map.bind("localhost").match(
-                url, return_rule=True
-            )
-            rows.append((rule.rule, rule.endpoint, arguments))
-            column_length = 3
-        except (NotFound, MethodNotAllowed) as e:
-            rows.append(("<{}>".format(e), None, None))
-            column_length = 1
-    else:
-        rules = sorted(
-            current_app.url_map.iter_rules(), key=lambda x: getattr(x, order)
-        )
-        for rule in rules:
-            rows.append((rule.rule, rule.endpoint, None))
-        column_length = 2
-
-    str_template = ""
-    table_width = 0
-
-    if column_length >= 1:
-        max_rule_length = max(len(r[0]) for r in rows)
-        max_rule_length = max_rule_length if max_rule_length > 4 else 4
-        str_template += "{:" + str(max_rule_length) + "}"
-        table_width += max_rule_length
-
-    if column_length >= 2:
-        max_endpoint_length = max(len(str(r[1])) for r in rows)
-        max_endpoint_length = max_endpoint_length if max_endpoint_length > 8 else 8
-        str_template += "  {:" + str(max_endpoint_length) + "}"
-        table_width += 2 + max_endpoint_length
-
-    if column_length >= 3:
-        max_arguments_length = max(len(str(r[2])) for r in rows)
-        max_arguments_length = max_arguments_length if max_arguments_length > 9 else 9
-        str_template += "  {:" + str(max_arguments_length) + "}"
-        table_width += 2 + max_arguments_length
-
-    click.echo(str_template.format(*column_headers[:column_length]))
-    click.echo("-" * table_width)
-
-    for row in rows:
-        click.echo(str_template.format(*row[:column_length]))
-
-
 @click.command()
 @with_appcontext
 def db_setup():
     """create tables
     """
     db.create_all()
+
+    try:
+        db.session.execute("set global sql_mode='STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,"
+                           "ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION'")
+        db.session.commit()
+    except:
+        pass
+
+    try:
+        db.session.execute("set global tidb_enable_noop_functions='ON'")
+        db.session.commit()
+    except:
+        pass
+
+
+@click.group()
+def translate():
+    """Translation and localization commands."""
+
+
+@translate.command()
+@click.argument('lang')
+def init(lang):
+    """Initialize a new language."""
+
+    if os.system('pybabel extract -F babel.cfg -k _l -o messages.pot .'):
+        raise RuntimeError('extract command failed')
+    if os.system(
+            'pybabel init -i messages.pot -d api/translations -l ' + lang):
+        raise RuntimeError('init command failed')
+    os.remove('messages.pot')
+
+
+@translate.command()
+def update():
+    """Update all languages."""
+
+    if os.system('pybabel extract -F babel.cfg -k _l -o messages.pot .'):
+        raise RuntimeError('extract command failed')
+    if os.system('pybabel update -i messages.pot -d api/translations'):
+        raise RuntimeError('update command failed')
+    os.remove('messages.pot')
+
+
+@translate.command()
+def compile():
+    """Compile all languages."""
+
+    if os.system('pybabel compile -d api/translations'):
+        raise RuntimeError('compile command failed')

cmdb-api/api/extensions.py

@@ -2,6 +2,7 @@
 
 
 from celery import Celery
+from flask_babel import Babel
 from flask_bcrypt import Bcrypt
 from flask_caching import Cache
 from flask_cors import CORS
@@ -9,15 +10,18 @@ from flask_login import LoginManager
 from flask_migrate import Migrate
 from flask_sqlalchemy import SQLAlchemy
 
+from api.lib.secrets.inner import KeyManage
 from api.lib.utils import ESHandler
 from api.lib.utils import RedisHandler
 
 bcrypt = Bcrypt()
+babel = Babel()
 login_manager = LoginManager()
-db = SQLAlchemy()
+db = SQLAlchemy(session_options={"autoflush": False})
 migrate = Migrate()
 cache = Cache()
 celery = Celery()
 cors = CORS(supports_credentials=True)
 rd = RedisHandler()
 es = ESHandler()
+inner_secrets = KeyManage()

cmdb-api/api/lib/cmdb/attribute.py

@@ -1,15 +1,32 @@
-# -*- coding:utf-8 -*- 
+# -*- coding:utf-8 -*-
 
 from flask import abort
 from flask import current_app
+from flask import session
+from flask_login import current_user
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeAttributesCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.const import BUILTIN_KEYWORDS
+from api.lib.cmdb.const import CITypeOperateType
+from api.lib.cmdb.const import CMDB_QUEUE
+from api.lib.cmdb.const import PermEnum
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.const import RoleEnum
 from api.lib.cmdb.const import ValueTypeEnum
+from api.lib.cmdb.history import CITypeHistoryManager
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.cmdb.utils import ValueTypeMap
 from api.lib.decorator import kwargs_required
+from api.lib.perm.acl.acl import is_app_admin
+from api.lib.perm.acl.acl import validate_permission
+from api.lib.webhook import webhook_request
 from api.models.cmdb import Attribute
+from api.models.cmdb import CIType
 from api.models.cmdb import CITypeAttribute
+from api.models.cmdb import CITypeAttributeGroupItem
 from api.models.cmdb import PreferenceShowAttributes
 
 
@@ -17,35 +34,124 @@ class AttributeManager(object):
     """
     CI attributes manager
     """
+    cls = Attribute
 
     def __init__(self):
         pass
 
     @staticmethod
-    def get_choice_values(attr_id, value_type):
-        choice_table = ValueTypeMap.choice.get(value_type)
-        choice_values = choice_table.get_by(fl=["value"], attr_id=attr_id)
-        return [choice_value["value"] for choice_value in choice_values]
+    def _get_choice_values_from_webhook(choice_webhook, payload=None):
+        ret_key = choice_webhook.get('ret_key')
+
+        try:
+            res = webhook_request(choice_webhook, payload or {}).json()
+            if ret_key:
+                ret_key_list = ret_key.strip().split("##")
+                for key in ret_key_list[:-1]:
+                    if key in res:
+                        res = res[key]
+                if isinstance(res, list):
+                    return [[i[ret_key_list[-1]], {}] for i in res if i.get(ret_key_list[-1])]
+
+                return [[i, {}] for i in (res.get(ret_key_list[-1]) or [])]
+
+        except Exception as e:
+            current_app.logger.error("get choice values failed: {}".format(e))
+            return []
 
     @staticmethod
-    def _add_choice_values(_id, value_type, choice_values):
+    def _get_choice_values_from_other(choice_other):
+        from api.lib.cmdb.search import SearchError
+        from api.lib.cmdb.search.ci import search
+
+        if choice_other.get('type_ids'):
+            type_ids = choice_other.get('type_ids')
+            attr_id = choice_other.get('attr_id')
+            other_filter = choice_other.get('filter') or ''
+
+            query = "_type:({}),{}".format(";".join(map(str, type_ids)), other_filter)
+            s = search(query, fl=[str(attr_id)], facet=[str(attr_id)], count=1)
+            try:
+                _, _, _, _, _, facet = s.search()
+                return [[i[0], {}] for i in (list(facet.values()) or [[]])[0]]
+            except SearchError as e:
+                current_app.logger.error("get choice values from other ci failed: {}".format(e))
+                return []
+
+        elif choice_other.get('script'):
+            try:
+                x = compile(choice_other['script'], '', "exec")
+                local_ns = {}
+                exec(x, {}, local_ns)
+                res = local_ns['ChoiceValue']().values() or []
+                return [[i, {}] for i in res]
+            except Exception as e:
+                current_app.logger.error("get choice values from script: {}".format(e))
+                return []
+
+    @classmethod
+    def get_choice_values(cls, attr_id, value_type, choice_web_hook, choice_other,
+                          choice_web_hook_parse=True, choice_other_parse=True):
+        if choice_web_hook:
+            if choice_web_hook_parse and isinstance(choice_web_hook, dict):
+                return cls._get_choice_values_from_webhook(choice_web_hook)
+            else:
+                return []
+        elif choice_other:
+            if choice_other_parse and isinstance(choice_other, dict):
+                return cls._get_choice_values_from_other(choice_other)
+            else:
+                return []
+
+        choice_table = ValueTypeMap.choice.get(value_type)
+        if not choice_table:
+            return []
+        choice_values = choice_table.get_by(fl=["value", "option"], attr_id=attr_id)
+
+        return [[ValueTypeMap.serialize[value_type](choice_value['value']), choice_value['option'] or
+                 {"label": ValueTypeMap.serialize[value_type](choice_value['value'])}]
+                for choice_value in choice_values]
+
+    @staticmethod
+    def add_choice_values(_id, value_type, choice_values):
+        choice_table = ValueTypeMap.choice.get(value_type)
+        if choice_table is None:
+            return
+
+        choice_table.get_by(attr_id=_id, only_query=True).delete()
+
+        for v, option in choice_values:
+            choice_table.create(attr_id=_id, value=v, option=option, commit=False)
+
+        try:
+            db.session.flush()
+        except Exception as e:
+            current_app.logger.warning("add choice values failed: {}".format(e))
+            return abort(400, ErrFormat.invalid_choice_values)
+
+    @staticmethod
+    def _del_choice_values(_id, value_type):
         choice_table = ValueTypeMap.choice.get(value_type)
 
-        db.session.query(choice_table).filter(choice_table.attr_id == _id).delete()
-        db.session.flush()
-        choice_values = choice_values
-        for v in choice_values:
-            table = choice_table(attr_id=_id, value=v)
-            db.session.add(table)
+        choice_table and choice_table.get_by(attr_id=_id, only_query=True).delete()
         db.session.flush()
 
+    @classmethod
+    def get_enum_map(cls, _attr_id, _attr=None):
+        attr = AttributeCache.get(_attr_id) if _attr_id else _attr
+        if attr and attr.is_choice:
+            choice_values = cls.get_choice_values(attr.id, attr.value_type, None, None)
+            return {i[0]: i[1]['label'] for i in choice_values if i[1] and i[1].get('label')}
+
+        return {}
+
     @classmethod
     def search_attributes(cls, name=None, alias=None, page=1, page_size=None):
         """
-        :param name: 
-        :param alias: 
-        :param page: 
-        :param page_size: 
+        :param name:
+        :param alias:
+        :param page:
+        :param page_size:
         :return: attribute, if name is None, then return all attributes
         """
         if name is not None:
@@ -59,62 +165,127 @@ class AttributeManager(object):
         attrs = attrs[(page - 1) * page_size:][:page_size]
         res = list()
         for attr in attrs:
-            attr["is_choice"] and attr.update(dict(choice_value=cls.get_choice_values(attr["id"], attr["value_type"])))
+            attr["is_choice"] and attr.update(
+                dict(choice_value=cls.get_choice_values(attr["id"], attr["value_type"],
+                                                        attr["choice_web_hook"], attr.get("choice_other"))))
+            attr['is_choice'] and attr.pop('choice_web_hook', None)
+
             res.append(attr)
 
         return numfound, res
 
     def get_attribute_by_name(self, name):
         attr = Attribute.get_by(name=name, first=True)
-        if attr and attr["is_choice"]:
-            attr.update(dict(choice_value=self.get_choice_values(attr["id"], attr["value_type"])))
+        if attr.get("is_choice"):
+            attr["choice_value"] = self.get_choice_values(attr["id"],
+                                                          attr["value_type"],
+                                                          attr["choice_web_hook"],
+                                                          attr.get("choice_other"))
+
         return attr
 
     def get_attribute_by_alias(self, alias):
         attr = Attribute.get_by(alias=alias, first=True)
-        if attr and attr["is_choice"]:
-            attr.update(dict(choice_value=self.get_choice_values(attr["id"], attr["value_type"])))
+        if attr.get("is_choice"):
+            attr["choice_value"] = self.get_choice_values(attr["id"],
+                                                          attr["value_type"],
+                                                          attr["choice_web_hook"],
+                                                          attr.get("choice_other"))
+
         return attr
 
     def get_attribute_by_id(self, _id):
         attr = Attribute.get_by_id(_id).to_dict()
-        if attr and attr["is_choice"]:
-            attr.update(dict(choice_value=self.get_choice_values(attr["id"], attr["value_type"])))
+        if attr.get("is_choice"):
+            attr["choice_value"] = self.get_choice_values(attr["id"],
+                                                          attr["value_type"],
+                                                          attr["choice_web_hook"],
+                                                          attr.get("choice_other"))
+
         return attr
 
-    def get_attribute(self, key):
-        attr = AttributeCache.get(key).to_dict()
-        if attr and attr["is_choice"]:
-            attr.update(dict(choice_value=self.get_choice_values(attr["id"], attr["value_type"])))
+    def get_attribute(self, key, choice_web_hook_parse=True, choice_other_parse=True):
+        attr = AttributeCache.get(key) or dict()
+        attr = attr and attr.to_dict()
+        if attr.get("is_choice"):
+            attr["choice_value"] = self.get_choice_values(
+                attr["id"],
+                attr["value_type"],
+                attr["choice_web_hook"],
+                attr.get("choice_other"),
+                choice_web_hook_parse=choice_web_hook_parse,
+                choice_other_parse=choice_other_parse,
+            )
+
         return attr
 
+    @staticmethod
+    def can_create_computed_attribute():
+        if RoleEnum.CONFIG not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin('cmdb'):
+            return abort(403, ErrFormat.role_required.format(RoleEnum.CONFIG))
+
+    @classmethod
+    def calc_computed_attribute(cls, attr_id):
+        """
+        calculate computed attribute for all ci
+        :param attr_id:
+        :return:
+        """
+        cls.can_create_computed_attribute()
+
+        from api.tasks.cmdb import calc_computed_attribute
+
+        calc_computed_attribute.apply_async(args=(attr_id, current_user.uid), queue=CMDB_QUEUE)
+
     @classmethod
     @kwargs_required("name")
     def add(cls, **kwargs):
         choice_value = kwargs.pop("choice_value", [])
         kwargs.pop("is_choice", None)
-        is_choice = True if choice_value else False
+        is_choice = True if choice_value or kwargs.get('choice_web_hook') or kwargs.get('choice_other') else False
+
         name = kwargs.pop("name")
+        if name in BUILTIN_KEYWORDS or kwargs.get('alias') in BUILTIN_KEYWORDS:
+            return abort(400, ErrFormat.attribute_name_cannot_be_builtin)
+
+        while kwargs.get('choice_other'):
+            if isinstance(kwargs['choice_other'], dict):
+                if kwargs['choice_other'].get('script'):
+                    break
+
+                if kwargs['choice_other'].get('type_ids') and kwargs['choice_other'].get('attr_id'):
+                    break
+
+            return abort(400, ErrFormat.attribute_choice_other_invalid)
+
         alias = kwargs.pop("alias", "")
         alias = name if not alias else alias
-        Attribute.get_by(name=name, first=True) and abort(400, "attribute name <{0}> is duplicated".format(name))
-        Attribute.get_by(alias=alias, first=True) and abort(400, "attribute alias <{0}> is duplicated".format(name))
+        Attribute.get_by(name=name, first=True) and abort(400, ErrFormat.attribute_name_duplicate.format(name))
+
+        if kwargs.get('default') and not (isinstance(kwargs['default'], dict) and 'default' in kwargs['default']):
+            kwargs['default'] = dict(default=kwargs['default'])
+
+        kwargs.get('is_computed') and cls.can_create_computed_attribute()
+
+        kwargs.get('choice_other') and kwargs['choice_other'].get('script') and cls.can_create_computed_attribute()
 
         attr = Attribute.create(flush=True,
                                 name=name,
                                 alias=alias,
                                 is_choice=is_choice,
+                                uid=current_user.uid,
                                 **kwargs)
 
         if choice_value:
-            cls._add_choice_values(attr.id, attr.value_type, choice_value)
+            cls.add_choice_values(attr.id, attr.value_type, choice_value)
 
         try:
             db.session.commit()
         except Exception as e:
             db.session.rollback()
             current_app.logger.error("add attribute error, {0}".format(str(e)))
-            return abort(400, "add attribute <{0}> failed".format(name))
+
+            return abort(400, ErrFormat.add_attribute_failed.format(name))
 
         AttributeCache.clean(attr)
 
@@ -136,55 +307,158 @@ class AttributeManager(object):
 
         return attr.id
 
+    @staticmethod
+    def _clean_ci_type_attributes_cache(attr_id):
+        for i in CITypeAttribute.get_by(attr_id=attr_id, to_dict=False):
+            CITypeAttributesCache.clean(i.type_id)
+
+    @staticmethod
+    def _change_index(attr, old, new):
+        from api.lib.cmdb.utils import TableMap
+        from api.tasks.cmdb import batch_ci_cache
+        from api.lib.cmdb.const import CMDB_QUEUE
+
+        old_table = TableMap(attr=attr, is_index=old).table
+        new_table = TableMap(attr=attr, is_index=new).table
+
+        ci_ids = []
+        for i in old_table.get_by(attr_id=attr.id, to_dict=False):
+            new_table.create(ci_id=i.ci_id, attr_id=attr.id, value=i.value, flush=True)
+            ci_ids.append(i.ci_id)
+
+        old_table.get_by(attr_id=attr.id, only_query=True).delete()
+
+        try:
+            db.session.commit()
+        except Exception as e:
+            db.session.rollback()
+            current_app.logger.error(str(e))
+            return abort(400, ErrFormat.attribute_index_change_failed)
+
+        batch_ci_cache.apply_async(args=(ci_ids,), queue=CMDB_QUEUE)
+
+    @staticmethod
+    def _can_edit_attribute(attr):
+        from api.lib.cmdb.ci_type import CITypeManager
+
+        if attr.uid == current_user.uid:
+            return True
+
+        for i in CITypeAttribute.get_by(attr_id=attr.id, to_dict=False):
+            resource = CITypeManager.get_name_by_id(i.type_id)
+            if resource:
+                validate_permission(resource, ResourceTypeEnum.CI, PermEnum.CONFIG, "cmdb")
+
+        return True
+
     def update(self, _id, **kwargs):
-        attr = Attribute.get_by_id(_id) or abort(404, "Attribute <{0}> does not exist".format(_id))
+        attr = Attribute.get_by_id(_id) or abort(404, ErrFormat.attribute_not_found.format("id={}".format(_id)))
 
         if kwargs.get("name"):
             other = Attribute.get_by(name=kwargs['name'], first=True, to_dict=False)
             if other and other.id != attr.id:
-                return abort(400, "Attribute name <{0}> cannot be duplicate!".format(kwargs['name']))
-        if kwargs.get("alias"):
-            other = Attribute.get_by(alias=kwargs['alias'], first=True, to_dict=False)
-            if other and other.id != attr.id:
-                return abort(400, "Attribute alias <{0}> cannot be duplicate!".format(kwargs['alias']))
+                return abort(400, ErrFormat.attribute_name_duplicate.format(kwargs['name']))
+
+        if attr.value_type != kwargs.get('value_type'):
+            return abort(400, ErrFormat.attribute_value_type_cannot_change)
+
+        if "is_list" in kwargs and kwargs['is_list'] != attr.is_list:
+            return abort(400, ErrFormat.attribute_list_value_cannot_change)
+
+        if "is_index" in kwargs and kwargs['is_index'] != attr.is_index:
+            if not is_app_admin("cmdb"):
+                return abort(400, ErrFormat.attribute_index_cannot_change)
+
+            self._change_index(attr, attr.is_index, kwargs['is_index'])
+
+        while kwargs.get('choice_other'):
+            if isinstance(kwargs['choice_other'], dict):
+                if kwargs['choice_other'].get('script'):
+                    break
+
+                if kwargs['choice_other'].get('type_ids') and kwargs['choice_other'].get('attr_id'):
+                    break
+
+            return abort(400, ErrFormat.attribute_choice_other_invalid)
+
+        existed2 = attr.to_dict()
+        if not existed2['choice_web_hook'] and not existed2.get('choice_other') and existed2['is_choice']:
+            existed2['choice_value'] = self.get_choice_values(attr.id, attr.value_type, None, None)
 
         choice_value = kwargs.pop("choice_value", False)
-        is_choice = True if choice_value else False
+        is_choice = True if choice_value or kwargs.get('choice_web_hook') or kwargs.get('choice_other') else False
+        kwargs['is_choice'] = is_choice
 
-        attr.update(flush=True, **kwargs)
+        if kwargs.get('default') and not (isinstance(kwargs['default'], dict) and 'default' in kwargs['default']):
+            kwargs['default'] = dict(default=kwargs['default'])
 
-        if is_choice:
-            self._add_choice_values(attr.id, attr.value_type, choice_value)
+        kwargs.get('is_computed') and self.can_create_computed_attribute()
+
+        is_changed = False
+        for k in kwargs:
+            if kwargs[k] != getattr(attr, k, None):
+                is_changed = True
+
+        if is_changed and not self._can_edit_attribute(attr):
+            return abort(403, ErrFormat.cannot_edit_attribute)
+
+        attr.update(flush=True, filter_none=False, **kwargs)
+
+        if is_choice and choice_value:
+            self.add_choice_values(attr.id, attr.value_type, choice_value)
+        elif existed2['is_choice']:
+            self._del_choice_values(attr.id, attr.value_type)
 
         try:
             db.session.commit()
         except Exception as e:
             db.session.rollback()
             current_app.logger.error("update attribute error, {0}".format(str(e)))
-            return abort(400, "update attribute <{0}> failed".format(_id))
+
+            return abort(400, ErrFormat.update_attribute_failed.format(("id={}".format(_id))))
+
+        new = attr.to_dict()
+        if not new['choice_web_hook'] and new['is_choice']:
+            new['choice_value'] = choice_value
+        CITypeHistoryManager.add(CITypeOperateType.UPDATE_ATTRIBUTE, None, attr_id=attr.id,
+                                 change=dict(old=existed2, new=new))
 
         AttributeCache.clean(attr)
 
+        self._clean_ci_type_attributes_cache(_id)
+
         return attr.id
 
     @staticmethod
     def delete(_id):
-        attr = Attribute.get_by_id(_id) or abort(404, "Attribute <{0}> does not exist".format(_id))
+        attr = Attribute.get_by_id(_id) or abort(404, ErrFormat.attribute_not_found.format("id={}".format(_id)))
         name = attr.name
 
+        if CIType.get_by(unique_id=attr.id, first=True, to_dict=False) is not None:
+            return abort(400, ErrFormat.attribute_is_unique_id)
+
+        ref = CITypeAttribute.get_by(attr_id=_id, to_dict=False, first=True)
+        if ref is not None:
+            ci_type = CITypeCache.get(ref.type_id)
+            return abort(400, ErrFormat.attribute_is_ref_by_type.format(ci_type and ci_type.alias or ref.type_id))
+
+        if attr.uid != current_user.uid and not is_app_admin('cmdb'):
+            return abort(403, ErrFormat.cannot_delete_attribute)
+
         if attr.is_choice:
             choice_table = ValueTypeMap.choice.get(attr.value_type)
-            db.session.query(choice_table).filter(choice_table.attr_id == _id).delete()  # FIXME: session conflict
-            db.session.flush()
-
-        AttributeCache.clean(attr)
+            choice_table.get_by(attr_id=_id, only_query=True).delete()
 
         attr.soft_delete()
 
-        for i in CITypeAttribute.get_by(attr_id=_id, to_dict=False):
-            i.soft_delete()
+        AttributeCache.clean(attr)
 
         for i in PreferenceShowAttributes.get_by(attr_id=_id, to_dict=False):
-            i.soft_delete()
+            i.soft_delete(commit=False)
+
+        for i in CITypeAttributeGroupItem.get_by(attr_id=_id, to_dict=False):
+            i.soft_delete(commit=False)
+
+        db.session.commit()
 
         return name

cmdb-api/api/lib/cmdb/auto_discovery/__init__.py

@@ -0,0 +1 @@
+# -*- coding:utf-8 -*-

cmdb-api/api/lib/cmdb/auto_discovery/auto_discovery.py

@@ -0,0 +1,996 @@
+# -*- coding:utf-8 -*-
+import copy
+import datetime
+import json
+import jsonpath
+import os
+from flask import abort
+from flask import current_app
+from flask_login import current_user
+from sqlalchemy import func
+
+from api.extensions import db
+from api.lib.cmdb.auto_discovery.const import CLOUD_MAP
+from api.lib.cmdb.auto_discovery.const import DEFAULT_INNER
+from api.lib.cmdb.auto_discovery.const import PRIVILEGED_USERS
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import AutoDiscoveryMappingCache
+from api.lib.cmdb.cache import CITypeAttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.ci_type import CITypeGroupManager
+from api.lib.cmdb.const import AutoDiscoveryType
+from api.lib.cmdb.const import CMDB_QUEUE
+from api.lib.cmdb.const import PermEnum
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.custom_dashboard import SystemConfigManager
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search import SearchError
+from api.lib.cmdb.search.ci import search as ci_search
+from api.lib.common_setting.role_perm_base import CMDBApp
+from api.lib.mixin import DBMixin
+from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import is_app_admin
+from api.lib.perm.acl.acl import validate_permission
+from api.lib.utils import AESCrypto
+from api.models.cmdb import AutoDiscoveryAccount
+from api.models.cmdb import AutoDiscoveryCI
+from api.models.cmdb import AutoDiscoveryCIType
+from api.models.cmdb import AutoDiscoveryCITypeRelation
+from api.models.cmdb import AutoDiscoveryCounter
+from api.models.cmdb import AutoDiscoveryExecHistory
+from api.models.cmdb import AutoDiscoveryRule
+from api.models.cmdb import AutoDiscoveryRuleSyncHistory
+from api.tasks.cmdb import build_relations_for_ad_accept
+from api.tasks.cmdb import write_ad_rule_sync_history
+
+PWD = os.path.abspath(os.path.dirname(__file__))
+app_cli = CMDBApp()
+
+
+def parse_plugin_script(script):
+    attributes = []
+    try:
+        x = compile(script, '', "exec")
+        local_ns = {}
+        exec(x, {}, local_ns)
+        unique_key = local_ns['AutoDiscovery']().unique_key
+        attrs = local_ns['AutoDiscovery']().attributes() or []
+    except Exception as e:
+        return abort(400, str(e))
+
+    if not isinstance(attrs, list):
+        return abort(400, ErrFormat.adr_plugin_attributes_list_required)
+
+    for i in attrs:
+        if len(i) == 3:
+            name, _type, desc = i
+        elif len(i) == 2:
+            name, _type = i
+            desc = ""
+        else:
+            continue
+        attributes.append(dict(name=name, type=_type, desc=desc))
+
+    return unique_key, attributes
+
+
+def check_plugin_script(**kwargs):
+    kwargs['unique_key'], kwargs['attributes'] = parse_plugin_script(kwargs['plugin_script'])
+
+    if not kwargs.get('unique_key'):
+        return abort(400, ErrFormat.adr_unique_key_required)
+
+    if not kwargs.get('attributes'):
+        return abort(400, ErrFormat.adr_plugin_attributes_list_no_empty)
+
+    return kwargs
+
+
+class AutoDiscoveryRuleCRUD(DBMixin):
+    cls = AutoDiscoveryRule
+
+    @classmethod
+    def get_by_name(cls, name):
+        return cls.cls.get_by(name=name, first=True, to_dict=False)
+
+    @classmethod
+    def get_by_id(cls, _id):
+        return cls.cls.get_by_id(_id)
+
+    def get_by_inner(self):
+        return self.cls.get_by(is_inner=True, to_dict=True)
+
+    def import_template(self, rules):
+        for rule in rules:
+            rule.pop("id", None)
+            rule.pop("created_at", None)
+            rule.pop("updated_at", None)
+
+            existed = self.cls.get_by(name=rule['name'], first=True, to_dict=False)
+            if existed is not None:
+                existed.update(**rule)
+            else:
+                self.cls.create(**rule)
+
+    def _can_add(self, valid=True, **kwargs):
+        self.cls.get_by(name=kwargs['name']) and abort(400, ErrFormat.adr_duplicate.format(kwargs['name']))
+        if kwargs.get('is_plugin') and kwargs.get('plugin_script') and valid:
+            kwargs = check_plugin_script(**kwargs)
+            acl = ACLManager(app_cli.app_name)
+            has_perm = True
+            try:
+                if not acl.has_permission(app_cli.op.Auto_Discovery,
+                                          app_cli.resource_type_name,
+                                          app_cli.op.create_plugin) and not is_app_admin(app_cli.app_name):
+                    has_perm = False
+            except Exception:
+                if not is_app_admin(app_cli.app_name):
+                    return abort(403, ErrFormat.role_required.format(app_cli.admin_name))
+
+            if not has_perm:
+                return abort(403, ErrFormat.no_permission.format(
+                    app_cli.op.Auto_Discovery, app_cli.op.create_plugin))
+
+        kwargs['owner'] = current_user.uid
+
+        return kwargs
+
+    def _can_update(self, valid=True, **kwargs):
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(
+            404, ErrFormat.adr_not_found.format("id={}".format(kwargs['_id'])))
+
+        if 'name' in kwargs and not kwargs['name']:
+            return abort(400, ErrFormat.argument_value_required.format('name'))
+
+        if kwargs.get('name'):
+            other = self.cls.get_by(name=kwargs['name'], first=True, to_dict=False)
+            if other and other.id != existed.id:
+                return abort(400, ErrFormat.adr_duplicate.format(kwargs['name']))
+
+        if existed.is_plugin and valid:
+            acl = ACLManager(app_cli.app_name)
+            has_perm = True
+            try:
+                if not acl.has_permission(app_cli.op.Auto_Discovery,
+                                          app_cli.resource_type_name,
+                                          app_cli.op.update_plugin) and not is_app_admin(app_cli.app_name):
+                    has_perm = False
+            except Exception:
+                if not is_app_admin(app_cli.app_name):
+                    return abort(403, ErrFormat.role_required.format(app_cli.admin_name))
+
+            if not has_perm:
+                return abort(403, ErrFormat.no_permission.format(
+                    app_cli.op.Auto_Discovery, app_cli.op.update_plugin))
+
+        return existed
+
+    def update(self, _id, **kwargs):
+
+        if kwargs.get('is_plugin') and kwargs.get('plugin_script'):
+            kwargs = check_plugin_script(**kwargs)
+
+            for item in AutoDiscoveryCIType.get_by(adr_id=_id, to_dict=False):
+                item.update(updated_at=datetime.datetime.now())
+
+        return super(AutoDiscoveryRuleCRUD, self).update(_id, filter_none=False, **kwargs)
+
+    def _can_delete(self, **kwargs):
+        if AutoDiscoveryCIType.get_by(adr_id=kwargs['_id'], first=True):
+            return abort(400, ErrFormat.adr_referenced)
+
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(
+            404, ErrFormat.adr_not_found.format("id={}".format(kwargs['_id'])))
+
+        if existed.is_plugin:
+            acl = ACLManager(app_cli.app_name)
+            has_perm = True
+            try:
+                if not acl.has_permission(app_cli.op.Auto_Discovery,
+                                          app_cli.resource_type_name,
+                                          app_cli.op.delete_plugin) and not is_app_admin(app_cli.app_name):
+                    has_perm = False
+            except Exception:
+                if not is_app_admin(app_cli.app_name):
+                    return abort(403, ErrFormat.role_required.format(app_cli.admin_name))
+
+            if not has_perm:
+                return abort(403, ErrFormat.no_permission.format(
+                    app_cli.op.Auto_Discovery, app_cli.op.delete_plugin))
+
+        return existed
+
+
+class AutoDiscoveryCITypeCRUD(DBMixin):
+    cls = AutoDiscoveryCIType
+
+    @classmethod
+    def get_all(cls, type_ids=None):
+        res = cls.cls.get_by(to_dict=False)
+        return [i for i in res if type_ids is None or i.type_id in type_ids]
+
+    @classmethod
+    def get_by_id(cls, _id):
+        return cls.cls.get_by_id(_id)
+
+    @classmethod
+    def get_by_type_id(cls, type_id):
+        return cls.cls.get_by(type_id=type_id, to_dict=False)
+
+    @classmethod
+    def get_ad_attributes(cls, type_id):
+        result = []
+        adts = cls.get_by_type_id(type_id)
+        for adt in adts:
+            adr = AutoDiscoveryRuleCRUD.get_by_id(adt.adr_id)
+            if not adr:
+                continue
+            if adr.type == AutoDiscoveryType.HTTP:
+                for i in DEFAULT_INNER:
+                    if adr.name == i['name']:
+                        attrs = AutoDiscoveryHTTPManager.get_attributes(
+                            i['en'], (adt.extra_option or {}).get('category')) or []
+                        result.extend([i.get('name') for i in attrs])
+                        break
+            elif adr.type == AutoDiscoveryType.SNMP:
+                attributes = AutoDiscoverySNMPManager.get_attributes()
+                result.extend([i.get('name') for i in (attributes or [])])
+            else:
+                result.extend([i.get('name') for i in (adr.attributes or [])])
+
+        return sorted(list(set(result)))
+
+    @classmethod
+    def get(cls, ci_id, oneagent_id, oneagent_name, last_update_at=None):
+        """
+        OneAgent sync rules
+        :param ci_id:
+        :param oneagent_id:
+        :param oneagent_name:
+        :param last_update_at:
+        :return:
+        """
+        result = []
+        rules = cls.cls.get_by(to_dict=True)
+
+        for rule in rules:
+            if not rule['enabled']:
+                continue
+
+            if isinstance(rule.get("extra_option"), dict):
+                decrypt_account(rule['extra_option'], rule['uid'])
+
+                if rule['extra_option'].get('_reference'):
+                    rule['extra_option'].pop('password', None)
+                    rule['extra_option'].pop('secret', None)
+                    rule['extra_option'].update(
+                        AutoDiscoveryAccountCRUD().get_config_by_id(rule['extra_option']['_reference']))
+
+            if oneagent_id and rule['agent_id'] == oneagent_id:
+                result.append(rule)
+            elif rule['query_expr']:
+                query = rule['query_expr'].lstrip('q').lstrip('=')
+                s = ci_search(query, fl=['_id'], count=1000000)
+                try:
+                    response, _, _, _, _, _ = s.search()
+                except SearchError as e:
+                    return abort(400, str(e))
+
+                for i in (response or []):
+                    if i.get('_id') == ci_id:
+                        result.append(rule)
+                        break
+            elif not rule['agent_id'] and not rule['query_expr'] and rule['adr_id']:
+                try:
+                    if not int(oneagent_id, 16):  # excludes master
+                        continue
+                except Exception:
+                    pass
+
+                adr = AutoDiscoveryRuleCRUD.get_by_id(rule['adr_id'])
+                if not adr:
+                    continue
+                if adr.type in (AutoDiscoveryType.SNMP, AutoDiscoveryType.HTTP):
+                    continue
+
+                result.append(rule)
+
+        ad_rules_updated_at = (SystemConfigManager.get('ad_rules_updated_at') or {}).get('option', {}).get('v') or ""
+        new_last_update_at = ""
+        for i in result:
+            i['adr'] = AutoDiscoveryRule.get_by_id(i['adr_id']).to_dict()
+            i['adr'].pop("attributes", None)
+            __last_update_at = max([i['updated_at'] or "", i['created_at'] or "",
+                                    i['adr']['created_at'] or "", i['adr']['updated_at'] or "", ad_rules_updated_at])
+            if new_last_update_at < __last_update_at:
+                new_last_update_at = __last_update_at
+
+        write_ad_rule_sync_history.apply_async(args=(result, oneagent_id, oneagent_name, datetime.datetime.now()),
+                                               queue=CMDB_QUEUE)
+        if not last_update_at or new_last_update_at > last_update_at:
+            return result, new_last_update_at
+        else:
+            return [], new_last_update_at
+
+    @staticmethod
+    def __valid_exec_target(agent_id, query_expr):
+        _is_app_admin = is_app_admin("cmdb")
+        if not agent_id and not query_expr and not _is_app_admin:
+            return abort(403, ErrFormat.adt_target_all_no_permission)
+
+        if _is_app_admin:
+            return
+
+        if agent_id and isinstance(agent_id, str) and agent_id.startswith("0x"):
+            agent_id = agent_id.strip()
+            q = "op_duty:{0},-rd_duty:{0},oneagent_id:{1}"
+
+            s = ci_search(q.format(current_user.username, agent_id.strip()))
+            try:
+                response, _, _, _, _, _ = s.search()
+                if response:
+                    return
+            except SearchError as e:
+                current_app.logger.warning(e)
+                return abort(400, str(e))
+
+            s = ci_search(q.format(current_user.nickname, agent_id.strip()))
+            try:
+                response, _, _, _, _, _ = s.search()
+                if response:
+                    return
+            except SearchError as e:
+                current_app.logger.warning(e)
+                return abort(400, str(e))
+
+        if query_expr.strip():
+            query_expr = query_expr.strip()
+            if query_expr.startswith('q='):
+                query_expr = query_expr[2:]
+
+            s = ci_search(query_expr, count=1000000)
+            try:
+                response, _, _, _, _, _ = s.search()
+                for i in response:
+                    if (current_user.username not in (i.get('rd_duty') or []) and
+                            current_user.username not in (i.get('op_duty') or []) and
+                            current_user.nickname not in (i.get('rd_duty') or []) and
+                            current_user.nickname not in (i.get('op_duty') or [])):
+                        return abort(403, ErrFormat.adt_target_expr_no_permission.format(
+                            i.get("{}_name".format(i.get('ci_type')))))
+            except SearchError as e:
+                current_app.logger.warning(e)
+                return abort(400, str(e))
+
+    @staticmethod
+    def _can_add(**kwargs):
+
+        if kwargs.get('adr_id'):
+            adr = AutoDiscoveryRule.get_by_id(kwargs['adr_id']) or abort(
+                404, ErrFormat.adr_not_found.format("id={}".format(kwargs['adr_id'])))
+            if adr.type == AutoDiscoveryType.HTTP:
+                kwargs.setdefault('extra_option', dict())
+                en_name = None
+                for i in DEFAULT_INNER:
+                    if i['name'] == adr.name:
+                        en_name = i['en']
+                        break
+                if en_name and kwargs['extra_option'].get('category'):
+                    for item in CLOUD_MAP[en_name]:
+                        if item["collect_key_map"].get(kwargs['extra_option']['category']):
+                            kwargs["extra_option"]["collect_key"] = item["collect_key_map"][
+                                kwargs['extra_option']['category']]
+                            kwargs["extra_option"]["provider"] = en_name
+                            break
+
+            if adr.type == AutoDiscoveryType.COMPONENTS and kwargs.get('extra_option'):
+                for i in DEFAULT_INNER:
+                    if i['name'] == adr.name:
+                        kwargs['extra_option']['collect_key'] = i['option'].get('collect_key')
+                        break
+
+        if kwargs.get('is_plugin') and kwargs.get('plugin_script'):
+            kwargs = check_plugin_script(**kwargs)
+
+        encrypt_account(kwargs.get('extra_option'))
+
+        ci_type = CITypeCache.get(kwargs['type_id'])
+        unique = AttributeCache.get(ci_type.unique_id)
+        if unique and unique.name not in (kwargs.get('attributes') or {}).values():
+            current_app.logger.warning((unique.name, kwargs.get('attributes'), ci_type.alias))
+            return abort(400, ErrFormat.ad_not_unique_key.format(unique.name))
+
+        kwargs['uid'] = current_user.uid
+
+        return kwargs
+
+    def _can_update(self, **kwargs):
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(
+            404, ErrFormat.ad_not_found.format("id={}".format(kwargs['_id'])))
+
+        adr = AutoDiscoveryRule.get_by_id(existed.adr_id) or abort(
+            404, ErrFormat.adr_not_found.format("id={}".format(existed.adr_id)))
+        if adr.type == AutoDiscoveryType.HTTP:
+            kwargs.setdefault('extra_option', dict())
+            en_name = None
+            for i in DEFAULT_INNER:
+                if i['name'] == adr.name:
+                    en_name = i['en']
+                    break
+            if en_name and kwargs['extra_option'].get('category'):
+                for item in CLOUD_MAP[en_name]:
+                    if item["collect_key_map"].get(kwargs['extra_option']['category']):
+                        kwargs["extra_option"]["collect_key"] = item["collect_key_map"][
+                            kwargs['extra_option']['category']]
+                        kwargs["extra_option"]["provider"] = en_name
+                        break
+
+        if adr.type == AutoDiscoveryType.COMPONENTS and kwargs.get('extra_option'):
+            for i in DEFAULT_INNER:
+                if i['name'] == adr.name:
+                    kwargs['extra_option']['collect_key'] = i['option'].get('collect_key')
+                    break
+
+        if 'attributes' in kwargs:
+            self.__valid_exec_target(kwargs.get('agent_id'), kwargs.get('query_expr'))
+
+            ci_type = CITypeCache.get(existed.type_id)
+            unique = AttributeCache.get(ci_type.unique_id)
+            if unique and unique.name not in (kwargs.get('attributes') or {}).values():
+                current_app.logger.warning((unique.name, kwargs.get('attributes'), ci_type.alias))
+                return abort(400, ErrFormat.ad_not_unique_key.format(unique.name))
+
+        if isinstance(kwargs.get('extra_option'), dict) and kwargs['extra_option'].get('secret'):
+            if current_user.uid != existed.uid:
+                return abort(403, ErrFormat.adt_secret_no_permission)
+        if isinstance(kwargs.get('extra_option'), dict) and kwargs['extra_option'].get('password'):
+            if current_user.uid != existed.uid:
+                return abort(403, ErrFormat.adt_secret_no_permission)
+
+        return existed
+
+    def update(self, _id, **kwargs):
+
+        if kwargs.get('is_plugin') and kwargs.get('plugin_script'):
+            kwargs = check_plugin_script(**kwargs)
+
+        encrypt_account(kwargs.get('extra_option'))
+
+        inst = self._can_update(_id=_id, **kwargs)
+        if len(kwargs) == 1 and 'enabled' in kwargs:  # enable or disable
+            pass
+        elif inst.agent_id != kwargs.get('agent_id') or inst.query_expr != kwargs.get('query_expr'):
+            for item in AutoDiscoveryRuleSyncHistory.get_by(adt_id=inst.id, to_dict=False):
+                item.delete(commit=False)
+            db.session.commit()
+
+            SystemConfigManager.create_or_update("ad_rules_updated_at",
+                                                 dict(v=datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")))
+
+        obj = inst.update(_id=_id, filter_none=False, **kwargs)
+
+        return obj
+
+    def _can_delete(self, **kwargs):
+        if AutoDiscoveryCICRUD.get_by_adt_id(kwargs['_id']):
+            return abort(400, ErrFormat.cannot_delete_adt)
+
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(
+            404, ErrFormat.ad_not_found.format("id={}".format(kwargs['_id'])))
+
+        return existed
+
+    def delete(self, _id):
+        inst = self._can_delete(_id=_id)
+
+        inst.soft_delete()
+
+        for item in AutoDiscoveryRuleSyncHistory.get_by(adt_id=inst.id, to_dict=False):
+            item.delete(commit=False)
+        db.session.commit()
+
+        attributes = self.get_ad_attributes(inst.type_id)
+        for item in AutoDiscoveryCITypeRelationCRUD.get_by_type_id(inst.type_id):
+            if item.ad_key not in attributes:
+                item.soft_delete()
+
+        return inst
+
+
+class AutoDiscoveryCITypeRelationCRUD(DBMixin):
+    cls = AutoDiscoveryCITypeRelation
+
+    @classmethod
+    def get_all(cls, type_ids=None):
+        res = cls.cls.get_by(to_dict=False)
+        return [i for i in res if type_ids is None or i.ad_type_id in type_ids]
+
+    @classmethod
+    def get_by_type_id(cls, type_id, to_dict=False):
+        return cls.cls.get_by(ad_type_id=type_id, to_dict=to_dict)
+
+    def upsert(self, ad_type_id, relations):
+        existed = self.cls.get_by(ad_type_id=ad_type_id, to_dict=False)
+        existed = {(i.ad_key, i.peer_type_id, i.peer_attr_id): i for i in existed}
+
+        new = []
+        for r in relations:
+            k = (r.get('ad_key'), r.get('peer_type_id'), r.get('peer_attr_id'))
+            if len(list(filter(lambda x: x, k))) == 3 and k not in existed:
+                self.cls.create(ad_type_id=ad_type_id, **r)
+
+            new.append(k)
+
+        for deleted in set(existed.keys()) - set(new):
+            existed[deleted].soft_delete()
+
+        return self.get_by_type_id(ad_type_id, to_dict=True)
+
+    def _can_add(self, **kwargs):
+        pass
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+
+class AutoDiscoveryCICRUD(DBMixin):
+    cls = AutoDiscoveryCI
+
+    @classmethod
+    def get_by_adt_id(cls, adt_id):
+        return cls.cls.get_by(adt_id=adt_id, to_dict=False)
+
+    @classmethod
+    def get_type_name(cls, adc_id):
+        adc = cls.cls.get_by_id(adc_id) or abort(404, ErrFormat.adc_not_found)
+
+        ci_type = CITypeCache.get(adc.type_id)
+
+        return ci_type and ci_type.name
+
+    @staticmethod
+    def get_ci_types(need_other):
+        result = CITypeGroupManager.get(need_other, False)
+        adt = {i.type_id for i in AutoDiscoveryCITypeCRUD.get_all()}
+        for item in result:
+            item['ci_types'] = [i for i in (item.get('ci_types') or []) if i['id'] in adt]
+
+        return result
+
+    @staticmethod
+    def get_attributes_by_type_id(type_id):
+        from api.lib.cmdb.ci_type import CITypeAttributeManager
+        attributes = [i for i in CITypeAttributeManager.get_attributes_by_type_id(type_id) or []]
+
+        attr_names = set()
+        adts = AutoDiscoveryCITypeCRUD.get_by_type_id(type_id)
+        for adt in adts:
+            attr_names |= set((adt.attributes or {}).values())
+        return [attr for attr in attributes if attr['name'] in attr_names]
+
+    @classmethod
+    def search(cls, page, page_size, fl=None, **kwargs):
+        type_id = kwargs['type_id']
+        adts = AutoDiscoveryCITypeCRUD.get_by_type_id(type_id)
+        if not adts:
+            return 0, []
+        adt2attr_map = {i.id: i.attributes or {} for i in adts}
+
+        query = db.session.query(cls.cls).filter(cls.cls.deleted.is_(False))
+
+        count_query = db.session.query(func.count(cls.cls.id)).filter(cls.cls.deleted.is_(False))
+
+        for k in kwargs:
+            if hasattr(cls.cls, k):
+                query = query.filter(getattr(cls.cls, k) == kwargs[k])
+                count_query = count_query.filter(getattr(cls.cls, k) == kwargs[k])
+
+        query = query.order_by(cls.cls.is_accept.desc()).order_by(cls.cls.id.desc())
+
+        result = []
+        for i in query.offset((page - 1) * page_size).limit(page_size):
+            item = i.to_dict()
+            adt_id = item['adt_id']
+            item['instance'] = {adt2attr_map[adt_id][k]: v for k, v in item.get('instance').items()
+                                if (not fl or k in fl) and adt2attr_map.get(adt_id, {}).get(k)}
+            result.append(item)
+
+        numfound = query.count()
+
+        return numfound, result
+
+    @staticmethod
+    def _get_unique_key(type_id):
+        ci_type = CITypeCache.get(type_id)
+        if ci_type:
+            attr = CITypeAttributeCache.get(type_id, ci_type.unique_id)
+            return attr and attr.name
+
+    def _can_add(self, **kwargs):
+        pass
+
+    def upsert(self, **kwargs):
+
+        adt = AutoDiscoveryCIType.get_by_id(kwargs['adt_id']) or abort(404, ErrFormat.adt_not_found)
+
+        existed = self.cls.get_by(type_id=kwargs['type_id'],
+                                  unique_value=kwargs.get("unique_value"),
+                                  first=True, to_dict=False)
+        changed = False
+        if existed is not None:
+            if existed.instance != kwargs['instance']:
+                instance = copy.deepcopy(existed.instance) or {}
+                instance.update(kwargs['instance'])
+                kwargs['instance'] = instance
+                existed.update(filter_none=False, **kwargs)
+                AutoDiscoveryExecHistoryCRUD().add(type_id=adt.type_id,
+                                                   stdout="update resource: {}".format(kwargs.get('unique_value')))
+                changed = True
+        else:
+            existed = self.cls.create(**kwargs)
+            AutoDiscoveryExecHistoryCRUD().add(type_id=adt.type_id,
+                                               stdout="add resource: {}".format(kwargs.get('unique_value')))
+            changed = True
+
+        if adt.auto_accept and changed:
+            try:
+                self.accept(existed)
+            except Exception as e:
+                current_app.logger.error(e)
+                return abort(400, str(e))
+        elif changed:
+            existed.update(is_accept=False, accept_time=None, accept_by=None, filter_none=False)
+
+        return existed
+
+    def _can_update(self, **kwargs):
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(404, ErrFormat.adc_not_found)
+
+        return existed
+
+    def _can_delete(self, **kwargs):
+        return self._can_update(**kwargs)
+
+    def delete(self, _id):
+        inst = self._can_delete(_id=_id)
+
+        inst.delete()
+
+        adt = AutoDiscoveryCIType.get_by_id(inst.adt_id)
+        if adt:
+            adt.update(updated_at=datetime.datetime.now())
+
+        AutoDiscoveryExecHistoryCRUD().add(type_id=inst.type_id,
+                                           stdout="delete resource: {}".format(inst.unique_value))
+
+        self._after_delete(inst)
+
+        return inst
+
+    @classmethod
+    def delete2(cls, type_id, unique_value):
+        existed = cls.cls.get_by(type_id=type_id, unique_value=unique_value, first=True, to_dict=False) or abort(
+            404, ErrFormat.adc_not_found)
+
+        if current_app.config.get("USE_ACL"):
+            ci_type = CITypeCache.get(type_id) or abort(404, ErrFormat.ci_type_not_found)
+
+            not is_app_admin("cmdb") and validate_permission(ci_type.name, ResourceTypeEnum.CI, PermEnum.DELETE, "cmdb")
+
+        existed.delete()
+
+        adt = AutoDiscoveryCIType.get_by_id(existed.adt_id)
+        if adt:
+            adt.update(updated_at=datetime.datetime.now())
+
+        AutoDiscoveryExecHistoryCRUD().add(type_id=type_id,
+                                           stdout="delete resource: {}".format(unique_value))
+        # TODO: delete ci
+
+    @classmethod
+    def accept(cls, adc, adc_id=None, nickname=None):
+        if adc_id is not None:
+            adc = cls.cls.get_by_id(adc_id) or abort(404, ErrFormat.adc_not_found)
+
+        adt = AutoDiscoveryCITypeCRUD.get_by_id(adc.adt_id) or abort(404, ErrFormat.adt_not_found)
+
+        ci_id = None
+
+        ad_key2attr = adt.attributes or {}
+        if ad_key2attr:
+            ci_dict = {ad_key2attr[k]: None if not v and isinstance(v, (list, dict)) else v
+                       for k, v in adc.instance.items() if k in ad_key2attr}
+            extra_option = adt.extra_option or {}
+            mapping, path_mapping = AutoDiscoveryHTTPManager.get_predefined_value_mapping(
+                extra_option.get('provider'), extra_option.get('category'))
+            if mapping:
+                ci_dict = {k: (mapping.get(k) or {}).get(str(v), v) for k, v in ci_dict.items()}
+            if path_mapping:
+                ci_dict = {k: jsonpath.jsonpath(v, path_mapping[k]) if k in path_mapping else v
+                           for k, v in ci_dict.items()}
+            ci_id = CIManager.add(adc.type_id, is_auto_discovery=True, _is_admin=True, **ci_dict)
+            AutoDiscoveryExecHistoryCRUD().add(type_id=adt.type_id,
+                                               stdout="accept resource: {}".format(adc.unique_value))
+
+        build_relations_for_ad_accept.apply_async(args=(adc.to_dict(), ci_id, ad_key2attr), queue=CMDB_QUEUE)
+
+        adc.update(is_accept=True,
+                   accept_by=nickname or current_user.nickname,
+                   accept_time=datetime.datetime.now(),
+                   ci_id=ci_id)
+
+
+class AutoDiscoveryHTTPManager(object):
+    @staticmethod
+    def get_categories(name):
+        categories = (CLOUD_MAP.get(name) or {}) or []
+        for item in copy.deepcopy(categories):
+            item.pop('map', None)
+            item.pop('collect_key_map', None)
+
+        return categories
+
+    def get_resources(self, name):
+        en_name = None
+        for i in DEFAULT_INNER:
+            if i['name'] == name:
+                en_name = i['en']
+                break
+
+        if en_name:
+            categories = self.get_categories(en_name)
+
+            return [j for i in categories for j in i['items']]
+
+        return []
+
+    @staticmethod
+    def get_attributes(provider, resource):
+        for item in (CLOUD_MAP.get(provider) or {}):
+            for _resource in (item.get('map') or {}):
+                if _resource == resource:
+                    tpt = item['map'][_resource]
+                    if isinstance(tpt, dict):
+                        tpt = tpt.get('template')
+                    if tpt and os.path.exists(os.path.join(PWD, tpt)):
+                        with open(os.path.join(PWD, tpt)) as f:
+                            return json.loads(f.read())
+
+        return []
+
+    @staticmethod
+    def get_mapping(provider, resource):
+        for item in (CLOUD_MAP.get(provider) or {}):
+            for _resource in (item.get('map') or {}):
+                if _resource == resource:
+                    mapping = item['map'][_resource]
+                    if not isinstance(mapping, dict):
+                        return {}
+                    name = mapping.get('mapping')
+                    mapping = AutoDiscoveryMappingCache.get(name)
+                    if isinstance(mapping, dict):
+                        return {mapping[key][provider]['key'].split('.')[0]: key for key in mapping if
+                                (mapping[key].get(provider) or {}).get('key')}
+
+        return {}
+
+    @staticmethod
+    def get_predefined_value_mapping(provider, resource):
+        for item in (CLOUD_MAP.get(provider) or {}):
+            for _resource in (item.get('map') or {}):
+                if _resource == resource:
+                    mapping = item['map'][_resource]
+                    if not isinstance(mapping, dict):
+                        return {}, {}
+                    name = mapping.get('mapping')
+                    mapping = AutoDiscoveryMappingCache.get(name)
+                    if isinstance(mapping, dict):
+                        return ({key: mapping[key][provider].get('map') for key in mapping if
+                                 mapping[key].get(provider, {}).get('map')},
+                                {key: mapping[key][provider]['key'].split('.', 1)[1] for key in mapping if
+                                 ((mapping[key].get(provider) or {}).get('key') or '').split('.')[1:]})
+
+        return {}, {}
+
+
+class AutoDiscoverySNMPManager(object):
+
+    @staticmethod
+    def get_attributes():
+        if os.path.exists(os.path.join(PWD, "templates/net_device.json")):
+            with open(os.path.join(PWD, "templates/net_device.json")) as f:
+                return json.loads(f.read())
+
+        return []
+
+
+class AutoDiscoveryComponentsManager(object):
+
+    @staticmethod
+    def get_attributes(name):
+        if os.path.exists(os.path.join(PWD, "templates/{}.json".format(name))):
+            with open(os.path.join(PWD, "templates/{}.json".format(name))) as f:
+                return json.loads(f.read())
+
+        return []
+
+
+class AutoDiscoveryRuleSyncHistoryCRUD(DBMixin):
+    cls = AutoDiscoveryRuleSyncHistory
+
+    def _can_add(self, **kwargs):
+        pass
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+    def upsert(self, **kwargs):
+        existed = self.cls.get_by(adt_id=kwargs.get('adt_id'),
+                                  oneagent_id=kwargs.get('oneagent_id'),
+                                  oneagent_name=kwargs.get('oneagent_name'),
+                                  first=True,
+                                  to_dict=False)
+
+        if existed is not None:
+            existed.update(**kwargs)
+        else:
+            self.cls.create(**kwargs)
+
+
+class AutoDiscoveryExecHistoryCRUD(DBMixin):
+    cls = AutoDiscoveryExecHistory
+
+    def _can_add(self, **kwargs):
+        pass
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+
+class AutoDiscoveryCounterCRUD(DBMixin):
+    cls = AutoDiscoveryCounter
+
+    def get(self, type_id):
+        res = self.cls.get_by(type_id=type_id, first=True, to_dict=True)
+        if res is None:
+            return dict(rule_count=0, exec_target_count=0, instance_count=0, accept_count=0,
+                        this_month_count=0, this_week_count=0, last_month_count=0, last_week_count=0)
+
+        return res
+
+    def _can_add(self, **kwargs):
+        pass
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+
+def encrypt_account(config):
+    if isinstance(config, dict):
+        if config.get('secret'):
+            config['secret'] = AESCrypto.encrypt(config['secret'])
+        if config.get('password'):
+            config['password'] = AESCrypto.encrypt(config['password'])
+
+
+def decrypt_account(config, uid):
+    if isinstance(config, dict):
+        if config.get('password'):
+            if not (current_user.username in PRIVILEGED_USERS or current_user.uid == uid):
+                config.pop('password', None)
+            else:
+                try:
+                    config['password'] = AESCrypto.decrypt(config['password'])
+                except Exception as e:
+                    current_app.logger.error('decrypt account failed: {}'.format(e))
+
+        if config.get('secret'):
+            if not (current_user.username in PRIVILEGED_USERS or current_user.uid == uid):
+                config.pop('secret', None)
+            else:
+                try:
+                    config['secret'] = AESCrypto.decrypt(config['secret'])
+                except Exception as e:
+                    current_app.logger.error('decrypt account failed: {}'.format(e))
+
+
+class AutoDiscoveryAccountCRUD(DBMixin):
+    cls = AutoDiscoveryAccount
+
+    def get(self, adr_id):
+        res = self.cls.get_by(adr_id=adr_id, to_dict=True)
+
+        for i in res:
+            decrypt_account(i.get('config'), i['uid'])
+
+        return res
+
+    def get_config_by_id(self, _id):
+        res = self.cls.get_by_id(_id)
+        if not res:
+            return {}
+
+        config = res.to_dict().get('config') or {}
+
+        decrypt_account(config, res.uid)
+
+        return config
+
+    def _can_add(self, **kwargs):
+        encrypt_account(kwargs.get('config'))
+
+        kwargs['uid'] = current_user.uid
+
+        return kwargs
+
+    def upsert(self, adr_id, accounts):
+        existed_all = self.cls.get_by(adr_id=adr_id, to_dict=False)
+        account_names = {i['name'] for i in accounts}
+
+        name_changed = dict()
+        for account in accounts:
+            existed = None
+            if account.get('id'):
+                existed = self.cls.get_by_id(account.get('id'))
+                if existed is None:
+                    continue
+
+                account.pop('id')
+                name_changed[existed.name] = account.get('name')
+            else:
+                account = self._can_add(**account)
+
+            if existed is not None:
+                if current_user.uid == existed.uid:
+                    config = copy.deepcopy(existed.config) or {}
+                    config.update(account.get('config') or {})
+                    account['config'] = config
+                    existed.update(**account)
+            else:
+                self.cls.create(adr_id=adr_id, **account)
+
+        for item in existed_all:
+            if name_changed.get(item.name, item.name) not in account_names:
+                if current_user.uid == item.uid:
+                    item.soft_delete()
+
+    def _can_update(self, **kwargs):
+        existed = self.cls.get_by_id(kwargs['_id']) or abort(404, ErrFormat.not_found)
+
+        if isinstance(kwargs.get('config'), dict) and kwargs['config'].get('secret'):
+            if current_user.uid != existed.uid:
+                return abort(403, ErrFormat.adt_secret_no_permission)
+        if isinstance(kwargs.get('config'), dict) and kwargs['config'].get('password'):
+            if current_user.uid != existed.uid:
+                return abort(403, ErrFormat.adt_secret_no_permission)
+
+        return existed
+
+    def update(self, _id, **kwargs):
+
+        if kwargs.get('is_plugin') and kwargs.get('plugin_script'):
+            kwargs = check_plugin_script(**kwargs)
+
+        encrypt_account(kwargs.get('config'))
+
+        inst = self._can_update(_id=_id, **kwargs)
+
+        obj = inst.update(_id=_id, filter_none=False, **kwargs)
+
+        return obj
+
+    def _can_delete(self, **kwargs):
+        pass

cmdb-api/api/lib/cmdb/auto_discovery/const.py

@@ -0,0 +1,351 @@
+# -*- coding:utf-8 -*-
+
+from api.lib.cmdb.const import AutoDiscoveryType
+
+PRIVILEGED_USERS = ("cmdb_agent", "worker", "admin")
+
+DEFAULT_INNER = [
+    dict(name="阿里云", en="aliyun", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-aliyun'}, "en": "aliyun"}),
+    dict(name="腾讯云", en="tencentcloud", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-tengxunyun'}, "en": "tencentcloud"}),
+    dict(name="华为云", en="huaweicloud", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-huaweiyun'}, "en": "huaweicloud"}),
+    dict(name="AWS", en="aws", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-aws'}, "en": "aws"}),
+
+    dict(name="VCenter", en="vcenter", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'cmdb-vcenter'}, "category": "private_cloud", "en": "vcenter"}),
+    dict(name="KVM", en="kvm", type=AutoDiscoveryType.HTTP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'ops-KVM'}, "category": "private_cloud", "en": "kvm"}),
+
+
+    dict(name="Nginx", en="nginx", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-nginx'}, "en": "nginx", "collect_key": "nginx"}),
+    dict(name="Apache", en="apache", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-apache'}, "en": "apache", "collect_key": "apache"}),
+    dict(name="Tomcat", en="tomcat", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-tomcat'}, "en": "tomcat", "collect_key": "tomcat"}),
+    dict(name="MySQL", en="mysql", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-mySQL'}, "en": "mysql", "collect_key": "mysql"}),
+    dict(name="MSSQL", en="mssql", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+             option={'icon': {'name': 'caise-SQLServer'}, "en": "mssql", "collect_key": "sqlserver"}),
+    dict(name="Oracle", en="oracle", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-oracle'}, "en": "oracle", "collect_key": "oracle"}),
+    dict(name="Redis", en="redis", type=AutoDiscoveryType.COMPONENTS, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-redis'}, "en": "redis", "collect_key": "redis"}),
+
+    dict(name="交换机", type=AutoDiscoveryType.SNMP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-jiaohuanji'}}),
+    dict(name="路由器", type=AutoDiscoveryType.SNMP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-luyouqi'}}),
+    dict(name="防火墙", type=AutoDiscoveryType.SNMP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-fanghuoqiang'}}),
+    dict(name="打印机", type=AutoDiscoveryType.SNMP, is_inner=True, is_plugin=False,
+         option={'icon': {'name': 'caise-dayinji'}}),
+]
+
+CLOUD_MAP = {
+    "aliyun": [
+        {
+            "category": "计算",
+            "items": ["云服务器 ECS", "云服务器 Disk"],
+            "map": {
+                "云服务器 ECS": {"template": "templates/aliyun_ecs.json", "mapping": "ecs"},
+                "云服务器 Disk": {"template": "templates/aliyun_ecs_disk.json", "mapping": "evs"},
+            },
+            "collect_key_map": {
+                "云服务器 ECS": "ali.ecs",
+                "云服务器 Disk": "ali.ecs_disk",
+            },
+        },
+        {
+            "category": "网络与CDN",
+            "items": [
+                "内容分发CDN",
+                "负载均衡SLB",
+                "专有网络VPC",
+                "交换机Switch",
+            ],
+            "map": {
+                "内容分发CDN": {"template": "templates/aliyun_cdn.json", "mapping": "CDN"},
+                "负载均衡SLB": {"template": "templates/aliyun_slb.json", "mapping": "loadbalancer"},
+                "专有网络VPC": {"template": "templates/aliyun_vpc.json", "mapping": "vpc"},
+                "交换机Switch": {"template": "templates/aliyun_switch.json", "mapping": "vswitch"},
+            },
+            "collect_key_map": {
+                "内容分发CDN": "ali.cdn",
+                "负载均衡SLB": "ali.slb",
+                "专有网络VPC": "ali.vpc",
+                "交换机Switch": "ali.switch",
+            },
+        },
+        {
+            "category": "存储",
+            "items": ["块存储EBS", "对象存储OSS"],
+            "map": {
+                "块存储EBS": {"template": "templates/aliyun_ebs.json", "mapping": "evs"},
+                "对象存储OSS": {"template": "templates/aliyun_oss.json", "mapping": "objectStorage"},
+            },
+            "collect_key_map": {
+                "块存储EBS": "ali.ebs",
+                "对象存储OSS": "ali.oss",
+            },
+        },
+        {
+            "category": "数据库",
+            "items": ["云数据库RDS MySQL", "云数据库RDS PostgreSQL", "云数据库 Redis"],
+            "map": {
+                "云数据库RDS MySQL": {"template": "templates/aliyun_rds_mysql.json", "mapping": "mysql"},
+                "云数据库RDS PostgreSQL": {"template": "templates/aliyun_rds_postgre.json", "mapping": "postgresql"},
+                "云数据库 Redis": {"template": "templates/aliyun_redis.json", "mapping": "redis"},
+            },
+            "collect_key_map": {
+                "云数据库RDS MySQL": "ali.rds_mysql",
+                "云数据库RDS PostgreSQL": "ali.rds_postgre",
+                "云数据库 Redis": "ali.redis",
+            },
+        },
+    ],
+    "tencentcloud": [
+        {
+            "category": "计算",
+            "items": ["云服务器 CVM"],
+            "map": {
+                "云服务器 CVM": {"template": "templates/tencent_cvm.json", "mapping": "ecs"},
+            },
+            "collect_key_map": {
+                "云服务器 CVM": "tencent.cvm",
+            },
+        },
+        {
+            "category": "CDN与边缘",
+            "items": ["内容分发CDN"],
+            "map": {
+                "内容分发CDN": {"template": "templates/tencent_cdn.json", "mapping": "CDN"},
+            },
+            "collect_key_map": {
+                "内容分发CDN": "tencent.cdn",
+            },
+        },
+        {
+            "category": "网络",
+            "items": ["负载均衡CLB", "私有网络VPC", "子网"],
+            "map": {
+                "负载均衡CLB": {"template": "templates/tencent_clb.json", "mapping": "loadbalancer"},
+                "私有网络VPC": {"template": "templates/tencent_vpc.json", "mapping": "vpc"},
+                "子网": {"template": "templates/tencent_subnet.json", "mapping": "vswitch"},
+            },
+            "collect_key_map": {
+                "负载均衡CLB": "tencent.clb",
+                "私有网络VPC": "tencent.vpc",
+                "子网": "tencent.subnet",
+            },
+        },
+        {
+            "category": "存储",
+            "items": ["云硬盘CBS", "对象存储COS"],
+            "map": {
+                "云硬盘CBS": {"template": "templates/tencent_cbs.json", "mapping": "evs"},
+                "对象存储COS": {"template": "templates/tencent_cos.json", "mapping": "objectStorage"},
+            },
+            "collect_key_map": {
+                "云硬盘CBS": "tencent.cbs",
+                "对象存储COS": "tencent.cos",
+            },
+        },
+        {
+            "category": "数据库",
+            "items": ["云数据库 MySQL", "云数据库 PostgreSQL", "云数据库 Redis"],
+            "map": {
+                "云数据库 MySQL": {"template": "templates/tencent_rdb.json", "mapping": "mysql"},
+                "云数据库 PostgreSQL": {"template": "templates/tencent_postgres.json", "mapping": "postgresql"},
+                "云数据库 Redis": {"template": "templates/tencent_redis.json", "mapping": "redis"},
+            },
+            "collect_key_map": {
+                "云数据库 MySQL": "tencent.rdb",
+                "云数据库 PostgreSQL": "tencent.rds_postgres",
+                "云数据库 Redis": "tencent.redis",
+            },
+        },
+    ],
+    "huaweicloud": [
+        {
+            "category": "计算",
+            "items": ["云服务器 ECS"],
+            "map": {
+                "云服务器 ECS": {"template": "templates/huaweicloud_ecs.json", "mapping": "ecs"},
+            },
+            "collect_key_map": {
+                "云服务器 ECS": "huawei.ecs",
+            },
+        },
+        {
+            "category": "CDN与智能边缘",
+            "items": ["内容分发网络CDN"],
+            "map": {
+                "内容分发网络CDN": {"template": "templates/huawei_cdn.json", "mapping": "CDN"},
+            },
+            "collect_key_map": {
+                "内容分发网络CDN": "huawei.cdn",
+            },
+        },
+        {
+            "category": "网络",
+            "items": ["弹性负载均衡ELB", "虚拟私有云VPC", "子网"],
+            "map": {
+                "弹性负载均衡ELB": {"template": "templates/huawei_elb.json", "mapping": "loadbalancer"},
+                "虚拟私有云VPC": {"template": "templates/huawei_vpc.json", "mapping": "vpc"},
+                "子网": {"template": "templates/huawei_subnet.json", "mapping": "vswitch"},
+            },
+            "collect_key_map": {
+                "弹性负载均衡ELB": "huawei.elb",
+                "虚拟私有云VPC": "huawei.vpc",
+                "子网": "huawei.subnet",
+            },
+        },
+        {
+            "category": "存储",
+            "items": ["云硬盘EVS", "对象存储OBS"],
+            "map": {
+                "云硬盘EVS": {"template": "templates/huawei_evs.json", "mapping": "evs"},
+                "对象存储OBS": {"template": "templates/huawei_obs.json", "mapping": "objectStorage"},
+            },
+            "collect_key_map": {
+                "云硬盘EVS": "huawei.evs",
+                "对象存储OBS": "huawei.obs",
+            },
+        },
+        {
+            "category": "数据库",
+            "items": ["云数据库RDS MySQL", "云数据库RDS PostgreSQL"],
+            "map": {
+                "云数据库RDS MySQL": {"template": "templates/huawei_rds_mysql.json", "mapping": "mysql"},
+                "云数据库RDS PostgreSQL": {"template": "templates/huawei_rds_postgre.json", "mapping": "postgresql"},
+            },
+            "collect_key_map": {
+                "云数据库RDS MySQL": "huawei.rds_mysql",
+                "云数据库RDS PostgreSQL": "huawei.rds_postgre",
+            },
+        },
+        {
+            "category": "应用中间件",
+            "items": ["分布式缓存Redis"],
+            "map": {
+                "分布式缓存Redis": {"template": "templates/huawei_dcs.json", "mapping": "redis"},
+            },
+            "collect_key_map": {
+                "分布式缓存Redis": "huawei.dcs",
+            },
+        },
+    ],
+    "aws": [
+        {
+            "category": "计算",
+            "items": ["云服务器 EC2"],
+            "map": {
+                "云服务器 EC2": {"template": "templates/aws_ec2.json", "mapping": "ecs"},
+            },
+            "collect_key_map": {
+                "云服务器 EC2": "aws.ec2",
+            },
+        },
+        {"category": "网络与CDN", "items": [], "map": {}, "collect_key_map": {}},
+    ],
+    "vcenter": [
+        {
+            "category": "计算",
+            "items": [
+                "主机",
+                "虚拟机",
+                "主机集群"
+            ],
+            "map": {
+                "主机": "templates/vsphere_host.json",
+                "虚拟机": "templates/vsphere_vm.json",
+                "主机集群": "templates/vsphere_cluster.json",
+            },
+            "collect_key_map": {
+                "主机": "vsphere.host",
+                "虚拟机": "vsphere.vm",
+                "主机集群": "vsphere.cluster",
+            },
+        },
+        {
+            "category": "网络",
+            "items": [
+                "网络",
+                "标准交换机",
+                "分布式交换机",
+            ],
+            "map": {
+                "网络": "templates/vsphere_network.json",
+                "标准交换机": "templates/vsphere_standard_switch.json",
+                "分布式交换机": "templates/vsphere_distributed_switch.json",
+            },
+            "collect_key_map": {
+                "网络": "vsphere.network",
+                "标准交换机": "vsphere.standard_switch",
+                "分布式交换机": "vsphere.distributed_switch",
+            },
+        },
+        {
+            "category": "存储",
+            "items": ["数据存储", "数据存储集群"],
+            "map": {
+                "数据存储": "templates/vsphere_datastore.json",
+                "数据存储集群": "templates/vsphere_storage_pod.json",
+            },
+            "collect_key_map": {
+                "数据存储": "vsphere.datastore",
+                "数据存储集群": "vsphere.storage_pod",
+            },
+        },
+        {
+            "category": "其他",
+            "items": ["资源池", "数据中心", "文件夹"],
+            "map": {
+                "资源池": "templates/vsphere_pool.json",
+                "数据中心": "templates/vsphere_datacenter.json",
+                "文件夹": "templates/vsphere_folder.json",
+            },
+            "collect_key_map": {
+                "资源池": "vsphere.pool",
+                "数据中心": "vsphere.datacenter",
+                "文件夹": "vsphere.folder",
+            },
+        },
+    ],
+    "kvm": [
+        {
+            "category": "计算",
+            "items": ["虚拟机"],
+            "map": {
+                "虚拟机": "templates/kvm_vm.json",
+            },
+            "collect_key_map": {
+                "虚拟机": "kvm.vm",
+            },
+        },
+        {
+            "category": "存储",
+            "items": ["存储"],
+            "map": {
+                "存储": "templates/kvm_storage.json",
+            },
+            "collect_key_map": {
+                "存储": "kvm.storage",
+            },
+        },
+        {
+            "category": "network",
+            "items": ["网络"],
+            "map": {
+                "网络": "templates/kvm_network.json",
+            },
+            "collect_key_map": {
+                "网络": "kvm.network",
+            },
+        },
+    ],
+}

