def set_group_owner(self, owner_id, group_id):
""" This method will simply set up the Entity L{owner_id} as a
C{Group-owner} of group L{group_id}.
@type db: Cerebrum.Database.Database
@param db: A Cerebrum database object.
@type owner_id: int
@param owner_id: The C{entity_id} of the owner object.
@type group_id: int
@param group_id: The C{group_id} of a group object.
"""
ar = BofhdAuthRole(self.db)
aos = BofhdAuthOpSet(self.db)
aot = BofhdAuthOpTarget(self.db)
# Find or create group operation target
try:
aot.find(
aot.list(entity_id=group_id,
target_type=self.co.auth_target_type_group)[0]
['op_target_id'])
except IndexError:
aot.populate(group_id, self.co.auth_target_type_group)
aot.write_db()
# Find the 'Group-owner' OpSet to get its entity_id
aos.find_by_name('Group-owner')
if not len(ar.list(owner_id, aos.op_set_id, aot.op_target_id)):
ar.grant_auth(owner_id, aos.op_set_id, aot.op_target_id)
return True
return False
def set_group_owner(self, owner_id, group_id):
""" This method will simply set up the Entity L{owner_id} as a
C{Group-owner} of group L{group_id}.
@type db: Cerebrum.Database.Database
@param db: A Cerebrum database object.
@type owner_id: int
@param owner_id: The C{entity_id} of the owner object.
@type group_id: int
@param group_id: The C{group_id} of a group object.
"""
ar = BofhdAuthRole(self.db)
aos = BofhdAuthOpSet(self.db)
aot = BofhdAuthOpTarget(self.db)
# Find or create group operation target
try:
aot.find(aot.list(entity_id=group_id,
target_type=self.co.auth_target_type_group
)[0]['op_target_id'])
except IndexError:
aot.populate(group_id, self.co.auth_target_type_group)
aot.write_db()
# Find the 'Group-owner' OpSet to get its entity_id
aos.find_by_name('Group-owner')
if not len(ar.list(owner_id, aos.op_set_id, aot.op_target_id)):
ar.grant_auth(owner_id, aos.op_set_id, aot.op_target_id)
return True
return False
def write_db(self):
"""Write PosixUser instance to database, in addition to the personal
file group. As long as L{gid_id} is not set, it gets set to the
account's personal file group instead.
"""
if not self.gid_id:
# Create the PosixGroup first, to get its entity_id
# TODO: Should we handle that self.pg could not be populated when
# we're here? When could gid_id be none without running populate?
self.pg.write_db()
# We'll need to set this here, as the groups entity_id is
# created when we write to the DB.
self.gid_id = self.pg.entity_id
ret = self.__super.write_db()
# Become a member of the group:
if not hasattr(self.pg, "entity_id"):
self.pg.find(self.gid_id)
if not self.pg.has_member(self.entity_id):
self.pg.add_member(self.entity_id)
