Merge pull request #209 from jumpserver/dev

Dev
jumpserver · Apr 30, 2019 · 212b5b0 · 212b5b0
2 parents 93f247c + 2d89332
commit 212b5b0
Show file tree

Hide file tree

Showing 10 changed files with 73 additions and 19 deletions.
diff --git a/coco/app.py b/coco/app.py
@@ -23,7 +23,7 @@
 from .models import Connection
 
 
-__version__ = '1.4.9'
+__version__ = '1.4.10'
 
 BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 logger = get_logger(__file__)

diff --git a/coco/connection.py b/coco/connection.py
@@ -157,7 +157,7 @@ class TelnetConnection:
     password_pattern = re.compile(
         r'Password:?\s*$|passwd:?\s*$|密\s*码:?\s*$', re.I
     )
-    success_pattern = re.compile(r'Last\s*login|success|成功|#|\$', re.I)
+    success_pattern = re.compile(r'Last\s*login|success|成功|#|>|\$', re.I)
     custom_success_pattern = None
 
     def __init__(self, asset, system_user, client):

diff --git a/coco/const.py b/coco/const.py
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+#
+
+#
+# Permission actions choices
+#
+PERMS_ACTION_NAME_ALL = 'all'
+PERMS_ACTION_NAME_CONNECT = 'connect'
+PERMS_ACTION_NAME_UPLOAD_FILE = 'upload_file'
+PERMS_ACTION_NAME_DOWNLOAD_FILE = 'download_file'
diff --git a/coco/httpd/elfinder/connector.py b/coco/httpd/elfinder/connector.py
@@ -109,8 +109,8 @@ def run_command(self, func_name, args):
         try:
             func()
         except Exception as e:
+            logger.debug(e, exc_info=True)
             self.response['error'] = '%s' % e
-            logger.error(e, exc_info=True)
 
     def get_request_data(self):
         data_source = {}

diff --git a/coco/httpd/elfinder/volumes/sftp.py b/coco/httpd/elfinder/volumes/sftp.py
@@ -140,6 +140,7 @@ def mkdir(self, names, parent, many=False):
         if not many:
             names = [names]
         for name in names:
+            name = name.lstrip(self.path_sep)
             path = self._join(parent_path, name)
             remote_path = self._remote_path(path)
             self.sftp.mkdir(remote_path)
@@ -214,14 +215,11 @@ def remove(self, target):
         """ Delete a File or Directory object. """
         path = self._path(target)
         remote_path = self._remote_path(path)
-        try:
-            info = self.info(target)
-            if info['mime'] == 'directory':
-                self.sftp.rmdir(remote_path)
-            else:
-                self.sftp.unlink(remote_path)
-        except OSError:
-            raise OSError("Delete {} failed".format(self._base_name(path)))
+        info = self.info(target)
+        if info['mime'] == 'directory':
+            self.sftp.rmdir(remote_path)
+        else:
+            self.sftp.unlink(remote_path)
         return target
 
     def upload_as_url(self, url, parent):

diff --git a/coco/proxy.py b/coco/proxy.py
@@ -7,6 +7,7 @@
 
 from .session import Session
 from .models import Server, TelnetServer
+from .const import PERMS_ACTION_NAME_CONNECT
 from .connection import SSHConnection, TelnetConnection
 from .service import app_service
 from .conf import config
@@ -93,15 +94,20 @@ def validate_permission(self):
         验证用户是否有连接改资产的权限
         :return: True or False
         """
-        return app_service.validate_user_asset_permission(
-            self.client.user.id, self.asset.id, self.system_user.id
-        )
+        kwargs = {
+            'user_id': self.client.user.id,
+            'asset_id': self.asset.id,
+            'system_user_id': self.system_user.id,
+            'action_name': PERMS_ACTION_NAME_CONNECT
+        }
+        return app_service.validate_user_asset_permission(**kwargs)
 
     def get_server_conn(self):
         logger.info("Connect to {}:{} ...".format(self.asset.hostname, self.asset.port))
         self.send_connecting_message()
         if not self.validate_permission():
-            self.client.send_unicode(warning(_('No permission')))
+            msg = _('No permission')
+            self.client.send_unicode(warning(wr(msg, before=2, after=0)))
             server = None
         elif self.system_user.protocol == self.asset.protocol == 'telnet':
             server = self.get_telnet_server_conn()

diff --git a/coco/sftp.py b/coco/sftp.py
@@ -11,6 +11,10 @@
 from .conf import config
 from .service import app_service
 from .connection import SSHConnection
+from .const import (
+    PERMS_ACTION_NAME_DOWNLOAD_FILE, PERMS_ACTION_NAME_UPLOAD_FILE,
+    PERMS_ACTION_NAME_ALL,
+)
 
 CURRENT_DIR = os.path.dirname(__file__)
 logger = get_logger(__file__)
@@ -267,11 +271,27 @@ def stat(self, path):
     def lstat(self, path):
         return self.stat(path)
 
