优化ldap登陆有页面访问权限

.gitignore

@@ -20,3 +20,4 @@ var/
 *.tar.gz
 gitversion
 .DS_Store
+.idea/

rrd/config.py

@@ -54,6 +54,7 @@
 LDAP_TLS_KEYFILE = ""
 LDAP_TLS_REQUIRE_CERT = True
 LDAP_TLS_CIPHER_SUITE = ""
+ROOT_PASSWD = os.environ.get("ROOT_PASSWD","ROOT PASSWORD")
 
 # i18n
 BABEL_DEFAULT_LOCALE   = 'zh_CN'

rrd/templates/base.html

@@ -27,6 +27,10 @@
             }
             select {font-size:12px;}
             input {font-size:12px;}
+            .danger a{color:red;}
+            .danger{color:red;}
+            .attention{color:#FF00CC;}
+            .attention a{color:#FF00CC;}
         </style>
     {% endblock %}
 

rrd/templates/navbar.html

@@ -15,11 +15,13 @@
                <li><a href="/screen/add">+screen</a></li>
            </ul>
           </li>
+          {%if g.user.is_admin() or g.user.is_root() %}
           <li {%if g.nav_menu == "p_hostgroup"%}class="active"{%endif%}><a href="/portal/hostgroup">HostGroups</a></li>
           <li {%if g.nav_menu == "p_template"%}class="active"{%endif%}><a href="/portal/template">Templates</a></li>
           <li {%if g.nav_menu == "p_expression"%}class="active"{%endif%}><a href="/portal/expression">Expressions</a></li>
           <li {%if g.nav_menu == "p_nodata"%}class="active"{%endif%}><a href="/portal/nodata">Nodata</a></li>
           <li {%if g.nav_menu == "p_alarm-dash"%}class="active"{%endif%}><a href="/portal/alarm-dash/case">Alarm-Dashboard</a></li>
+          {%endif%}
           <li class="dropdown">
               <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false">
                   {%if g.user%} Welcome {{g.user.name}}{%else%}Sign in{%endif%}<span class="caret"></span></a>

rrd/templates/portal/alarm/case.html

@@ -10,13 +10,30 @@ <h4 class="panel-title">{{_('alerting cases')}}
         <div class="panel-body">
             <div class="alarms">
                 {%for case in cases%}
-                <div class="alarm">
-                    <input type="checkbox" alarm="{{case.id}}">
+                    {% if case.priority == 0 %}
+                        <div class="alarm danger">
+                    {% elif case.priority < 3 %}
+                        <div class="alarm attention">
+                    {% else %}
+                        <div class="alarm">
+                    {% endif %}
+                    {% if case.status.startswith("OK") %}
+                        <input type="checkbox" alarm="{{case.id}}">
+                    {% endif %}
                     {{case.status}} P{{case.priority}}
-                    [第<span class="orange">#{{case.current_step}}</span>次/最大{{case.max_step}}次]
-                    <span class="orange">{{case.timestamp|time_duration}}</span>
-                    <span class="gray">[</span>
-                    <a href="/portal/template/view/{{case.template_id}}" target="_blank">template</a>
+
+                    {% if case.priority < 3 %}
+                        [第#{{case.current_step}}次/最大{{case.max_step}}次]
+                        {{case.timestamp|time_duration}}
+                        [
+                        <a href="/portal/template/view/{{case.template_id}}" target="_blank">template</a>
+                    {% else %}
+                        [第<span class="orange">#{{case.current_step}}</span>次/最大{{case.max_step}}次]
+                        <span class="orange">{{case.timestamp|time_duration}}</span>
+                        <span class="gray">[</span>
+                        <a href="/portal/template/view/{{case.template_id}}" target="_blank">template</a>
+                    {% endif %}
+
 
                     {%if case.strategy_id>0%}
                     <span class="cut-line">¦</span>
@@ -28,11 +45,17 @@ <h4 class="panel-title">{{_('alerting cases')}}
                     <a href="/portal/expression/view/{{case.expression_id}}" target="_blank">expression</a>
                     {%endif%}
 
-                    <span class="cut-line">¦</span>
-                    <a href="javascript:alarm_case_rm('{{case.id}}');">delete</a>
+                    {% if case.status.startswith("OK") %}
+                        <span class="cut-line">¦</span>
+                        <a href="javascript:alarm_case_rm('{{case.id}}');">delete</a>
+                    {% endif %}
                     <span class="cut-line">¦</span>
                     <a href="/portal/alarm-dash/case/event?case_id={{case.id}}">{{_('event list')}}</a>
-                    <span class="gray">]</span>
+                    {% if case.priority < 3 %}
+                        ]
+                    {% else %}
+                        <span class="gray">]</span>
+                    {% endif %}
                     </br>
 