# If the dfg is not a personal group we are done now:
# TODO: check trait_personal_dfg instead or in addition?
if self.account_name != self.pg.group_name:
return ret
# Set the personal file group trait
if not self.pg.get_trait(self.const.trait_personal_dfg):
self.pg.populate_trait(self.const.trait_personal_dfg, target_id=self.entity_id)
self.pg.write_db()
# Register the posixuser as owner of the group, if not already set
op_target = BofhdAuthOpTarget(self._db)
if not op_target.list(entity_id=self.pg.entity_id, target_type="group"):
op_target.populate(self.pg.entity_id, "group")
op_target.write_db()
op_set = BofhdAuthOpSet(self._db)
op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR)
role = BofhdAuthRole(self._db)
role.grant_auth(self.entity_id, op_set.op_set_id, op_target.op_target_id)
# Syncronizing the groups spreads with the users
mapping = {
int(self.const.spread_uio_nis_user): int(self.const.spread_uio_nis_fg),
int(self.const.spread_uio_ad_account): int(self.const.spread_uio_ad_group),
int(self.const.spread_ifi_nis_user): int(self.const.spread_ifi_nis_fg),
}
user_spreads = [int(r["spread"]) for r in self.get_spread()]
group_spreads = [int(r["spread"]) for r in self.pg.get_spread()]
for uspr, gspr in mapping.iteritems():
if uspr in user_spreads:
if gspr not in group_spreads:
self.pg.add_spread(gspr)
elif gspr in group_spreads:
self.pg.delete_spread(gspr)
return ret
def _group_make_owner(self, owner, target):
op_set = BofhdAuthOpSet(self.db)
op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR)
op_target = BofhdAuthOpTarget(self.db)
op_target.populate(target.entity_id, 'group')
op_target.write_db()
role = BofhdAuthRole(self.db)
role.grant_auth(owner.entity_id, op_set.op_set_id,
op_target.op_target_id)
def _set_owner_of_group(self, group):
op_target = BofhdAuthOpTarget(self._db)
if not op_target.list(entity_id=group.entity_id, target_type='group'):
op_target.populate(group.entity_id, 'group')
op_target.write_db()
op_set = BofhdAuthOpSet(self._db)
op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR)
role = BofhdAuthRole(self._db)
role.grant_auth(self.entity_id,
op_set.op_set_id,
op_target.op_target_id)
def _grant_auth(self, entity_id, opset, target_id, target_type, attr,
entity_name, target_name):
op_target_id = self._get_auth_op_target(target_id,
target_type,
attr,
create=True)
ar = BofhdAuthRole(self.db)
rows = ar.list(entity_id, opset.op_set_id, op_target_id)
if len(rows) == 0:
ar.grant_auth(entity_id, opset.op_set_id, op_target_id)
return "OK, granted %s access %s to %s %s" % (
entity_name, opset.name, six.text_type(target_type),
target_name)
return "%s already has %s access to %s %s" % (
entity_name, opset.name, six.text_type(target_type), target_name)
def grant_group_auth(self, account, opset_name, group):
""" Grants L{entity_id} access type L{opset_name} over group
L{group_id}.
This can be used to give admin and moderator access to groups.
@type account: self.account_class
@param account: The account that should be granted access
@type opset_name: str
@param opset_name: The name of the operation set (type of access)
@type group: self.group_class
@param group: The group that L{account} should be given access to
@rtype: bool
@return: True if access was granted, False if access already exists
"""
assert opset_name in GROUP_AUTH_OPSETS
assert hasattr(account, 'entity_id')
assert hasattr(group, 'entity_id')
ar = BofhdAuthRole(self.db)
aos = BofhdAuthOpSet(self.db)
aot = self.find_or_create_op_target(group.entity_id,
self.co.auth_target_type_group)
aos.find_by_name(opset_name)
assert account.np_type in (self.co.fedaccount_type, self.co.account_program)
assert hasattr(aot, 'op_target_id') # Must be populated
roles = list(ar.list(account.entity_id, aos.op_set_id, aot.op_target_id))
if len(roles) == 0:
ar.grant_auth(account.entity_id, aos.op_set_id, aot.op_target_id)
return True # Access granted
return False # Already had access
def grant_group_auth(self, account, opset_name, group):
""" Grants L{entity_id} access type L{opset_name} over group
L{group_id}.
This can be used to give admin and moderator access to groups.
@type account: self.account_class
@param account: The account that should be granted access
@type opset_name: str
@param opset_name: The name of the operation set (type of access)
@type group: self.group_class
@param group: The group that L{account} should be given access to
@rtype: bool
@return: True if access was granted, False if access already exists
"""
assert opset_name in GROUP_AUTH_OPSETS
assert hasattr(account, 'entity_id')
assert hasattr(group, 'entity_id')
ar = BofhdAuthRole(self.db)
aos = BofhdAuthOpSet(self.db)
aot = self.find_or_create_op_target(group.entity_id,
self.co.auth_target_type_group)
aos.find_by_name(opset_name)
assert account.np_type in (self.co.fedaccount_type, self.co.account_program)
assert hasattr(aot, 'op_target_id') # Must be populated
roles = list(ar.list(account.entity_id, aos.op_set_id, aot.op_target_id))
if len(roles) == 0:
ar.grant_auth(account.entity_id, aos.op_set_id, aot.op_target_id)
return True # Access granted
return False # Already had access
def grant_auth(en, gr, opset):
"""Grant authorization to a group.