cmdb-api/api/lib/cmdb/auto_discovery/templates/aliyun_ecs.json

@@ -0,0 +1,386 @@
+[
+    {
+        "name": "CreationTime",
+        "type": "string",
+        "desc": "实例创建时间。以ISO 8601为标准，并使用UTC+0时间，格式为yyyy-MM-ddTHH:mmZ。更多信息，请参见[ISO 8601](~~25696~~)。",
+        "example": "2017-12-10T04:04Z"
+    },
+    {
+        "name": "SerialNumber",
+        "type": "string",
+        "desc": "实例序列号。",
+        "example": "51d1353b-22bf-4567-a176-8b3e12e4****"
+    },
+    {
+        "name": "Status",
+        "type": "string",
+        "desc": "实例状态。",
+        "example": "Running"
+    },
+    {
+        "name": "DeploymentSetId",
+        "type": "string",
+        "desc": "部署集ID。",
+        "example": "ds-bp67acfmxazb4p****"
+    },
+    {
+        "name": "KeyPairName",
+        "type": "string",
+        "desc": "密钥对名称。",
+        "example": "testKeyPairName"
+    },
+    {
+        "name": "SaleCycle",
+        "type": "string",
+        "desc": "> 该参数已弃用，不再返回有意义的数据。",
+        "example": "month"
+    },
+    {
+        "name": "SpotStrategy",
+        "type": "string",
+        "desc": "按量实例的竞价策略。可能值：\n\n- NoSpot：正常按量付费实例。\n- SpotWithPriceLimit：设置上限价格的抢占式实例。\n- SpotAsPriceGo：系统自动出价，最高按量付费价格的抢占式实例。",
+        "example": "NoSpot"
+    },
+    {
+        "name": "DeviceAvailable",
+        "type": "boolean",
+        "desc": "实例是否可以挂载数据盘。\n\n- true：可以挂载数据盘。\n- false：不可以挂载数据盘。",
+        "example": "true"
+    },
+    {
+        "name": "LocalStorageCapacity",
+        "type": "integer",
+        "desc": "实例挂载的本地存储容量。单位：GiB。",
+        "example": "1000"
+    },
+    {
+        "name": "Description",
+        "type": "string",
+        "desc": "实例描述。",
+        "example": "testDescription"
+    },
+    {
+        "name": "SpotDuration",
+        "type": "integer",
+        "desc": "抢占式实例的保留时长，单位为小时。可能值：\n\n- 1：创建后阿里云会保证实例运行1小时不会被自动释放；超过1小时后，系统会自动比较出价与市场价格、检查资源库存，来决定实例的持有和回收。\n- 0：创建后，阿里云不保证实例运行1小时，系统会自动比较出价与市场价格、检查资源库存，来决定实例的持有和回收。\n\n实例回收前5分钟阿里云会通过ECS系统事件向您发送通知。抢占式实例按秒计费，建议您结合具体任务执行耗时来选择合适的保留时长。\n\n>当SpotStrategy值为SpotWithPriceLimit或SpotAsPriceGo时返回该参数。",
+        "example": "1"
+    },
+    {
+        "name": "InstanceNetworkType",
+        "type": "string",
+        "desc": "实例网络类型。可能值：\n\n- classic：经典网络。\n- vpc：专有网络VPC。",
+        "example": "vpc"
+    },
+    {
+        "name": "InstanceName",
+        "type": "string",
+        "desc": "实例名称。",
+        "example": "InstanceNameTest"
+    },
+    {
+        "name": "OSNameEn",
+        "type": "string",
+        "desc": "实例操作系统的英文名称。",
+        "example": "CentOS  7.4 64 bit"
+    },
+    {
+        "name": "HpcClusterId",
+        "type": "string",
+        "desc": "实例所属的HPC集群ID。",
+        "example": "hpc-bp67acfmxazb4p****"
+    },
+    {
+        "name": "SpotPriceLimit",
+        "type": "number",
+        "desc": "实例的每小时最高价格。支持最大3位小数，参数SpotStrategy=SpotWithPriceLimit时，该参数生效。",
+        "example": "0.98"
+    },
+    {
+        "name": "Memory",
+        "type": "integer",
+        "desc": "内存大小，单位为MiB。",
+        "example": "16384"
+    },
+    {
+        "name": "OSName",
+        "type": "string",
+        "desc": "实例的操作系统名称。",
+        "example": "CentOS  7.4 64 位"
+    },
+    {
+        "name": "DeploymentSetGroupNo",
+        "type": "integer",
+        "desc": "ECS实例绑定部署集分散部署时，实例在部署集中的分组位置。",
+        "example": "1"
+    },
+    {
+        "name": "ImageId",
+        "type": "string",
+        "desc": "实例运行的镜像ID。",
+        "example": "m-bp67acfmxazb4p****"
+    },
+    {
+        "name": "VlanId",
+        "type": "string",
+        "desc": "实例的VLAN ID。\n\n>该参数即将被弃用，为提高兼容性，请尽量使用其他参数。",
+        "example": "10"
+    },
+    {
+        "name": "ClusterId",
+        "type": "string",
+        "desc": "实例所在的集群ID。\n\n>该参数即将被弃用，为提高兼容性，请尽量使用其他参数。",
+        "example": "c-bp67acfmxazb4p****"
+    },
+    {
+        "name": "GPUSpec",
+        "type": "string",
+        "desc": "实例规格附带的GPU类型。",
+        "example": "NVIDIA V100"
+    },
+    {
+        "name": "AutoReleaseTime",
+        "type": "string",
+        "desc": "按量付费实例的自动释放时间。",
+        "example": "2017-12-10T04:04Z"
+    },
+    {
+        "name": "DeletionProtection",
+        "type": "boolean",
+        "desc": "实例释放保护属性，指定是否支持通过控制台或API（DeleteInstance）释放实例。\n\n- true：已开启实例释放保护。\n- false：未开启实例释放保护。\n\n> 该属性仅适用于按量付费实例，且只能限制手动释放操作，对系统释放操作不生效。",
+        "example": "false"
+    },
+    {
+        "name": "StoppedMode",
+        "type": "string",
+        "desc": "实例停机后是否继续收费。可能值：\n\n- KeepCharging：停机后继续收费，为您继续保留库存资源。\n- StopCharging：停机后不收费。停机后，我们释放实例对应的资源，例如vCPU、内存和公网IP等资源。重启是否成功依赖于当前地域中是否仍有资源库存。\n- Not-applicable：本实例不支持停机不收费功能。",
+        "example": "KeepCharging"
+    },
+    {
+        "name": "GPUAmount",
+        "type": "integer",
+        "desc": "实例规格附带的GPU数量。",
+        "example": "4"
+    },
+    {
+        "name": "HostName",
+        "type": "string",
+        "desc": "实例主机名。",
+        "example": "testHostName"
+    },
+    {
+        "name": "InstanceId",
+        "type": "string",
+        "desc": "实例ID。",
+        "example": "i-bp67acfmxazb4p****"
+    },
+    {
+        "name": "InternetMaxBandwidthOut",
+        "type": "integer",
+        "desc": "公网出带宽最大值，单位：Mbit/s。",
+        "example": "5"
+    },
+    {
+        "name": "InternetMaxBandwidthIn",
+        "type": "integer",
+        "desc": "公网入带宽最大值，单位：Mbit/s。",
+        "example": "50"
+    },
+    {
+        "name": "InstanceType",
+        "type": "string",
+        "desc": "实例规格。",
+        "example": "ecs.g5.large"
+    },
+    {
+        "name": "InstanceChargeType",
+        "type": "string",
+        "desc": "实例的计费方式。可能值：\n\n- PrePaid：包年包月。\n- PostPaid：按量付费。",
+        "example": "PostPaid"
+    },
+    {
+        "name": "RegionId",
+        "type": "string",
+        "desc": "实例所属地域ID。",
+        "example": "cn-hangzhou"
+    },
+    {
+        "name": "IoOptimized",
+        "type": "boolean",
+        "desc": "是否为I/O优化型实例。\n\n- true：是。\n- false：否。",
+        "example": "true"
+    },
+    {
+        "name": "StartTime",
+        "type": "string",
+        "desc": "实例最近一次的启动时间。以ISO 8601为标准，并使用UTC+0时间，格式为yyyy-MM-ddTHH:mmZ。更多信息，请参见[ISO 8601](~~25696~~)。",
+        "example": "2017-12-10T04:04Z"
+    },
+    {
+        "name": "Cpu",
+        "type": "integer",
+        "desc": "vCPU数。",
+        "example": "8"
+    },
+    {
+        "name": "LocalStorageAmount",
+        "type": "integer",
+        "desc": "实例挂载的本地存储数量。",
+        "example": "2"
+    },
+    {
+        "name": "ExpiredTime",
+        "type": "string",
+        "desc": "过期时间。以ISO 8601为标准，并使用UTC+0时间，格式为yyyy-MM-ddTHH:mmZ。更多信息，请参见[ISO 8601](~~25696~~)。",
+        "example": "2017-12-10T04:04Z"
+    },
+    {
+        "name": "ResourceGroupId",
+        "type": "string",
+        "desc": "实例所属的企业资源组ID。",
+        "example": "rg-bp67acfmxazb4p****"
+    },
+    {
+        "name": "InternetChargeType",
+        "type": "string",
+        "desc": "网络计费类型。可能值：\n\n- PayByBandwidth：按固定带宽计费。\n- PayByTraffic：按使用流量计费。",
+        "example": "PayByTraffic"
+    },
+    {
+        "name": "ZoneId",
+        "type": "string",
+        "desc": "实例所属可用区。",
+        "example": "cn-hangzhou-g"
+    },
+    {
+        "name": "Recyclable",
+        "type": "boolean",
+        "desc": "实例是否可以回收。",
+        "example": "false"
+    },
+    {
+        "name": "ISP",
+        "type": "string",
+        "desc": "> 该参数正在邀测中，暂未开放使用。",
+        "example": "null"
+    },
+    {
+        "name": "CreditSpecification",
+        "type": "string",
+        "desc": "突发性能实例的运行模式。可能值：\n\n- Standard：标准模式。有关实例性能的更多信息，请参见[什么是突发性能实例](~~59977~~)中的性能约束模式章节。\n- Unlimited：无性能约束模式，有关实例性能的更多信息，请参见[什么是突发性能实例](~~59977~~)中的无性能约束模式章节。",
+        "example": "Standard"
+    },
+    {
+        "name": "InstanceTypeFamily",
+        "type": "string",
+        "desc": "实例规格族。",
+        "example": "ecs.g5"
+    },
+    {
+        "name": "OSType",
+        "type": "string",
+        "desc": "实例的操作系统类型，分为Windows Server和Linux两种。可能值：\n\n- windows。\n- linux。",
+        "example": "linux"
+    },
+    {
+        "name": "NetworkInterfaces",
+        "type": "array",
+        "desc": "实例包含的弹性网卡集合。",
+        "example": ""
+    },
+    {
+        "name": "OperationLocks",
+        "type": "array",
+        "desc": "实例的锁定原因。",
+        "example": ""
+    },
+    {
+        "name": "Tags",
+        "type": "array",
+        "desc": "实例的标签集合。",
+        "example": ""
+    },
+    {
+        "name": "RdmaIpAddress",
+        "type": "array",
+        "desc": "HPC实例的RDMA网络IP列表。",
+        "example": ""
+    },
+    {
+        "name": "SecurityGroupIds",
+        "type": "array",
+        "desc": "实例所属安全组ID列表。",
+        "example": ""
+    },
+    {
+        "name": "PublicIpAddress",
+        "type": "array",
+        "desc": "实例公网IP地址列表。",
+        "example": ""
+    },
+    {
+        "name": "InnerIpAddress",
+        "type": "array",
+        "desc": "经典网络类型实例的内网IP地址列表。",
+        "example": ""
+    },
+    {
+        "name": "VpcAttributes",
+        "type": "object",
+        "desc": "专有网络VPC属性。",
+        "example": ""
+    },
+    {
+        "name": "EipAddress",
+        "type": "object",
+        "desc": "弹性公网IP绑定信息。",
+        "example": ""
+    },
+    {
+        "name": "HibernationOptions",
+        "type": "object",
+        "desc": "> 该参数正在邀测中，暂未开放使用。",
+        "example": ""
+    },
+    {
+        "name": "DedicatedHostAttribute",
+        "type": "object",
+        "desc": "由专有宿主机集群ID（DedicatedHostClusterId）、专有宿主机ID（DedicatedHostId）和名称（DedicatedHostName）组成的宿主机属性数组。",
+        "example": ""
+    },
+    {
+        "name": "EcsCapacityReservationAttr",
+        "type": "object",
+        "desc": "云服务器ECS的容量预留相关参数。",
+        "example": ""
+    },
+    {
+        "name": "DedicatedInstanceAttribute",
+        "type": "object",
+        "desc": "专有宿主机实例的属性。",
+        "example": ""
+    },
+    {
+        "name": "CpuOptions",
+        "type": "object",
+        "desc": "CPU配置详情。",
+        "example": ""
+    },
+    {
+        "name": "MetadataOptions",
+        "type": "object",
+        "desc": "元数据选项集合。",
+        "example": ""
+    },
+    {
+        "name": "ImageOptions",
+        "type": "object",
+        "desc": "镜像相关属性信息。",
+        "example": ""
+    },
+    {
+        "name": "SpotInterruptionBehavior",
+        "type": "string",
+        "desc": "平台发起抢占式实例中断时，抢占式实例的中断模式。可能值：\n\n- Terminate：释放。\n\n- Stop：节省停机。",
+        "example": "Terminate"
+    }
+]

cmdb-api/api/lib/cmdb/auto_discovery/templates/aws_ec2.json

@@ -0,0 +1,344 @@
+[
+    {
+        "name": "amiLaunchIndex",
+        "type": "Integer",
+        "desc": "The AMI launch index, which can be used to find this instance in the launch group.",
+        "example": ""
+    },
+    {
+        "name": "architecture",
+        "type": "String",
+        "desc": "The architecture of the image.",
+        "example": "i386"
+    },
+    {
+        "name": "blockDeviceMapping",
+        "type": "Array of InstanceBlockDeviceMapping objects",
+        "desc": "Any block device mapping entries for the instance.",
+        "example": ""
+    },
+    {
+        "name": "bootMode",
+        "type": "String",
+        "desc": "The boot mode that was specified by the AMI. If the value is uefi-preferred, the AMI supports both UEFI and Legacy BIOS. The currentInstanceBootMode parameter is the boot mode that is used to boot the instance at launch or start. For more information, see Boot modes in the Amazon EC2 User Guide.",
+        "example": "legacy-bios"
+    },
+    {
+        "name": "capacityReservationId",
+        "type": "String",
+        "desc": "The ID of the Capacity Reservation.",
+        "example": ""
+    },
+    {
+        "name": "capacityReservationSpecification",
+        "type": "CapacityReservationSpecificationResponse object",
+        "desc": "Information about the Capacity Reservation targeting option.",
+        "example": ""
+    },
+    {
+        "name": "clientToken",
+        "type": "String",
+        "desc": "The idempotency token you provided when you launched the instance, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "cpuOptions",
+        "type": "CpuOptions object",
+        "desc": "The CPU options for the instance.",
+        "example": ""
+    },
+    {
+        "name": "currentInstanceBootMode",
+        "type": "String",
+        "desc": "The boot mode that is used to boot the instance at launch or start. For more information, see Boot modes in the Amazon EC2 User Guide.",
+        "example": "legacy-bios"
+    },
+    {
+        "name": "dnsName",
+        "type": "String",
+        "desc": "[IPv4 only] The public DNS name assigned to the instance. This name is not available until the instance enters the running state. This name is only available if you've enabled DNS hostnames for your VPC.",
+        "example": ""
+    },
+    {
+        "name": "ebsOptimized",
+        "type": "Boolean",
+        "desc": "Indicates whether the instance is optimized for Amazon EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS Optimized instance.",
+        "example": ""
+    },
+    {
+        "name": "elasticGpuAssociationSet",
+        "type": "Array of ElasticGpuAssociation objects",
+        "desc": "The Elastic GPU associated with the instance.",
+        "example": ""
+    },
+    {
+        "name": "elasticInferenceAcceleratorAssociationSet",
+        "type": "Array of ElasticInferenceAcceleratorAssociation objects",
+        "desc": "The elastic inference accelerator associated with the instance.",
+        "example": ""
+    },
+    {
+        "name": "enaSupport",
+        "type": "Boolean",
+        "desc": "Specifies whether enhanced networking with ENA is enabled.",
+        "example": ""
+    },
+    {
+        "name": "enclaveOptions",
+        "type": "EnclaveOptions object",
+        "desc": "Indicates whether the instance is enabled for AWS Nitro Enclaves.",
+        "example": ""
+    },
+    {
+        "name": "groupSet",
+        "type": "Array of GroupIdentifier objects",
+        "desc": "The security groups for the instance.",
+        "example": ""
+    },
+    {
+        "name": "hibernationOptions",
+        "type": "HibernationOptions object",
+        "desc": "Indicates whether the instance is enabled for hibernation.",
+        "example": ""
+    },
+    {
+        "name": "hypervisor",
+        "type": "String",
+        "desc": "The hypervisor type of the instance. The value xen is used for both Xen and Nitro hypervisors.",
+        "example": "ovm"
+    },
+    {
+        "name": "iamInstanceProfile",
+        "type": "IamInstanceProfile object",
+        "desc": "The IAM instance profile associated with the instance, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "imageId",
+        "type": "String",
+        "desc": "The ID of the AMI used to launch the instance.",
+        "example": ""
+    },
+    {
+        "name": "instanceId",
+        "type": "String",
+        "desc": "The ID of the instance.",
+        "example": ""
+    },
+    {
+        "name": "instanceLifecycle",
+        "type": "String",
+        "desc": "Indicates whether this is a Spot Instance or a Scheduled Instance.",
+        "example": "spot"
+    },
+    {
+        "name": "instanceState",
+        "type": "InstanceState object",
+        "desc": "The current state of the instance.",
+        "example": ""
+    },
+    {
+        "name": "instanceType",
+        "type": "String",
+        "desc": "The instance type.",
+        "example": "a1.medium"
+    },
+    {
+        "name": "ipAddress",
+        "type": "String",
+        "desc": "The public IPv4 address, or the Carrier IP address assigned to the instance, if applicable. A Carrier IP address only applies to an instance launched in a subnet associated with a Wavelength Zone.",
+        "example": "Required: No"
+    },
+    {
+        "name": "ipv6Address",
+        "type": "String",
+        "desc": "The IPv6 address assigned to the instance.",
+        "example": ""
+    },
+    {
+        "name": "kernelId",
+        "type": "String",
+        "desc": "The kernel associated with this instance, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "keyName",
+        "type": "String",
+        "desc": "The name of the key pair, if this instance was launched with an associated key pair.",
+        "example": ""
+    },
+    {
+        "name": "launchTime",
+        "type": "Timestamp",
+        "desc": "The time the instance was launched.",
+        "example": ""
+    },
+    {
+        "name": "licenseSet",
+        "type": "Array of LicenseConfiguration objects",
+        "desc": "The license configurations for the instance.",
+        "example": ""
+    },
+    {
+        "name": "maintenanceOptions",
+        "type": "InstanceMaintenanceOptions object",
+        "desc": "Provides information on the recovery and maintenance options of your instance.",
+        "example": ""
+    },
+    {
+        "name": "metadataOptions",
+        "type": "InstanceMetadataOptionsResponse object",
+        "desc": "The metadata options for the instance.",
+        "example": ""
+    },
+    {
+        "name": "monitoring",
+        "type": "Monitoring object",
+        "desc": "The monitoring for the instance.",
+        "example": ""
+    },
+    {
+        "name": "networkInterfaceSet",
+        "type": "Array of InstanceNetworkInterface objects",
+        "desc": "The network interfaces for the instance.",
+        "example": ""
+    },
+    {
+        "name": "outpostArn",
+        "type": "String",
+        "desc": "The Amazon Resource Name (ARN) of the Outpost.",
+        "example": ""
+    },
+    {
+        "name": "placement",
+        "type": "Placement object",
+        "desc": "The location where the instance launched, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "platform",
+        "type": "String",
+        "desc": "The platform. This value is windows for Windows instances; otherwise, it is empty.",
+        "example": "windows"
+    },
+    {
+        "name": "platformDetails",
+        "type": "String",
+        "desc": "The platform details value for the instance. For more information, see AMI billing information fields in the Amazon EC2 User Guide.",
+        "example": ""
+    },
+    {
+        "name": "privateDnsName",
+        "type": "String",
+        "desc": "[IPv4 only] The private DNS hostname name assigned to the instance. This DNS hostname can only be used inside the Amazon EC2 network. This name is not available until the instance enters the running state. The Amazon-provided DNS server resolves Amazon-provided private DNS hostnames if you've enabled DNS resolution and DNS hostnames in your VPC. If you are not using the Amazon-provided DNS server in your VPC, your custom domain name servers must resolve the hostname as appropriate.",
+        "example": "Required: No"
+    },
+    {
+        "name": "privateDnsNameOptions",
+        "type": "PrivateDnsNameOptionsResponse object",
+        "desc": "The options for the instance hostname.",
+        "example": ""
+    },
+    {
+        "name": "privateIpAddress",
+        "type": "String",
+        "desc": "The private IPv4 address assigned to the instance.",
+        "example": ""
+    },
+    {
+        "name": "productCodes",
+        "type": "Array of ProductCode objects",
+        "desc": "The product codes attached to this instance, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "ramdiskId",
+        "type": "String",
+        "desc": "The RAM disk associated with this instance, if applicable.",
+        "example": ""
+    },
+    {
+        "name": "reason",
+        "type": "String",
+        "desc": "The reason for the most recent state transition. This might be an empty string.",
+        "example": ""
+    },
+    {
+        "name": "rootDeviceName",
+        "type": "String",
+        "desc": "The device name of the root device volume (for example, /dev/sda1).",
+        "example": ""
+    },
+    {
+        "name": "rootDeviceType",
+        "type": "String",
+        "desc": "The root device type used by the AMI. The AMI can use an EBS volume or an instance store volume.",
+        "example": "ebs"
+    },
+    {
+        "name": "sourceDestCheck",
+        "type": "Boolean",
+        "desc": "Indicates whether source/destination checking is enabled.",
+        "example": ""
+    },
+    {
+        "name": "spotInstanceRequestId",
+        "type": "String",
+        "desc": "If the request is a Spot Instance request, the ID of the request.",
+        "example": ""
+    },
+    {
+        "name": "sriovNetSupport",
+        "type": "String",
+        "desc": "Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled.",
+        "example": ""
+    },
+    {
+        "name": "stateReason",
+        "type": "StateReason object",
+        "desc": "The reason for the most recent state transition.",
+        "example": ""
+    },
+    {
+        "name": "subnetId",
+        "type": "String",
+        "desc": "The ID of the subnet in which the instance is running.",
+        "example": ""
+    },
+    {
+        "name": "tagSet",
+        "type": "Array of Tag objects",
+        "desc": "Any tags assigned to the instance.",
+        "example": ""
+    },
+    {
+        "name": "tpmSupport",
+        "type": "String",
+        "desc": "If the instance is configured for NitroTPM support, the value is v2.0. For more information, see NitroTPM in the Amazon EC2 User Guide.",
+        "example": ""
+    },
+    {
+        "name": "usageOperation",
+        "type": "String",
+        "desc": "The usage operation value for the instance. For more information, see AMI billing information fields in the Amazon EC2 User Guide.",
+        "example": ""
+    },
+    {
+        "name": "usageOperationUpdateTime",
+        "type": "Timestamp",
+        "desc": "The time that the usage operation was last updated.",
+        "example": ""
+    },
+    {
+        "name": "virtualizationType",
+        "type": "String",
+        "desc": "The virtualization type of the instance.",
+        "example": "hvm"
+    },
+    {
+        "name": "vpcId",
+        "type": "String",
+        "desc": "The ID of the VPC in which the instance is running.",
+        "example": ""
+    }
+]

cmdb-api/api/lib/cmdb/auto_discovery/templates/huaweicloud_ecs.json

@@ -0,0 +1,284 @@
+[
+    {
+        "name": "status",
+        "type": "string",
+        "desc": "弹性云服务器状态。\n\n取值范围:\n\nACTIVE、BUILD、DELETED、ERROR、HARD_REBOOT、MIGRATING、PAUSED、REBOOT、REBUILD、RESIZE、REVERT_RESIZE、SHUTOFF、SHELVED、SHELVED_OFFLOADED、SOFT_DELETED、SUSPENDED、VERIFY_RESIZE\n\n弹性云服务器状态说明请参考[云服务器状态](https://support.huaweicloud.com/api-ecs/ecs_08_0002.html)",
+        "example": "ACTIVE"
+    },
+    {
+        "name": "updated",
+        "type": "string",
+        "desc": "弹性云服务器更新时间。\n\n时间格式例如:2019-05-22T03:30:52Z",
+        "example": "2019-05-22T03:30:52Z"
+    },
+    {
+        "name": "auto_terminate_time",
+        "type": "string",
+        "desc": "弹性云服务器定时删除时间。\n\n时间格式例如:2020-01-19T03:30:52Z",
+        "example": "2020-01-19T03:30:52Z"
+    },
+    {
+        "name": "hostId",
+        "type": "string",
+        "desc": "弹性云服务器所在主机的主机ID。",
+        "example": "c7145889b2e3202cd295ceddb1742ff8941b827b586861fd0acedf64"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:host",
+        "type": "string",
+        "desc": "弹性云服务器所在主机的主机名称。",
+        "example": "pod01.cn-north-1c"
+    },
+    {
+        "name": "addresses",
+        "type": "object",
+        "desc": "弹性云服务器的网络属性。",
+        "example": ""
+    },
+    {
+        "name": "key_name",
+        "type": "string",
+        "desc": "弹性云服务器使用的密钥对名称。",
+        "example": "KeyPair-test"
+    },
+    {
+        "name": "image",
+        "type": "",
+        "desc": "弹性云服务器镜像信息。",
+        "example": ""
+    },
+    {
+        "name": "OS-EXT-STS:task_state",
+        "type": "string",
+        "desc": "扩展属性,弹性云服务器当前任务的状态。\n\n取值范围请参考[云服务器状态](https://support.huaweicloud.com/api-ecs/ecs_08_0002.html)表3。",
+        "example": "rebooting"
+    },
+    {
+        "name": "OS-EXT-STS:vm_state",
+        "type": "string",
+        "desc": "扩展属性,弹性云服务器当前状态。\n\n云服务器状态说明请参考[云服务器状态](https://support.huaweicloud.com/api-ecs/ecs_08_0002.html)。",
+        "example": "active"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:instance_name",
+        "type": "string",
+        "desc": "扩展属性,弹性云服务器别名。",
+        "example": "instance-0048a91b"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:hypervisor_hostname",
+        "type": "string",
+        "desc": "扩展属性,弹性云服务器所在虚拟化主机名。",
+        "example": "nova022@36"
+    },
+    {
+        "name": "flavor",
+        "type": "",
+        "desc": "弹性云服务器规格信息。",
+        "example": ""
+    },
+    {
+        "name": "id",
+        "type": "string",
+        "desc": "弹性云服务器ID,格式为UUID。",
+        "example": "4f4b3dfa-eb70-47cf-a60a-998a53bd6666"
+    },
+    {
+        "name": "security_groups",
+        "type": "array",
+        "desc": "弹性云服务器所属安全组列表。",
+        "example": ""
+    },
+    {
+        "name": "OS-EXT-AZ:availability_zone",
+        "type": "string",
+        "desc": "扩展属性,弹性云服务器所在可用区名称。",
+        "example": "cn-north-1c"
+    },
+    {
+        "name": "user_id",
+        "type": "string",
+        "desc": "创建弹性云服务器的用户ID,格式为UUID。",
+        "example": "05498fe56b8010d41f7fc01e280b6666"
+    },
+    {
+        "name": "name",
+        "type": "string",
+        "desc": "弹性云服务器名称。",
+        "example": "ecs-test-server"
+    },
+    {
+        "name": "created",
+        "type": "string",
+        "desc": "弹性云服务器创建时间。\n\n时间格式例如:2019-05-22T03:19:19Z",
+        "example": "2017-07-15T11:30:52Z"
+    },
+    {
+        "name": "tenant_id",
+        "type": "string",
+        "desc": "弹性云服务器所属租户ID,即项目id,和project_id表示相同的概念,格式为UUID。",
+        "example": "743b4c0428d94531b9f2add666646666"
+    },
+    {
+        "name": "OS-DCF:diskConfig",
+        "type": "string",
+        "desc": "扩展属性, diskConfig的类型。\n\n- MANUAL,镜像空间不会扩展。\n- AUTO,系统盘镜像空间会自动扩展为与flavor大小一致。",
+        "example": "AUTO"
+    },
+    {
+        "name": "accessIPv4",
+        "type": "string",
+        "desc": "预留属性。",
+        "example": ""
+    },
+    {
+        "name": "accessIPv6",
+        "type": "string",
+        "desc": "预留属性。",
+        "example": ""
+    },
+    {
+        "name": "fault",
+        "type": "",
+        "desc": "弹性云服务器故障信息。\n\n可选参数,在弹性云服务器状态为ERROR且存在异常的情况下返回。",
+        "example": ""
+    },
+    {
+        "name": "progress",
+        "type": "integer",
+        "desc": "弹性云服务器进度。",
+        "example": 0
+    },
+    {
+        "name": "OS-EXT-STS:power_state",
+        "type": "integer",
+        "desc": "扩展属性,弹性云服务器电源状态。",
+        "example": 4
+    },
+    {
+        "name": "config_drive",
+        "type": "string",
+        "desc": "config drive信息。",
+        "example": ""
+    },
+    {
+        "name": "metadata",
+        "type": "object",
+        "desc": "弹性云服务器元数据。\n\n> 说明:\n> \n> 元数据包含系统默认添加字段和用户设置的字段。\n\n系统默认添加字段\n\n1. charging_mode\n云服务器的计费类型。\n\n- “0”:按需计费(即postPaid-后付费方式)。\n- “1”:按包年包月计费(即prePaid-预付费方式)。\"2\":竞价实例计费\n\n2. metering.order_id\n按“包年/包月”计费的云服务器对应的订单ID。\n\n3. metering.product_id\n按“包年/包月”计费的云服务器对应的产品ID。\n\n4. vpc_id\n云服务器所属的虚拟私有云ID。\n\n5. EcmResStatus\n云服务器的冻结状态。\n\n- normal:云服务器正常状态(未被冻结)。\n- freeze:云服务器被冻结。\n\n> 当云服务器被冻结或者解冻后,系统默认添加该字段,且该字段必选。\n\n6. metering.image_id\n云服务器操作系统对应的镜像ID\n\n7.  metering.imagetype\n镜像类型,目前支持:\n\n- 公共镜像(gold)\n- 私有镜像(private)\n- 共享镜像(shared)\n\n8. metering.resourcespeccode\n云服务器对应的资源规格。\n\n9. image_name\n云服务器操作系统对应的镜像名称。\n\n10. os_bit\n操作系统位数,一般取值为“32”或者“64”。\n\n11. lockCheckEndpoint\n回调URL,用于检查弹性云服务器的加锁是否有效。\n\n- 如果有效,则云服务器保持锁定状态。\n- 如果无效,解除锁定状态,删除失效的锁。\n\n12. lockSource\n弹性云服务器来自哪个服务。订单加锁(ORDER)\n\n13. lockSourceId\n弹性云服务器的加锁来自哪个ID。lockSource为“ORDER”时,lockSourceId为订单ID。\n\n14. lockScene\n弹性云服务器的加锁类型。\n\n- 按需转包周期(TO_PERIOD_LOCK)\n\n15. virtual_env_type\n\n- IOS镜像创建虚拟机,\"virtual_env_type\": \"IsoImage\" 属性;\n- 非IOS镜像创建虚拟机,在19.5.0版本以后创建的虚拟机将不会添加virtual_env_type 属性,而在此之前的版本创建的虚拟机可能会返回\"virtual_env_type\": \"FusionCompute\"属性 。\n\n> virtual_env_type属性不允许用户增加、删除和修改。\n\n16. metering.resourcetype\n云服务器对应的资源类型。\n\n17. os_type\n操作系统类型,取值为:Linux、Windows。\n\n18. cascaded.instance_extrainfo\n系统内部虚拟机扩展信息。\n\n19. __support_agent_list\n云服务器是否支持企业主机安全、主机监控。\n\n- “hss”:企业主机安全\n-  “ces”:主机监控\n\n20. agency_name\n委托的名称。\n\n委托是由租户管理员在统一身份认证服务(Identity and Access Management,IAM)上创建的,可以为弹性云服务器提供访问云服务的临时凭证。",
+        "example": ""
+    },
+    {
+        "name": "OS-SRV-USG:launched_at",
+        "type": "string",
+        "desc": "弹性云服务器启动时间。时间格式例如:2019-05-22T03:23:59.000000",
+        "example": "2018-08-15T14:21:22.000000"
+    },
+    {
+        "name": "OS-SRV-USG:terminated_at",
+        "type": "string",
+        "desc": "弹性云服务器删除时间。\n\n时间格式例如:2019-05-22T03:23:59.000000",
+        "example": "2019-05-22T03:23:59.000000"
+    },
+    {
+        "name": "os-extended-volumes:volumes_attached",
+        "type": "array",
+        "desc": "挂载到弹性云服务器上的磁盘。",
+        "example": ""
+    },
+    {
+        "name": "description",
+        "type": "string",
+        "desc": "弹性云服务器的描述信息。",
+        "example": "ecs description"
+    },
+    {
+        "name": "host_status",
+        "type": "string",
+        "desc": "nova-compute状态。\n\n- UP:服务正常\n- UNKNOWN:状态未知\n- DOWN:服务异常\n- MAINTENANCE:维护状态\n- 空字符串:弹性云服务器无主机信息",
+        "example": "UP"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:hostname",
+        "type": "string",
+        "desc": "弹性云服务器的主机名。",
+        "example": ""
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:reservation_id",
+        "type": "string",
+        "desc": "批量创建场景,弹性云服务器的预留ID。",
+        "example": "r-f06p3js8"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:launch_index",
+        "type": "integer",
+        "desc": "批量创建场景,弹性云服务器的启动顺序。",
+        "example": 0
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:kernel_id",
+        "type": "string",
+        "desc": "若使用AMI格式的镜像,则表示kernel image的UUID;否则,留空。",
+        "example": ""
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:ramdisk_id",
+        "type": "string",
+        "desc": "若使用AMI格式镜像,则表示ramdisk image的UUID;否则,留空。",
+        "example": ""
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:root_device_name",
+        "type": "string",
+        "desc": "弹性云服务器系统盘的设备名称。",
+        "example": "/dev/vda"
+    },
+    {
+        "name": "OS-EXT-SRV-ATTR:user_data",
+        "type": "string",
+        "desc": "创建弹性云服务器时指定的user_data。",
+        "example": "IyEvYmluL2Jhc2gKZWNobyAncm9vdDokNiRjcGRkSjckWm5WZHNiR253Z0l0SGlxUjZxbWtLTlJaeU9lZUtKd3dPbG9XSFdUeGFzWjA1STYwdnJYRTdTUTZGbEpFbWlXZ21WNGNmZ1pac1laN1BkMTBLRndyeC8nIHwgY2hwYXNzd2Q6666"
+    },
+    {
+        "name": "locked",
+        "type": "boolean",
+        "desc": "弹性云服务器是否为锁定状态。\n\n- true:锁定\n- false:未锁定",
+        "example": false
+    },
+    {
+        "name": "tags",
+        "type": "array",
+        "desc": "弹性云服务器标签。",
+        "example": ""
+    },
+    {
+        "name": "os:scheduler_hints",
+        "type": "",
+        "desc": "弹性云服务器调度信息",
+        "example": ""
+    },
+    {
+        "name": "enterprise_project_id",
+        "type": "string",
+        "desc": "弹性云服务器所属的企业项目ID。",
+        "example": "0"
+    },
+    {
+        "name": "sys_tags",
+        "type": "array",
+        "desc": "弹性云服务器系统标签。",
+        "example": ""
+    },
+    {
+        "name": "cpu_options",
+        "type": "",
+        "desc": "自定义CPU选项。",
+        "example": ""
+    },
+    {
+        "name": "hypervisor",
+        "type": "",
+        "desc": "hypervisor信息。",
+        "example": ""
+    }
+]

cmdb-api/api/lib/cmdb/auto_discovery/templates/net_device.json

@@ -0,0 +1,37 @@
+[{
+  "name":"manufacturer",
+  "type": "文本",
+  "example":"HUAWEI Technology Co.,Ltd",
+  "desc":"制造产商"
+},{
+  "name":"sn",
+  "type": "文本",
+  "example":"102030059898",
+  "desc":"设备序列号"
+},{
+  "name":"device_name",
+  "type": "文本",
+  "example":"USG6525E",
+  "desc":"设备名称"
+},{
+  "name":"device_model",
+  "type": "文本",
+  "example":"2011.2.321.1.205",
+  "desc":"设备细分类型 结合相关产商获取相应的产品类型"
+},{
+  "name":"description",
+  "type": "文本",
+  "example":"Huawei Vwersatile Routing Platform Software",
+  "desc":"设备描述"
+},{
+  "name":"manager_ip",
+  "type": "文本",
+  "example":"192.168.1.1",
+  "desc":"管理ip"
+}, {
+  "name":"ips",
+  "type": "文本、多值",
+  "example":"192.168.1.1, 192.168.1.2",
+  "desc":"ips"
+}
+]

cmdb-api/api/lib/cmdb/auto_discovery/templates/tencent_cvm.json

@@ -0,0 +1,248 @@
+[
+    {
+        "name": "Placement",
+        "type": "Placement",
+        "desc": "实例所在的位置。",
+        "example": ""
+    },
+    {
+        "name": "InstanceId",
+        "type": "String",
+        "desc": "实例ID。",
+        "example": "ins-9bxebleo"
+    },
+    {
+        "name": "InstanceType",
+        "type": "String",
+        "desc": "实例机型。",
+        "example": "S1.SMALL1"
+    },
+    {
+        "name": "CPU",
+        "type": "Integer",
+        "desc": "实例的CPU核数，单位：核。",
+        "example": "1"
+    },
+    {
+        "name": "Memory",
+        "type": "Integer",
+        "desc": "实例内存容量，单位：GB。",
+        "example": "1"
+    },
+    {
+        "name": "RestrictState",
+        "type": "String",
+        "desc": "NORMAL：表示正常状态的实例\nEXPIRED：表示过期的实例\nPROTECTIVELY_ISOLATED：表示被安全隔离的实例。",
+        "example": "NORMAL"
+    },
+    {
+        "name": "InstanceName",
+        "type": "String",
+        "desc": "实例名称。",
+        "example": "测试实例"
+    },
+    {
+        "name": "InstanceChargeType",
+        "type": "String",
+        "desc": "PREPAID：表示预付费，即包年包月\nPOSTPAID_BY_HOUR：表示后付费，即按量计费\nCDHPAID：专用宿主机付费，即只对专用宿主机计费，不对专用宿主机上的实例计费。\nSPOTPAID：表示竞价实例付费。",
+        "example": "PREPAID"
+    },
+    {
+        "name": "SystemDisk",
+        "type": "SystemDisk",
+        "desc": "实例系统盘信息。",
+        "example": ""
+    },
+    {
+        "name": "DataDisks",
+        "type": "Array of DataDisk",
+        "desc": "实例数据盘信息。",
+        "example": ""
+    },
+    {
+        "name": "PrivateIpAddresses",
+        "type": "Array of String",
+        "desc": "实例主网卡的内网IP列表。",
+        "example": "[\"172.16.32.78\"]"
+    },
+    {
+        "name": "PublicIpAddresses",
+        "type": "Array of String",
+        "desc": "实例主网卡的公网IP列表。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "[\"123.207.11.190\"]"
+    },
+    {
+        "name": "InternetAccessible",
+        "type": "InternetAccessible",
+        "desc": "实例带宽信息。",
+        "example": ""
+    },
+    {
+        "name": "VirtualPrivateCloud",
+        "type": "VirtualPrivateCloud",
+        "desc": "实例所属虚拟私有网络信息。",
+        "example": ""
+    },
+    {
+        "name": "ImageId",
+        "type": "String",
+        "desc": "生产实例所使用的镜像ID。",
+        "example": "img-9qabwvbn"
+    },
+    {
+        "name": "RenewFlag",
+        "type": "String",
+        "desc": "NOTIFY_AND_MANUAL_RENEW：表示通知即将过期，但不自动续费\nNOTIFY_AND_AUTO_RENEW：表示通知即将过期，而且自动续费\nDISABLE_NOTIFY_AND_MANUAL_RENEW：表示不通知即将过期，也不自动续费。\n注意：后付费模式本项为null",
+        "example": "NOTIFY_AND_MANUAL_RENEW"
+    },
+    {
+        "name": "CreatedTime",
+        "type": "Timestamp ISO8601",
+        "desc": "创建时间。按照ISO8601标准表示，并且使用UTC时间。格式为：YYYY-MM-DDThh:mm:ssZ。",
+        "example": "2020-03-10T02:43:51Z"
+    },
+    {
+        "name": "ExpiredTime",
+        "type": "Timestamp ISO8601",
+        "desc": "到期时间。按照ISO8601标准表示，并且使用UTC时间。格式为：YYYY-MM-DDThh:mm:ssZ。注意：后付费模式本项为null",
+        "example": "2020-04-10T02:47:36Z"
+    },
+    {
+        "name": "OsName",
+        "type": "String",
+        "desc": "操作系统名称。",
+        "example": "CentOS 7.6 64bit"
+    },
+    {
+        "name": "SecurityGroupIds",
+        "type": "Array of String",
+        "desc": "实例所属安全组。该参数可以通过调用 DescribeSecurityGroups 的返回值中的sgId字段来获取。",
+        "example": "[\"sg-p1ezv4wz\"]"
+    },
+    {
+        "name": "LoginSettings",
+        "type": "LoginSettings",
+        "desc": "实例登录设置。目前只返回实例所关联的密钥。",
+        "example": ""
+    },
+    {
+        "name": "InstanceState",
+        "type": "String",
+        "desc": "PENDING：表示创建中\nLAUNCH_FAILED：表示创建失败\nRUNNING：表示运行中\nSTOPPED：表示关机\nSTARTING：表示开机中\nSTOPPING：表示关机中\nREBOOTING：表示重启中\nSHUTDOWN：表示停止待销毁\nTERMINATING：表示销毁中。",
+        "example": ""
+    },
+    {
+        "name": "Tags",
+        "type": "Array of Tag",
+        "desc": "实例关联的标签列表。",
+        "example": ""
+    },
+    {
+        "name": "StopChargingMode",
+        "type": "String",
+        "desc": "KEEP_CHARGING：关机继续收费\nSTOP_CHARGING：关机停止收费\nNOT_APPLICABLE：实例处于非关机状态或者不适用关机停止计费的条件",
+        "example": "NOT_APPLICABLE"
+    },
+    {
+        "name": "Uuid",
+        "type": "String",
+        "desc": "实例全局唯一ID",
+        "example": "68b510db-b4c1-4630-a62b-73d0c7c970f9"
+    },
+    {
+        "name": "LatestOperation",
+        "type": "String",
+        "desc": "实例的最新操作。例：StopInstances、ResetInstance。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "RenewInstances"
+    },
+    {
+        "name": "LatestOperationState",
+        "type": "String",
+        "desc": "SUCCESS：表示操作成功\nOPERATING：表示操作执行中\nFAILED：表示操作失败注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "SUCCESS"
+    },
+    {
+        "name": "LatestOperationRequestId",
+        "type": "String",
+        "desc": "实例最新操作的唯一请求 ID。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "3554eb5b-1cfa-471a-ae76-dc436c9d43e8"
+    },
+    {
+        "name": "DisasterRecoverGroupId",
+        "type": "String",
+        "desc": "分散置放群组ID。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "null"
+    },
+    {
+        "name": "IPv6Addresses",
+        "type": "Array of String",
+        "desc": "实例的IPv6地址。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "null"
+    },
+    {
+        "name": "CamRoleName",
+        "type": "String",
+        "desc": "CAM角色名。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "null"
+    },
+    {
+        "name": "HpcClusterId",
+        "type": "String",
+        "desc": "高性能计算集群ID。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "null"
+    },
+    {
+        "name": "RdmaIpAddresses",
+        "type": "Array of String",
+        "desc": "高性能计算集群IP列表。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "null"
+    },
+    {
+        "name": "DedicatedClusterId",
+        "type": "String",
+        "desc": "实例所在的专用集群ID。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "cluster-du3jken"
+    },
+    {
+        "name": "IsolatedSource",
+        "type": "String",
+        "desc": "ARREAR：表示欠费隔离\nEXPIRE：表示到期隔离\nMANMADE：表示主动退还隔离\nNOTISOLATED：表示未隔离",
+        "example": ""
+    },
+    {
+        "name": "GPUInfo",
+        "type": "GPUInfo",
+        "desc": "GPU信息。如果是gpu类型子机，该值会返回GPU信息，如果是其他类型子机则不返回。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": ""
+    },
+    {
+        "name": "LicenseType",
+        "type": "String",
+        "desc": "实例的操作系统许可类型，默认为TencentCloud",
+        "example": "TencentCloud"
+    },
+    {
+        "name": "DisableApiTermination",
+        "type": "Boolean",
+        "desc": "TRUE：表示开启实例保护，不允许通过api接口删除实例\nFALSE：表示关闭实例保护，允许通过api接口删除实例默认取值：FALSE。",
+        "example": "false"
+    },
+    {
+        "name": "DefaultLoginUser",
+        "type": "String",
+        "desc": "默认登录用户。",
+        "example": "root"
+    },
+    {
+        "name": "DefaultLoginPort",
+        "type": "Integer",
+        "desc": "默认登录端口。",
+        "example": "22"
+    },
+    {
+        "name": "LatestOperationErrorMsg",
+        "type": "String",
+        "desc": "实例的最新操作错误信息。注意：此字段可能返回 null，表示取不到有效值。",
+        "example": "None"
+    }
+]

cmdb-api/api/lib/cmdb/cache.py

@@ -2,10 +2,27 @@
 
 from __future__ import unicode_literals
 
+from collections import defaultdict
+
+import datetime
+import os
+import yaml
+from flask import current_app
+import json
 from api.extensions import cache
-from api.models.cmdb import Attribute
+from api.extensions import db
+from api.lib.cmdb.custom_dashboard import CustomDashboardManager
+from api.models.cmdb import Attribute, AutoDiscoveryExecHistory
+from api.models.cmdb import AutoDiscoveryCI
+from api.models.cmdb import AutoDiscoveryCIType
+from api.models.cmdb import AutoDiscoveryCITypeRelation
+from api.models.cmdb import AutoDiscoveryCounter
+from api.models.cmdb import AutoDiscoveryRuleSyncHistory
+from api.models.cmdb import CI
 from api.models.cmdb import CIType
 from api.models.cmdb import CITypeAttribute
+from api.models.cmdb import PreferenceShowAttributes
+from api.models.cmdb import PreferenceTreeView
 from api.models.cmdb import RelationType
 
 
@@ -28,6 +45,7 @@ class AttributeCache(object):
             attr = attr or Attribute.get_by(alias=key, first=True, to_dict=False)
             if attr is not None:
                 cls.set(attr)
+
         return attr
 
     @classmethod
@@ -61,6 +79,7 @@ class CITypeCache(object):
             ct = ct or CIType.get_by(alias=key, first=True, to_dict=False)
             if ct is not None:
                 cls.set(ct)
+
         return ct
 
     @classmethod
@@ -92,6 +111,7 @@ class RelationTypeCache(object):
             ct = RelationType.get_by(name=key, first=True, to_dict=False) or RelationType.get_by_id(key)
             if ct is not None:
                 cls.set(ct)
+
         return ct
 
     @classmethod
@@ -107,13 +127,16 @@ class RelationTypeCache(object):
             cache.delete(cls.PREFIX_ID.format(ct.id))
 
 
-class CITypeAttributeCache(object):
+class CITypeAttributesCache(object):
     """
     key is type_id or type_name
     """
 
-    PREFIX_ID = "CITypeAttribute::ID::{0}"
-    PREFIX_NAME = "CITypeAttribute::Name::{0}"
+    PREFIX_ID = "CITypeAttributes::TypeID::{0}"
+    PREFIX_NAME = "CITypeAttributes::TypeName::{0}"
+
+    PREFIX_ID2 = "CITypeAttributes2::TypeID::{0}"
+    PREFIX_NAME2 = "CITypeAttributes2::TypeName::{0}"
 
     @classmethod
     def get(cls, key):
@@ -124,12 +147,41 @@ class CITypeAttributeCache(object):
         attrs = attrs or cache.get(cls.PREFIX_ID.format(key))
         if not attrs:
             attrs = CITypeAttribute.get_by(type_id=key, to_dict=False)
+
             if not attrs:
                 ci_type = CIType.get_by(name=key, first=True, to_dict=False)
                 if ci_type is not None:
                     attrs = CITypeAttribute.get_by(type_id=ci_type.id, to_dict=False)
+
             if attrs is not None:
                 cls.set(key, attrs)
+
+        return attrs
+
+    @classmethod
+    def get2(cls, key):
+        """
+        return [(type_attr, attr), ]
+        :param key:
+        :return:
+        """
+        if key is None:
+            return
+
+        attrs = cache.get(cls.PREFIX_NAME2.format(key))
+        attrs = attrs or cache.get(cls.PREFIX_ID2.format(key))
+        if not attrs:
+            attrs = CITypeAttribute.get_by(type_id=key, to_dict=False)
+
+            if not attrs:
+                ci_type = CIType.get_by(name=key, first=True, to_dict=False)
+                if ci_type is not None:
+                    attrs = CITypeAttribute.get_by(type_id=ci_type.id, to_dict=False)
+
+            if attrs is not None:
+                attrs = [(i, AttributeCache.get(i.attr_id)) for i in attrs]
+                cls.set2(key, attrs)
+
         return attrs
 
     @classmethod
@@ -139,6 +191,13 @@ class CITypeAttributeCache(object):
             cache.set(cls.PREFIX_ID.format(ci_type.id), values)
             cache.set(cls.PREFIX_NAME.format(ci_type.name), values)
 
+    @classmethod
+    def set2(cls, key, values):
+        ci_type = CITypeCache.get(key)
+        if ci_type is not None:
+            cache.set(cls.PREFIX_ID2.format(ci_type.id), values)
+            cache.set(cls.PREFIX_NAME2.format(ci_type.name), values)
+
     @classmethod
     def clean(cls, key):
         ci_type = CITypeCache.get(key)
@@ -146,3 +205,394 @@ class CITypeAttributeCache(object):
         if attrs is not None and ci_type:
             cache.delete(cls.PREFIX_ID.format(ci_type.id))
             cache.delete(cls.PREFIX_NAME.format(ci_type.name))
+
+        attrs2 = cls.get2(key)
+        if attrs2 is not None and ci_type:
+            cache.delete(cls.PREFIX_ID2.format(ci_type.id))
+            cache.delete(cls.PREFIX_NAME2.format(ci_type.name))
+
+
+class CITypeAttributeCache(object):
+    """
+    key is type_id  & attr_id
+    """
+
+    PREFIX_ID = "CITypeAttribute::TypeID::{0}::AttrID::{1}"
+
+    @classmethod
+    def get(cls, type_id, attr_id):
+        attr = cache.get(cls.PREFIX_ID.format(type_id, attr_id))
+        attr = attr or cache.get(cls.PREFIX_ID.format(type_id, attr_id))
+        attr = attr or CITypeAttribute.get_by(type_id=type_id, attr_id=attr_id, first=True, to_dict=False)
+
+        if attr is not None:
+            cls.set(type_id, attr_id, attr)
+
+        return attr
+
+    @classmethod
+    def set(cls, type_id, attr_id, attr):
+        cache.set(cls.PREFIX_ID.format(type_id, attr_id), attr)
+
+    @classmethod
+    def clean(cls, type_id, attr_id):
+        cache.delete(cls.PREFIX_ID.format(type_id, attr_id))
+
+
+class CMDBCounterCache(object):
+    KEY = 'CMDB::Counter::dashboard'
+    KEY2 = 'CMDB::Counter::adc'
+    KEY3 = 'CMDB::Counter::sub'
+
+    @classmethod
+    def get(cls):
+        result = cache.get(cls.KEY) or {}
+
+        if not result:
+            result = cls.reset()
+
+        return result
+
+    @classmethod
+    def set(cls, result):
+        cache.set(cls.KEY, json.loads(json.dumps(result)), timeout=0)
+
+    @classmethod
+    def reset(cls):
+        customs = CustomDashboardManager.get()
+        result = {}
+        for custom in customs:
+            if custom['category'] == 0:
+                res = cls.sum_counter(custom)
+            elif custom['category'] == 1:
+                res = cls.attribute_counter(custom)
+            else:
+                res = cls.relation_counter(custom.get('type_id'),
+                                           custom.get('level'),
+                                           custom.get('options', {}).get('filter', ''),
+                                           custom.get('options', {}).get('type_ids', ''))
+
+            if res:
+                result[custom['id']] = res
+
+        cls.set(result)
+
+        return json.loads(json.dumps(result))
+
+    @classmethod
+    def update(cls, custom, flush=True):
+        result = cache.get(cls.KEY) or {}
+        if not result:
+            result = cls.reset()
+
+        if custom['category'] == 0:
+            res = cls.sum_counter(custom)
+        elif custom['category'] == 1:
+            res = cls.attribute_counter(custom)
+        else:
+            res = cls.relation_counter(custom.get('type_id'),
+                                       custom.get('level'),
+                                       custom.get('options', {}).get('filter', ''),
+                                       custom.get('options', {}).get('type_ids', ''))
+
+        if res and flush:
+            result[custom['id']] = res
+            cls.set(result)
+
+        return json.loads(json.dumps(res))
+
+    @classmethod
+    def relation_counter(cls, type_id, level, other_filer, type_ids):
+        from api.lib.cmdb.search.ci_relation.search import Search as RelSearch
+        from api.lib.cmdb.search import SearchError
+        from api.lib.cmdb.search.ci import search
+        from api.lib.cmdb.attribute import AttributeManager
+
+        query = "_type:{}".format(type_id)
+        if other_filer:
+            query = "{},{}".format(query, other_filer)
+        s = search(query, count=1000000)
+        try:
+            type_names, _, _, _, _, _ = s.search()
+        except SearchError as e:
+            current_app.logger.error(e)
+            return
+        root_type = CITypeCache.get(type_id)
+        show_attr_id = root_type and root_type.show_id
+        show_attr = AttributeCache.get(show_attr_id)
+
+        type_id_names = []
+        for i in type_names:
+            attr_value = i.get(show_attr and show_attr.name) or i.get(i.get('unique'))
+            enum_map = AttributeManager.get_enum_map(show_attr_id or i.get('unique'))
+
+            type_id_names.append((str(i.get('_id')), enum_map.get(attr_value, attr_value)))
+
+        s = RelSearch([i[0] for i in type_id_names], level)
+        try:
+            stats = s.statistics(type_ids, need_filter=False)
+        except SearchError as e:
+            current_app.logger.error(e)
+            return
+
+        id2name = dict(type_id_names)
+        type_ids = set()
+        for i in (stats.get('detail') or []):
+            for j in stats['detail'][i]:
+                type_ids.add(j)
+        for type_id in type_ids:
+            _type = CITypeCache.get(type_id)
+            id2name[type_id] = _type and _type.alias
+
+        result = dict(summary={}, detail={})
+        for i in stats:
+            if i == "detail":
+                for j in stats['detail']:
+                    if id2name[j]:
+                        result['detail'][id2name[j]] = stats['detail'][j]
+                        result['detail'][id2name[j]] = dict()
+                        for _j in stats['detail'][j]:
+                            result['detail'][id2name[j]][id2name[_j]] = stats['detail'][j][_j]
+            elif id2name.get(i):
+                result['summary'][id2name[i]] = stats[i]
+
+        return result
+
+    @classmethod
+    def attribute_counter(cls, custom):
+        from api.lib.cmdb.search import SearchError
+        from api.lib.cmdb.search.ci import search
+        from api.lib.cmdb.utils import ValueTypeMap
+        from api.lib.cmdb.attribute import AttributeManager
+
+        custom.setdefault('options', {})
+        type_id = custom.get('type_id')
+        attr_id = custom.get('attr_id')
+        type_ids = custom['options'].get('type_ids') or (type_id and [type_id])
+        attr_ids = list(map(str, custom['options'].get('attr_ids') or (attr_id and [attr_id])))
+        try:
+            attr2value_type = [AttributeCache.get(i).value_type for i in attr_ids]
+        except AttributeError:
+            return
+
+        other_filter = custom['options'].get('filter')
+        other_filter = "{}".format(other_filter) if other_filter else ''
+
+        if custom['options'].get('ret') == 'cis':
+            enum_map = {}
+            for _attr_id in attr_ids:
+                _attr = AttributeCache.get(_attr_id)
+                if _attr:
+                    enum_map[_attr.alias] = AttributeManager.get_enum_map(_attr_id)
+
+            query = "_type:({}),{}".format(";".join(map(str, type_ids)), other_filter)
+            s = search(query, fl=attr_ids, ret_key='alias', count=100)
+            try:
+                cis, _, _, _, _, _ = s.search()
+                cis = [{k: (enum_map.get(k) or {}).get(v, v) for k, v in ci.items()} for ci in cis]
+            except SearchError as e:
+                current_app.logger.error(e)
+                return
+
+            return cis
+
+        origin_result = dict()
+        result = dict()
+        # level = 1
+        query = "_type:({}),{}".format(";".join(map(str, type_ids)), other_filter)
+        s = search(query, fl=attr_ids, facet=[attr_ids[0]], count=1)
+        try:
+            _, _, _, _, _, facet = s.search()
+        except SearchError as e:
+            current_app.logger.error(e)
+            return
+
+        enum_map1 = AttributeManager.get_enum_map(attr_ids[0])
+        for i in (list(facet.values()) or [[]])[0]:
+            k = ValueTypeMap.serialize2[attr2value_type[0]](str(i[0]))
+            result[enum_map1.get(k, k)] = i[1]
+            origin_result[k] = i[1]
+        if len(attr_ids) == 1:
+            return result
+
+        # level = 2
+        enum_map2 = AttributeManager.get_enum_map(attr_ids[1])
+        for v in origin_result:
+            query = "_type:({}),{},{}:{}".format(";".join(map(str, type_ids)), other_filter, attr_ids[0], v)
+            s = search(query, fl=attr_ids, facet=[attr_ids[1]], count=1)
+            try:
+                _, _, _, _, _, facet = s.search()
+            except SearchError as e:
+                current_app.logger.error(e)
+                return
+            result[enum_map1.get(v, v)] = dict()
+            origin_result[v] = dict()
+            for i in (list(facet.values()) or [[]])[0]:
+                k = ValueTypeMap.serialize2[attr2value_type[1]](str(i[0]))
+                result[enum_map1.get(v, v)][enum_map2.get(k, k)] = i[1]
+                origin_result[v][k] = i[1]
+
+        if len(attr_ids) == 2:
+            return result
+
+        # level = 3
+        enum_map3 = AttributeManager.get_enum_map(attr_ids[2])
+        for v1 in origin_result:
+            if not isinstance(result[enum_map1.get(v1, v1)], dict):
+                continue
+            for v2 in origin_result[v1]:
+                query = "_type:({}),{},{}:{},{}:{}".format(";".join(map(str, type_ids)), other_filter,
+                                                           attr_ids[0], v1, attr_ids[1], v2)
+                s = search(query, fl=attr_ids, facet=[attr_ids[2]], count=1)
+                try:
+                    _, _, _, _, _, facet = s.search()
+                except SearchError as e:
+                    current_app.logger.error(e)
+                    return
+                result[enum_map1.get(v1, v1)][enum_map2.get(v2, v2)] = dict()
+                for i in (list(facet.values()) or [[]])[0]:
+                    k = ValueTypeMap.serialize2[attr2value_type[2]](str(i[0]))
+                    result[enum_map1.get(v1, v1)][enum_map2.get(v2, v2)][enum_map3.get(k, k)] = i[1]
+
+        return result
+
+    @staticmethod
+    def sum_counter(custom):
+        from api.lib.cmdb.search import SearchError
+        from api.lib.cmdb.search.ci import search
+
+        custom.setdefault('options', {})
+        type_id = custom.get('type_id')
+        type_ids = custom['options'].get('type_ids') or (type_id and [type_id])
+        other_filter = custom['options'].get('filter') or ''
+
+        query = "_type:({}),{}".format(";".join(map(str, type_ids)), other_filter)
+        s = search(query, count=1)
+        try:
+            _, _, _, _, numfound, _ = s.search()
+        except SearchError as e:
+            current_app.logger.error(e)
+            return
+
+        return numfound
+
+    @classmethod
+    def flush_adc_counter(cls):
+        res = db.session.query(CI.type_id, CI.is_auto_discovery)
+        result = dict()
+        for i in res:
+            result.setdefault(i.type_id, dict(total=0, auto_discovery=0))
+            result[i.type_id]['total'] += 1
+            if i.is_auto_discovery:
+                result[i.type_id]['auto_discovery'] += 1
+
+        cache.set(cls.KEY2, result, timeout=0)
+
+        res = db.session.query(AutoDiscoveryCI.created_at,
+                               AutoDiscoveryCI.updated_at,
+                               AutoDiscoveryCI.adt_id,
+                               AutoDiscoveryCI.type_id,
+                               AutoDiscoveryCI.is_accept).filter(AutoDiscoveryCI.deleted.is_(False))
+
+        today = datetime.datetime.today()
+        this_month = datetime.datetime(today.year, today.month, 1)
+        last_month = this_month - datetime.timedelta(days=1)
+        last_month = datetime.datetime(last_month.year, last_month.month, 1)
+        this_week = today - datetime.timedelta(days=datetime.date.weekday(today))
+        this_week = datetime.datetime(this_week.year, this_week.month, this_week.day)
+        last_week = this_week - datetime.timedelta(days=7)
+        last_week = datetime.datetime(last_week.year, last_week.month, last_week.day)
+        result = dict()
+        for i in res:
+            if i.type_id not in result:
+                result[i.type_id] = dict(instance_count=0, accept_count=0,
+                                         this_month_count=0, this_week_count=0, last_month_count=0, last_week_count=0)
+
+                adts = AutoDiscoveryCIType.get_by(type_id=i.type_id, to_dict=False)
+                result[i.type_id]['rule_count'] = len(adts) + AutoDiscoveryCITypeRelation.get_by(
+                    ad_type_id=i.type_id, only_query=True).count()
+                result[i.type_id]['exec_target_count'] = len(
+                    set([j.oneagent_id for adt in adts for j in db.session.query(
+                        AutoDiscoveryRuleSyncHistory.oneagent_id).filter(
+                        AutoDiscoveryRuleSyncHistory.adt_id == adt.id)]))
+
+            result[i.type_id]['instance_count'] += 1
+            if i.is_accept:
+                result[i.type_id]['accept_count'] += 1
+
+            if last_month <= i.created_at < this_month:
+                result[i.type_id]['last_month_count'] += 1
+            elif i.created_at >= this_month:
+                result[i.type_id]['this_month_count'] += 1
+
+            if last_week <= i.created_at < this_week:
+                result[i.type_id]['last_week_count'] += 1
+            elif i.created_at >= this_week:
+                result[i.type_id]['this_week_count'] += 1
+
+        for type_id in result:
+            existed = AutoDiscoveryCounter.get_by(type_id=type_id, first=True, to_dict=False)
+            if existed is None:
+                AutoDiscoveryCounter.create(type_id=type_id, **result[type_id])
+            else:
+                existed.update(**result[type_id])
+
+        for i in AutoDiscoveryCounter.get_by(to_dict=False):
+            if i.type_id not in result:
+                i.delete()
+
+    @classmethod
+    def clear_ad_exec_history(cls):
+        ci_types = CIType.get_by(to_dict=False)
+        for ci_type in ci_types:
+            for i in AutoDiscoveryExecHistory.get_by(type_id=ci_type.id, only_query=True).order_by(
+                    AutoDiscoveryExecHistory.id.desc()).offset(50000):
+                i.delete(commit=False)
+            db.session.commit()
+
+    @classmethod
+    def get_adc_counter(cls):
+        return cache.get(cls.KEY2) or cls.flush_adc_counter()
+
+    @classmethod
+    def flush_sub_counter(cls):
+        result = dict(type_id2users=defaultdict(list))
+
+        types = db.session.query(PreferenceShowAttributes.type_id,
+                                 PreferenceShowAttributes.uid, PreferenceShowAttributes.created_at).filter(
+            PreferenceShowAttributes.deleted.is_(False)).group_by(
+            PreferenceShowAttributes.uid, PreferenceShowAttributes.type_id)
+        for i in types:
+            result['type_id2users'][i.type_id].append(i.uid)
+
+        types = PreferenceTreeView.get_by(to_dict=False)
+        for i in types:
+
+            if i.uid not in result['type_id2users'][i.type_id]:
+                result['type_id2users'][i.type_id].append(i.uid)
+
+        cache.set(cls.KEY3, result, timeout=0)
+
+        return result
+
+    @classmethod
+    def get_sub_counter(cls):
+        return cache.get(cls.KEY3) or cls.flush_sub_counter()
+
+
+class AutoDiscoveryMappingCache(object):
+    PREFIX = 'CMDB::AutoDiscovery::Mapping::{}'
+
+    @classmethod
+    def get(cls, name):
+        res = cache.get(cls.PREFIX.format(name)) or {}
+        if not res:
+            path = os.path.join(os.path.abspath(os.path.dirname(__file__)),
+                                "auto_discovery/mapping/{}.yaml".format(name))
+            if os.path.exists(path):
+                with open(path, 'r') as f:
+                    mapping = yaml.safe_load(f)
+                    res = mapping.get('mapping') or {}
+                    res and cache.set(cls.PREFIX.format(name), res, timeout=0)
+
+        return res

cmdb-api/api/lib/cmdb/const.py

@@ -1,6 +1,8 @@
 # -*- coding:utf-8 -*- 
 
 
+from flask_babel import lazy_gettext as _l
+
 from api.lib.utils import BaseEnum
 
 
@@ -11,6 +13,17 @@ class ValueTypeEnum(BaseEnum):
     DATETIME = "3"
     DATE = "4"
     TIME = "5"
+    JSON = "6"
+    PASSWORD = TEXT
+    LINK = TEXT
+    BOOL = "7"
+    REFERENCE = INT
+
+
+class ConstraintEnum(BaseEnum):
+    One2Many = "0"
+    One2One = "1"
+    Many2Many = "2"
 
 
 class CIStatusEnum(BaseEnum):
@@ -31,6 +44,26 @@ class OperateType(BaseEnum):
     UPDATE = "2"
 
 
+class CITypeOperateType(BaseEnum):
+    ADD = "0"  # add CIType
+    UPDATE = "1"  # update CIType
+    DELETE = "2"  # delete CIType
+    ADD_ATTRIBUTE = "3"
+    UPDATE_ATTRIBUTE = "4"
+    DELETE_ATTRIBUTE = "5"
+    ADD_TRIGGER = "6"
+    UPDATE_TRIGGER = "7"
+    DELETE_TRIGGER = "8"
+    ADD_UNIQUE_CONSTRAINT = "9"
+    UPDATE_UNIQUE_CONSTRAINT = "10"
+    DELETE_UNIQUE_CONSTRAINT = "11"
+    ADD_RELATION = "12"
+    DELETE_RELATION = "13"
+    ADD_RECONCILIATION = "14"
+    UPDATE_RECONCILIATION = "15"
+    DELETE_RECONCILIATION = "16"
+
+
 class RetKey(BaseEnum):
     ID = "id"
     NAME = "name"
@@ -39,21 +72,87 @@ class RetKey(BaseEnum):
 
 class ResourceTypeEnum(BaseEnum):
     CI = "CIType"
-    RELATION_VIEW = "RelationView"
+    CI_TYPE = "CIType"  # create/update/delete/read/config/grant
+    CI_TYPE_RELATION = "CITypeRelation"  # create/delete/grant
+    RELATION_VIEW = "RelationView"  # read/update/delete/grant
+    CI_FILTER = "CIFilter"  # read
+    PAGE = "page"  # read
+    TOPOLOGY_VIEW = "TopologyView"  # read/update/delete/grant
 
 
 class PermEnum(BaseEnum):
-    ADD = "add"
+    ADD = "create"
     UPDATE = "update"
     DELETE = "delete"
     READ = "read"
+    CONFIG = "config"
+    GRANT = "grant"
 
 
 class RoleEnum(BaseEnum):
-    CONFIG = "admin"
+    CONFIG = "cmdb_admin"
     CMDB_READ_ALL = "CMDB_READ_ALL"
 