                     <span style="padding-left:17px;"> {{case.endpoint}} 
@@ -43,7 +66,11 @@ <h4 class="panel-title">{{_('alerting cases')}}
                         <span class="cut-line">¦</span> 
                         {{case.cond}}</span>
                         <span class="cut-line">¦</span> 
-                        <span class="gray">note: {{case.note}}</span>
+                        {% if case.priority < 3 %}
+                            note: {{case.note}}
+                        {% else %}
+                            <span class="gray">note: {{case.note}}</span>
+                        {% endif %}
                 </div>
                 <hr>
                 {%endfor%}
@@ -57,6 +84,13 @@ <h4 class="panel-title">{{_('alerting cases')}}
         <div class="pull-left">
             {{ blocks.pager('/portal/alarm-dash/case?status='+status, total, limit, page) }}
         </div>
+        <script language="JavaScript">
+            function myrefresh()
+            {
+            window.location.reload();
+            }
+            setTimeout('myrefresh()',10000); //指定1秒刷新一次
+        </script>
 
     </div>
 {%endblock%}

rrd/view/__init__.py

@@ -16,7 +16,7 @@
 
 import datetime
 import time
-from flask import g, session, request, redirect
+from flask import g, abort, session, request, redirect
 
 from rrd import app, config
 from rrd.view.utils import get_usertoken_from_session, get_current_user_profile
@@ -64,7 +64,9 @@ def app_before():
             not path.startswith("/portal/links/") and \
             not path.startswith("/auth/register"):
         return redirect("/auth/login")
-
+    if path.startswith("/portal/"):
+        if not (g.user.is_admin() or g.user.is_root()):
+            return abort(403, "no such privilege")
     if path.startswith("/screen"):
         g.nav_menu = "nav_screen"
     elif path.startswith("/portal/hostgroup") or path.startswith("/portal/group"):

rrd/view/auth/auth.py

@@ -38,7 +38,9 @@ def auth_login():
         ret = { "msg": "", }
 
         name = request.form.get("name")
+        user_id = -1
         password = request.form.get("password")
+        random_pass = view_utils.gen_random_pass(12)
         ldap = request.form.get("ldap") or "0"
 
         if not name or not password:
@@ -52,15 +54,39 @@ def auth_login():
                 h = {"Content-type":"application/json"}
                 d = {
                     "name": name,
-                    "password": password,
+                    "password": random_pass,
                     "cnname": ldap_info['cnname'],
                     "email": ldap_info['email'],
                     "phone": ldap_info['phone'],
                 }
 
-                r = requests.post("%s/user/create" %(config.API_ADDR,), \
-                        data=json.dumps(d), headers=h)
-                log.debug("%s:%s" %(r.status_code, r.text))
+                root_sig = view_utils.get_root_sig("root", config.ROOT_PASSWD)
+                if not root_sig:
+                    ret["msg"] = "ldap user login failed"
+                    return json.dumps(ret)
+
+                Apitoken = {"name":"root", "sig":root_sig}
+                h.update({"apitoken":json.dumps(Apitoken)})
+                r = requests.get("%s/user/name/%s" % (config.API_ADDR,name), headers=h)
+                if r.status_code == 200:
+                    j = r.json()
+                    user_id = j["id"]
+
+                    d = {
+                        "user_id": user_id, "password": random_pass,
+                    }
+                    req = requests.put("%s/admin/change_user_passwd" % (config.API_ADDR,), \
+                                       data=json.dumps(d), headers=h)
+                    log.debug("%s:%s" % (req.status_code, req.text))
+
+                    if req.status_code != 200:
+                        raise Exception("%s %s" % (req.status_code, req.text))
+                else:
+                    req = requests.post("%s/user/create" %(config.API_ADDR,), \
+                            data=json.dumps(d), headers=h)
+                    log.debug("%s:%s" %(req.status_code, reqr.text))
+
+                password = random_pass
 
                 #TODO: update password in db if ldap password changed
             except Exception as e:

rrd/view/utils.py

@@ -16,6 +16,7 @@
 
 import json
 import requests
+import random
 from flask import g, redirect, session, abort, request
 
 from functools import wraps
@@ -116,6 +117,17 @@ def login_user(name, password):
     set_user_cookie(ut, session)
     return ut
 
+def get_root_sig(name, password):
+    params = {
+        "name": name,
+        "password": password,
+    }
+    r = requests.post("%s/user/login" %config.API_ADDR, data=params)
+    if r.status_code != 200:
+        raise Exception("%s : %s" %(r.status_code, r.text))
+
+    j = r.json()
+    return j["sig"]
 
 def ldap_login_user(name, password):
     import ldap
@@ -179,3 +191,10 @@ def ldap_login_user(name, password):
         raise e
     finally:
         cli and cli.unbind_s()
+
+def gen_random_pass(pass_len):
+    s = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+{}|:"<>?'
+    nonce = ''
+    for i in range(pass_len):
+        nonce = "%s%s" % (nonce, random.choice(s))
+    return nonce