from time import strftime
from dingtalkchatbot.chatbot import DingtalkChatbot
import json
from oracle_permission import *
import requests
import datetime
import logging
import re
import urllib3
# Route urllib3's "SSL verification recommended" warnings into logging instead of stderr.
logging.captureWarnings(True)

# DingTalk robot webhook; the access_token is redacted in this listing.
# NOTE(review): the token is a credential — read it from the environment or a
# secret store instead of keeping it in source.
webhook = 'https://oapi.dingtalk.com/robot/send?access_token=********************'

# One sample request row. main() reads index 1 as a comma-separated IP list,
# index 2 as the start time and index 3 as the expiry time.
# NOTE(review): main() keeps a commented-out `sql_data()` call, which suggests the
# live rows come from oracle_permission — confirm before relying on this literal.
sql_data = [
    ('xxx', '10.164.15.51', '2022/12/08 09:09:00', '2022/12/08 23:59:00'),
]
###获取所有权限规则
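def get_asset_permissions(*, timeout=30):
    """Fetch every asset-permission rule from the JumpServer API.

    Issues ``GET /api/v1/perms/asset-permissions/`` and returns the decoded
    JSON body unchanged (the API's own structure; nothing is validated here).
    ``asset_permissions_list()`` in this file sends the same request.

    Args:
        timeout: seconds to wait for the connection and the response. The
            original call had no timeout and could block the script forever;
            the default is a review-chosen value, tune it to the environment.

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/perms/asset-permissions/"
    payload = {}
    # Static API token (redacted) plus the session cookie prefix the API expects.
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False is kept from the original; the endpoint is plain http, so it
    # has no effect today — re-enable verification if the URL moves to https.
    response = requests.request('get', url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    return response.json()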
### 创建授权规则
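def create_asset_permissions(account, date_start, date_expired, assets, uuid, system_user_id, *, timeout=30):
    """Create an asset-permission rule that grants *uuid* access to *assets*.

    Args:
        account: name of the new rule (main() passes "<hostname>-<username>").
        date_start: rule start time, in the string form the API accepts
            (main() appends " +0800").
        date_expired: rule expiry time, same form as *date_start*.
        assets: list of asset ids to include in the rule.
        uuid: JumpServer user id the rule is for.
        system_user_id: system-user id attached to the rule.
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Returns:
        The decoded JSON response (main() reads ``is_valid`` from it).

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/perms/asset-permissions/"
    # The rule is created active with every action the original request granted.
    payload = json.dumps({
        "name": account,
        "is_active": True,
        "actions": ["all", "connect", "upload_file", "download_file", "updownload",
                    "clipboard_copy", "clipboard_paste", "clipboard_copy_paste"],
        "date_expired": date_expired,
        "date_start": date_start,
        "assets": assets,
        "users": [uuid],
        "system_users": [system_user_id],
    })
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Content-Type': 'application/json',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("POST", url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    # f-string instead of '+' chains: no TypeError when an id is not a str and
    # no IndexError when *assets* is empty. Wording matches the original print.
    first_asset = assets[0] if assets else ''
    print(f'create_asset_permissions request account:{account},assets:{first_asset}, '
          f'uuid:{uuid}, system_user_id:{system_user_id}, response: {response.text}')
    return response.json()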
# 根据用户列表,用户名去获取用户ID
def get_uuid(user_list, username):
    """Return the ``id`` of the first entry in *user_list* whose ``username``
    equals *username*, or ``None`` when no entry matches."""
    matching_ids = (entry["id"] for entry in user_list if entry["username"] == username)
    return next(matching_ids, None)
## 资产权限ID
def has_permission(asset_permissions, account):
    """Return the ``id`` of the first permission rule named *account*.

    Returns the string ``"none"`` when no rule has that name; callers compare
    against that literal rather than ``None``.
    """
    _missing = object()
    rule_id = next((rule['id'] for rule in asset_permissions if rule['name'] == account), _missing)
    return "none" if rule_id is _missing else rule_id
### 更新资产授权时间
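def update_asset_date(permission_user, permission_id, date_start, date_expired, *, timeout=30):
    """Move the validity window of an existing asset-permission rule.

    Sends ``PUT /api/v1/perms/asset-permissions/<permission_id>/`` with the
    rule name and the new start/expiry times.

    Args:
        permission_user: rule name to keep (main() passes "<hostname>-<username>").
        permission_id: id of the rule, as returned by ``has_permission``.
        date_start: new start time string (main() appends " +0800").
        date_expired: new expiry time string, same form.
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Returns:
        The decoded JSON response (main() reads ``is_valid`` from it).

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/perms/asset-permissions/" + permission_id + "/"
    payload = json.dumps({
        "name": permission_user,
        "date_expired": date_expired,
        "date_start": date_start
    })
    headers = {
        'Authorization': 'Token ***************',
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("PUT", url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    print('update_asset_date' + response.text)
    return response.json()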
### 获取是否有授权规则
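def asset_permissions_list(*, timeout=30):
    """Return all asset-permission rules (decoded JSON list from the API).

    Same request as ``get_asset_permissions()`` in this file; main() passes the
    result to ``has_permission``.

    Args:
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/perms/asset-permissions/"
    payload = ""
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("GET", url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    return response.json()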
### 添加资产到授权规则
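def creat_asset_permission(asset_id, asset_permissionsId, *, timeout=30):
    """Attach one asset to an existing asset-permission rule.

    Posts an asset/assetpermission relation; the response body is printed and
    nothing is returned (callers in this file ignore the result).

    Args:
        asset_id: id of the asset to attach.
        asset_permissionsId: id of the rule to attach it to.
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Raises:
        requests.RequestException: transport failure or timeout.
    """
    url = "http://xx.xx.xx.xx/api/v1/perms/asset-permissions-assets-relations/"
    payload = json.dumps({
        "asset": asset_id,
        "assetpermission": asset_permissionsId
    })
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Content-Type': 'application/json',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("POST", url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    print('creat_asset_permission: ' + response.text)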
###获取所有资产
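def get_asset_list(*, timeout=30):
    """Return every asset known to JumpServer (decoded JSON from the API).

    main() passes the result to ``get_asset`` to resolve IPs to assets.
    The redundant function-local ``import requests`` of the original is gone;
    the module-level import is used.

    Args:
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/assets/assets/"
    payload = {}
    headers = {
        'Authorization': 'Token ***************',
        'Accept': 'application/json',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("GET", url, headers=headers, data=payload,
                                verify=False, timeout=timeout)
    return response.json()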
# 搜索用户
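def search_user(username, *, timeout=30):
    """Search JumpServer users by *username*.

    Returns the decoded JSON search result; main() reads ``count`` and
    ``results`` from it.

    Args:
        username: search term. It originates from the request rows, so it is
            treated as untrusted and sent as a query parameter rather than
            spliced into the URL.
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/users/users/"
    # params= lets requests URL-encode the term, so characters such as '&' or
    # '#' in a username cannot rewrite the query string the way raw string
    # concatenation allowed. Parameter order matches the original URL.
    params = {'search': username, 'offset': 0, 'limit': 15, 'display': 1, 'draw': 1}
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    payload = ""
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("GET", url, headers=headers, params=params, data=payload,
                                verify=False, timeout=timeout)
    return response.json()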
# 根据资产名称,资产IP,资产列表 去查询资产字典
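def get_asset(asset_name, asset_ip, jumpServerAssets):
    """Return the first asset whose ``hostname`` equals *asset_name* or whose
    ``ip`` equals *asset_ip*; print a notice and return ``None`` otherwise.

    main() passes an empty *asset_name*, so matching is effectively by IP.
    Note that an asset with an empty hostname would then also match.

    Args:
        asset_name: hostname to look for ("" to ignore hostnames in practice).
        asset_ip: IP address to look for.
        jumpServerAssets: asset dicts as returned by ``get_asset_list``.
    """
    for asset in jumpServerAssets:
        # `or` short-circuits and only reads asset['ip'] when the hostname
        # did not match; the original's bitwise `|` evaluated both sides.
        if asset['hostname'] == asset_name or asset['ip'] == asset_ip:
            return asset
    print('未能查找到资产, asset name ' + asset_name + 'asset ip ' + asset_ip)
    return None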
###钉钉通知配置
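def dingtalk_robot(username, asset_name, status, date_start, expired_time):
    """Post a markdown notice about a permission request to the DingTalk robot.

    Uses the module-level ``webhook``. The message @-mentions the whole group
    (``is_at_all=True``).

    Args:
        username: JumpServer user the permission is for.
        asset_name: asset (hostname) the permission covers.
        status: rule state shown as 事项状态 (main() passes '有效' or '失效').
        date_start: start time string, shown verbatim.
        expired_time: expiry time string, shown verbatim.
    """
    # Second constructor argument is passed through unchanged as in the
    # original (presumably the signing secret, left empty — confirm).
    robot = DingtalkChatbot(webhook, '')
    red_msg = '<font color="#dd0000">事项名称:权限申请</font>'
    orange_msg = '<font color=" #000000">事项状态:' + status + '</font>'
    user_msg = '<font color=" #000000">堡垒机用户:' + username + '</font>'
    asset_msg = '<font color=" #000000">资产:' + asset_name + '</font>'
    # OA entry point kept from the original but not part of the message:
    # http://xxxxx/seeyon/main.do?method=index
    text = (
        '### **OA审批流程**\n'
        f'**{red_msg}**\n\n'
        f'**{user_msg}**\n\n'
        f'**{asset_msg}**\n\n'
        f'**{orange_msg}**\n\n'
        f'**开始时间:**{date_start}\n\n'
        f'**到期时间:** {expired_time}\n\n'
    )
    robot.send_markdown(title='来自OA权限通知', text=text, is_at_all=True)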
###获取系统用户
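def get_sys_user(host_name, *, timeout=30):
    """Search JumpServer system users of type ``common`` by *host_name*.

    Returns the decoded JSON search result; main() reads ``count`` and the
    first entry's ``id`` from ``results``.

    Args:
        host_name: search term (an asset hostname from the API). Sent as a
            query parameter so it is URL-encoded instead of spliced into the
            URL as the original did.
        timeout: seconds to wait for the request; the original had none and
            could block forever. Review-chosen default.

    Raises:
        requests.RequestException: transport failure or timeout.
        ValueError: the response body is not JSON.
    """
    url = "http://xx.xx.xx.xx/api/v1/assets/system-users/"
    # Parameter order matches the original query string.
    params = {'type': 'common', 'search': host_name, 'offset': 0, 'limit': 15, 'display': 1, 'draw': 1}
    payload = {}
    headers = {
        'Accept': 'application/json',
        'Authorization': 'Token ***************',
        'Cookie': 'SESSION_COOKIE_NAME_PREFIX=jms_'
    }
    # verify=False kept from the original; irrelevant over plain http.
    response = requests.request("GET", url, headers=headers, params=params, data=payload,
                                verify=False, timeout=timeout)
    print('get_sys_user request host_name:' + host_name + ', response: ' + response.text)
    return response.json()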
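if __name__ == '__main__':
    # Script entry point: for each request row, resolve the user and each
    # requested IP to JumpServer objects, then create or extend the
    # asset-permission rule and notify DingTalk.
    urllib3.disable_warnings()
    jms_url = 'http://xx.xx.xx.xx'  # JumpServer base URL; not referenced below
    # NOTE(review): the original kept `# oracle_data = sql_data()` here, which
    # suggests live rows come from oracle_permission; the module-level sample
    # list is what is iterated now.
    for jms in sql_data:
        # Row layout used below: [1] comma-separated asset IPs, [2] start time,
        # [3] expiry time. Every column is tried as a username candidate and
        # the regex skips values that do not start with a lowercase letter.
        for users in jms:
            if users is None:
                continue
            tmp_user_list = users.split('、', -1)
            for user in tmp_user_list:
                if re.match('[a-z]', user) is None:
                    continue
                if search_user(user)['count'] == 0:
                    continue
                jumpserveruser = user
                date_start = jms[2]
                date_expired = jms[3]
                service_ip = jms[1]
                print(type(service_ip))
                service_ip = service_ip.split(",")
                print(type(service_ip))
                # The API is given timestamps with an explicit +0800 offset.
                date_start = date_start + " +0800"
                date_expired = date_expired + " +0800"
                username = jumpserveruser
                account = username
                # Resolve the JumpServer user id.
                data = search_user(account)
                results = data["results"]
                if data["count"] == 0:
                    print("用户不存在: " + account)
                    raise Exception('jumpserver 未找到系统对应的用户 ' + username)
                uuid = get_uuid(results, username)
                # Resolve each requested IP to an asset and grant or extend access.
                asset_list = get_asset_list()
                for i in service_ip:
                    try:
                        asset = get_asset("", i, asset_list)
                        if asset is None:
                            continue
                        host_name = asset["hostname"]
                        print("找到资产" + host_name)
                        asset_name = asset['hostname']
                        asset_id = asset['id']
                        # Look up the system-user id for this host. The original
                        # wrapped this in try/except/finally: the handler did
                        # `'...' + e` (a TypeError) and the finally printed
                        # system_user_id before it was assigned (NameError) or
                        # silently reused the previous host's id. A malformed
                        # response now propagates instead.
                        system_users = get_sys_user(asset_name)
                        if system_users['count'] > 0:
                            system_user_id = system_users['results'][0]['id']
                        else:
                            print('can not find system_user_id for host: ' + asset_name + ',username: ' + username)
                            continue
                        print('system_user_id: ' + system_user_id)
                        # Rule naming convention: "<hostname>-<username>".
                        permission_user = host_name + "-" + username
                        asset_permissions = asset_permissions_list()
                        permission_id = has_permission(asset_permissions, permission_user)
                        if permission_id != 'none':
                            # Existing rule: only move its validity window.
                            update_asset_date_res = update_asset_date(permission_user, permission_id, date_start, date_expired)
                            status_str = '有效' if update_asset_date_res['is_valid'] else '失效'
                            dingtalk_robot(username, host_name, status_str, date_start, date_expired)
                        else:
                            # NOTE(review): the '0' check is kept from the original;
                            # confirm what value it was meant to catch.
                            if asset_id == '0':
                                raise Exception('jumpserver 未找到系统对应的资产 ' + asset_name)
                            create_asset_permissions_res = create_asset_permissions(
                                permission_user, date_start, date_expired, [asset_id], uuid, system_user_id)
                            # TODO: check whether create_asset_permissions_res['id'] is actually usable
                            status_str = '有效' if create_asset_permissions_res['is_valid'] else '失效'
                            dingtalk_robot(username, host_name, status_str, date_start, date_expired)
                    finally:
                        print('最后执行')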
#
致远OA打通jumpserver钉钉通知