 
-CMDB_QUEUE = "cmdb_async"
-REDIS_PREFIX_CI = "CMDB_CI"
+class AutoDiscoveryType(BaseEnum):
+    AGENT = "agent"
+    SNMP = "snmp"
+    HTTP = "http"  # cloud
+    COMPONENTS = "components"
+
+
+class AttributeDefaultValueEnum(BaseEnum):
+    CREATED_AT = "$created_at"
+    UPDATED_AT = "$updated_at"
+    AUTO_INC_ID = "$auto_inc_id"
+
+
+class ExecuteStatusEnum(BaseEnum):
+    COMPLETED = '0'
+    FAILED = '1'
+    RUNNING = '2'
+
+
+class RelationSourceEnum(BaseEnum):
+    ATTRIBUTE_VALUES = "0"
+    AUTO_DISCOVERY = "1"
+
+
+class BuiltinModelEnum(BaseEnum):
+    IPAM_SUBNET = "ipam_subnet"
+    IPAM_ADDRESS = "ipam_address"
+    IPAM_SCOPE = "ipam_scope"
+
+    DCIM_REGION = "dcim_region"
+    DCIM_IDC = "dcim_idc"
+    DCIM_SERVER_ROOM = "dcim_server_room"
+    DCIM_RACK = "dcim_rack"
+
+
+BUILTIN_ATTRIBUTES = {
+    "_updated_at": _l("Update Time"),
+    "_updated_by": _l("Updated By"),
+}
+
+CMDB_QUEUE = "one_cmdb_async"
+REDIS_PREFIX_CI = "ONE_CMDB"
 REDIS_PREFIX_CI_RELATION = "CMDB_CI_RELATION"
+REDIS_PREFIX_CI_RELATION2 = "CMDB_CI_RELATION2"
+
+BUILTIN_KEYWORDS = {'id', '_id', 'ci_id', 'type', '_type', 'ci_type', 'ticket_id', *BUILTIN_ATTRIBUTES.keys()}
+
+
+class SysComputedAttributes(object):
+    from api.lib.cmdb.ipam.const import SubnetBuiltinAttributes
+    type2attr = {
+        BuiltinModelEnum.IPAM_SUBNET: {
+            SubnetBuiltinAttributes.HOSTS_COUNT,
+            SubnetBuiltinAttributes.ASSIGN_COUNT,
+            SubnetBuiltinAttributes.USED_COUNT,
+            SubnetBuiltinAttributes.FREE_COUNT
+        }
+    }
+
+
+L_TYPE = None
+L_CI = None

cmdb-api/api/lib/cmdb/custom_dashboard.py

@@ -0,0 +1,82 @@
+# -*- coding:utf-8 -*-
+
+from flask import abort
+
+from api.lib.cmdb.resp_format import ErrFormat
+from api.models.cmdb import CustomDashboard
+from api.models.cmdb import SystemConfig
+
+
+class CustomDashboardManager(object):
+    cls = CustomDashboard
+
+    @staticmethod
+    def get():
+        return sorted(CustomDashboard.get_by(to_dict=True), key=lambda x: (x["category"], x['order']))
+
+    @staticmethod
+    def preview(**kwargs):
+        from api.lib.cmdb.cache import CMDBCounterCache
+
+        res = CMDBCounterCache.update(kwargs, flush=False)
+
+        return res
+
+    @staticmethod
+    def add(**kwargs):
+        from api.lib.cmdb.cache import CMDBCounterCache
+
+        if kwargs.get('name'):
+            CustomDashboard.get_by(name=kwargs['name']) and abort(400, ErrFormat.custom_name_duplicate)
+
+        new = CustomDashboard.create(**kwargs)
+
+        res = CMDBCounterCache.update(new.to_dict())
+
+        return new, res
+
+    @staticmethod
+    def update(_id, **kwargs):
+        from api.lib.cmdb.cache import CMDBCounterCache
+
+        existed = CustomDashboard.get_by_id(_id) or abort(404, ErrFormat.not_found)
+
+        new = existed.update(**kwargs)
+
+        res = CMDBCounterCache.update(new.to_dict())
+
+        return new, res
+
+    @staticmethod
+    def batch_update(id2options):
+        for _id in id2options:
+            existed = CustomDashboard.get_by_id(_id) or abort(404, ErrFormat.not_found)
+            existed.update(options=id2options[_id])
+
+    @staticmethod
+    def delete(_id):
+        existed = CustomDashboard.get_by_id(_id) or abort(404, ErrFormat.not_found)
+
+        existed.soft_delete()
+
+
+class SystemConfigManager(object):
+    cls = SystemConfig
+
+    @staticmethod
+    def get(name):
+        return SystemConfig.get_by(name=name, first=True, to_dict=True)
+
+    @staticmethod
+    def create_or_update(name, option):
+        existed = SystemConfig.get_by(name=name, first=True, to_dict=False)
+        if existed is not None:
+            return existed.update(option=option)
+        else:
+            return SystemConfig.create(name=name, option=option)
+
+    @staticmethod
+    def delete(name):
+        existed = SystemConfig.get_by(name=name, first=True, to_dict=False) or abort(404, ErrFormat.not_found)
+
+        existed.soft_delete()

cmdb-api/api/lib/cmdb/dcim/__init__.py

@@ -0,0 +1 @@
+# -*- coding:utf-8 -*-

cmdb-api/api/lib/cmdb/dcim/base.py

@@ -0,0 +1,33 @@
+# -*- coding:utf-8 -*-
+
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.ci import CIRelationManager
+from api.lib.cmdb.const import ExistPolicy
+
+
+class DCIMBase(object):
+    def __init__(self):
+        self.type_id = None
+
+    @staticmethod
+    def add_relation(parent_id, child_id):
+        if not parent_id or not child_id:
+            return
+
+        CIRelationManager().add(parent_id, child_id, valid=False, apply_async=False)
+
+    def add(self, parent_id, **kwargs):
+        ci_id = CIManager().add(self.type_id, exist_policy=ExistPolicy.REJECT, **kwargs)
+
+        if parent_id:
+            self.add_relation(parent_id, ci_id)
+
+        return ci_id
+
+    @classmethod
+    def update(cls, _id, **kwargs):
+        CIManager().update(_id, **kwargs)
+
+    @classmethod
+    def delete(cls, _id):
+        CIManager().delete(_id)

cmdb-api/api/lib/cmdb/dcim/const.py

@@ -0,0 +1,17 @@
+# -*- coding:utf-8 -*-
+
+
+from api.lib.utils import BaseEnum
+
+
+class RackBuiltinAttributes(BaseEnum):
+    U_COUNT = 'u_count'
+    U_START = 'u_start'
+    FREE_U_COUNT = 'free_u_count'
+    U_SLOT_ABNORMAL = 'u_slot_abnormal'
+
+
+class OperateTypeEnum(BaseEnum):
+    ADD_DEVICE = "0"
+    REMOVE_DEVICE = "1"
+    MOVE_DEVICE = "2"

cmdb-api/api/lib/cmdb/dcim/history.py

@@ -0,0 +1,40 @@
+from flask_login import current_user
+
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.mixin import DBMixin
+from api.models.cmdb import DCIMOperationHistory
+
+
+class OperateHistoryManager(DBMixin):
+    cls = DCIMOperationHistory
+
+    @classmethod
+    def search(cls, page, page_size, fl=None, only_query=False, reverse=False, count_query=False,
+               last_size=None, **kwargs):
+        numfound, result = super(OperateHistoryManager, cls).search(page, page_size, fl, only_query, reverse,
+                                                                    count_query, last_size, **kwargs)
+
+        ci_ids = [i['ci_id'] for i in result]
+        id2ci = {i['_id']: i for i in (CIManager.get_cis_by_ids(ci_ids) or []) if i}
+        type2show_key = dict()
+        for i in id2ci.values():
+            if i.get('_type') not in type2show_key:
+                ci_type = CITypeCache.get(i.get('_type'))
+                if ci_type:
+                    show_key = AttributeCache.get(ci_type.show_id or ci_type.unique_id)
+                    type2show_key[i['_type']] = show_key and show_key.name
+
+        return numfound, result, id2ci, type2show_key
+
+    def _can_add(self, **kwargs):
+        kwargs['uid'] = current_user.uid
+
+        return kwargs
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass

cmdb-api/api/lib/cmdb/dcim/idc.py

@@ -0,0 +1,19 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import abort
+
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.dcim.base import DCIMBase
+from api.lib.cmdb.resp_format import ErrFormat
+
+
+class IDCManager(DCIMBase):
+    def __init__(self):
+        super(IDCManager, self).__init__()
+
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.DCIM_IDC) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_IDC))
+
+        self.type_id = self.ci_type.id

cmdb-api/api/lib/cmdb/dcim/rack.py

@@ -0,0 +1,182 @@
+# -*- coding:utf-8 -*-
+
+import itertools
+import redis_lock
+from flask import abort
+
+from api.extensions import rd
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.ci import CIRelationManager
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.dcim.base import DCIMBase
+from api.lib.cmdb.dcim.const import OperateTypeEnum
+from api.lib.cmdb.dcim.const import RackBuiltinAttributes
+from api.lib.cmdb.dcim.history import OperateHistoryManager
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.lib.cmdb.search.ci_relation.search import Search as RelationSearch
+
+
+class RackManager(DCIMBase):
+    def __init__(self):
+        super(RackManager, self).__init__()
+
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.DCIM_RACK) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_RACK))
+
+        self.type_id = self.ci_type.id
+
+    @classmethod
+    def update(cls, _id, **kwargs):
+        if RackBuiltinAttributes.U_COUNT in kwargs:
+            devices, _, _, _, _, _ = RelationSearch(
+                [_id],
+                level=[1],
+                fl=[RackBuiltinAttributes.U_COUNT, RackBuiltinAttributes.U_START],
+                count=1000000).search()
+            for device in devices:
+                u_start = device.get(RackBuiltinAttributes.U_START)
+                u_count = device.get(RackBuiltinAttributes.U_COUNT) or 2
+                if u_start and u_start + u_count - 1 > kwargs[RackBuiltinAttributes.U_COUNT]:
+                    return abort(400, ErrFormat.dcim_rack_u_count_invalid)
+
+        CIManager().update(_id, _sync=True, **kwargs)
+
+        if RackBuiltinAttributes.U_COUNT in kwargs:
+            payload = {RackBuiltinAttributes.FREE_U_COUNT: cls.calc_u_free_count(_id)}
+
+            CIManager().update(_id, _sync=True, **payload)
+
+    def delete(self, _id):
+        super(RackManager, self).delete(_id)
+
+        payload = {RackBuiltinAttributes.U_START: None}
+        _, _, second_cis = CIRelationManager.get_second_cis(_id, per_page='all')
+        for ci in second_cis:
+            CIManager().update(ci['_id'], **payload)
+
+    @staticmethod
+    def calc_u_free_count(rack_id, device_id=None, u_start=None, u_count=None):
+        rack = CIManager.get_ci_by_id(rack_id, need_children=False)
+        if not rack.get(RackBuiltinAttributes.U_COUNT):
+            return 0
+
+        if device_id is not None and u_count is None:
+            ci = CIManager().get_ci_by_id(device_id, need_children=False)
+            u_count = ci.get(RackBuiltinAttributes.U_COUNT) or 2
+
+        if u_start and u_start + u_count - 1 > rack.get(RackBuiltinAttributes.U_COUNT):
+            return abort(400, ErrFormat.dcim_rack_u_slot_invalid)
+
+        devices, _, _, _, _, _ = RelationSearch(
+            [rack_id],
+            level=[1],
+            fl=[RackBuiltinAttributes.U_COUNT, RackBuiltinAttributes.U_START],
+            count=1000000).search()
+
+        u_count_sum = 0
+        for device in devices:
+            u_count_sum += (device.get(RackBuiltinAttributes.U_COUNT) or 2)
+            if device_id is not None:
+                _u_start = device.get(RackBuiltinAttributes.U_START)
+                _u_count = device.get(RackBuiltinAttributes.U_COUNT) or 2
+                if not _u_start:
+                    continue
+
+                if device.get('_id') != device_id and set(range(u_start, u_start + u_count)) & set(
+                        range(_u_start, _u_start + _u_count)):
+                    return abort(400, ErrFormat.dcim_rack_u_slot_invalid)
+
+        return rack[RackBuiltinAttributes.U_COUNT] - u_count_sum
+
+    def check_u_slot(self):
+        racks, _, _, _, _, _ = SearchFromDB(
+            "_type:{}".format(self.type_id),
+            count=10000000,
+            fl=[RackBuiltinAttributes.U_START, RackBuiltinAttributes.U_COUNT, RackBuiltinAttributes.U_SLOT_ABNORMAL],
+            parent_node_perm_passed=True).search()
+
+        for rack in racks:
+            devices, _, _, _, _, _ = RelationSearch(
+                [rack['_id']],
+                level=[1],
+                fl=[RackBuiltinAttributes.U_COUNT, RackBuiltinAttributes.U_START],
+                count=1000000).search()
+
+            u_slot_sets = []
+            for device in devices:
+                u_start = device.get(RackBuiltinAttributes.U_START)
+                u_count = device.get(RackBuiltinAttributes.U_COUNT) or 2
+                if u_start is not None and str(u_start).isdigit():
+                    u_slot_sets.append(set(range(u_start, u_start + u_count)))
+
+            if len(u_slot_sets) > 1:
+                u_slot_abnormal = False
+                for a, b in itertools.combinations(u_slot_sets, 2):
+                    if a.intersection(b):
+                        u_slot_abnormal = True
+                        break
+                if u_slot_abnormal != rack.get(RackBuiltinAttributes.U_SLOT_ABNORMAL):
+                    payload = {RackBuiltinAttributes.U_SLOT_ABNORMAL: u_slot_abnormal}
+                    CIManager().update(rack['_id'], **payload)
+
+    def add_device(self, rack_id, device_id, u_start, u_count=None):
+        with (redis_lock.Lock(rd.r, "DCIM_RACK_OPERATE_{}".format(rack_id), expire=10)):
+            self.calc_u_free_count(rack_id, device_id, u_start, u_count)
+
+            self.add_relation(rack_id, device_id)
+
+            payload = {RackBuiltinAttributes.U_START: u_start}
+            if u_count:
+                payload[RackBuiltinAttributes.U_COUNT] = u_count
+            CIManager().update(device_id, _sync=True, **payload)
+
+            payload = {
+                RackBuiltinAttributes.FREE_U_COUNT: self.calc_u_free_count(rack_id, device_id, u_start, u_count)}
+            CIManager().update(rack_id, _sync=True, **payload)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.ADD_DEVICE, rack_id=rack_id, ci_id=device_id)
+
+    def remove_device(self, rack_id, device_id):
+        with (redis_lock.Lock(rd.r, "DCIM_RACK_OPERATE_{}".format(rack_id), expire=10)):
+            CIRelationManager.delete_3(rack_id, device_id, apply_async=False, valid=False)
+
+            payload = {RackBuiltinAttributes.FREE_U_COUNT: self.calc_u_free_count(rack_id)}
+            CIManager().update(rack_id, _sync=True, **payload)
+
+            payload = {RackBuiltinAttributes.U_START: None}
+            CIManager().update(device_id, _sync=True, **payload)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.REMOVE_DEVICE, rack_id=rack_id, ci_id=device_id)
+
+    def move_device(self, rack_id, device_id, to_u_start):
+        with (redis_lock.Lock(rd.r, "DCIM_RACK_OPERATE_{}".format(rack_id), expire=10)):
+            payload = {RackBuiltinAttributes.FREE_U_COUNT: self.calc_u_free_count(rack_id, device_id, to_u_start)}
+            CIManager().update(rack_id, _sync=True, **payload)
+
+            CIManager().update(device_id, _sync=True, **{RackBuiltinAttributes.U_START: to_u_start})
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.MOVE_DEVICE, rack_id=rack_id, ci_id=device_id)
+
+    def migrate_device(self, rack_id, device_id, to_rack_id, to_u_start):
+        with (redis_lock.Lock(rd.r, "DCIM_RACK_OPERATE_{}".format(rack_id), expire=10)):
+            self.calc_u_free_count(to_rack_id, device_id, to_u_start)
+
+            if rack_id != to_rack_id:
+                CIRelationManager.delete_3(rack_id, device_id, apply_async=False, valid=False)
+
+                self.add_relation(to_rack_id, device_id)
+
+                payload = {
+                    RackBuiltinAttributes.FREE_U_COUNT: self.calc_u_free_count(to_rack_id, device_id, to_u_start)}
+                CIManager().update(to_rack_id, _sync=True, **payload)
+
+            CIManager().update(device_id, _sync=True, **{RackBuiltinAttributes.U_START: to_u_start})
+
+            if rack_id != to_rack_id:
+                payload = {RackBuiltinAttributes.FREE_U_COUNT: self.calc_u_free_count(rack_id)}
+                CIManager().update(rack_id, _sync=True, **payload)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.REMOVE_DEVICE, rack_id=rack_id, ci_id=device_id)
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.ADD_DEVICE, rack_id=to_rack_id, ci_id=device_id)

cmdb-api/api/lib/cmdb/dcim/region.py

@@ -0,0 +1,29 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import abort
+
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.const import ExistPolicy
+from api.lib.cmdb.resp_format import ErrFormat
+
+
+class RegionManager(object):
+    def __init__(self):
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.DCIM_REGION) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_REGION))
+
+        self.type_id = self.ci_type.id
+
+    def add(self, **kwargs):
+        return CIManager().add(self.type_id, exist_policy=ExistPolicy.REJECT, **kwargs)
+
+    @classmethod
+    def update(cls, _id, **kwargs):
+        CIManager().update(_id, **kwargs)
+
+    @classmethod
+    def delete(cls, _id):
+        CIManager().delete(_id)

cmdb-api/api/lib/cmdb/dcim/server_room.py

@@ -0,0 +1,56 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import abort
+
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.dcim.base import DCIMBase
+from api.lib.cmdb.dcim.const import RackBuiltinAttributes
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.models.cmdb import CI
+from api.models.cmdb import CIRelation
+
+
+class ServerRoomManager(DCIMBase):
+    def __init__(self):
+        super(ServerRoomManager, self).__init__()
+
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.DCIM_SERVER_ROOM) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_SERVER_ROOM))
+        self.type_id = self.ci_type.id
+
+    @staticmethod
+    def get_racks(_id, q=None):
+        rack_type = CITypeCache.get(BuiltinModelEnum.DCIM_RACK) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_RACK))
+
+        relations = CIRelation.get_by(first_ci_id=_id, only_query=True).join(
+            CI, CI.id == CIRelation.second_ci_id).filter(CI.type_id == rack_type.id)
+        rack_ids = [i.second_ci_id for i in relations]
+
+        q = "_type:{}".format(rack_type.id) if not q else "_type:{},{}".format(rack_type.id, q)
+        if rack_ids:
+            response, _, _, _, numfound, _ = SearchFromDB(
+                q,
+                ci_ids=list(rack_ids),
+                count=1000000,
+                parent_node_perm_passed=True).search()
+        else:
+            response, numfound = [], 0
+
+        counter = dict(rack_count=numfound)
+        u_count = 0
+        free_u_count = 0
+        for i in response:
+            _u_count = i.get(RackBuiltinAttributes.U_COUNT) or 0
+            u_count += _u_count
+            free_u_count += (_u_count if i.get(RackBuiltinAttributes.FREE_U_COUNT) is None else
+                             i.get(RackBuiltinAttributes.FREE_U_COUNT))
+        counter["u_count"] = u_count
+        counter["u_used_count"] = u_count - free_u_count
+        counter["device_count"] = CIRelation.get_by(only_query=True).filter(
+            CIRelation.first_ci_id.in_(rack_ids)).count()
+
+        return counter, response

cmdb-api/api/lib/cmdb/dcim/tree_view.py

@@ -0,0 +1,85 @@
+# -*- coding:utf-8 -*-
+
+from collections import defaultdict
+
+from flask import abort
+
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.models.cmdb import CI
+from api.models.cmdb import CIRelation
+
+
+class TreeViewManager(object):
+    @classmethod
+    def get(cls):
+        region_type = CITypeCache.get(BuiltinModelEnum.DCIM_REGION) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_REGION))
+
+        idc_type = CITypeCache.get(BuiltinModelEnum.DCIM_IDC) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_IDC))
+
+        server_room_type = CITypeCache.get(BuiltinModelEnum.DCIM_SERVER_ROOM) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_SERVER_ROOM))
+
+        rack_type = CITypeCache.get(BuiltinModelEnum.DCIM_RACK) or abort(
+            404, ErrFormat.dcim_builtin_model_not_found.format(BuiltinModelEnum.DCIM_RACK))
+
+        relations = defaultdict(set)
+        ids = set()
+        has_parent_ids = set()
+
+        for i in CIRelation.get_by(only_query=True).join(CI, CI.id == CIRelation.first_ci_id).filter(
+                CI.type_id.in_([region_type.id, idc_type.id])):
+            relations[i.first_ci_id].add(i.second_ci_id)
+            ids.add(i.first_ci_id)
+            ids.add(i.second_ci_id)
+            has_parent_ids.add(i.second_ci_id)
+
+        for i in CIRelation.get_by(only_query=True).join(
+                CI, CI.id == CIRelation.second_ci_id).filter(CI.type_id.in_([idc_type.id, server_room_type.id])):
+            relations[i.first_ci_id].add(i.second_ci_id)
+            ids.add(i.first_ci_id)
+            ids.add(i.second_ci_id)
+            has_parent_ids.add(i.second_ci_id)
+
+        for i in CI.get_by(only_query=True).filter(CI.type_id.in_([region_type.id, idc_type.id])):
+            ids.add(i.id)
+
+        for _id in ids:
+            if _id not in has_parent_ids:
+                relations[None].add(_id)
+
+        type2name = dict()
+        type2name[region_type.id] = AttributeCache.get(region_type.show_id or region_type.unique_id).name
+        type2name[idc_type.id] = AttributeCache.get(idc_type.show_id or idc_type.unique_id).name
+        type2name[server_room_type.id] = AttributeCache.get(server_room_type.show_id or server_room_type.unique_id).name
+
+        response, _, _, _, _, _ = SearchFromDB(
+            "_type:({})".format(";".join(map(str, [region_type.id, idc_type.id, server_room_type.id]))),
+            ci_ids=list(ids),
+            count=1000000,
+            fl=list(type2name.values()),
+            parent_node_perm_passed=True).search()
+        id2ci = {i['_id']: i for i in response}
+
+        def _build_tree(_tree, parent_id=None):
+            tree = []
+            for child_id in _tree.get(parent_id, []):
+                children = sorted(_build_tree(_tree, child_id), key=lambda x: x['_id'])
+                if not id2ci.get(child_id):
+                    continue
+                ci = id2ci[child_id]
+                if ci['ci_type'] == BuiltinModelEnum.DCIM_SERVER_ROOM:
+                    ci['rack_count'] = CIRelation.get_by(first_ci_id=child_id, only_query=True).join(
+                        CI, CI.id == CIRelation.second_ci_id).filter(CI.type_id == rack_type.id).count()
+
+                tree.append({'children': children, **ci})
+            return tree
+
+        result = sorted(_build_tree(relations), key=lambda x: x['_id'])
+
+        return result, type2name

cmdb-api/api/lib/cmdb/history.py

@@ -1,87 +1,218 @@
-# -*- coding:utf-8 -*- 
+# -*- coding:utf-8 -*-
 
 
+import json
+
 from flask import abort
-from flask import g
+from flask_login import current_user
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
 from api.lib.cmdb.cache import RelationTypeCache
 from api.lib.cmdb.const import OperateType
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.perms import CIFilterPermsCRUD
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.perm.acl.cache import UserCache
+from api.models.cmdb import CI
 from api.models.cmdb import Attribute
 from api.models.cmdb import AttributeHistory
 from api.models.cmdb import CIRelationHistory
+from api.models.cmdb import CITriggerHistory
+from api.models.cmdb import CITypeHistory
+from api.models.cmdb import CITypeTrigger
+from api.models.cmdb import CITypeUniqueConstraint
 from api.models.cmdb import OperationRecord
+from api.lib.cmdb.utils import TableMap
 
 
 class AttributeHistoryManger(object):
     @staticmethod
-    def get_records(start, end, username, page, page_size):
-        records = db.session.query(OperationRecord).filter(OperationRecord.deleted.is_(False))
-        numfound = db.session.query(db.func.count(OperationRecord.id)).filter(OperationRecord.deleted.is_(False))
+    def get_records_for_attributes(start, end, username, page, page_size, operate_type, type_id,
+                                   ci_id=None, attr_id=None, ci_ids=None, more=False):
+
+        records = db.session.query(OperationRecord, AttributeHistory).join(
+            AttributeHistory, OperationRecord.id == AttributeHistory.record_id)
         if start:
             records = records.filter(OperationRecord.created_at >= start)
-            numfound = numfound.filter(OperationRecord.created_at >= start)
         if end:
             records = records.filter(OperationRecord.created_at <= end)
-            numfound = records.filter(OperationRecord.created_at <= end)
+        if type_id:
+            records = records.filter(OperationRecord.type_id == type_id)
         if username:
             user = UserCache.get(username)
             if user:
                 records = records.filter(OperationRecord.uid == user.uid)
             else:
-                return abort(404, "User <{0}> is not found".format(username))
+                return abort(404, ErrFormat.user_not_found.format(username))
+        if operate_type:
+            records = records.filter(AttributeHistory.operate_type == operate_type)
 
-        records = records.order_by(-OperationRecord.id).offset(page_size * (page - 1)).limit(page_size).all()
+        if ci_id is not None:
+            records = records.filter(AttributeHistory.ci_id == ci_id)
+
+        if ci_ids and isinstance(ci_ids, list):
+            records = records.filter(AttributeHistory.ci_id.in_(ci_ids))
+
+        if attr_id is not None:
+            records = records.filter(AttributeHistory.attr_id == attr_id)
+
+        records = records.order_by(AttributeHistory.id.desc()).offset(page_size * (page - 1)).limit(page_size).all()
         total = len(records)
-        numfound = numfound.first()[0]
-        res = []
+
+        res = {}
+        show_attr_set = {}
+        show_attr_cache = {}
         for record in records:
-            _res = record.to_dict()
-            _res["user"] = UserCache.get(_res.get("uid")).nickname or UserCache.get(_res.get("uid")).username
+            record_id = record.OperationRecord.id
+            type_id = record.OperationRecord.type_id
+            ci_id = record.AttributeHistory.ci_id
+            show_attr_set[ci_id] = None
+            show_attr = show_attr_cache.setdefault(
+                type_id, 
+                AttributeCache.get(
+                    CITypeCache.get(type_id).show_id or CITypeCache.get(type_id).unique_id) if CITypeCache.get(type_id) else None
+            )
+            if show_attr:
+                attr_table = TableMap(attr=show_attr).table
+                attr_record = attr_table.get_by(attr_id=show_attr.id, ci_id=ci_id, first=True, to_dict=False)
+                show_attr_set[ci_id] = attr_record.value if attr_record else None
+    
+            attr_hist = record.AttributeHistory.to_dict()
+            attr_hist['attr'] = AttributeCache.get(attr_hist['attr_id'])
+            if attr_hist['attr']:
+                attr_hist['attr_name'] = attr_hist['attr'].name
+                attr_hist['attr_alias'] = attr_hist['attr'].alias
+                if more:
+                    attr_hist['is_list'] = attr_hist['attr'].is_list
+                    attr_hist['is_computed'] = attr_hist['attr'].is_computed
+                    attr_hist['is_password'] = attr_hist['attr'].is_password
+                    attr_hist['default'] = attr_hist['attr'].default
+                attr_hist['value_type'] = attr_hist['attr'].value_type
+                attr_hist.pop("attr")
 
-            attr_history = AttributeHistory.get_by(record_id=_res.get("id"), to_dict=False)
-            _res["attr_history"] = [AttributeCache.get(h.attr_id).attr_alias for h in attr_history]
+            if record_id not in res:
+                record_dict = record.OperationRecord.to_dict()
+                record_dict['show_attr_value'] = show_attr_set.get(ci_id)
+                record_dict["user"] = UserCache.get(record_dict.get("uid"))
+                if record_dict["user"]:
+                    record_dict['user'] = record_dict['user'].nickname
 
-            rel_history = CIRelationHistory.get_by(record_id=_res.get("id"), to_dict=False)
-            rel_statis = {}
-            for rel in rel_history:
-                if rel.operate_type not in rel_statis:
-                    rel_statis[rel.operate_type] = 1
-                else:
-                    rel_statis[rel.operate_type] += 1
-            _res["rel_history"] = rel_statis
-            res.append(_res)
+                res[record_id] = [record_dict, [attr_hist]]
+            else:
+                res[record_id][1].append(attr_hist)
 
-        return numfound, total, res
+        attr_filter = CIFilterPermsCRUD.get_attr_filter(type_id)
+        if attr_filter:
+            res = [i for i in res if i.get('attr_name') in attr_filter]
+
+        res = [res[i] for i in sorted(res.keys(), reverse=True)]
+
+        return total, res
+
+    @staticmethod
+    def get_records_for_relation(start, end, username, page, page_size, operate_type, type_id,
+                                 first_ci_id=None, second_ci_id=None):
+
+        records = db.session.query(OperationRecord, CIRelationHistory).join(
+            CIRelationHistory, OperationRecord.id == CIRelationHistory.record_id)
+        if start:
+            records = records.filter(OperationRecord.created_at >= start)
+        if end:
+            records = records.filter(OperationRecord.created_at <= end)
+        if type_id:
+            records = records.filter(OperationRecord.type_id == type_id)
+        if username:
+            user = UserCache.get(username)
+            if user:
+                records = records.filter(OperationRecord.uid == user.uid)
+            else:
+                return abort(404, ErrFormat.user_not_found.format(username))
+        if operate_type:
+            records = records.filter(CIRelationHistory.operate_type == operate_type)
+
+        if first_ci_id is not None:
+            records = records.filter(CIRelationHistory.first_ci_id == first_ci_id)
+
+        if second_ci_id is not None:
+            records = records.filter(CIRelationHistory.second_ci_id == second_ci_id)
+
+        records = records.order_by(CIRelationHistory.id.desc()).offset(page_size * (page - 1)).limit(page_size).all()
+        total = len(records)
+
+        res = {}
+        ci_ids = set()
+        for record in records:
+            record_id = record.OperationRecord.id
+            rel_hist = record.CIRelationHistory.to_dict()
+
+            ci_ids.add(rel_hist['first_ci_id'])
+            ci_ids.add(rel_hist['second_ci_id'])
+            if record_id not in res:
+                record_dict = record.OperationRecord.to_dict()
+                record_dict["user"] = UserCache.get(record_dict.get("uid"))
+                if record_dict["user"]:
+                    record_dict['user'] = record_dict['user'].nickname
+
+                res[record_id] = [record_dict, [rel_hist]]
+            else:
+                res[record_id][1].append(rel_hist)
+
+        res = [res[i] for i in sorted(res.keys(), reverse=True)]
+
+        from api.lib.cmdb.ci import CIManager
+        cis = CIManager().get_cis_by_ids(list(ci_ids),
+                                         unique_required=True)
+        cis = {i['_id']: i for i in cis if i}
+
+        return total, res, cis
 
     @staticmethod
     def get_by_ci_id(ci_id):
         res = db.session.query(AttributeHistory, Attribute, OperationRecord).join(
             Attribute, Attribute.id == AttributeHistory.attr_id).join(
             OperationRecord, OperationRecord.id == AttributeHistory.record_id).filter(
-            AttributeHistory.ci_id == ci_id).order_by(OperationRecord.id.desc())
-        return [dict(attr_name=i.Attribute.name,
-                     attr_alias=i.Attribute.alias,
-                     operate_type=i.AttributeHistory.operate_type,
-                     username=UserCache.get(i.OperationRecord.uid).nickname,
-                     old=i.AttributeHistory.old,
-                     new=i.AttributeHistory.new,
-                     created_at=i.OperationRecord.created_at.strftime('%Y-%m-%d %H:%M:%S'),
-                     record_id=i.OperationRecord.id,
-                     hid=i.AttributeHistory.id
-                     ) for i in res]
+            AttributeHistory.ci_id == ci_id).order_by(AttributeHistory.id.desc())
+
+        from api.lib.cmdb.ci import CIManager
+        ci = CIManager.get_by_id(ci_id)
+
+        attr_filter = CIFilterPermsCRUD.get_attr_filter(ci.type_id) if ci else None
+        result = []
+        for i in res:
+            attr = i.Attribute
+            if attr_filter and attr.name not in attr_filter:
+                continue
+
+            user = UserCache.get(i.OperationRecord.uid)
+            hist = i.AttributeHistory
+            record = i.OperationRecord
+            item = dict(attr_name=attr.name,
+                        attr_alias=attr.alias,
+                        value_type=attr.value_type,
+                        operate_type=hist.operate_type,
+                        username=user and user.nickname,
+                        old=hist.old,
+                        new=hist.new,
+                        created_at=record.created_at.strftime('%Y-%m-%d %H:%M:%S'),
+                        record_id=record.id,
+                        ticket_id=record.ticket_id,
+                        hid=hist.id
+                        )
+            result.append(item)
+
+        return result
 
     @staticmethod
     def get_record_detail(record_id):
         from api.lib.cmdb.ci import CIManager
 
-        record = OperationRecord.get_by_id(record_id) or abort(404, "Record <{0}> is not found".format(record_id))
+        record = (OperationRecord.get_by_id(record_id) or
+                  abort(404, ErrFormat.record_not_found.format("id={}".format(record_id))))
 
         username = UserCache.get(record.uid).nickname or UserCache.get(record.uid).username
         timestamp = record.created_at.strftime("%Y-%m-%d %H:%M:%S")
-        attr_history = AttributeHistory.get_By(record_id=record_id, to_dict=False)
+        attr_history = AttributeHistory.get_by(record_id=record_id, to_dict=False)
         rel_history = CIRelationHistory.get_by(record_id=record_id, to_dict=False)
 
         attr_dict, rel_dict = dict(), {"add": [], "delete": []}
@@ -99,22 +230,28 @@ class AttributeHistoryManger(object):
         return username, timestamp, attr_dict, rel_dict
 
     @staticmethod
-    def add(ci_id, history_list):
-        record = OperationRecord.create(uid=g.user.uid)
+    def add(record_id, ci_id, history_list, type_id=None, ticket_id=None, flush=False, commit=True):
+        if record_id is None:
+            record = OperationRecord.create(uid=current_user.uid, type_id=type_id, ticket_id=ticket_id)
+            record_id = record.id
 
         for attr_id, operate_type, old, new in history_list or []:
             AttributeHistory.create(attr_id=attr_id,
                                     operate_type=operate_type,
-                                    old=old,
-                                    new=new,
+                                    old=json.dumps(old) if isinstance(old, (dict, list)) else old,
+                                    new=json.dumps(new) if isinstance(new, (dict, list)) else new,
                                     ci_id=ci_id,
-                                    record_id=record.id)
+                                    record_id=record_id,
+                                    flush=flush,
+                                    commit=commit)
+
+        return record_id
 
 
 class CIRelationHistoryManager(object):
     @staticmethod
-    def add(rel_obj, operate_type=OperateType.ADD):
-        record = OperationRecord.create(uid=g.user.uid)
+    def add(rel_obj, operate_type=OperateType.ADD, uid=None):
+        record = OperationRecord.create(uid=uid or current_user.uid)
 
         CIRelationHistory.create(relation_id=rel_obj.id,
                                  record_id=record.id,
@@ -122,3 +259,127 @@ class CIRelationHistoryManager(object):
                                  first_ci_id=rel_obj.first_ci_id,
                                  second_ci_id=rel_obj.second_ci_id,
                                  relation_type_id=rel_obj.relation_type_id)
+
+
+class CITypeHistoryManager(object):
+    @staticmethod
+    def get(page, page_size, username=None, type_id=None, operate_type=None):
+        query = CITypeHistory.get_by(only_query=True)
+        if type_id is not None:
+            query = query.filter(CITypeHistory.type_id == type_id)
+
+        if username:
+            user = UserCache.get(username)
+            if user:
+                query = query.filter(CITypeHistory.uid == user.uid)
+            else:
+                return abort(404, ErrFormat.user_not_found.format(username))
+
+        if operate_type is not None:
+            query = query.filter(CITypeHistory.operate_type == operate_type)
+
+        numfound = query.count()
+
+        query = query.order_by(CITypeHistory.id.desc())
+        result = query.offset((page - 1) * page_size).limit(page_size)
+        result = [i.to_dict() for i in result]
+        for res in result:
+            res["user"] = UserCache.get(res.get("uid"))
+            if res["user"]:
+                res['user'] = res['user'].nickname
+            if res.get('attr_id'):
+                attr = AttributeCache.get(res['attr_id'])
+                res['attr'] = attr and attr.to_dict()
+            elif res.get('trigger_id'):
+                trigger = CITypeTrigger.get_by_id(res['trigger_id'])
+                res['trigger'] = trigger and trigger.to_dict()
+            elif res.get('unique_constraint_id'):
+                unique_constraint = CITypeUniqueConstraint.get_by_id(res['unique_constraint_id'])
+                res['unique_constraint'] = unique_constraint and unique_constraint.to_dict()
+
+        return numfound, result
+
+    @staticmethod
+    def add(operate_type, type_id, attr_id=None, trigger_id=None, unique_constraint_id=None, change=None, rc_id=None):
+        if type_id is None and attr_id is not None:
+            from api.models.cmdb import CITypeAttribute
+            type_ids = [i.type_id for i in CITypeAttribute.get_by(attr_id=attr_id, to_dict=False)]
+        else:
+            type_ids = [type_id]
+
+        for _type_id in type_ids:
+            payload = dict(operate_type=operate_type,
+                           type_id=_type_id,
+                           uid=current_user.uid,
+                           attr_id=attr_id,
+                           trigger_id=trigger_id,
+                           rc_id=rc_id,
+                           unique_constraint_id=unique_constraint_id,
+                           change=change)
+
+            CITypeHistory.create(**payload)
+
+
+class CITriggerHistoryManager(object):
+    @staticmethod
+    def get(page, page_size, type_id=None, trigger_id=None, operate_type=None):
+        query = CITriggerHistory.get_by(only_query=True)
+        if type_id:
+            query = query.join(CI, CI.id == CITriggerHistory.ci_id).filter(CI.type_id == type_id)
+
+        if trigger_id:
+            query = query.filter(CITriggerHistory.trigger_id == trigger_id)
+
+        if operate_type:
+            query = query.filter(CITriggerHistory.operate_type == operate_type)
+
+        numfound = query.count()
+
+        query = query.order_by(CITriggerHistory.id.desc())
+        result = query.offset((page - 1) * page_size).limit(page_size)
+        result = [i.to_dict() for i in result]
+        for res in result:
+            if res.get('trigger_id'):
+                trigger = CITypeTrigger.get_by_id(res['trigger_id'])
+                res['trigger'] = trigger and trigger.to_dict()
+
+        return numfound, result
+
+    @staticmethod
+    def get_by_ci_id(ci_id):
+        res = db.session.query(CITriggerHistory, CITypeTrigger).join(
+            CITypeTrigger, CITypeTrigger.id == CITriggerHistory.trigger_id).filter(
+            CITriggerHistory.ci_id == ci_id).order_by(CITriggerHistory.id.desc())
+
+        result = []
+        id2trigger = dict()
+        for i in res:
+            hist = i.CITriggerHistory
+            item = dict(is_ok=hist.is_ok,
+                        operate_type=hist.operate_type,
+                        notify=hist.notify,
+                        trigger_id=hist.trigger_id,
+                        trigger_name=hist.trigger_name,
+                        webhook=hist.webhook,
+                        created_at=hist.created_at.strftime('%Y-%m-%d %H:%M:%S'),
+                        record_id=hist.record_id,
+                        hid=hist.id
+                        )
+            if i.CITypeTrigger.id not in id2trigger:
+                id2trigger[i.CITypeTrigger.id] = i.CITypeTrigger.to_dict()
+
+            result.append(item)
+
+        return dict(items=result, id2trigger=id2trigger)
+
+    @staticmethod
+    def add(operate_type, record_id, ci_id, trigger_id, trigger_name, is_ok=False, notify=None, webhook=None):
+
+        CITriggerHistory.create(operate_type=operate_type,
+                                record_id=record_id,
+                                ci_id=ci_id,
+                                trigger_id=trigger_id,
+                                trigger_name=trigger_name,
+                                is_ok=is_ok,
+                                notify=notify,
+                                webhook=webhook)

cmdb-api/api/lib/cmdb/ipam/__init__.py

@@ -0,0 +1 @@
+# -*- coding:utf-8 -*-

cmdb-api/api/lib/cmdb/ipam/address.py

@@ -0,0 +1,132 @@
+# -*- coding:utf-8 -*-
+
+import redis_lock
+from flask import abort
+
+from api.extensions import rd
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.ci import CIRelationManager
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.ipam.const import IPAddressAssignStatus
+from api.lib.cmdb.ipam.const import IPAddressBuiltinAttributes
+from api.lib.cmdb.ipam.const import OperateTypeEnum
+from api.lib.cmdb.ipam.const import SubnetBuiltinAttributes
+from api.lib.cmdb.ipam.history import OperateHistoryManager
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.lib.cmdb.search.ci_relation.search import Search as RelationSearch
+
+
+class IpAddressManager(object):
+    def __init__(self):
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.IPAM_ADDRESS) or abort(
+            404, ErrFormat.ipam_address_model_not_found.format(BuiltinModelEnum.IPAM_ADDRESS))
+
+        self.type_id = self.ci_type.id
+
+    @staticmethod
+    def list_ip_address(parent_id):
+        numfound, _, result = CIRelationManager.get_second_cis(parent_id, per_page="all")
+
+        return numfound, result
+
+    def _get_cis(self, subnet_id, ips):
+
+        q = "_type:{},{}:({})".format(self.type_id, IPAddressBuiltinAttributes.IP, ";".join(ips or []))
+
+        response, _, _, _, _, _ = RelationSearch([subnet_id], level=[1], query=q, count=1000000).search()
+
+        return response
+
+    @staticmethod
+    def _add_relation(parent_id, child_id):
+        if not parent_id or not child_id:
+            return
+
+        CIRelationManager().add(parent_id, child_id, valid=False, apply_async=False)
+
+    @staticmethod
+    def calc_used_count(subnet_id):
+        q = "{}:(0;2),-{}:true".format(IPAddressBuiltinAttributes.ASSIGN_STATUS, IPAddressBuiltinAttributes.IS_USED)
+
+        return len(set(RelationSearch([subnet_id], level=[1], query=q, count=1000000).search(only_ids=True) or []))
+
+    @staticmethod
+    def _calc_assign_count(subnet_id):
+        q = "{}:(0;2)".format(IPAddressBuiltinAttributes.ASSIGN_STATUS)
+
+        return len(set(RelationSearch([subnet_id], level=[1], query=q, count=1000000).search(only_ids=True) or []))
+
+    def _update_subnet_count(self, subnet_id, assign_count_computed, used_count=None):
+        payload = {}
+
+        cur = CIManager.get_ci_by_id(subnet_id, need_children=False)
+        if assign_count_computed:
+            payload[SubnetBuiltinAttributes.ASSIGN_COUNT] = self._calc_assign_count(subnet_id)
+        if used_count is not None:
+            payload[SubnetBuiltinAttributes.USED_COUNT] = used_count
+
+        payload[SubnetBuiltinAttributes.FREE_COUNT] = (cur[SubnetBuiltinAttributes.HOSTS_COUNT] -
+                                                       self.calc_used_count(subnet_id))
+        CIManager().update(subnet_id, **payload)
+
+    def assign_ips(self, ips, subnet_id, cidr, **kwargs):
+        """
+
+        :param ips: ip list
+        :param subnet_id: subnet id
+        :param cidr: subnet cidr
+        :param kwargs: other attributes for ip address
+        :return:
+        """
+        if subnet_id is not None:
+            subnet = CIManager.get_ci_by_id(subnet_id)
+        else:
+            cis, _, _, _, _, _ = SearchFromDB("_type:{},{}:{}".format(
+                BuiltinModelEnum.IPAM_SUBNET, SubnetBuiltinAttributes.CIDR, cidr),
+                parent_node_perm_passed=True).search()
+            if cis:
+                subnet = cis[0]
+                subnet_id = subnet['_id']
+            else:
+                return abort(400, ErrFormat.ipam_address_model_not_found)
+
+        with (redis_lock.Lock(rd.r, "IPAM_ASSIGN_ADDRESS_{}".format(subnet_id), expire=10)):
+            cis = self._get_cis(subnet_id, ips)
+            ip2ci = {ci[IPAddressBuiltinAttributes.IP]: ci for ci in cis}
+
+            ci_ids = []
+            for ip in ips:
+                kwargs['name'] = ip
+                kwargs[IPAddressBuiltinAttributes.IP] = ip
+                if ip not in ip2ci:
+                    ci_id = CIManager.add(self.type_id, _sync=True, **kwargs)
+                else:
+                    ci_id = ip2ci[ip]['_id']
+                    CIManager().update(ci_id, _sync=True, **kwargs)
+                ci_ids.append(ci_id)
+
+                self._add_relation(subnet_id, ci_id)
+
+            if ips and IPAddressBuiltinAttributes.ASSIGN_STATUS in kwargs:
+                self._update_subnet_count(subnet_id, True)
+
+            if ips and IPAddressBuiltinAttributes.IS_USED in kwargs:
+                q = "{}:true".format(IPAddressBuiltinAttributes.IS_USED)
+                cur_used_ids = RelationSearch([subnet_id], level=[1], query=q).search(only_ids=True)
+                for _id in set(cur_used_ids) - set(ci_ids):
+                    CIManager().update(_id, **{IPAddressBuiltinAttributes.IS_USED: False})
+
+                self._update_subnet_count(subnet_id, False, used_count=len(ips))
+
+        if kwargs.get(IPAddressBuiltinAttributes.ASSIGN_STATUS) in (
+                IPAddressAssignStatus.ASSIGNED, IPAddressAssignStatus.RESERVED):
+            OperateHistoryManager().add(operate_type=OperateTypeEnum.ASSIGN_ADDRESS,
+                                        cidr=subnet.get(SubnetBuiltinAttributes.CIDR),
+                                        description=" | ".join(ips))
+
+        elif kwargs.get(IPAddressBuiltinAttributes.ASSIGN_STATUS) == IPAddressAssignStatus.UNASSIGNED:
+            OperateHistoryManager().add(operate_type=OperateTypeEnum.REVOKE_ADDRESS,
+                                        cidr=subnet.get(SubnetBuiltinAttributes.CIDR),
+                                        description=" | ".join(ips))

cmdb-api/api/lib/cmdb/ipam/const.py

@@ -0,0 +1,35 @@
+# -*- coding:utf-8 -*-
+
+from api.lib.utils import BaseEnum
+
+
+class IPAddressAssignStatus(BaseEnum):
+    ASSIGNED = 0
+    UNASSIGNED = 1
+    RESERVED = 2
+
+
+class OperateTypeEnum(BaseEnum):
+    ADD_SCOPE = "0"
+    UPDATE_SCOPE = "1"
+    DELETE_SCOPE = "2"
+    ADD_SUBNET = "3"
+    UPDATE_SUBNET = "4"
+    DELETE_SUBNET = "5"
+    ASSIGN_ADDRESS = "6"
+    REVOKE_ADDRESS = "7"
+
+
+class SubnetBuiltinAttributes(BaseEnum):
+    NAME = 'name'
+    CIDR = 'cidr'
+    HOSTS_COUNT = 'hosts_count'
+    ASSIGN_COUNT = 'assign_count'
+    USED_COUNT = 'used_count'
+    FREE_COUNT = 'free_count'
+
+
+class IPAddressBuiltinAttributes(BaseEnum):
+    IP = 'ip'
+    ASSIGN_STATUS = 'assign_status'  # enum: 0 - assigned   1 - unassigned   2 - reserved
+    IS_USED = 'is_used'  # bool

cmdb-api/api/lib/cmdb/ipam/history.py

@@ -0,0 +1,61 @@
+# -*- coding:utf-8 -*-
+
+from flask_login import current_user
+
+from api.lib.cmdb.ipam.const import IPAddressBuiltinAttributes
+from api.lib.mixin import DBMixin
+from api.models.cmdb import IPAMOperationHistory
+from api.models.cmdb import IPAMSubnetScan
+from api.models.cmdb import IPAMSubnetScanHistory
+
+
+class OperateHistoryManager(DBMixin):
+    cls = IPAMOperationHistory
+
+    def _can_add(self, **kwargs):
+        kwargs['uid'] = current_user.uid
+
+        return kwargs
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+
+class ScanHistoryManager(DBMixin):
+    cls = IPAMSubnetScanHistory
+
+    def _can_add(self, **kwargs):
+        return kwargs
+
+    def add(self, **kwargs):
+        kwargs.pop('_key', None)
+        kwargs.pop('_secret', None)
+        ci_id = kwargs.pop('ci_id', None)
+
+        existed = self.cls.get_by(exec_id=kwargs['exec_id'], first=True, to_dict=False)
+        if existed is None:
+            self.cls.create(**kwargs)
+        else:
+            existed.update(**kwargs)
+
+        if kwargs.get('ips'):
+            from api.lib.cmdb.ipam.address import IpAddressManager
+            IpAddressManager().assign_ips(kwargs['ips'], ci_id, kwargs.get('cidr'),
+                                          **{IPAddressBuiltinAttributes.IS_USED: 1})
+
+            scan_rule = IPAMSubnetScan.get_by(ci_id=ci_id, first=True, to_dict=False)
+            if scan_rule is not None:
+                scan_rule.update(last_scan_time=kwargs.get('start_at'))
+
+        for i in self.cls.get_by(subnet_scan_id=kwargs.get('subnet_scan_id'), only_query=True).order_by(
+                self.cls.id.desc()).offset(100):
+            i.delete()
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass

cmdb-api/api/lib/cmdb/ipam/stats.py

@@ -0,0 +1,104 @@
+# -*- coding:utf-8 -*-
+
+
+import json
+from flask import abort
+
+from api.extensions import rd
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.models.cmdb import CI
+from api.models.cmdb import CIRelation
+from api.models.cmdb import IPAMSubnetScan
+
+
+class Stats(object):
+    def __init__(self):
+        self.address_type = CITypeCache.get(BuiltinModelEnum.IPAM_ADDRESS) or abort(
+            404, ErrFormat.ipam_address_model_not_found.format(BuiltinModelEnum.IPAM_ADDRESS))
+
+        self.address_type_id = self.address_type.id
+
+        self.subnet_type = CITypeCache.get(BuiltinModelEnum.IPAM_SUBNET) or abort(
+            404, ErrFormat.ipam_address_model_not_found.format(BuiltinModelEnum.IPAM_ADDRESS))
+
+        self.subnet_type_id = self.subnet_type.id
+
+    def leaf_nodes(self, parent_id):
+        if str(parent_id) == '0':  # all
+            ci_ids = [i.id for i in CI.get_by(type_id=self.subnet_type_id, to_dict=False)]
+            has_children_ci_ids = [i.first_ci_id for i in CIRelation.get_by(
+                only_query=True).join(CI, CIRelation.second_ci_id == CI.id).filter(
+                CIRelation.first_ci_id.in_(ci_ids)).filter(CI.type_id == self.subnet_type_id)]
+
+            return list(set(ci_ids) - set(has_children_ci_ids))
+
+        else:
+            _type = CIManager().get_by_id(parent_id)
+            if not _type:
+                return abort(404, ErrFormat.ipam_subnet_not_found)
+            key = [(str(parent_id), _type.type_id)]
+            result = []
+            while True:
+                res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(
+                    [i[0] for i in key], REDIS_PREFIX_CI_RELATION) or []]]
+
+                for idx, i in enumerate(res):
+                    if (not i or list(i)[0][1] == self.address_type_id) and key[idx][1] == self.subnet_type_id:
+                        result.append(int(key[idx][0]))
+
+                res = [j for i in res for j in i]  # [(id, type_id)]
+
+                if not res:
+                    return result
+
+                key = res
+
+    def statistic_subnets(self, subnet_ids):
+        if subnet_ids:
+            response, _, _, _, _, _ = SearchFromDB(
+                "_type:{}".format(self.subnet_type_id),
+                ci_ids=subnet_ids,
+                count=1000000,
+                parent_node_perm_passed=True,
+            ).search()
+        else:
+            response = []
+
+        scans = IPAMSubnetScan.get_by(only_query=True).filter(IPAMSubnetScan.ci_id.in_(list(map(int, subnet_ids))))
+        id2scan = {i.ci_id: i for i in scans}
+
+        address_num, address_free_num, address_assign_num, address_used_num = 0, 0, 0, 0
+        for subnet in response:
+            address_num += (subnet.get('hosts_count') or 0)
+            address_free_num += (subnet.get('free_count') or 0)
+            address_assign_num += (subnet.get('assign_count') or 0)
+            address_used_num += (subnet.get('used_count') or 0)
+
+            if id2scan.get(subnet['_id']):
+                subnet['scan_enabled'] = id2scan[subnet['_id']].scan_enabled
+                subnet['last_scan_time'] = id2scan[subnet['_id']].last_scan_time
+            else:
+                subnet['scan_enabled'] = False
+                subnet['last_scan_time'] = None
+
+        return response, address_num, address_free_num, address_assign_num, address_used_num
+
+    def summary(self, parent_id):
+        subnet_ids = self.leaf_nodes(parent_id)
+
+        subnets, address_num, address_free_num, address_assign_num, address_used_num = (
+            self.statistic_subnets(subnet_ids))
+
+        return dict(subnet_num=len(subnets),
+                    address_num=address_num,
+                    address_free_num=address_free_num,
+                    address_assign_num=address_assign_num,
+                    address_unassign_num=address_num - address_assign_num,
+                    address_used_num=address_used_num,
+                    address_used_free_num=address_num - address_used_num,
+                    subnets=subnets)

cmdb-api/api/lib/cmdb/ipam/subnet.py

@@ -0,0 +1,355 @@
+# -*- coding:utf-8 -*-
+
+from collections import defaultdict
+
+import datetime
+import ipaddress
+from flask import abort
+
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.ci import CIRelationManager
+from api.lib.cmdb.const import BuiltinModelEnum
+from api.lib.cmdb.ipam.const import OperateTypeEnum
+from api.lib.cmdb.ipam.const import SubnetBuiltinAttributes
+from api.lib.cmdb.ipam.history import OperateHistoryManager
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.models.cmdb import CI
+from api.models.cmdb import CIRelation
+from api.models.cmdb import IPAMSubnetScan
+
+
+class SubnetManager(object):
+    def __init__(self):
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.IPAM_SUBNET) or abort(
+            404, ErrFormat.ipam_subnet_model_not_found.format(BuiltinModelEnum.IPAM_SUBNET))
+
+        self.type_id = self.ci_type.id
+
+    def scan_rules(self, oneagent_id, last_update_at=None):
+        result = []
+        rules = IPAMSubnetScan.get_by(agent_id=oneagent_id, to_dict=True)
+        ci_ids = [i['ci_id'] for i in rules]
+        if ci_ids:
+            response, _, _, _, _, _ = SearchFromDB("_type:{}".format(self.type_id),
+                                                   ci_ids=list(ci_ids),
+                                                   count=1000000,
+                                                   fl=[SubnetBuiltinAttributes.CIDR],
+                                                   parent_node_perm_passed=True).search()
+            id2ci = {i['_id']: i for i in response}
+
+            for rule in rules:
+                if rule['ci_id'] in id2ci:
+                    rule[SubnetBuiltinAttributes.CIDR] = id2ci[rule['ci_id']][SubnetBuiltinAttributes.CIDR]
+                    result.append(rule)
+
+        new_last_update_at = ""
+        for i in result:
+            __last_update_at = max([i['rule_updated_at'] or "", i['created_at'] or ""])
+            if new_last_update_at < __last_update_at:
+                new_last_update_at = __last_update_at
+
+        if not last_update_at or new_last_update_at > last_update_at:
+            return result, new_last_update_at
+        else:
+            return [], new_last_update_at
+
+    @staticmethod
+    def get_hosts(cidr):
+        try:
+            return list(map(str, ipaddress.ip_network(cidr).hosts()))
+        except ValueError:
+            return []
+
+    def get_by_id(self, subnet_id):
+        response, _, _, _, _, _ = SearchFromDB("_type:{}".format(self.type_id),
+                                               ci_ids=[subnet_id],
+                                               parent_node_perm_passed=True).search()
+        scan_rule = IPAMSubnetScan.get_by(ci_id=subnet_id, first=True, to_dict=True)
+        if scan_rule and response:
+            scan_rule.update(response[0])
+
+        return scan_rule
+
+    def tree_view(self):
+        scope = CITypeCache.get(BuiltinModelEnum.IPAM_SCOPE)
+        ci_types = scope and [scope.id, self.type_id] or [self.type_id]
+
+        relations = defaultdict(set)
+        ids = set()
+        has_parent_ids = set()
+        for i in CIRelation.get_by(only_query=True).join(
+                CI, CI.id == CIRelation.first_ci_id).filter(CI.type_id.in_(ci_types)):
+            relations[i.first_ci_id].add(i.second_ci_id)
+            ids.add(i.first_ci_id)
+            ids.add(i.second_ci_id)
+            has_parent_ids.add(i.second_ci_id)
+        for i in CIRelation.get_by(only_query=True).join(
+                CI, CI.id == CIRelation.second_ci_id).filter(CI.type_id.in_(ci_types)):
+            relations[i.first_ci_id].add(i.second_ci_id)
+            ids.add(i.first_ci_id)
+            ids.add(i.second_ci_id)
+            has_parent_ids.add(i.second_ci_id)
+
+        for i in CI.get_by(only_query=True).filter(CI.type_id.in_(ci_types)):
+            ids.add(i.id)
+
+        for _id in ids:
+            if _id not in has_parent_ids:
+                relations[None].add(_id)
+
+        type2name = dict()
+        type2name[self.type_id] = AttributeCache.get(self.ci_type.show_id or self.ci_type.unique_id).name
+
+        fl = [type2name[self.type_id]]
+        if scope:
+            type2name[scope.id] = AttributeCache.get(scope.show_id or scope.unique_id).name
+            fl.append(type2name[scope.id])
+
+        response, _, _, _, _, _ = SearchFromDB("_type:({})".format(";".join(map(str, ci_types))),
+                                               ci_ids=list(ids),
+                                               count=1000000,
+                                               fl=list(set(fl + [SubnetBuiltinAttributes.CIDR])),
+                                               parent_node_perm_passed=True).search()
+        id2ci = {i['_id']: i for i in response}
+
+        def _build_tree(_tree, parent_id=None):
+            tree = []
+            for child_id in _tree.get(parent_id, []):
+                children = sorted(_build_tree(_tree, child_id), key=lambda x: x['_id'])
+                if not id2ci.get(child_id):
+                    continue
+                tree.append({'children': children, **id2ci[child_id]})
+            return tree
+
+        result = sorted(_build_tree(relations), key=lambda x: x['_id'])
+
+        return result, type2name
+
+    @staticmethod
+    def _is_valid_cidr(cidr):
+        try:
+            cidr = ipaddress.ip_network(cidr)
+            if not (8 <= cidr.prefixlen <= 31):
+                raise ValueError
+
+            return str(cidr)
+        except ValueError:
+            return abort(400, ErrFormat.ipam_cidr_invalid_notation.format(cidr))
+
+    def _check_root_node_is_overlapping(self, cidr, _id=None):
+        none_root_nodes = [i.id for i in CI.get_by(only_query=True).join(
+            CIRelation, CIRelation.second_ci_id == CI.id).filter(CI.type_id == self.type_id)]
+        all_nodes = [i.id for i in CI.get_by(type_id=self.type_id, to_dict=False, fl=['id'])]
+
+        root_nodes = set(all_nodes) - set(none_root_nodes) - set(_id and [_id] or [])
+        response, _, _, _, _, _ = SearchFromDB("_type:{}".format(self.type_id),
+                                               ci_ids=list(root_nodes),
+                                               count=1000000,
+                                               parent_node_perm_passed=True).search()
+
+        cur_subnet = ipaddress.ip_network(cidr)
+        for item in response:
+            if item['_id'] == _id:
+                continue
+
+            if cur_subnet.overlaps(ipaddress.ip_network(item.get(SubnetBuiltinAttributes.CIDR))):
+                return abort(400, ErrFormat.ipam_subnet_overlapped.format(cidr, item.get(SubnetBuiltinAttributes.CIDR)))
+
+        return cidr
+
+    def _check_child_node_is_overlapping(self, parent_id, cidr, _id=None):
+        child_nodes = [i.second_ci_id for i in CIRelation.get_by(
+            first_ci_id=parent_id, to_dict=False, fl=['second_ci_id']) if i.second_ci_id != _id]
+        if not child_nodes:
+            return
+
+        response, _, _, _, _, _ = SearchFromDB("_type:{}".format(self.type_id),
+                                               ci_ids=list(child_nodes),
+                                               count=1000000,
+                                               parent_node_perm_passed=True).search()
+
+        cur_subnet = ipaddress.ip_network(cidr)
+        for item in response:
+            if item['_id'] == _id:
+                continue
+
+            if cur_subnet.overlaps(ipaddress.ip_network(item.get(SubnetBuiltinAttributes.CIDR))):
+                return abort(400, ErrFormat.ipam_subnet_overlapped.format(cidr, item.get(SubnetBuiltinAttributes.CIDR)))
+
+    def validate_cidr(self, parent_id, cidr, _id=None):
+        cidr = self._is_valid_cidr(cidr)
+
+        if not parent_id:
+            return self._check_root_node_is_overlapping(cidr, _id)
+
+        parent_subnet = CIManager().get_ci_by_id(parent_id, need_children=False)
+        if parent_subnet['ci_type'] == BuiltinModelEnum.IPAM_SUBNET:
+            if parent_subnet.get(SubnetBuiltinAttributes.CIDR):
+                prefix = int(cidr.split('/')[1])
+                if int(parent_subnet[SubnetBuiltinAttributes.CIDR].split('/')[1]) >= prefix:
+                    return abort(400, ErrFormat.ipam_subnet_prefix_length_invalid.format(prefix))
+
+                valid_subnets = [str(i) for i in
+                                 ipaddress.ip_network(parent_subnet[SubnetBuiltinAttributes.CIDR]).subnets(
+                                     new_prefix=prefix)]
+                if cidr not in valid_subnets:
+                    return abort(400, ErrFormat.ipam_cidr_invalid_subnet.format(cidr, valid_subnets))
+            else:
+                return abort(400, ErrFormat.ipam_parent_subnet_node_cidr_cannot_empty)
+
+        self._check_child_node_is_overlapping(parent_id, cidr, _id)
+
+        return cidr
+
+    def _add_subnet(self, cidr, **kwargs):
+        kwargs[SubnetBuiltinAttributes.HOSTS_COUNT] = len(list(ipaddress.ip_network(cidr).hosts()))
+        kwargs[SubnetBuiltinAttributes.USED_COUNT] = 0
+        kwargs[SubnetBuiltinAttributes.ASSIGN_COUNT] = 0
+        kwargs[SubnetBuiltinAttributes.FREE_COUNT] = kwargs[SubnetBuiltinAttributes.HOSTS_COUNT]
+
+        return CIManager().add(self.type_id, cidr=cidr, **kwargs)
+
+    @staticmethod
+    def _add_scan_rule(ci_id, agent_id, cron, scan_enabled=True):
+        IPAMSubnetScan.create(ci_id=ci_id, agent_id=agent_id, cron=cron, scan_enabled=scan_enabled)
+
+    @staticmethod
+    def _add_relation(parent_id, child_id):
+        if not parent_id or not child_id:
+            return
+
+        CIRelationManager().add(parent_id, child_id, valid=False)
+
+    def add(self, cidr, parent_id, agent_id, cron, scan_enabled=True, **kwargs):
+        cidr = self.validate_cidr(parent_id, cidr)
+
+        ci_id = self._add_subnet(cidr, **kwargs)
+
+        self._add_scan_rule(ci_id, agent_id, cron, scan_enabled)
+
+        self._add_relation(parent_id, ci_id)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.ADD_SUBNET,
+                                    cidr=cidr,
+                                    description=cidr)
+
+        return ci_id
+
+    @staticmethod
+    def _update_subnet(_id, **kwargs):
+        return CIManager().update(_id, **kwargs)
+
+    @staticmethod
+    def _update_scan_rule(ci_id, agent_id, cron, scan_enabled=True):
+        existed = IPAMSubnetScan.get_by(ci_id=ci_id, first=True, to_dict=False)
+        if existed is not None:
+            existed.update(ci_id=ci_id, agent_id=agent_id, cron=cron, scan_enabled=scan_enabled,
+                           rule_updated_at=datetime.datetime.now())
+        else:
+            IPAMSubnetScan.create(ci_id=ci_id, agent_id=agent_id, cron=cron, scan_enabled=scan_enabled)
+
+    def update(self, _id, **kwargs):
+        kwargs[SubnetBuiltinAttributes.CIDR] = self.validate_cidr(kwargs.pop('parent_id', None),
+                                                                  kwargs.get(SubnetBuiltinAttributes.CIDR), _id)
+
+        agent_id = kwargs.pop('agent_id', None)
+        cron = kwargs.pop('cron', None)
+        scan_enabled = kwargs.pop('scan_enabled', True)
+
+        cur = CIManager.get_ci_by_id(_id, need_children=False)
+
+        self._update_subnet(_id, **kwargs)
+
+        self._update_scan_rule(_id, agent_id, cron, scan_enabled)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.UPDATE_SUBNET,
+                                    cidr=cur.get(SubnetBuiltinAttributes.CIDR),
+                                    description="{} -> {}".format(cur.get(SubnetBuiltinAttributes.CIDR),
+                                                                  kwargs.get(SubnetBuiltinAttributes.CIDR)))
+
+        return _id
+
+    @classmethod
+    def delete(cls, _id):
+        if CIRelation.get_by(only_query=True).filter(CIRelation.first_ci_id == _id).first():
+            return abort(400, ErrFormat.ipam_subnet_cannot_delete)
+
+        existed = IPAMSubnetScan.get_by(ci_id=_id, first=True, to_dict=False)
+        existed and existed.delete()
+
+        delete_ci_ids = []
+        for i in CIRelation.get_by(first_ci_id=_id, to_dict=False):
+            delete_ci_ids.append(i.second_ci_id)
+            i.delete()
+
+        cur = CIManager.get_ci_by_id(_id, need_children=False)
+
+        CIManager().delete(_id)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.DELETE_SUBNET,
+                                    cidr=cur.get(SubnetBuiltinAttributes.CIDR),
+                                    description=cur.get(SubnetBuiltinAttributes.CIDR))
+
+        # batch_delete_ci.apply_async(args=(delete_ci_ids,))
+
+        return _id
+
+
+class SubnetScopeManager(object):
+    def __init__(self):
+        self.ci_type = CITypeCache.get(BuiltinModelEnum.IPAM_SCOPE)
+        not self.ci_type and abort(400, ErrFormat.ipam_subnet_model_not_found.format(
+            BuiltinModelEnum.IPAM_SCOPE))
+
+        self.type_id = self.ci_type.id
+
+    def _add_scope(self, name):
+        return CIManager().add(self.type_id, name=name)
+
+    @staticmethod
+    def _add_relation(parent_id, child_id):
+        if not parent_id or not child_id:
+            return
+
+        CIRelationManager().add(parent_id, child_id, valid=False)
+
+    def add(self, parent_id, name):
+        ci_id = self._add_scope(name)
+
+        self._add_relation(parent_id, ci_id)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.ADD_SCOPE,
+                                    description=name)
+
+        return ci_id
+
+    @staticmethod
+    def _update_scope(_id, name):
+        return CIManager().update(_id, name=name)
+
+    def update(self, _id, name):
+        cur = CIManager.get_ci_by_id(_id, need_children=False)
+
+        res = self._update_scope(_id, name)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.UPDATE_SCOPE,
+                                    description="{} -> {}".format(cur.get('name'), name))
+
+        return res
+
+    @staticmethod
+    def delete(_id):
+        if CIRelation.get_by(first_ci_id=_id, first=True, to_dict=False):
+            return abort(400, ErrFormat.ipam_scope_cannot_delete)
+
+        cur = CIManager.get_ci_by_id(_id, need_children=False)
+
+        CIManager().delete(_id)
+
+        OperateHistoryManager().add(operate_type=OperateTypeEnum.DELETE_SCOPE,
+                                    description=cur.get('name'))
+
+        return _id

cmdb-api/api/lib/cmdb/perms.py

@@ -0,0 +1,339 @@
+# -*- coding:utf-8 -*-
+import copy
+import functools
+import redis_lock
+from flask import abort
+from flask import current_app
+from flask import request
+from flask_login import current_user
+
+from api.extensions import db
+from api.extensions import rd
+from api.lib.cmdb.const import BUILTIN_ATTRIBUTES
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.mixin import DBMixin
+from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import is_app_admin
+from api.lib.perm.acl.acl import validate_permission
+from api.models.cmdb import CIFilterPerms
+
+
+class CIFilterPermsCRUD(DBMixin):
+    cls = CIFilterPerms
+
+    def get(self, type_id):
+        res = self.cls.get_by(type_id=type_id, to_dict=True)
+        result = {}
+        for i in res:
+            if i['attr_filter']:
+                i['attr_filter'] = i['attr_filter'].split(',') + list(BUILTIN_ATTRIBUTES.keys())
+
+            if i['rid'] not in result:
+                result[i['rid']] = i
+            else:
+                if i['attr_filter']:
+                    if not result[i['rid']]['attr_filter']:
+                        result[i['rid']]['attr_filter'] = []
+
+                    result[i['rid']]['attr_filter'] += i['attr_filter']
+                    result[i['rid']]['attr_filter'] = list(set(i['attr_filter']))
+                if i['ci_filter']:
+                    if not result[i['rid']]['ci_filter']:
+                        result[i['rid']]['ci_filter'] = ""
+                    result[i['rid']]['ci_filter'] += (i['ci_filter'] or "")
+
+                if i['id_filter']:
+                    if not result[i['rid']]['id_filter']:
+                        result[i['rid']]['id_filter'] = {}
+                    result[i['rid']]['id_filter'].update(i['id_filter'] or {})
+
+        return result
+
+    def get_by_ids(self, _ids, type_id=None):
+        if not _ids:
+            return {}
+
+        if type_id is not None:
+            res = self.cls.get_by(type_id=type_id, __func_in___key_id=_ids, to_dict=True)
+        else:
+            res = self.cls.get_by(__func_in___key_id=_ids, to_dict=True)
+
+        result = {}
+        for i in res:
+            if i['attr_filter']:
+                i['attr_filter'] = i['attr_filter'].split(',') + list(BUILTIN_ATTRIBUTES.keys())
+
+            if i['type_id'] not in result:
+                result[i['type_id']] = i
+            else:
+                if i['attr_filter']:
+                    if not result[i['type_id']]['attr_filter']:
+                        result[i['type_id']]['attr_filter'] = []
+
+                    result[i['type_id']]['attr_filter'] += i['attr_filter']
+                    result[i['type_id']]['attr_filter'] = list(set(i['attr_filter']))
+                if i['ci_filter']:
+                    if not result[i['type_id']]['ci_filter']:
+                        result[i['type_id']]['ci_filter'] = ""
+                    result[i['type_id']]['ci_filter'] += (i['ci_filter'] or "")
+
+                if i['id_filter']:
+                    if not result[i['type_id']]['id_filter']:
+                        result[i['type_id']]['id_filter'] = {}
+                    result[i['type_id']]['id_filter'].update(i['id_filter'] or {})
+
+        return result
+
+    @classmethod
+    def get_attr_filter(cls, type_id):
+        if is_app_admin('cmdb') or current_user.username in ('worker', 'cmdb_agent'):
+            return []
+
+        res2 = ACLManager('cmdb').get_resources(ResourceTypeEnum.CI_FILTER)
+        if res2:
+            type2filter_perms = cls().get_by_ids(list(map(int, [i['name'] for i in res2])), type_id=type_id)
+            return type2filter_perms.get(type_id, {}).get('attr_filter') or []
+
+    def _revoke_children(self, rid, id_filter, rebuild=True):
+        items = self.cls.get_by(rid=rid, ci_filter=None, attr_filter=None, to_dict=False)
+        for item in items:
+            changed, item_id_filter = False, copy.deepcopy(item.id_filter)
+            for prefix in id_filter:
+                for k, v in copy.deepcopy((item.id_filter or {})).items():
+                    if k.startswith(prefix) and k != prefix:
+                        item_id_filter.pop(k)
+                        changed = True
+
+            if not item_id_filter and current_app.config.get('USE_ACL'):
+                item.soft_delete(commit=False)
+                ACLManager().del_resource(str(item.id), ResourceTypeEnum.CI_FILTER, rebuild=rebuild)
+            elif changed:
+                item.update(id_filter=item_id_filter, commit=False)
+
+        db.session.commit()
+
+    def _revoke_parent(self, rid, parent_path, rebuild=True):
+        parent_path = [i for i in parent_path.split(',') if i] or []
+        revoke_nodes = [','.join(parent_path[:i]) for i in range(len(parent_path), 0, -1)]
+        for node_path in revoke_nodes:
+            delete_item, can_deleted = None, True
+            items = self.cls.get_by(rid=rid, ci_filter=None, attr_filter=None, to_dict=False)
+            for item in items:
+                if node_path in item.id_filter:
+                    delete_item = item
+                if any(filter(lambda x: x.startswith(node_path) and x != node_path, item.id_filter.keys())):
+                    can_deleted = False
+                    break
+
+            if can_deleted and delete_item:
+                id_filter = copy.deepcopy(delete_item.id_filter)
+                id_filter.pop(node_path)
+                delete_item = delete_item.update(id_filter=id_filter, filter_none=False)
+
+                if current_app.config.get('USE_ACL') and not id_filter:
+                    ACLManager().del_resource(str(delete_item.id), ResourceTypeEnum.CI_FILTER, rebuild=False)
+                    delete_item.soft_delete()
+                    items.remove(delete_item)
+
+        if rebuild:
+            from api.tasks.acl import role_rebuild
+            from api.lib.perm.acl.const import ACL_QUEUE
+            from api.lib.perm.acl.cache import AppCache
+
+            role_rebuild.apply_async(args=(rid, AppCache.get('cmdb').id), queue=ACL_QUEUE)
+
+    def _can_add(self, **kwargs):
+        ci_filter = kwargs.get('ci_filter')
+        attr_filter = kwargs.get('attr_filter') or ""
+
+        if 'attr_filter' in kwargs:
+            kwargs['attr_filter'] = kwargs['attr_filter'] or None
+
+        if attr_filter:
+            kwargs['attr_filter'] = ','.join(attr_filter or [])
+
+        if ci_filter and not kwargs.get('name'):
+            return abort(400, ErrFormat.ci_filter_name_cannot_be_empty)
+
+        if ci_filter and ci_filter.startswith('q='):
+            kwargs['ci_filter'] = kwargs['ci_filter'][2:]
+
+        return kwargs
+
+    def add(self, **kwargs):
+        kwargs = self._can_add(**kwargs) or kwargs
+        with redis_lock.Lock(rd.r, 'CMDB_FILTER_{}_{}'.format(kwargs['type_id'], kwargs['rid']), expire=10):
+            request_id_filter = {}
+            if kwargs.get('id_filter'):
+                obj = self.cls.get_by(type_id=kwargs.get('type_id'),
+                                      rid=kwargs.get('rid'),
+                                      ci_filter=None,
+                                      attr_filter=None,
+                                      first=True, to_dict=False)
+
+                for _id, v in (kwargs.get('id_filter') or {}).items():
+                    key = ",".join(([v['parent_path']] if v.get('parent_path') else []) + [str(_id)])
+                    request_id_filter[key] = v['name']
+
+            else:
+                obj = self.cls.get_by(type_id=kwargs.get('type_id'),
+                                      rid=kwargs.get('rid'),
+                                      id_filter=None,
+                                      first=True, to_dict=False)
+
+            is_recursive = kwargs.pop('is_recursive', 0)
+            if obj is not None:
+                if obj.id_filter and isinstance(kwargs.get('id_filter'), dict):
+                    obj_id_filter = copy.deepcopy(obj.id_filter)
+
+                    for k, v in request_id_filter.items():
+                        obj_id_filter[k] = v
+
+                    kwargs['id_filter'] = obj_id_filter
+
+                obj = obj.update(filter_none=False, **kwargs)
+
+                if not obj.attr_filter and not obj.ci_filter and not obj.id_filter:
+                    if current_app.config.get('USE_ACL'):
+                        ACLManager().del_resource(str(obj.id), ResourceTypeEnum.CI_FILTER, rebuild=False)
+
+                    obj.soft_delete()
+
+                if not is_recursive and request_id_filter:
+                    self._revoke_children(obj.rid, request_id_filter, rebuild=False)
+
+                return
+
+            else:
+                if not kwargs.get('ci_filter') and not kwargs.get('attr_filter') and not kwargs.get('id_filter'):
+                    return
+
+                if request_id_filter:
+                    kwargs['id_filter'] = request_id_filter
+
+                obj = self.cls.create(**kwargs)
+
+                if current_app.config.get('USE_ACL'):  # new resource
+                    try:
+                        ACLManager().add_resource(obj.id, ResourceTypeEnum.CI_FILTER)
+                    except:
+                        pass
+                    ACLManager().grant_resource_to_role_by_rid(obj.id,
+                                                               kwargs.get('rid'),
+                                                               ResourceTypeEnum.CI_FILTER)
+
+                return obj
+
+    def _can_update(self, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        pass
+
+    def delete(self, **kwargs):
+        with redis_lock.Lock(rd.r, 'CMDB_FILTER_{}_{}'.format(kwargs['type_id'], kwargs['rid']), expire=10):
+            obj = self.cls.get_by(type_id=kwargs.get('type_id'),
+                                  rid=kwargs.get('rid'),
+                                  id_filter=None,
+                                  first=True, to_dict=False)
+
+            if obj is not None:
+                resource = None
+                if current_app.config.get('USE_ACL'):
+                    resource = ACLManager().del_resource(str(obj.id), ResourceTypeEnum.CI_FILTER)
+
+                obj.soft_delete()
+
+                return resource
+
+    def delete2(self, **kwargs):
+
+        with redis_lock.Lock(rd.r, 'CMDB_FILTER_{}_{}'.format(kwargs['type_id'], kwargs['rid']), expire=10):
+            obj = self.cls.get_by(type_id=kwargs.get('type_id'),
+                                  rid=kwargs.get('rid'),
+                                  ci_filter=None,
+                                  attr_filter=None,
+                                  first=True, to_dict=False)
+
+            request_id_filter = {}
+            for _id, v in (kwargs.get('id_filter') or {}).items():
+                key = ",".join(([v['parent_path']] if v.get('parent_path') else []) + [str(_id)])
+                request_id_filter[key] = v['name']
+
+            resource = None
+            if obj is not None:
+
+                id_filter = {}
+                for k, v in copy.deepcopy(obj.id_filter or {}).items():  # important
+                    if k not in request_id_filter:
+                        id_filter[k] = v
+
+                if not id_filter and current_app.config.get('USE_ACL'):
+                    resource = ACLManager().del_resource(str(obj.id), ResourceTypeEnum.CI_FILTER, rebuild=False)
+                    obj.soft_delete()
+                    db.session.commit()
+
+                else:
+                    obj.update(id_filter=id_filter)
+
+                self._revoke_children(kwargs.get('rid'), request_id_filter, rebuild=False)
+                self._revoke_parent(kwargs.get('rid'), kwargs.get('parent_path'))
+
+            return resource
+
+    def delete_id_filter_by_ci_id(self, ci_id):
+        items = self.cls.get_by(ci_filter=None, attr_filter=None, to_dict=False)
+
+        rebuild_roles = set()
+        for item in items:
+            id_filter = copy.deepcopy(item.id_filter)
+            changed = False
+            for node_path in item.id_filter:
+                if str(ci_id) in node_path:
+                    id_filter.pop(node_path)
+                    changed = True
+
+            if changed:
+                rebuild_roles.add(item.rid)
+                if not id_filter:
+                    item.soft_delete(commit=False)
+                else:
+                    item.update(id_filter=id_filter, commit=False)
+
+        db.session.commit()
+
+        if rebuild_roles:
+            from api.tasks.acl import role_rebuild
+            from api.lib.perm.acl.const import ACL_QUEUE
+            from api.lib.perm.acl.cache import AppCache
+            for rid in rebuild_roles:
+                role_rebuild.apply_async(args=(rid, AppCache.get('cmdb').id), queue=ACL_QUEUE)
+
+
+def has_perm_for_ci(arg_name, resource_type, perm, callback=None, app=None):
+    def decorator_has_perm(func):
+        @functools.wraps(func)
+        def wrapper_has_perm(*args, **kwargs):
+            if not arg_name:
+                return
+            resource = request.view_args.get(arg_name) or request.values.get(arg_name)
+            if callback is not None and resource:
+                resource = callback(resource)
+
+            if current_app.config.get("USE_ACL") and resource:
+                if current_user.username == "worker" or current_user.username == "cmdb_agent":
+                    request.values['__is_admin'] = True
+                    return func(*args, **kwargs)
+
+                if is_app_admin(app):
+                    request.values['__is_admin'] = True
+                    return func(*args, **kwargs)
+
+                validate_permission(resource.name, resource_type, perm, app)
+
+            return func(*args, **kwargs)
+
+        return wrapper_has_perm
+
+    return decorator_has_perm

