Documentation
Index ¶
- Constants
- Variables
- func FmtDingtalkApproveFile(envType []string) string
- func LoadYaml(configFile string)
- func MatchPolicy(user User, inPutAction Action, server Server, dbPolicies []Policy, onlyIp bool) bool
- func MatchPolicyOwner(user User, server Server) bool
- func MatchServerByFilter(filter ServerFilterV1, server Server, onlyIp bool) bool
- func MatchUserGroup(user User, server Server) bool
- func ServerListToMap(s []Server) map[string]Server
- type Action
- type AddKeyRequest
- type AddScpRecordRequest
- type AddSshLoginRequest
- type ApprovalMut
- type ApprovalResult
- type ArrayString
- type AuthorizedKey
- type Broadcast
- type Config
- type CreateBroadcastRequest
- type CreateProfileRequest
- type CreateProxyRequest
- type CreateShellTaskRecordRequest
- type CreateShellTaskRequest
- type KV
- type Key
- type Keys
- type LocalServer
- type MatchResult
- type PGConfig
- type Period
- type Policy
- type PolicyOld
- type PolicyQueryRequest
- type PolicyRequest
- type Profile
- type Proxy
- type QueryLoginRequest
- type QueryRecordRequest
- type QueryScpRequest
- type SSHAlert
- type SSHLoginRecord
- type SSHUser
- type ScpRecord
- type Server
- type ServerFilter
- type ServerFilterV1
- type Servers
- type ShellTask
- type ShellTaskRecord
- type Status
- type StringSlice
- type User
- type UserPatchMut
- type UserRequest
- type WithDingtalk
- type WithLdap
- type WithPolicy
- type WithSSHCheck
- type WithVideo
Constants ¶
// Policy actions. Each allow action has an explicit Deny* counterpart; the
// string value is what is stored in Policy.Actions and in the presets below.
const (
	Connect      Action = "connect"
	DenyConnect  Action = "deny_connect"
	Download     Action = "download"
	DenyDownload Action = "deny_download"
	Upload       Action = "upload"
	DenyUpload   Action = "deny_upload"
)

// Policy validity periods; ExpireTimes maps each one to a time.Duration.
const (
	OneDay   Period = "1d"
	OneWeek  Period = "1w"
	OneMonth Period = "1m"
	OneYear  Period = "1y"
	Forever  Period = "ever"
)
// ServerPemStatusNone (0) means the server has no key (pem) on record. It is
// the first value of the server pem status enumeration.
const ServerPemStatusNone = iota
Variables ¶
// Preset action sets. These are package-level slices; treat them as read-only.
var (
	ConnectOnly        = ArrayString{string(Connect)}
	DownloadOnly       = ArrayString{string(Download)}
	UploadOnly         = ArrayString{string(Upload)}
	ConnectAndDownload = ArrayString{string(Connect), string(Download)}
	ConnectAndUpload   = ArrayString{string(Connect), string(Upload)}
	DownloadAndUpload  = ArrayString{string(Download), string(Upload)}
	// DenyALL is the explicit denial of every action; it is deliberately not
	// listed in DefaultPolicies.
	DenyALL = ArrayString{string(DenyConnect), string(DenyDownload), string(DenyUpload)}
	All     = ArrayString{string(Connect), string(Download), string(Upload)}
)

// DefaultPolicies maps a preset name to its allow action set.
var DefaultPolicies = map[string]ArrayString{
	"All":                All,
	"ConnectOnly":        ConnectOnly,
	"DownloadOnly":       DownloadOnly,
	"UploadOnly":         UploadOnly,
	"ConnectAndDownload": ConnectAndDownload,
	"ConnectAndUpload":   ConnectAndUpload,
	"DownloadAndUpload":  DownloadAndUpload,
}

// ExpireTimes maps a Period to the policy lifetime it grants. Forever is
// approximated as 100 years; OneMonth is a fixed 30 days.
var ExpireTimes = map[Period]time.Duration{
	OneDay:   time.Hour * 24,
	OneWeek:  time.Hour * 24 * 7,
	OneMonth: time.Hour * 24 * 30,
	OneYear:  time.Hour * 24 * 365,
	Forever:  time.Hour * 24 * 365 * 100,
}
Functions ¶
func FmtDingtalkApproveFile ¶
审批表单目前只支持prod,dev,stage,none todo:判断策略属于审批的那个单子
func MatchPolicy ¶
func MatchPolicy(user User, inPutAction Action, server Server, dbPolicies []Policy, onlyIp bool) bool
对用户,策略,服务器,动作做权限判断 onlyIp 用来兼容策略对上传下载的判断,因为上传下载信息只会有 IP 信息。
func MatchServerByFilter ¶
func MatchServerByFilter(filter ServerFilterV1, server Server, onlyIp bool) bool
匹配服务器和过滤条件是否符合 支持多维度的并联匹配,ServerFilterV1如果属性没有为nil,则要进行联合匹配
func ServerListToMap ¶
ServerListToMap converts a server list to a map using privateIp as the key.
Types ¶
type AddKeyRequest ¶
// AddKeyRequest is the request body (and YAML entry, via mapstructure) for
// registering a cloud key pair.
type AddKeyRequest struct {
	IdentityFile *string `json:"identity_file" mapstructure:"identity_file"`               // private key file name as downloaded from the cloud console, e.g. jms-key.pem
	PemBase64    *string `json:"pem_base64" binding:"required" mapstructure:"pem_base64"` // base64-encoded PEM private key; secret material, keep it out of logs
	KeyID        *string `json:"key_id" binding:"required" mapstructure:"key_id"`         // cloud-side key id, e.g. skey-123456
	Profile      *string `json:"profile"`                                                  // cloud account profile, e.g. aws, aliyun
}
type AddScpRecordRequest ¶
type AddSshLoginRequest ¶
type ApprovalMut ¶
// ApprovalMut is the request body of an access-approval application; it is
// converted into a PolicyRequest by ToPolicyMut.
type ApprovalMut struct {
	Users ArrayString `json:"users" binding:"required"`
	// Groups ArrayString `json:"groups"`
	Applicant    *string         `json:"applicant" binding:"required"` // applicant's AD user name or email
	Name         *string         `json:"name"`
	Period       *Period         `json:"period"`  // approval validity period; one week by default per the original note
	Actions      []Action        `json:"actions"` // requested actions; connect only by default per the original note
	ServerFilter *ServerFilterV1 `json:"server_filter" binding:"required"`
}
func (*ApprovalMut) ToPolicyMut ¶
func (a *ApprovalMut) ToPolicyMut() *PolicyRequest
type ApprovalResult ¶
type ArrayString ¶
// ArrayString is a []string persisted as a JSON column; *ArrayString
// implements sql.Scanner through Scan (declared elsewhere in this package).
type ArrayString []string
func (*ArrayString) Scan ¶
func (a *ArrayString) Scan(value interface{}) error
type AuthorizedKey ¶
// AuthorizedKey is a user's SSH public key as persisted by gorm.
type AuthorizedKey struct {
	gorm.Model
	IsDelete  bool   `gorm:"column:is_delete;type:boolean;not null;default:false"` // soft-delete flag
	UUID      string `gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	UserName  string `gorm:"column:user_name;type:varchar(255);not null"` // AD user name
	PublicKey string `gorm:"column:public_key;type:text;not null"`         // public half only; no private key material lives in this table
}
type Broadcast ¶
type Config ¶
// Config is the top-level YAML configuration; mapstructure tags are the YAML
// keys. Several sections carry credentials (Profiles, Proxys, Keys, WithLdap),
// so the config file itself should be treated as a secret.
type Config struct {
	Profiles     []CreateProfileRequest `mapstructure:"profiles"`     // cloud account profiles used to sync cloud server inventory automatically
	Proxys       []CreateProxyRequest   `mapstructure:"proxies"`      // ssh proxies
	Keys         Keys                   `mapstructure:"keys"`         // key pairs used to reach servers
	LocalServers []LocalServer          `mapstructure:"localServers"` // manually added servers
	WithVideo    WithVideo              `mapstructure:"withVideo"`    // video storage
	WithLdap     WithLdap               `mapstructure:"withLdap"`     // ldap settings
	WithSSHCheck WithSSHCheck           `mapstructure:"withSSHCheck"` // alerting on server SSH reachability
	WithDB       WithPolicy             `mapstructure:"withDB"`       // enable to manage permissions; when enabled, permissions are kept in the database
	WithDingtalk WithDingtalk           `mapstructure:"withDingtalk"` // DingTalk approval workflow
	Broadcast    string                 `mapstructure:"broadcast"`    // broadcast message
}
Config config
// Conf is the process-wide configuration. It is package-level mutable state;
// presumably populated by LoadYaml — confirm it is set before any reader runs.
var Conf *Config
type CreateBroadcastRequest ¶
type CreateProfileRequest ¶
type CreateProxyRequest ¶
// CreateProxyRequest is the request body (and YAML entry) describing an ssh
// proxy; ToProxy converts it to the persisted Proxy.
type CreateProxyRequest struct {
	Name         *string `json:"name" binding:"required" mapstructure:"name"`    // proxy name, unique
	Host         *string `json:"host" mapstructure:"host"`
	Port         *int    `json:"port" mapstructure:"port"`
	IPPrefix     *string `json:"ip_prefix" mapstructure:"ip_prefix"`         // servers whose IP starts with this prefix go through the proxy, e.g. 192.168.1
	LoginUser    *string `json:"login_user" mapstructure:"login_user"`       // login user for the key, e.g. root or ec2-user
	LoginPasswd  *string `json:"login_passwd" mapstructure:"login_passwd"`   // either a password or a key is required; the password takes precedence
	KeyID        *string `json:"key_id" mapstructure:"key_id"`               // KeyID and IdentityFile both select the pem used for authentication; KeyID is unique and takes precedence
	IdentityFile *string `json:"identity_file" mapstructure:"identity_file"` // pem file name; may collide across accounts, so use KeyID when the name is ambiguous
}
func (*CreateProxyRequest) ToProxy ¶
func (req *CreateProxyRequest) ToProxy() (Proxy, error)
type CreateShellTaskRecordRequest ¶
// CreateShellTaskRecordRequest is the request body for recording one execution
// of a shell task on one server.
type CreateShellTaskRecordRequest struct {
	TaskID     *string `json:"task_id" binding:"required"`
	TaskName   *string `json:"task_name"`
	Shell      *string `json:"shell" binding:"required"`
	ServerIP   *string `json:"server_ip" binding:"required"`
	ServerName *string `json:"server_name"`
	CostTime   *string `json:"cost_time"`
	ExecTimes  *int    `json:"exec_times"`                   // execution count, taken from the task's exec_times field
	IsSuccess  *bool   `json:"is_success" binding:"required"` // whether the execution succeeded
	Output     *string `json:"output" binding:"required"`
}
type CreateShellTaskRequest ¶
// CreateShellTaskRequest is the request body for creating a ShellTask. Shell
// is an arbitrary script run on the selected servers, so the caller's
// authorization for this endpoint matters as much as the filter does.
type CreateShellTaskRequest struct {
	Name    *string         `json:"name" binding:"required"`    // task name, unique
	Shell   *string         `json:"shell" binding:"required"`   // script body
	Corn    *string         `json:"corn"`                       // cron expression for scheduled runs; omit for a one-off run (the "corn" spelling is the existing API key)
	Servers *ServerFilterV1 `json:"servers" binding:"required"` // servers to run on
}
type Key ¶
// Key is a cloud key pair as persisted by gorm.
type Key struct {
	gorm.Model `json:"-"`
	IsDelete   bool   `gorm:"column:is_delete;type:boolean;not null;default:false"` // soft-delete flag
	UUID       string `gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	KeyID      string `gorm:"column:key_id;type:varchar(36);unique_index;not null"`     // cloud-side key id
	KeyName    string `gorm:"column:key_name;type:varchar(255);unique_index;not null"`  // key pair name
	Profile    string `gorm:"column:profile;type:varchar(255);not null"`                // cloud account profile
	PemBase64  string `gorm:"column:pem_base64;type:text;not null"`                     // base64-encoded PEM private key; NOTE(review): unlike Profile.SK no encryption is noted here — confirm at-rest protection
}
type Keys ¶
// Keys is the list of key pairs from configuration; ToMapWithID and
// ToMapWithName (declared elsewhere) index it by key id and by name.
type Keys []AddKeyRequest
func (Keys) ToMapWithID ¶
func (k Keys) ToMapWithID() map[string]AddKeyRequest
ToMapWithID converts the keys to a map keyed by keyID.
func (Keys) ToMapWithName ¶
func (k Keys) ToMapWithName() map[string]AddKeyRequest
type LocalServer ¶
type MatchResult ¶
// MatchResult tells a policy matcher how to proceed after one filter has
// been evaluated.
type MatchResult int

// Outcomes of a single match step.
const (
	MatchContinue MatchResult = iota // no decision yet; evaluate the next match
	MatchTrue                        // stop and return true
	MatchFalse                       // stop and return false
)
type PGConfig ¶
type Policy ¶
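// Policy is a persisted access policy: which Users may perform which Actions
// (allow and deny values from the Action constants) on the servers selected by
// ServerFilterV1 — or by the older ServerFilter form, see ServerFilter.ToV1 —
// until ExpiresAt. IsEnabled defaults to false, so a freshly inserted policy
// grants nothing until it is switched on.
type Policy struct {
	ID             string          `json:"id" gorm:"column:id;primary_key;not null"`
	CreatedAt      time.Time       `json:"created_at" gorm:"column:created_at"`
	UpdatedAt      time.Time       `json:"updated_at" gorm:"column:updated_at"`
	IsDeleted      bool            `json:"is_deleted" gorm:"column:is_deleted;default:false;not null"`
	Name           string          `json:"name" gorm:"column:name;not null"`
	Users          ArrayString     `json:"users" gorm:"column:users;type:json;not null"`
	ServerFilterV1 *ServerFilterV1 `json:"server_filter_v1" gorm:"column:server_filter_v1;type:json;"`
	// The tag key was previously misspelled "clumn"; gorm ignored it and fell
	// back to the default snake_case name, which is also server_filter, so the
	// column name is unchanged by the fix.
	ServerFilter *ServerFilter `json:"server_filter" gorm:"column:server_filter;type:json;"`
	Actions      ArrayString   `json:"actions" gorm:"column:actions;type:json;not null"`
	ExpiresAt    time.Time     `json:"expires_at" gorm:"column:expires_at;not null"`
	Approver     string        `json:"approver" gorm:"column:approver"`       // approver
	ApprovalID   string        `json:"approval_id" gorm:"column:approval_id"` // approval id
	IsEnabled    bool          `json:"is_enabled" gorm:"column:is_enabled;default:false;not null"`
}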
type PolicyOld ¶
// PolicyOld is the earlier policy schema, in which ServerFilter is a single
// required value rather than the nullable ServerFilterV1/ServerFilter pair of
// Policy. Presumably kept for migrating existing rows — confirm before removing.
type PolicyOld struct {
	ID           string       `json:"id" gorm:"column:id;primary_key;not null"`
	CreatedAt    time.Time    `json:"created_at" gorm:"column:created_at"`
	UpdatedAt    time.Time    `json:"updated_at" gorm:"column:updated_at"`
	IsDeleted    bool         `json:"is_deleted" gorm:"column:is_deleted;default:false;not null"`
	Name         string       `json:"name" gorm:"column:name;not null"`
	Users        ArrayString  `json:"users" gorm:"column:users;type:json;not null"`
	ServerFilter ServerFilter `json:"server_filter" gorm:"column:server_filter;type:json;not null"`
	Actions      ArrayString  `json:"actions" gorm:"column:actions;type:json;not null"`
	ExpiresAt    time.Time    `json:"expires_at" gorm:"column:expires_at;not null"`
	Approver     string       `json:"approver" gorm:"column:approver"`       // approver
	ApprovalID   string       `json:"approval_id" gorm:"column:approval_id"` // approval id
	IsEnabled    bool         `json:"is_enabled" gorm:"column:is_enabled;default:false;not null"`
}
type PolicyQueryRequest ¶
// PolicyQueryRequest filters a policy listing by user.
type PolicyQueryRequest struct {
	User *string `json:"user"` // user name to filter on; nil presumably means no filter — confirm against the handler
}
type PolicyRequest ¶
// PolicyRequest is the create/update request body for a Policy;
// ApprovalMut.ToPolicyMut builds one from an approval application.
type PolicyRequest struct {
	Name           *string         `json:"name" binding:"required"`
	Users          ArrayString     `json:"users"`
	Actions        ArrayString     `json:"actions"` // Action string values; see the Action constants
	ServerFilterV1 *ServerFilterV1 `json:"server_filter" binding:"required"`
	ExpiresAt      *time.Time      `json:"expires_at"` // time.Time in JSON
	IsEnabled      *bool           `json:"is_enabled"`
	ApprovalID     *string         `json:"approval_id"`
}
type Profile ¶
// Profile is a cloud account as persisted by gorm. AK/SK are cloud API
// credentials; the original note says only SK is stored encrypted.
type Profile struct {
	gorm.Model `json:"-"`
	UUID       string      `gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	Name       string      `gorm:"column:name;type:varchar(255);not null"`
	AK         string      `gorm:"column:ak;type:varchar(255);not null"` // access key id
	SK         string      `gorm:"column:sk;type:varchar(255);not null"` // secret key, stored encrypted
	IsDelete   bool        `gorm:"column:is_delete;type:boolean;not null;default:false"` // soft-delete flag
	Cloud      string      `gorm:"column:cloud;type:varchar(255);not null"`              // cloud provider
	Regions    StringSlice `gorm:"column:regions;type:json;not null"`                    // regions to sync
	Enabled    bool        `gorm:"column:enabled;type:boolean;not null;default:true"`
}
type Proxy ¶
// Proxy is an ssh proxy as persisted by gorm; see CreateProxyRequest for the
// meaning of the fields.
type Proxy struct {
	gorm.Model `json:"-"`
	IsDelete     bool   `gorm:"column:is_delete;type:boolean;not null;default:false"` // soft-delete flag
	UUID         string `gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	KeyID        string `gorm:"column:key_id;type:varchar(255);default:''"`  // cloud key id used for authentication; takes precedence over IdentityFile
	Name         string `gorm:"column:name;type:varchar(255);"`
	Host         string `gorm:"column:host;type:varchar(255);not null"`
	Port         int    `gorm:"column:port;type:integer;not null"`
	IPPrefix     string `gorm:"column:ip_prefix;type:varchar(255);not null"`  // servers whose IP starts with this prefix use the proxy
	LoginUser    string `gorm:"column:login_user;type:varchar(255);not null"`
	LoginPasswd  string `gorm:"column:login_passwd;type:varchar(255);"` // NOTE(review): a login secret in a plain varchar column; no encryption is noted, unlike Profile.SK — confirm
	IdentityFile string `gorm:"column:identity_file;type:varchar(255);"` // pem file name, fallback when KeyID is empty
}
type QueryLoginRequest ¶
type QueryRecordRequest ¶
type QueryScpRequest ¶
type SSHAlert ¶
// SSHAlert configures where SSH reachability alerts are sent; currently only
// DingTalk robot group alerts are supported.
type SSHAlert struct {
	RobotToken string `mapstructure:"robotToken"` // DingTalk robot token, read from config
}
目前只支持钉钉机器人群告警
type SSHLoginRecord ¶
// SSHLoginRecord is an audit row for one SSH login through the service.
type SSHLoginRecord struct {
	gorm.Model
	User             string `json:"user" gorm:"column:user;type:varchar(255);not null"`     // user
	Client           string `json:"client" gorm:"column:client;type:varchar(255);not null"` // client
	Target           string `json:"target" gorm:"column:target;type:varchar(255);not null"` // target server
	TargetInstanceId string `json:"target_instance_id" gorm:"column:target_instance_id;type:varchar(255)"`
}
type SSHUser ¶
// SSHUser holds the credentials used for an SSH login: a user name plus a key
// (by file name or inline base64 PEM) and/or a password.
type SSHUser struct {
	UserName  string
	KeyName   string // pem file name; the content may be read from a local file
	Base64Pem string // base64-encoded PEM private key
	Password  string
}
SSHUser holds the credentials used for an SSH login.
type ScpRecord ¶
// ScpRecord is an audit row for one file transfer.
type ScpRecord struct {
	gorm.Model
	Action string `json:"action" gorm:"column:action;type:varchar(255);not null"` // download,upload
	From   string `json:"from" gorm:"column:from;type:varchar(255);not null"`     // source
	To     string `json:"to" gorm:"column:to;type:varchar(255);not null"`         // destination
	User   string `json:"user" gorm:"column:user;type:varchar(255);not null"`     // user
	Client string `json:"client" gorm:"column:client;type:varchar(255);not null"` // client
}
type Server ¶
// Server is the in-memory description of a managed server, whether synced
// from a cloud Profile or added by hand as a LocalServer.
type Server struct {
	ID       string
	Name     string
	Host     string    // defaults to the first private IP
	Port     int
	KeyPairs []*string // key pair names
	// Proxy *CreateProxyRequest
	Profile  string               // cloud account profile the server belongs to
	Region   string
	Tags     model.Tags           // EnvType/Team and KV filters in ServerFilter match against these
	Status   model.InstanceStatus
	SSHUsers []SSHUser            // presumably the credentials tried on login — confirm against the caller
}
Server describes a managed server.
type ServerFilter ¶
// ServerFilter is the older single-value server selector; ToV1 converts it to
// ServerFilterV1. A "*" in a field matches every server on that dimension.
type ServerFilter struct {
	Name    *string `json:"name"`     // exact match on name; "*" supported
	IpAddr  *string `json:"ip_addr"`  // exact match on IP address; "*" matches all
	EnvType *string `json:"env_type"` // EnvType from the server Tags; "*" matches all
	Team    *string `json:"team"`     // Team from the server Tags; "*" matches all
}
func (*ServerFilter) Scan ¶
func (a *ServerFilter) Scan(value interface{}) error
func (ServerFilter) ToString ¶
func (a ServerFilter) ToString() string
func (ServerFilter) ToV1 ¶
func (a ServerFilter) ToV1() *ServerFilterV1
type ServerFilterV1 ¶
// ServerFilterV1 selects servers along several dimensions; every non-nil field
// must match (see MatchServerByFilter). A "*" entry matches everything on that
// dimension, so a filter of only wildcards selects every server — worth
// checking for when reviewing stored policies.
type ServerFilterV1 struct {
	Name    []string `json:"name"`     // exact match on name; "*" supported
	IpAddr  []string `json:"ip_addr"`  // exact match on IP address; "*" matches all
	EnvType []string `json:"env_type"` // EnvType from the server Tags; "*" matches all
	Team    []string `json:"team"`     // Team from the server Tags; "*" matches all
	KV      *KV      `json:"kv"`       // filter on a caller-specified tag key/value
}
可以预定义一些资产用来快速分配给其他策略
func (*ServerFilterV1) Scan ¶
func (a *ServerFilterV1) Scan(value interface{}) error
func (ServerFilterV1) ToString ¶
func (a ServerFilterV1) ToString() string
type ShellTask ¶
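// ShellTask is a persisted shell task: a script to run on the servers selected
// by Servers, optionally on a cron schedule. Shell is executed as given, so
// write access to this table is equivalent to command execution on the
// matched servers.
type ShellTask struct {
	gorm.Model `json:"-"`
	IsDeleted  bool   `json:"is_deleted" gorm:"column:is_deleted;default:false;not null"`
	UUID       string `json:"uuid" gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	// gorm separates tag settings with ';'. The previous "not null,unique" was
	// parsed as one unknown setting, so neither constraint was applied.
	Name       string         `json:"name" gorm:"column:name;not null;unique"`
	Shell      string         `json:"shell" gorm:"column:shell;not null"`                                  // script body
	Corn       string         `json:"corn" gorm:"column:cron;not null;default:''"`                         // cron expression; the field and JSON key keep the historic "corn" spelling for API compatibility
	ExecTimes  int            `json:"exec_times" gorm:"column:exec_times;not null;default:0"`              // execution count
	Status     Status         `json:"status" gorm:"column:status;not null"`
	ExecResult string         `json:"exec_result" gorm:"column:exec_result;type:text;not null;default:''"` // execution result summary
	Servers    ServerFilterV1 `json:"servers" gorm:"column:servers;type:json;not null"`                    // target servers
	SubmitUser string         `json:"submit_user" gorm:"column:submit_user;not null"`                      // taken from the auth token, not from the request body
}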
type ShellTaskRecord ¶
// ShellTaskRecord is the execution log of one ShellTask run on one server.
// Output is a TEXT column (up to 1G per the original note) holding the
// script's standard output; rows are per server IP so later statistics and
// queries can be done by server.
type ShellTaskRecord struct {
	gorm.Model `json:"-"`
	UUID       string `json:"uuid" gorm:"column:uuid;type:varchar(36);unique_index;not null"`
	ExecTimes  int    `json:"exec_times" gorm:"column:exec_times;not null"` // task execution count at the time of this run
	TaskID     string `json:"task_id" gorm:"column:task_id;not null"`
	TaskName   string `json:"task_name" gorm:"column:task_name;not null"`
	Shell      string `json:"shell" gorm:"column:shell;type:text;not null"` // script as executed
	ServerIP   string `json:"server_ip" gorm:"column:server_ip;type:varchar(255);not null"`
	ServerName string `json:"server_name" gorm:"column:server_name;type:varchar(255);not null"`
	CostTime   string `json:"cost_time" gorm:"column:cost_time;type:varchar(255);not null"`
	Output     string `json:"output" gorm:"column:output;type:text;not null"` // standard output; may contain whatever the script printed, so redact before displaying widely
	IsSuccess  bool   `json:"is_success" gorm:"column:is_success;type:boolean;not null"`
}
ShellTaskRecord 记录执行的日志 使用 TEXT 类型记录日志标准输出,最大支持 1G 内容足够 支持服务器 IP 维度,方便后续统计和查询
func (*ShellTaskRecord) TableName ¶
func (s *ShellTaskRecord) TableName() string
type Status ¶
// Status is the execution state of a ShellTask. Documented values:
// "Pending", "Running", "Success", "Failed", "NotAllSuccess", "Cancelled".
type Status string
"Pending", "Running", "Success", "Failed", "NotAllSuccess", "Cancelled"
type StringSlice ¶
// StringSlice is a []string persisted as a JSON column (see Profile.Regions);
// *StringSlice implements sql.Scanner through Scan (declared elsewhere).
type StringSlice []string
func (*StringSlice) Scan ¶
func (ss *StringSlice) Scan(src interface{}) error
type User ¶
// User is an account as persisted by gorm. Policy.Users and MatchPolicy
// identify users by name; Groups only needs to line up with the servers'
// Team tag, it is not maintained by jms itself.
type User struct {
	ID             string      `json:"id" gorm:"column:id;primary_key;not null"`
	CreatedAt      *time.Time  `json:"created_at" gorm:"column:created_at"`
	UpdatedAt      *time.Time  `json:"updated_at" gorm:"column:updated_at"`
	IsDeleted      *bool       `json:"is_deleted" gorm:"column:is_deleted;default:false;not null"`
	Username       *string     `json:"username" gorm:"column:username;not null"`
	Passwd         *string     `json:"passwd" gorm:"column:passwd"` // base64 per the original note; base64 is a reversible encoding, not a hash — NOTE(review): confirm how this value is protected, and that it is never returned through the json tag
	Email          *string     `json:"email" gorm:"column:email"`
	DingtalkID     *string     `json:"dingtalk_id" gorm:"column:dingtalk_id"`
	DingtalkDeptID *string     `json:"dingtalk_dept_id" gorm:"column:dingtalk_dept_id"`
	Groups         ArrayString `json:"groups" gorm:"column:groups;type:json"` // groups are not maintained in jms; they only need to match the server tag Team
	IsLdap         *bool       `json:"is_ldap" gorm:"column:is_ldap;default:false;not null"`
}
type UserPatchMut ¶
// UserPatchMut is the request body for patching a user; only Groups can be
// changed this way.
type UserPatchMut struct {
	Groups ArrayString `json:"groups"` // replaces User.Groups, which is matched against the server Team tag
}
type UserRequest ¶
type WithDingtalk ¶
type WithLdap ¶
// WithLdap configures LDAP lookup/authentication. BindUser/BindPassword are
// a service credential read from the config file, so the file's permissions
// protect them.
type WithLdap struct {
	Enable           bool     `mapstructure:"enable"`
	BindUser         string   `mapstructure:"bindUser"`         // account used for the bind
	BindPassword     string   `mapstructure:"bindPassword"`     // bind secret; keep out of logs
	Host             string   `mapstructure:"host"`
	Port             int      `mapstructure:"port"`
	BaseDN           string   `mapstructure:"baseDN"`
	UserSearchFilter string   `mapstructure:"userSearchFilter"` // NOTE(review): if a user-supplied name is substituted into this filter, confirm it is LDAP-filter escaped before the search
	Attributes       []string `mapstructure:"attributes"`       // presumably the attributes requested by the search — confirm against the LDAP client
}
type WithPolicy ¶
type WithSSHCheck ¶