:type en: <Cerebrum.Entity.Entity>
:param en: The entity to grant auth to.
:type gr: <Cerebrum.Group.Group>
:param gr: The group to grant auth on.
:type opset: str
:param opset: The OpSet to be granted."""
# TODO: ._db? 'group' to op_target.populate ok? should be derived from
# gr, but that means we'll need to do Factory.get in here... :(
# TODO: Can this be generalized and moved to utils??
from Cerebrum.modules.bofhd.auth import BofhdAuthOpSet, \
BofhdAuthOpTarget, BofhdAuthRole
op_set = BofhdAuthOpSet(en._db)
op_set.find_by_name(opset)
op_target = BofhdAuthOpTarget(en._db)
op_target.populate(gr.entity_id, 'group')
op_target.write_db()
role = BofhdAuthRole(en._db)
role.grant_auth(en.entity_id, op_set.op_set_id,
op_target.op_target_id)
def grant_auth(en, gr, opset):
"""Grant authorization to a group.
:type en: <Cerebrum.Entity.Entity>
:param en: The entity to grant auth to.
:type gr: <Cerebrum.Group.Group>
:param gr: The group to grant auth on.
:type opset: str
:param opset: The OpSet to be granted."""
# TODO: ._db? 'group' to op_target.populate ok? should be derived from
# gr, but that means we'll need to do Factory.get in here... :(
# TODO: Can this be generalized and moved to utils??
from Cerebrum.modules.bofhd.auth import BofhdAuthOpSet, \
BofhdAuthOpTarget, BofhdAuthRole
op_set = BofhdAuthOpSet(en._db)
op_set.find_by_name(opset)
op_target = BofhdAuthOpTarget(en._db)
op_target.populate(gr.entity_id, 'group')
op_target.write_db()
role = BofhdAuthRole(en._db)
role.grant_auth(en.entity_id, op_set.op_set_id,
op_target.op_target_id)
def write_db(self):
"""Write PosixUser instance to database, in addition to the personal
file group. As long as L{gid_id} is not set, it gets set to the
account's personal file group instead.
"""
if not self.gid_id:
# Create the PosixGroup first, to get its entity_id
# TODO: Should we handle that self.pg could not be populated when
# we're here? When could gid_id be none without running populate?
self.pg.write_db()
# We'll need to set this here, as the groups entity_id is
# created when we write to the DB.
self.gid_id = self.pg.entity_id
ret = self.__super.write_db()
# Become a member of the group:
if not hasattr(self.pg, 'entity_id'):
self.pg.find(self.gid_id)
if not self.pg.has_member(self.entity_id):
self.pg.add_member(self.entity_id)
# If the dfg is not a personal group we are done now:
# TODO: check trait_personal_dfg instead or in addition?
if self.account_name != self.pg.group_name:
return ret
# Set the personal file group trait
if not self.pg.get_trait(self.const.trait_personal_dfg):
self.pg.populate_trait(self.const.trait_personal_dfg,
target_id=self.entity_id)
self.pg.write_db()
# Register the posixuser as owner of the group, if not already set
op_target = BofhdAuthOpTarget(self._db)
if not op_target.list(entity_id=self.pg.entity_id,
target_type='group'):
op_target.populate(self.pg.entity_id, 'group')
op_target.write_db()
op_set = BofhdAuthOpSet(self._db)
op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR)
role = BofhdAuthRole(self._db)
role.grant_auth(self.entity_id, op_set.op_set_id,
op_target.op_target_id)
# Syncronizing the groups spreads with the users
mapping = {
int(self.const.spread_uio_nis_user):
int(self.const.spread_uio_nis_fg),
int(self.const.spread_uio_ad_account):
int(self.const.spread_uio_ad_group),
int(self.const.spread_ifi_nis_user):
int(self.const.spread_ifi_nis_fg)
}
user_spreads = [int(r['spread']) for r in self.get_spread()]
group_spreads = [int(r['spread']) for r in self.pg.get_spread()]
for uspr, gspr in mapping.iteritems():
if uspr in user_spreads:
if gspr not in group_spreads:
self.pg.add_spread(gspr)
elif gspr in group_spreads:
self.pg.delete_spread(gspr)
return ret