cmdb-api/api/lib/cmdb/preference.py

@@ -1,121 +1,275 @@
 # -*- coding:utf-8 -*-
 
+from collections import defaultdict
 
 import copy
-import json
-
 import six
 import toposort
 from flask import abort
 from flask import current_app
-from flask import g
+from flask_login import current_user
 
 from api.extensions import db
 from api.lib.cmdb.attribute import AttributeManager
 from api.lib.cmdb.cache import AttributeCache
-from api.lib.cmdb.cache import CITypeAttributeCache
+from api.lib.cmdb.cache import CITypeAttributesCache
 from api.lib.cmdb.cache import CITypeCache
-from api.lib.cmdb.const import ResourceTypeEnum, RoleEnum, PermEnum
+from api.lib.cmdb.cache import CMDBCounterCache
+from api.lib.cmdb.ci_type import CITypeAttributeManager
+from api.lib.cmdb.const import BUILTIN_ATTRIBUTES
+from api.lib.cmdb.const import ConstraintEnum
+from api.lib.cmdb.const import PermEnum
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.const import RoleEnum
+from api.lib.cmdb.const import SysComputedAttributes
+from api.lib.cmdb.perms import CIFilterPermsCRUD
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.exception import AbortException
 from api.lib.perm.acl.acl import ACLManager
-from api.models.cmdb import CITypeAttribute
+from api.models.cmdb import CITypeGroup
+from api.models.cmdb import CITypeGroupItem
 from api.models.cmdb import CITypeRelation
+from api.models.cmdb import PreferenceCITypeOrder
 from api.models.cmdb import PreferenceRelationView
+from api.models.cmdb import PreferenceSearchOption
 from api.models.cmdb import PreferenceShowAttributes
 from api.models.cmdb import PreferenceTreeView
 
 
 class PreferenceManager(object):
+    pref_attr_cls = PreferenceShowAttributes
+    pref_tree_cls = PreferenceTreeView
+    pref_rel_cls = PreferenceRelationView
+    pre_so_cls = PreferenceSearchOption
+
     @staticmethod
     def get_types(instance=False, tree=False):
+        ci_type_order = sorted(PreferenceCITypeOrder.get_by(uid=current_user.uid, to_dict=False), key=lambda x: x.order)
+
+        type2group = {}
+        for i in db.session.query(CITypeGroupItem, CITypeGroup).join(
+                CITypeGroup, CITypeGroup.id == CITypeGroupItem.group_id).filter(
+                CITypeGroup.deleted.is_(False)).filter(CITypeGroupItem.deleted.is_(False)):
+            type2group[i.CITypeGroupItem.type_id] = i.CITypeGroup.to_dict()
+
         types = db.session.query(PreferenceShowAttributes.type_id).filter(
-            PreferenceShowAttributes.uid == g.user.uid).filter(
-            PreferenceShowAttributes.deleted.is_(False)).group_by(PreferenceShowAttributes.type_id).all() \
-            if instance else []
-        tree_types = PreferenceTreeView.get_by(uid=g.user.uid, to_dict=False) if tree else []
-        type_ids = list(set([i.type_id for i in types + tree_types]))
-        return [CITypeCache.get(type_id).to_dict() for type_id in type_ids]
+            PreferenceShowAttributes.uid == current_user.uid).filter(
+            PreferenceShowAttributes.deleted.is_(False)).group_by(
+            PreferenceShowAttributes.type_id).all() if instance else []
+        types = sorted(types, key=lambda x: {i.type_id: idx for idx, i in enumerate(
+            ci_type_order) if not i.is_tree}.get(x.type_id, 1))
+        group_types = []
+        other_types = []
+        group2idx = {}
+        type_ids = set()
+        for ci_type in types:
+            type_id = ci_type.type_id
+            type_ids.add(type_id)
+            type_dict = CITypeCache.get(type_id).to_dict()
+            if type_id not in type2group:
+                other_types.append(type_dict)
+            else:
+                group = type2group[type_id]
+                if group['id'] not in group2idx:
+                    group_types.append(type2group[type_id])
+                    group2idx[group['id']] = len(group_types) - 1
+                group_types[group2idx[group['id']]].setdefault('ci_types', []).append(type_dict)
+        if other_types:
+            group_types.append(dict(ci_types=other_types))
+
+        tree_types = PreferenceTreeView.get_by(uid=current_user.uid, to_dict=False) if tree else []
+        tree_types = sorted(tree_types, key=lambda x: {i.type_id: idx for idx, i in enumerate(
+            ci_type_order) if i.is_tree}.get(x.type_id, 1))
+
+        tree_types = [CITypeCache.get(_type.type_id).to_dict() for _type in tree_types]
+        for _type in tree_types:
+            type_ids.add(_type['id'])
+
+        return dict(group_types=group_types, tree_types=tree_types, type_ids=list(type_ids))
+
+    @staticmethod
+    def get_types2(instance=False, tree=False):
+        """
+        {
+            self: {instance: [], tree: [], type_id2subs_time: {type_id: subs_time}},
+            type_id2users: {type_id: []}
+        }
+        :param instance:
+        :param tree:
+        :return:
+        """
+        result = dict(self=dict(instance=[], tree=[], type_id2subs_time=dict()))
+
+        result.update(CMDBCounterCache.get_sub_counter())
+
+        ci_type_order = sorted(PreferenceCITypeOrder.get_by(uid=current_user.uid, to_dict=False), key=lambda x: x.order)
+        if instance:
+            types = db.session.query(PreferenceShowAttributes.type_id,
+                                     PreferenceShowAttributes.uid, PreferenceShowAttributes.created_at).filter(
+                PreferenceShowAttributes.deleted.is_(False)).filter(
+                PreferenceShowAttributes.uid == current_user.uid).group_by(
+                PreferenceShowAttributes.uid, PreferenceShowAttributes.type_id)
+            for i in types:
+                result['self']['instance'].append(i.type_id)
+                if str(i.created_at) > str(result['self']['type_id2subs_time'].get(i.type_id, "")):
+                    result['self']['type_id2subs_time'][i.type_id] = i.created_at
+
+            instance_order = [i.type_id for i in ci_type_order if not i.is_tree]
+            if len(instance_order) == len(result['self']['instance']):
+                result['self']['instance'] = instance_order
+
+        if tree:
+            types = PreferenceTreeView.get_by(uid=current_user.uid, to_dict=False)
+            for i in types:
+                result['self']['tree'].append(i.type_id)
+                if str(i.created_at) > str(result['self']['type_id2subs_time'].get(i.type_id, "")):
+                    result['self']['type_id2subs_time'][i.type_id] = i.created_at
+
+            tree_order = [i.type_id for i in ci_type_order if i.is_tree]
+            if len(tree_order) == len(result['self']['tree']):
+                result['self']['tree'] = tree_order
+
+        return result
 
     @staticmethod
     def get_show_attributes(type_id):
-        if not isinstance(type_id, six.integer_types):
-            type_id = CITypeCache.get(type_id).id
+        _type = CITypeCache.get(type_id) or abort(404, ErrFormat.ci_type_not_found)
+        type_id = _type and _type.id
+
+        if not isinstance(type_id, six.integer_types):
+            _type = CITypeCache.get(type_id)
+            type_id = _type and _type.id
+
+        attrs = PreferenceShowAttributes.get_by(uid=current_user.uid, type_id=type_id, to_dict=False)
+
+        result = []
+        for i in sorted(attrs, key=lambda x: x.order):
+            if i.attr_id:
+                item = i.attr.to_dict()
+            elif i.builtin_attr:
+                item = dict(name=i.builtin_attr, alias=BUILTIN_ATTRIBUTES[i.builtin_attr])
+            else:
+                item = dict(name="", alias="")
+            item.update(dict(is_fixed=i.is_fixed))
+            result.append(item)
 
-        attrs = db.session.query(PreferenceShowAttributes, CITypeAttribute.order).join(
-            CITypeAttribute, CITypeAttribute.attr_id == PreferenceShowAttributes.attr_id).filter(
-            PreferenceShowAttributes.uid == g.user.uid).filter(
-            PreferenceShowAttributes.type_id == type_id).filter(
-            PreferenceShowAttributes.deleted.is_(False)).filter(CITypeAttribute.deleted.is_(False)).filter(
-            CITypeAttribute.type_id == type_id).order_by(
-            CITypeAttribute.order).all()
-        result = [i.PreferenceShowAttributes.attr.to_dict() for i in attrs]
         is_subscribed = True
         if not attrs:
-            attrs = db.session.query(CITypeAttribute).filter(
-                CITypeAttribute.type_id == type_id).filter(
-                CITypeAttribute.deleted.is_(False)).filter(
-                CITypeAttribute.default_show.is_(True)).order_by(CITypeAttribute.order)
-            result = [i.attr.to_dict() for i in attrs]
+            result = CITypeAttributeManager.get_attributes_by_type_id(type_id,
+                                                                      choice_web_hook_parse=False,
+                                                                      choice_other_parse=False)
+            result = [i for i in result if i['default_show']]
+
+            for i in BUILTIN_ATTRIBUTES:
+                result.append(dict(name=i, alias=BUILTIN_ATTRIBUTES[i]))
+
             is_subscribed = False
 
         for i in result:
-            if i["is_choice"]:
-                i.update(dict(choice_value=AttributeManager.get_choice_values(i["id"], i["value_type"])))
+            if i.get("is_choice"):
+                i.update(dict(choice_value=AttributeManager.get_choice_values(
+                    i["id"], i["value_type"], i.get("choice_web_hook"), i.get("choice_other"))))
+
+                if (_type.name in SysComputedAttributes.type2attr and
+                        i['name'] in SysComputedAttributes.type2attr[_type.name]):
+                    i['sys_computed'] = True
+                else:
+                    i['sys_computed'] = False
 
         return is_subscribed, result
 
     @classmethod
     def create_or_update_show_attributes(cls, type_id, attr_order):
-        existed_all = PreferenceShowAttributes.get_by(type_id=type_id, uid=g.user.uid, to_dict=False)
-        for _attr, order in attr_order:
-            attr = AttributeCache.get(_attr) or abort(404, "Attribute <{0}> does not exist".format(_attr))
+        existed_all = PreferenceShowAttributes.get_by(type_id=type_id, uid=current_user.uid, to_dict=False)
+        for x, order in attr_order:
+            if isinstance(x, list):
+                _attr, is_fixed = x
+            else:
+                _attr, is_fixed = x, False
+
+            if _attr in BUILTIN_ATTRIBUTES:
+                attr = None
+                builtin_attr = _attr
+            else:
+                attr = AttributeCache.get(_attr) or abort(
+                    404, ErrFormat.attribute_not_found.format("id={}".format(_attr)))
+                builtin_attr = None
             existed = PreferenceShowAttributes.get_by(type_id=type_id,
-                                                      uid=g.user.uid,
-                                                      attr_id=attr.id,
+                                                      uid=current_user.uid,
+                                                      attr_id=attr and attr.id,
+                                                      builtin_attr=builtin_attr,
                                                       first=True,
                                                       to_dict=False)
             if existed is None:
                 PreferenceShowAttributes.create(type_id=type_id,
-                                                uid=g.user.uid,
-                                                attr_id=attr.id,
-                                                order=order)
+                                                uid=current_user.uid,
+                                                attr_id=attr and attr.id,
+                                                builtin_attr=builtin_attr,
+                                                order=order,
+                                                is_fixed=is_fixed)
             else:
-                existed.update(order=order)
+                existed.update(order=order, is_fixed=is_fixed)
 
-        attr_dict = {int(i): j for i, j in attr_order}
+        attr_dict = {(int(i[0]) if i[0].isdigit() else i[0]) if isinstance(i, list) else
+                     (int(i) if i.isdigit() else i): j for i, j in attr_order}
         for i in existed_all:
-            if i.attr_id not in attr_dict:
+            if (i.attr_id and i.attr_id not in attr_dict) or (i.builtin_attr and i.builtin_attr not in attr_dict):
                 i.soft_delete()
 
+        if not existed_all and attr_order:
+            cls.add_ci_type_order_item(type_id, is_tree=False)
+
+        elif not PreferenceShowAttributes.get_by(type_id=type_id, uid=current_user.uid, to_dict=False):
+            cls.delete_ci_type_order_item(type_id, is_tree=False)
+
     @staticmethod
     def get_tree_view():
-        res = PreferenceTreeView.get_by(uid=g.user.uid, to_dict=True)
+        ci_type_order = sorted(PreferenceCITypeOrder.get_by(uid=current_user.uid, is_tree=True, to_dict=False),
+                               key=lambda x: x.order)
+
+        res = PreferenceTreeView.get_by(uid=current_user.uid, to_dict=True)
+        if ci_type_order:
+            res = sorted(res, key=lambda x: {ii.type_id: idx for idx, ii in enumerate(
+                ci_type_order)}.get(x['type_id'], 1))
+
         for item in res:
             if item["levels"]:
-                item.update(CITypeCache.get(item['type_id']).to_dict())
-                item.update(dict(levels=[AttributeCache.get(l).to_dict()
-                                         for l in item["levels"].split(",") if AttributeCache.get(l)]))
+                ci_type = CITypeCache.get(item['type_id']).to_dict()
+                attr_filter = CIFilterPermsCRUD.get_attr_filter(ci_type['id'])
+                ci_type.pop('id', None)
+                ci_type.pop('created_at', None)
+                ci_type.pop('updated_at', None)
+                item.update(ci_type)
+
+                _levels = []
+                for i in item["levels"]:
+                    attr = AttributeCache.get(i)
+                    if attr and (not attr_filter or attr.name in attr_filter):
+                        _levels.append(attr.to_dict())
+                item.update(dict(levels=_levels))
 
         return res
 
-    @staticmethod
-    def create_or_update_tree_view(type_id, levels):
-        attrs = CITypeAttributeCache.get(type_id)
+    @classmethod
+    def create_or_update_tree_view(cls, type_id, levels):
+        attrs = CITypeAttributesCache.get(type_id)
         for idx, i in enumerate(levels):
             for attr in attrs:
                 attr = AttributeCache.get(attr.attr_id)
                 if i == attr.id or i == attr.name or i == attr.alias:
-                    levels[idx] = str(attr.id)
-        levels = ",".join(levels)
+                    levels[idx] = attr.id
 
-        existed = PreferenceTreeView.get_by(uid=g.user.uid, type_id=type_id, to_dict=False, first=True)
+        existed = PreferenceTreeView.get_by(uid=current_user.uid, type_id=type_id, to_dict=False, first=True)
         if existed is not None:
             if not levels:
                 existed.soft_delete()
+                cls.delete_ci_type_order_item(type_id, is_tree=True)
                 return existed
             return existed.update(levels=levels)
         elif levels:
-            return PreferenceTreeView.create(levels=levels, type_id=type_id, uid=g.user.uid)
+            cls.add_ci_type_order_item(type_id, is_tree=True)
+
+            return PreferenceTreeView.create(levels=levels, type_id=type_id, uid=current_user.uid)
 
     @staticmethod
     def get_relation_view():
@@ -124,21 +278,23 @@ class PreferenceManager(object):
         if current_app.config.get("USE_ACL"):
             for i in _views:
                 try:
-                    if ACLManager().has_permission(i.get('name'),
-                                                   ResourceTypeEnum.RELATION_VIEW,
-                                                   PermEnum.READ):
+                    if i.get('is_public') or ACLManager().has_permission(i.get('name'),
+                                                                         ResourceTypeEnum.RELATION_VIEW,
+                                                                         PermEnum.READ):
                         views.append(i)
                 except AbortException:
                     pass
         else:
             views = _views
 
-        view2cr_ids = dict()
+        view2cr_ids = defaultdict(list)
+        name2view = dict()
         result = dict()
         name2id = list()
         for view in views:
-            view2cr_ids.setdefault(view['name'], []).extend(json.loads(view['cr_ids']))
+            view2cr_ids[view['name']].extend(view['cr_ids'])
             name2id.append([view['name'], view['id']])
+            name2view[view['name']] = view
 
         id2type = dict()
         for view_name in view2cr_ids:
@@ -159,15 +315,31 @@ class PreferenceManager(object):
                 if not parents:
                     return
 
-            for l in leaf:
-                _find_parent(l)
+            for _l in leaf:
+                _find_parent(_l)
 
             for node_id in node2show_types:
                 node2show_types[node_id] = [CITypeCache.get(i).to_dict() for i in set(node2show_types[node_id])]
 
+            topo_flatten = list(toposort.toposort_flatten(topo))
+            level2constraint = {}
+            for i, _ in enumerate(topo_flatten[1:]):
+                ctr = CITypeRelation.get_by(
+                    parent_id=topo_flatten[i], child_id=topo_flatten[i + 1], first=True, to_dict=False)
+                level2constraint[i + 1] = ctr and ctr.constraint
+
+            if leaf2show_types.get(topo_flatten[-1]):
+                ctr = CITypeRelation.get_by(
+                    parent_id=topo_flatten[-1],
+                    child_id=leaf2show_types[topo_flatten[-1]][0], first=True, to_dict=False)
+                level2constraint[len(topo_flatten)] = ctr and ctr.constraint
+
             result[view_name] = dict(topo=list(map(list, toposort.toposort(topo))),
-                                     topo_flatten=list(toposort.toposort_flatten(topo)),
+                                     topo_flatten=topo_flatten,
+                                     level2constraint=level2constraint,
                                      leaf=leaf,
+                                     option=name2view[view_name]['option'],
+                                     is_public=name2view[view_name]['is_public'],
                                      leaf2show_types=leaf2show_types,
                                      node2show_types=node2show_types,
                                      show_types=[CITypeCache.get(j).to_dict()
@@ -175,18 +347,26 @@ class PreferenceManager(object):
 
         for type_id in id2type:
             id2type[type_id] = CITypeCache.get(type_id).to_dict()
+            id2type[type_id]['unique_name'] = AttributeCache.get(id2type[type_id]['unique_id']).name
+            if id2type[type_id]['show_id']:
+                show_attr = AttributeCache.get(id2type[type_id]['show_id'])
+                id2type[type_id]['show_name'] = show_attr and show_attr.name
 
         return result, id2type, sorted(name2id, key=lambda x: x[1])
 
     @classmethod
-    def create_or_update_relation_view(cls, name, cr_ids):
+    def create_or_update_relation_view(cls, name=None, cr_ids=None, _id=None, is_public=False, option=None):
         if not cr_ids:
-            return abort(400, "Node must be selected")
+            return abort(400, ErrFormat.preference_relation_view_node_required)
 
-        existed = PreferenceRelationView.get_by(name=name, to_dict=False, first=True)
+        if _id is None:
+            existed = PreferenceRelationView.get_by(name=name, to_dict=False, first=True)
+        else:
+            existed = PreferenceRelationView.get_by_id(_id)
         current_app.logger.debug(existed)
         if existed is None:
-            PreferenceRelationView.create(name=name, cr_ids=json.dumps(cr_ids))
+            PreferenceRelationView.create(name=name, cr_ids=cr_ids, uid=current_user.uid,
+                                          is_public=is_public, option=option)
 
             if current_app.config.get("USE_ACL"):
                 ACLManager().add_resource(name, ResourceTypeEnum.RELATION_VIEW)
@@ -194,6 +374,11 @@ class PreferenceManager(object):
                                                     RoleEnum.CMDB_READ_ALL,
                                                     ResourceTypeEnum.RELATION_VIEW,
                                                     permissions=[PermEnum.READ])
+        else:
+            if existed.name != name and current_app.config.get("USE_ACL"):
+                ACLManager().update_resource(existed.name, name, ResourceTypeEnum.RELATION_VIEW)
+
+            existed.update(name=name, cr_ids=cr_ids, is_public=is_public, option=option)
 
         return cls.get_relation_view()
 
@@ -206,3 +391,135 @@ class PreferenceManager(object):
             ACLManager().del_resource(name, ResourceTypeEnum.RELATION_VIEW)
 
         return name
+
+    @staticmethod
+    def get_search_option(**kwargs):
+        query = PreferenceSearchOption.get_by(only_query=True)
+        query = query.filter(PreferenceSearchOption.uid == current_user.uid)
+
+        for k in kwargs:
+            if hasattr(PreferenceSearchOption, k) and kwargs[k]:
+                query = query.filter(getattr(PreferenceSearchOption, k) == kwargs[k])
+
+        return [i.to_dict() for i in query]
+
+    @staticmethod
+    def add_search_option(**kwargs):
+        kwargs['uid'] = current_user.uid
+
+        if kwargs['name'] in ('__recent__', '__favor__', '__relation_favor__'):
+            if kwargs['name'] == '__recent__':
+                for i in PreferenceSearchOption.get_by(
+                        only_query=True, name=kwargs['name'], uid=current_user.uid).order_by(
+                    PreferenceSearchOption.id.desc()).offset(20):
+                    i.delete()
+
+        else:
+            existed = PreferenceSearchOption.get_by(uid=current_user.uid,
+                                                    name=kwargs.get('name'),
+                                                    prv_id=kwargs.get('prv_id'),
+                                                    ptv_id=kwargs.get('ptv_id'),
+                                                    type_id=kwargs.get('type_id'),
+                                                    )
+            if existed:
+                return abort(400, ErrFormat.preference_search_option_exists)
+
+        return PreferenceSearchOption.create(**kwargs)
+
+    @staticmethod
+    def update_search_option(_id, **kwargs):
+
+        existed = PreferenceSearchOption.get_by_id(_id) or abort(404, ErrFormat.preference_search_option_not_found)
+
+        if current_user.uid != existed.uid:
+            return abort(400, ErrFormat.no_permission2)
+
+        other = PreferenceSearchOption.get_by(uid=current_user.uid,
+                                              name=kwargs.get('name'),
+                                              prv_id=kwargs.get('prv_id'),
+                                              ptv_id=kwargs.get('ptv_id'),
+                                              type_id=kwargs.get('type_id'),
+                                              )
+        if other.id != _id:
+            return abort(400, ErrFormat.preference_search_option_exists)
+
+        return existed.update(**kwargs)
+
+    @staticmethod
+    def delete_search_option(_id):
+        existed = PreferenceSearchOption.get_by_id(_id) or abort(404, ErrFormat.preference_search_option_not_found)
+
+        if current_user.uid != existed.uid:
+            return abort(400, ErrFormat.no_permission2)
+
+        existed.soft_delete()
+
+    @staticmethod
+    def delete_by_type_id(type_id, uid):
+        for i in PreferenceShowAttributes.get_by(type_id=type_id, uid=uid, to_dict=False):
+            i.soft_delete()
+
+        for i in PreferenceTreeView.get_by(type_id=type_id, uid=uid, to_dict=False):
+            i.soft_delete()
+
+        for i in PreferenceCITypeOrder.get_by(type_id=type_id, uid=uid, to_dict=False):
+            i.soft_delete()
+
+    @staticmethod
+    def can_edit_relation(parent_id, child_id):
+        views = PreferenceRelationView.get_by(to_dict=False)
+        for view in views:
+            has_m2m = False
+            last_node_id = None
+            for cr in view.cr_ids:
+                _rel = CITypeRelation.get_by(parent_id=cr['parent_id'], child_id=cr['child_id'],
+                                             first=True, to_dict=False)
+                if _rel and _rel.constraint == ConstraintEnum.Many2Many:
+                    has_m2m = True
+
+                    if parent_id == _rel.parent_id and child_id == _rel.child_id:
+                        return False
+
+                if _rel:
+                    last_node_id = _rel.child_id
+
+            if parent_id == last_node_id:
+                rels = CITypeRelation.get_by(parent_id=last_node_id, to_dict=False)
+                for rel in rels:
+                    if rel.child_id == child_id and has_m2m:
+                        return False
+
+        return True
+
+    @staticmethod
+    def add_ci_type_order_item(type_id, is_tree=False):
+        max_order = PreferenceCITypeOrder.get_by(
+            uid=current_user.uid, is_tree=is_tree, only_query=True).order_by(PreferenceCITypeOrder.order.desc()).first()
+        order = (max_order and max_order.order + 1) or 1
+
+        PreferenceCITypeOrder.create(type_id=type_id, is_tree=is_tree, uid=current_user.uid, order=order)
+
+    @staticmethod
+    def delete_ci_type_order_item(type_id, is_tree=False):
+        existed = PreferenceCITypeOrder.get_by(uid=current_user.uid, type_id=type_id, is_tree=is_tree,
+                                               first=True, to_dict=False)
+
+        existed and existed.soft_delete()
+
+    @staticmethod
+    def upsert_ci_type_order(type_ids, is_tree=False):
+        for idx, type_id in enumerate(type_ids):
+            order = idx + 1
+            existed = PreferenceCITypeOrder.get_by(uid=current_user.uid, type_id=type_id, is_tree=is_tree,
+                                                   to_dict=False, first=True)
+            if existed is not None:
+                existed.update(order=order, flush=True)
+            else:
+                PreferenceCITypeOrder.create(uid=current_user.uid, type_id=type_id, is_tree=is_tree, order=order,
+                                             flush=True)
+        try:
+            db.session.commit()
+        except Exception as e:
+            db.session.rollback()
+            current_app.logger.error("upsert citype order failed: {}".format(e))
+            return abort(400, ErrFormat.unknown_error)

cmdb-api/api/lib/cmdb/query_sql.py

@@ -0,0 +1,63 @@
+# -*- coding:utf-8 -*- 
+
+
+QUERY_CIS_BY_VALUE_TABLE = """
+    SELECT attr.name AS attr_name,
+          attr.alias AS attr_alias,
+          attr.value_type,
+          attr.is_list,
+          c_cis.type_id,
+          {0}.ci_id,
+          {0}.attr_id,
+          {0}.value
+   FROM {0}
+   INNER JOIN c_cis ON {0}.ci_id=c_cis.id
+   AND {0}.`ci_id` IN ({1})
+   INNER JOIN c_attributes as attr ON attr.id = {0}.attr_id
+"""
+
+#  {2}: value_table
+QUERY_CIS_BY_IDS = """
+    SELECT A.ci_id,
+           A.type_id,
+           A.attr_id,
+           A.attr_name,
+           A.attr_alias,
+           A.value,
+           A.value_type,
+           A.is_list
+    FROM
+      ({1}) AS A {0}
+       ORDER BY A.ci_id;
+"""
+
+FACET_QUERY1 = """
+    SELECT {0}.value,
+           count({0}.ci_id)
+    FROM {0}
+    INNER JOIN c_attributes AS attr ON attr.id={0}.attr_id
+    WHERE attr.name="{1}"
+    GROUP BY {0}.ci_id;
+"""
+
+FACET_QUERY = """
+    SELECT {0}.value,
+           count(distinct({0}.ci_id))
+    FROM {0}
+    INNER JOIN ({1}) AS F ON F.ci_id={0}.ci_id
+    WHERE {0}.attr_id={2:d}
+    GROUP BY {0}.value
+"""
+
+QUERY_CI_BY_ATTR_NAME = """
+    SELECT {0}.ci_id
+    FROM {0}
+    WHERE {0}.attr_id={1:d}
+      AND {0}.value {2}
+"""
+
+QUERY_CI_BY_TYPE = """
+    SELECT c_cis.id AS ci_id
+    FROM c_cis
+    WHERE c_cis.type_id in ({0})
+"""

cmdb-api/api/lib/cmdb/relation_type.py

@@ -3,10 +3,13 @@
 
 from flask import abort
 
+from api.lib.cmdb.resp_format import ErrFormat
 from api.models.cmdb import RelationType
 
 
 class RelationTypeManager(object):
+    cls = RelationType
+
     @staticmethod
     def get_all():
         return RelationType.get_by(to_dict=False)
@@ -21,17 +24,21 @@ class RelationTypeManager(object):
 
     @staticmethod
     def add(name):
-        RelationType.get_by(name=name, first=True, to_dict=False) and abort(400, "It's already existed")
+        RelationType.get_by(name=name, first=True, to_dict=False) and abort(
+            400, ErrFormat.relation_type_exists.format(name))
+
         return RelationType.create(name=name)
 
     @staticmethod
     def update(rel_id, name):
-        existed = RelationType.get_by_id(rel_id) or abort(404, "RelationType <{0}> does not exist".format(rel_id))
+        existed = RelationType.get_by_id(rel_id) or abort(
+            404, ErrFormat.relation_type_not_found.format("id={}".format(rel_id)))
 
         return existed.update(name=name)
 
     @staticmethod
     def delete(rel_id):
-        existed = RelationType.get_by_id(rel_id) or abort(404, "RelationType <{0}> does not exist".format(rel_id))
+        existed = RelationType.get_by_id(rel_id) or abort(
+            404, ErrFormat.relation_type_not_found.format("id={}".format(rel_id)))
 
         existed.soft_delete()

cmdb-api/api/lib/cmdb/resp_format.py

@@ -0,0 +1,178 @@
+# -*- coding:utf-8 -*-
+
+from flask_babel import lazy_gettext as _l
+
+from api.lib.resp_format import CommonErrFormat
+
+
+class ErrFormat(CommonErrFormat):
+    ci_type_config = _l("CI Model")  # 模型配置
+
+    invalid_relation_type = _l("Invalid relation type: {}")  # 无效的关系类型: {}
+    ci_type_not_found = _l("CIType is not found")  # 模型不存在!
+
+    # 参数 attributes 类型必须是列表
+    argument_attributes_must_be_list = _l("The type of parameter attributes must be a list")
+    argument_file_not_found = _l("The file doesn't seem to be uploaded")  # 文件似乎并未上传
+
+    attribute_not_found = _l("Attribute {} does not exist!")  # 属性 {} 不存在!
+    # 该属性是模型的唯一标识，不能被删除!
+    attribute_is_unique_id = _l(
+        "This attribute is the unique identifier of the model and cannot be deleted!")  
+    attribute_is_ref_by_type = _l(
+        "This attribute is referenced by model {} and cannot be deleted!")  # 该属性被模型 {} 引用, 不能删除!
+    attribute_value_type_cannot_change = _l(
+        "The value type of the attribute is not allowed to be modified!")  # 属性的值类型不允许修改!
+    attribute_list_value_cannot_change = _l("Multiple values are not allowed to be modified!")  # 多值不被允许修改!
+    # 修改索引 非管理员不被允许!
+    attribute_index_cannot_change = _l("Modifying the index is not allowed for non-administrators!")
+    attribute_index_change_failed = _l("Index switching failed!")  # 索引切换失败!
+    invalid_choice_values = _l("The predefined value is of the wrong type!")  # 预定义值的类型不对！
+    attribute_name_duplicate = _l("Duplicate attribute name {}")  # 重复的属性名 {}
+    add_attribute_failed = _l("Failed to create attribute {}!")  # 创建属性 {} 失败!
+    update_attribute_failed = _l("Modify attribute {} failed!")  # 修改属性 {} 失败!
+    cannot_edit_attribute = _l("You do not have permission to modify this attribute!")  # 您没有权限修改该属性!
+    cannot_delete_attribute = _l(
+        "Only creators and administrators are allowed to delete attributes!")  # 目前只允许 属性创建人、管理员 删除属性!
+    # 属性字段名不能是内置字段: id, _id, ci_id, type, _type, ci_type
+    attribute_name_cannot_be_builtin = _l(
+        "Attribute field names cannot be built-in fields: id, _id, ci_id, type, _type, ci_type, ticket_id")
+    attribute_choice_other_invalid = _l(
+        "Predefined value: Other model request parameters are illegal!")  # 预定义值: 其他模型请求参数不合法!
+
+    ci_not_found = _l("CI {} does not exist")  # CI {} 不存在
+    unique_constraint = _l("Multiple attribute joint unique verification failed: {}")  # 多属性联合唯一校验不通过: {}
+    unique_value_not_found = _l("The model's primary key {} does not exist!")  # 模型的主键 {} 不存在!
+    unique_key_required = _l("Primary key {} is missing")  # 主键字段 {} 缺失
+    ci_is_already_existed = _l("CI already exists!")  # CI 已经存在!
+    ci_reference_not_found = _l("{}: CI reference {} does not exist!")  # {}: CI引用 {} 不存在!
+    ci_reference_invalid = _l("{}: CI reference {} is illegal!")  # {}, CI引用 {} 不合法!
+    relation_constraint = _l("Relationship constraint: {}, verification failed")  # 关系约束: {}, 校验失败
+    # 多对多关系 限制: 模型 {} <-> {} 已经存在多对多关系!
+    m2m_relation_constraint = _l(
+        "Many-to-many relationship constraint: Model {} <-> {} already has a many-to-many relationship!")
+
+    relation_not_found = _l("CI relationship: {} does not exist")  # CI关系: {} 不存在
+
+    # 搜索表达式里小括号前不支持: 或、非
+    ci_search_Parentheses_invalid = _l("In search expressions, not supported before parentheses: or, not")
+
+    ci_type_not_found2 = _l("Model {} does not exist")  # 模型 {} 不存在
+    ci_type_is_already_existed = _l("Model {} already exists")  # 模型 {} 已经存在
+    unique_key_not_define = _l("The primary key is undefined or has been deleted")  # 主键未定义或者已被删除
+    only_owner_can_delete = _l("Only the creator can delete it!")  # 只有创建人才能删除它!
+    ci_exists_and_cannot_delete_type = _l(
+        "The model cannot be deleted because the CI already exists")  # 因为CI已经存在，不能删除模型
+    ci_exists_and_cannot_delete_inheritance = _l(
+        "The inheritance cannot be deleted because the CI already exists")  # 因为CI已经存在，不能删除继承关系
+    ci_type_inheritance_cannot_delete = _l("The model is inherited and cannot be deleted")  # 该模型被继承, 不能删除
+    ci_type_referenced_cannot_delete = _l(
+        "The model is referenced by attribute {} and cannot be deleted")  # 该模型被属性 {} 引用, 不能删除
+
+    # 因为关系视图 {} 引用了该模型，不能删除模型
+    ci_relation_view_exists_and_cannot_delete_type = _l(
+        "The model cannot be deleted because the model is referenced by the relational view {}")
+    ci_type_group_not_found = _l("Model group {} does not exist")  # 模型分组 {} 不存在
+    ci_type_group_exists = _l("Model group {} already exists")  # 模型分组 {} 已经存在
+    ci_type_relation_not_found = _l("Model relationship {} does not exist")  # 模型关系 {} 不存在
+    ci_type_attribute_group_duplicate = _l("Attribute group {} already exists")  # 属性分组 {} 已存在
+    ci_type_attribute_group_not_found = _l("Attribute group {} does not exist")  # 属性分组 {} 不存在
+    # 属性组<{0}> - 属性<{1}> 不存在
+    ci_type_group_attribute_not_found = _l("Attribute group <{0}> - attribute <{1}> does not exist")
+    unique_constraint_duplicate = _l("The unique constraint already exists!")  # 唯一约束已经存在!
+    # 唯一约束的属性不能是 JSON 和 多值
+    unique_constraint_invalid = _l("Uniquely constrained attributes cannot be JSON and multi-valued")
+    ci_type_trigger_duplicate = _l("Duplicated trigger")  # 重复的触发器
+    ci_type_trigger_not_found = _l("Trigger {} does not exist")  # 触发器 {} 不存在
+    ci_type_reconciliation_duplicate = _l("Duplicated reconciliation rule")  # 重复的校验规则
+    ci_type_reconciliation_not_found = _l("Reconciliation rule {} does not exist")  # 规则 {} 不存在
+
+    record_not_found = _l("Operation record {} does not exist")  # 操作记录 {} 不存在
+    cannot_delete_unique = _l("Unique identifier cannot be deleted")  # 不能删除唯一标识
+    cannot_delete_default_order_attr = _l("Cannot delete default sorted attributes")  # 不能删除默认排序的属性
+
+    preference_relation_view_node_required = _l("No node selected")  # 没有选择节点
+    preference_search_option_not_found = _l("This search option does not exist!")  # 该搜索选项不存在!
+    preference_search_option_exists = _l("This search option has a duplicate name!")  # 该搜索选项命名重复!
+
+    relation_type_exists = _l("Relationship type {} already exists")  # 关系类型 {} 已经存在
+    relation_type_not_found = _l("Relationship type {} does not exist")  # 关系类型 {} 不存在
+
+    attribute_value_invalid = _l("Invalid attribute value: {}")  # 无效的属性值: {}
+    attribute_value_invalid2 = _l("{} Invalid value: {}")  # {} 无效的值: {}
+    not_in_choice_values = _l("{} is not in the predefined values")  # {} 不在预定义值里
+    # 属性 {} 的值必须是唯一的, 当前值 {} 已存在
+    attribute_value_unique_required = _l("The value of attribute {} must be unique, {} already exists")
+    attribute_value_required = _l("Attribute {} value must exist")  # 属性 {} 值必须存在
+    attribute_value_out_of_range = _l("Out of range value, the maximum value is 2147483647")
+    # 新增或者修改属性值未知错误: {}
+    attribute_value_unknown_error = _l("Unknown error when adding or modifying attribute value: {}")
+
+    custom_name_duplicate = _l("Duplicate custom name")  # 订制名重复
+
+    limit_ci_type = _l("Number of models exceeds limit: {}")  # 模型数超过限制: {}
+    limit_ci = _l("The number of CIs exceeds the limit: {}")  # CI数超过限制: {}
+
+    adr_duplicate = _l("Auto-discovery rule: {} already exists!")  # 自动发现规则: {} 已经存在!
+    adr_not_found = _l("Auto-discovery rule: {} does not exist!")  # 自动发现规则: {} 不存在!
+    # 该自动发现规则被模型引用, 不能删除!
+    adr_referenced = _l("This auto-discovery rule is referenced by the model and cannot be deleted!")
+    # 自动发现规则的应用不能重复定义!
+    ad_duplicate = _l("The application of auto-discovery rules cannot be defined repeatedly!")
+    ad_not_found = _l("The auto-discovery you want to modify: {} does not exist!")  # 您要修改的自动发现: {} 不存在!
+    ad_not_unique_key = _l("Attribute does not include unique identifier: {}")  # 属性字段没有包括唯一标识: {}
+    adc_not_found = _l("The auto-discovery instance does not exist!")  # 自动发现的实例不存在!
+    adt_not_found = _l("The model is not associated with this auto-discovery!")  # 模型并未关联该自动发现!
+    adt_secret_no_permission = _l("Only the creator can modify the Secret!")  # 只有创建人才能修改Secret!
+    # 该规则已经有自动发现的实例, 不能被删除!
+    cannot_delete_adt = _l("This rule already has auto-discovery instances and cannot be deleted!")
+    # 该默认的自动发现规则 已经被模型 {} 引用!
+    adr_default_ref_once = _l("The default auto-discovery rule is already referenced by model {}!")
+    # unique_key方法必须返回非空字符串!
+    adr_unique_key_required = _l("The unique_key method must return a non-empty string!")
+    # attributes方法必须返回的是list
+    adr_plugin_attributes_list_required = _l("The attributes method must return a list")  
+    # attributes方法返回的list不能为空!
+    adr_plugin_attributes_list_no_empty = _l("The list returned by the attributes method cannot be empty!")
+    # 只有管理员才可以定义执行机器为: 所有节点!
+    adt_target_all_no_permission = _l("Only administrators can define execution targets as: all nodes!")
+    adt_target_expr_no_permission = _l("Execute targets permission check failed: {}")  # 执行机器权限检查不通过: {}
+
+    ci_filter_name_cannot_be_empty = _l("CI filter authorization must be named!")  # CI过滤授权 必须命名!
+    ci_filter_perm_cannot_or_query = _l(
+        "CI filter authorization is currently not supported or query")  # CI过滤授权 暂时不支持 或 查询
+    # 您没有属性 {} 的操作权限!
+    ci_filter_perm_attr_no_permission = _l("You do not have permission to operate attribute {}!")
+    ci_filter_perm_ci_no_permission = _l("You do not have permission to operate this CI!")  # 您没有该CI的操作权限!
+
+    password_save_failed = _l("Failed to save password: {}")  # 保存密码失败: {}
+    password_load_failed = _l("Failed to get password: {}")  # 获取密码失败: {}
+
+    cron_time_format_invalid = _l("Scheduling time format error")  # 调度时间格式错误
+    reconciliation_title = _l("CMDB data reconciliation results")  # CMDB数据合规检查结果
+    reconciliation_body = _l("Number of {} illegal: {}")  # "{} 不合规数: {}"
+
+    topology_exists = _l("Topology view {} already exists")  # 拓扑视图 {} 已经存在
+    topology_group_exists = _l("Topology group {} already exists")  # 拓扑视图分组 {} 已经存在
+    # 因为该分组下定义了拓扑视图，不能删除
+    topo_view_exists_cannot_delete_group = _l("The group cannot be deleted because the topology view already exists")
+
+    relation_path_search_src_target_required = _l("Both the source model and the target model must be selected")
+
+    builtin_type_cannot_update_name = _l("The names of built-in models cannot be changed")
+    # # IPAM
+    ipam_subnet_model_not_found = _l("The subnet model {} does not exist")
+    ipam_address_model_not_found = _l("The IP Address model {} does not exist")
+    ipam_cidr_invalid_notation = _l("CIDR {} is an invalid notation")
+    ipam_cidr_invalid_subnet = _l("Invalid CIDR: {}, available subnets: {}")
+    ipam_subnet_prefix_length_invalid = _l("Invalid subnet prefix length: {}")
+    ipam_parent_subnet_node_cidr_cannot_empty = _l("parent node cidr must be required")
+    ipam_subnet_overlapped = _l("{} and {} overlap")
+    ipam_subnet_cannot_delete = _l("Cannot delete because child nodes exist")
+    ipam_subnet_not_found = _l("Subnet is not found")
+    ipam_scope_cannot_delete = _l("Cannot delete because child nodes exist")
+
+    # # DCIM
+    dcim_builtin_model_not_found = _l("The dcim model {} does not exist")
+    dcim_rack_u_slot_invalid = _l("Irregularities in Rack Units")
+    dcim_rack_u_count_invalid = _l("The device's position is greater than the rack unit height")

cmdb-api/api/lib/cmdb/search/ci/__init__.py

@@ -1,3 +1,28 @@
 # -*- coding:utf-8 -*-
 
-__all__ = ['db', 'es']
+__all__ = ['db', 'es', 'search']
+
+from flask import current_app
+
+from api.lib.cmdb.const import RetKey
+from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
+from api.lib.cmdb.search.ci.es.search import Search as SearchFromES
+
+
+def search(query=None,
+           fl=None,
+           facet=None,
+           page=1,
+           ret_key=RetKey.NAME,
+           count=1,
+           sort=None,
+           excludes=None,
+           use_id_filter=False,
+           use_ci_filter=True):
+    if current_app.config.get("USE_ES"):
+        s = SearchFromES(query, fl, facet, page, ret_key, count, sort)
+    else:
+        s = SearchFromDB(query, fl, facet, page, ret_key, count, sort, excludes=excludes,
+                         use_id_filter=use_id_filter, use_ci_filter=use_ci_filter)
+
+    return s

cmdb-api/api/lib/cmdb/search/ci/db/query_sql.py

@@ -2,12 +2,12 @@
 
 from __future__ import unicode_literals
 
-
 QUERY_CIS_BY_VALUE_TABLE = """
     SELECT attr.name AS attr_name,
           attr.alias AS attr_alias,
           attr.value_type,
           attr.is_list,
+          attr.is_password,
           c_cis.type_id,
           {0}.ci_id,
           {0}.attr_id,
@@ -27,7 +27,8 @@ QUERY_CIS_BY_IDS = """
            A.attr_alias,
            A.value,
            A.value_type,
-           A.is_list
+           A.is_list,
+           A.is_password
     FROM
       ({1}) AS A {0}
        ORDER BY A.ci_id;
@@ -44,7 +45,7 @@ FACET_QUERY1 = """
 
 FACET_QUERY = """
     SELECT {0}.value,
-           count({0}.ci_id)
+           count(distinct {0}.ci_id)
     FROM {0}
     INNER JOIN ({1}) AS F ON F.ci_id={0}.ci_id
     WHERE {0}.attr_id={2:d}
@@ -55,7 +56,13 @@ QUERY_CI_BY_ATTR_NAME = """
     SELECT {0}.ci_id
     FROM {0}
     WHERE {0}.attr_id={1:d}
-      AND {0}.value {2}
+      AND ({0}.value {2})
+"""
+
+QUERY_CI_BY_ID = """
+    SELECT c_cis.id as ci_id
+    FROM c_cis
+    WHERE c_cis.id {}
 """
 
 QUERY_CI_BY_TYPE = """
@@ -64,3 +71,48 @@ QUERY_CI_BY_TYPE = """
     WHERE c_cis.type_id in ({0})
 """
 
+QUERY_UNION_CI_ATTRIBUTE_IS_NULL = """
+    SELECT *
+    FROM (
+      SELECT c_cis.id AS ci_id
+      FROM c_cis
+      WHERE c_cis.type_id IN ({0})
+    ) {3}
+      LEFT JOIN (
+        SELECT {1}.ci_id
+        FROM {1}
+        WHERE {1}.attr_id = {2}
+          AND {1}.value LIKE "%"
+      ) {4} USING (ci_id)
+    WHERE {4}.ci_id IS NULL
+"""
+
+QUERY_CI_BY_NO_ATTR = """
+SELECT *
+FROM 
+    (SELECT c_value_index_texts.ci_id
+    FROM c_value_index_texts
+    WHERE c_value_index_texts.value LIKE "{0}"
+    UNION
+    SELECT c_value_index_integers.ci_id
+    FROM c_value_index_integers
+    WHERE c_value_index_integers.value LIKE "{0}"
+    UNION
+    SELECT c_value_index_floats.ci_id
+    FROM c_value_index_floats
+    WHERE c_value_index_floats.value LIKE "{0}"
+    UNION
+    SELECT c_value_index_datetime.ci_id
+    FROM c_value_index_datetime
+    WHERE c_value_index_datetime.value LIKE "{0}") AS {1}
+GROUP BY  {1}.ci_id
+"""
+
+QUERY_CI_BY_NO_ATTR_IN = """
+SELECT *
+FROM 
+    (SELECT c_value_index_texts.ci_id
+    FROM c_value_index_texts
+    WHERE c_value_index_texts.value in ({0})) AS {1}
+GROUP BY {1}.ci_id
+"""

cmdb-api/api/lib/cmdb/search/ci/db/search.py

@@ -1,25 +1,41 @@
-# -*- coding:utf-8 -*- 
+# -*- coding:utf-8 -*-
 
 
 from __future__ import unicode_literals
 
+import copy
+import six
 import time
-
+from flask import abort
 from flask import current_app
+from flask_login import current_user
+from jinja2 import Template
+from sqlalchemy import text
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
 from api.lib.cmdb.cache import CITypeCache
 from api.lib.cmdb.ci import CIManager
+from api.lib.cmdb.const import BUILTIN_ATTRIBUTES
+from api.lib.cmdb.const import PermEnum
+from api.lib.cmdb.const import ResourceTypeEnum
 from api.lib.cmdb.const import RetKey
 from api.lib.cmdb.const import ValueTypeEnum
+from api.lib.cmdb.perms import CIFilterPermsCRUD
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.cmdb.search import SearchError
 from api.lib.cmdb.search.ci.db.query_sql import FACET_QUERY
 from api.lib.cmdb.search.ci.db.query_sql import QUERY_CI_BY_ATTR_NAME
+from api.lib.cmdb.search.ci.db.query_sql import QUERY_CI_BY_ID
+from api.lib.cmdb.search.ci.db.query_sql import QUERY_CI_BY_NO_ATTR
+from api.lib.cmdb.search.ci.db.query_sql import QUERY_CI_BY_NO_ATTR_IN
 from api.lib.cmdb.search.ci.db.query_sql import QUERY_CI_BY_TYPE
+from api.lib.cmdb.search.ci.db.query_sql import QUERY_UNION_CI_ATTRIBUTE_IS_NULL
 from api.lib.cmdb.utils import TableMap
+from api.lib.cmdb.utils import ValueTypeMap
+from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import is_app_admin
 from api.lib.utils import handle_arg_list
-from api.models.cmdb import CI
 
 
 class Search(object):
@@ -30,24 +46,44 @@ class Search(object):
                  ret_key=RetKey.NAME,
                  count=1,
                  sort=None,
-                 ci_ids=None):
+                 ci_ids=None,
+                 excludes=None,
+                 parent_node_perm_passed=False,
+                 use_id_filter=False,
+                 use_ci_filter=True,
+                 only_ids=False):
         self.orig_query = query
-        self.fl = fl
+        self.fl = fl or []
+        self.excludes = excludes or []
         self.facet_field = facet_field
         self.page = page
         self.ret_key = ret_key
         self.count = count
         self.sort = sort
         self.ci_ids = ci_ids or []
+        self.raw_ci_ids = copy.deepcopy(self.ci_ids)
         self.query_sql = ""
         self.type_id_list = []
         self.only_type_query = False
+        self.parent_node_perm_passed = parent_node_perm_passed
+        self.use_id_filter = use_id_filter
+        self.use_ci_filter = use_ci_filter
+        self.only_ids = only_ids
+        self.multi_type_has_ci_filter = False
+
+        self.valid_type_names = []
+        self.type2filter_perms = dict()
+        self.is_app_admin = is_app_admin('cmdb') or current_user.username == "worker"
+        self.is_app_admin = self.is_app_admin or (not self.use_ci_filter and not self.use_id_filter)
 
     @staticmethod
     def _operator_proc(key):
         operator = "&"
         if key.startswith("+"):
             key = key[1:].strip()
+        elif key.startswith("-~"):
+            operator = "|~"
+            key = key[2:].strip()
         elif key.startswith("-"):
             operator = "|"
             key = key[1:].strip()
@@ -70,48 +106,139 @@ class Search(object):
         if attr:
             return attr.name, attr.value_type, operator, attr
         else:
-            raise SearchError("{0} is not existed".format(key))
+            raise SearchError(ErrFormat.attribute_not_found.format(key))
 
-    def _type_query_handler(self, v):
+    def _type_query_handler(self, v, queries, is_sub=False):
         new_v = v[1:-1].split(";") if v.startswith("(") and v.endswith(")") else [v]
+        type_num = len(new_v)
+        type_id_list = []
         for _v in new_v:
             ci_type = CITypeCache.get(_v)
-            if ci_type is not None:
-                self.type_id_list.append(str(ci_type.id))
 
-        if self.type_id_list:
-            type_ids = ",".join(self.type_id_list)
-            _query_sql = QUERY_CI_BY_TYPE.format(type_ids)
-            if self.only_type_query:
-                return _query_sql
+            if type_num == 1 and not self.sort and ci_type and ci_type.default_order_attr:
+                self.sort = ci_type.default_order_attr
+
+            if ci_type is not None:
+                if self.valid_type_names == "ALL" or ci_type.name in self.valid_type_names:
+                    if not is_sub:
+                        self.type_id_list.append(str(ci_type.id))
+                    type_id_list.append(str(ci_type.id))
+                    if ci_type.id in self.type2filter_perms and not is_sub:
+                        ci_filter = self.type2filter_perms[ci_type.id].get('ci_filter')
+                        if ci_filter and self.use_ci_filter and not self.use_id_filter:
+                            sub = []
+                            ci_filter = Template(ci_filter).render(user=current_user)
+                            for i in ci_filter.split(','):
+                                if type_num == 1:
+                                    if i.startswith("~") and not sub:
+                                        queries.append(i)
+                                    else:
+                                        sub.append(i)
+                                else:
+                                    sub.append(i)
+                            if sub:
+                                if type_num == 1:
+                                    queries.append(dict(operator="&", queries=sub))
+                                else:
+                                    if str(ci_type.id) in self.type_id_list:
+                                        self.type_id_list.remove(str(ci_type.id))
+                                    type_id_list.remove(str(ci_type.id))
+                                    sub.extend([i for i in queries[1:] if isinstance(i, (six.string_types, list))])
+
+                                    sub.insert(0, "_type:{}".format(ci_type.id))
+                                    queries.append(dict(operator="|", queries=sub))
+                                    self.multi_type_has_ci_filter = True
+                        if self.type2filter_perms[ci_type.id].get('attr_filter'):
+                            if type_num == 1:
+                                if not self.fl:
+                                    self.fl = set(self.type2filter_perms[ci_type.id]['attr_filter'])
+                                else:
+                                    fl = set(self.fl) & set(self.type2filter_perms[ci_type.id]['attr_filter'])
+                                    not fl and abort(400, ErrFormat.ci_filter_perm_attr_no_permission.format(self.fl))
+                                    self.fl = fl
+                            else:
+                                self.fl = self.fl or {}
+                                if not self.fl or isinstance(self.fl, dict):
+                                    self.fl[ci_type.id] = set(self.type2filter_perms[ci_type.id]['attr_filter'])
+
+                        if self.type2filter_perms[ci_type.id].get('id_filter') and self.use_id_filter:
+
+                            if not self.raw_ci_ids:
+                                self.ci_ids = list(self.type2filter_perms[ci_type.id]['id_filter'].keys())
+
+                    if self.use_id_filter and not self.ci_ids and not self.is_app_admin:
+                        self.raw_ci_ids = [0]
+                else:
+                    raise SearchError(ErrFormat.no_permission.format(ci_type.alias, PermEnum.READ))
             else:
-                return ""
+                raise SearchError(ErrFormat.ci_type_not_found2.format(_v))
+
+        if type_num != len(self.type_id_list) and queries and queries[0].startswith('_type') and not is_sub:
+            queries[0] = "_type:({})".format(";".join(self.type_id_list))
+
+        if type_id_list:
+            type_ids = ",".join(type_id_list)
+            _query_sql = QUERY_CI_BY_TYPE.format(type_ids)
+            if self.only_type_query or self.multi_type_has_ci_filter:
+                return _query_sql
+        elif type_num > 1:  # there must be instance-level access control
+            return "select c_cis.id as ci_id from c_cis where c_cis.id=0"
+
         return ""
 
     @staticmethod
-    def _in_query_handler(attr, v):
+    def _id_query_handler(v):
+        if ";" in v:
+            return QUERY_CI_BY_ID.format("in {}".format(v.replace(';', ',')))
+        else:
+            return QUERY_CI_BY_ID.format("= {}".format(v))
+
+    @staticmethod
+    def _in_query_handler(attr, v, is_not):
         new_v = v[1:-1].split(";")
-        table_name = TableMap(attr_name=attr.name).table_name
-        in_query = " OR {0}.value ".format(table_name).join(['LIKE "{0}"'.format(_v.replace("*", "%")) for _v in new_v])
+
+        if attr.value_type == ValueTypeEnum.DATE:
+            new_v = ["{} 00:00:00".format(i) for i in new_v if len(i) == 10]
+
+        table_name = TableMap(attr=attr).table_name
+        in_query = " OR {0}.value ".format(table_name).join(['{0} "{1}"'.format(
+            "NOT LIKE" if is_not else "LIKE",
+            _v.replace("*", "%")) for _v in new_v])
         _query_sql = QUERY_CI_BY_ATTR_NAME.format(table_name, attr.id, in_query)
+
         return _query_sql
 
     @staticmethod
-    def _range_query_handler(attr, v):
+    def _range_query_handler(attr, v, is_not):
         start, end = [x.strip() for x in v[1:-1].split("_TO_")]
-        table_name = TableMap(attr_name=attr.name).table_name
-        range_query = "BETWEEN '{0}' AND '{1}'".format(start.replace("*", "%"), end.replace("*", "%"))
+
+        if attr.value_type == ValueTypeEnum.DATE:
+            start = "{} 00:00:00".format(start) if len(start) == 10 else start
+            end = "{} 00:00:00".format(end) if len(end) == 10 else end
+
+        table_name = TableMap(attr=attr).table_name
+        range_query = "{0} '{1}' AND '{2}'".format(
+            "NOT BETWEEN" if is_not else "BETWEEN",
+            start.replace("*", "%"), end.replace("*", "%"))
         _query_sql = QUERY_CI_BY_ATTR_NAME.format(table_name, attr.id, range_query)
+
         return _query_sql
 
     @staticmethod
     def _comparison_query_handler(attr, v):
-        table_name = TableMap(attr_name=attr.name).table_name
+        table_name = TableMap(attr=attr).table_name
         if v.startswith(">=") or v.startswith("<="):
+            if attr.value_type == ValueTypeEnum.DATE and len(v[2:]) == 10:
+                v = "{} 00:00:00".format(v)
+
             comparison_query = "{0} '{1}'".format(v[:2], v[2:].replace("*", "%"))
         else:
+            if attr.value_type == ValueTypeEnum.DATE and len(v[1:]) == 10:
+                v = "{} 00:00:00".format(v)
+
             comparison_query = "{0} '{1}'".format(v[0], v[1:].replace("*", "%"))
         _query_sql = QUERY_CI_BY_ATTR_NAME.format(table_name, attr.id, comparison_query)
+
         return _query_sql
 
     @staticmethod
@@ -123,6 +250,7 @@ class Search(object):
         elif field.startswith("-"):
             field = field[1:]
             sort_type = "DESC"
+
         return field, sort_type
 
     def __sort_by_id(self, sort_type, query_sql):
@@ -132,7 +260,7 @@ class Search(object):
             return ret_sql.format(query_sql, "ORDER BY B.ci_id {1} LIMIT {0:d}, {2};".format(
                 (self.page - 1) * self.count, sort_type, self.count))
 
-        elif self.type_id_list:
+        elif self.type_id_list and not self.multi_type_has_ci_filter:
             self.query_sql = "SELECT B.ci_id FROM ({0}) AS B {1}".format(
                 query_sql,
                 "INNER JOIN c_cis on c_cis.id=B.ci_id WHERE c_cis.type_id IN ({0}) ".format(
@@ -154,21 +282,52 @@ class Search(object):
                 "INNER JOIN c_cis on c_cis.id=B.ci_id "
                 "ORDER BY B.ci_id {1} LIMIT {0:d}, {2};".format((self.page - 1) * self.count, sort_type, self.count))
 
+    def __sort_by_type(self, sort_type, query_sql):
+        ret_sql = "SELECT SQL_CALC_FOUND_ROWS DISTINCT B.ci_id FROM ({0}) AS B {1}"
+
+        if self.type_id_list and not self.multi_type_has_ci_filter:
+            self.query_sql = "SELECT B.ci_id FROM ({0}) AS B {1}".format(
+                query_sql,
+                "INNER JOIN c_cis on c_cis.id=B.ci_id WHERE c_cis.type_id IN ({0}) ".format(
+                    ",".join(self.type_id_list)))
+
+            return ret_sql.format(
+                query_sql,
+                "INNER JOIN c_cis on c_cis.id=B.ci_id WHERE c_cis.type_id IN ({3}) "
+                "ORDER BY c_cis.type_id {1} LIMIT {0:d}, {2};".format(
+                    (self.page - 1) * self.count, sort_type, self.count, ",".join(self.type_id_list)))
+
+        else:
+            self.query_sql = "SELECT B.ci_id FROM ({0}) AS B {1}".format(
+                query_sql,
+                "INNER JOIN c_cis on c_cis.id=B.ci_id ")
+
+            return ret_sql.format(
+                query_sql,
+                "INNER JOIN c_cis on c_cis.id=B.ci_id "
+                "ORDER BY c_cis.type_id {1} LIMIT {0:d}, {2};".format(
+                    (self.page - 1) * self.count, sort_type, self.count))
+
     def __sort_by_field(self, field, sort_type, query_sql):
-        attr = AttributeCache.get(field)
-        attr_id = attr.id
+        if field not in BUILTIN_ATTRIBUTES:
 
-        table_name = TableMap(attr_name=attr.name).table_name
-        _v_query_sql = """SELECT {0}.ci_id, {1}.value 
-                          FROM ({2}) AS {0} INNER JOIN {1} ON {1}.ci_id = {0}.ci_id
-                          WHERE {1}.attr_id = {3}""".format("ALIAS", table_name, query_sql, attr_id)
-        new_table = _v_query_sql
+            attr = AttributeCache.get(field)
+            attr_id = attr.id
 
-        if self.only_type_query or not self.type_id_list:
-            return "SELECT SQL_CALC_FOUND_ROWS DISTINCT C.ci_id, C.value " \
-                   "FROM ({0}) AS C " \
-                   "ORDER BY C.value {2} " \
-                   "LIMIT {1:d}, {3};".format(new_table, (self.page - 1) * self.count, sort_type, self.count)
+            table_name = TableMap(attr=attr).table_name
+            _v_query_sql = """SELECT ALIAS.ci_id, {0}.value
+                              FROM ({1}) AS ALIAS INNER JOIN {0} ON {0}.ci_id = ALIAS.ci_id
+                              WHERE {0}.attr_id = {2}""".format(table_name, query_sql, attr_id)
+            new_table = _v_query_sql
+        else:
+            _v_query_sql = """SELECT c_cis.id AS ci_id, c_cis.{0} AS value
+                                          FROM c_cis  INNER JOIN ({1}) AS ALIAS ON ALIAS.ci_id = c_cis.id""".format(
+                field[1:], query_sql)
+            new_table = _v_query_sql
+
+        if self.only_type_query or not self.type_id_list or self.multi_type_has_ci_filter:
+            return ("SELECT SQL_CALC_FOUND_ROWS DISTINCT C.ci_id FROM ({0}) AS C ORDER BY C.value {2} "
+                    "LIMIT {1:d}, {3};".format(new_table, (self.page - 1) * self.count, sort_type, self.count))
 
         elif self.type_id_list:
             self.query_sql = """SELECT C.ci_id
@@ -176,7 +335,7 @@ class Search(object):
                                 INNER JOIN c_cis on c_cis.id=C.ci_id
                                 WHERE c_cis.type_id IN ({1})""".format(new_table, ",".join(self.type_id_list))
 
-            return """SELECT SQL_CALC_FOUND_ROWS DISTINCT C.ci_id, C.value
+            return """SELECT SQL_CALC_FOUND_ROWS DISTINCT C.ci_id
                       FROM ({0}) AS C
                       INNER JOIN c_cis on c_cis.id=C.ci_id
                       WHERE c_cis.type_id IN ({4})
@@ -192,6 +351,8 @@ class Search(object):
 
         if field in ("_id", "ci_id") or not field:
             return self.__sort_by_id(sort_type, query_sql)
+        elif field in ("_type", "ci_type"):
+            return self.__sort_by_type(sort_type, query_sql)
         else:
             return self.__sort_by_field(field, sort_type, query_sql)
 
@@ -201,11 +362,13 @@ class Search(object):
             query_sql = """SELECT * FROM ({0}) as {1}
                            INNER JOIN ({2}) as {3} USING(ci_id)""".format(query_sql, alias, _query_sql, alias + "A")
 
-        elif operator == "|":
-            query_sql = "SELECT * FROM ({0}) as {1} UNION ALL ({2})".format(query_sql, alias, _query_sql)
+        elif operator == "|" or operator == "|~":
+            query_sql = "SELECT * FROM ({0}) as {1} UNION ALL SELECT * FROM ({2}) as {3}".format(query_sql, alias,
+                                                                                                 _query_sql,
+                                                                                                 alias + "A")
 
         elif operator == "~":
-            query_sql = """SELECT * FROM ({0}) as {1} LEFT JOIN ({2}) as {3} USING(ci_id) 
+            query_sql = """SELECT * FROM ({0}) as {1} LEFT JOIN ({2}) as {3} USING(ci_id)
                            WHERE {3}.ci_id is NULL""".format(query_sql, alias, _query_sql, alias + "A")
 
         return query_sql
@@ -215,8 +378,8 @@ class Search(object):
 
         start = time.time()
         execute = db.session.execute
-        current_app.logger.debug(v_query_sql)
-        res = execute(v_query_sql).fetchall()
+        # current_app.logger.debug(v_query_sql)
+        res = execute(text(v_query_sql)).fetchall()
         end_time = time.time()
         current_app.logger.debug("query ci ids time is: {0}".format(end_time - start))
 
@@ -225,54 +388,175 @@ class Search(object):
 
         return numfound, res
 
+    def __get_type2filter_perms(self):
+        res2 = ACLManager('cmdb').get_resources(ResourceTypeEnum.CI_FILTER)
+        if res2:
+            self.type2filter_perms = CIFilterPermsCRUD().get_by_ids(list(map(int, [i['name'] for i in res2])))
+
+    def __get_types_has_read(self):
+        """
+        :return: _type:(type1;type2)
+        """
+        acl = ACLManager('cmdb')
+        res = acl.get_resources(ResourceTypeEnum.CI)
+
+        self.valid_type_names = {i['name'] for i in res if PermEnum.READ in i['permissions']}
+
+        self.__get_type2filter_perms()
+
+        for type_id in self.type2filter_perms:
+            ci_type = CITypeCache.get(type_id)
+            if ci_type:
+                if self.type2filter_perms[type_id].get('id_filter'):
+                    if self.use_id_filter:
+                        self.valid_type_names.add(ci_type.name)
+                elif self.type2filter_perms[type_id].get('ci_filter'):
+                    if self.use_ci_filter:
+                        self.valid_type_names.add(ci_type.name)
+                else:
+                    self.valid_type_names.add(ci_type.name)
+
+        return "_type:({})".format(";".join(self.valid_type_names))
+
     def __confirm_type_first(self, queries):
+        has_type = False
+
+        result = []
+        sub = {}
+        id_query = None
         for q in queries:
             if q.startswith("_type"):
-                queries.remove(q)
-                queries.insert(0, q)
+                has_type = True
+                result.insert(0, q)
                 if len(queries) == 1 or queries[1].startswith("-") or queries[1].startswith("~"):
                     self.only_type_query = True
-        return queries
+            elif q.startswith("_id") and len(q.split(':')) == 2:
+                id_query = int(q.split(":")[1]) if q.split(":")[1].isdigit() else None
+                result.append(q)
+            elif q.startswith("(") or q[1:].startswith("(") or q[2:].startswith("("):
+                if not q.startswith("("):
+                    raise SearchError(ErrFormat.ci_search_Parentheses_invalid)
 