+    @staticmethod
+    def validate_permission(system_user, action):
+        check_actions = [PERMS_ACTION_NAME_ALL, action]
+        granted_actions = getattr(system_user, 'actions', [])
+        actions = list(set(granted_actions).intersection(set(check_actions)))
+        return bool(actions)
+
+    def check_action(self, path, action):
+        request = self.parse_path(path)
+        host, su = request['host'], request['su']
+        system_user = self.hosts.get(host, {}).get('system_users', {}).get(su)
+        if not system_user:
+            raise PermissionError("No system user explicit")
+
+        if not self.validate_permission(system_user, action):
+            raise PermissionError("Permission deny")
+
     @convert_error
     def open(self, path, flags, attr=None):
         binary_flag = getattr(os, 'O_BINARY', 0)
         flags |= binary_flag
-        success = False
 
         if flags & os.O_WRONLY:
             if flags & os.O_APPEND:
@@ -288,12 +308,17 @@ def open(self, path, flags, attr=None):
 
         if 'r' in mode:
             operate = "Download"
+            action = PERMS_ACTION_NAME_DOWNLOAD_FILE
         elif 'a' in mode:
             operate = "Append"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE
         else:
             operate = "Upload"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE
 
+        success = False
         try:
+            self.check_action(path, action)
             client, rpath = self.get_sftp_client_rpath(path)
             f = client.open(rpath, mode, bufsize=4096)
             f.prefetch()
@@ -309,6 +334,7 @@ def open(self, path, flags, attr=None):
 
     @convert_error
     def remove(self, path):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
         client, rpath = self.get_sftp_client_rpath(path)
         success = False
 
@@ -321,6 +347,7 @@ def remove(self, path):
 
     @convert_error
     def rename(self, src, dest):
+        self.check_action(src, action=PERMS_ACTION_NAME_UPLOAD_FILE)
         client, rsrc = self.get_sftp_client_rpath(src)
         client2, rdest = self.get_sftp_client_rpath(dest)
         success = False
@@ -338,6 +365,7 @@ def rename(self, src, dest):
 
     @convert_error
     def mkdir(self, path, attr=0o755):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
         client, rpath = self.get_sftp_client_rpath(path)
         success = False
 
@@ -352,6 +380,7 @@ def mkdir(self, path, attr=0o755):
 
     @convert_error
     def rmdir(self, path):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
         client, rpath = self.get_sftp_client_rpath(path)
         success = False
 
@@ -405,10 +434,14 @@ def open(self, path, mode, **kwargs):
         client, rpath = self.get_sftp_client_rpath(path)
         if 'r' in mode:
             operate = "Download"
+            action = PERMS_ACTION_NAME_DOWNLOAD_FILE
         else:
             operate = "Upload"
+            action = PERMS_ACTION_NAME_UPLOAD_FILE
+
         success = False
         try:
+            self.check_action(path, action=action)
             f = client.open(rpath, mode, bufsize=4096)
             success = True
             return f
@@ -423,16 +456,23 @@ def lstat(self, path):
         attr = super(InternalSFTPClient, self).lstat.__wrapped__(self, path)
         return attr
 
+    def rename(self, src, dest):
+        return super(InternalSFTPClient, self).rename.__wrapped__(self, src, dest)
+
+    def mkdir(self, path, attr=0o755):
+        return super(InternalSFTPClient, self).mkdir.__wrapped__(self, path, attr)
+
     def rmdir(self, path):
         return super(InternalSFTPClient, self).rmdir.__wrapped__(self, path)
 
     def get_channel(self):
         return FakeChannel.new()
 
     def unlink(self, path):
-        return self.remove(path)
+        return super(InternalSFTPClient, self).remove.__wrapped__(self, path)
 
     def putfo(self, f, path, callback=None, confirm=True):
+        self.check_action(path, action=PERMS_ACTION_NAME_UPLOAD_FILE)
         client, rpath = self.get_sftp_client_rpath(path)
         success = False
         try:

diff --git a/locale/zh_CN/LC_MESSAGES/coco.mo b/locale/zh_CN/LC_MESSAGES/coco.mo
diff --git a/locale/zh_CN/LC_MESSAGES/coco.po b/locale/zh_CN/LC_MESSAGES/coco.po
@@ -83,7 +83,7 @@ msgstr "{T}7) 输入 {green}h{end} 帮助.{R}"
 #: coco/interactive.py:96
 #, python-brace-format
 msgid "{T}8) Enter {green}r{end} to refresh your assets and nodes.{R}"
-msgstr "{T}0) 输入 {green}r{end} 刷新最新的机器和节点信息.{R}"
+msgstr "{T}8) 输入 {green}r{end} 刷新最新的机器和节点信息.{R}"
 
 #: coco/interactive.py:97
 #, python-brace-format

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
@@ -19,7 +19,7 @@ itsdangerous==0.24
 Jinja2==2.10
 jmespath==0.9.3
 jms-storage==0.0.22
-jumpserver-python-sdk==0.0.57
+jumpserver-python-sdk==0.0.58
 MarkupSafe==1.0
 oss2==2.4.0
 paramiko==2.4.1