Python&Powershell 实现用户权限查漏补缺

背景说明:

新领导在与业务部门的一次会议中,发现一用户笔记本电脑没有无线设备使用权限,这绝对是一管理漏洞。那么作为IT 管理部门,我们怎样才能让所有笔记本电脑用户开通WIFI 权限呢?

准备工作

已知公司无线网络权限的管控是通过域控制器间接管理的,只要将用户加入对应的AD 安全组即可完成。那么问题来了?都有谁?加什么权限?怎么实现。于是想到如下平台或信息需要整理:

资产平台:提供具有笔记本电脑用户的员工编号。

HR平台:根据员工编号,查询用户的域账号。

权限组信息:线下手动维护

AD平台:用于权限查询及权限操作

逻辑整理

沟通下来不需要考虑VIP 用户的情况,逻辑图如上。

开发工具选择

本人运维出身,最近刚刚学python,原计划使用python 来实现这一功能,奈何在互联网上没有找到合适的包来进行AD 安全组查询及操作,于是想到了powershell

主要逻辑实现:python

AD相关操作:powershell

代码

#为了避免操作麻烦,将pymysql 和 pymssql 进行重新封装 Opera_DB.py
# coding: utf-8
# 功能说明:
# 输出要求:数据库的查询及删除操作
import os
import pymssql
import pymysql
import yaml
import pymssql
import time
import schedule
import random
import re
import time
import json
from datetime import datetime
from common.SQL import SQL

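# The config is resolved relative to the *current working directory*, so the
# script must be started from the project root for this path to exist.
config_path = os.path.join(os.getcwd(), r'config\conf.yaml')
with open(config_path, 'rb') as f:
    conf = f.read()
# safe_load: conf.yaml is plain key/value data. The full loader can build
# arbitrary Python objects from tagged YAML and is not needed for a config file.
c_info = yaml.safe_load(conf)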
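class MSSQL_DB(object):
    """Thin wrapper around a pymssql connection (used to read the print-server data)."""

    def __init__(self, c_info):
        """Open the connection described by c_info (keys: Server, DB, User, Password)."""
        self.conn = pymssql.connect(host=c_info['Server'], database=c_info['DB'],
                                    user=c_info['User'], password=c_info['Password'])

    def Get_Data(self, SQL, params=None):
        """Run a query and return all rows as a list.

        SQL:    statement text. Keep it a fixed string and pass values through
                `params` so the driver escapes them, rather than building the
                statement from external input.
        params: optional sequence/dict forwarded to cursor.execute.
        Returns [] when the statement fails; the error is printed, not raised,
        which keeps the original best-effort contract for callers.
        """
        res = {'Res': 'success', 'Error': 'null'}
        Data_List = list()
        cursor = None
        try:
            cursor = self.conn.cursor()
            if params is None:
                cursor.execute(SQL)
            else:
                cursor.execute(SQL, params)
            Data_List = [row for row in cursor]
        except Exception as e:
            res['Res'] = 'Error'
            res['Error'] = e
            print(str(res))
        finally:
            # The original never closed the cursor; also guards the case where
            # conn.cursor() itself failed and `cursor` was never bound.
            if cursor is not None:
                cursor.close()
        return Data_List

    def Update_Data(self, SQL_E, params=None):
        """Execute a data-changing statement and commit it.

        SQL_E:  statement text (see Get_Data about keeping it fixed).
        params: optional sequence/dict forwarded to cursor.execute.
        On failure the error and the statement are printed, the transaction is
        rolled back so a partial change does not linger on the connection, and
        nothing is raised.
        """
        res = {'Res': 'success', 'Error': 'null'}
        cursor = self.conn.cursor()
        try:
            if params is None:
                cursor.execute(SQL_E)
            else:
                cursor.execute(SQL_E, params)
            self.conn.commit()
        except Exception as e:
            res['Res'] = 'Error'
            res['Error'] = e
            print(str(res))
            print(SQL_E)
            self.conn.rollback()
        finally:
            cursor.close()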

def main():
    # NOTE(review): `get_Antiviruslog` is neither defined nor imported in this
    # file as shown, so running this entry point raises NameError. It looks like
    # a leftover from another script; confirm what was intended or remove it.
    logs=get_Antiviruslog()
    infos=logs.get_Antiviruslog()
    for each in infos:
        print(each)

# Script entry: only runs when executed directly, not when imported as common.Opera_DB.
if __name__ == '__main__':
    main()
#check_UserIsInGroup.ps1
#检查用户是否在对应权限组

# Positional arguments supplied by the Python caller:
#   $args[0] = SamAccountName to test, $args[1] = AD group identity.
$account=$args[0]
$group=$args[1]

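function UserIn_Check($account,$group)
    {
        # Returns $true when $account is a direct member of $group, $false otherwise.
        # The Python caller only accepts "True"/"False" on stdout, so a lookup
        # failure must still produce a value instead of terminating the script.
        # NOTE(review): Get-ADGroupMember enumerates the whole group and is subject
        # to the ADWS member-enumeration limit; on very large groups a lookup via
        # Get-ADUser -Properties MemberOf would be cheaper.
        #Import-Module activedirectory
    try
        {
        $res = Get-ADGroupMember -Identity $group -ErrorAction Stop |
            Where-Object { $_.SamAccountName -eq $account }
        # $null -> $false, a single member or a non-empty array -> $true (same as if($res)).
        return [bool]$res
        }
    catch
        {
        return $false
        }
    }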
# The boolean written here is what the Python side reads from stdout ("True"/"False").
UserIn_Check $account $group
#移动用户至指定安全组
#mv_UserToGroup.ps1

# Positional arguments supplied by the Python caller:
#   $args[0] = SamAccountName to add, $args[1] = AD group identity.
$account=$args[0]
$group=$args[1]
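function mv_UserToGroup($account,$group)
    {
        # Adds $account to $group; returns $true on success and $false on any failure.
        # -ErrorAction Stop makes errors the cmdlet reports as non-terminating reach
        # the catch block; without it the Try body would continue and return $true.
        #Import-Module activedirectory
    Try
        {
        Add-ADGroupMember -Identity $group -Members $account -ErrorAction Stop
        return $true
        }
    Catch
        {
        # ADException, ADIdentityNotFoundException and anything else all map to
        # $false, because the Python caller only reads True/False from stdout.
        return $false
        }
    }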

# The boolean written here is what the Python side reads from stdout ("True"/"False").
mv_UserToGroup $account $group

线下权限组

#config\conf.yaml
WIFI_Group:
  CNSSZ_N: "USG-XXX-XX-XXXXX-WiFi-EMP_A"
  CNSSZ_B: "USG-XXX-XX-XXXXX-WiFi-EMP_A"
  CNECZ_N: "USG-XXX-CN-EXXXX-Nemployee"
  CNECZ_B: "USG-XXX-CN-EXXXX-BNemployee"
#主函数 01_main.py
# coding: utf-8
# 功能说明:
# 输出要求:整个的逻辑判定和调度

from common.Opera_DB import MYSQL_DB,MSSQL_DB
import os,yaml
import time
import schedule
from datetime import datetime
from common.SQL import SQL
import json
import requests
import subprocess

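# Config is resolved relative to the *current working directory*; the job must
# be started from the project root (the .ps1 scripts are located the same way).
config_path = os.path.join(os.getcwd(), r'config\conf.yaml')
with open(config_path, 'rb') as f:
	conf = f.read()
# safe_load: conf.yaml is plain key/value data. The full loader can build
# arbitrary Python objects from tagged YAML and is not needed for a config file.
c_info = yaml.safe_load(conf)
CON_LOG = r'config/log.conf'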
# logging.config.fileConfig(CON_LOG)
# logging=logging.getLogger()
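def make_logs(type, info):
	"""Append one line to ./logs/user.log formatted as '<type>:<timestamp>:<info>'.

	type: level tag such as 'info' or 'WARN' (parameter name kept for callers).
	info: any value; it is passed through str().
	The path is relative to the current working directory and the logs/
	directory must already exist. The encoding is fixed to UTF-8 so the
	Chinese messages are written the same way regardless of the Windows
	code page of the account running the job.
	"""
	stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
	with open('./logs/user.log', 'a', encoding='utf-8') as f:
		f.write('{}:{}:{}\n'.format(type, stamp, str(info)))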

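#从EAM 数据库获取笔记本电脑用户的必要信息
def Get_PCINfo_list():
	"""Yield (asset_no, asset_name, model, factory_code, owner) for each notebook row.

	Rows come from SQL['Get_NotebookInfoFrom_EAMData'] on the BI server; the
	tuple positions 1, 2, 7, 14, 36 follow the author's column comment below.
	Each value is stringified, None becomes 'NULL' and single quotes are
	stripped (presumably so values can be embedded in later SQL text —
	parameterised queries would make that unnecessary; TODO confirm).
	"""
	SO_DB = MSSQL_DB(c_info['BIServer_Info'])
	EAMData_List = SO_DB.Get_Data(SQL['Get_NotebookInfoFrom_EAMData'])
	for EAMData in EAMData_List:
		# Only the five yielded columns are converted. The original also ran
		# strftime on column 51 without ever using it, which crashed on NULL.
		yield tuple(_eam_field(EAMData[i]) for i in (1, 2, 7, 14, 36))
		#资产编号,资产名称,型号,出场编码,责任人


def _eam_field(value):
	"""Normalise one EAM column value for Get_PCINfo_list."""
	if value is None:
		return 'NULL'
	return str(value).replace('\'', '')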

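#根据用户域账号,从蓝鲸平台获取用户的基础信息
def Get_UserInfo(account):
	"""Fetch an employee's basic record from the BlueKing HCM endpoint by AD account.

	Returns a dict with Name, IsVIP, LocationCity, ADAccount and BAccount, or
	None when the response lacks the expected 'data' fields (the caller logs
	such users as invalid and moves on).
	Exits the process when the HTTP request itself fails, as the author
	intended; the original used `e.message` (absent on Python 3) and `sys`
	without importing it, so that path raised instead of exiting.
	"""
	url = 'http://bkpaas4.XXXX.com/o/dingding/get_hcm_user_by_ad_account/{}'.format(account)
	try:
		# verify=False is a no-op on a plain-http URL; if the endpoint moves to
		# https, drop it so the server certificate is actually checked.
		res = requests.get(url=url, timeout=60, verify=False)
	except Exception as e:
		print('connect error, please check system ip or the network, error message: ' + str(e))
		raise SystemExit(1) from e
	try:
		data = json.loads(res.content)['data']
		return {
			'Name': data["NACHN"] + data["VORNA"],
			'IsVIP': data["PTEXT"],
			'LocationCity': data["BTEXT"],
			'ADAccount': data["ADAccount"],
			'BAccount': data["BAccount"],
		}
	except (KeyError, TypeError, ValueError) as e:
		# Malformed or empty payload (e.g. unknown account): record the cause
		# instead of silently returning None.
		make_logs('WARN', 'bad HCM response for {}: {}'.format(account, e))
		return None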

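def call_powershell(account,group,ps1):
	"""Run one of the AD helper scripts and map its stdout to a bool.

	account: SamAccountName (or B account); None short-circuits to False.
	group:   AD security group identity handed to the script.
	ps1:     script file name, resolved relative to the current directory.
	Returns True/False as printed by the script. Empty or unexpected output and
	a failure to launch PowerShell are logged and yield False.
	Arguments are passed as a list (no shell), so account and group values
	coming from the HR and asset systems are never parsed by a command line.
	"""
	if account is None:
		return False
	args = [r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
			"-ExecutionPolicy", "Unrestricted", r".\{}".format(ps1), account, group]
	try:
		# subprocess.run waits for the child, so no process handle is left open
		# as with the original un-waited Popen.
		completed = subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
	except Exception as e:
		make_logs('WARN', "powershell 启动失败,脚本:{},错误:{}".format(ps1, e))
		return False
	# "ANSI" is the Windows-only alias for the active code page, which is what
	# powershell.exe writes to a pipe by default.
	tokens = completed.stdout.decode("ANSI", errors="replace").split()
	verdict = tokens[0] if tokens else ""
	if verdict == "True":
		return True
	if verdict == "False":
		return False
	# Original used str(account, group), which raised TypeError and never formatted.
	make_logs('WARN', "未知错误,用户名:{},安全组:{},脚本输出:{!r}".format(
		account, group, completed.stdout[:200]))
	return False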


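#根据用户账号,所在安全组的情况,以及组,判断对应的操作
def make_design(user_N,user_B,res_N,res_B,WIFI_GroupN,WIFI_GroupB):
	"""Decide and perform the group change for one user.

	user_N / user_B: AD account and B account (either may be None).
	res_N / res_B:   whether each account is already in its WiFi group.
	WIFI_GroupN / WIFI_GroupB: target groups for the two account types.
	Order of preference is unchanged: an existing membership is only logged;
	otherwise the AD account is added, else the B account; with neither
	account present a warning is written.
	"""
	if res_N:
		make_logs('info', "账号{}具有{}无线网权限".format(user_N, WIFI_GroupN))
	elif res_B:
		make_logs('info', "账号{}具有{}无线网权限".format(user_B, WIFI_GroupB))
	elif user_N is not None:
		_add_to_wifi_group(user_N, WIFI_GroupN)
	elif user_B is not None:
		_add_to_wifi_group(user_B, WIFI_GroupB)
	else:
		make_logs('WARN', "用户账号:{},B账号:{}信息无效".format(user_N, user_B))


def _add_to_wifi_group(account, group):
	"""Add `account` to `group` through mv_UserToGroup.ps1 and log the outcome."""
	if call_powershell(account, group, "mv_UserToGroup.ps1"):
		make_logs('info', "添加用户{}至安全组{}成功".format(account, group))
	else:
		make_logs('WARN', "添加用户{}至安全组{}失败".format(account, group))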



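def main():
	"""Entry point: check every notebook owner's WiFi group membership and fix gaps.

	For each asset row the owner's HCM record is fetched. Directors and above
	(IsVIP contains "总监以上") are skipped; Shenzhen staff are matched against
	the CNSSZ groups, everyone else against CNECZ. A bad record for one user
	is logged with its cause and does not stop the run.
	"""
	for PC_Info in Get_PCINfo_list():
		user = Get_UserInfo(PC_Info[4])  # position 4 is the owner (责任人)
		try:
			if "总监以上" in user['IsVIP']:
				make_logs('info', "VIP will not update" + str(user))
				continue
			site = 'CNSSZ' if "深圳" in user['LocationCity'] else 'CNECZ'
			group_N = c_info['WIFI_Group'][site + '_N']
			group_B = c_info['WIFI_Group'][site + '_B']
			res_N = call_powershell(user['ADAccount'], group_N, "check_UserIsInGroup.ps1")
			res_B = call_powershell(user['BAccount'], group_B, "check_UserIsInGroup.ps1")
			make_design(user['ADAccount'], user['BAccount'], res_N, res_B, group_N, group_B)
		except Exception as e:
			# user is None or lacks a field, or a helper failed: log why and move on.
			make_logs('WARN', "Invalid user information{} ({})".format(user, e))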





if __name__ == '__main__':
	# Scheduled daily run was disabled in favour of a single pass; re-enable the
	# lines below to run unattended at 05:40.
	# schedule.every(1).day.at('05:40').do(main)
	# while True:
	#     schedule.run_pending()
	#     time.sleep(1)
	main()