-    def __query_build_by_field(self, queries):
-        query_sql, alias, operator = "", "A", "&"
-        is_first, only_type_query_special = True, True
+                if ":" not in q:  # multi-line search
+                    result.append(q[1:-1].split(';'))
+                else:
+                    operator, q = self._operator_proc(q)
+                    if q.endswith(")"):
+                        result.append(dict(operator=operator, queries=[q[1:-1]]))
+
+                    sub = dict(operator=operator, queries=[q[1:]])
+            elif q.endswith(")") and sub:
+                sub['queries'].append(q[:-1])
+                result.append(copy.deepcopy(sub))
+                sub = {}
+            elif sub:
+                sub['queries'].append(q)
+            else:
+                result.append(q)
+
+        if self.parent_node_perm_passed:
+            self.__get_type2filter_perms()
+            self.valid_type_names = "ALL"
+        elif result and not has_type and not self.is_app_admin:
+            type_q = self.__get_types_has_read()
+            if id_query:
+                ci = CIManager.get_by_id(id_query)
+                if not ci:
+                    raise SearchError(ErrFormat.ci_not_found.format(id_query))
+                result.insert(0, "_type:{}".format(ci.type_id))
+            else:
+                result.insert(0, type_q)
+        elif self.is_app_admin:
+            self.valid_type_names = "ALL"
+        else:
+            self.__get_types_has_read()
+
+        return result
+
+    def __query_by_attr(self, q, queries, alias, is_sub=False):
+        k = q.split(":")[0].strip()
+        v = "\:".join(q.split(":")[1:]).strip()
+        v = v.replace("'", "\\'")
+        v = v.replace('"', '\\"')
+        field, field_type, operator, attr = self._attr_name_proc(k)
+        if field == "_type":
+            _query_sql = self._type_query_handler(v, queries, is_sub)
+
+        elif field == "_id":
+            _query_sql = self._id_query_handler(v)
+
+        elif field:
+            if attr is None:
+                raise SearchError(ErrFormat.attribute_not_found.format(field))
+
+            is_not = True if operator == "|~" else False
+
+            if field_type == ValueTypeEnum.DATE and len(v) == 10:
+                v = "{} 00:00:00".format(v)
+
+            if field_type == ValueTypeEnum.BOOL and "*" not in str(v):
+                v = str(int(v in current_app.config.get('BOOL_TRUE')))
+
+            # in query
+            if v.startswith("(") and v.endswith(")"):
+                _query_sql = self._in_query_handler(attr, v, is_not)
+            # range query
+            elif v.startswith("[") and v.endswith("]") and "_TO_" in v:
+                _query_sql = self._range_query_handler(attr, v, is_not)
+            # comparison query
+            elif v.startswith(">=") or v.startswith("<=") or v.startswith(">") or v.startswith("<"):
+                _query_sql = self._comparison_query_handler(attr, v)
+            else:
+                table_name = TableMap(attr=attr).table_name
+                if is_not and v == "*" and self.type_id_list:  # special handle
+                    _query_sql = QUERY_UNION_CI_ATTRIBUTE_IS_NULL.format(
+                        ",".join(self.type_id_list),
+                        table_name,
+                        attr.id,
+                        alias,
+                        alias + 'A'
+                    )
+                    alias += "AA"
+                else:
+                    _query_sql = QUERY_CI_BY_ATTR_NAME.format(
+                        table_name,
+                        attr.id,
+                        '{0} "{1}"'.format("NOT LIKE" if is_not else "LIKE", v.replace("*", "%")))
+        else:
+            raise SearchError(ErrFormat.argument_invalid.format("q"))
+
+        return alias, _query_sql, operator
+
+    def __query_build_by_field(self, queries, is_first=True, only_type_query_special=True, alias='A', operator='&',
+                               is_sub=False):
+        query_sql = ""
 
         for q in queries:
+            # current_app.logger.debug(q)
             _query_sql = ""
-            if ":" in q:
-                k = q.split(":")[0].strip()
-                v = ":".join(q.split(":")[1:]).strip()
-                current_app.logger.debug(v)
-                field, field_type, operator, attr = self._attr_name_proc(k)
-                if field == "_type":
-                    _query_sql = self._type_query_handler(v)
-                    current_app.logger.debug(_query_sql)
-                elif field == "_id":  # exclude all others
-                    ci = CI.get_by_id(v)
-                    if ci is not None:
-                        return 1, [str(v)]
-                elif field:
-                    if attr is None:
-                        raise SearchError("{0} is not found".format(field))
-
-                    # in query
-                    if v.startswith("(") and v.endswith(")"):
-                        _query_sql = self._in_query_handler(attr, v)
-                    # range query
-                    elif v.startswith("[") and v.endswith("]") and "_TO_" in v:
-                        _query_sql = self._range_query_handler(attr, v)
-                    # comparison query
-                    elif v.startswith(">=") or v.startswith("<=") or v.startswith(">") or v.startswith("<"):
-                        _query_sql = self._comparison_query_handler(attr, v)
-                    else:
-                        table_name = TableMap(attr_name=attr.name).table_name
-                        _query_sql = QUERY_CI_BY_ATTR_NAME.format(
-                            table_name, attr.id, 'LIKE "{0}"'.format(v.replace("*", "%")))
+            if isinstance(q, dict):
+                if len(q['queries']) == 1 and ";" in q['queries'][0]:
+                    values = q['queries'][0].split(";")
+                    in_values = ",".join("'{0}'".format(v) for v in values)
+                    _query_sql = QUERY_CI_BY_NO_ATTR_IN.format(in_values, alias)
+                    operator = q['operator']
                 else:
-                    raise SearchError("argument q format invalid: {0}".format(q))
+                    alias, _query_sql, operator = self.__query_build_by_field(q['queries'], True, True, alias,
+                                                                              is_sub=True)
+                    operator = q['operator']
+
+            elif ":" in q and not q.startswith("*"):
+                alias, _query_sql, operator = self.__query_by_attr(q, queries, alias, is_sub)
+            elif q == "*":
+                continue
             elif q:
-                raise SearchError("argument q format invalid: {0}".format(q))
+                if not isinstance(q, list):
+                    q = q.replace("'", "\\'")
+                    q = q.replace('"', '\\"')
+                    q = q.replace("*", "%").replace('\\n', '%')
+                    _query_sql = QUERY_CI_BY_NO_ATTR.format(q, alias)
+                else:
+                    _query_sql = QUERY_CI_BY_NO_ATTR_IN.format(",".join("'{0}'".format(v) for v in q), alias)
 
             if is_first and _query_sql and not self.only_type_query:
                 query_sql = "SELECT * FROM ({0}) AS {1}".format(_query_sql, alias)
@@ -285,30 +569,48 @@ class Search(object):
             elif _query_sql:
                 query_sql = self._wrap_sql(operator, alias, _query_sql, query_sql)
                 alias += "AA"
-        return None, query_sql
+
+        return alias, query_sql, operator
 
     def _filter_ids(self, query_sql):
         if self.ci_ids:
             return "SELECT * FROM ({0}) AS IN_QUERY WHERE IN_QUERY.ci_id IN ({1})".format(
-                query_sql, ",".join(list(map(str, self.ci_ids))))
+                query_sql, ",".join(list(set(map(str, self.ci_ids)))))
 
         return query_sql
 
+    @staticmethod
+    def _extra_handle_query_expr(args):  # \, or ,
+        result = []
+        if args:
+            result.append(args[0])
+
+        for arg in args[1:]:
+            if result[-1].endswith('\\'):
+                result[-1] = ",".join([result[-1].rstrip('\\'), arg])
+            # elif ":" not in arg:
+            #     result[-1] = ",".join([result[-1], arg])
+            else:
+                result.append(arg)
+
+        return result
+
     def _query_build_raw(self):
 
         queries = handle_arg_list(self.orig_query)
+        queries = self._extra_handle_query_expr(queries)
         queries = self.__confirm_type_first(queries)
-        current_app.logger.debug(queries)
 
-        ret, query_sql = self.__query_build_by_field(queries)
-        if ret is not None:
-            return ret, query_sql
+        _, query_sql, _ = self.__query_build_by_field(queries)
 
         s = time.time()
         if query_sql:
             query_sql = self._filter_ids(query_sql)
+            if self.raw_ci_ids and not self.ci_ids:
+                return 0, []
+
             self.query_sql = query_sql
-            current_app.logger.debug(query_sql)
+            # current_app.logger.debug(query_sql)
             numfound, res = self._execute_sql(query_sql)
             current_app.logger.debug("query ci ids is: {0}".format(time.time() - s))
             return numfound, [_res[0] for _res in res]
@@ -320,32 +622,37 @@ class Search(object):
         for f in self.facet_field:
             k, field_type, _, attr = self._attr_name_proc(f)
             if k:
-                table_name = TableMap(attr_name=k).table_name
+                table_name = TableMap(attr=attr).table_name
                 query_sql = FACET_QUERY.format(table_name, self.query_sql, attr.id)
-                current_app.logger.debug(query_sql)
-                result = db.session.execute(query_sql).fetchall()
+                result = db.session.execute(text(query_sql)).fetchall()
                 facet[k] = result
 
         facet_result = dict()
         for k, v in facet.items():
             if not k.startswith('_'):
-                a = getattr(AttributeCache.get(k), self.ret_key)
-                facet_result[a] = [(f[0], f[1], a) for f in v]
+                attr = AttributeCache.get(k)
+                a = getattr(attr, self.ret_key)
+                facet_result[a] = [(ValueTypeMap.serialize[attr.value_type](f[0]), f[1], a) for f in v]
 
         return facet_result
 
     def _fl_build(self):
-        _fl = list()
-        for f in self.fl:
-            k, _, _, _ = self._attr_name_proc(f)
-            if k:
-                _fl.append(k)
+        if isinstance(self.fl, list):
+            _fl = list()
+            for f in self.fl:
+                k, _, _, _ = self._attr_name_proc(f)
+                if k:
+                    _fl.append(k)
 
-        return _fl
+            return _fl
+        else:
+            return self.fl
 
     def search(self):
         numfound, ci_ids = self._query_build_raw()
         ci_ids = list(map(str, ci_ids))
+        if self.only_ids:
+            return ci_ids
 
         _fl = self._fl_build()
 
@@ -356,8 +663,10 @@ class Search(object):
 
         response, counter = [], {}
         if ci_ids:
-            response = CIManager.get_cis_by_ids(ci_ids, ret_key=self.ret_key, fields=_fl)
+            response = CIManager.get_cis_by_ids(ci_ids, ret_key=self.ret_key, fields=_fl, excludes=self.excludes)
         for res in response:
+            if not res:
+                continue
             ci_type = res.get("ci_type")
             if ci_type not in counter.keys():
                 counter[ci_type] = 0
@@ -365,3 +674,8 @@ class Search(object):
         total = len(response)
 
         return response, counter, total, self.page, numfound, facet
+
+    def get_ci_ids(self):
+        _, ci_ids = self._query_build_raw()
+
+        return ci_ids

cmdb-api/api/lib/cmdb/search/ci/es/search.py

@@ -3,12 +3,14 @@
 
 from __future__ import unicode_literals
 
+import six
 from flask import current_app
 
 from api.extensions import es
 from api.lib.cmdb.cache import AttributeCache
 from api.lib.cmdb.const import RetKey
 from api.lib.cmdb.const import ValueTypeEnum
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.cmdb.search import SearchError
 from api.lib.utils import handle_arg_list
 
@@ -21,9 +23,11 @@ class Search(object):
                  ret_key=RetKey.NAME,
                  count=1,
                  sort=None,
-                 ci_ids=None):
+                 ci_ids=None,
+                 excludes=None):
         self.orig_query = query
-        self.fl = fl
+        self.fl = fl or []
+        self.excludes = excludes or []
         self.facet_field = facet_field
         self.page = page
         self.ret_key = ret_key
@@ -38,6 +42,9 @@ class Search(object):
         operator = "&"
         if key.startswith("+"):
             key = key[1:].strip()
+        elif key.startswith("-~"):
+            operator = "|~"
+            key = key[2:].strip()
         elif key.startswith("-"):
             operator = "|"
             key = key[1:].strip()
@@ -52,6 +59,8 @@ class Search(object):
             return self.query['query']['bool']['must']
         elif operator == "|":
             return self.query['query']['bool']['should']
+        elif operator == "|~":
+            return self.query['query']['bool']['should']
         else:
             return self.query['query']['bool']['must_not']
 
@@ -68,9 +77,9 @@ class Search(object):
         if attr:
             return attr.name, attr.value_type, operator
         else:
-            raise SearchError("{0} is not existed".format(key))
+            raise SearchError(ErrFormat.attribute_not_found.format(key))
 
-    def _in_query_handle(self, attr, v):
+    def _in_query_handle(self, attr, v, is_not):
         terms = v[1:-1].split(";")
         operator = "|"
         if attr in ('_type', 'ci_type', 'type_id') and terms and terms[0].isdigit():
@@ -78,11 +87,27 @@ class Search(object):
             terms = map(int, terms)
         current_app.logger.warning(terms)
         for term in terms:
-            self._operator2query(operator).append({
-                "term": {
-                    attr: term
-                }
-            })
+            if is_not:
+                self._operator2query(operator).append({
+                    "bool": {
+                        "must_not": [
+                            {
+                                "term": {
+                                    attr: term
+                                }
+                            }
+
+                        ]
+                    }
+
+                })
+
+            else:
+                self._operator2query(operator).append({
+                    "term": {
+                        attr: term
+                    }
+                })
 
     def _filter_ids(self):
         if self.ci_ids:
@@ -94,18 +119,36 @@ class Search(object):
             return int(float(s))
         return s
 
-    def _range_query_handle(self, attr, v, operator):
+    def _range_query_handle(self, attr, v, operator, is_not):
         left, right = v.split("_TO_")
         left, right = left.strip()[1:], right.strip()[:-1]
-        self._operator2query(operator).append({
-            "range": {
-                attr: {
-                    "lte": self._digit(right),
-                    "gte": self._digit(left),
-                    "boost": 2.0
+        if is_not:
+            self._operator2query(operator).append({
+                "bool": {
+                    "must_not": [
+                        {
+                            "range": {
+                                attr: {
+                                    "lte": self._digit(right),
+                                    "gte": self._digit(left),
+                                    "boost": 2.0
+                                }
+                            }
+                        }
+                    ]
                 }
-            }
-        })
+
+            })
+        else:
+            self._operator2query(operator).append({
+                "range": {
+                    attr: {
+                        "lte": self._digit(right),
+                        "gte": self._digit(left),
+                        "boost": 2.0
+                    }
+                }
+            })
 
     def _comparison_query_handle(self, attr, v, operator):
         if v.startswith(">="):
@@ -125,21 +168,50 @@ class Search(object):
             }
         })
 
-    def _match_query_handle(self, attr, v, operator):
+    def _match_query_handle(self, attr, v, operator, is_not):
         if "*" in v:
-            self._operator2query(operator).append({
-                "wildcard": {
-                    attr: v
-                }
-            })
+            if is_not:
+                self._operator2query(operator).append({
+                    "bool": {
+                        "must_not": [
+                            {
+                                "wildcard": {
+                                    attr: v.lower() if isinstance(v, six.string_types) else v
+                                }
+                            }
+                        ]
+                    }
+
+                })
+            else:
+                self._operator2query(operator).append({
+                    "wildcard": {
+                        attr: v.lower() if isinstance(v, six.string_types) else v
+                    }
+                })
         else:
             if attr == "ci_type" and v.isdigit():
                 attr = "type_id"
-            self._operator2query(operator).append({
-                "term": {
-                    attr: v
-                }
-            })
+
+            if is_not:
+                self._operator2query(operator).append({
+                    "bool": {
+                        "must_not": [
+                            {
+                                "term": {
+                                    attr: v.lower() if isinstance(v, six.string_types) else v
+                                }
+                            }
+                        ]
+                    }
+
+                })
+            else:
+                self._operator2query(operator).append({
+                    "term": {
+                        attr: v.lower() if isinstance(v, six.string_types) else v
+                    }
+                })
 
     def __query_build_by_field(self, queries):
 
@@ -149,21 +221,23 @@ class Search(object):
                 v = ":".join(q.split(":")[1:]).strip()
                 field_name, field_type, operator = self._attr_name_proc(k)
                 if field_name:
+                    is_not = True if operator == "|~" else False
+
                     # in query
                     if v.startswith("(") and v.endswith(")"):
-                        self._in_query_handle(field_name, v)
+                        self._in_query_handle(field_name, v, is_not)
                     # range query
                     elif v.startswith("[") and v.endswith("]") and "_TO_" in v:
-                        self._range_query_handle(field_name, v, operator)
+                        self._range_query_handle(field_name, v, operator, is_not)
                     # comparison query
                     elif v.startswith(">=") or v.startswith("<=") or v.startswith(">") or v.startswith("<"):
                         self._comparison_query_handle(field_name, v, operator)
                     else:
-                        self._match_query_handle(field_name, v, operator)
+                        self._match_query_handle(field_name, v, operator, is_not)
                 else:
-                    raise SearchError("argument q format invalid: {0}".format(q))
+                    raise SearchError(ErrFormat.argument_invalid.format("q"))
             elif q:
-                raise SearchError("argument q format invalid: {0}".format(q))
+                raise SearchError(ErrFormat.argument_invalid.format("q"))
 
     def _query_build_raw(self):
 
@@ -190,7 +264,7 @@ class Search(object):
         for field in self.facet_field:
             attr = AttributeCache.get(field)
             if not attr:
-                raise SearchError("Facet by <{0}> does not exist".format(field))
+                raise SearchError(ErrFormat.attribute_not_found(field))
             aggregations['aggs'].update({
                 field: {
                     "terms": {
@@ -221,10 +295,10 @@ class Search(object):
 
             attr = AttributeCache.get(field)
             if not attr:
-                raise SearchError("Sort by <{0}> does not exist".format(field))
+                raise SearchError(ErrFormat.attribute_not_found.format(field))
 
-            sort_by = "{0}.keyword".format(field) \
-                if attr.value_type not in (ValueTypeEnum.INT, ValueTypeEnum.FLOAT) else field
+            sort_by = ("{0}.keyword".format(field)
+                       if attr.value_type not in (ValueTypeEnum.INT, ValueTypeEnum.FLOAT) else field)
             sorts.append({sort_by: {"order": sort_type}})
 
         self.query.update(dict(sort=sorts))
@@ -241,7 +315,7 @@ class Search(object):
             numfound, cis, facet = self._query_build_raw()
         except Exception as e:
             current_app.logger.error(str(e))
-            raise SearchError("unknown search error")
+            raise SearchError(ErrFormat.unknown_search_error)
 
         total = len(cis)
 

cmdb-api/api/lib/cmdb/search/ci_relation/search.py

@@ -1,28 +1,52 @@
 # -*- coding:utf-8 -*-
+from collections import Counter
+from collections import defaultdict
 
-
+import copy
 import json
-
+import networkx as nx
+import sys
 from flask import abort
 from flask import current_app
+from flask_login import current_user
 
 from api.extensions import rd
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIRelationManager
 from api.lib.cmdb.ci_type import CITypeRelationManager
+from api.lib.cmdb.const import ConstraintEnum
+from api.lib.cmdb.const import PermEnum
 from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION
+from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION2
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.perms import CIFilterPermsCRUD
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.cmdb.search.ci.db.search import Search as SearchFromDB
 from api.lib.cmdb.search.ci.es.search import Search as SearchFromES
+from api.lib.cmdb.utils import TableMap
+from api.lib.cmdb.utils import ValueTypeMap
+from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import is_app_admin
 from api.models.cmdb import CI
+from api.models.cmdb import CITypeRelation
+from api.models.cmdb import RelationType
 
 
 class Search(object):
-    def __init__(self, root_id,
-                 level=1,
+    def __init__(self, root_id=None,
+                 level=None,
                  query=None,
                  fl=None,
                  facet_field=None,
                  page=1,
                  count=None,
-                 sort=None):
+                 sort=None,
+                 reverse=False,
+                 ancestor_ids=None,
+                 descendant_ids=None,
+                 has_m2m=None,
+                 root_parent_path=None):
         self.orig_query = query
         self.fl = fl
         self.facet_field = facet_field
@@ -31,21 +55,116 @@ class Search(object):
         self.sort = sort or ("ci_id" if current_app.config.get("USE_ES") else None)
 
         self.root_id = root_id
-        self.level = level
+        self.level = level or 0
+        self.reverse = reverse
 
-    def search(self):
-        ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
-        cis = [CI.get_by_id(_id) or abort(404, "CI <{0}> does not exist".format(_id)) for _id in ids]
+        self.level2constraint = CITypeRelationManager.get_level2constraint(
+            root_id[0] if root_id and isinstance(root_id, list) else root_id,
+            level[0] if isinstance(level, list) and level else level)
+
+        self.ancestor_ids = ancestor_ids
+        self.descendant_ids = descendant_ids
+        self.root_parent_path = root_parent_path or []
+        self.has_m2m = has_m2m or False
+        if not self.has_m2m:
+            if self.ancestor_ids:
+                self.has_m2m = True
+            else:
+                level = level[0] if isinstance(level, list) and level else level
+                for _l, c in self.level2constraint.items():
+                    if _l < int(level) and c == ConstraintEnum.Many2Many:
+                        self.has_m2m = True
+
+        self.type2filter_perms = {}
+
+        self.is_app_admin = is_app_admin('cmdb') or current_user.username == "worker"
+
+    def _get_ids(self, ids):
 
         merge_ids = []
-        for level in self.level:
-            ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
-            for _ in range(0, level):
-                _tmp = list(map(lambda x: list(json.loads(x).keys()),
-                                filter(lambda x: x is not None, rd.get(ids, REDIS_PREFIX_CI_RELATION) or [])))
-                ids = [j for i in _tmp for j in i]
+        key = []
+        _tmp = []
+        for level in range(1, sorted(self.level)[-1] + 1):
+            if len(self.descendant_ids or []) >= level and self.type2filter_perms.get(self.descendant_ids[level - 1]):
+                id_filter_limit, _ = self._get_ci_filter(self.type2filter_perms[self.descendant_ids[level - 1]])
+            else:
+                id_filter_limit = {}
 
-            merge_ids.extend(ids)
+            if not self.has_m2m:
+                key, prefix = list(map(str, ids)), REDIS_PREFIX_CI_RELATION
+
+            else:
+                if not self.ancestor_ids:
+                    if level == 1:
+                        key, prefix = list(map(str, ids)), REDIS_PREFIX_CI_RELATION
+                    else:
+                        key = list(set(["{},{}".format(i, j) for idx, i in enumerate(key) for j in _tmp[idx]]))
+                        prefix = REDIS_PREFIX_CI_RELATION2
+                else:
+                    if level == 1:
+                        key, prefix = ["{},{}".format(self.ancestor_ids, i) for i in ids], REDIS_PREFIX_CI_RELATION2
+                    else:
+                        key = list(set(["{},{}".format(i, j) for idx, i in enumerate(key) for j in _tmp[idx]]))
+                        prefix = REDIS_PREFIX_CI_RELATION2
+
+            if not key or id_filter_limit is None:
+                return []
+
+            res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(key, prefix) or []]]
+            _tmp = [[i[0] for i in x if (not id_filter_limit or (
+                    key[idx] not in id_filter_limit or int(i[0]) in id_filter_limit[key[idx]]) or
+                                         int(i[0]) in id_filter_limit)] for idx, x in enumerate(res)]
+
+            ids = [j for i in _tmp for j in i]
+
+            if level in self.level:
+                merge_ids.extend(ids)
+
+        return merge_ids
+
+    def _get_reverse_ids(self, ids):
+        merge_ids = []
+        level2ids = {}
+        for level in range(1, sorted(self.level)[-1] + 1):
+            ids, _level2ids = CIRelationManager.get_ancestor_ids(ids, 1)
+
+            if _level2ids.get(2):
+                level2ids[level + 1] = _level2ids[2]
+
+            if level in self.level:
+                if level in level2ids and level2ids[level]:
+                    merge_ids.extend(set(ids) & set(level2ids[level]))
+                else:
+                    merge_ids.extend(ids)
+
+        return merge_ids
+
+    def _has_read_perm_from_parent_nodes(self):
+        self.root_parent_path = list(map(str, self.root_parent_path))
+        if str(self.root_id).isdigit() and str(self.root_id) not in self.root_parent_path:
+            self.root_parent_path.append(str(self.root_id))
+        self.root_parent_path = set(self.root_parent_path)
+
+        if self.is_app_admin:
+            self.type2filter_perms = {}
+            return True
+
+        res = ACLManager().get_resources(ResourceTypeEnum.CI_FILTER) or {}
+        self.type2filter_perms = CIFilterPermsCRUD().get_by_ids(list(map(int, [i['name'] for i in res]))) or {}
+        for _, filters in self.type2filter_perms.items():
+            if set((filters.get('id_filter') or {}).keys()) & self.root_parent_path:
+                return True
+
+        return True
+
+    def search(self, only_ids=False):
+        use_ci_filter = len(self.descendant_ids or []) == self.level[0] - 1
+        parent_node_perm_passed = not self.is_app_admin and self._has_read_perm_from_parent_nodes()
+
+        ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
+        cis = [CI.get_by_id(_id) or abort(404, ErrFormat.ci_not_found.format("id={}".format(_id))) for _id in ids]
+
+        merge_ids = self._get_ids(ids) if not self.reverse else self._get_reverse_ids(ids)
 
         if not self.orig_query or ("_type:" not in self.orig_query
                                    and "type_id:" not in self.orig_query
@@ -53,12 +172,15 @@ class Search(object):
             type_ids = []
             for level in self.level:
                 for ci in cis:
-                    type_ids.extend(CITypeRelationManager.get_child_type_ids(ci.type_id, level))
-            type_ids = list(set(type_ids))
+                    if not self.reverse:
+                        type_ids.extend(CITypeRelationManager.get_child_type_ids(ci.type_id, level))
+                    else:
+                        type_ids.extend(CITypeRelationManager.get_parent_type_ids(ci.type_id, level))
+            type_ids = set(type_ids)
             if self.orig_query:
-                self.orig_query = "_type:({0}),{1}".format(";".join(list(map(str, type_ids))), self.orig_query)
+                self.orig_query = "_type:({0}),{1}".format(";".join(map(str, type_ids)), self.orig_query)
             else:
-                self.orig_query = "_type:({0})".format(";".join(list(map(str, type_ids))))
+                self.orig_query = "_type:({0})".format(";".join(map(str, type_ids)))
 
         if not merge_ids:
             # cis, counter, total, self.page, numfound, facet_
@@ -79,30 +201,394 @@ class Search(object):
                                 page=self.page,
                                 count=self.count,
                                 sort=self.sort,
-                                ci_ids=merge_ids).search()
+                                ci_ids=merge_ids,
+                                parent_node_perm_passed=parent_node_perm_passed,
+                                use_ci_filter=use_ci_filter,
+                                only_ids=only_ids).search()
 
-    def statistics(self, type_ids):
-        ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
-        for l in range(0, int(self.level)):
-            if l == 0:
-                _tmp = list(map(lambda x: list(json.loads(x).keys()),
-                                [i or '{}' for i in rd.get(ids, REDIS_PREFIX_CI_RELATION) or []]))
+    def _get_ci_filter(self, filter_perms, ci_filters=None):
+        ci_filters = ci_filters or []
+        if ci_filters:
+            result = {}
+            for item in ci_filters:
+                res = SearchFromDB('_type:{},{}'.format(item['type_id'], item['ci_filter']),
+                                   count=sys.maxsize, parent_node_perm_passed=True).get_ci_ids()
+                if res:
+                    result[item['type_id']] = set(res)
+
+            return {}, result if result else None
+
+        result = dict()
+        if filter_perms.get('id_filter'):
+            for k in filter_perms['id_filter']:
+                node_path = k.split(',')
+                if len(node_path) == 1:
+                    result[int(node_path[0])] = 1
+                elif not self.has_m2m:
+                    result.setdefault(node_path[-2], set()).add(int(node_path[-1]))
+                else:
+                    result.setdefault(','.join(node_path[:-1]), set()).add(int(node_path[-1]))
+            if result:
+                return result, None
             else:
-                for idx, i in enumerate(_tmp):
-                    if i:
-                        if type_ids and l == self.level - 1:
-                            __tmp = list(
-                                map(lambda x: list({_id: 1 for _id, type_id in json.loads(x).items()
-                                                    if type_id in type_ids}.keys()),
-                                    filter(lambda x: x is not None,
-                                           rd.get(i, REDIS_PREFIX_CI_RELATION) or [])))
-                        else:
+                return None, None
 
-                            __tmp = list(map(lambda x: list(json.loads(x).keys()),
-                                             filter(lambda x: x is not None,
-                                                    rd.get(i, REDIS_PREFIX_CI_RELATION) or [])))
-                        _tmp[idx] = [j for i in __tmp for j in i]
+        return {}, None
+
+    def statistics(self, type_ids, need_filter=True):
+        self.level = int(self.level)
+
+        acl = ACLManager('cmdb')
+
+        type2filter_perms = dict()
+        if not self.is_app_admin:
+            res2 = acl.get_resources(ResourceTypeEnum.CI_FILTER)
+            if res2:
+                type2filter_perms = CIFilterPermsCRUD().get_by_ids(list(map(int, [i['name'] for i in res2])))
+
+        ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
+        _tmp, tmp_res = [], []
+        level2ids = {}
+        for lv in range(1, self.level + 1):
+            level2ids[lv] = []
+
+            if need_filter:
+                id_filter_limit, ci_filter_limit = None, None
+                if len(self.descendant_ids or []) >= lv and type2filter_perms.get(self.descendant_ids[lv - 1]):
+                    id_filter_limit, _ = self._get_ci_filter(type2filter_perms[self.descendant_ids[lv - 1]])
+                elif type_ids and self.level == lv:
+                    ci_filters = [type2filter_perms[type_id] for type_id in type_ids if type_id in type2filter_perms]
+                    if ci_filters:
+                        id_filter_limit, ci_filter_limit = self._get_ci_filter({}, ci_filters=ci_filters)
+                    else:
+                        id_filter_limit = {}
+                else:
+                    id_filter_limit = {}
+            else:
+                id_filter_limit, ci_filter_limit = {}, {}
+
+            if lv == 1:
+                if not self.has_m2m:
+                    key, prefix = [str(i) for i in ids], REDIS_PREFIX_CI_RELATION
+                else:
+                    key = ["{},{}".format(self.ancestor_ids, _id) for _id in ids]
+                    if not self.ancestor_ids:
+                        key, prefix = [str(i) for i in ids], REDIS_PREFIX_CI_RELATION
+                    else:
+                        prefix = REDIS_PREFIX_CI_RELATION2
+
+                    level2ids[lv] = [[i] for i in key]
+
+                if not key or id_filter_limit is None:
+                    _tmp = [[]] * len(ids)
+                    continue
+
+                res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(key, prefix) or []]]
+                _tmp = []
+                if type_ids and lv == self.level:
+                    _tmp = [[i for i in x if i[1] in type_ids and
+                             (not id_filter_limit or (key[idx] not in id_filter_limit or
+                                                      int(i[0]) in id_filter_limit[key[idx]]) or
+                              int(i[0]) in id_filter_limit)] for idx, x in enumerate(res)]
+                else:
+                    _tmp = [[i for i in x if (not id_filter_limit or (key[idx] not in id_filter_limit or
+                                                                      int(i[0]) in id_filter_limit[key[idx]]) or
+                                              int(i[0]) in id_filter_limit)] for idx, x in enumerate(res)]
+
+                if ci_filter_limit:
+                    _tmp = [[j for j in i if j[1] not in ci_filter_limit or int(j[0]) in ci_filter_limit[j[1]]]
+                            for i in _tmp]
+
+            else:
+
+                for idx, item in enumerate(_tmp):
+                    if item:
+                        if not self.has_m2m:
+                            key, prefix = [i[0] for i in item], REDIS_PREFIX_CI_RELATION
+                        else:
+                            key = list(set(['{},{}'.format(j, i[0]) for i in item for j in level2ids[lv - 1][idx]]))
+                            prefix = REDIS_PREFIX_CI_RELATION2
+
+                            level2ids[lv].append(key)
+
+                        if key:
+                            res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(key, prefix) or []]]
+                            if type_ids and lv == self.level:
+                                tmp_res = [[i for i in x if i[1] in type_ids and
+                                            (not id_filter_limit or (
+                                                    key[idx] not in id_filter_limit or
+                                                    int(i[0]) in id_filter_limit[key[idx]]) or
+                                             int(i[0]) in id_filter_limit)] for idx, x in enumerate(res)]
+                            else:
+                                tmp_res = [[i for i in x if (not id_filter_limit or (
+                                        key[idx] not in id_filter_limit or
+                                        int(i[0]) in id_filter_limit[key[idx]]) or
+                                                             int(i[0]) in id_filter_limit)] for idx, x in
+                                           enumerate(res)]
+
+                            if ci_filter_limit:
+                                tmp_res = [[j for j in i if j[1] not in ci_filter_limit or
+                                            int(j[0]) in ci_filter_limit[j[1]]] for i in tmp_res]
+                        else:
+                            tmp_res = []
+
+                        if tmp_res:
+                            _tmp[idx] = [j for i in tmp_res for j in i]
                     else:
                         _tmp[idx] = []
+                        level2ids[lv].append([])
 
-        return {_id: len(_tmp[idx]) for idx, _id in enumerate(ids)}
+        result = {str(_id): len(_tmp[idx]) for idx, _id in enumerate(ids)}
+
+        result.update(
+            detail={str(_id): dict(Counter([i[1] for i in _tmp[idx]]).items()) for idx, _id in enumerate(ids)})
+
+        return result
+
+    def search_full(self, type_ids):
+        def _get_id2name(_type_id):
+            ci_type = CITypeCache.get(_type_id)
+
+            attr = AttributeCache.get(ci_type.unique_id)
+            value_table = TableMap(attr=attr).table
+            serializer = ValueTypeMap.serialize[attr.value_type]
+            unique_value = {i.ci_id: serializer(i.value) for i in value_table.get_by(attr_id=attr.id, to_dict=False)}
+
+            attr = AttributeCache.get(ci_type.show_id)
+            if attr:
+                value_table = TableMap(attr=attr).table
+                serializer = ValueTypeMap.serialize[attr.value_type]
+                show_value = {i.ci_id: serializer(i.value) for i in value_table.get_by(attr_id=attr.id, to_dict=False)}
+            else:
+                show_value = unique_value
+
+            return show_value, unique_value
+
+        self.level = int(self.level)
+
+        acl = ACLManager('cmdb')
+
+        type2filter_perms = dict()
+        if not self.is_app_admin:
+            res2 = acl.get_resources(ResourceTypeEnum.CI_FILTER)
+            if res2:
+                type2filter_perms = CIFilterPermsCRUD().get_by_ids(list(map(int, [i['name'] for i in res2])))
+
+        ids = [self.root_id] if not isinstance(self.root_id, list) else self.root_id
+
+        level_ids = [str(i) for i in ids]
+        result = []
+        id2children = {}
+        id2name = _get_id2name(type_ids[0])
+        for i in level_ids:
+            item = dict(id=int(i),
+                        type_id=type_ids[0],
+                        isLeaf=False,
+                        title=id2name[0].get(int(i)),
+                        uniqueValue=id2name[1].get(int(i)),
+                        children=[])
+            result.append(item)
+            id2children[str(i)] = item['children']
+
+        for lv in range(1, self.level):
+            type_id = type_ids[lv]
+
+            if len(type_ids or []) >= lv and type2filter_perms.get(type_id):
+                id_filter_limit, _ = self._get_ci_filter(type2filter_perms[type_id])
+            else:
+                id_filter_limit = {}
+
+            if self.has_m2m and lv != 1:
+                key, prefix = [i for i in level_ids], REDIS_PREFIX_CI_RELATION2
+            else:
+                key, prefix = [i.split(',')[-1] for i in level_ids], REDIS_PREFIX_CI_RELATION
+            
+            res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(key, prefix) or []]]
+            res = [[i for i in x if i[1] == type_id and (not id_filter_limit or (key[idx] not in id_filter_limit or
+                                                             int(i[0]) in id_filter_limit[key[idx]]) or
+                                     int(i[0]) in id_filter_limit)] for idx, x in enumerate(res)]
+            _level_ids = []
+            id2name = _get_id2name(type_id)
+            for idx, node_path in enumerate(level_ids):
+                for child_id, _ in (res[idx] or []):
+                    item = dict(id=int(child_id),
+                                type_id=type_id,
+                                isLeaf=True if lv == self.level - 1 else False,
+                                title=id2name[0].get(int(child_id)),
+                                uniqueValue=id2name[1].get(int(child_id)),
+                                children=[])
+                    id2children[node_path].append(item)
+
+                    _node_path = "{},{}".format(node_path, child_id)
+                    _level_ids.append(_node_path)
+                    id2children[_node_path] = item['children']
+
+            level_ids = _level_ids
+
+        return result
+
+    @staticmethod
+    def _get_src_ids(src):
+        q = src.get('q') or ''
+        if not q.startswith('_type:'):
+            q = "_type:{},{}".format(src['type_id'], q)
+
+        return SearchFromDB(q, use_ci_filter=True, only_ids=True, count=100000).search()
+
+    @staticmethod
+    def _filter_target_ids(target_ids, type_ids, q):
+        if not q.startswith('_type:'):
+            q = "_type:({}),{}".format(";".join(map(str, type_ids)), q)
+
+        ci_ids = SearchFromDB(q, ci_ids=target_ids, use_ci_filter=True, only_ids=True, count=100000).search()
+        cis = CI.get_by(fl=['id', 'type_id'], only_query=True).filter(CI.id.in_(ci_ids))
+
+        return [(str(i.id), i.type_id) for i in cis]
+
+    @staticmethod
+    def _path2level(src_type_id, target_type_ids, path):
+        if not src_type_id or not target_type_ids:
+            return abort(400, ErrFormat.relation_path_search_src_target_required)
+
+        graph = nx.DiGraph()
+        graph.add_edges_from([(n, _path[idx + 1]) for _path in path for idx, n in enumerate(_path[:-1])])
+        relation_types = defaultdict(dict)
+        level2type = defaultdict(set)
+        type2show_key = dict()
+        for _path in path:
+            for idx, node in enumerate(_path[1:]):
+                level2type[idx + 1].add(node)
+
+                src = CITypeCache.get(_path[idx])
+                target = CITypeCache.get(node)
+                relation_type = RelationType.get_by(only_query=True).join(
+                    CITypeRelation, CITypeRelation.relation_type_id == RelationType.id).filter(
+                    CITypeRelation.parent_id == src.id).filter(CITypeRelation.child_id == target.id).first()
+                relation_types[src.alias].update({target.alias: relation_type.name})
+
+                if src.id not in type2show_key:
+                    type2show_key[src.id] = AttributeCache.get(src.show_id or src.unique_id).name
+                if target.id not in type2show_key:
+                    type2show_key[target.id] = AttributeCache.get(target.show_id or target.unique_id).name
+
+        nodes = graph.nodes()
+
+        return level2type, list(nodes), relation_types, type2show_key
+
+    def _build_graph(self, source_ids, source_type_id, level2type, target_type_ids, acl):
+        type2filter_perms = dict()
+        if not self.is_app_admin:
+            res2 = acl.get_resources(ResourceTypeEnum.CI_FILTER)
+            if res2:
+                type2filter_perms = CIFilterPermsCRUD().get_by_ids(list(map(int, [i['name'] for i in res2])))
+
+        target_type_ids = set(target_type_ids)
+        graph = nx.DiGraph()
+        target_ids = []
+        key = [(str(i), source_type_id) for i in source_ids]
+        graph.add_nodes_from(key)
+        for level in level2type:
+            filter_type_ids = level2type[level]
+            id_filter_limit = dict()
+            for _type_id in filter_type_ids:
+                if type2filter_perms.get(_type_id):
+                    _id_filter_limit, _ = self._get_ci_filter(type2filter_perms[_type_id])
+                    id_filter_limit.update(_id_filter_limit)
+
+            has_target = filter_type_ids & target_type_ids
+
+            res = [json.loads(x).items() for x in [i or '{}' for i in rd.get([i[0] for i in key],
+                                                                             REDIS_PREFIX_CI_RELATION) or []]]
+            _key = []
+            for idx, _id in enumerate(key):
+                valid_targets = [i for i in res[idx] if i[1] in filter_type_ids and
+                                 (not id_filter_limit or int(i[0]) in id_filter_limit)]
+                _key.extend(valid_targets)
+                graph.add_edges_from(zip([_id] * len(valid_targets), valid_targets))
+
+            if has_target:
+                target_ids.extend([j[0] for i in res for j in i if j[1] in target_type_ids])
+
+            key = copy.deepcopy(_key)
+
+        return graph, target_ids
+
+    @staticmethod
+    def _find_paths(graph, source_ids, source_type_id, target_ids, valid_path, max_depth=6):
+        paths = []
+        for source_id in source_ids:
+            _paths = nx.all_simple_paths(graph,
+                                         source=(source_id, source_type_id),
+                                         target=target_ids,
+                                         cutoff=max_depth)
+            for __path in _paths:
+                if tuple([i[1] for i in __path]) in valid_path:
+                    paths.append([i[0] for i in __path])
+
+        return paths
+
+    @staticmethod
+    def _wrap_path_result(paths, types, valid_path, target_types, type2show_key):
+        ci_ids = [j for i in paths for j in i]
+
+        response, _, _, _, _, _ = SearchFromDB("_type:({})".format(";".join(map(str, types))),
+                                               use_ci_filter=False,
+                                               ci_ids=list(map(int, ci_ids)),
+                                               count=1000000).search()
+        id2ci = {str(i.get('_id')): i if i['_type'] in target_types else {
+            type2show_key[i['_type']]: i[type2show_key[i['_type']]],
+            "ci_type_alias": i["ci_type_alias"],
+            "_type": i["_type"],
+        } for i in response}
+
+        result = defaultdict(list)
+        counter = defaultdict(int)
+
+        for path in paths:
+            key = "-".join([id2ci.get(i, {}).get('ci_type_alias') or '' for i in path])
+            if tuple([id2ci.get(i, {}).get('_type') for i in path]) in valid_path:
+                counter[key] += 1
+                result[key].append(path)
+
+        return result, counter, id2ci
+
+    def search_by_path(self, source, target, path):
+        """
+
+        :param source: {type_id: id, q: expr}
+        :param target: {type_ids: [id], q: expr}
+        :param path: [source_type_id, ..., target_type_id], use type id
+        :return:
+        """
+        acl = ACLManager('cmdb')
+        if not self.is_app_admin:
+            res = {i['name'] for i in acl.get_resources(ResourceTypeEnum.CI_TYPE)}
+            for type_id in (source.get('type_id') and [source['type_id']] or []) + (target.get('type_ids') or []):
+                _type = CITypeCache.get(type_id)
+                if _type and _type.name not in res:
+                    return abort(403, ErrFormat.no_permission.format(_type.alias, PermEnum.READ))
+
+        target['type_ids'] = [i[-1] for i in path]
+        level2type, types, relation_types, type2show_key = self._path2level(
+            source.get('type_id'), target.get('type_ids'), path)
+        if not level2type:
+            return [], {}, 0, self.page, 0, {}, {}
+
+        source_ids = self._get_src_ids(source)
+
+        graph, target_ids = self._build_graph(source_ids, source['type_id'], level2type, target['type_ids'], acl)
+        target_ids = self._filter_target_ids(target_ids, target['type_ids'], target.get('q') or '')
+        paths = self._find_paths(graph,
+                                 source_ids,
+                                 source['type_id'],
+                                 set(target_ids),
+                                 {tuple(i): 1 for i in path})
+
+        numfound = len(paths)
+        paths = paths[(self.page - 1) * self.count:self.page * self.count]
+        response, counter, id2ci = self._wrap_path_result(paths,
+                                                          types,
+                                                          {tuple(i): 1 for i in path},
+                                                          set(target.get('type_ids') or []),
+                                                          type2show_key)
+        return response, counter, len(paths), self.page, numfound, id2ci, relation_types, type2show_key

cmdb-api/api/lib/cmdb/topology.py

@@ -0,0 +1,251 @@
+# -*- coding:utf-8 -*-
+
+import json
+
+from flask import abort
+from flask import current_app
+from flask_login import current_user
+from werkzeug.exceptions import BadRequest
+
+from api.extensions import rd
+from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
+from api.lib.cmdb.ci import CIRelationManager
+from api.lib.cmdb.ci_type import CITypeRelationManager
+from api.lib.cmdb.const import REDIS_PREFIX_CI_RELATION
+from api.lib.cmdb.const import ResourceTypeEnum
+from api.lib.cmdb.resp_format import ErrFormat
+from api.lib.cmdb.search import SearchError
+from api.lib.cmdb.search.ci import search as ci_search
+from api.lib.perm.acl.acl import ACLManager
+from api.lib.perm.acl.acl import is_app_admin
+from api.models.cmdb import TopologyView
+from api.models.cmdb import TopologyViewGroup
+
+
+class TopologyViewManager(object):
+    group_cls = TopologyViewGroup
+    cls = TopologyView
+
+    @classmethod
+    def get_name_by_id(cls, _id):
+        res = cls.cls.get_by_id(_id)
+        return res and res.name
+
+    def get_view_by_id(self, _id):
+        res = self.cls.get_by_id(_id)
+
+        return res and res.to_dict() or {}
+
+    @classmethod
+    def add_group(cls, name, order):
+        if order is None:
+            cur_max_order = cls.group_cls.get_by(only_query=True).order_by(cls.group_cls.order.desc()).first()
+            cur_max_order = cur_max_order and cur_max_order.order or 0
+            order = cur_max_order + 1
+
+        cls.group_cls.get_by(name=name, first=True, to_dict=False) and abort(
+            400, ErrFormat.topology_group_exists.format(name))
+
+        return cls.group_cls.create(name=name, order=order)
+
+    def update_group(self, group_id, name, view_ids):
+        existed = self.group_cls.get_by_id(group_id) or abort(404, ErrFormat.not_found)
+        if name is not None and name != existed.name:
+            existed.update(name=name)
+
+        for idx, view_id in enumerate(view_ids):
+            view = self.cls.get_by_id(view_id)
+            if view is not None:
+                view.update(group_id=group_id, order=idx)
+
+        return existed.to_dict()
+
+    @classmethod
+    def delete_group(cls, _id):
+        existed = cls.group_cls.get_by_id(_id) or abort(404, ErrFormat.not_found)
+
+        if cls.cls.get_by(group_id=_id, first=True):
+            return abort(400, ErrFormat.topo_view_exists_cannot_delete_group)
+
+        existed.soft_delete()
+
+    @classmethod
+    def group_order(cls, group_ids):
+        for idx, group_id in enumerate(group_ids):
+            group = cls.group_cls.get_by_id(group_id)
+            group.update(order=idx + 1)
+
+    @classmethod
+    def add(cls, name, group_id, option, order=None, **kwargs):
+        cls.cls.get_by(name=name, first=True) and abort(400, ErrFormat.topology_exists.format(name))
+        if order is None:
+            cur_max_order = cls.cls.get_by(group_id=group_id, only_query=True).order_by(
+                cls.cls.order.desc()).first()
+            cur_max_order = cur_max_order and cur_max_order.order or 0
+            order = cur_max_order + 1
+
+        inst = cls.cls.create(name=name, group_id=group_id, option=option, order=order, **kwargs).to_dict()
+        if current_app.config.get('USE_ACL'):
+            try:
+                ACLManager().add_resource(name, ResourceTypeEnum.TOPOLOGY_VIEW)
+            except BadRequest:
+                pass
+
+            ACLManager().grant_resource_to_role(name,
+                                                current_user.username,
+                                                ResourceTypeEnum.TOPOLOGY_VIEW)
+
+        return inst
+
+    @classmethod
+    def update(cls, _id, **kwargs):
+        existed = cls.cls.get_by_id(_id) or abort(404, ErrFormat.not_found)
+        existed_name = existed.name
+
+        inst = existed.update(filter_none=False, **kwargs).to_dict()
+        if current_app.config.get('USE_ACL') and existed_name != kwargs.get('name') and kwargs.get('name'):
+            try:
+                ACLManager().update_resource(existed_name, kwargs['name'], ResourceTypeEnum.TOPOLOGY_VIEW)
+            except BadRequest:
+                pass
+
+        return inst
+
+    @classmethod
+    def delete(cls, _id):
+        existed = cls.cls.get_by_id(_id) or abort(404, ErrFormat.not_found)
+
+        existed.soft_delete()
+        if current_app.config.get("USE_ACL"):
+            ACLManager().del_resource(existed.name, ResourceTypeEnum.TOPOLOGY_VIEW)
+
+    @classmethod
+    def group_inner_order(cls, _ids):
+        for idx, _id in enumerate(_ids):
+            topology = cls.cls.get_by_id(_id)
+            topology.update(order=idx + 1)
+
+    @classmethod
+    def get_all(cls):
+        resources = None
+        if current_app.config.get('USE_ACL') and not is_app_admin('cmdb'):
+            resources = set([i.get('name') for i in ACLManager().get_resources(ResourceTypeEnum.TOPOLOGY_VIEW)])
+
+        groups = cls.group_cls.get_by(to_dict=True)
+        groups = sorted(groups, key=lambda x: x['order'])
+        group2pos = {group['id']: idx for idx, group in enumerate(groups)}
+
+        topo_views = sorted(cls.cls.get_by(to_dict=True), key=lambda x: x['order'])
+        other_group = dict(views=[])
+        for view in topo_views:
+            if resources is not None and view['name'] not in resources:
+                continue
+
+            if view['group_id']:
+                groups[group2pos[view['group_id']]].setdefault('views', []).append(view)
+            else:
+                other_group['views'].append(view)
+
+        if other_group['views']:
+            groups.append(other_group)
+
+        return groups
+
+    @staticmethod
+    def relation_from_ci_type(type_id):
+        nodes, edges = CITypeRelationManager.get_relations_by_type_id(type_id)
+
+        return dict(nodes=nodes, edges=edges)
+
+    def topology_view(self, view_id=None, preview=None):
+        if view_id is not None:
+            view = self.cls.get_by_id(view_id) or abort(404, ErrFormat.not_found)
+            central_node_type, central_node_instances, path = (view.central_node_type,
+                                                               view.central_node_instances, view.path)
+        else:
+            central_node_type = preview.get('central_node_type')
+            central_node_instances = preview.get('central_node_instances')
+            path = preview.get('path')
+
+        nodes, links = [], []
+        _type = CITypeCache.get(central_node_type)
+        if not _type:
+            return dict(nodes=nodes, links=links)
+        type2meta = {_type.id: _type.icon}
+        root_ids = []
+        show_key = AttributeCache.get(_type.show_id or _type.unique_id)
+
+        q = (central_node_instances[2:] if central_node_instances.startswith('q=') else
+             central_node_instances)
+        s = ci_search(q, fl=['_id', show_key.name], use_id_filter=False, use_ci_filter=False, count=1000000)
+        try:
+            response, _, _, _, _, _ = s.search()
+        except SearchError as e:
+            current_app.logger.info(e)
+            return dict(nodes=nodes, links=links)
+        for i in response:
+            root_ids.append(i['_id'])
+            nodes.append(dict(id=str(i['_id']), name=i[show_key.name], type_id=central_node_type))
+        if not root_ids:
+            return dict(nodes=nodes, links=links)
+
+        prefix = REDIS_PREFIX_CI_RELATION
+        key = list(map(str, root_ids))
+        id2node = {}
+        for level in sorted([i for i in path.keys() if int(i) > 0]):
+            type_ids = {int(i) for i in path[level]}
+
+            res = [json.loads(x).items() for x in [i or '{}' for i in rd.get(key, prefix) or []]]
+            new_key = []
+            for idx, from_id in enumerate(key):
+                for to_id, type_id in res[idx]:
+                    if type_id in type_ids:
+                        links.append({'from': from_id, 'to': to_id})
+                        id2node[to_id] = {'id': to_id, 'type_id': type_id}
+                        new_key.append(to_id)
+                        if type_id not in type2meta:
+                            type2meta[type_id] = CITypeCache.get(type_id).icon
+
+            key = new_key
+
+        ci_ids = list(map(int, root_ids))
+        for level in sorted([i for i in path.keys() if int(i) < 0]):
+            type_ids = {int(i) for i in path[level]}
+            res = CIRelationManager.get_parent_ids(ci_ids)
+            _ci_ids = []
+            for to_id in res:
+                for from_id, type_id in res[to_id]:
+                    if type_id in type_ids:
+                        from_id, to_id = str(from_id), str(to_id)
+                        links.append({'from': from_id, 'to': to_id})
+                        id2node[from_id] = {'id': str(from_id), 'type_id': type_id}
+                        _ci_ids.append(from_id)
+                        if type_id not in type2meta:
+                            type2meta[type_id] = CITypeCache.get(type_id).icon
+
+            ci_ids = _ci_ids
+
+        fl = set()
+        type_ids = {t for lv in path if lv != '0' for t in path[lv]}
+        type2show = {}
+        for type_id in type_ids:
+            ci_type = CITypeCache.get(type_id)
+            if ci_type:
+                attr = AttributeCache.get(ci_type.show_id or ci_type.unique_id)
+                if attr:
+                    fl.add(attr.name)
+                    type2show[type_id] = attr.name
+
+        if id2node:
+            s = ci_search("_id:({})".format(';'.join(id2node.keys())), fl=list(fl),
+                       use_id_filter=False, use_ci_filter=False, count=1000000)
+            try:
+                response, _, _, _, _, _ = s.search()
+            except SearchError:
+                return dict(nodes=nodes, links=links)
+            for i in response:
+                id2node[str(i['_id'])]['name'] = i[type2show[str(i['_type'])]]
+            nodes.extend(id2node.values())
+
+        return dict(nodes=nodes, links=links, type2meta=type2meta)

cmdb-api/api/lib/cmdb/utils.py

@@ -3,45 +3,79 @@
 from __future__ import unicode_literals
 
 import datetime
+import json
+import re
 
 import six
-from markupsafe import escape
+from flask import current_app
 
 import api.models.cmdb as model
 from api.lib.cmdb.cache import AttributeCache
 from api.lib.cmdb.const import ValueTypeEnum
+from api.lib.cmdb.resp_format import ErrFormat
+
+TIME_RE = re.compile(r'(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d')
+
+
+class ValueDeserializeError(Exception):
+    pass
 
 
 def string2int(x):
-    return int(float(x))
+    v = int(float(x))
+    if v > 2147483647:
+        raise ValueDeserializeError(ErrFormat.attribute_value_out_of_range)
+
+    return v
 
 
-def str2datetime(x):
+def str2date(x):
+
     try:
-        return datetime.datetime.strptime(x, "%Y-%m-%d")
+        return datetime.datetime.strptime(x, "%Y-%m-%d").date()
     except ValueError:
         pass
 
-    return datetime.datetime.strptime(x, "%Y-%m-%d %H:%M:%S")
+    try:
+        return datetime.datetime.strptime(x, "%Y-%m-%d %H:%M:%S").date()
+    except ValueError:
+        pass
+
+
+def str2datetime(x):
+
+    x = x.replace('T', ' ')
+    x = x.replace('Z', '')
+
+    try:
+        return datetime.datetime.strptime(x, "%Y-%m-%d %H:%M:%S")
+    except ValueError:
+        pass
+
+    return datetime.datetime.strptime(x, "%Y-%m-%d %H:%M")
 
 
 class ValueTypeMap(object):
     deserialize = {
         ValueTypeEnum.INT: string2int,
         ValueTypeEnum.FLOAT: float,
-        ValueTypeEnum.TEXT: lambda x: escape(x).encode('utf-8').decode('utf-8'),
-        ValueTypeEnum.TIME: lambda x: escape(x).encode('utf-8').decode('utf-8'),
+        ValueTypeEnum.TEXT: lambda x: x,
+        ValueTypeEnum.TIME: lambda x: TIME_RE.findall(x)[0],
         ValueTypeEnum.DATETIME: str2datetime,
-        ValueTypeEnum.DATE: str2datetime,
+        ValueTypeEnum.DATE: str2date,
+        ValueTypeEnum.JSON: lambda x: json.loads(x) if isinstance(x, six.string_types) and x else x,
+        ValueTypeEnum.BOOL: lambda x: x in current_app.config.get('BOOL_TRUE'),
     }
 
     serialize = {
         ValueTypeEnum.INT: int,
         ValueTypeEnum.FLOAT: float,
-        ValueTypeEnum.TEXT: lambda x: x if isinstance(x, six.text_type) else str(x),
-        ValueTypeEnum.TIME: lambda x: x if isinstance(x, six.text_type) else str(x),
-        ValueTypeEnum.DATE: lambda x: x.strftime("%Y-%m-%d"),
-        ValueTypeEnum.DATETIME: lambda x: x.strftime("%Y-%m-%d %H:%M:%S"),
+        ValueTypeEnum.TEXT: lambda x: x if isinstance(x, six.string_types) else str(x),
+        ValueTypeEnum.TIME: lambda x: x if isinstance(x, six.string_types) else str(x),
+        ValueTypeEnum.DATE: lambda x: x.strftime("%Y-%m-%d") if not isinstance(x, six.string_types) else x,
+        ValueTypeEnum.DATETIME: lambda x: x.strftime("%Y-%m-%d %H:%M:%S") if not isinstance(x, six.string_types) else x,
+        ValueTypeEnum.JSON: lambda x: json.loads(x) if isinstance(x, six.string_types) and x else x,
+        ValueTypeEnum.BOOL: lambda x: x in current_app.config.get('BOOL_TRUE'),
     }
 
     serialize2 = {
@@ -49,44 +83,45 @@ class ValueTypeMap(object):
         ValueTypeEnum.FLOAT: float,
         ValueTypeEnum.TEXT: lambda x: x.decode() if not isinstance(x, six.string_types) else x,
         ValueTypeEnum.TIME: lambda x: x.decode() if not isinstance(x, six.string_types) else x,
-        ValueTypeEnum.DATE: lambda x: x.decode() if not isinstance(x, six.string_types) else x,
+        ValueTypeEnum.DATE: lambda x: (x.decode() if not isinstance(x, six.string_types) else x).split()[0],
         ValueTypeEnum.DATETIME: lambda x: x.decode() if not isinstance(x, six.string_types) else x,
+        ValueTypeEnum.JSON: lambda x: json.loads(x) if isinstance(x, six.string_types) and x else x,
+        ValueTypeEnum.BOOL: lambda x: x in current_app.config.get('BOOL_TRUE'),
     }
 
     choice = {
         ValueTypeEnum.INT: model.IntegerChoice,
         ValueTypeEnum.FLOAT: model.FloatChoice,
         ValueTypeEnum.TEXT: model.TextChoice,
+        ValueTypeEnum.TIME: model.TextChoice,
+        ValueTypeEnum.DATE: model.TextChoice,
+        ValueTypeEnum.DATETIME: model.TextChoice,
     }
 
     table = {
-        ValueTypeEnum.INT: model.CIValueInteger,
         ValueTypeEnum.TEXT: model.CIValueText,
-        ValueTypeEnum.DATETIME: model.CIValueDateTime,
-        ValueTypeEnum.DATE: model.CIValueDateTime,
-        ValueTypeEnum.TIME: model.CIValueText,
-        ValueTypeEnum.FLOAT: model.CIValueFloat,
+        ValueTypeEnum.JSON: model.CIValueJson,
         'index_{0}'.format(ValueTypeEnum.INT): model.CIIndexValueInteger,
         'index_{0}'.format(ValueTypeEnum.TEXT): model.CIIndexValueText,
         'index_{0}'.format(ValueTypeEnum.DATETIME): model.CIIndexValueDateTime,
         'index_{0}'.format(ValueTypeEnum.DATE): model.CIIndexValueDateTime,
         'index_{0}'.format(ValueTypeEnum.TIME): model.CIIndexValueText,
         'index_{0}'.format(ValueTypeEnum.FLOAT): model.CIIndexValueFloat,
+        'index_{0}'.format(ValueTypeEnum.JSON): model.CIValueJson,
+        'index_{0}'.format(ValueTypeEnum.BOOL): model.CIIndexValueInteger,
     }
 
     table_name = {
-        ValueTypeEnum.INT: 'c_value_integers',
         ValueTypeEnum.TEXT: 'c_value_texts',
-        ValueTypeEnum.DATETIME: 'c_value_datetime',
-        ValueTypeEnum.DATE: 'c_value_datetime',
-        ValueTypeEnum.TIME: 'c_value_texts',
-        ValueTypeEnum.FLOAT: 'c_value_floats',
+        ValueTypeEnum.JSON: 'c_value_json',
         'index_{0}'.format(ValueTypeEnum.INT): 'c_value_index_integers',
         'index_{0}'.format(ValueTypeEnum.TEXT): 'c_value_index_texts',
         'index_{0}'.format(ValueTypeEnum.DATETIME): 'c_value_index_datetime',
         'index_{0}'.format(ValueTypeEnum.DATE): 'c_value_index_datetime',
         'index_{0}'.format(ValueTypeEnum.TIME): 'c_value_index_texts',
         'index_{0}'.format(ValueTypeEnum.FLOAT): 'c_value_index_floats',
+        'index_{0}'.format(ValueTypeEnum.JSON): 'c_value_json',
+        'index_{0}'.format(ValueTypeEnum.BOOL): 'c_value_index_integers',
     }
 
     es_type = {
@@ -95,22 +130,41 @@ class ValueTypeMap(object):
         ValueTypeEnum.DATETIME: 'text',
         ValueTypeEnum.DATE: 'text',
         ValueTypeEnum.TIME: 'text',
-        ValueTypeEnum.FLOAT: 'float'
+        ValueTypeEnum.FLOAT: 'float',
+        ValueTypeEnum.JSON: 'object',
     }
 
 
 class TableMap(object):
-    def __init__(self, attr_name=None):
+    def __init__(self, attr_name=None, attr=None, is_index=None):
         self.attr_name = attr_name
+        self.attr = attr
+        self.is_index = is_index
 
     @property
     def table(self):
-        attr = AttributeCache.get(self.attr_name)
-        i = "index_{0}".format(attr.value_type) if attr.is_index else attr.value_type
+        attr = AttributeCache.get(self.attr_name) if not self.attr else self.attr
+        if attr.is_password or attr.is_link:
+            self.is_index = False
+        elif attr.value_type not in {ValueTypeEnum.TEXT, ValueTypeEnum.JSON}:
+            self.is_index = True
+        elif self.is_index is None:
+            self.is_index = attr.is_index
+
+        i = "index_{0}".format(attr.value_type) if self.is_index else attr.value_type
+
         return ValueTypeMap.table.get(i)
 
     @property
     def table_name(self):
-        attr = AttributeCache.get(self.attr_name)
-        i = "index_{0}".format(attr.value_type) if attr.is_index else attr.value_type
+        attr = AttributeCache.get(self.attr_name) if not self.attr else self.attr
+        if attr.is_password or attr.is_link:
+            self.is_index = False
+        elif attr.value_type not in {ValueTypeEnum.TEXT, ValueTypeEnum.JSON}:
+            self.is_index = True
+        elif self.is_index is None:
+            self.is_index = attr.is_index
+
+        i = "index_{0}".format(attr.value_type) if self.is_index else attr.value_type
+
         return ValueTypeMap.table_name.get(i)

cmdb-api/api/lib/cmdb/value.py

@@ -3,17 +3,32 @@
 
 from __future__ import unicode_literals
 
+import importlib.util
+
+import copy
+import jinja2
+import os
+import re
+import tempfile
 from flask import abort
+from flask import current_app
+from jinja2schema import infer
+from jinja2schema import to_json_schema
+from werkzeug.exceptions import BadRequest
 
 from api.extensions import db
 from api.lib.cmdb.attribute import AttributeManager
 from api.lib.cmdb.cache import AttributeCache
-from api.lib.cmdb.const import ExistPolicy
+from api.lib.cmdb.cache import CITypeAttributeCache
 from api.lib.cmdb.const import OperateType
+from api.lib.cmdb.const import ValueTypeEnum
 from api.lib.cmdb.history import AttributeHistoryManger
+from api.lib.cmdb.resp_format import ErrFormat
 from api.lib.cmdb.utils import TableMap
+from api.lib.cmdb.utils import ValueDeserializeError
 from api.lib.cmdb.utils import ValueTypeMap
 from api.lib.utils import handle_arg_list
+from api.models.cmdb import CI
 
 
 class AttributeValueManager(object):
@@ -32,7 +47,7 @@ class AttributeValueManager(object):
         """
         return AttributeCache.get(key)
 
-    def get_attr_values(self, fields, ci_id, ret_key="name", unique_key=None, use_master=False):
+    def get_attr_values(self, fields, ci_id, ret_key="name", unique_key=None, use_master=False, enum_map=None):
         """
 
         :param fields:
@@ -40,6 +55,7 @@ class AttributeValueManager(object):
         :param ret_key: It can be name or alias
         :param unique_key: primary attribute
         :param use_master: Only for master-slave read-write separation
+        :param enum_map:
         :return:
         """
         res = dict()
@@ -48,103 +64,329 @@ class AttributeValueManager(object):
             if not attr:
                 continue
 
-            value_table = TableMap(attr_name=attr.name).table
+            value_table = TableMap(attr=attr).table
             rs = value_table.get_by(ci_id=ci_id,
                                     attr_id=attr.id,
                                     use_master=use_master,
                                     to_dict=False)
             field_name = getattr(attr, ret_key)
-
             if attr.is_list:
                 res[field_name] = [ValueTypeMap.serialize[attr.value_type](i.value) for i in rs]
+            elif attr.is_password and rs:
+                res[field_name] = '******' if rs[0].value else ''
             else:
                 res[field_name] = ValueTypeMap.serialize[attr.value_type](rs[0].value) if rs else None
 
+            if enum_map and field_name in enum_map:
+                if attr.is_list:
+                    res[field_name] = [enum_map[field_name].get(i, i) for i in res[field_name]]
+                else:
+                    res[field_name] = enum_map[field_name].get(res[field_name], res[field_name])
+
             if unique_key is not None and attr.id == unique_key.id and rs:
                 res['unique'] = unique_key.name
+                res['unique_alias'] = unique_key.alias
 
         return res
 
     @staticmethod
-    def __deserialize_value(value_type, value):
+    def _deserialize_value(alias, value_type, value):
         if not value:
             return value
+
         deserialize = ValueTypeMap.deserialize[value_type]
         try:
             v = deserialize(value)
+            if value_type in (ValueTypeEnum.DATE, ValueTypeEnum.DATETIME):
+                return str(v)
             return v
+        except ValueDeserializeError as e:
+            return abort(400, ErrFormat.attribute_value_invalid2.format(alias, e))
         except ValueError:
-            return abort(400, "attribute value <{0}> is invalid".format(value))
+            return abort(400, ErrFormat.attribute_value_invalid2.format(alias, value))
 
     @staticmethod
-    def __check_is_choice(attr_id, value_type, value):
-        choice_values = AttributeManager.get_choice_values(attr_id, value_type)
-        if value not in choice_values:
-            return abort(400, "{0} does not existed in choice values".format(value))
+    def _check_is_choice(attr, value_type, value):
+        choice_values = AttributeManager.get_choice_values(attr.id, value_type, attr.choice_web_hook, attr.choice_other)
+        if value_type == ValueTypeEnum.FLOAT:
+            if float(value) not in list(map(float, [i[0] for i in choice_values])):
+                return abort(400, ErrFormat.not_in_choice_values.format(value))
+
+        else:
+            if str(value) not in list(map(str, [i[0] for i in choice_values])):
+                return abort(400, ErrFormat.not_in_choice_values.format(value))
 
     @staticmethod
-    def __check_is_unique(value_table, attr_id, ci_id, value):
-        existed = db.session.query(value_table.attr_id).filter(
-            value_table.attr_id == attr_id).filter(value_table.deleted.is_(False)).filter(
+    def _check_is_unique(value_table, attr, ci_id, type_id, value):
+        existed = db.session.query(value_table.attr_id).join(CI, CI.id == value_table.ci_id).filter(
+            CI.type_id == type_id).filter(
+            value_table.attr_id == attr.id).filter(value_table.deleted.is_(False)).filter(
             value_table.value == value).filter(value_table.ci_id != ci_id).first()
-        existed and abort(400, "attribute <{0}> value {1} must be unique".format(attr_id, value))
 
-    def _validate(self, attr, value, value_table, ci_id):
-        v = self.__deserialize_value(attr.value_type, value)
+        existed and abort(400, ErrFormat.attribute_value_unique_required.format(attr.alias, value))
 
-        attr.is_choice and value and self.__check_is_choice(attr.id, attr.value_type, v)
-        attr.is_unique and self.__check_is_unique(value_table, attr.id, ci_id, v)
+    @staticmethod
+    def _check_is_required(type_id, attr, value, type_attr=None):
+        type_attr = type_attr or CITypeAttributeCache.get(type_id, attr.id)
+        if type_attr and type_attr.is_required and not value and value != 0:
+            return abort(400, ErrFormat.attribute_value_required.format(attr.alias))
+
+    @staticmethod
+    def check_re(expr, alias, value):
+        if not re.compile(expr).match(str(value)):
+            return abort(400, ErrFormat.attribute_value_invalid2.format(alias, value))
+
+    def _validate(self, attr, value, value_table, ci=None, type_id=None, ci_id=None, type_attr=None, unique_name=None):
+        if not attr.is_reference:
+            ci = ci or {}
+            v = self._deserialize_value(attr.alias, attr.value_type, value)
+
+            attr.is_choice and value and self._check_is_choice(attr, attr.value_type, v)
+
+        else:
+            v = value or None
+
+        (attr.is_unique or attr.name == unique_name) and self._check_is_unique(
+            value_table, attr, ci and ci.id or ci_id, ci and ci.type_id or type_id, v)
+        self._check_is_required(ci and ci.type_id or type_id, attr, v, type_attr=type_attr)
+        if attr.is_reference:
+            return v
+
+        if v == "" and attr.value_type not in (ValueTypeEnum.TEXT,):
+            v = None
+
+        if attr.re_check and value:
+            self.check_re(attr.re_check, attr.alias, value)
 
         return v
 
     @staticmethod
-    def _write_change(ci_id, attr_id, operate_type, old, new):
-        AttributeHistoryManger.add(ci_id, [(attr_id, operate_type, old, new)])
+    def _write_change(ci_id, attr_id, operate_type, old, new, record_id, type_id):
+        return AttributeHistoryManger.add(record_id, ci_id, [(attr_id, operate_type, old, new)], type_id)
 
-    def create_or_update_attr_value(self, key, value, ci_id, _no_attribute_policy=ExistPolicy.IGNORE):
+    @staticmethod
+    def write_change2(changed, record_id=None, ticket_id=None):
+        for ci_id, attr_id, operate_type, old, new, type_id in changed:
+            record_id = AttributeHistoryManger.add(record_id, ci_id, [(attr_id, operate_type, old, new)], type_id,
+                                                   ticket_id=ticket_id,
+                                                   commit=False, flush=False)
+        try:
+            db.session.commit()
+        except Exception as e:
+            db.session.rollback()
+            current_app.logger.error("write change failed: {}".format(str(e)))
+
+        return record_id
+
+    @staticmethod
+    def _compute_attr_value_from_expr(expr, ci_dict):
+        t = jinja2.Template(expr).render(ci_dict)
+
+        try:
+            return eval(t)
+        except Exception as e:
+            current_app.logger.warning(str(e))
+            return t
+
+    @staticmethod
+    def _compute_attr_value_from_script(script, ci_dict):
+        script = jinja2.Template(script).render(ci_dict)
+
+        script_f = tempfile.NamedTemporaryFile(delete=False, suffix=".py")
+        script_f.write(script.encode('utf-8'))
+        script_f.close()
+
+        try:
+            path = script_f.name
+            name = os.path.basename(path)[:-3]
+
+            spec = importlib.util.spec_from_file_location(name, path)
+            mod = importlib.util.module_from_spec(spec)
+            spec.loader.exec_module(mod)
+
+            if hasattr(mod, 'computed'):
+                return mod.computed()
+        except Exception as e:
+            current_app.logger.error(str(e))
+
+        finally:
+            os.remove(script_f.name)
+
+    @staticmethod
+    def _jinja2_parse(content):
+        schema = to_json_schema(infer(content))
+
+        return [var for var in schema.get("properties")]
+
+    def _compute_attr_value(self, attr, payload, ci_id):
+        attrs = (self._jinja2_parse(attr['compute_expr']) if attr.get('compute_expr')
+                 else self._jinja2_parse(attr['compute_script']))
+        not_existed = [i for i in attrs if i not in payload]
+        if ci_id is not None:
+            payload.update(self.get_attr_values(not_existed, ci_id))
+
+        if attr['compute_expr']:
+            return self._compute_attr_value_from_expr(attr['compute_expr'], payload)
+        elif attr['compute_script']:
+            return self._compute_attr_value_from_script(attr['compute_script'], payload)
+
+    def handle_ci_compute_attributes(self, ci_dict, computed_attrs, ci):
+        payload = copy.deepcopy(ci_dict)
+        for attr in computed_attrs:
+            computed_value = self._compute_attr_value(attr, payload, ci and ci.id)
+            if computed_value is not None:
+                ci_dict[attr['name']] = computed_value
+
+    def valid_attr_value(self, ci_dict, type_id, ci_id, name2attr,
+                         alias2attr=None,
+                         ci_attr2type_attr=None,
+                         unique_name=None):
+        key2attr = dict()
+        alias2attr = alias2attr or {}
+        ci_attr2type_attr = ci_attr2type_attr or {}
+
+        for key, value in ci_dict.items():
+            attr = name2attr.get(key) or alias2attr.get(key)
+            key2attr[key] = attr
+
+            value_table = TableMap(attr=attr).table
+
+            try:
+                if attr.is_list:
+                    if isinstance(value, dict):
+                        if value.get('op') == "delete":
+                            value['v'] = [ValueTypeMap.serialize[attr.value_type](
+                                self._deserialize_value(attr.alias, attr.value_type, i))
+                                for i in handle_arg_list(value['v'])]
+                            continue
+                        _value = value.get('v') or []
+                    else:
+                        _value = value
+                    value_list = [self._validate(attr, i, value_table, ci=None, type_id=type_id, ci_id=ci_id,
+                                                 type_attr=ci_attr2type_attr.get(attr.id))
+                                  for i in handle_arg_list(_value)]
+                    ci_dict[key] = value_list if not isinstance(value, dict) else dict(op=value.get('op'), v=value_list)
+                    if not value_list:
+                        self._check_is_required(type_id, attr, '')
+
+                else:
+                    value = self._validate(attr, value, value_table, ci=None, type_id=type_id, ci_id=ci_id,
+                                           type_attr=ci_attr2type_attr.get(attr.id),
+                                           unique_name=unique_name)
+                    ci_dict[key] = value
+            except BadRequest as e:
+                raise
+            except Exception as e:
+                current_app.logger.warning(str(e))
+
+                return abort(400, ErrFormat.attribute_value_invalid2.format(
+                    "{}({})".format(attr.alias, attr.name), value))
+
+        return key2attr
+
+    def create_or_update_attr_value(self, ci, ci_dict, key2attr, ticket_id=None):
         """
         add or update attribute value, then write history
-        :param key: id, name or alias
-        :param value:
-        :param ci_id:
-        :param _no_attribute_policy: ignore or reject
+        :param ci: instance object
+        :param ci_dict: attribute dict
+        :param key2attr: attr key to attr
+        :param ticket_id:
         :return:
         """
-        attr = self._get_attr(key)
-        if attr is None:
-            if _no_attribute_policy == ExistPolicy.IGNORE:
-                return
-            if _no_attribute_policy == ExistPolicy.REJECT:
-                return abort(400, 'attribute {0} does not exist'.format(key))
+        changed = []
+        has_dynamic = False
+        for key, value in ci_dict.items():
+            attr = key2attr.get(key)
+            if not attr:
+                continue  # not be here
+            value_table = TableMap(attr=attr).table
 
-        value_table = TableMap(attr_name=attr.name).table
+            if attr.is_list:
+                existed_attrs = value_table.get_by(attr_id=attr.id, ci_id=ci.id, to_dict=False)
+                existed_values = [(ValueTypeMap.serialize[attr.value_type](i.value) if
+                                   i.value or i.value == 0 else i.value) for i in existed_attrs]
 
-        if attr.is_list:
-            value_list = [self._validate(attr, i, value_table, ci_id) for i in handle_arg_list(value)]
-            existed_attrs = value_table.get_by(attr_id=attr.id,
-                                               ci_id=ci_id,
-                                               to_dict=False)
-            existed_values = [i.value for i in existed_attrs]
-            added = set(value_list) - set(existed_values)
-            deleted = set(existed_values) - set(value_list)
-            for v in added:
-                value_table.create(ci_id=ci_id, attr_id=attr.id, value=v)
-                self._write_change(ci_id, attr.id, OperateType.ADD, None, v)
+                if isinstance(value, dict):
+                    if value.get('op') == "add":
+                        for v in (value.get('v') or []):
+                            if v not in existed_values:
+                                value_table.create(ci_id=ci.id, attr_id=attr.id, value=v, flush=False, commit=False)
+                                if not attr.is_dynamic:
+                                    changed.append((ci.id, attr.id, OperateType.ADD, None, v, ci.type_id))
+                                else:
+                                    has_dynamic = True
 
-            for v in deleted:
-                existed_attr = existed_attrs[existed_values.index(v)]
-                existed_attr.delete()
-                self._write_change(ci_id, attr.id, OperateType.DELETE, v, None)
-        else:
-            value = self._validate(attr, value, value_table, ci_id)
-            existed_attr = value_table.get_by(attr_id=attr.id,
-                                              ci_id=ci_id,
-                                              first=True,
-                                              to_dict=False)
-            existed_value = existed_attr and existed_attr.value
-            if existed_value is None:
-                value_table.create(ci_id=ci_id, attr_id=attr.id, value=value)
-                self._write_change(ci_id, attr.id, OperateType.ADD, None, value)
+                    elif value.get('op') == "delete":
+                        for v in (value.get('v') or []):
+                            if v in existed_values:
+                                existed_attrs[existed_values.index(v)].delete(flush=False, commit=False)
+                                if not attr.is_dynamic:
+                                    changed.append((ci.id, attr.id, OperateType.DELETE, v, None, ci.type_id))
+                                else:
+                                    has_dynamic = True
+                else:
+                    # Comparison array starts from which position changes
+                    min_len = min(len(value), len(existed_values))
+                    index = 0
+                    while index < min_len:
+                        if value[index] != existed_values[index]:
+                            break
+                        index += 1
+
+                    # Delete first and then add to ensure id sorting
+                    for idx in range(index, len(existed_attrs)):
+                        existed_attr = existed_attrs[idx]
+                        existed_attr.delete(flush=False, commit=False)
+                        if not attr.is_dynamic:
+                            changed.append((ci.id, attr.id, OperateType.DELETE, existed_values[idx], None, ci.type_id))
+                        else:
+                            has_dynamic = True
+                    for idx in range(index, len(value)):
+                        value_table.create(ci_id=ci.id, attr_id=attr.id, value=value[idx], flush=False, commit=False)
+                        if not attr.is_dynamic:
+                            changed.append((ci.id, attr.id, OperateType.ADD, None, value[idx], ci.type_id))
+                        else:
+                            has_dynamic = True
             else:
-                existed_attr.update(value=value)
-                self._write_change(ci_id, attr.id, OperateType.UPDATE, existed_value, value)
+                existed_attr = value_table.get_by(attr_id=attr.id, ci_id=ci.id, first=True, to_dict=False)
+                existed_value = existed_attr and existed_attr.value
+                existed_value = (ValueTypeMap.serialize[attr.value_type](existed_value) if
+                                 existed_value or existed_value == 0 else existed_value)
+                if existed_value is None and value is not None:
+                    value_table.create(ci_id=ci.id, attr_id=attr.id, value=value, flush=False, commit=False)
+
+                    if not attr.is_dynamic:
+                        changed.append((ci.id, attr.id, OperateType.ADD, None, value, ci.type_id))
+                    else:
+                        has_dynamic = True
+                else:
+                    if existed_value != value and existed_attr:
+                        if value is None:
+                            existed_attr.delete(flush=False, commit=False)
+                        else:
+                            existed_attr.update(value=value, flush=False, commit=False)
+
+                        if not attr.is_dynamic:
+                            changed.append((ci.id, attr.id, OperateType.UPDATE, existed_value, value, ci.type_id))
+                        else:
+                            has_dynamic = True
+
+        if changed or has_dynamic:
+            try:
+                db.session.commit()
+            except Exception as e:
+                db.session.rollback()
+                current_app.logger.warning(str(e))
+                return abort(400, ErrFormat.attribute_value_unknown_error.format(e.args[0]))
+
+            return self.write_change2(changed, ticket_id=ticket_id), has_dynamic
+        else:
+            return None, has_dynamic
+
+    @staticmethod
+    def delete_attr_value(attr_id, ci_id, commit=True):
+        attr = AttributeCache.get(attr_id)
+        if attr is not None:
+            value_table = TableMap(attr=attr).table
+            for item in value_table.get_by(attr_id=attr.id, ci_id=ci_id, to_dict=False):
+                item.delete(commit=commit)

cmdb-api/api/lib/common_setting/acl.py

@@ -0,0 +1,153 @@
+# -*- coding:utf-8 -*-
+from flask import current_app
+
+from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.perm.acl.app import AppCRUD
+from api.lib.perm.acl.cache import RoleCache, AppCache
+from api.lib.perm.acl.permission import PermissionCRUD
+from api.lib.perm.acl.resource import ResourceTypeCRUD, ResourceCRUD
+from api.lib.perm.acl.role import RoleCRUD, RoleRelationCRUD
+from api.lib.perm.acl.user import UserCRUD
+
+
+def validate_app(app_id):
+    app = AppCache.get(app_id)
+    return app.id if app else None
+
+
+class ACLManager(object):
+    def __init__(self, app_name='acl', uid=None):
+        self.log = current_app.logger
+        self.app_name = app_name
+        self.uid = uid
+
+    @staticmethod
+    def get_all_users():
+        try:
+            numfound, users = UserCRUD.search(None, 1, 999999)
+            users = [i.to_dict() for i in users]
+            for u in users:
+                u.pop('password', None)
+                u.pop('key', None)
+                u.pop('secret', None)
+            return users
+        except Exception as e:
+            current_app.logger.error(str(e))
+            raise Exception(ErrFormat.acl_get_all_users_failed.format(str(e)))
+
+    @staticmethod
+    def create_user(payload):
+        user = UserCRUD.add(**payload)
+        return user.to_dict()
+
+    @staticmethod
+    def edit_user(uid, payload):
+        user = UserCRUD.update(uid, **payload)
+        return user.to_dict()
+
+    def get_all_roles(self):
+        numfound, roles = RoleCRUD.search(
+            None, self.app_name, 1, 999999, True, True, False)
+
+        return [i.to_dict() for i in roles]
+
+    def remove_user_from_role(self, user_rid, payload):
+        app_id = self.app_name
+        app = AppCache.get(app_id)
+        if app and app.name == "acl":
+            app_id = None  # global
+
+        RoleRelationCRUD.delete2(
+            payload.get('parent_id'), user_rid, app_id)
+        return dict(
+            message="success"
+        )
+
+    def add_user_to_role(self, role_id, payload):
+        app_id = self.app_name
+        app = AppCache.get(self.app_name)
+        if app and app.name == "acl":
+            app_id = None
+        role = RoleCache.get(role_id)
+        res = RoleRelationCRUD.add(
+            role, role_id, payload['child_ids'], app_id)
+        return res
+
+    @staticmethod
+    def create_role(payload):
+        payload['is_app_admin'] = payload.get('is_app_admin', False)
+        role = RoleCRUD.add_role(**payload)
+        return role.to_dict()
+
+    @staticmethod
+    def edit_role(_id, payload):
+        role = RoleCRUD.update_role(_id, **payload)
+        return role.to_dict()
+
+    @staticmethod
+    def delete_role(_id):
+        RoleCRUD.delete_role(_id)
+        return dict(rid=_id)
+
+    def get_user_info(self, username):
+        from api.lib.perm.acl.acl import ACLManager as ACL
+        user_info = ACL().get_user_info(username, self.app_name)
+        result = dict(
+            name=user_info.get('nickname') or username,
+            username=user_info.get('username') or username,
+            email=user_info.get('email'),
+            uid=user_info.get('uid'),
+            rid=user_info.get('rid'),
+            role=dict(permissions=user_info.get('parents')),
+            avatar=user_info.get('avatar')
+        )
+
+        return result
+
+    def validate_app(self):
+        return AppCache.get(self.app_name)
+
+    def get_all_resources_types(self, q=None, page=1, page_size=999999):
+        app_id = self.validate_app().id
+        numfound, res, id2perms = ResourceTypeCRUD.search(q, app_id, page, page_size)
+
+        return dict(
+            numfound=numfound,
+            groups=[i.to_dict() for i in res],
+            id2perms=id2perms
+        )
+
+    def create_resources_type(self, payload):
+        payload['app_id'] = self.validate_app().id
+        rt = ResourceTypeCRUD.add(**payload)
+
+        return rt.to_dict()
+
+    def update_resources_type(self, _id, payload):
+        rt = ResourceTypeCRUD.update(_id, **payload)
+
+        return rt.to_dict()
+
+    def create_resource(self, payload):
+        payload['app_id'] = self.validate_app().id
+        resource = ResourceCRUD.add(**payload)
+
+        return resource.to_dict()
+
+    def get_resource_by_type(self, q, u, rt_id, page=1, page_size=999999):
+        numfound, res = ResourceCRUD.search(q, u, self.validate_app().id, rt_id, page, page_size)
+        return res
+
+    @staticmethod
+    def grant_resource(rid, resource_id, perms):
+        PermissionCRUD.grant(rid, perms, resource_id=resource_id, group_id=None)
+
+    @staticmethod
+    def create_app(payload):
+        rt = AppCRUD.add(**payload)
+
+        return rt.to_dict()
+
+    def role_has_perms(self, rid, resource_name, resource_type_name, perm):
+        app_id = validate_app(self.app_name)
+        return RoleCRUD.has_permission(rid, resource_name, resource_type_name, app_id, perm)

cmdb-api/api/lib/common_setting/common_data.py

@@ -0,0 +1,282 @@
+import copy
+import json
+
+from flask import abort, current_app
+from ldap3 import Connection
+from ldap3 import Server
+from ldap3.core.exceptions import LDAPBindError, LDAPSocketOpenError
+from ldap3 import AUTO_BIND_NO_TLS
+
+from api.extensions import db
+from api.lib.common_setting.resp_format import ErrFormat
+from api.models.common_setting import CommonData
+from api.lib.utils import AESCrypto
+from api.lib.common_setting.const import AuthCommonConfig, AuthenticateType, AuthCommonConfigAutoRedirect, TestType
+
+
+class CommonDataCRUD(object):
+
+    @staticmethod
+    def get_data_by_type(data_type):
+        CommonDataCRUD.check_auth_type(data_type)
+        return CommonData.get_by(data_type=data_type)
+
+    @staticmethod
+    def get_data_by_id(_id, to_dict=True):
+        return CommonData.get_by(first=True, id=_id, to_dict=to_dict)
+
+    @staticmethod
+    def create_new_data(data_type, **kwargs):
+        try:
+            CommonDataCRUD.check_auth_type(data_type)
+
+            return CommonData.create(data_type=data_type, **kwargs)
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    @staticmethod
+    def update_data(_id, **kwargs):
+        existed = CommonDataCRUD.get_data_by_id(_id, to_dict=False)
+        if not existed:
+            abort(404, ErrFormat.common_data_not_found.format(_id))
+        try:
+            CommonDataCRUD.check_auth_type(existed.data_type)
+            return existed.update(**kwargs)
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    @staticmethod
+    def delete(_id):
+        existed = CommonDataCRUD.get_data_by_id(_id, to_dict=False)
+        if not existed:
+            abort(404, ErrFormat.common_data_not_found.format(_id))
+        try:
+            CommonDataCRUD.check_auth_type(existed.data_type)
+            existed.soft_delete()
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    @staticmethod
+    def check_auth_type(data_type):
+        if data_type in list(AuthenticateType.all()) + [AuthCommonConfig]:
+            abort(400, ErrFormat.common_data_not_support_auth_type.format(data_type))
+
+    @staticmethod
+    def set_auth_auto_redirect_enable(_value: int):
+        existed = CommonData.get_by(first=True, data_type=AuthCommonConfig, to_dict=False)
+        if not existed:
+            CommonDataCRUD.create_new_data(AuthCommonConfig, data={AuthCommonConfigAutoRedirect: _value})
+        else:
+            data = existed.data
+            data = copy.deepcopy(existed.data) if data else {}
+            data[AuthCommonConfigAutoRedirect] = _value
+            CommonDataCRUD.update_data(existed.id, data=data)
+        return True
+
+    @staticmethod
+    def get_auth_auto_redirect_enable():
+        existed = CommonData.get_by(first=True, data_type=AuthCommonConfig)
+        if not existed:
+            return 0
+        data = existed.get('data', {})
+        if not data:
+            return 0
+        return data.get(AuthCommonConfigAutoRedirect, 0)
+
+
+class AuthenticateDataCRUD(object):
+    common_type_list = [AuthCommonConfig]
+
+    def __init__(self, _type):
+        self._type = _type
+        self.record = None
+        self.decrypt_data = {}
+
+    def get_support_type_list(self):
+        return list(AuthenticateType.all()) + self.common_type_list
+
+    def get(self):
+        if not self.decrypt_data:
+            self.decrypt_data = self.get_decrypt_data()
+
+        return self.decrypt_data
+
+    def get_by_key(self, _key):
+        if not self.decrypt_data:
+            self.decrypt_data = self.get_decrypt_data()
+
+        return self.decrypt_data.get(_key, None)
+
+    def get_record(self, to_dict=False) -> CommonData:
+        return CommonData.get_by(first=True, data_type=self._type, to_dict=to_dict)
+
+    def get_record_with_decrypt(self) -> dict:
+        record = CommonData.get_by(first=True, data_type=self._type, to_dict=True)
+        if not record:
+            return {}
+        data = self.get_decrypt_dict(record.get('data', ''))
+        record['data'] = data
+        return record
+
+    def get_decrypt_dict(self, data):
+        decrypt_str = self.decrypt(data)
+        try:
+            return json.loads(decrypt_str)
+        except Exception as e:
+            abort(400, str(e))
+
+    def get_decrypt_data(self) -> dict:
+        self.record = self.get_record()
+        if not self.record:
+            return self.get_from_config()
+        return self.get_decrypt_dict(self.record.data)
+
+    def get_from_config(self):
+        return current_app.config.get(self._type, {})
+
+    def check_by_type(self) -> None:
+        existed = self.get_record()
+        if existed:
+            abort(400, ErrFormat.common_data_already_existed.format(self._type))
+
+    def create(self, data) -> CommonData:
+        self.check_by_type()
+        encrypt = data.pop('encrypt', None)
+        if encrypt is False:
+            return CommonData.create(data_type=self._type, data=data)
+        encrypted_data = self.encrypt(data)
+        try:
+            return CommonData.create(data_type=self._type, data=encrypted_data)
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    def update_by_record(self, record, data) -> CommonData:
+        encrypt = data.pop('encrypt', None)
+        if encrypt is False:
+            return record.update(data=data)
+        encrypted_data = self.encrypt(data)
+        try:
+            return record.update(data=encrypted_data)
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    def update(self, _id, data) -> CommonData:
+        existed = CommonData.get_by(first=True, to_dict=False, id=_id)
+        if not existed:
+            abort(404, ErrFormat.common_data_not_found.format(_id))
+
+        return self.update_by_record(existed, data)
+
+    @staticmethod
+    def delete(_id) -> None:
+        existed = CommonData.get_by(first=True, to_dict=False, id=_id)
+        if not existed:
+            abort(404, ErrFormat.common_data_not_found.format(_id))
+        try:
+            existed.soft_delete()
+        except Exception as e:
+            db.session.rollback()
+            abort(400, str(e))
+
+    @staticmethod
+    def encrypt(data) -> str:
+        if type(data) is dict:
+            try:
+                data = json.dumps(data)
+            except Exception as e:
+                abort(400, str(e))
+        return AESCrypto().encrypt(data)
+
+    @staticmethod
+    def decrypt(data) -> str:
+        return AESCrypto().decrypt(data)
+
+    @staticmethod
+    def get_enable_list():
+        all_records = CommonData.query.filter(
+            CommonData.data_type.in_(AuthenticateType.all()),
+            CommonData.deleted == 0
+        ).all()
+        enable_list = []
+        for auth_type in AuthenticateType.all():
+            record = list(filter(lambda x: x.data_type == auth_type, all_records))
+            if not record:
+                config = current_app.config.get(auth_type, None)
+                if not config:
+                    continue
+
+                if config.get('enable', False):
+                    enable_list.append(dict(
+                        auth_type=auth_type,
+                    ))
+
+                continue
+
+            try:
+                decrypt_data = json.loads(AuthenticateDataCRUD.decrypt(record[0].data))
+            except Exception as e:
+                current_app.logger.error(e)
+                continue
+
+            if decrypt_data.get('enable', 0) == 1:
+                enable_list.append(dict(
+                    auth_type=auth_type,
+                ))
+
+        auth_auto_redirect = CommonDataCRUD.get_auth_auto_redirect_enable()
+
+        return dict(
+            enable_list=enable_list,
+            auth_auto_redirect=auth_auto_redirect,
+        )
+
+    def test(self, test_type, data):
+        type_lower = self._type.lower()
+        func_name = f'test_{type_lower}'
+        if hasattr(self, func_name):
+            try:
+                return getattr(self, f'test_{type_lower}')(test_type, data)
+            except Exception as e:
+                abort(400, str(e))
+        abort(400, ErrFormat.not_support_test.format(self._type))
+
+    @staticmethod
+    def test_ldap(test_type, data):
+        ldap_server = data.get('ldap_server')
+        ldap_user_dn = data.get('ldap_user_dn', '{}')
+
+        server = Server(ldap_server, connect_timeout=2)
+        if not server.check_availability():
+            raise Exception(ErrFormat.ldap_server_connect_not_available)
+        else:
+            if test_type == TestType.Connect:
+                return True
+
+        username = data.get('username', None)
+        if not username:
+            raise Exception(ErrFormat.ldap_test_username_required)
+        user = ldap_user_dn.format(username)
+        password = data.get('password', None)
+
+        try:
+            Connection(server, user=user, password=password, auto_bind=AUTO_BIND_NO_TLS)
+        except LDAPBindError:
+            ldap_domain = data.get('ldap_domain')
+            user_with_domain = f"{username}@{ldap_domain}"
+            try:
+                Connection(server, user=user_with_domain, password=password, auto_bind=AUTO_BIND_NO_TLS)
+            except Exception as e:
+                raise Exception(ErrFormat.ldap_test_unknown_error.format(str(e)))
+
+        except LDAPSocketOpenError:
+            raise Exception(ErrFormat.ldap_server_connect_timeout)
+
+        except Exception as e:
+            raise Exception(ErrFormat.ldap_test_unknown_error.format(str(e)))
+
+        return True

cmdb-api/api/lib/common_setting/company_info.py

@@ -0,0 +1,63 @@
+# -*- coding:utf-8 -*-
+from urllib.parse import urlparse
+
+from api.extensions import cache
+from api.models.common_setting import CompanyInfo
+
+
+class CompanyInfoCRUD(object):
+
+    @staticmethod
+    def get():
+        return CompanyInfo.get_by(first=True) or {}
+
+    @staticmethod
+    def create(**kwargs):
+        CompanyInfoCRUD.check_data(**kwargs)
+        res = CompanyInfo.create(**kwargs)
+        CompanyInfoCache.refresh(res.info)
+        return res
+
+    @staticmethod
+    def update(_id, **kwargs):
+        kwargs.pop('id', None)
+        existed = CompanyInfo.get_by_id(_id)
+        if not existed:
+            existed = CompanyInfoCRUD.create(**kwargs)
+        else:
+            CompanyInfoCRUD.check_data(**kwargs)
+            existed = existed.update(**kwargs)
+        CompanyInfoCache.refresh(existed.info)
+        return existed
+
+    @staticmethod
+    def check_data(**kwargs):
+        info = kwargs.get('info', {})
+        info['messenger'] = CompanyInfoCRUD.check_messenger(info.get('messenger', None))
+
+        kwargs['info'] = info
+
+    @staticmethod
+    def check_messenger(messenger):
+        if not messenger:
+            return messenger
+
+        parsed_url = urlparse(messenger)
+        return f"{parsed_url.scheme}://{parsed_url.netloc}"
+
+
+class CompanyInfoCache(object):
+    key = 'CompanyInfoCache::'
+
+    @classmethod
+    def get(cls):
+        info = cache.get(cls.key)
+        if not info:
+            res = CompanyInfo.get_by(first=True) or {}
+            info = res.get('info', {})
+            cache.set(cls.key, info)
+        return info
+
+    @classmethod
+    def refresh(cls, info):
+        cache.set(cls.key, info)

cmdb-api/api/lib/common_setting/const.py

@@ -0,0 +1,66 @@
+from api.lib.common_setting.utils import BaseEnum
+
+COMMON_SETTING_QUEUE = "common_setting_async"
+
+
+class OperatorType(BaseEnum):
+    EQUAL = 1
+    NOT_EQUAL = 2
+    IN = 3
+    NOT_IN = 4
+    GREATER_THAN = 5
+    LESS_THAN = 6
+    IS_EMPTY = 7
+    IS_NOT_EMPTY = 8
+
+
+BotNameMap = {
+    'wechatApp': 'wechatBot',
+    'feishuApp': 'feishuBot',
+    'dingdingApp': 'dingdingBot',
+}
+
+
+class AuthenticateType(BaseEnum):
+    CAS = 'CAS'
+    OAUTH2 = 'OAUTH2'
+    OIDC = 'OIDC'
+    LDAP = 'LDAP'
+
+
+AuthCommonConfig = 'AuthCommonConfig'
+AuthCommonConfigAutoRedirect = 'auto_redirect'
+
+
+class TestType(BaseEnum):
+    Connect = 'connect'
+    Login = 'login'
+
+
+MIMEExtMap = {
+    'application/vnd.openxmlformats-officedocument.wordprocessingml.document': '.docx',
+    'application/msword': '.doc',
+    'application/vnd.ms-word.document.macroEnabled.12': '.docm',
+    'application/vnd.ms-excel': '.xls',
+    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': '.xlsx',
+    'application/vnd.ms-excel.sheet.macroEnabled.12': '.xlsm',
+    'application/vnd.ms-powerpoint': '.ppt',
+    'application/vnd.openxmlformats-officedocument.presentationml.presentation': '.pptx',
+    'application/vnd.ms-powerpoint.presentation.macroEnabled.12': '.pptm',
+    'application/zip': '.zip',
+    'application/x-7z-compressed': '.7z',
+    'application/json': '.json',
+    'application/pdf': '.pdf',
+    'image/png': '.png',
+    'image/bmp': '.bmp',
+    'image/prs.btif': '.btif',
+    'image/gif': '.gif',
+    'image/jpeg': '.jpg',
+    'image/tiff': '.tif',
+    'image/vnd.microsoft.icon': '.ico',
+    'image/webp': '.webp',
+    'image/svg+xml': '.svg',
+    'image/vnd.adobe.photoshop': '.psd',
+    'text/plain': '.txt',
+    'text/csv': '.csv',
+}

cmdb-api/api/lib/common_setting/decorator.py

@@ -0,0 +1,39 @@
+import functools
+
+from flask import abort, session, current_app
+from api.lib.common_setting.acl import ACLManager
+from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.perm.acl.acl import is_app_admin
+
+
+def perms_role_required(app_name, resource_type_name, resource_name, perm, role_name=None):
+    def decorator_perms_role_required(func):
+        @functools.wraps(func)
+        def wrapper_required(*args, **kwargs):
+            acl = ACLManager(app_name)
+            has_perms = False
+            try:
+                has_perms = acl.role_has_perms(session["acl"]['rid'], resource_name, resource_type_name, perm)
+            except Exception as e:
+                current_app.logger.error(f"acl role_has_perms err: {e}")
+                # resource_type not exist, continue check role
+                if role_name:
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
+                        abort(403, ErrFormat.role_required.format(role_name))
+
+                    return func(*args, **kwargs)
+                else:
+                    abort(403, ErrFormat.resource_no_permission.format(resource_name, perm))
+
+            if not has_perms:
+                if role_name:
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
+                        abort(403, ErrFormat.role_required.format(role_name))
+                else:
+                    abort(403, ErrFormat.resource_no_permission.format(resource_name, perm))
+
+            return func(*args, **kwargs)
+
+        return wrapper_required
+
+    return decorator_perms_role_required

cmdb-api/api/lib/common_setting/department.py

@@ -0,0 +1,559 @@
+# -*- coding:utf-8 -*-
+
+from flask import abort, current_app
+from treelib import Tree
+from wtforms import Form
+from wtforms import IntegerField
+from wtforms import StringField
+from wtforms import validators
+
+from api.extensions import db
+from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.common_setting.acl import ACLManager
+from api.lib.perm.acl.role import RoleCRUD
+from api.models.common_setting import Department, Employee
+
+sub_departments_column_name = 'sub_departments'
+
+
+def get_all_department_list(to_dict=True):
+    criterion = [
+        Department.deleted == 0,
+    ]
+    query = Department.query.filter(
+        *criterion
+    ).order_by(Department.department_id.asc())
+    results = query.all()
+    if to_dict:
+        datas = []
+        for r in results:
+            d = r.to_dict()
+            if r.department_id == 0:
+                d['department_name'] = ErrFormat.company_wide
+            datas.append(d)
+        return datas
+    return results
+
+
+def get_all_employee_list(block=0, to_dict=True):
+    criterion = [
+        Employee.deleted == 0,
+    ]
+    if block >= 0:
+        criterion.append(
+            Employee.block == block
+        )
+
+    results = db.session.query(Employee).filter(*criterion).all()
+
+    DepartmentTreeEmployeeColumns = [
+        'acl_rid',
+        'employee_id',
+        'username',
+        'nickname',
+        'email',
+        'mobile',
+        'direct_supervisor_id',
+        'block',
+        'department_id',
+    ]
+
+    def format_columns(e):
+        return {column: getattr(e, column) for column in DepartmentTreeEmployeeColumns}
+
+    return [format_columns(r) for r in results] if to_dict else results
+
+
+class DepartmentTree(object):
+    def __init__(self, append_employee=False, block=-1):
+        self.append_employee = append_employee
+        self.block = block
+        self.all_department_list = get_all_department_list()
+        self.all_employee_list = get_all_employee_list(
+            block) if append_employee else None
+
+    def prepare(self):
+        pass
+
+    def get_employees_by_d_id(self, d_id):
+        block = self.block
+
+        def filter_department_id(e):
+            if self.block != -1:
+                return e['department_id'] == d_id and e['block'] == block
+            return e.department_id == d_id
+
+        results = list(filter(lambda e: filter_department_id(e), self.all_employee_list))
+
+        return results
+
+    def get_department_by_parent_id(self, parent_id):
+        results = list(filter(lambda d: d['department_parent_id'] == parent_id, self.all_department_list))
+        if not results:
+            return []
+        return results
+
+    def get_tree_departments(self):
+        # 一级部门
+        top_departments = self.get_department_by_parent_id(-1)
+        if len(top_departments) == 0:
+            return []
+
+        d_list = []
+
+        for top_d in top_departments:
+            department_id = top_d['department_id']
+            sub_deps = self.get_department_by_parent_id(department_id)
+            employees = []
+            if self.append_employee:
+                employees = self.get_employees_by_d_id(department_id)
+
+            top_d['employees'] = employees
+            top_d['department_name'] = ErrFormat.company_wide
+            if len(sub_deps) == 0:
+                top_d[sub_departments_column_name] = []
+                d_list.append(top_d)
+                continue
+
+            self.parse_sub_department(sub_deps, top_d)
+            d_list.append(top_d)
+
+        return d_list
+
+    def get_all_departments(self, is_tree=1):
+        if len(self.all_department_list) == 0:
+            return []
+
+        if is_tree != 1:
+            return self.all_department_list
+
+        return self.get_tree_departments()
+
+    def parse_sub_department(self, deps, top_d):
+        sub_departments = []
+        for d in deps:
+            sub_deps = self.get_department_by_parent_id(d['department_id'])
+            employees = []
+            if self.append_employee:
+                employees = self.get_employees_by_d_id(d['department_id'])
+
+            d['employees'] = employees
+
+            if len(sub_deps) == 0:
+                d[sub_departments_column_name] = []
+                sub_departments.append(d)
+                continue
+
+            self.parse_sub_department(sub_deps, d)
+            sub_departments.append(d)
+
+        top_d[sub_departments_column_name] = sub_departments
+
+
+class DepartmentForm(Form):
+    department_name = StringField(validators=[
+        validators.DataRequired(message="部门名称不能为空"),
+        validators.Length(max=255),
+    ])
+
+    department_director_id = IntegerField(validators=[], default=0)
+    department_parent_id = IntegerField(validators=[], default=1)
+
+
+class DepartmentCRUD(object):
+
+    @staticmethod
+    def get_department_by_id(d_id, to_dict=True):
+        return Department.get_by(first=True, department_id=d_id, to_dict=to_dict)
+
+    @staticmethod
+    def add(**kwargs):
+        DepartmentCRUD.check_department_name_unique(kwargs['department_name'])
+        department_parent_id = kwargs.get('department_parent_id', 0)
+        DepartmentCRUD.check_department_parent_id(department_parent_id)
+
+        DepartmentCRUD.check_department_parent_id_allow(
+            -1, department_parent_id)
+
+        try:
+            role = RoleCRUD.add_role(name=kwargs['department_name'])
+        except Exception as e:
+            return abort(400, ErrFormat.acl_add_role_failed.format(str(e)))
+
+        kwargs['acl_rid'] = role.id
+        try:
+            db_department = Department.create(
+                **kwargs
+            )
+
+        except Exception as e:
+            return abort(400, str(e))
+
+        return db_department
+
+    @staticmethod
+    def check_department_parent_id_allow(d_id, department_parent_id):
+        if department_parent_id == 0:
+            return
+        allow_p_d_id_list = DepartmentCRUD.get_allow_parent_d_id_by(d_id)
+        target = list(
+            filter(lambda d: d['department_id'] == department_parent_id, allow_p_d_id_list))
+        if len(target) == 0:
+            try:
+                dep = Department.get_by(
+                    first=True, to_dict=False, department_id=department_parent_id)
+                name = dep.department_name if dep else ErrFormat.department_id_not_found.format(department_parent_id)
+            except Exception as e:
+                current_app.logger.error(str(e))
+                name = ErrFormat.department_id_not_found.format(department_parent_id)
+            abort(400, ErrFormat.cannot_to_be_parent_department.format(name))
+
+    @staticmethod
+    def check_department_parent_id(department_parent_id):
+        if int(department_parent_id) < 0:
+            abort(400, ErrFormat.parent_department_id_must_more_than_zero)
+
+    @staticmethod
+    def check_department_name_unique(name, _id=0):
+        criterion = [
+            Department.department_name == name,
+            Department.deleted == 0,
+        ]
+        if _id > 0:
+            criterion.append(
+                Department.department_id != _id
+            )
+
+        res = Department.query.filter(
+            *criterion
+        ).all()
+
+        res and abort(
+            400, ErrFormat.department_name_already_exists.format(name)
+        )
+
+    @staticmethod
+    def edit(_id, **kwargs):
+        DepartmentCRUD.check_department_name_unique(
+            kwargs['department_name'], _id)
+        kwargs.pop('department_id', None)
+        existed = Department.get_by(
+            first=True, department_id=_id, to_dict=False)
+        if not existed:
+            abort(404, ErrFormat.department_id_not_found.format(_id))
+
+        department_parent_id = kwargs.get('department_parent_id', 0)
+        DepartmentCRUD.check_department_parent_id(department_parent_id)
+        if department_parent_id > 0:
+            DepartmentCRUD.check_department_parent_id_allow(
+                _id, department_parent_id)
+
+        try:
+            RoleCRUD.update_role(
+                existed.acl_rid, name=kwargs['department_name'])
+        except Exception as e:
+            return abort(400, ErrFormat.acl_update_role_failed.format(str(e)))
+
+        try:
+            return existed.update(**kwargs)
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def delete(_id):
+        existed = Department.get_by(
+            first=True, department_id=_id, to_dict=False)
+        if not existed:
+            abort(404, ErrFormat.department_id_not_found.format(_id))
+        try:
+            RoleCRUD.delete_role(existed.acl_rid)
+        except Exception as e:
+            current_app.logger.error(str(e))
+
+        return existed.soft_delete()
+
+    @staticmethod
+    def get_allow_parent_d_id_by(department_id):
+        tree_list = DepartmentCRUD.get_department_tree_list()
+
+        allow_d_id_list = []
+
+        for tree in tree_list:
+            if department_id > 0:
+                try:
+                    tree.remove_subtree(department_id)
+                except Exception as e:
+                    current_app.logger.error(str(e))
+
+            [allow_d_id_list.append({'department_id': int(n.identifier), 'department_name': n.tag}) for n in
+             tree.all_nodes()]
+
+        return allow_d_id_list
+
+    @staticmethod
+    def update_department_sort(department_list):
+        d_map = {d['id']: d['sort_value'] for d in department_list}
+        d_id = [d['id'] for d in department_list]
+
+        db_list = Department.query.filter(
+            Department.department_id.in_(d_id),
+            Department.deleted == 0
+        ).all()
+
+        for existed in db_list:
+            existed.update(sort_value=d_map[existed.department_id])
+
+        return []
+
+    @staticmethod
+    def get_all_departments_with_employee(block):
+        return DepartmentTree(True, block).get_all_departments(1)
+
+    @staticmethod
+    def get_department_tree_list():
+        all_deps = get_all_department_list()
+        if len(all_deps) == 0:
+            return []
+
+        top_deps = list(filter(lambda d: d['department_parent_id'] == -1, all_deps))
+        if len(top_deps) == 0:
+            return []
+
+        tree_list = []
+
+        for top_d in top_deps:
+            top_d['department_name'] = ErrFormat.company_wide
+            tree = Tree()
+            identifier_root = top_d['department_id']
+            tree.create_node(
+                top_d['department_name'],
+                identifier_root
+            )
+            sub_ds = list(filter(lambda d: d['department_parent_id'] == identifier_root, all_deps))
+            if len(sub_ds) == 0:
+                tree_list.append(tree)
+                continue
+
+            DepartmentCRUD.parse_sub_department_node(
+                sub_ds, all_deps, tree, identifier_root)
+
+            tree_list.append(tree)
+
+        return tree_list
+
+    @staticmethod
+    def parse_sub_department_node(sub_ds, all_ds, tree, parent_id):
+        for d in sub_ds:
+            tree.create_node(
+                d['department_name'],
+                d['department_id'],
+                parent=parent_id
+            )
+
+            next_sub_ds = list(filter(lambda item_d: item_d['department_parent_id'] == d['department_id'], all_ds))
+            if len(next_sub_ds) == 0:
+                continue
+
+            DepartmentCRUD.parse_sub_department_node(
+                next_sub_ds, all_ds, tree, d['department_id'])
+
+    @staticmethod
+    def get_department_by_query(query, to_dict=True):
+        results = query.all()
+        if not results:
+            return []
+        return results if not to_dict else [r.to_dict() for r in results]
+
+    @staticmethod
+    def get_departments_and_ids(department_parent_id, block):
+        query = Department.query.filter(
+            Department.department_parent_id == department_parent_id,
+            Department.deleted == 0,
+        ).order_by(Department.sort_value.asc())
+        all_departments = DepartmentCRUD.get_department_by_query(query)
+        if len(all_departments) == 0:
+            return [], []
+
+        tree_list = DepartmentCRUD.get_department_tree_list()
+        all_employee_list = get_all_employee_list(block)
+
+        department_id_list = [d['department_id'] for d in all_departments]
+        query = Department.query.filter(
+            Department.department_parent_id.in_(department_id_list),
+            Department.deleted == 0,
+        ).order_by(Department.sort_value.asc()).group_by(Department.department_id)
+        sub_deps = DepartmentCRUD.get_department_by_query(query)
+
+        sub_map = {d['department_parent_id']: 1 for d in sub_deps}
+
+        for d in all_departments:
+            d['has_sub'] = sub_map.get(d['department_id'], 0)
+
+            d_ids = DepartmentCRUD.get_department_id_list_by_root(d['department_id'], tree_list)
+
+            d['employee_count'] = len(list(filter(lambda e: e['department_id'] in d_ids, all_employee_list)))
+
+            if int(department_parent_id) == -1:
+                d['department_name'] = ErrFormat.company_wide
+
+        return all_departments, department_id_list
+
+    @staticmethod
+    def get_department_id_list_by_root(root_department_id, tree_list=None):
+        if tree_list is None:
+            tree_list = DepartmentCRUD.get_department_tree_list()
+        id_list = []
+        for tree in tree_list:
+            try:
+                tmp_tree = tree.subtree(root_department_id)
+                [id_list.append(int(n.identifier))
+                 for n in tmp_tree.all_nodes()]
+            except Exception as e:
+                current_app.logger.error(str(e))
+
+        return id_list
+
+
+class EditDepartmentInACL(object):
+
+    @staticmethod
+    def add_department_to_acl(department_id, op_uid):
+        db_department = DepartmentCRUD.get_department_by_id(department_id, to_dict=False)
+        if not db_department:
+            return
+
+        from api.models.acl import Role
+        role = Role.get_by(first=True, name=db_department.department_name, app_id=None)
+
+        acl = ACLManager('acl', str(op_uid))
+        if role is None:
+            payload = {
+                'app_id': 'acl',
+                'name': db_department.department_name,
+            }
+            role = acl.create_role(payload)
+
+        acl_rid = role.get('id') if role else 0
+
+        db_department.update(
+            acl_rid=acl_rid
+        )
+        info = f"add_department_to_acl, acl_rid: {acl_rid}"
+        current_app.logger.info(info)
+        return info
+
+    @staticmethod
+    def delete_department_from_acl(department_rids, op_uid):
+        acl = ACLManager('acl', str(op_uid))
+
+        result = []
+
+        for rid in department_rids:
+            try:
+                acl.delete_role(rid)
+            except Exception as e:
+                result.append(f"delete_department_in_acl, rid: {rid}, error: {e}")
+                continue
+
+        return result
+
+    @staticmethod
+    def edit_department_name_in_acl(d_rid: int, d_name: str, op_uid: int):
+        acl = ACLManager('acl', str(op_uid))
+        payload = {
+            'name': d_name
+        }
+        try:
+            acl.edit_role(d_rid, payload)
+        except Exception as e:
+            return f"edit_department_name_in_acl, rid: {d_rid}, error: {e}"
+
+        return f"edit_department_name_in_acl, rid: {d_rid}, success"
+
+    @classmethod
+    def remove_from_old_department_role(cls, e_list, acl):
+        result = []
+        for employee in e_list:
+            employee_acl_rid = employee.get('e_acl_rid')
+            if employee_acl_rid == 0:
+                result.append("employee_acl_rid == 0")
+                continue
+            cls.remove_single_employee_from_old_department(acl, employee, result)
+
+    @staticmethod
+    def remove_single_employee_from_old_department(acl, employee, result):
+        from api.models.acl import Role
+        old_department = DepartmentCRUD.get_department_by_id(employee.get('department_id'), False)
+        if not old_department:
+            return False
+
+        old_role = Role.get_by(first=True, name=old_department.department_name, app_id=None)
+        old_d_rid_in_acl = old_role.get('id') if old_role else 0
+        if old_d_rid_in_acl == 0:
+            return False
+
+        d_acl_rid = old_department.acl_rid if old_d_rid_in_acl == old_department.acl_rid else old_d_rid_in_acl
+        payload = {
+            'app_id': 'acl',
+            'parent_id': d_acl_rid,
+        }
+        try:
+            acl.remove_user_from_role(employee.get('e_acl_rid'), payload)
+            current_app.logger.info(f"remove {employee.get('e_acl_rid')} from {d_acl_rid}")
+        except Exception as e:
+            err = f"remove_user_from_role e_acl_rid: {employee.get('e_acl_rid')}, parent_id: {d_acl_rid}, err: {e}"
+            result.append(err)
+
+        return True
+
+    @staticmethod
+    def add_employee_to_new_department(acl, employee_acl_rid, new_department_acl_rid, result):
+        payload = {
+            'app_id': 'acl',
+            'child_ids': [employee_acl_rid],
+        }
+        try:
+            acl.add_user_to_role(new_department_acl_rid, payload)
+            current_app.logger.info(f"add {employee_acl_rid} to {new_department_acl_rid}")
+        except Exception as e:
+            result.append(
+                f"add_user_to_role employee_acl_rid: {employee_acl_rid}, parent_id: {new_department_acl_rid}, \
+                             err: {e}")
+
+    @classmethod
+    def edit_employee_department_in_acl(cls, e_list: list, new_d_id: int, op_uid: int):
+        result = []
+        new_department = DepartmentCRUD.get_department_by_id(new_d_id, False)
+        if not new_department:
+            result.append(f"{new_d_id} new_department is None")
+            return result
+
+        from api.models.acl import Role
+        new_role = Role.get_by(first=True, name=new_department.department_name, app_id=None)
+        new_d_rid_in_acl = new_role.get('id') if new_role else 0
+        acl = ACLManager('acl', str(op_uid))
+
+        if new_d_rid_in_acl == 0:
+            # only remove from old department role
+            cls.remove_from_old_department_role(e_list, acl)
+            return
+
+        if new_d_rid_in_acl != new_department.acl_rid:
+            new_department.update(
+                acl_rid=new_d_rid_in_acl
+            )
+        new_department_acl_rid = new_department.acl_rid if new_d_rid_in_acl == new_department.acl_rid else \
+            new_d_rid_in_acl
+
+        for employee in e_list:
+            employee_acl_rid = employee.get('e_acl_rid')
+            if employee_acl_rid == 0:
+                result.append("employee_acl_rid == 0")
+                continue
+
+            cls.remove_single_employee_from_old_department(acl, employee, result)
+
+            # 在新部门中添加员工
+            cls.add_employee_to_new_department(acl, employee_acl_rid, new_department_acl_rid, result)
+
+        return result

cmdb-api/api/lib/common_setting/employee.py

@@ -0,0 +1,974 @@
+# -*- coding:utf-8 -*-
+import copy
+import traceback
+from datetime import datetime
+
+import requests
+from flask import abort, current_app
+from flask_login import current_user
+from sqlalchemy import or_, literal_column, func, not_, and_
+from werkzeug.datastructures import MultiDict
+from wtforms import Form
+from wtforms import IntegerField
+from wtforms import StringField
+from wtforms import validators
+
+from api.extensions import db
+from api.lib.common_setting.acl import ACLManager
+from api.lib.common_setting.const import OperatorType
+from api.lib.perm.acl.const import ACL_QUEUE
+from api.lib.common_setting.resp_format import ErrFormat
+from api.models.common_setting import Employee, Department
+
+from api.tasks.common_setting import refresh_employee_acl_info, edit_employee_department_in_acl
+
+acl_user_columns = [
+    'email',
+    'mobile',
+    'nickname',
+    'username',
+    'password',
+    'block',
+    'avatar',
+]
+employee_pop_columns = ['password']
+can_not_edit_columns = ['email']
+
+
+def edit_acl_user(uid, **kwargs):
+    user_data = {column: kwargs.get(
+        column, '') for column in acl_user_columns if kwargs.get(column, '')}
+    if 'block' in kwargs:
+        user_data['block'] = kwargs.get('block')
+    try:
+        acl = ACLManager()
+        return acl.edit_user(uid, user_data)
+    except Exception as e:
+        abort(400, ErrFormat.acl_edit_user_failed.format(str(e)))
+
+
+def get_block_value(value):
+    if value in ['False', 'false', '0', 0]:
+        value = False
+    else:
+        value = True
+
+    return value
+
+
+def get_employee_list_by_direct_supervisor_id(direct_supervisor_id):
+    return Employee.get_by(direct_supervisor_id=direct_supervisor_id)
+
+
+def get_department_list_by_director_id(director_id):
+    return Department.get_by(department_director_id=director_id)
+
+
+def raise_exception(err):
+    raise Exception(err)
+
+
+def check_department_director_id_or_direct_supervisor_id(_id):
+    get_employee_list_by_direct_supervisor_id(
+        _id) and raise_exception(ErrFormat.cannot_block_this_employee_is_other_direct_supervisor)
+    get_department_list_by_director_id(
+        _id) and raise_exception(ErrFormat.cannot_block_this_employee_is_department_manager)
+
+
+class EmployeeCRUD(object):
+    @staticmethod
+    def get_employee_by_id(_id):
+        return Employee.get_by(
+            first=True, to_dict=False, deleted=0, employee_id=_id
+        ) or abort(404, ErrFormat.employee_id_not_found.format(_id))
+
+    @staticmethod
+    def get_employee_by_uid_with_create(_uid):
+        try:
+            return EmployeeCRUD.get_employee_by_uid(_uid).to_dict()
+        except Exception as e:
+            if '不存在' not in str(e):
+                abort(400, str(e))
+
+            try:
+                acl = ACLManager('acl')
+                user_info = acl.get_user_info(_uid)
+                return EmployeeCRUD.check_acl_user_and_create(user_info)
+
+            except Exception as e:
+                abort(400, str(e))
+
+    @staticmethod
+    def get_employee_by_uid(_uid):
+        return Employee.get_by(
+            first=True, to_dict=False, deleted=0, acl_uid=_uid
+        ) or abort(404, ErrFormat.acl_uid_not_found.format(_uid))
+
+    @staticmethod
+    def check_acl_user_and_create(user_info):
+        existed = Employee.get_by(
+            first=True, to_dict=False, username=user_info['username'])
+        if existed:
+            existed.update(
+                acl_uid=user_info['uid'],
+            )
+            return existed.to_dict()
+        if not user_info.get('nickname', None):
+            user_info['nickname'] = user_info['name']
+
+        form = EmployeeAddForm(MultiDict(user_info))
+        data = form.data
+        data['password'] = ''
+        data['acl_uid'] = user_info['uid']
+
+        employee = CreateEmployee().create_single(**data)
+        return employee.to_dict()
+
+    @staticmethod
+    def add_employee_from_acl_created(**kwargs):
+        try:
+            kwargs['acl_uid'] = kwargs.pop('uid')
+            kwargs['acl_rid'] = kwargs.pop('rid')
+            kwargs['department_id'] = 0
+
+            Employee.create(
+                **kwargs
+            )
+        except Exception as e:
+            abort(400, str(e))
+
+    @staticmethod
+    def add(**kwargs):
+        try:
+            res = CreateEmployee().create_single(**kwargs)
+            refresh_employee_acl_info.apply_async(args=(res.employee_id,), queue=ACL_QUEUE)
+            return res
+        except Exception as e:
+            abort(400, str(e))
+
+    @staticmethod
+    def update(_id, **kwargs):
+        EmployeeCRUD.check_email_unique(kwargs['email'], _id)
+
+        existed = EmployeeCRUD.get_employee_by_id(_id)
+
+        try:
+            edit_acl_user(existed.acl_uid, **kwargs)
+
+            for column in employee_pop_columns:
+                kwargs.pop(column, None)
+
+            new_department_id = kwargs.get('department_id', None)
+            e_list = []
+            if new_department_id is not None and new_department_id != existed.department_id:
+                e_list = [dict(
+                    e_acl_rid=existed.acl_rid,
+                    department_id=existed.department_id
+                )]
+
+            existed.update(**kwargs)
+
+            if len(e_list) > 0:
+                edit_employee_department_in_acl.apply_async(
+                    args=(e_list, new_department_id, current_user.uid),
+                    queue=ACL_QUEUE
+                )
+
+            return existed
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def edit_employee_by_uid(_uid, **kwargs):
+        existed = EmployeeCRUD.get_employee_by_uid(_uid)
+        try:
+            edit_acl_user(_uid, **kwargs)
+
+            for column in employee_pop_columns:
+                if kwargs.get(column):
+                    kwargs.pop(column)
+
+            return existed.update(**kwargs)
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def change_password_by_uid(_uid, password):
+        EmployeeCRUD.get_employee_by_uid(_uid)
+        try:
+            edit_acl_user(_uid, password=password)
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def get_all_position():
+        criterion = [
+            Employee.deleted == 0,
+        ]
+        results = Employee.query.with_entities(
+            Employee.position_name
+        ).filter(*criterion).group_by(
+            Employee.position_name
+        ).order_by(
+            func.CONVERT(literal_column('position_name using gbk'))
+        ).all()
+
+        return [item[0] for item in results if (item[0] is not None and item[0] != '')]
+
+    @staticmethod
+    def get_employee_count(block_status):
+        criterion = [
+            Employee.deleted == 0
+        ]
+
+        if block_status >= 0:
+            criterion.append(
+                Employee.block == block_status
+            )
+
+        return Employee.query.filter(
+            *criterion
+        ).count()
+
+    @staticmethod
+    def check_email_unique(email, _id=0):
+        criterion = [
+            Employee.email == email,
+            Employee.deleted == 0,
+        ]
+        if _id > 0:
+            criterion.append(
+                Employee.employee_id != _id
+            )
+        res = Employee.query.filter(
+            *criterion
+        ).all()
+
+        if res:
+            err = ErrFormat.email_already_exists.format(email)
+            raise Exception(err)
+
+    @staticmethod
+    def get_employee_list_by_body(department_id, block_status, search='', order='', conditions=None, page=1,
+                                  page_size=10):
+        criterion = [
+            Employee.deleted == 0
+        ]
+
+        if block_status >= 0:
+            criterion.append(
+                Employee.block == block_status
+            )
+
+        if len(search) > 0:
+            search_key = f"%{search}%"
+            criterion.append(
+                or_(
+                    Employee.email.like(search_key),
+                    Employee.username.like(search_key),
+                    Employee.nickname.like(search_key)
+                )
+            )
+
+        if department_id > 0:
+            from api.lib.common_setting.department import DepartmentCRUD
+            department_id_list = DepartmentCRUD.get_department_id_list_by_root(
+                department_id)
+            criterion.append(
+                Employee.department_id.in_(department_id_list)
+            )
+
+        if conditions:
+            query = EmployeeCRUD.parse_condition_list_to_query(conditions).filter(
+                *criterion
+            )
+        else:
+            query = db.session.query(Employee, Department).outerjoin(Department).filter(
+                *criterion
+            )
+
+        if len(order) > 0:
+            query = EmployeeCRUD.format_query_sort(query, order)
+
+        pagination = query.paginate(page=page, per_page=page_size)
+
+        employees = []
+        for r in pagination.items:
+            d = r.Employee.to_dict()
+            d['department_name'] = r.Department.department_name if r.Department else ''
+            if r.Employee.department_id == 0:
+                d['department_name'] = ErrFormat.company_wide
+            employees.append(d)
+
+        return {
+            'data_list': employees,
+            'page': page,
+            'page_size': page_size,
+            'total': pagination.total,
+        }
+
+    @staticmethod
+    def parse_condition_list_to_query(condition_list):
+        query = db.session.query(Employee, Department).outerjoin(Department)
+
+        query = EmployeeCRUD.get_query_by_conditions(query, condition_list)
+        return query
+
+    @staticmethod
+    def get_expr_by_condition(column, operator, value, relation):
+        """
+        get expr: (and_list, or_list)
+        """
+        attr = EmployeeCRUD.get_attr_by_column(column)
+        # 根据operator生成条件表达式
+        if operator == OperatorType.EQUAL:
+            expr = [attr == value]
+        elif operator == OperatorType.NOT_EQUAL:
+            expr = [attr != value]
+        elif operator == OperatorType.IN:
+            expr = [attr.like('%{}%'.format(value))]
+        elif operator == OperatorType.NOT_IN:
+            expr = [not_(attr.like('%{}%'.format(value)))]
+        elif operator == OperatorType.GREATER_THAN:
+            expr = [attr > value]
+        elif operator == OperatorType.LESS_THAN:
+            expr = [attr < value]
+        elif operator == OperatorType.IS_EMPTY:
+            if value:
+                abort(400, ErrFormat.query_column_none_keep_value_empty.format(column))
+            expr = [attr.is_(None)]
+            if column not in ["last_login"]:
+                expr += [attr == '']
+                expr = [or_(*expr)]
+        elif operator == OperatorType.IS_NOT_EMPTY:
+            if value:
+                abort(400, ErrFormat.query_column_none_keep_value_empty.format(column))
+
+            expr = [attr.isnot(None)]
+            if column not in ["last_login"]:
+                expr += [attr != '']
+                expr = [and_(*expr)]
+        else:
+            abort(400, ErrFormat.not_support_operator.format(operator))
+
+        if relation == "&":
+            return expr, []
+        elif relation == "|":
+            return [], expr
+        else:
+            return abort(400, ErrFormat.not_support_relation.format(relation))
+
+    @staticmethod
+    def check_condition(column, operator, value, relation):
+        if column is None or operator is None or relation is None:
+            return abort(400, ErrFormat.conditions_field_missing)
+
+        if value and column == "last_login":
+            try:
+                return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
+            except Exception as e:
+                err = f"{ErrFormat.datetime_format_error.format(column)}: {str(e)}"
+                abort(400, err)
+        return value
+
+    @staticmethod
+    def get_attr_by_column(column):
+        if 'department' in column:
+            attr = Department.__dict__[column]
+        else:
+            attr = Employee.__dict__[column]
+        return attr
+
+    @staticmethod
+    def get_query_by_conditions(query, conditions):
+        and_list = []
+        or_list = []
+
+        for condition in conditions:
+            operator = condition.get("operator", None)
+            column = condition.get("column", None)
+            relation = condition.get("relation", None)
+            value = condition.get("value", None)
+
+            value = EmployeeCRUD.check_condition(column, operator, value, relation)
+            a, o = EmployeeCRUD.get_expr_by_condition(
+                column, operator, value, relation)
+            and_list += a
+            or_list += o
+
+        query = query.filter(
+            Employee.deleted == 0,
+            or_(and_(*and_list), *or_list)
+        )
+
+        return query
+
+    @staticmethod
+    def get_employee_list_by(department_id, block_status, search='', order='', page=1, page_size=10):
+        criterion = [
+            Employee.deleted == 0
+        ]
+
+        if block_status >= 0:
+            criterion.append(
+                Employee.block == block_status
+            )
+
+        if len(search) > 0:
+            search_key = f"%{search}%"
+            criterion.append(
+                or_(
+                    Employee.email.like(search_key),
+                    Employee.username.like(search_key),
+                    Employee.nickname.like(search_key)
+                )
+            )
+
+        if department_id > 0:
+            from api.lib.common_setting.department import DepartmentCRUD
+            department_id_list = DepartmentCRUD.get_department_id_list_by_root(
+                department_id)
+            criterion.append(
+                Employee.department_id.in_(department_id_list)
+            )
+
+        query = db.session.query(Employee, Department).outerjoin(Department).filter(
+            *criterion
+        )
+
+        if len(order) > 0:
+            query = EmployeeCRUD.format_query_sort(query, order)
+
+        pagination = query.paginate(page=page, per_page=page_size)
+        employees = []
+        for r in pagination.items:
+            d = r.Employee.to_dict()
+            d['department_name'] = r.Department.department_name if r.Department else ''
+            employees.append(d)
+
+        return {
+            'data_list': employees,
+            'page': page,
+            'page_size': page_size,
+            'total': pagination.total,
+        }
+
+    @staticmethod
+    def format_query_sort(query, order):
+        order_list = order.split(',')
+        all_columns = Employee.get_columns()
+
+        for order_column in order_list:
+            if order_column.startswith('-'):
+                target_column = order_column[1:]
+                if target_column not in all_columns:
+                    continue
+                query = query.order_by(getattr(Employee, target_column).desc())
+            else:
+                if order_column not in all_columns:
+                    continue
+
+                query = query.order_by(getattr(Employee, order_column).asc())
+
+        return query
+
+    @staticmethod
+    def get_employees_by_department_id(department_id, block):
+        criterion = [
+            Employee.deleted == 0,
+            Employee.block == block,
+        ]
+        if isinstance(department_id, list):
+            if len(department_id) == 0:
+                return []
+            else:
+                criterion.append(
+                    Employee.department_id.in_(department_id)
+                )
+        else:
+            criterion.append(
+                Employee.department_id == department_id
+            )
+
+        results = Employee.query.filter(
+            *criterion
+        ).all()
+
+        return [r.to_dict() for r in results]
+
+    @staticmethod
+    def remove_bind_notice_by_uid(_platform, _uid):
+        existed = EmployeeCRUD.get_employee_by_uid(_uid)
+        employee_data = existed.to_dict()
+
+        notice_info = employee_data.get('notice_info', {})
+        notice_info = copy.deepcopy(notice_info) if notice_info else {}
+
+        notice_info[_platform] = ''
+
+        existed.update(
+            notice_info=notice_info
+        )
+        return ErrFormat.notice_remove_bind_success
+
+    @staticmethod
+    def bind_notice_by_uid(_platform, _uid):
+        existed = EmployeeCRUD.get_employee_by_uid(_uid)
+        mobile = existed.mobile
+        if not mobile or len(mobile) == 0:
+            abort(400, ErrFormat.notice_bind_err_with_empty_mobile)
+
+        from api.lib.common_setting.notice_config import NoticeConfigCRUD
+        messenger = NoticeConfigCRUD.get_messenger_url()
+        if not messenger or len(messenger) == 0:
+            abort(400, ErrFormat.notice_please_config_messenger_first)
+
+        url = f"{messenger}/v1/uid/getbyphone"
+        try:
+            payload = dict(
+                phone=mobile,
+                sender=_platform
+            )
+            res = requests.post(url, json=payload)
+            result = res.json()
+            if res.status_code != 200:
+                raise Exception(result.get('msg', ''))
+            target_id = result.get('uid', '')
+
+            employee_data = existed.to_dict()
+
+            notice_info = employee_data.get('notice_info', {})
+            notice_info = copy.deepcopy(notice_info) if notice_info else {}
+
+            notice_info[_platform] = '' if not target_id else target_id
+
+            existed.update(
+                notice_info=notice_info
+            )
+            return ErrFormat.notice_bind_success
+
+        except Exception as e:
+            return abort(400, ErrFormat.notice_bind_failed.format(str(e)))
+
+    @staticmethod
+    def get_employee_notice_by_ids(employee_ids):
+        criterion = [
+            Employee.employee_id.in_(employee_ids),
+            Employee.deleted == 0,
+        ]
+        direct_columns = ['email', 'mobile']
+        employees = Employee.query.filter(
+            *criterion
+        ).all()
+        results = []
+        for employee in employees:
+            d = employee.to_dict()
+            tmp = dict(
+                employee_id=employee.employee_id,
+            )
+            for column in direct_columns:
+                tmp[column] = d.get(column, '')
+            notice_info = d.get('notice_info', {})
+            notice_info = copy.deepcopy(notice_info) if notice_info else {}
+            tmp.update(**notice_info)
+            results.append(tmp)
+        return results
+
+    @staticmethod
+    def import_employee(employee_list):
+        res = CreateEmployee().batch_create(employee_list)
+        return res
+
+    @staticmethod
+    def batch_edit_employee_department(employee_id_list, column_value):
+        err_list = []
+        employee_list = []
+        for _id in employee_id_list:
+            try:
+                existed = EmployeeCRUD.get_employee_by_id(_id)
+                employee = dict(
+                    e_acl_rid=existed.acl_rid,
+                    department_id=existed.department_id
+                )
+                employee_list.append(employee)
+                existed.update(department_id=column_value)
+
+            except Exception as e:
+                err_list.append({
+                    'employee_id': _id,
+                    'err': str(e),
+                })
+        from api.lib.common_setting.department import EditDepartmentInACL
+        EditDepartmentInACL.edit_employee_department_in_acl(
+            employee_list, column_value, current_user.uid
+        )
+        return err_list
+
+    @staticmethod
+    def batch_edit_password_or_block_column(column_name, employee_id_list, column_value, is_acl=False):
+        if column_name == 'block':
+            err_list = []
+            success_list = []
+            for _id in employee_id_list:
+                try:
+                    employee = EmployeeCRUD.edit_employee_block_column(
+                        _id, is_acl, **{column_name: column_value})
+                    success_list.append(employee)
+                except Exception as e:
+                    err_list.append({
+                        'employee_id': _id,
+                        'err': str(e),
+                    })
+            return err_list
+        else:
+            return EmployeeCRUD.batch_edit_column(column_name, employee_id_list, column_value, is_acl)
+
+    @staticmethod
+    def batch_edit_column(column_name, employee_id_list, column_value, is_acl=False):
+        err_list = []
+        for _id in employee_id_list:
+            try:
+                EmployeeCRUD.edit_employee_single_column(
+                    _id, is_acl, **{column_name: column_value})
+            except Exception as e:
+                err_list.append({
+                    'employee_id': _id,
+                    'err': str(e),
+                })
+
+        return err_list
+
+    @staticmethod
+    def edit_employee_single_column(_id, is_acl=False, **kwargs):
+        existed = EmployeeCRUD.get_employee_by_id(_id)
+        if 'direct_supervisor_id' in kwargs.keys():
+            if kwargs['direct_supervisor_id'] == existed.direct_supervisor_id:
+                raise Exception(ErrFormat.direct_supervisor_is_not_self)
+
+        if is_acl:
+            return edit_acl_user(existed.acl_uid, **kwargs)
+
+        try:
+            for column in employee_pop_columns:
+                if kwargs.get(column):
+                    kwargs.pop(column)
+
+            return existed.update(**kwargs)
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def edit_employee_block_column(_id, is_acl=False, **kwargs):
+        existed = EmployeeCRUD.get_employee_by_id(_id)
+        value = get_block_value(kwargs.get('block'))
+        if value is True:
+            check_department_director_id_or_direct_supervisor_id(_id)
+            value = 1
+        else:
+            value = 0
+
+        if is_acl:
+            kwargs['block'] = value
+            edit_acl_user(existed.acl_uid, **kwargs)
+
+        existed.update(block=value)
+        data = existed.to_dict()
+        return data
+
+    @staticmethod
+    def batch_employee(column_name, column_value, employee_id_list):
+        if column_value is None:
+            abort(400, ErrFormat.value_is_required)
+        if column_name in ['password', 'block']:
+            return EmployeeCRUD.batch_edit_password_or_block_column(column_name, employee_id_list, column_value, True)
+
+        elif column_name in ['department_id']:
+            return EmployeeCRUD.batch_edit_employee_department(employee_id_list, column_value)
+
+        elif column_name in [
+            'direct_supervisor_id', 'position_name'
+        ]:
+            return EmployeeCRUD.batch_edit_column(column_name, employee_id_list, column_value, False)
+
+        else:
+            abort(400, ErrFormat.column_name_not_support)
+
+    @staticmethod
+    def update_last_login_by_uid(uid, last_login=None):
+        employee = Employee.get_by(acl_uid=uid, first=True, to_dict=False)
+        if not employee:
+            return
+        if last_login:
+            try:
+                last_login = datetime.strptime(last_login, '%Y-%m-%d %H:%M:%S')
+            except Exception as e:
+                current_app.logger.error(f"strptime {last_login} err: {e}")
+                last_login = datetime.now()
+        else:
+            last_login = datetime.now()
+
+        try:
+            employee.update(
+                last_login=last_login
+            )
+            return last_login
+        except Exception as e:
+            current_app.logger.error(f"update last_login err: {e}")
+            return
+
+
+def get_user_map(key='uid', acl=None):
+    """
+    {
+        uid: userinfo
+    }
+    """
+    if acl is None:
+        acl = ACLManager()
+    data = {user[key]: user for user in acl.get_all_users()}
+
+    return data
+
+
+def format_params(params):
+    for k in ['_key', '_secret']:
+        params.pop(k, None)
+    return params
+
+
+class CreateEmployee(object):
+    def __init__(self):
+        self.acl = ACLManager()
+        self.all_acl_users = self.acl.get_all_users()
+
+    def check_acl_user(self, user_data):
+        target_email = list(filter(lambda x: x['email'] == user_data['email'], self.all_acl_users))
+        if target_email:
+            return target_email[0]
+
+        target_username = list(filter(lambda x: x['username'] == user_data['username'], self.all_acl_users))
+        if target_username:
+            return target_username[0]
+
+    def add_acl_user(self, **kwargs):
+        user_data = {column: kwargs.get(
+            column, '') for column in acl_user_columns if kwargs.get(column, '')}
+        try:
+            existed = self.check_acl_user(user_data)
+            if not existed:
+                user_data['add_from'] = 'common'
+                return self.acl.create_user(user_data)
+            return existed
+        except Exception as e:
+            abort(400, ErrFormat.acl_add_user_failed.format(str(e)))
+
+    def create_single(self, **kwargs):
+        EmployeeCRUD.check_email_unique(kwargs['email'])
+        user = self.add_acl_user(**kwargs)
+        kwargs['acl_uid'] = user['uid']
+        kwargs['last_login'] = user['last_login']
+
+        for column in employee_pop_columns:
+            kwargs.pop(column)
+
+        return Employee.create(
+            **kwargs
+        )
+
+    def create_single_with_import(self, **kwargs):
+        user = self.add_acl_user(**kwargs)
+        kwargs['acl_uid'] = user['uid']
+        kwargs['last_login'] = user['last_login']
+
+        for column in employee_pop_columns:
+            kwargs.pop(column)
+
+        existed = Employee.get_by(
+            first=True, to_dict=False, deleted=0, acl_uid=user['uid']
+        )
+        if existed:
+            return existed
+
+        res = Employee.create(
+            **kwargs
+        )
+        refresh_employee_acl_info.apply_async(args=(res.employee_id,), queue=ACL_QUEUE)
+        return res
+
+    @staticmethod
+    def get_department_by_name(d_name):
+        return Department.get_by(first=True, department_name=d_name)
+
+    def get_end_department_id(self, department_name_list, department_name_map):
+        parent_id = 0
+
+        end_d_id = 0
+        for d_name in department_name_list:
+            tmp_d = self.get_department_by_name(d_name)
+            if not tmp_d:
+                tmp_d = Department.create(
+                    department_name=d_name, department_parent_id=parent_id).to_dict()
+            else:
+                if tmp_d['department_parent_id'] != parent_id:
+                    department_name_map[d_name] = tmp_d
+                    raise Exception(ErrFormat.department_level_relation_error)
+
+            department_name_map[d_name] = tmp_d
+
+            end_d_id = tmp_d['department_id']
+            parent_id = tmp_d['department_id']
+
+        return end_d_id
+
+    def format_department_id(self, employee):
+        department_name_map = {}
+        try:
+            department_name = employee.get('department_name', '')
+            if len(department_name) == 0:
+                return employee
+            department_name_list = department_name.split('/')
+            employee['department_id'] = self.get_end_department_id(
+                department_name_list, department_name_map)
+
+        except Exception as e:
+            employee['err'] = str(e)
+
+        return employee
+
+    def batch_create(self, employee_list):
+        err_list = []
+
+        for employee in employee_list:
+            try:
+                username = employee.get('username', None)
+                if username is None:
+                    employee['username'] = employee['email']
+
+                employee = self.format_department_id(employee)
+                err = employee.get('err', None)
+                if err:
+                    raise Exception(err)
+
+                params = format_params(employee)
+                form = EmployeeAddForm(MultiDict(params))
+                if not form.validate():
+                    raise Exception(
+                        ','.join(['{}: {}'.format(filed, ','.join(msg)) for filed, msg in form.errors.items()]))
+
+                self.create_single_with_import(**form.data)
+            except Exception as e:
+                err_list.append({
+                    'email': employee.get('email', ''),
+                    'nickname': employee.get('nickname', ''),
+                    'err': str(e),
+                })
+                traceback.print_exc()
+
+        return err_list
+
+
+class EmployeeAddForm(Form):
+    username = StringField(validators=[
+        validators.DataRequired(message=ErrFormat.username_is_required),
+        validators.Length(max=255),
+    ])
+    email = StringField(validators=[
+        validators.DataRequired(message=ErrFormat.email_is_required),
+        validators.Email(message=ErrFormat.email_format_error),
+        validators.Length(max=255),
+    ])
+    password = StringField(validators=[
+        validators.Length(max=255),
+    ])
+    position_name = StringField(validators=[])
+
+    nickname = StringField(validators=[
+        validators.DataRequired(message=ErrFormat.nickname_is_required),
+        validators.Length(max=255),
+    ])
+    sex = StringField(validators=[])
+    mobile = StringField(validators=[])
+    department_id = IntegerField(validators=[], default=0)
+    direct_supervisor_id = IntegerField(validators=[], default=0)
+
+
+class EmployeeUpdateByUidForm(Form):
+    nickname = StringField(validators=[
+        validators.DataRequired(message=ErrFormat.nickname_is_required),
+        validators.Length(max=255),
+    ])
+    avatar = StringField(validators=[])
+    sex = StringField(validators=[])
+    mobile = StringField(validators=[])
+
+
+class GrantEmployeeACLPerm(object):
+    """
+    Grant ACL Permission After Create New Employee
+    """
+
+    def __init__(self, acl=None):
+        self.perms_by_create_resources_type = ['read', 'grant', 'delete', 'update']
+        self.perms_by_common_grant = ['read']
+        self.resource_name_list = ['公司信息', '公司架构', '通知设置']
+
+        self.acl = acl if acl else self.check_app('backend')
+        self.resources_types = self.acl.get_all_resources_types()
+        self.resources_type = self.get_resources_type()
+        self.resource_list = self.acl.get_resource_by_type(None, None, self.resources_type['id'])
+
+    @staticmethod
+    def check_app(app_name):
+        acl = ACLManager(app_name)
+        payload = dict(
+            name=app_name,
+            description=app_name
+        )
+        app = acl.validate_app()
+        if not app:
+            acl.create_app(payload)
+        return acl
+
+    def get_resources_type(self):
+        results = list(filter(lambda t: t['name'] == '操作权限', self.resources_types['groups']))
+        if len(results) == 0:
+            payload = dict(
+                app_id=self.acl.app_name,
+                name='操作权限',
+                description='',
+                perms=self.perms_by_create_resources_type
+            )
+            resource_type = self.acl.create_resources_type(payload)
+        else:
+            resource_type = results[0]
+            resource_type_id = resource_type['id']
+            existed_perms = self.resources_types.get('id2perms', {}).get(resource_type_id, [])
+            existed_perms = [p['name'] for p in existed_perms]
+            new_perms = []
+            for perm in self.perms_by_create_resources_type:
+                if perm not in existed_perms:
+                    new_perms.append(perm)
+            if len(new_perms) > 0:
+                resource_type['perms'] = existed_perms + new_perms
+                self.acl.update_resources_type(resource_type_id, resource_type)
+
+        return resource_type
+
+    def grant(self, rid_list):
+        [self.grant_by_rid(rid) for rid in rid_list if rid > 0]
+
+    def grant_by_rid(self, rid, is_admin=False):
+        for name in self.resource_name_list:
+            resource = list(filter(lambda r: r['name'] == name, self.resource_list))
+            if len(resource) == 0:
+                payload = dict(
+                    type_id=self.resources_type['id'],
+                    app_id=self.acl.app_name,
+                    name=name,
+                )
+                resource = self.acl.create_resource(payload)
+            else:
+                resource = resource[0]
+
+            perms = self.perms_by_create_resources_type if is_admin else self.perms_by_common_grant
+            self.acl.grant_resource(rid, resource['id'], perms)

cmdb-api/api/lib/common_setting/notice_config.py

@@ -0,0 +1,165 @@
+import requests
+
+from api.lib.common_setting.const import BotNameMap
+from api.lib.common_setting.resp_format import ErrFormat
+from api.models.common_setting import NoticeConfig
+from wtforms import Form
+from wtforms import StringField
+from wtforms import validators
+from flask import abort, current_app
+
+
+class NoticeConfigCRUD(object):
+
+    @staticmethod
+    def add_notice_config(**kwargs):
+        platform = kwargs.get('platform')
+        NoticeConfigCRUD.check_platform(platform)
+        info = kwargs.get('info', {})
+        if 'name' not in info:
+            info['name'] = platform
+        kwargs['info'] = info
+        try:
+            NoticeConfigCRUD.update_messenger_config(**info)
+            res = NoticeConfig.create(
+                **kwargs
+            )
+            return res
+
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def check_platform(platform):
+        NoticeConfig.get_by(first=True, to_dict=False, platform=platform) and \
+        abort(400, ErrFormat.notice_platform_existed.format(platform))
+
+    @staticmethod
+    def edit_notice_config(_id, **kwargs):
+        existed = NoticeConfigCRUD.get_notice_config_by_id(_id)
+        try:
+            info = kwargs.get('info', {})
+            if 'name' not in info:
+                info['name'] = existed.platform
+            kwargs['info'] = info
+            NoticeConfigCRUD.update_messenger_config(**info)
+
+            res = existed.update(**kwargs)
+            return res
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def get_messenger_url():
+        from api.lib.common_setting.company_info import CompanyInfoCache
+        com_info = CompanyInfoCache.get()
+        if not com_info:
+            return
+        messenger = com_info.get('messenger', '')
+        if len(messenger) == 0:
+            return
+        if messenger[-1] == '/':
+            messenger = messenger[:-1]
+        return messenger
+
+    @staticmethod
+    def update_messenger_config(**kwargs):
+        try:
+            messenger = NoticeConfigCRUD.get_messenger_url()
+            if not messenger or len(messenger) == 0:
+                raise Exception(ErrFormat.notice_please_config_messenger_first)
+
+            url = f"{messenger}/v1/senders"
+            name = kwargs.get('name')
+            bot_list = kwargs.pop('bot', None)
+            for k, v in kwargs.items():
+                if isinstance(v, bool):
+                    kwargs[k] = 'true' if v else 'false'
+                else:
+                    kwargs[k] = str(v)
+
+            payload = {name: [kwargs]}
+            current_app.logger.info(f"update_messenger_config: {url}, {payload}")
+            res = requests.put(url, json=payload, timeout=2)
+            current_app.logger.info(f"update_messenger_config: {res.status_code}, {res.text}")
+
+            if not bot_list or len(bot_list) == 0:
+                return
+            bot_name = BotNameMap.get(name)
+            payload = {bot_name: bot_list}
+            current_app.logger.info(f"update_messenger_config: {url}, {payload}")
+            bot_res = requests.put(url, json=payload, timeout=2)
+            current_app.logger.info(f"update_messenger_config: {bot_res.status_code}, {bot_res.text}")
+
+        except Exception as e:
+            return abort(400, str(e))
+
+    @staticmethod
+    def get_notice_config_by_id(_id):
+        return NoticeConfig.get_by(first=True, to_dict=False, id=_id) or \
+            abort(400,
+                  ErrFormat.notice_not_existed.format(_id))
+
+    @staticmethod
+    def get_all():
+        return NoticeConfig.get_by(to_dict=True)
+
+    @staticmethod
+    def test_send_email(receive_address, **kwargs):
+        messenger = NoticeConfigCRUD.get_messenger_url()
+        if not messenger or len(messenger) == 0:
+            abort(400, ErrFormat.notice_please_config_messenger_first)
+        url = f"{messenger}/v1/message"
+
+        recipient_email = receive_address
+
+        subject = 'Test Email'
+        body = 'This is a test email'
+        payload = {
+            "sender": 'email',
+            "msgtype": "text/plain",
+            "title": subject,
+            "content": body,
+            "tos": [recipient_email],
+        }
+        current_app.logger.info(f"test_send_email: {url}, {payload}")
+        response = requests.post(url, json=payload)
+        if response.status_code != 200:
+            abort(400, response.text)
+
+        return 1
+
+    @staticmethod
+    def get_app_bot():
+        result = []
+        for notice_app in NoticeConfig.get_by(to_dict=False):
+            if notice_app.platform in ['email']:
+                continue
+            info = notice_app.info
+            name = info.get('name', '')
+            if name not in BotNameMap:
+                continue
+            result.append(dict(
+                name=info.get('name', ''),
+                label=info.get('label', ''),
+                bot=info.get('bot', []),
+            ))
+        return result
+
+
+class NoticeConfigForm(Form):
+    platform = StringField(validators=[
+        validators.DataRequired(message="平台 不能为空"),
+        validators.Length(max=255),
+    ])
+    info = StringField(validators=[
+        validators.DataRequired(message="信息 不能为空"),
+        validators.Length(max=255),
+    ])
+
+
+class NoticeConfigUpdateForm(Form):
+    info = StringField(validators=[
+        validators.DataRequired(message="信息 不能为空"),
+        validators.Length(max=255),
+    ])

cmdb-api/api/lib/common_setting/resp_format.py

@@ -0,0 +1,84 @@
+# -*- coding:utf-8 -*-
+from flask_babel import lazy_gettext as _l
+
+from api.lib.resp_format import CommonErrFormat
+
+
+class ErrFormat(CommonErrFormat):
+    company_info_is_already_existed = _l("Company info already existed")  # 公司信息已存在！无法创建
+
+    no_file_part = _l("No file part")  # 没有文件部分
+    file_is_required = _l("File is required")  # 文件是必须的
+    file_not_found = _l("File not found")  # 文件不存在
+    file_type_not_allowed = _l("File type not allowed")  # 文件类型不允许
+    upload_failed = _l("Upload failed: {}")  # 上传失败: {}
+
+    direct_supervisor_is_not_self = _l("Direct supervisor is not self")  # 直属上级不能是自己
+    parent_department_is_not_self = _l("Parent department is not self")  # 上级部门不能是自己
+    employee_list_is_empty = _l("Employee list is empty")  # 员工列表为空
+
+    column_name_not_support = _l("Column name not support")  # 不支持的列名
+    password_is_required = _l("Password is required")  # 密码是必须的
+    employee_acl_rid_is_zero = _l("Employee acl rid is zero")  # 员工ACL角色ID不能为0
+
+    generate_excel_failed = _l("Generate excel failed: {}")  # 生成excel失败: {}
+    rename_columns_failed = _l("Rename columns failed: {}")  # 重命名字段失败: {}
+    cannot_block_this_employee_is_other_direct_supervisor = _l(
+        "Cannot block this employee is other direct supervisor")  # 该员工是其他员工的直属上级, 不能禁用
+    cannot_block_this_employee_is_department_manager = _l(
+        "Cannot block this employee is department manager")  # 该员工是部门负责人, 不能禁用
+    employee_id_not_found = _l("Employee id [{}] not found")  # 员工ID [{}] 不存在
+    value_is_required = _l("Value is required")  # 值是必须的
+    email_already_exists = _l("Email already exists")  # 邮箱已存在
+    query_column_none_keep_value_empty = _l("Query {} none keep value empty")  # 查询 {} 空值时请保持value为空"
+    not_support_operator = _l("Not support operator: {}")  # 不支持的操作符: {}
+    not_support_relation = _l("Not support relation: {}")  # 不支持的关系: {}
+    conditions_field_missing = _l("Conditions field missing")  # conditions内元素字段缺失，请检查！
+    datetime_format_error = _l("Datetime format error: {}")  # {} 格式错误，应该为：%Y-%m-%d %H:%M:%S
+    department_level_relation_error = _l("Department level relation error")  # 部门层级关系不正确
+    delete_reserved_department_name = _l("Delete reserved department name")  # 保留部门，无法删除！
+    department_id_is_required = _l("Department id is required")  # 部门ID是必须的
+    department_list_is_required = _l("Department list is required")  # 部门列表是必须的
+    cannot_to_be_parent_department = _l("{} Cannot to be parent department")  # 不能设置为上级部门
+    department_id_not_found = _l("Department id [{}] not found")  # 部门ID [{}] 不存在
+    parent_department_id_must_more_than_zero = _l("Parent department id must more than zero")  # 上级部门ID必须大于0
+    department_name_already_exists = _l("Department name [{}] already exists")  # 部门名称 [{}] 已存在
+    new_department_is_none = _l("New department is none")  # 新部门是空的
+
+    acl_edit_user_failed = _l("ACL edit user failed: {}")  # ACL 修改用户失败: {}
+    acl_uid_not_found = _l("ACL uid not found: {}")  # ACL 用户UID [{}] 不存在
+    acl_add_user_failed = _l("ACL add user failed: {}")  # ACL 添加用户失败: {}
+    acl_add_role_failed = _l("ACL add role failed: {}")  # ACL 添加角色失败: {}
+    acl_update_role_failed = _l("ACL update role failed: {}")  # ACL 更新角色失败: {}
+    acl_get_all_users_failed = _l("ACL get all users failed: {}")  # ACL 获取所有用户失败: {}
+    acl_remove_user_from_role_failed = _l("ACL remove user from role failed: {}")  # ACL 从角色中移除用户失败: {}
+    acl_add_user_to_role_failed = _l("ACL add user to role failed: {}")  # ACL 添加用户到角色失败: {}
+    acl_import_user_failed = _l("ACL import user failed: {}")  # ACL 导入用户失败: {}
+
+    nickname_is_required = _l("Nickname is required")  # 昵称不能为空
+    username_is_required = _l("Username is required")  # 用户名不能为空
+    email_is_required = _l("Email is required")  # 邮箱不能为空
+    email_format_error = _l("Email format error")  # 邮箱格式错误
+    email_send_timeout = _l("Email send timeout")  # 邮件发送超时
+
+    common_data_not_found = _l("Common data not found {} ")  # ID {} 找不到记录
+    common_data_already_existed = _l("Common data {} already existed")  # {} 已存在
+    notice_platform_existed = _l("Notice platform {} existed")  # {} 已存在
+    notice_not_existed = _l("Notice {} not existed")  # {} 配置项不存在
+    notice_please_config_messenger_first = _l("Notice please config messenger first")  # 请先配置messenger URL
+    notice_bind_err_with_empty_mobile = _l("Notice bind err with empty mobile")  # 绑定错误，手机号为空
+    notice_bind_failed = _l("Notice bind failed: {}")  # 绑定失败: {}
+    notice_bind_success = _l("Notice bind success")  # 绑定成功
+    notice_remove_bind_success = _l("Notice remove bind success")  # 解绑成功
+
+    not_support_test = _l("Not support test type: {}")  # 不支持的测试类型: {}
+    not_support_auth_type = _l("Not support auth type: {}")  # 不支持的认证类型: {}
+    ldap_server_connect_timeout = _l("LDAP server connect timeout")  # LDAP服务器连接超时
+    ldap_server_connect_not_available = _l("LDAP server connect not available")  # LDAP服务器连接不可用
+    ldap_test_unknown_error = _l("LDAP test unknown error: {}")  # LDAP测试未知错误: {}
+    common_data_not_support_auth_type = _l("Common data not support auth type: {}")  # 通用数据不支持auth类型: {}
+    ldap_test_username_required = _l("LDAP test username required")  # LDAP测试用户名必填
+
+    company_wide = _l("Company wide")  # 全公司
+
+    resource_no_permission = _l("No permission to access resource {}, perm {} ")  # 没有权限访问 {} 资源的 {} 权限"

cmdb-api/api/lib/common_setting/role_perm_base.py

@@ -0,0 +1,68 @@
+class OperationPermission(object):
+
+    def __init__(self, resource_perms):
+        for _r in resource_perms:
+            setattr(self, _r['page'], _r['page'])
+            for _p in _r['perms']:
+                setattr(self, _p, _p)
+
+
+class BaseApp(object):
+    resource_type_name = 'OperationPermission'
+    all_resource_perms = []
+
+    def __init__(self):
+        self.admin_name = None
+        self.roles = []
+        self.app_name = 'acl'
+        self.require_create_resource_type = self.resource_type_name
+        self.extra_create_resource_type_list = []
+
+        self.op = None
+
+    @staticmethod
+    def format_role(role_name, role_type, acl_rid, resource_perms, description=''):
+        return dict(
+            role_name=role_name,
+            role_type=role_type,
+            acl_rid=acl_rid,
+            description=description,
+            resource_perms=resource_perms,
+        )
+
+
+class CMDBApp(BaseApp):
+    all_resource_perms = [
+        {"page": "Big_Screen", "page_cn": "大屏", "perms": ["read"]},
+        {"page": "Dashboard", "page_cn": "仪表盘", "perms": ["read"]},
+        {"page": "Resource_Search", "page_cn": "资源搜索", "perms": ["read"]},
+        {"page": "Auto_Discovery_Pool", "page_cn": "自动发现池", "perms": ["read"]},
+        {"page": "My_Subscriptions", "page_cn": "我的订阅", "perms": ["read"]},
+        {"page": "Bulk_Import", "page_cn": "批量导入", "perms": ["read"]},
+        {"page": "Model_Configuration", "page_cn": "模型配置",
+         "perms": ["read", "create_CIType", "create_CIType_group", "update_CIType_group",
+                   "delete_CIType_group", "download_CIType"]},
+        {"page": "Backend_Management", "page_cn": "后台管理", "perms": ["read"]},
+        {"page": "Customized_Dashboard", "page_cn": "定制仪表盘", "perms": ["read"]},
+        {"page": "Service_Tree_Definition", "page_cn": "服务树定义", "perms": ["read"]},
+        {"page": "Model_Relationships", "page_cn": "模型关系", "perms": ["read"]},
+        {"page": "Operation_Audit", "page_cn": "操作审计", "perms": ["read"]},
+        {"page": "Relationship_Types", "page_cn": "关系类型", "perms": ["read"]},
+        {"page": "Auto_Discovery", "page_cn": "自动发现",
+         "perms": ["read", "create_plugin", "update_plugin", "delete_plugin"]
+        },
+        {"page": "TopologyView", "page_cn": "拓扑视图",
+         "perms": ["read", "create_topology_group", "update_topology_group", "delete_topology_group",
+                   "create_topology_view"],
+         },
+        {"page": "IPAM", "page_cn": "IPAM", "perms": ["read"]},
+        {"page": "DCIM", "page_cn": "数据中心", "perms": ["read"]},
+    ]
+
+    def __init__(self):
+        super().__init__()
+
+        self.admin_name = 'cmdb_admin'
+        self.app_name = 'cmdb'
+
+        self.op = OperationPermission(self.all_resource_perms)

cmdb-api/api/lib/common_setting/upload_file.py

@@ -0,0 +1,94 @@
+import base64
+import uuid
+import os
+from io import BytesIO
+
+from flask import abort, current_app
+import lz4.frame
+
+from api.lib.common_setting.utils import get_cur_time_str
+from api.models.common_setting import CommonFile
+from api.lib.common_setting.resp_format import ErrFormat
+
+
+def allowed_file(filename, allowed_extensions):
+    return '.' in filename and filename.rsplit('.', 1)[1].lower() in allowed_extensions
+
+
+def generate_new_file_name(name):
+    ext = name.split('.')[-1]
+    prev_name = ''.join(name.split(f".{ext}")[:-1])
+    uid = str(uuid.uuid4())
+    cur_str = get_cur_time_str('_')
+
+    return f"{prev_name}_{cur_str}_{uid}.{ext}"
+
+
+class CommonFileCRUD:
+    @staticmethod
+    def add_file(**kwargs):
+        return CommonFile.create(**kwargs)
+
+    @staticmethod
+    def get_file(file_name, to_str=False):
+        existed = CommonFile.get_by(file_name=file_name, first=True, to_dict=False)
+        if not existed:
+            abort(400, ErrFormat.file_not_found)
+
+        uncompressed_data = lz4.frame.decompress(existed.binary)
+
+        return base64.b64encode(uncompressed_data).decode('utf-8') if to_str else BytesIO(uncompressed_data)
+
+    @staticmethod
+    def sync_file_to_db():
+        for p in ['UPLOAD_DIRECTORY_FULL']:
+            upload_path = current_app.config.get(p, None)
+            if not upload_path:
+                continue
+            for root, dirs, files in os.walk(upload_path):
+                for file in files:
+                    file_path = os.path.join(root, file)
+                    if not os.path.isfile(file_path):
+                        continue
+
+                    existed = CommonFile.get_by(file_name=file, first=True, to_dict=False)
+                    if existed:
+                        continue
+                    with open(file_path, 'rb') as f:
+                        data = f.read()
+                    compressed_data = lz4.frame.compress(data)
+                    try:
+                        CommonFileCRUD.add_file(
+                            origin_name=file,
+                            file_name=file,
+                            binary=compressed_data
+                        )
+
+                        current_app.logger.info(f'sync file {file} to db')
+                    except Exception as e:
+                        current_app.logger.error(f'sync file {file} to db error: {e}')
+
+    def get_file_binary_str(self, file_name):
+        return self.get_file(file_name, True)
+
+    def save_str_to_file(self, file_name, str_data):
+        try:
+            self.get_file(file_name)
+            current_app.logger.info(f'file {file_name} already exists')
+            return
+        except Exception as e:
+            # file not found
+            pass
+
+        bytes_data = base64.b64decode(str_data)
+        compressed_data = lz4.frame.compress(bytes_data)
+
+        try:
+            self.add_file(
+                origin_name=file_name,
+                file_name=file_name,
+                binary=compressed_data
+            )
+            current_app.logger.info(f'save_str_to_file {file_name} success')
+        except Exception as e:
+            current_app.logger.error(f"save_str_to_file error: {e}")

cmdb-api/api/lib/common_setting/utils.py

@@ -0,0 +1,142 @@
+# -*- coding:utf-8 -*-
+from datetime import datetime
+from flask import current_app
+from sqlalchemy import inspect, text
+from sqlalchemy.dialects.mysql import ENUM
+
+from api.extensions import db
+
+
+def get_cur_time_str(split_flag='-'):
+    f = f"%Y{split_flag}%m{split_flag}%d{split_flag}%H{split_flag}%M{split_flag}%S{split_flag}%f"
+    return datetime.now().strftime(f)[:-3]
+
+
+class BaseEnum(object):
+    _ALL_ = set()
+
+    @classmethod
+    def is_valid(cls, item):
+        return item in cls.all()
+
+    @classmethod
+    def all(cls):
+        if not cls._ALL_:
+            cls._ALL_ = {
+                getattr(cls, attr)
+                for attr in dir(cls)
+                if not attr.startswith("_") and not callable(getattr(cls, attr))
+            }
+        return cls._ALL_
+
+
+class CheckNewColumn(object):
+
+    def __init__(self):
+        self.engine = db.get_engine()
+        self.inspector = inspect(self.engine)
+        self.table_names = self.inspector.get_table_names()
+
+    @staticmethod
+    def get_model_by_table_name(_table_name):
+        registry = getattr(db.Model, 'registry', None)
+        class_registry = getattr(registry, '_class_registry', None)
+        for _model in class_registry.values():
+            if hasattr(_model, '__tablename__') and _model.__tablename__ == _table_name:
+                return _model
+        return None
+
+    def run(self):
+        for table_name in self.table_names:
+            self.check_by_table(table_name)
+
+    def check_by_table(self, table_name):
+        existed_columns = self.inspector.get_columns(table_name)
+        enum_columns = []
+        existed_column_name_list = []
+        for c in existed_columns:
+            if isinstance(c['type'], ENUM):
+                enum_columns.append(c['name'])
+            existed_column_name_list.append(c['name'])
+
+        model = self.get_model_by_table_name(table_name)
+        if model is None:
+            return
+        model_columns = getattr(getattr(getattr(model, '__table__'), 'columns'), '_all_columns')
+        for column in model_columns:
+            if column.name not in existed_column_name_list:
+                add_res = self.add_new_column(table_name, column)
+                if not add_res:
+                    continue
+
+                current_app.logger.info(f"add new column [{column.name}] in table [{table_name}] success.")
+
+                if column.name in enum_columns:
+                    enum_columns.remove(column.name)
+
+                self.add_new_index(table_name, column)
+
+        if len(enum_columns) > 0:
+            self.check_enum_column(enum_columns, existed_columns, model_columns, table_name)
+
+    def add_new_column(self, target_table_name, new_column):
+        try:
+            column_type = new_column.type.compile(self.engine.dialect)
+            default_value = new_column.default.arg if new_column.default else None
+
+            sql = "ALTER TABLE " + target_table_name + " ADD COLUMN " + f"`{new_column.name}`" + " " + column_type
+            if new_column.comment:
+                sql += f" comment '{new_column.comment}'"
+
+            if column_type == 'JSON':
+                pass
+            elif default_value:
+                if column_type.startswith('VAR') or column_type.startswith('Text'):
+                    if default_value is None or len(default_value) == 0:
+                        pass
+                else:
+                    sql += f" DEFAULT {default_value}"
+
+            sql = text(sql)
+            db.session.execute(sql)
+            return True
+        except Exception as e:
+            err = f"add_new_column [{new_column.name}] to table [{target_table_name}] err: {e}"
+            current_app.logger.error(err)
+            return False
+
+    @staticmethod
+    def add_new_index(target_table_name, new_column):
+        try:
+            if new_column.index:
+                index_name = f"{target_table_name}_{new_column.name}"
+                sql = "CREATE INDEX " + f"{index_name}" + " ON " + target_table_name + " (" + new_column.name + ")"
+                db.session.execute(sql)
+                current_app.logger.info(f"add new index [{index_name}] in table [{target_table_name}] success.")
+
+            return True
+        except Exception as e:
+            err = f"add_new_index [{new_column.name}] to table [{target_table_name}] err: {e}"
+            current_app.logger.error(err)
+            return False
+
+    @staticmethod
+    def check_enum_column(enum_columns, existed_columns, model_columns, table_name):
+        for column_name in enum_columns:
+            try:
+                enum_column = list(filter(lambda x: x['name'] == column_name, existed_columns))[0]
+                old_enum_value = enum_column.get('type', {}).enums
+                target_column = list(filter(lambda x: x.name == column_name, model_columns))[0]
+                new_enum_value = target_column.type.enums
+
+                if set(old_enum_value) == set(new_enum_value):
+                    continue
+
+                enum_values_str = ','.join(["'{}'".format(value) for value in new_enum_value])
+                sql = f"ALTER TABLE {table_name} MODIFY COLUMN" + f"`{column_name}`" + f" enum({enum_values_str})"
+                db.session.execute(sql)
+                current_app.logger.info(
+                    f"modify column [{column_name}] ENUM: {new_enum_value} in table [{table_name}] success.")
+            except Exception as e:
+                current_app.logger.error(
+                    f"modify column  ENUM [{column_name}] in table [{table_name}] err: {e}")

cmdb-api/api/lib/const.py

@@ -0,0 +1,17 @@
+# -*- coding:utf-8 -*-
+
+from api.lib.utils import BaseEnum
+
+
+class PermEnum(BaseEnum):
+    ADD = "create"
+    UPDATE = "update"
+    DELETE = "delete"
+    READ = "read"
+    EXECUTE = "execute"
+    GRANT = "grant"
+    ADMIN = "admin"
+
+
+class RoleEnum(BaseEnum):
+    ADMIN = "OneOPS_Application_Admin"

cmdb-api/api/lib/database.py

@@ -11,32 +11,54 @@ from api.lib.exception import CommitException
 class FormatMixin(object):
     def to_dict(self):
         res = dict()
-        for k in getattr(self, "__table__").columns:
-            if not isinstance(getattr(self, k.name), datetime.datetime):
-                res[k.name] = getattr(self, k.name)
+        for k in getattr(self, "__mapper__").c.keys():
+            if k in {'password', '_password', 'secret', '_secret'}:
+                continue
+
+            if k.startswith('_'):
+                k = k[1:]
+
+            if not isinstance(getattr(self, k), (datetime.datetime, datetime.date, datetime.time)):
+                res[k] = getattr(self, k)
             else:
-                res[k.name] = getattr(self, k.name).strftime('%Y-%m-%d %H:%M:%S')
+                res[k] = str(getattr(self, k))
 
         return res
+    
+    @classmethod
+    def from_dict(cls, **kwargs):
+        from sqlalchemy.sql.sqltypes import Time, Date, DateTime
+
+        columns = dict(getattr(cls, "__table__").columns)
+
+        for k, c in columns.items():
+            if kwargs.get(k):
+                if type(c.type) == Time:
+                    kwargs[k] = datetime.datetime.strptime(kwargs[k], "%H:%M:%S").time()
+                if type(c.type) == Date:
+                    kwargs[k] = datetime.datetime.strptime(kwargs[k], "%Y-%m-%d").date()
+                if type(c.type) == DateTime:
+                    kwargs[k] = datetime.datetime.strptime(kwargs[k], "%Y-%m-%d %H:%M:%S")
+
+        return cls(**kwargs)
 
     @classmethod
     def get_columns(cls):
-        return {k.name: 1 for k in getattr(cls, "__mapper__").c.values()}
+        return {k: 1 for k in getattr(cls, "__mapper__").c.keys()}
 
 
 class CRUDMixin(FormatMixin):
     @classmethod
-    def create(cls, flush=False, **kwargs):
-        return cls(**kwargs).save(flush=flush)
+    def create(cls, flush=False, commit=True, **kwargs):
+        return cls(**kwargs).save(flush=flush, commit=commit)
 
-    def update(self, flush=False, **kwargs):
+    def update(self, flush=False, commit=True, filter_none=True, **kwargs):
         kwargs.pop("id", None)
         for attr, value in six.iteritems(kwargs):
-            if value is not None:
+            if (value is not None and filter_none) or not filter_none:
                 setattr(self, attr, value)
-        if flush:
-            return self.save(flush=flush)
-        return self.save()
+
+        return self.save(flush=flush, commit=commit)
 
     def save(self, commit=True, flush=False):
         db.session.add(self)
@@ -51,29 +73,39 @@ class CRUDMixin(FormatMixin):
 
         return self
 
-    def delete(self, flush=False):
+    def delete(self, flush=False, commit=True):
         db.session.delete(self)
         try:
             if flush:
                 return db.session.flush()
-            return db.session.commit()
+            elif commit:
+                return db.session.commit()
         except Exception as e:
             db.session.rollback()
             raise CommitException(str(e))
 
-    def soft_delete(self, flush=False):
+    def soft_delete(self, flush=False, commit=True):
         setattr(self, "deleted", True)
         setattr(self, "deleted_at", datetime.datetime.now())
-        self.save(flush=flush)
+        self.save(flush=flush, commit=commit)
 
     @classmethod
     def get_by_id(cls, _id):
         if any((isinstance(_id, six.string_types) and _id.isdigit(),
                 isinstance(_id, (six.integer_types, float))), ):
-            return getattr(cls, "query").get(int(_id)) or None
+            obj = getattr(cls, "query").get(int(_id))
+            if obj and not getattr(obj, 'deleted', False):
+                return obj
 
     @classmethod
-    def get_by(cls, first=False, to_dict=True, fl=None, exclude=None, deleted=False, use_master=False, **kwargs):
+    def get_by(cls, first=False,
+               to_dict=True,
+               fl=None,
+               exclude=None,
+               deleted=False,
+               use_master=False,
+               only_query=False,
+               **kwargs):
         db_session = db.session if not use_master else db.session().using_bind("master")
         fl = fl.strip().split(",") if fl and isinstance(fl, six.string_types) else (fl or [])
         exclude = exclude.strip().split(",") if exclude and isinstance(exclude, six.string_types) else (exclude or [])
@@ -86,18 +118,35 @@ class CRUDMixin(FormatMixin):
         if hasattr(cls, "deleted") and deleted is not None:
             kwargs["deleted"] = deleted
 
+        kwargs_for_func = {i[7:]: kwargs[i] for i in kwargs if i.startswith('__func_')}
+        kwargs = {i: kwargs[i] for i in kwargs if not i.startswith('__func_')}
+
         if fl:
             query = db_session.query(*[getattr(cls, k) for k in fl])
-            query = query.filter_by(**kwargs)
-            result = [{k: getattr(i, k) for k in fl} for i in query]
         else:
-            result = [i.to_dict() if to_dict else i for i in getattr(cls, 'query').filter_by(**kwargs)]
+            query = db_session.query(cls)
+
+        query = query.filter_by(**kwargs)
+        for i in kwargs_for_func:
+            func, key = i.split('__key_')
+            query = query.filter(getattr(getattr(cls, key), func)(kwargs_for_func[i]))
+
+        if only_query:
+            return query
+
+        if fl:
+            result = [{k: getattr(i, k) for k in fl} if to_dict else i for i in query]
+        else:
+            result = [i.to_dict() if to_dict else i for i in query]
 
         return result[0] if first and result else (None if first else result)
 
     @classmethod
-    def get_by_like(cls, to_dict=True, **kwargs):
+    def get_by_like(cls, to_dict=True, deleted=False, **kwargs):
         query = db.session.query(cls)
+        if hasattr(cls, "deleted") and deleted is not None:
+            query = query.filter(cls.deleted.is_(deleted))
+
         for k, v in kwargs.items():
             query = query.filter(getattr(cls, k).ilike('%{0}%'.format(v)))
         return [i.to_dict() if to_dict else i for i in query]
@@ -113,6 +162,10 @@ class TimestampMixin(object):
     updated_at = db.Column(db.DateTime, onupdate=lambda: datetime.datetime.now())
 
 
+class TimestampMixin2(object):
+    created_at = db.Column(db.DateTime, default=lambda: datetime.datetime.now(), index=True)
+
+
 class SurrogatePK(object):
     __table_args__ = {"extend_existing": True}
 
@@ -125,3 +178,7 @@ class Model(SoftDeleteMixin, TimestampMixin, CRUDMixin, db.Model, SurrogatePK):
 
 class CRUDModel(db.Model, CRUDMixin):
     __abstract__ = True
+
+
+class Model2(TimestampMixin2, db.Model, CRUDMixin, SurrogatePK):
+    __abstract__ = True

cmdb-api/api/lib/decorator.py

@@ -4,7 +4,15 @@
 from functools import wraps
 
 from flask import abort
+from flask import current_app
 from flask import request
+from sqlalchemy.exc import InvalidRequestError
+from sqlalchemy.exc import OperationalError
+from sqlalchemy.exc import PendingRollbackError
+from sqlalchemy.exc import StatementError
+
+from api.extensions import db
+from api.lib.resp_format import CommonErrFormat
 
 
 def kwargs_required(*required_args):
@@ -13,7 +21,8 @@ def kwargs_required(*required_args):
         def wrapper(*args, **kwargs):
             for arg in required_args:
                 if arg not in kwargs:
-                    return abort(400, "Argument <{0}> is required".format(arg))
+                    return abort(400, CommonErrFormat.argument_required.format(arg))
+
             return func(*args, **kwargs)
 
         return wrapper
@@ -21,15 +30,89 @@ def kwargs_required(*required_args):
     return decorate
 
 
-def args_required(*required_args):
+def args_required(*required_args, **value_required):
     def decorate(func):
         @wraps(func)
         def wrapper(*args, **kwargs):
             for arg in required_args:
                 if arg not in request.values:
-                    return abort(400, "Argument <{0}> is required".format(arg))
+                    return abort(400, CommonErrFormat.argument_required.format(arg))
+
+                if value_required.get('value_required', True) and not request.values.get(arg):
+                    return abort(400, CommonErrFormat.argument_value_required.format(arg))
+
             return func(*args, **kwargs)
 
         return wrapper
 
     return decorate
+
+
+def args_validate(model_cls, exclude_args=None):
+    def decorate(func):
+        @wraps(func)
+        def wrapper(*args, **kwargs):
+            for arg in request.values:
+                if hasattr(model_cls, arg):
+                    attr = getattr(model_cls, arg)
+                    if not hasattr(attr, "type"):
+                        continue
+
+                    if exclude_args and arg in exclude_args:
+                        continue
+
+                    if attr.type.python_type == str and attr.type.length and (
+                            len(request.values[arg] or '') > attr.type.length):
+
+                        return abort(400, CommonErrFormat.argument_str_length_limit.format(arg, attr.type.length))
+                    elif attr.type.python_type in (int, float) and request.values[arg]:
+                        try:
+                            int(float(request.values[arg]))
+                        except (TypeError, ValueError):
+                            return abort(400, CommonErrFormat.argument_invalid.format(arg))
+
+            return func(*args, **kwargs)
+
+        return wrapper
+
+    return decorate
+
+
+def reconnect_db(func):
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        try:
+            return func(*args, **kwargs)
+        except (StatementError, OperationalError, InvalidRequestError) as e:
+            error_msg = str(e)
+            if 'Lost connection' in error_msg or 'reconnect until invalid transaction' in error_msg or \
+                    'can be emitted within this transaction' in error_msg:
+                current_app.logger.info('[reconnect_db] lost connect rollback then retry')
+                db.session.rollback()
+                return func(*args, **kwargs)
+            else:
+                raise e
+        except Exception as e:
+            raise e
+
+    return wrapper
+
+
+def _flush_db():
+    try:
+        db.session.commit()
+    except (StatementError, OperationalError, InvalidRequestError, PendingRollbackError):
+        db.session.rollback()
+
+
+def flush_db(func):
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        _flush_db()
+        return func(*args, **kwargs)
+
+    return wrapper
+
+
+def run_flush_db():
+    _flush_db()

cmdb-api/api/lib/http_cli.py

@@ -1,25 +1,25 @@
 # -*- coding:utf-8 -*-
 
-from __future__ import unicode_literals
 
 import hashlib
 
 import requests
 from flask import abort
 from flask import current_app
-from flask import g
+from flask_login import current_user
 from future.moves.urllib.parse import urlparse
 
 
 def build_api_key(path, params):
-    g.user is not None or abort(403, "您得登陆才能进行该操作")
-    key = g.user.key
-    secret = g.user.secret
+    current_user is not None or abort(403, u"您得登陆才能进行该操作")
+    key = current_user.key
+    secret = current_user.secret
     values = "".join([str(params[k]) for k in sorted(params.keys())
                       if params[k] is not None]) if params.keys() else ""
     _secret = "".join([path, secret, values]).encode("utf-8")
     params["_secret"] = hashlib.sha1(_secret).hexdigest()
     params["_key"] = key
+
     return params
 
 

cmdb-api/api/lib/mail.py

@@ -1,51 +1,54 @@
 # -*- coding:utf-8 -*- 
 
-
 import smtplib
 import time
-from email import Utils
 from email.header import Header
 from email.mime.image import MIMEImage
 from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
+from email.utils import make_msgid
 
 from flask import current_app
 
 
 def send_mail(sender, receiver, subject, content, ctype="html", pics=()):
     """subject and body are unicode objects"""
+    if not receiver:
+        return
     if not sender:
         sender = current_app.config.get("DEFAULT_MAIL_SENDER")
-    smtp_server = current_app.config.get("MAIL_SERVER")
+    smtpserver = current_app.config.get("MAIL_SERVER")
     if ctype == "html":
         msg = MIMEText(content, 'html', 'utf-8')
     else:
         msg = MIMEText(content, 'plain', 'utf-8')
 
     if len(pics) != 0:
-        msg_root = MIMEMultipart('related')
-        msg_text = MIMEText(content, 'html', 'utf-8')
-        msg_root.attach(msg_text)
+        msgRoot = MIMEMultipart('related')
+        msgText = MIMEText(content, 'html', 'utf-8')
+        msgRoot.attach(msgText)
         i = 1
         for pic in pics:
             fp = open(pic, "rb")
             image = MIMEImage(fp.read())
             fp.close()
             image.add_header('Content-ID', '<img%02d>' % i)
-            msg_root.attach(image)
+            msgRoot.attach(image)
             i += 1
-        msg = msg_root
+        msg = msgRoot
 
     msg['Subject'] = Header(subject, 'utf-8')
     msg['From'] = sender
     msg['To'] = ';'.join(receiver)
-    msg['Message-ID'] = Utils.make_msgid()
+    msg['Message-ID'] = make_msgid()
     msg['date'] = time.strftime('%a, %d %b %Y %H:%M:%S %z')
 
-    smtp = smtplib.SMTP()
-    smtp.connect(smtp_server, 25)
-    username, password = current_app.config.get("MAIL_USERNAME"), current_app.config.get("MAIL_PASSWORD")
-    if username and password:
-        smtp.login(username, password)
+    if current_app.config.get("MAIL_USE_SSL") or current_app.config.get("MAIL_USE_TLS"):
+        smtp = smtplib.SMTP_SSL(smtpserver)
+    else:
+        smtp = smtplib.SMTP()
+    smtp.connect(smtpserver, 25)
+    if current_app.config.get("MAIL_PASSWORD") != "":
+        smtp.login(current_app.config.get("MAIL_USERNAME"), current_app.config.get("MAIL_PASSWORD")) 
     smtp.sendmail(sender, receiver, msg.as_string())
     smtp.quit()

cmdb-api/api/lib/mixin.py

@@ -0,0 +1,113 @@
+# -*- coding:utf-8 -*-
+
+
+from flask import current_app
+from sqlalchemy import func
+
+from api.extensions import db
+from api.lib.utils import get_page
+from api.lib.utils import get_page_size
+
+
+class DBMixin(object):
+    cls = None
+
+    @classmethod
+    def search(cls, page, page_size, fl=None, only_query=False, reverse=False, count_query=False,
+               last_size=None, **kwargs):
+        page = get_page(page)
+        page_size = get_page_size(page_size)
+        if fl is None:
+            query = db.session.query(cls.cls)
+        else:
+            query = db.session.query(*[getattr(cls.cls, i) for i in fl])
+
+        _query = None
+        if count_query:
+            _query = db.session.query(func.count(cls.cls.id))
+
+        if hasattr(cls.cls, 'deleted'):
+            query = query.filter(cls.cls.deleted.is_(False))
+            if _query:
+                _query = _query.filter(cls.cls.deleted.is_(False))
+
+        for k in kwargs:
+            if hasattr(cls.cls, k):
+                if isinstance(kwargs[k], list):
+                    query = query.filter(getattr(cls.cls, k).in_(kwargs[k]))
+                    if count_query:
+                        _query = _query.filter(getattr(cls.cls, k).in_(kwargs[k]))
+                else:
+                    if "*" in str(kwargs[k]):
+                        query = query.filter(getattr(cls.cls, k).ilike(kwargs[k].replace('*', '%')))
+                        if count_query:
+                            _query = _query.filter(getattr(cls.cls, k).ilike(kwargs[k].replace('*', '%')))
+                    else:
+                        query = query.filter(getattr(cls.cls, k) == kwargs[k])
+                        if count_query:
+                            _query = _query.filter(getattr(cls.cls, k) == kwargs[k])
+
+        if reverse in current_app.config.get('BOOL_TRUE'):
+            query = query.order_by(cls.cls.id.desc())
+
+        if only_query and not count_query:
+            return query
+        elif only_query:
+            return _query, query
+
+        numfound = query.count()
+        if not last_size:
+            return numfound, [i.to_dict() if fl is None else getattr(i, '_asdict')()
+                              for i in query.offset((page - 1) * page_size).limit(page_size)]
+        else:
+            offset = numfound - last_size
+            if offset < 0:
+                offset = 0
+            return numfound, [i.to_dict() if fl is None else getattr(i, '_asdict')()
+                              for i in query.offset(offset).limit(last_size)]
+
+    def _can_add(self, **kwargs):
+        raise NotImplementedError
+
+    def _after_add(self, obj, **kwargs):
+        pass
+
+    def _can_update(self, **kwargs):
+        raise NotImplementedError
+
+    def _after_update(self, obj, **kwargs):
+        pass
+
+    def _can_delete(self, **kwargs):
+        raise NotImplementedError
+
+    def _after_delete(self, obj):
+        pass
+
+    def add(self, **kwargs):
+        kwargs = self._can_add(**kwargs) or kwargs
+
+        obj = self.cls.create(**kwargs)
+
+        kwargs['_id'] = obj.id if hasattr(obj, 'id') else None
+        self._after_add(obj, **kwargs)
+
+        return obj
+
+    def update(self, _id, **kwargs):
+        inst = self._can_update(_id=_id, **kwargs)
+
+        obj = inst.update(_id=_id, **kwargs)
+
+        self._after_update(obj, **kwargs)
+
+        return obj
+
+    def delete(self, _id):
+        inst = self._can_delete(_id=_id)
+
+        inst.soft_delete()
+
+        self._after_delete(inst)
+
+        return inst

cmdb-api/api/lib/notify.py

@@ -0,0 +1,72 @@
+# -*- coding:utf-8 -*-
+
+import json
+
+import requests
+import six
+from flask import current_app
+from jinja2 import Template
+from markdownify import markdownify as md
+
+from api.lib.common_setting.notice_config import NoticeConfigCRUD
+from api.lib.mail import send_mail
+
+
+def _request_messenger(subject, body, tos, sender, payload):
+    params = dict(sender=sender, title=subject,
+                  tos=[to[sender] for to in tos if to.get(sender)])
+
+    if not params['tos']:
+        raise Exception("no receivers")
+
+    flat_tos = []
+    for i in params['tos']:
+        if i.strip():
+            to = Template(i).render(payload)
+            if isinstance(to, list):
+                flat_tos.extend(to)
+            elif isinstance(to, six.string_types):
+                flat_tos.append(to)
+    params['tos'] = flat_tos
+
+    if sender == "email":
+        params['msgtype'] = 'text/html'
+        params['content'] = body
+    else:
+        params['msgtype'] = 'markdown'
+        try:
+            content = md("{}\n{}".format(subject or '', body or ''))
+        except Exception as e:
+            current_app.logger.warning("html2markdown failed: {}".format(e))
+            content = "{}\n{}".format(subject or '', body or '')
+
+        params['content'] = json.dumps(dict(content=content))
+
+    url = current_app.config.get('MESSENGER_URL') or NoticeConfigCRUD.get_messenger_url()
+    if not url:
+        raise Exception("no messenger url")
+
+    if not url.endswith("message"):
+        url = "{}/v1/message".format(url)
+
+    resp = requests.post(url, json=params)
+    if resp.status_code != 200:
+        raise Exception(resp.text)
+
+    return resp.text
+
+
+def notify_send(subject, body, methods, tos, payload=None):
+    payload = payload or {}
+    payload = {k: '' if v is None else v for k, v in payload.items()}
+    subject = Template(subject).render(payload)
+    body = Template(body).render(payload)
+
+    res = ''
+    for method in methods:
+        if method == "email" and not current_app.config.get('USE_MESSENGER', True):
+            send_mail(None, [Template(to.get('email')).render(payload) for to in tos], subject, body)
+
+        res += (_request_messenger(subject, body, tos, method, payload) + "\n")
+
+    return res

cmdb-api/api/lib/perm/acl/__init__.py

@@ -3,20 +3,22 @@
 
 from functools import wraps
 
-from flask import request
 from flask import abort
+from flask import request
 
 from api.lib.perm.acl.cache import AppCache
+from api.lib.perm.acl.resp_format import ErrFormat
 
 
 def validate_app(func):
     @wraps(func)
     def wrapper(*args, **kwargs):
-        app_id = request.values.get('app_id')
-        app = AppCache.get(app_id)
-        if app is None:
-            return abort(400, "App <{0}> does not exist".format(app_id))
-        request.values['app_id'] = app.id
+        if not request.headers.get('App-Access-Token', '').strip():
+            app_id = request.values.get('app_id')
+            app = AppCache.get(app_id)
+            if app is None:
+                return abort(400, ErrFormat.app_not_found.format("id={}".format(app_id)))
+            request.values['app_id'] = app.id
 
         return func(*args, **kwargs)
 

cmdb-api/api/lib/perm/acl/acl.py

@@ -1,37 +1,72 @@
 # -*- coding:utf-8 -*-
 
 import functools
+import hashlib
 
+import requests
 import six
-from flask import current_app, g, request
-from flask import session, abort
+from flask import abort
+from flask import current_app
+from flask import request
+from flask import session
+from flask_login import current_user
 
-from api.lib.cmdb.const import ResourceTypeEnum as CmdbResourceType
-from api.lib.cmdb.const import RoleEnum
+from api.extensions import cache
+from api.lib.perm.acl.audit import AuditCRUD
 from api.lib.perm.acl.cache import AppCache
 from api.lib.perm.acl.cache import RoleCache
 from api.lib.perm.acl.cache import UserCache
 from api.lib.perm.acl.permission import PermissionCRUD
 from api.lib.perm.acl.resource import ResourceCRUD
+from api.lib.perm.acl.resp_format import ErrFormat
 from api.lib.perm.acl.role import RoleCRUD
+from api.lib.perm.acl.role import RoleRelationCRUD
+from api.models.acl import App
 from api.models.acl import Resource
 from api.models.acl import ResourceGroup
 from api.models.acl import ResourceType
 from api.models.acl import Role
 
-CMDB_RESOURCE_TYPES = CmdbResourceType.all()
+
+def get_access_token():
+    url = "{0}/acl/apps/token".format(current_app.config.get('ACL_URI'))
+    payload = dict(app_id=current_app.config.get('APP_ID'),
+                   secret_key=hashlib.md5(current_app.config.get('APP_SECRET_KEY').encode('utf-8')).hexdigest())
+    try:
+        res = requests.post(url, data=payload).json()
+        return res.get("token")
+    except Exception as e:
+        current_app.logger.error(str(e))
+
+
+class AccessTokenCache(object):
+    TOKEN_KEY = 'TICKET::AccessToken'
+
+    @classmethod
+    def get(cls):
+        if cache.get(cls.TOKEN_KEY) is not None and cache.get(cls.TOKEN_KEY) != "":
+            return cache.get(cls.TOKEN_KEY)
+
+        res = get_access_token() or ""
+
+        cache.set(cls.TOKEN_KEY, res, timeout=60 * 60)
+        return res
+
+    @classmethod
+    def clean(cls):
+        cache.clear(cls.TOKEN_KEY)
 
 
 class ACLManager(object):
-    def __init__(self):
-        self.app_id = AppCache.get('cmdb')
-        if not self.app_id:
-            raise Exception("cmdb not in acl apps")
-        self.app_id = self.app_id.id
+    def __init__(self, app=None):
+        self.app = AppCache.get(app or 'cmdb')
+        if not self.app:
+            raise Exception(ErrFormat.app_not_found.format(app))
+        self.app_id = self.app.id
 
     def _get_resource(self, name, resource_type_name):
         resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
-        resource_type or abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
+        resource_type or abort(404, ErrFormat.resource_type_not_found.format(resource_type_name))
 
         return Resource.get_by(resource_type_id=resource_type.id,
                                app_id=self.app_id,
@@ -52,13 +87,23 @@ class ACLManager(object):
         if user:
             return Role.get_by(name=name, uid=user.uid, first=True, to_dict=False)
 
-        return Role.get_by(name=name, app_id=self.app_id, first=True, to_dict=False)
+        return (Role.get_by(name=name, app_id=self.app_id, first=True, to_dict=False) or
+                Role.get_by(name=name, first=True, to_dict=False))
 
     def add_resource(self, name, resource_type_name=None):
         resource_type = ResourceType.get_by(name=resource_type_name, first=True, to_dict=False)
-        resource_type or abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
+        resource_type or abort(404, ErrFormat.resource_type_not_found.format(resource_type_name))
 
-        ResourceCRUD.add(name, resource_type.id, self.app_id)
+        uid = AuditCRUD.get_current_operate_uid()
+        ResourceCRUD.add(name, resource_type.id, self.app_id, uid)
+
+    def update_resource(self, name, new_name, resource_type_name=None):
+        resource = self._get_resource(name, resource_type_name)
+
+        if resource is None:
+            self.add_resource(new_name, resource_type_name)
+        else:
+            ResourceCRUD.update(resource.id, new_name)
 
     def grant_resource_to_role(self, name, role, resource_type_name=None, permissions=None):
         resource = self._get_resource(name, resource_type_name)
@@ -72,35 +117,117 @@ class ACLManager(object):
             if group:
                 PermissionCRUD.grant(role.id, permissions, group_id=group.id)
 
-    def del_resource(self, name, resource_type_name=None):
+    def grant_resource_to_role_by_rid(self, name, rid, resource_type_name=None, permissions=None, rebuild=True):
+        resource = self._get_resource(name, resource_type_name)
+
+        if resource:
+            PermissionCRUD.grant(rid, permissions, resource_id=resource.id, rebuild=rebuild)
+        else:
+            group = self._get_resource_group(name)
+            if group:
+                PermissionCRUD.grant(rid, permissions, group_id=group.id, rebuild=rebuild)
+
+    def revoke_resource_from_role(self, name, role, resource_type_name=None, permissions=None):
+        resource = self._get_resource(name, resource_type_name)
+        role = self._get_role(role)
+
+        if resource:
+            PermissionCRUD.revoke(role.id, permissions, resource_id=resource.id)
+        else:
+            group = self._get_resource_group(name)
+            if group:
+                PermissionCRUD.revoke(role.id, permissions, group_id=group.id)
+
+    def revoke_resource_from_role_by_rid(self, name, rid, resource_type_name=None, permissions=None, rebuild=True):
+        resource = self._get_resource(name, resource_type_name)
+
+        if resource:
+            PermissionCRUD.revoke(rid, permissions, resource_id=resource.id, rebuild=rebuild)
+        else:
+            group = self._get_resource_group(name)
+            if group:
+                PermissionCRUD.revoke(rid, permissions, group_id=group.id, rebuild=rebuild)
+
+    def del_resource(self, name, resource_type_name=None, rebuild=True):
         resource = self._get_resource(name, resource_type_name)
         if resource:
-            ResourceCRUD.delete(resource.id)
+            return ResourceCRUD.delete(resource.id, rebuild=rebuild)
 
-    def has_permission(self, resource_name, resource_type, perm):
+    def has_permission(self, resource_name, resource_type, perm, resource_id=None, rid=None):
+        if is_app_admin(self.app_id):
+            return True
 
-        role = self._get_role(g.user.username)
+        role = self._get_role(current_user.username) if rid is None else RoleCache.get(rid)
 
-        role or abort(404, "Role <{0}> is not found".format(g.user.username))
+        role or abort(404, ErrFormat.role_not_found.format(current_user.username))
 
-        return RoleCRUD.has_permission(role.id, resource_name, resource_type, self.app_id, perm)
+        return RoleCRUD.has_permission(role.id, resource_name, resource_type, self.app_id, perm,
+                                       resource_id=resource_id)
+
+    @staticmethod
+    def get_user_info(username, app_id=None):
+        user = UserCache.get(username)
+        if not user:
+            user = RoleCache.get_by_name(app_id, username) or RoleCache.get_by_name(None, username)  # FIXME
+
+        if not user:
+            return abort(404, ErrFormat.user_not_found.format(username))
+        user = user.to_dict()
+
+        role = Role.get_by(uid=user['uid'], first=True, to_dict=False) if user.get('uid') else None
+        if role is not None:
+            user["rid"] = role.id
+            if app_id is None:
+                parent_ids = []
+                apps = App.get_by(to_dict=False)
+                for app in apps:
+                    parent_ids.extend(RoleRelationCRUD.recursive_parent_ids(role.id, app.id))
+            else:
+                parent_ids = RoleRelationCRUD.recursive_parent_ids(role.id, app_id)
+
+            user['parents'] = [RoleCache.get(rid).name for rid in set(parent_ids) if RoleCache.get(rid)]
+        else:
+            user['parents'] = []
+            user['rid'] = user['id'] if user.get('id') else None
+            if user['rid']:
+                parent_ids = RoleRelationCRUD.recursive_parent_ids(user['rid'], app_id)
+                user['parents'] = [RoleCache.get(rid).name for rid in set(parent_ids) if RoleCache.get(rid)]
+
+        return user
+
+    def get_resources(self, resource_type_name=None):
+        role = self._get_role(current_user.username)
+
+        role or abort(404, ErrFormat.role_not_found.format(current_user.username))
+        rid = role.id
+
+        return RoleCRUD.recursive_resources(rid, self.app_id, resource_type_name).get('resources')
+
+    @staticmethod
+    def authenticate_with_token(token):
+        url = "{0}/acl/auth_with_token".format(current_app.config.get('ACL_URI'))
+        try:
+            return requests.post(url, json={"token": token},
+                                 headers={'App-Access-Token': AccessTokenCache.get()}).json()
+        except:
+            return {}
 
 
-def validate_permission(resources, resource_type, perm):
+def validate_permission(resources, resource_type, perm, app=None):
     if not resources:
         return
 
     if current_app.config.get("USE_ACL"):
-        if g.user.username == "worker":
+        if current_user.username == "worker":
             return
 
         resources = [resources] if isinstance(resources, six.string_types) else resources
         for resource in resources:
-            if not ACLManager().has_permission(resource, resource_type, perm):
-                return abort(403, "has no permission")
+            if not ACLManager(app).has_permission(resource, resource_type, perm):
+                return abort(403, ErrFormat.resource_no_permission.format(resource, perm))
 
 
-def has_perm(resources, resource_type, perm):
+def has_perm(resources, resource_type, perm, app=None):
     def decorator_has_perm(func):
         @functools.wraps(func)
         def wrapper_has_perm(*args, **kwargs):
@@ -108,10 +235,10 @@ def has_perm(resources, resource_type, perm):
                 return
 
             if current_app.config.get("USE_ACL"):
-                if is_app_admin():
+                if is_app_admin(app):
                     return func(*args, **kwargs)
 
-                validate_permission(resources, resource_type, perm)
+                validate_permission(resources, resource_type, perm, app)
 
             return func(*args, **kwargs)
 
@@ -121,20 +248,44 @@ def has_perm(resources, resource_type, perm):
 
 
 def is_app_admin(app=None):
-    if RoleEnum.CONFIG in session.get("acl", {}).get("parentRoles", []):
+    app = app or 'cmdb'
+    app = AppCache.get(app)
+    if app is None:
+        return False
+
+    app_id = app.id
+    if 'acl_admin' in session.get("acl", {}).get("parentRoles", []):
         return True
 
-    app = app or 'cmdb'
-    app_id = AppCache.get(app).id
-
-    for role in session.get("acl", {}).get("parentRoles", []):
-        if RoleCache.get_by_name(app_id, role).is_app_admin:
+    for role_name in session.get("acl", {}).get("parentRoles", []):
+        role = RoleCache.get_by_name(app_id, role_name)
+        if role and role.is_app_admin:
             return True
 
     return False
 
 
-def has_perm_from_args(arg_name, resource_type, perm, callback=None):
+def is_admin():
+    if 'acl_admin' in session.get("acl", {}).get("parentRoles", []):
+        return True
+
+    return False
+
+
+def admin_required(app=None):
+    def decorator_admin_required(func):
+        @functools.wraps(func)
+        def wrapper_admin_required(*args, **kwargs):
+            if is_app_admin(app):
+                return func(*args, **kwargs)
+            return abort(403, ErrFormat.admin_required)
+
+        return wrapper_admin_required
+
+    return decorator_admin_required
+
+
+def has_perm_from_args(arg_name, resource_type, perm, callback=None, app=None):
     def decorator_has_perm(func):
         @functools.wraps(func)
         def wrapper_has_perm(*args, **kwargs):
@@ -145,10 +296,10 @@ def has_perm_from_args(arg_name, resource_type, perm, callback=None):
                 resource = callback(resource)
 
             if current_app.config.get("USE_ACL") and resource:
-                if is_app_admin():
+                if is_app_admin(app):
                     return func(*args, **kwargs)
 
-                validate_permission(resource, resource_type, perm)
+                validate_permission(resource, resource_type, perm, app)
 
             return func(*args, **kwargs)
 
@@ -157,7 +308,7 @@ def has_perm_from_args(arg_name, resource_type, perm, callback=None):
     return decorator_has_perm
 
 
-def role_required(role_name):
+def role_required(role_name, app=None):
     def decorator_role_required(func):
         @functools.wraps(func)
         def wrapper_role_required(*args, **kwargs):
@@ -165,8 +316,11 @@ def role_required(role_name):
                 return
 
             if current_app.config.get("USE_ACL"):
-                if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin():
-                    return abort(403, "Role {0} is required".format(role_name))
+                if getattr(current_user, 'username', None) == "worker":
+                    return func(*args, **kwargs)
+
+                if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app):
+                    return abort(403, ErrFormat.role_required.format(role_name))
             return func(*args, **kwargs)
 
         return wrapper_role_required

cmdb-api/api/lib/perm/acl/app.py

@@ -0,0 +1,93 @@
+# -*- coding:utf-8 -*-
+
+import datetime
+import hashlib
+
+import jwt
+from flask import abort
+from flask import current_app
+
+from api.extensions import db
+from api.lib.perm.acl.audit import AuditCRUD
+from api.lib.perm.acl.audit import AuditOperateType
+from api.lib.perm.acl.audit import AuditScope
+from api.lib.perm.acl.resp_format import ErrFormat
+from api.models.acl import App
+
+
+class AppCRUD(object):
+    cls = App
+
+    @staticmethod
+    def get_all():
+        return App.get_by(to_dict=False)
+
+    @staticmethod
+    def get(app_id):
+        return App.get_by_id(app_id)
+
+    @staticmethod
+    def search(q, page=1, page_size=None):
+        query = db.session.query(App).filter(App.deleted.is_(False))
+        if q:
+            query = query.filter(App.name.ilike('%{0}%'.format(q)))
+
+        numfound = query.count()
+        res = query.offset((page - 1) * page_size).limit(page_size)
+
+        return numfound, res
+
+    @classmethod
+    def add(cls, name, description):
+        App.get_by(name=name) and abort(400, ErrFormat.app_is_ready_existed.format(name))
+
+        from api.lib.perm.acl.user import UserCRUD
+        app_id, secret_key = UserCRUD.gen_key_secret()
+
+        app = App.create(name=name, description=description, app_id=app_id, secret_key=secret_key)
+        AuditCRUD.add_resource_log(app.id, AuditOperateType.create, AuditScope.app, app.id, {}, app.to_dict(), {})
+        return app
+
+    @classmethod
+    def update(cls, _id, **kwargs):
+        kwargs.pop('id', None)
+
+        existed = App.get_by_id(_id) or abort(404, ErrFormat.app_not_found.format("id={}".format(_id)))
+
+        origin = existed.to_dict()
+        existed = existed.update(**kwargs)
+
+        AuditCRUD.add_resource_log(existed.id, AuditOperateType.update,
+                                   AuditScope.app, existed.id, origin, existed.to_dict(), {})
+
+        return existed
+
+    @classmethod
+    def delete(cls, _id):
+        app = App.get_by_id(_id) or abort(404, ErrFormat.app_not_found.format("id={}".format(_id)))
+        origin = app.to_dict()
+
+        app.soft_delete()
+
+        AuditCRUD.add_resource_log(app.id, AuditOperateType.delete,
+                                   AuditScope.app, app.id, origin, {}, {})
+
+    @staticmethod
+    def _get_by_key(key):
+        return App.get_by(app_id=key, first=True, to_dict=False)
+
+    @classmethod
+    def gen_token(cls, key, secret):
+        app = cls._get_by_key(key) or abort(404, ErrFormat.app_not_found.format("key={}".format(key)))
+        secret != hashlib.md5(app.secret_key.encode('utf-8')).hexdigest() and abort(403, ErrFormat.app_secret_invalid)
+
+        token = jwt.encode({
+            'sub': app.name,
+            'iat': datetime.datetime.now(),
+            'exp': datetime.datetime.now() + datetime.timedelta(minutes=2 * 60)},
+            current_app.config['SECRET_KEY'])
+
+        try:
+            return token.decode()
+        except AttributeError:
+            return token

cmdb-api/api/lib/perm/acl/audit.py

@@ -0,0 +1,405 @@
+# -*- coding:utf-8 -*-
+
+import datetime
+import itertools
+import json
+from enum import Enum
+from typing import List
+
+from flask import has_request_context
+from flask import request
+from flask_login import current_user
+from sqlalchemy import func
+
+from api.extensions import db
+from api.lib.perm.acl import AppCache
+from api.models.acl import AuditLoginLog
+from api.models.acl import AuditPermissionLog
+from api.models.acl import AuditResourceLog
+from api.models.acl import AuditRoleLog
+from api.models.acl import AuditTriggerLog
+from api.models.acl import Permission
+from api.models.acl import Resource
+from api.models.acl import ResourceGroup
+from api.models.acl import ResourceType
+from api.models.acl import Role
+from api.models.acl import RolePermission
+
+
+class AuditScope(str, Enum):
+    app = 'app'
+    resource = 'resource'
+    resource_type = 'resource_type'
+    resource_group = 'resource_group'
+
+    user = 'user'
+    role = 'role'
+    role_relation = 'role_relation'
+
+
+class AuditOperateType(str, Enum):
+    read = 'read'
+    create = 'create'
+    update = 'update'
+    delete = 'delete'
+
+    user_login = 'user_login'
+    role_relation_add = 'role_relation_add'
+    role_relation_delete = 'role_relation_delete'
+    grant = 'grant'
+    revoke = 'revoke'
+    trigger_apply = 'trigger_apply'
+    trigger_cancel = 'trigger_cancel'
+
+
+class AuditOperateSource(str, Enum):
+    api = 'api'
+    acl = 'acl'
+    trigger = 'trigger'
+
+
+class AuditCRUD(object):
+
+    @staticmethod
+    def get_current_operate_uid(uid=None):
+        user_id = uid or (getattr(current_user, 'uid', None)) or getattr(current_user, 'user_id', None)
+
+        if has_request_context() and request.headers.get('X-User-Id'):
+            _user_id = request.headers['X-User-Id']
+            user_id = int(_user_id) if _user_id.isdigit() else uid
+
+        return user_id
+
+    @staticmethod
+    def get_operate_source(source):
+        if has_request_context() and request.headers.get('App-Access-Token'):
+            source = AuditOperateSource.api
+
+        return source
+
+    @staticmethod
+    def search_permission(app_id, q=None, page=1, page_size=10, start=None, end=None):
+        criterion = []
+        if app_id:
+            app = AppCache.get(app_id)
+            criterion.append(AuditPermissionLog.app_id == app.id)
+
+        if start:
+            criterion.append(AuditPermissionLog.created_at >= start)
+        if end:
+            criterion.append(AuditPermissionLog.created_at <= end)
+
+        kwargs = {expr.split(':')[0]: expr.split(':')[1] for expr in q.split(',')} if q else {}
+        for k, v in kwargs.items():
+            if k == 'resource_type_id':
+                criterion.append(AuditPermissionLog.resource_type_id == int(v))
+            elif k == 'rid':
+                criterion.append(AuditPermissionLog.rid == int(v))
+            elif k == 'resource_id':
+                criterion.append(func.json_contains(AuditPermissionLog.resource_ids, v) == 1)
+
+            elif k == 'operate_uid':
+                criterion.append(AuditPermissionLog.operate_uid == v)
+            elif k == 'operate_type':
+                criterion.append(AuditPermissionLog.operate_type == v)
+
+        records = AuditPermissionLog.query.filter(
+            AuditPermissionLog.deleted == 0, *criterion).order_by(
+            AuditPermissionLog.id.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+        data = {
+            'data': [r.to_dict() for r in records],
+            'id2resources': {},
+            'id2roles': {},
+            'id2groups': {},
+            'id2perms': {},
+            'id2resource_types': {},
+        }
+
+        resource_ids = set(itertools.chain(*[r.resource_ids for r in records]))
+        group_ids = set(itertools.chain(*[r.group_ids for r in records]))
+        permission_ids = set(itertools.chain(*[r.permission_ids for r in records]))
+        resource_type_ids = {r.resource_type_id for r in records}
+        rids = {r.rid for r in records}
+
+        if rids:
+            roles = Role.query.filter(Role.id.in_(rids)).all()
+            data['id2roles'] = {r.id: r.to_dict() for r in roles}
+
+        if resource_type_ids:
+            resource_types = ResourceType.query.filter(ResourceType.id.in_(resource_type_ids)).all()
+            data['id2resource_types'] = {r.id: r.to_dict() for r in resource_types}
+
+        if resource_ids:
+            resources = Resource.query.filter(Resource.id.in_(resource_ids)).all()
+            data['id2resources'] = {r.id: r.to_dict() for r in resources}
+
+        if group_ids:
+            groups = ResourceGroup.query.filter(ResourceGroup.id.in_(group_ids)).all()
+            data['id2groups'] = {_g.id: _g.to_dict() for _g in groups}
+
+        if permission_ids:
+            perms = Permission.query.filter(Permission.id.in_(permission_ids)).all()
+
+            data['id2perms'] = {_p.id: _p.to_dict() for _p in perms}
+
+        return data
+
+    @staticmethod
+    def search_role(app_id, q=None, page=1, page_size=10, start=None, end=None):
+        criterion = []
+        if app_id:
+            app = AppCache.get(app_id)
+            criterion.append(AuditRoleLog.app_id == app.id)
+
+        if start:
+            criterion.append(AuditRoleLog.created_at >= start)
+        if end:
+            criterion.append(AuditRoleLog.created_at <= end)
+
+        kwargs = {expr.split(':')[0]: expr.split(':')[1] for expr in q.split(',')} if q else {}
+        for k, v in kwargs.items():
+            if k == 'scope':
+                criterion.append(AuditRoleLog.scope == v)
+            elif k == 'link_id':
+                criterion.append(AuditRoleLog.link_id == int(v))
+            elif k == 'operate_uid':
+                criterion.append(AuditRoleLog.operate_uid == v)
+            elif k == 'operate_type':
+                criterion.append(AuditRoleLog.operate_type == v)
+
+        records = AuditRoleLog.query.filter(AuditRoleLog.deleted == 0, *criterion).order_by(
+            AuditRoleLog.id.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+        data = {
+            'data': [r.to_dict() for r in records],
+            'id2roles': {}
+        }
+
+        role_permissions = list(itertools.chain(*[r.extra.get('role_permissions', []) for r in records]))
+        _rids = set()
+        if role_permissions:
+
+            resource_ids = set([r['resource_id'] for r in role_permissions])
+            group_ids = set([r['group_id'] for r in role_permissions])
+            perm_ids = set([r['perm_id'] for r in role_permissions])
+            _rids.update(set([r['rid'] for r in role_permissions]))
+
+            if resource_ids:
+                resources = Resource.query.filter(Resource.id.in_(resource_ids)).all()
+                data['id2resources'] = {r.id: r.to_dict() for r in resources}
+
+            if group_ids:
+                groups = ResourceGroup.query.filter(ResourceGroup.id.in_(group_ids)).all()
+                data['id2groups'] = {_g.id: _g.to_dict() for _g in groups}
+
+            if perm_ids:
+                perms = Permission.query.filter(Permission.id.in_(perm_ids)).all()
+
+                data['id2perms'] = {_p.id: _p.to_dict() for _p in perms}
+
+        rids = set(itertools.chain(*[r.extra.get('child_ids', []) + r.extra.get('parent_ids', [])
+                                     for r in records]))
+        rids.update(_rids)
+        if rids:
+            roles = Role.query.filter(Role.id.in_(rids)).all()
+            data['id2roles'].update({r.id: r.to_dict() for r in roles})
+
+        return data
+
+    @staticmethod
+    def search_resource(app_id, q=None, page=1, page_size=10, start=None, end=None):
+        criterion = []
+        if app_id:
+            app = AppCache.get(app_id)
+            criterion.append(AuditResourceLog.app_id == app.id)
+
+        if start:
+            criterion.append(AuditResourceLog.created_at >= start)
+        if end:
+            criterion.append(AuditResourceLog.created_at <= end)
+
+        kwargs = {expr.split(':')[0]: expr.split(':')[1] for expr in q.split(',')} if q else {}
+        for k, v in kwargs.items():
+            if k == 'scope':
+                criterion.append(AuditResourceLog.scope == v)
+            elif k == 'link_id':
+                criterion.append(AuditResourceLog.link_id == int(v))
+            elif k == 'operate_uid':
+                criterion.append(AuditResourceLog.operate_uid == v)
+            elif k == 'operate_type':
+                criterion.append(AuditResourceLog.operate_type == v)
+
+        records = AuditResourceLog.query.filter(
+            AuditResourceLog.deleted == 0, *criterion).order_by(
+            AuditResourceLog.id.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+        data = {
+            'data': [r.to_dict() for r in records],
+        }
+
+        return data
+
+    @staticmethod
+    def search_trigger(app_id, q=None, page=1, page_size=10, start=None, end=None):
+        criterion = []
+        if app_id:
+            app = AppCache.get(app_id)
+            criterion.append(AuditTriggerLog.app_id == app.id)
+
+        if start:
+            criterion.append(AuditTriggerLog.created_at >= start)
+        if end:
+            criterion.append(AuditTriggerLog.created_at <= end)
+
+        kwargs = {expr.split(':')[0]: expr.split(':')[1] for expr in q.split(',')} if q else {}
+        for k, v in kwargs.items():
+            if k == 'trigger_id':
+                criterion.append(AuditTriggerLog.trigger_id == int(v))
+            elif k == 'operate_uid':
+                criterion.append(AuditTriggerLog.operate_uid == v)
+            elif k == 'operate_type':
+                criterion.append(AuditTriggerLog.operate_type == v)
+
+        records = AuditTriggerLog.query.filter(
+            AuditTriggerLog.deleted == 0, *criterion).order_by(
+            AuditTriggerLog.id.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+        data = {
+            'data': [r.to_dict() for r in records],
+            'id2roles': {},
+            'id2resource_types': {},
+        }
+
+        rids = set(itertools.chain(*[json.loads(r.origin.get('roles', "[]")) +
+                                     json.loads(r.current.get('roles', "[]"))
+                                     for r in records]))
+        resource_type_ids = set([r.origin.get('resource_type_id') for r in records
+                                 if r.origin.get('resource_type_id')] +
+                                [r.current.get('resource_type_id') for r in records
+                                 if r.current.get('resource_type_id')])
+        if rids:
+            roles = Role.query.filter(Role.id.in_(rids)).all()
+            data['id2roles'] = {r.id: r.to_dict() for r in roles}
+
+        if resource_type_ids:
+            resource_types = ResourceType.query.filter(ResourceType.id.in_(resource_type_ids)).all()
+            data['id2resource_types'] = {r.id: r.to_dict() for r in resource_types}
+
+        return data
+
+    @staticmethod
+    def search_login(_, q=None, page=1, page_size=10, start=None, end=None):
+        query = db.session.query(AuditLoginLog)
+
+        if start:
+            query = query.filter(AuditLoginLog.login_at >= start)
+        if end:
+            query = query.filter(AuditLoginLog.login_at <= end)
+
+        if q:
+            query = query.filter(AuditLoginLog.username == q)
+
+        records = query.order_by(
+            AuditLoginLog.id.desc()).offset((page - 1) * page_size).limit(page_size).all()
+
+        data = {
+            'data': [r.to_dict() for r in records],
+        }
+
+        return data
+
+    @classmethod
+    def add_role_log(cls, app_id, operate_type: AuditOperateType,
+                     scope: AuditScope, link_id: int, origin: dict, current: dict, extra: dict,
+                     uid=None, source=AuditOperateSource.acl):
+
+        user_id = cls.get_current_operate_uid(uid)
+
+        AuditRoleLog.create(app_id=app_id, operate_uid=user_id, operate_type=operate_type.value,
+                            scope=scope.value,
+                            link_id=link_id,
+                            origin=origin,
+                            current=current,
+                            extra=extra,
+                            source=source.value)
+
+    @classmethod
+    def add_resource_log(cls, app_id, operate_type: AuditOperateType,
+                         scope: AuditScope, link_id: int, origin: dict, current: dict, extra: dict,
+                         uid=None, source=AuditOperateSource.acl):
+        user_id = cls.get_current_operate_uid(uid)
+
+        source = cls.get_operate_source(source)
+
+        AuditResourceLog.create(app_id=app_id, operate_uid=user_id, operate_type=operate_type.value,
+                                scope=scope.value,
+                                link_id=link_id,
+                                origin=origin,
+                                current=current,
+                                extra=extra,
+                                source=source.value)
+
+    @classmethod
+    def add_permission_log(cls, app_id, operate_type: AuditOperateType,
+                           rid: int, rt_id: int, role_permissions: List[RolePermission],
+                           uid=None, source=AuditOperateSource.acl):
+
+        if not role_permissions:
+            return
+        user_id = cls.get_current_operate_uid(uid)
+        source = cls.get_operate_source(source)
+
+        resource_ids = list({r.resource_id for r in role_permissions if r.resource_id})
+        permission_ids = list({r.perm_id for r in role_permissions if r.perm_id})
+        group_ids = list({r.group_id for r in role_permissions if r.group_id})
+
+        AuditPermissionLog.create(app_id=app_id, operate_uid=user_id,
+                                  operate_type=operate_type.value,
+                                  rid=rid,
+                                  resource_type_id=rt_id,
+                                  resource_ids=resource_ids,
+                                  permission_ids=permission_ids,
+                                  group_ids=group_ids,
+                                  source=source.value)
+
+    @classmethod
+    def add_trigger_log(cls, app_id, trigger_id, operate_type: AuditOperateType,
+                        origin: dict, current: dict, extra: dict,
+                        uid=None, source=AuditOperateSource.acl):
+
+        user_id = cls.get_current_operate_uid(uid)
+        source = cls.get_operate_source(source)
+
+        AuditTriggerLog.create(app_id=app_id, trigger_id=trigger_id, operate_uid=user_id,
+                               operate_type=operate_type.value,
+                               origin=origin, current=current, extra=extra, source=source.value)
+
+    @classmethod
+    def add_login_log(cls, username, is_ok, description, _id=None, logout_at=None, ip=None, browser=None):
+        if _id is not None:
+            existed = AuditLoginLog.get_by_id(_id)
+            if existed is not None:
+                existed.update(logout_at=logout_at)
+                return
+
+        payload = dict(username=username,
+                       is_ok=is_ok,
+                       description=description,
+                       logout_at=logout_at,
+                       ip=(ip or request.headers.get('X-Forwarded-For') or
+                           request.headers.get('X-Real-IP') or request.remote_addr or '').split(',')[0],
+                       browser=browser or request.headers.get('User-Agent'),
+                       channel=request.values.get('channel', 'web'),
+                       )
+
+        if logout_at is None:
+            payload['login_at'] = datetime.datetime.now()
+
+        try:
+            from api.lib.common_setting.employee import EmployeeCRUD
+            EmployeeCRUD.update_last_login_by_uid(current_user.uid)
+        except:
+            pass
+
+        return AuditLoginLog.create(**payload).id

cmdb-api/api/lib/perm/acl/cache.py

@@ -1,13 +1,34 @@
 # -*- coding:utf-8 -*-
 
+
+import msgpack
+import redis_lock
+
 from api.extensions import cache
 from api.extensions import db
+from api.extensions import rd
+from api.lib.decorator import flush_db
 from api.models.acl import App
 from api.models.acl import Permission
+from api.models.acl import Resource
+from api.models.acl import ResourceGroup
 from api.models.acl import Role
 from api.models.acl import User
 
 
+class AppAccessTokenCache(object):
+    PREFIX = "AppAccessTokenCache::token::{}"
+
+    @classmethod
+    def get_app_id(cls, token):
+        app_id = cache.get(cls.PREFIX.format(token))
+        return app_id
+
+    @classmethod
+    def set(cls, token, app, timeout=7200):
+        cache.set(token, cls.PREFIX.format(app.app_id), timeout=timeout)
+
+
 class AppCache(object):
     PREFIX_ID = "App::id::{0}"
     PREFIX_NAME = "App::name::{0}"
@@ -37,16 +58,19 @@ class UserCache(object):
     PREFIX_ID = "User::uid::{0}"
     PREFIX_NAME = "User::username::{0}"
     PREFIX_NICK = "User::nickname::{0}"
+    PREFIX_WXID = "User::wxid::{0}"
 
     @classmethod
     def get(cls, key):
-        user = cache.get(cls.PREFIX_ID.format(key)) or \
-               cache.get(cls.PREFIX_NAME.format(key)) or \
-               cache.get(cls.PREFIX_NICK.format(key))
+        user = (cache.get(cls.PREFIX_ID.format(key)) or
+                cache.get(cls.PREFIX_NAME.format(key)) or
+                cache.get(cls.PREFIX_NICK.format(key)) or
+                cache.get(cls.PREFIX_WXID.format(key)))
         if not user:
-            user = User.query.get(key) or \
-                   User.query.get_by_username(key) or \
-                   User.query.get_by_nickname(key)
+            user = (User.query.get(key) or
+                    User.query.get_by_username(key) or
+                    User.query.get_by_nickname(key) or
+                    User.query.get_by_wxid(key))
         if user:
             cls.set(user)
 
@@ -57,12 +81,16 @@ class UserCache(object):
         cache.set(cls.PREFIX_ID.format(user.uid), user)
         cache.set(cls.PREFIX_NAME.format(user.username), user)
         cache.set(cls.PREFIX_NICK.format(user.nickname), user)
+        if user.wx_id:
+            cache.set(cls.PREFIX_WXID.format(user.wx_id), user)
 
     @classmethod
     def clean(cls, user):
         cache.delete(cls.PREFIX_ID.format(user.uid))
         cache.delete(cls.PREFIX_NAME.format(user.username))
         cache.delete(cls.PREFIX_NICK.format(user.nickname))
+        if user.wx_id:
+            cache.delete(cls.PREFIX_WXID.format(user.wx_id))
 
 
 class RoleCache(object):
@@ -74,6 +102,9 @@ class RoleCache(object):
         role = cache.get(cls.PREFIX_NAME.format(app_id, name))
         if role is None:
             role = Role.get_by(app_id=app_id, name=name, first=True, to_dict=False)
+            if role is None and app_id is None:  # try global role
+                role = Role.get_by(name=name, first=True, to_dict=False)
+
             if role is not None:
                 cache.set(cls.PREFIX_NAME.format(app_id, name), role)
 
@@ -98,77 +129,207 @@ class RoleCache(object):
         cache.delete(cls.PREFIX_NAME.format(app_id, name))
 
 
-class RoleRelationCache(object):
-    PREFIX_PARENT = "RoleRelationParent::id::{0}"
-    PREFIX_CHILDREN = "RoleRelationChildren::id::{0}"
-    PREFIX_RESOURCES = "RoleRelationResources::id::{0}"
+class HasResourceRoleCache(object):
+    PREFIX_KEY = "HasResourceRoleCache::AppId::{0}"
 
     @classmethod
-    def get_parent_ids(cls, rid):
-        parent_ids = cache.get(cls.PREFIX_PARENT.format(rid))
-        if not parent_ids:
+    def get(cls, app_id):
+        return cache.get(cls.PREFIX_KEY.format(app_id)) or {}
+
+    @classmethod
+    def add(cls, rid, app_id):
+        with redis_lock.Lock(rd.r, 'HasResourceRoleCache', expire=10):
+            c = cls.get(app_id)
+            c[rid] = 1
+            cache.set(cls.PREFIX_KEY.format(app_id), c, timeout=0)
+
+    @classmethod
+    def remove(cls, rid, app_id):
+        with redis_lock.Lock(rd.r, 'HasResourceRoleCache', expire=10):
+            c = cls.get(app_id)
+            c.pop(rid, None)
+            cache.set(cls.PREFIX_KEY.format(app_id), c, timeout=0)
+
+
+class RoleRelationCache(object):
+    PREFIX_PARENT = "RoleRelationParent::id::{0}::AppId::{1}"
+    PREFIX_CHILDREN = "RoleRelationChildren::id::{0}::AppId::{1}"
+    PREFIX_RESOURCES = "RoleRelationResources::id::{0}::AppId::{1}"
+    PREFIX_RESOURCES2 = "RoleRelationResources2::id::{0}::AppId::{1}"
+
+    @classmethod
+    def get_parent_ids(cls, rid, app_id, force=False):
+        parent_ids = cache.get(cls.PREFIX_PARENT.format(rid, app_id))
+        if not parent_ids or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleRelationCRUD
-            parent_ids = RoleRelationCRUD.get_parent_ids(rid)
-            cache.set(cls.PREFIX_PARENT.format(rid), parent_ids, timeout=0)
+            parent_ids = RoleRelationCRUD.get_parent_ids(rid, app_id)
+            cache.set(cls.PREFIX_PARENT.format(rid, app_id), parent_ids, timeout=0)
 
         return parent_ids
 
     @classmethod
-    def get_child_ids(cls, rid):
-        child_ids = cache.get(cls.PREFIX_CHILDREN.format(rid))
-        if not child_ids:
+    def get_child_ids(cls, rid, app_id, force=False):
+        child_ids = cache.get(cls.PREFIX_CHILDREN.format(rid, app_id))
+        if not child_ids or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleRelationCRUD
-            child_ids = RoleRelationCRUD.get_child_ids(rid)
-            cache.set(cls.PREFIX_CHILDREN.format(rid), child_ids, timeout=0)
+            child_ids = RoleRelationCRUD.get_child_ids(rid, app_id)
+            cache.set(cls.PREFIX_CHILDREN.format(rid, app_id), child_ids, timeout=0)
 
         return child_ids
 
     @classmethod
-    def get_resources(cls, rid):
+    def get_resources(cls, rid, app_id, force=False):
         """
         :param rid: 
+        :param app_id: 
+        :param force:
         :return: {id2perms: {resource_id: [perm,]}, group2perms: {group_id: [perm, ]}}
         """
-        resources = cache.get(cls.PREFIX_RESOURCES.format(rid))
-        if not resources:
+        resources = cache.get(cls.PREFIX_RESOURCES.format(rid, app_id))
+        if not resources or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleCRUD
-            resources = RoleCRUD.get_resources(rid)
-            cache.set(cls.PREFIX_RESOURCES.format(rid), resources, timeout=0)
+            resources = RoleCRUD.get_resources(rid, app_id)
+            if resources['id2perms'] or resources['group2perms']:
+                cache.set(cls.PREFIX_RESOURCES.format(rid, app_id), resources, timeout=0)
 
         return resources or {}
 
     @classmethod
-    def rebuild(cls, rid):
-        cls.clean(rid)
-        db.session.close()
-        cls.get_parent_ids(rid)
-        cls.get_child_ids(rid)
-        cls.get_resources(rid)
+    def get_resources2(cls, rid, app_id, force=False):
+        r_g = cache.get(cls.PREFIX_RESOURCES2.format(rid, app_id))
+        if not r_g or force:
+            db.session.commit()
+            res = cls.get_resources(rid, app_id)
+            id2perms = res['id2perms']
+            group2perms = res['group2perms']
+
+            resources, groups = dict(), dict()
+            for _id in id2perms:
+                resource = ResourceCache.get(_id)
+                if not resource:
+                    continue
+                resource = resource.to_dict()
+                resource.update(dict(permissions=id2perms[_id]))
+                resources[_id] = resource
+
+            for _id in group2perms:
+                group = ResourceGroupCache.get(_id)
+                if not group:
+                    continue
+                group = group.to_dict()
+                group.update(dict(permissions=group2perms[_id]))
+                groups[_id] = group
+            r_g = msgpack.dumps(dict(resources=resources, groups=groups))
+            cache.set(cls.PREFIX_RESOURCES2.format(rid, app_id), r_g, timeout=0)
+
+        return msgpack.loads(r_g, raw=False)
 
     @classmethod
-    def clean(cls, rid):
-        cache.delete(cls.PREFIX_PARENT.format(rid))
-        cache.delete(cls.PREFIX_CHILDREN.format(rid))
-        cache.delete(cls.PREFIX_RESOURCES.format(rid))
+    @flush_db
+    def rebuild(cls, rid, app_id):
+        if app_id is None:
+            app_ids = [None] + [i.id for i in App.get_by(to_dict=False)]
+        else:
+            app_ids = [app_id]
+
+        for _app_id in app_ids:
+            cls.clean(rid, _app_id)
+
+            cls.get_parent_ids(rid, _app_id, force=True)
+            cls.get_child_ids(rid, _app_id, force=True)
+            resources = cls.get_resources(rid, _app_id, force=True)
+            if resources.get('id2perms') or resources.get('group2perms'):
+                HasResourceRoleCache.add(rid, _app_id)
+            else:
+                HasResourceRoleCache.remove(rid, _app_id)
+            cls.get_resources2(rid, _app_id, force=True)
+
+    @classmethod
+    @flush_db
+    def rebuild2(cls, rid, app_id):
+        cache.delete(cls.PREFIX_RESOURCES2.format(rid, app_id))
+        cls.get_resources2(rid, app_id, force=True)
+
+    @classmethod
+    def clean(cls, rid, app_id):
+        cache.delete(cls.PREFIX_PARENT.format(rid, app_id))
+        cache.delete(cls.PREFIX_CHILDREN.format(rid, app_id))
+        cache.delete(cls.PREFIX_RESOURCES.format(rid, app_id))
+        cache.delete(cls.PREFIX_RESOURCES2.format(rid, app_id))
 
 
 class PermissionCache(object):
-    PREFIX_ID = "Permission::id::{0}"
-    PREFIX_NAME = "Permission::name::{0}"
+    PREFIX_ID = "Permission::id::{0}::ResourceTypeId::{1}"
+    PREFIX_NAME = "Permission::name::{0}::ResourceTypeId::{1}"
 
     @classmethod
-    def get(cls, key):
-        perm = cache.get(cls.PREFIX_ID.format(key))
-        perm = perm or cache.get(cls.PREFIX_NAME.format(key))
+    def get(cls, key, rt_id):
+        perm = cache.get(cls.PREFIX_ID.format(key, rt_id))
+        perm = perm or cache.get(cls.PREFIX_NAME.format(key, rt_id))
         if perm is None:
             perm = Permission.get_by_id(key)
-            perm = perm or Permission.get_by(name=key, first=True, to_dict=False)
+            perm = perm or Permission.get_by(name=key, resource_type_id=rt_id, first=True, to_dict=False)
             if perm is not None:
-                cache.set(cls.PREFIX_ID.format(key), perm)
+                cache.set(cls.PREFIX_ID.format(perm.id, rt_id), perm)
+                cache.set(cls.PREFIX_NAME.format(perm.name, rt_id), perm)
 
         return perm
 
+
+class ResourceCache(object):
+    PREFIX_ID = "Resource::id::{0}"
+    PREFIX_NAME = "Resource::type_id::{0}::name::{1}"
+
     @classmethod
-    def clean(cls, key):
-        cache.delete(cls.PREFIX_ID.format(key))
-        cache.delete(cls.PREFIX_NAME.format(key))
+    def get(cls, key, type_id=None):
+        resource = cache.get(cls.PREFIX_ID.format(key)) or cache.get(cls.PREFIX_NAME.format(type_id, key))
+        if resource is None:
+            resource = Resource.get_by_id(key) or Resource.get_by(name=key,
+                                                                  resource_type_id=type_id,
+                                                                  to_dict=False,
+                                                                  first=True)
+        if resource is not None:
+            cls.set(resource)
+
+        return resource
+
+    @classmethod
+    def set(cls, resource):
+        cache.set(cls.PREFIX_ID.format(resource.id), resource)
+        cache.set(cls.PREFIX_NAME.format(resource.resource_type_id, resource.name), resource)
+
+    @classmethod
+    def clean(cls, resource):
+        cache.delete(cls.PREFIX_ID.format(resource.id))
+        cache.delete(cls.PREFIX_NAME.format(resource.resource_type_id, resource.name))
+
+
+class ResourceGroupCache(object):
+    PREFIX_ID = "ResourceGroup::id::{0}"
+    PREFIX_NAME = "ResourceGroup::type_id::{0}::name::{1}"
+
+    @classmethod
+    def get(cls, key, type_id=None):
+        group = cache.get(cls.PREFIX_ID.format(key)) or cache.get(cls.PREFIX_NAME.format(type_id, key))
+        if group is None:
+            group = ResourceGroup.get_by_id(key) or ResourceGroup.get_by(name=key,
+                                                                         resource_type_id=type_id,
+                                                                         to_dict=False,
+                                                                         first=True)
+        if group is not None:
+            cls.set(group)
+
+        return group
+
+    @classmethod
+    def set(cls, group):
+        cache.set(cls.PREFIX_ID.format(group.id), group)
+        cache.set(cls.PREFIX_NAME.format(group.resource_type_id, group.name), group)
+
+    @classmethod
+    def clean(cls, group):
+        cache.delete(cls.PREFIX_ID.format(group.id))
+        cache.delete(cls.PREFIX_NAME.format(group.resource_type_id, group.name))

cmdb-api/api/lib/perm/acl/const.py

@@ -1,5 +1,13 @@
 # -*- coding:utf-8 -*-
 
-from api.lib.cmdb.const import CMDB_QUEUE
+from api.lib.utils import BaseEnum
 
-ACL_QUEUE = CMDB_QUEUE
+ACL_QUEUE = "acl_async"
+
+
+class OperateType(BaseEnum):
+    LOGIN = "0"
+    READ = "1"
+    UPDATE = "2"
+    CREATE = "3"
+    DELETE = "4"

cmdb-api/api/lib/perm/acl/permission.py

@@ -1,48 +1,322 @@
 # -*- coding:utf-8 -*-
+import datetime
 
+from flask import abort
 
+from api.extensions import db
+from api.lib.perm.acl.audit import AuditCRUD
+from api.lib.perm.acl.audit import AuditOperateSource
+from api.lib.perm.acl.audit import AuditOperateType
 from api.lib.perm.acl.cache import PermissionCache
 from api.lib.perm.acl.cache import RoleCache
+from api.lib.perm.acl.cache import UserCache
 from api.lib.perm.acl.const import ACL_QUEUE
+from api.lib.perm.acl.resp_format import ErrFormat
+from api.lib.perm.acl.role import RoleRelationCRUD
+from api.models.acl import Resource
+from api.models.acl import ResourceGroup
+from api.models.acl import ResourceType
 from api.models.acl import RolePermission
 from api.tasks.acl import role_rebuild
 
 
 class PermissionCRUD(object):
     @staticmethod
-    def get_all(resource_id=None, group_id=None):
+    def get_all(resource_id=None, group_id=None, need_users=True):
         result = dict()
+
         if resource_id is not None:
+            r = Resource.get_by_id(resource_id)
+            if not r:
+                return result
+            rt_id = r.resource_type_id
             perms = RolePermission.get_by(resource_id=resource_id, to_dict=False)
         else:
+            rg = ResourceGroup.get_by_id(group_id)
+            if not rg:
+                return result
+            rt_id = rg.resource_type_id
             perms = RolePermission.get_by(group_id=group_id, to_dict=False)
 
+        rid2obj = dict()
+        uid2obj = dict()
         for perm in perms:
-            perm_dict = PermissionCache.get(perm.perm_id).to_dict()
+            perm_dict = PermissionCache.get(perm.perm_id, rt_id)
+            perm_dict = perm_dict and perm_dict.to_dict()
+            if not perm_dict:
+                continue
             perm_dict.update(dict(rid=perm.rid))
-            result.setdefault(RoleCache.get(perm.rid).name, []).append(perm_dict)
+
+            if perm.rid not in rid2obj:
+                rid2obj[perm.rid] = RoleCache.get(perm.rid)
+
+            role = rid2obj[perm.rid]
+            if role and role.uid:
+                if role.uid not in uid2obj:
+                    uid2obj[role.uid] = UserCache.get(role.uid)
+
+                name = uid2obj[role.uid].nickname
+            elif role:
+                name = role.name
+            else:
+                continue
+
+            result.setdefault(name,
+                              dict(perms=[],
+                                   users=RoleRelationCRUD.get_users_by_rid(perm.rid, perm.app_id, rid2obj, uid2obj)
+                                   if need_users else [])
+                              )['perms'].append(perm_dict)
 
         return result
 
-    @staticmethod
-    def grant(rid, perms, resource_id=None, group_id=None):
-        for perm in perms:
-            perm = PermissionCache.get(perm)
-            existed = RolePermission.get_by(rid=rid, perm_id=perm.id, group_id=group_id, resource_id=resource_id)
-            existed or RolePermission.create(rid=rid, perm_id=perm.id, group_id=group_id, resource_id=resource_id)
+    @classmethod
+    def get_all2(cls, resource_name, resource_type_name, app_id):
+        rt = ResourceType.get_by(name=resource_type_name, app_id=app_id, first=True, to_dict=False)
+        rt or abort(404, ErrFormat.resource_type_not_found.format(resource_type_name))
 
-        role_rebuild.apply_async(args=(rid,), queue=ACL_QUEUE)
+        r = Resource.get_by(name=resource_name, resource_type_id=rt.id, app_id=app_id, first=True, to_dict=False)
+
+        return r and cls.get_all(r.id)
 
     @staticmethod
-    def revoke(rid, perms, resource_id=None, group_id=None):
+    def grant(rid, perms, resource_id=None, group_id=None, rebuild=True,
+              source=AuditOperateSource.acl, force_update=False):
+        app_id = None
+        rt_id = None
+
+        from api.lib.perm.acl.resource import ResourceTypeCRUD
+
+        if resource_id is not None:
+            from api.models.acl import Resource
+
+            resource = Resource.get_by_id(resource_id) or abort(404, ErrFormat.resource_not_found.format(
+                "id={}".format(resource_id)))
+
+            app_id = resource.app_id
+            rt_id = resource.resource_type_id
+            if not perms:
+                perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(resource.resource_type_id)]
+
+        elif group_id is not None:
+            from api.models.acl import ResourceGroup
+
+            group = ResourceGroup.get_by_id(group_id) or abort(
+                404, ErrFormat.resource_group_not_found.format("id={}".format(group_id)))
+            app_id = group.app_id
+            rt_id = group.resource_type_id
+            if not perms:
+                perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(group.resource_type_id)]
+
+        if force_update:
+            revoke_role_permissions = []
+            existed_perms = RolePermission.get_by(rid=rid,
+                                                  app_id=app_id,
+                                                  group_id=group_id,
+                                                  resource_id=resource_id,
+                                                  to_dict=False)
+            for role_perm in existed_perms:
+                perm = PermissionCache.get(role_perm.perm_id, rt_id)
+                if perm and perm.name not in perms:
+                    role_perm.soft_delete()
+                    revoke_role_permissions.append(role_perm)
+
+            AuditCRUD.add_permission_log(app_id, AuditOperateType.revoke, rid, rt_id,
+                                         revoke_role_permissions, source=source)
+
+        _role_permissions = []
+        for _perm in set(perms):
+            perm = PermissionCache.get(_perm, rt_id)
+            if not perm:
+                continue
+
+            existed = RolePermission.get_by(rid=rid,
+                                            app_id=app_id,
+                                            perm_id=perm.id,
+                                            group_id=group_id,
+                                            resource_id=resource_id)
+
+            if not existed:
+                __role_permission = RolePermission.create(rid=rid,
+                                                          app_id=app_id,
+                                                          perm_id=perm.id,
+                                                          group_id=group_id,
+                                                          resource_id=resource_id)
+                _role_permissions.append(__role_permission)
+
+        if rebuild:
+            role_rebuild.apply_async(args=(rid, app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_permission_log(app_id, AuditOperateType.grant, rid, rt_id, _role_permissions,
+                                     source=source)
+
+    @staticmethod
+    def batch_grant_by_resource_names(rid, perms, resource_type_id, resource_names,
+                                      resource_ids=None, perm_map=None, app_id=None):
+
+        from api.lib.perm.acl.resource import ResourceTypeCRUD
+
+        if resource_names:
+            resource_ids = []
+            from api.models.acl import Resource
+
+            for n in resource_names:
+                resource = Resource.get_by(name=n, resource_type_id=resource_type_id, first=True, to_dict=False)
+                if resource:
+                    app_id = resource.app_id
+                    if not perms:
+                        perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(resource.resource_type_id)]
+
+                    resource_ids.append(resource.id)
+        resource_ids = resource_ids or []
+
+        _role_permissions = []
+        if isinstance(perm_map, dict):
+            perm2resource = dict()
+            for resource_id in resource_ids:
+                for _perm in (perm_map.get(str(resource_id)) or []):
+                    perm2resource.setdefault(_perm, []).append(resource_id)
+            for _perm in perm2resource:
+                perm = PermissionCache.get(_perm, resource_type_id)
+                existeds = RolePermission.get_by(rid=rid,
+                                                 app_id=app_id,
+                                                 perm_id=perm.id,
+                                                 __func_in___key_resource_id=perm2resource[_perm],
+                                                 to_dict=False)
+
+                for resource_id in (set(perm2resource[_perm]) - set([i.resource_id for i in existeds])):
+                    _role_permission = RolePermission.create(flush=False,
+                                                             commit=False,
+                                                             rid=rid,
+                                                             app_id=app_id,
+                                                             perm_id=perm.id,
+                                                             resource_id=resource_id,
+                                                             )
+                    _role_permissions.append(_role_permission)
+
+            db.session.commit()
+
+        else:
+            for _perm in perms:
+                perm = PermissionCache.get(_perm, resource_type_id)
+                for resource_id in resource_ids:
+                    existed = RolePermission.get_by(rid=rid,
+                                                    app_id=app_id,
+                                                    perm_id=perm.id,
+                                                    resource_id=resource_id)
+
+                    if not existed:
+                        _role_permission = RolePermission.create(rid=rid,
+                                                                 app_id=app_id,
+                                                                 perm_id=perm.id,
+                                                                 resource_id=resource_id)
+                        _role_permissions.append(_role_permission)
+
+        role_rebuild.apply_async(args=(rid, app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_permission_log(app_id, AuditOperateType.grant, rid, resource_type_id, _role_permissions)
+
+    @staticmethod
+    def revoke(rid, perms, resource_id=None, group_id=None, rebuild=True, source=AuditOperateSource.acl):
+        app_id = None
+        rt_id = None
+
+        from api.lib.perm.acl.resource import ResourceTypeCRUD
+        if resource_id is not None:
+            from api.models.acl import Resource
+
+            resource = Resource.get_by_id(resource_id) or abort(
+                404, ErrFormat.resource_not_found.format("id={}".format(resource_id)))
+            app_id = resource.app_id
+            rt_id = resource.resource_type_id
+            if not perms:
+                perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(resource.resource_type_id)]
+
+        elif group_id is not None:
+            from api.models.acl import ResourceGroup
+
+            group = ResourceGroup.get_by_id(group_id) or abort(
+                404, ErrFormat.resource_group_not_found.format("id={}".format(group_id)))
+            app_id = group.app_id
+
+            rt_id = group.resource_type_id
+            if not perms:
+                perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(group.resource_type_id)]
+        _role_permissions = []
+
         for perm in perms:
-            perm = PermissionCache.get(perm)
+            perm = PermissionCache.get(perm, rt_id)
+            if not perm:
+                continue
             existed = RolePermission.get_by(rid=rid,
                                             perm_id=perm.id,
                                             group_id=group_id,
                                             resource_id=resource_id,
                                             first=True,
                                             to_dict=False)
-            existed and existed.soft_delete()
+            if existed:
+                existed.soft_delete()
+                _role_permissions.append(existed)
 
-        role_rebuild.apply_async(args=(rid,), queue=ACL_QUEUE)
+        if rebuild:
+            role_rebuild.apply_async(args=(rid, app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_permission_log(app_id, AuditOperateType.revoke, rid, rt_id, _role_permissions,
+                                     source=source)
+
+    @staticmethod
+    def batch_revoke_by_resource_names(rid, perms, resource_type_id, resource_names,
+                                       resource_ids=None, perm_map=None, app_id=None):
+
+        from api.lib.perm.acl.resource import ResourceTypeCRUD
+        if resource_names:
+            resource_ids = []
+            from api.models.acl import Resource
+
+            for n in resource_names:
+                resource = Resource.get_by(name=n, resource_type_id=resource_type_id, first=True, to_dict=False)
+                if resource:
+                    app_id = resource.app_id
+                    if not perms:
+                        perms = [i.get('name') for i in ResourceTypeCRUD.get_perms(resource.resource_type_id)]
+
+                    resource_ids.append(resource.id)
+        resource_ids = resource_ids or []
+
+        _role_permissions = []
+        if isinstance(perm_map, dict):
+            perm2resource = dict()
+            for resource_id in resource_ids:
+                for _perm in (perm_map.get(str(resource_id)) or []):
+                    perm2resource.setdefault(_perm, []).append(resource_id)
+            for _perm in perm2resource:
+                perm = PermissionCache.get(_perm, resource_type_id)
+                if perm is None:
+                    continue
+                exists = RolePermission.get_by(rid=rid,
+                                               app_id=app_id,
+                                               perm_id=perm.id,
+                                               __func_in___key_resource_id=perm2resource[_perm],
+                                               to_dict=False)
+                for existed in exists:
+                    existed.deleted = True
+                    existed.deleted_at = datetime.datetime.now()
+                    db.session.add(existed)
+                    _role_permissions.append(existed)
+
+            db.session.commit()
+        else:
+            for _perm in perms:
+                perm = PermissionCache.get(_perm, resource_type_id)
+                for resource_id in resource_ids:
+                    existed = RolePermission.get_by(rid=rid,
+                                                    app_id=app_id,
+                                                    perm_id=perm.id,
+                                                    resource_id=resource_id,
+                                                    first=True, to_dict=False)
+                    if existed:
+                        existed.soft_delete()
+                        _role_permissions.append(existed)
+
+        role_rebuild.apply_async(args=(rid, app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_permission_log(app_id, AuditOperateType.revoke, rid, resource_type_id, _role_permissions)

cmdb-api/api/lib/perm/acl/record.py

@@ -0,0 +1,21 @@
+# -*- coding:utf-8 -*-
+
+from api.models.acl import OperationRecord
+
+
+class OperateRecordCRUD(object):
+    @staticmethod
+    def search(page, page_size, **kwargs):
+        query = OperationRecord.get_by(only_query=True)
+        for k, v in kwargs.items():
+            if hasattr(OperationRecord, k) and v:
+                query = query.filter(getattr(OperationRecord, k) == v)
+
+        numfound = query.count()
+        res = query.offset((page - 1) * page_size).limit(page_size)
+
+        return numfound, res
+
+    @staticmethod
+    def add(app, rolename, operate, obj):
+        OperationRecord.create(app=app, rolename=rolename, operate=operate, obj=obj)

cmdb-api/api/lib/perm/acl/resource.py

@@ -4,7 +4,15 @@
 from flask import abort
 
 from api.extensions import db
+from api.lib.perm.acl.audit import AuditCRUD
+from api.lib.perm.acl.audit import AuditOperateType
+from api.lib.perm.acl.audit import AuditScope
+from api.lib.perm.acl.cache import ResourceCache
+from api.lib.perm.acl.cache import ResourceGroupCache
+from api.lib.perm.acl.cache import UserCache
 from api.lib.perm.acl.const import ACL_QUEUE
+from api.lib.perm.acl.resp_format import ErrFormat
+from api.lib.perm.acl.trigger import TriggerCRUD
 from api.models.acl import Permission
 from api.models.acl import Resource
 from api.models.acl import ResourceGroup
@@ -12,9 +20,12 @@ from api.models.acl import ResourceGroupItems
 from api.models.acl import ResourceType
 from api.models.acl import RolePermission
 from api.tasks.acl import role_rebuild
+from api.tasks.acl import update_resource_to_build_role
 
 
 class ResourceTypeCRUD(object):
+    cls = ResourceType
+
     @staticmethod
     def search(q, app_id, page=1, page_size=None):
         query = db.session.query(ResourceType).filter(
@@ -33,6 +44,15 @@ class ResourceTypeCRUD(object):
 
         return numfound, res, id2perms
 
+    @classmethod
+    def id2name(cls):
+        return {i.id: i.name for i in ResourceType.get_by(to_dict=False)}
+
+    @staticmethod
+    def get_by_name(app_id, name):
+        resource_type = ResourceType.get_by(first=True, app_id=app_id, name=name, to_dict=False)
+        return resource_type
+
     @staticmethod
     def get_perms(rt_id):
         perms = Permission.get_by(resource_type_id=rt_id, to_dict=False)
@@ -40,12 +60,16 @@ class ResourceTypeCRUD(object):
 
     @classmethod
     def add(cls, app_id, name, description, perms):
-        ResourceType.get_by(name=name, app_id=app_id) and abort(
-            400, "ResourceType <{0}> is already existed".format(name))
+        ResourceType.get_by(name=name, app_id=app_id) and abort(400, ErrFormat.resource_type_exists.format(name))
 
         rt = ResourceType.create(name=name, description=description, app_id=app_id)
 
-        cls.update_perms(rt.id, perms, app_id)
+        _, current_perm_ids = cls.update_perms(rt.id, perms, app_id)
+
+        AuditCRUD.add_resource_log(app_id, AuditOperateType.create,
+                                   AuditScope.resource_type, rt.id, {}, rt.to_dict(),
+                                   {'permission_ids': {'current': current_perm_ids, 'origin': []}, }
+                                   )
 
         return rt
 
@@ -53,46 +77,86 @@ class ResourceTypeCRUD(object):
     def update(cls, rt_id, **kwargs):
         kwargs.pop('app_id', None)
 
-        rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
+        rt = ResourceType.get_by_id(rt_id) or abort(404,
+                                                    ErrFormat.resource_type_not_found.format("id={}".format(rt_id)))
         if 'name' in kwargs:
             other = ResourceType.get_by(name=kwargs['name'], app_id=rt.app_id, to_dict=False, first=True)
             if other and other.id != rt_id:
-                return abort(400, "ResourceType <{0}> is duplicated".format(kwargs['name']))
+                return abort(400, ErrFormat.resource_type_exists.format(kwargs['name']))
 
-        if 'perms' in kwargs:
-            cls.update_perms(rt_id, kwargs.pop('perms'), rt.app_id)
+        perms = kwargs.pop('perms', None)
+        current_perm_ids = []
+        existed_perm_ids = []
 
-        return rt.update(**kwargs)
+        if perms:
+            existed_perm_ids, current_perm_ids = cls.update_perms(rt_id, perms, rt.app_id)
+
+        origin = rt.to_dict()
+        rt = rt.update(**kwargs)
+
+        AuditCRUD.add_resource_log(rt.app_id, AuditOperateType.update,
+                                   AuditScope.resource_type, rt.id, origin, rt.to_dict(),
+                                   {'permission_ids': {'current': current_perm_ids, 'origin': existed_perm_ids}, }
+                                   )
+
+        return rt
 
     @classmethod
     def delete(cls, rt_id):
-        rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
+        rt = ResourceType.get_by_id(rt_id) or abort(
+            404, ErrFormat.resource_type_not_found.format("id={}".format(rt_id)))
 
-        cls.update_perms(rt_id, [], rt.app_id)
+        Resource.get_by(resource_type_id=rt_id) and abort(400, ErrFormat.resource_type_cannot_delete)
+
+        origin = rt.to_dict()
+
+        existed_perm_ids, _ = cls.update_perms(rt_id, [], rt.app_id)
 
         rt.soft_delete()
 
+        AuditCRUD.add_resource_log(rt.app_id, AuditOperateType.delete,
+                                   AuditScope.resource_type, rt.id, origin, {},
+                                   {'permission_ids': {'current': [], 'origin': existed_perm_ids}, }
+                                   )
+
     @classmethod
     def update_perms(cls, rt_id, perms, app_id):
         existed = Permission.get_by(resource_type_id=rt_id, to_dict=False)
         existed_names = [i.name for i in existed]
+        existed_ids = [i.id for i in existed]
+        current_ids = []
 
+        rebuild_rids = set()
         for i in existed:
             if i.name not in perms:
-                i.soft_delete()
+                i.soft_delete(commit=False)
+                for rp in RolePermission.get_by(perm_id=i.id, to_dict=False):
+                    rp.soft_delete(commit=False)
+                    rebuild_rids.add((rp.app_id, rp.rid))
+            else:
+                current_ids.append(i.id)
+        db.session.commit()
+        for _app_id, _rid in rebuild_rids:
+            role_rebuild.apply_async(args=(_rid, _app_id), queue=ACL_QUEUE)
 
         for i in perms:
             if i not in existed_names:
-                Permission.create(resource_type_id=rt_id,
-                                  name=i,
-                                  app_id=app_id)
+                p = Permission.create(resource_type_id=rt_id,
+                                      name=i,
+                                      app_id=app_id)
+                current_ids.append(p.id)
+
+        return existed_ids, current_ids
 
 
 class ResourceGroupCRUD(object):
+    cls = ResourceGroup
+
     @staticmethod
-    def search(q, app_id, page=1, page_size=None):
+    def search(q, app_id, resource_type_id, page=1, page_size=None):
         query = db.session.query(ResourceGroup).filter(
-            ResourceGroup.deleted.is_(False)).filter(ResourceGroup.app_id == app_id)
+            ResourceGroup.deleted.is_(False)).filter(ResourceGroup.app_id == app_id).filter(
+            ResourceGroup.resource_type_id == resource_type_id)
 
         if q:
             query = query.filter(ResourceGroup.name.ilike("%{0}%".format(q)))
@@ -108,14 +172,20 @@ class ResourceGroupCRUD(object):
         return [i.resource.to_dict() for i in items]
 
     @staticmethod
-    def add(name, type_id, app_id):
+    def add(name, type_id, app_id, uid=None):
         ResourceGroup.get_by(name=name, resource_type_id=type_id, app_id=app_id) and abort(
-            400, "ResourceGroup <{0}> is already existed".format(name))
+            400, ErrFormat.resource_group_exists.format(name))
+        rg = ResourceGroup.create(name=name, resource_type_id=type_id, app_id=app_id, uid=uid)
 
-        return ResourceGroup.create(name=name, resource_type_id=type_id, app_id=app_id)
+        AuditCRUD.add_resource_log(app_id, AuditOperateType.create,
+                                   AuditScope.resource_group, rg.id, {}, rg.to_dict(), {})
+        return rg
 
     @staticmethod
     def update(rg_id, items):
+        rg = ResourceGroup.get_by_id(rg_id) or abort(
+            404, ErrFormat.resource_group_not_found.format("id={}".format(rg_id)))
+
         existed = ResourceGroupItems.get_by(group_id=rg_id, to_dict=False)
         existed_ids = [i.resource_id for i in existed]
 
@@ -127,60 +197,159 @@ class ResourceGroupCRUD(object):
             if _id not in existed_ids:
                 ResourceGroupItems.create(group_id=rg_id, resource_id=_id)
 
+        AuditCRUD.add_resource_log(rg.app_id, AuditOperateType.update,
+                                   AuditScope.resource_group, rg.id, rg.to_dict(), rg.to_dict(),
+                                   {'resource_ids': {'current': items, 'origin': existed_ids}, }
+                                   )
+
     @staticmethod
     def delete(rg_id):
-        rg = ResourceGroup.get_by_id(rg_id) or abort(404, "ResourceGroup <{0}> is not found".format(rg_id))
+        rg = ResourceGroup.get_by_id(rg_id) or abort(
+            404, ErrFormat.resource_group_not_found.format("id={}".format(rg_id)))
 
+        origin = rg.to_dict()
         rg.soft_delete()
 
         items = ResourceGroupItems.get_by(group_id=rg_id, to_dict=False)
+        existed_ids = []
+
         for item in items:
+            existed_ids.append(item.resource_id)
             item.soft_delete()
 
+        rebuild = set()
         for i in RolePermission.get_by(group_id=rg_id, to_dict=False):
             i.soft_delete()
-            role_rebuild.apply_async(args=(i.rid,), queue=ACL_QUEUE)
+            rebuild.add(i.rid)
+
+        for _rid in rebuild:
+            role_rebuild.apply_async(args=(_rid, rg.app_id), queue=ACL_QUEUE)
+
+        ResourceGroupCache.clean(rg)
+
+        AuditCRUD.add_resource_log(rg.app_id, AuditOperateType.delete,
+                                   AuditScope.resource_group, rg.id, origin, {},
+                                   {'resource_ids': {'current': [], 'origin': existed_ids}, }
+
+                                   )
 
 
 class ResourceCRUD(object):
+    cls = Resource
+
     @staticmethod
-    def search(q, app_id, resource_type_id=None, page=1, page_size=None):
-        query = db.session.query(Resource).filter(
+    def _parse_resource_type_id(type_id, app_id):
+        try:
+            type_id = int(type_id)
+        except ValueError:
+            _type = ResourceType.get_by(name=type_id, app_id=app_id, first=True, to_dict=False)
+            type_id = _type and _type.id
+
+        return type_id
+
+    @classmethod
+    def search(cls, q, u, app_id, resource_type_id=None, page=1, page_size=None):
+        query = Resource.query.filter(
             Resource.deleted.is_(False)).filter(Resource.app_id == app_id)
 
         if q:
             query = query.filter(Resource.name.ilike("%{0}%".format(q)))
 
+        if u and UserCache.get(u):
+            query = query.filter(Resource.uid == UserCache.get(u).uid)
+
         if resource_type_id:
+            resource_type_id = cls._parse_resource_type_id(resource_type_id, app_id)
+
             query = query.filter(Resource.resource_type_id == resource_type_id)
 
         numfound = query.count()
+        res = [i.to_dict() for i in query.offset((page - 1) * page_size).limit(page_size)]
+        for i in res:
+            user = UserCache.get(i['uid']) if i['uid'] else ''
+            i['user'] = user and user.nickname
 
-        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+        return numfound, res
+
+    @classmethod
+    def add(cls, name, type_id, app_id, uid=None):
+        type_id = cls._parse_resource_type_id(type_id, app_id)
 
-    @staticmethod
-    def add(name, type_id, app_id):
         Resource.get_by(name=name, resource_type_id=type_id, app_id=app_id) and abort(
-            400, "Resource <{0}> is already existed".format(name))
+            400, ErrFormat.resource_exists.format(name))
 
-        return Resource.create(name=name, resource_type_id=type_id, app_id=app_id)
+        r = Resource.create(name=name, resource_type_id=type_id, app_id=app_id, uid=uid)
+
+        from api.tasks.acl import apply_trigger
+        triggers = TriggerCRUD.match_triggers(app_id, r.name, r.resource_type_id, uid)
+        for trigger in triggers:
+            # auto trigger should be no uid
+            apply_trigger.apply_async(args=(trigger.id,),
+                                      kwargs=dict(resource_id=r.id, ), queue=ACL_QUEUE)
+
+        AuditCRUD.add_resource_log(app_id, AuditOperateType.create,
+                                   AuditScope.resource, r.id, {}, r.to_dict(), {})
+
+        return r
 
     @staticmethod
     def update(_id, name):
-        resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
+        # todo trigger rebuild
+        resource = Resource.get_by_id(_id) or abort(404, ErrFormat.resource_not_found.format("id={}".format(_id)))
+
+        origin = resource.to_dict()
 
         other = Resource.get_by(name=name, resource_type_id=resource.resource_type_id, to_dict=False, first=True)
         if other and other.id != _id:
-            return abort(400, "Resource <{0}> is duplicated".format(name))
+            return abort(400, ErrFormat.resource_exists.format(name))
 
-        return resource.update(name=name)
+        ResourceCache.clean(resource)
+
+        resource = resource.update(name=name)
+
+        update_resource_to_build_role.apply_async(args=(_id, resource.app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_resource_log(resource.app_id, AuditOperateType.update,
+                                   AuditScope.resource, resource.id, origin, resource.to_dict(), {})
+
+        return resource
 
     @staticmethod
-    def delete(_id):
-        resource = Resource.get_by_id(_id) or abort(404, "Resource <{0}> is not found".format(_id))
+    def delete(_id, rebuild=True, app_id=None):
+        resource = Resource.get_by_id(_id) or abort(404, ErrFormat.resource_not_found.format("id={}".format(_id)))
 
+        if app_id is not None and resource.app_id != app_id:
+            return abort(404, ErrFormat.resource_not_found.format("id={}".format(_id)))
+
+        origin = resource.to_dict()
         resource.soft_delete()
 
+        ResourceCache.clean(resource)
+
+        rebuilds = []
         for i in RolePermission.get_by(resource_id=_id, to_dict=False):
             i.soft_delete()
-            role_rebuild.apply_async(args=(i.rid,), queue=ACL_QUEUE)
+            rebuilds.append((i.rid, i.app_id))
+
+        if rebuild:
+            for rid, app_id in set(rebuilds):
+                role_rebuild.apply_async(args=(rid, app_id), queue=ACL_QUEUE)
+
+        AuditCRUD.add_resource_log(resource.app_id, AuditOperateType.delete,
+                                   AuditScope.resource, resource.id, origin, {}, {})
+
+        return rebuilds
+
+    @classmethod
+    def delete_by_name(cls, name, type_id, app_id):
+        resource = Resource.get_by(name=name, resource_type_id=type_id, app_id=app_id) or abort(
+            400, ErrFormat.resource_exists.format(name))
+
+        return cls.delete(resource.id)
+
+    @classmethod
+    def update_by_name(cls, name, type_id, app_id, new_name):
+        resource = Resource.get_by(name=name, resource_type_id=type_id, app_id=app_id) or abort(
+            400, ErrFormat.resource_exists.format(name))
+
+        return cls.update(resource.id, new_name)

cmdb-api/api/lib/perm/acl/resp_format.py

@@ -0,0 +1,50 @@
+# -*- coding:utf-8 -*-
+
+from flask_babel import lazy_gettext as _l
+
+from api.lib.resp_format import CommonErrFormat
+
+
+class ErrFormat(CommonErrFormat):
+    login_succeed = _l("login successful")  # 登录成功
+    ldap_connection_failed = _l("Failed to connect to LDAP service")  # 连接LDAP服务失败
+    invalid_password = _l("Password verification failed")  # 密码验证失败
+    auth_only_with_app_token_failed = _l("Application Token verification failed")  # 应用 Token验证失败
+    # 您不是应用管理员 或者 session失效(尝试一下退出重新登录)
+    session_invalid = _l(
+        "You are not the application administrator or the session has expired (try logging out and logging in again)")
+
+    resource_type_not_found = _l("Resource type {} does not exist!")  # 资源类型 {} 不存在!
+    resource_type_exists = _l("Resource type {} already exists!")  # 资源类型 {} 已经存在!
+    # 因为该类型下有资源的存在, 不能删除!
+    resource_type_cannot_delete = _l("Because there are resources under this type, they cannot be deleted!")
+
+    user_not_found = _l("User {} does not exist!")  # 用户 {} 不存在!
+    user_exists = _l("User {} already exists!")  # 用户 {} 已经存在!
+    role_not_found = _l("Role {} does not exist!")  # 角色 {} 不存在!
+    role_exists = _l("Role {} already exists!")  # 角色 {} 已经存在!
+    global_role_not_found = _l("Global role {} does not exist!")  # 全局角色 {} 不存在!
+    global_role_exists = _l("Global role {} already exists!")  # 全局角色 {} 已经存在!
+
+    resource_no_permission = _l("You do not have {} permission on resource: {}")  # 您没有资源: {} 的 {} 权限
+    admin_required = _l("Requires administrator permissions")  # 需要管理员权限
+    role_required = _l("Requires role: {}")  # 需要角色: {}
+    # 删除用户角色, 请在 用户管理 页面操作!
+    user_role_delete_invalid = _l("To delete a user role, please operate on the User Management page!")
+
+    app_is_ready_existed = _l("Application {} already exists")  # 应用 {} 已经存在
+    app_not_found = _l("Application {} does not exist!")  # 应用 {} 不存在!
+    app_secret_invalid = _l("The Secret is invalid")  # 应用的Secret无效
+
+    resource_not_found = _l("Resource {} does not exist!")  # 资源 {} 不存在!
+    resource_exists = _l("Resource {} already exists!")  # 资源 {} 已经存在!
+
+    resource_group_not_found = _l("Resource group {} does not exist!")  # 资源组 {} 不存在!
+    resource_group_exists = _l("Resource group {} already exists!")  # 资源组 {} 已经存在!
+
+    inheritance_dead_loop = _l("Inheritance detected infinite loop")  # 继承检测到了死循环
+    role_relation_not_found = _l("Role relationship {} does not exist!")  # 角色关系 {} 不存在!
+
+    trigger_not_found = _l("Trigger {} does not exist!")  # 触发器 {} 不存在!
+    trigger_exists = _l("Trigger {} already exists!")  # 触发器 {} 已经存在!
+    trigger_disabled = _l("Trigger {} has been disabled!")  # Trigger {} has been disabled!

cmdb-api/api/lib/perm/acl/role.py

@@ -1,25 +1,39 @@
 # -*- coding:utf-8 -*-
 
-
+import redis_lock
 import six
 from flask import abort
+from flask import current_app
+from sqlalchemy import or_
 
 from api.extensions import db
+from api.extensions import rd
+from api.lib.perm.acl.app import AppCRUD
+from api.lib.perm.acl.audit import AuditCRUD, AuditOperateType, AuditScope
+from api.lib.perm.acl.cache import AppCache
+from api.lib.perm.acl.cache import HasResourceRoleCache
 from api.lib.perm.acl.cache import RoleCache
 from api.lib.perm.acl.cache import RoleRelationCache
+from api.lib.perm.acl.cache import UserCache
 from api.lib.perm.acl.const import ACL_QUEUE
-from api.models.acl import Resource
+from api.lib.perm.acl.const import OperateType
+from api.lib.perm.acl.resource import ResourceGroupCRUD
+from api.lib.perm.acl.resp_format import ErrFormat
+from api.models.acl import Resource, ResourceGroup
 from api.models.acl import ResourceGroupItems
 from api.models.acl import ResourceType
 from api.models.acl import Role
 from api.models.acl import RolePermission
 from api.models.acl import RoleRelation
+from api.tasks.acl import op_record
 from api.tasks.acl import role_rebuild
 
 
 class RoleRelationCRUD(object):
+    cls = RoleRelation
+
     @staticmethod
-    def get_parents(rids=None, uids=None):
+    def get_parents(rids=None, uids=None, app_id=None, all_app=False):
         rid2uid = dict()
         if uids is not None:
             uids = [uids] if isinstance(uids, six.integer_types) else uids
@@ -29,33 +43,53 @@ class RoleRelationCRUD(object):
         else:
             rids = [rids] if isinstance(rids, six.integer_types) else rids
 
-        res = db.session.query(RoleRelation).filter(
-            RoleRelation.child_id.in_(rids)).filter(RoleRelation.deleted.is_(False))
+        if app_id is not None:
+            res = db.session.query(RoleRelation).filter(
+                RoleRelation.child_id.in_(rids)).filter(RoleRelation.app_id == app_id).filter(
+                RoleRelation.deleted.is_(False)).union(
+                db.session.query(RoleRelation).filter(
+                    RoleRelation.child_id.in_(rids)).filter(RoleRelation.app_id.is_(None)).filter(
+                    RoleRelation.deleted.is_(False)))
+
+        elif not all_app:
+            res = db.session.query(RoleRelation).filter(
+                RoleRelation.child_id.in_(rids)).filter(RoleRelation.app_id.is_(None)).filter(
+                RoleRelation.deleted.is_(False))
+        else:
+            res = db.session.query(RoleRelation).filter(
+                RoleRelation.child_id.in_(rids)).filter(RoleRelation.deleted.is_(False))
+
         id2parents = {}
         for i in res:
-            id2parents.setdefault(rid2uid.get(i.child_id, i.child_id), []).append(RoleCache.get(i.parent_id).to_dict())
+            parent = RoleCache.get(i.parent_id)
+            if parent:
+                id2parents.setdefault(rid2uid.get(i.child_id, i.child_id), []).append(parent.to_dict())
 
         return id2parents
 
     @staticmethod
-    def get_parent_ids(rid):
-        res = RoleRelation.get_by(child_id=rid, to_dict=False)
-
-        return [i.parent_id for i in res]
+    def get_parent_ids(rid, app_id):
+        if app_id is not None:
+            return [i.parent_id for i in RoleRelation.get_by(child_id=rid, app_id=app_id, to_dict=False)] + \
+                   [i.parent_id for i in RoleRelation.get_by(child_id=rid, app_id=None, to_dict=False)]
+        else:
+            return [i.parent_id for i in RoleRelation.get_by(child_id=rid, app_id=app_id, to_dict=False)]
 
     @staticmethod
-    def get_child_ids(rid):
-        res = RoleRelation.get_by(parent_id=rid, to_dict=False)
-
-        return [i.parent_id for i in res]
+    def get_child_ids(rid, app_id):
+        if app_id is not None:
+            return [i.child_id for i in RoleRelation.get_by(parent_id=rid, app_id=app_id, to_dict=False)] + \
+                   [i.child_id for i in RoleRelation.get_by(parent_id=rid, app_id=None, to_dict=False)]
+        else:
+            return [i.child_id for i in RoleRelation.get_by(parent_id=rid, app_id=app_id, to_dict=False)]
 
     @classmethod
-    def recursive_parent_ids(cls, rid):
+    def recursive_parent_ids(cls, rid, app_id):
         all_parent_ids = set()
 
         def _get_parent(_id):
             all_parent_ids.add(_id)
-            parent_ids = RoleRelationCache.get_parent_ids(_id)
+            parent_ids = RoleRelationCache.get_parent_ids(_id, app_id)
             for parent_id in parent_ids:
                 _get_parent(parent_id)
 
@@ -64,12 +98,12 @@ class RoleRelationCRUD(object):
         return all_parent_ids
 
     @classmethod
-    def recursive_child_ids(cls, rid):
+    def recursive_child_ids(cls, rid, app_id):
         all_child_ids = set()
 
         def _get_children(_id):
             all_child_ids.add(_id)
-            child_ids = RoleRelationCache.get_child_ids(_id)
+            child_ids = RoleRelationCache.get_child_ids(_id, app_id)
             for child_id in child_ids:
                 _get_children(child_id)
 
@@ -77,52 +111,124 @@ class RoleRelationCRUD(object):
 
         return all_child_ids
 
-    @staticmethod
-    def add(parent_id, child_id):
-        RoleRelation.get_by(parent_id=parent_id, child_id=child_id) and abort(400, "It's already existed")
+    @classmethod
+    def get_users_by_rid(cls, rid, app_id, rid2obj=None, uid2obj=None):
+        rid2obj = rid2obj or dict()
+        uid2obj = uid2obj or dict()
 
-        RoleRelationCache.clean(parent_id)
-        RoleRelationCache.clean(child_id)
+        users = []
+        rids = cls.recursive_child_ids(rid, app_id)
+        for rid in rids:
+            if rid not in rid2obj:
+                rid2obj[rid] = RoleCache.get(rid)
 
-        return RoleRelation.create(parent_id=parent_id, child_id=child_id)
+            role = rid2obj[rid]
+            if role and role.uid:
+                if role.uid and role.uid not in uid2obj:
+                    uid2obj[role.uid] = UserCache.get(role.uid)
+
+                u = uid2obj.get(role.uid)
+                u = u and u.to_dict()
+                if u:
+                    u.update(dict(role=role.to_dict()))
+                    users.append(u)
+
+        # todo role read log
+        # user_id = AuditCRUD.get_current_operate_uid()
+        # audit_role_log.apply_async(args=(app_id, user_id, result.copy()),
+        #                            queue=ACL_QUEUE)
+
+        return users
 
     @classmethod
-    def delete(cls, _id):
-        existed = RoleRelation.get_by_id(_id) or abort(400, "RoleRelation <{0}> does not exist".format(_id))
+    def add(cls, role, parent_id, child_ids, app_id):
+        with redis_lock.Lock(rd.r, "ROLE_RELATION_ADD", expire=10):
+            db.session.commit()
 
-        child_ids = cls.recursive_child_ids(existed.child_id)
+            result = []
+            for child_id in child_ids:
+                existed = RoleRelation.get_by(parent_id=parent_id, child_id=child_id, app_id=app_id)
+                if existed:
+                    continue
+
+                if parent_id in cls.recursive_child_ids(child_id, app_id):
+                    return abort(400, ErrFormat.inheritance_dead_loop)
+
+                result.append(RoleRelation.create(parent_id=parent_id, child_id=child_id, app_id=app_id).to_dict())
+
+                RoleRelationCache.clean(parent_id, app_id)
+                RoleRelationCache.clean(child_id, app_id)
+
+                if app_id is None:
+                    for app in AppCRUD.get_all():
+                        if app.name != "acl":
+                            RoleRelationCache.clean(child_id, app.id)
+
+        AuditCRUD.add_role_log(app_id, AuditOperateType.role_relation_add,
+                               AuditScope.role_relation, role.id, {}, {},
+                               {'child_ids': list(child_ids), 'parent_ids': [parent_id], }
+                               )
+        return result
+
+    @classmethod
+    def delete(cls, _id, app_id):
+        existed = RoleRelation.get_by_id(_id) or abort(
+            400, ErrFormat.role_relation_not_found.format("id={}".format(_id)))
+
+        child_ids = cls.recursive_child_ids(existed.child_id, app_id)
         for child_id in child_ids:
-            role_rebuild.apply_async(args=(child_id,), queue=ACL_QUEUE)
-
-        RoleRelationCache.clean(existed.parent_id)
-        RoleRelationCache.clean(existed.child_id)
+            role_rebuild.apply_async(args=(child_id, app_id), queue=ACL_QUEUE)
+        role = RoleCache.get(existed.parent_id)
 
         existed.soft_delete()
 
+        RoleRelationCache.clean(existed.parent_id, app_id)
+        RoleRelationCache.clean(existed.child_id, app_id)
+
+        AuditCRUD.add_role_log(app_id, AuditOperateType.role_relation_delete,
+                               AuditScope.role_relation, role.id, {}, {},
+                               {'child_ids': list(child_ids), 'parent_ids': [existed.parent_id], }
+                               )
+
     @classmethod
-    def delete2(cls, parent_id, child_id):
-        existed = RoleRelation.get_by(parent_id=parent_id, child_id=child_id, first=True, to_dict=False)
-        existed or abort(400, "RoleRelation < {0} -> {1} > does not exist".format(parent_id, child_id))
+    def delete2(cls, parent_id, child_id, app_id):
+        existed = RoleRelation.get_by(parent_id=parent_id, child_id=child_id, app_id=app_id, first=True, to_dict=False)
+        existed or abort(400, ErrFormat.role_relation_not_found.format("{} -> {}".format(parent_id, child_id)))
 
-        child_ids = cls.recursive_child_ids(existed.child_id)
-        for child_id in child_ids:
-            role_rebuild.apply_async(args=(child_id,), queue=ACL_QUEUE)
-
-        RoleRelationCache.clean(existed.parent_id)
-        RoleRelationCache.clean(existed.child_id)
+        role = RoleCache.get(existed.parent_id)
 
         existed.soft_delete()
 
+        child_ids = cls.recursive_child_ids(existed.child_id, app_id)
+        for child_id in child_ids:
+            role_rebuild.apply_async(args=(child_id, app_id), queue=ACL_QUEUE)
+
+        RoleRelationCache.clean(existed.parent_id, app_id)
+        RoleRelationCache.clean(existed.child_id, app_id)
+
+        AuditCRUD.add_role_log(app_id, AuditOperateType.role_relation_delete,
+                               AuditScope.role_relation, role.id, {}, {},
+                               {'child_ids': list(child_ids), 'parent_ids': [existed.parent_id], }
+                               )
+
 
 class RoleCRUD(object):
-    @staticmethod
-    def search(q, app_id, page=1, page_size=None, user_role=True):
-        query = db.session.query(Role).filter(Role.deleted.is_(False))
-        query = query.filter(Role.app_id == app_id).filter(Role.uid.is_(None))
+    cls = Role
 
-        if user_role:
-            query1 = db.session.query(Role).filter(Role.deleted.is_(False)).filter(Role.uid.isnot(None))
-            query = query.union(query1)
+    @staticmethod
+    def search(q, app_id, page=1, page_size=None, user_role=True, is_all=False, user_only=False):
+        if user_only:  # only user role
+            query = db.session.query(Role).filter(Role.deleted.is_(False)).filter(Role.uid.isnot(None))
+
+        else:
+            query = db.session.query(Role).filter(Role.deleted.is_(False)).filter(
+                or_(Role.app_id == app_id, Role.app_id.is_(None)))
+            if not user_role:  # only virtual role
+                query = query.filter(Role.uid.is_(None))
+
+        if not is_all:
+            role_ids = list(HasResourceRoleCache.get(app_id).keys())
+            query = query.filter(Role.id.in_(role_ids))
 
         if q:
             query = query.filter(Role.name.ilike('%{0}%'.format(q)))
@@ -132,46 +238,107 @@ class RoleCRUD(object):
         return numfound, query.offset((page - 1) * page_size).limit(page_size)
 
     @staticmethod
-    def add_role(name, app_id=None, is_app_admin=False, uid=None):
-        Role.get_by(name=name, app_id=app_id) and abort(400, "Role <{0}> is already existed".format(name))
+    def add_role(name, app_id=None, is_app_admin=False, uid=None, password=None):
+        if app_id and AppCache.get(app_id).name == "acl":
+            app_id = None
 
-        return Role.create(name=name,
+        Role.get_by(name=name, app_id=app_id) and abort(400, ErrFormat.role_exists.format(name))
+
+        if app_id is not None:
+            Role.get_by(name=name, app_id=None) and abort(400, ErrFormat.global_role_exists.format(name))
+
+        from api.lib.perm.acl.user import UserCRUD
+        key, secret = UserCRUD.gen_key_secret()
+
+        role = Role.create(name=name,
                            app_id=app_id,
                            is_app_admin=is_app_admin,
+                           password=password,
+                           key=key,
+                           secret=secret,
                            uid=uid)
 
+        AuditCRUD.add_role_log(app_id, AuditOperateType.create,
+                               AuditScope.role, role.id, {}, role.to_dict(), {})
+
+        return role
+
     @staticmethod
     def update_role(rid, **kwargs):
         kwargs.pop('app_id', None)
 
-        role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
+        role = Role.get_by_id(rid) or abort(404, ErrFormat.role_not_found.format("rid={}".format(rid)))
+
+        origin = role.to_dict()
 
         RoleCache.clean(rid)
 
-        return role.update(**kwargs)
+        role = role.update(**kwargs)
+
+        if origin['uid'] and kwargs.get('name') and kwargs.get('name') != origin['name']:
+            from api.models.acl import User
+            user = User.get_by(uid=origin['uid'], first=True, to_dict=False)
+            if user:
+                user.update(username=kwargs['name'])
+
+        AuditCRUD.add_role_log(role.app_id, AuditOperateType.update,
+                               AuditScope.role, role.id, origin, role.to_dict(), {},
+                               )
+
+        return role
+
+    @staticmethod
+    def get_by_name(name, app_id):
+
+        role = Role.get_by(name=name, app_id=app_id)
+
+        return role
 
     @classmethod
-    def delete_role(cls, rid):
-        role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
+    def delete_role(cls, rid, force=False):
+        from api.lib.perm.acl.acl import is_admin
+
+        role = Role.get_by_id(rid) or abort(404, ErrFormat.role_not_found.format("rid={}".format(rid)))
+        if not role.app_id and not is_admin():
+            return abort(403, ErrFormat.admin_required)
+
+        not force and role.uid and abort(400, ErrFormat.user_role_delete_invalid)
+
+        origin = role.to_dict()
+
+        child_ids = []
+        parent_ids = []
+        recursive_child_ids = list(RoleRelationCRUD.recursive_child_ids(rid, role.app_id))
 
         for i in RoleRelation.get_by(parent_id=rid, to_dict=False):
+            child_ids.append(i.child_id)
             i.soft_delete()
+
         for i in RoleRelation.get_by(child_id=rid, to_dict=False):
+            parent_ids.append(i.parent_id)
             i.soft_delete()
 
+        role_permissions = []
         for i in RolePermission.get_by(rid=rid, to_dict=False):
+            role_permissions.append(i.to_dict())
             i.soft_delete()
 
-        role_rebuild.apply_async(args=(list(RoleRelationCRUD.recursive_child_ids(rid)), ), queue=ACL_QUEUE)
-
-        RoleCache.clean(rid)
-        RoleRelationCache.clean(rid)
-
         role.soft_delete()
 
+        role_rebuild.apply_async(args=(recursive_child_ids, role.app_id), queue=ACL_QUEUE)
+
+        RoleCache.clean(rid)
+        RoleRelationCache.clean(rid, role.app_id)
+
+        AuditCRUD.add_role_log(role.app_id, AuditOperateType.delete,
+                               AuditScope.role, role.id, origin, {},
+                               {'child_ids': child_ids, 'parent_ids': parent_ids,
+                                'role_permissions': role_permissions, },
+                               )
+
     @staticmethod
-    def get_resources(rid):
-        res = RolePermission.get_by(rid=rid, to_dict=False)
+    def get_resources(rid, app_id):
+        res = RolePermission.get_by(rid=rid, app_id=app_id, to_dict=False)
         id2perms = dict(id2perms={}, group2perms={})
         for i in res:
             if i.resource_id:
@@ -181,24 +348,90 @@ class RoleCRUD(object):
 
         return id2perms
 
+    @staticmethod
+    def _extend_resources(rid, resource_type_id, app_id):
+        res = RoleRelationCache.get_resources2(rid, app_id)
+        resources = {_id: res['resources'][_id] for _id in res['resources']
+                     if not resource_type_id or resource_type_id == res['resources'][_id]['resource_type_id']}
+        groups = {_id: res['groups'][_id] for _id in res['groups']
+                  if not resource_type_id or resource_type_id == res['groups'][_id]['resource_type_id']}
+
+        return resources, groups
+
+    @classmethod
+    def recursive_resources(cls, rid, app_id, resource_type_id=None, group_flat=True, to_record=False):
+        def _merge(a, b):
+            for i in b:
+                if i in a:
+                    a[i]['permissions'] = list(set(a[i]['permissions'] + b[i]['permissions']))
+                else:
+                    a[i] = b[i]
+
+            return a
+
+        try:
+            resource_type_id = resource_type_id and int(resource_type_id)
+        except ValueError:
+            resource_type = ResourceType.get_by(name=resource_type_id, app_id=app_id, first=True, to_dict=False)
+            resource_type_id = resource_type and resource_type.id
+
+        result = dict(resources=dict(), groups=dict())
+        # s = time.time()
+        parent_ids = RoleRelationCRUD.recursive_parent_ids(rid, app_id)
+        # current_app.logger.info('parent ids {0}: {1}'.format(parent_ids, time.time() - s))
+        for parent_id in parent_ids:
+
+            _resources, _groups = cls._extend_resources(parent_id, resource_type_id, app_id)
+            # current_app.logger.info('middle1: {0}'.format(time.time() - s))
+            _merge(result['resources'], _resources)
+            # current_app.logger.info('middle2: {0}'.format(time.time() - s))
+            # current_app.logger.info(len(_groups))
+            if not group_flat:
+                _merge(result['groups'], _groups)
+            else:
+                for rg_id in _groups:
+                    items = ResourceGroupCRUD.get_items(rg_id)
+                    for item in items:
+                        if not resource_type_id or resource_type_id == item['resource_type_id']:
+                            item.setdefault('permissions', [])
+                            item['permissions'] = list(set(item['permissions'] + _groups[rg_id]['permissions']))
+                            result['resources'][item['id']] = item
+        # current_app.logger.info('End: {0}'.format(time.time() - s))
+
+        result['resources'] = list(result['resources'].values())
+        result['groups'] = list(result['groups'].values())
+
+        if to_record:
+            op_record.apply_async(args=(app_id, rid, OperateType.READ, ["resources"]),
+                                  queue=ACL_QUEUE)
+
+            # todo role read log
+            # user_id = AuditCRUD.get_current_operate_uid()
+            # audit_role_log.apply_async(args=(app_id, user_id, result.copy()),
+            #                            queue=ACL_QUEUE)
+        return result
+
     @staticmethod
     def get_group_ids(resource_id):
         return [i.group_id for i in ResourceGroupItems.get_by(resource_id=resource_id, to_dict=False)]
 
     @classmethod
-    def has_permission(cls, rid, resource_name, resource_type, app_id, perm):
-        resource_type = ResourceType.get_by(app_id=app_id, name=resource_type, first=True, to_dict=False)
-        resource_type or abort(404, "ResourceType <{0}> is not found".format(resource_type))
-        type_id = resource_type.id
-        resource = Resource.get_by(name=resource_name, resource_type_id=type_id, first=True, to_dict=False)
-        resource = resource or abort(403, "Resource <{0}> is not in ACL".format(resource_name))
+    def has_permission(cls, rid, resource_name, resource_type_name, app_id, perm, resource_id=None):
+        current_app.logger.debug((rid, resource_name, resource_type_name, app_id, perm))
+        if not resource_id:
+            resource_type = ResourceType.get_by(app_id=app_id, name=resource_type_name, first=True, to_dict=False)
+            resource_type or abort(404, ErrFormat.resource_type_not_found.format(resource_type_name))
+            type_id = resource_type.id
+            resource = Resource.get_by(name=resource_name, resource_type_id=type_id, first=True, to_dict=False)
+            resource = resource or abort(403, ErrFormat.resource_not_found.format(resource_name))
+            resource_id = resource.id
 
-        parent_ids = RoleRelationCRUD.recursive_parent_ids(rid)
-
-        group_ids = cls.get_group_ids(resource.id)
+        parent_ids = RoleRelationCRUD.recursive_parent_ids(rid, app_id)
+        group_ids = cls.get_group_ids(resource_id)
         for parent_id in parent_ids:
-            id2perms = RoleRelationCache.get_resources(parent_id)
-            perms = id2perms['id2perms'].get(resource.id, [])
+            id2perms = RoleRelationCache.get_resources(parent_id, app_id)
+            current_app.logger.debug(id2perms)
+            perms = id2perms['id2perms'].get(resource_id, [])
             if perms and {perm}.issubset(set(perms)):
                 return True
 
@@ -210,19 +443,60 @@ class RoleCRUD(object):
         return False
 
     @classmethod
-    def get_permissions(cls, rid, resource_name):
-        resource = Resource.get_by(name=resource_name, first=True, to_dict=False)
-        resource = resource or abort(403, "Resource <{0}> is not in ACL".format(resource_name))
+    def get_permissions(cls, rid, resource_name, app_id):
 
-        parent_ids = RoleRelationCRUD.recursive_parent_ids(rid)
+        resource = Resource.get_by(name=resource_name, first=True, to_dict=False)
+        resource = resource or abort(403, ErrFormat.resource_not_found.format(resource_name))
+
+        parent_ids = RoleRelationCRUD.recursive_parent_ids(rid, app_id)
         group_ids = cls.get_group_ids(resource.id)
 
         perms = []
         for parent_id in parent_ids:
-            id2perms = RoleRelationCache.get_resources(parent_id)
+            id2perms = RoleRelationCache.get_resources(parent_id, app_id)
             perms += id2perms['id2perms'].get(parent_id, [])
 
             for group_id in group_ids:
                 perms += id2perms['group2perms'].get(group_id, [])
 
         return set(perms)
+
+    @classmethod
+    def list_resources(cls, app_id, rids, resource_type_id=None, q=None):
+
+        query = db.session.query(Resource, RolePermission).filter(
+            Resource.app_id == app_id,
+            Resource.deleted.is_(False),
+            RolePermission.deleted.is_(False),
+            RolePermission.rid.in_(rids),
+        ).join(
+            RolePermission, Resource.id == RolePermission.resource_id
+        )
+
+        if resource_type_id:
+            query = query.filter(Resource.resource_type_id == resource_type_id)
+
+        if q:
+            query = query.filter(Resource.resource_type_id == resource_type_id)
+
+        return query.all()
+
+    @classmethod
+    def list_resource_groups(cls, app_id, rids, resource_type_id=None, q=None):
+
+        query = db.session.query(ResourceGroup, RolePermission).filter(
+            ResourceGroup.app_id == app_id,
+            ResourceGroup.deleted.is_(False),
+            RolePermission.deleted.is_(False),
+            RolePermission.rid.in_(rids),
+        ).join(
+            RolePermission, ResourceGroup.id == RolePermission.group_id
+        )
+
+        if resource_type_id:
+            query = query.filter(ResourceGroup.resource_type_id == resource_type_id)
+
+        if q:
+            query = query.filter(ResourceGroup.resource_type_id == resource_type_id)
+
+        return query.all()