def disable_permission_auditing(session: Session, permission_name: str, actor_user_id: int) -> None: """Set a permission as audited. Args: session: Database session permission_name: Name of permission in question actor_user_id: ID of user who is disabling auditing """ permission = get_permission(session, permission_name) if not permission: raise NoSuchPermission(name=permission_name) permission.audited = False AuditLog.log( session, actor_user_id, "disable_auditing", "Disabled auditing.", on_permission_id=permission.id, ) Counter.incr(session, "updates") session.commit()
def grant_permission_to_service_account(session: Session, account: ServiceAccount, permission: Permission, argument: str = "") -> None: """Grant a permission to this service account. This will fail if the (permission, argument) has already been granted to this group. Args: session: Database session account: A ServiceAccount object being granted a permission permission: A Permission object being granted argument: Must match constants.ARGUMENT_VALIDATION Throws: AssertError if argument does not match ARGUMENT_VALIDATION regex """ assert re.match(ARGUMENT_VALIDATION + r"$", argument), "Invalid permission argument" mapping = ServiceAccountPermissionMap(permission_id=permission.id, service_account_id=account.id, argument=argument) mapping.add(session) Counter.incr(session, "updates") session.commit()
def grant_permission(session: Session, group_id: int, permission_id: int, argument: str = "") -> None: """Grant a permission to this group. This will fail if the (permission, argument) has already been granted to this group. Args: session: Database session group_id: ID of group to which to grant the permission permission_id: ID of permission to grant argument: Must match constants.ARGUMENT_VALIDATION Throws: AssertError if argument does not match ARGUMENT_VALIDATION regex """ assert re.match(ARGUMENT_VALIDATION + r"$", argument), "Invalid permission argument" mapping = PermissionMap(permission_id=permission_id, group_id=group_id, argument=argument) mapping.add(session) Counter.incr(session, "updates") session.commit()
def send_async_email( session: Session, recipients: Iterable[str], subject: str, template: str, settings: Settings, context: Context, send_after: datetime, async_key: Optional[str] = None, ) -> None: """Construct a message object from a template and schedule it This is the main email sending method to send out a templated email. This is used to asynchronously queue up the email for sending. Args: recipients: Email addresses that will receive this mail subject: Subject of the email. template: Name of the template to use. context: Context for the template library. settings: Grouper settings send_after: Schedule the email to go out after this point in time. async_key: If you set this, it will be inserted into the db so that you can find this email in the future. """ msg = get_email_from_template(recipients, subject, template, settings, context) for rcpt in recipients: notif = AsyncNotification( key=async_key, email=rcpt, subject=subject, body=msg.as_string(), send_after=send_after ) notif.add(session) session.commit()
def mutate_group_command(session: Session, group: Group, args: Namespace) -> None: for username in args.username: user = User.get(session, name=username) if not user: logging.error("no such user '{}'".format(username)) return if args.subcommand == "add_member": if args.member: role = "member" elif args.owner: role = "owner" elif args.np_owner: role = "np-owner" elif args.manager: role = "manager" assert role logging.info("Adding {} as {} to group {}".format( username, role, args.groupname)) group.add_member(user, user, "grouper-ctl join", status="actioned", role=role) AuditLog.log( session, user.id, "join_group", "{} manually joined via grouper-ctl".format(username), on_group_id=group.id, ) session.commit() elif args.subcommand == "remove_member": logging.info("Removing {} from group {}".format( username, args.groupname)) try: group.revoke_member(user, user, "grouper-ctl remove") AuditLog.log( session, user.id, "leave_group", "{} manually left via grouper-ctl".format(username), on_group_id=group.id, ) session.commit() except PluginRejectedGroupMembershipUpdate as e: logging.error("%s", e)
def update_request(session: Session, request: PermissionRequest, user: User, new_status: str, comment: str) -> None: """Update a request. Args: session: Database session request: Request to update user: User making update new_status: New status comment: Comment to include with status change Raises: grouper.audit.UserNotAuditor in case we're trying to add an audited permission to a group without auditors """ if request.status == new_status: # nothing to do return # make sure the grant can happen if new_status == "actioned": if request.permission.audited: # will raise UserNotAuditor if no auditors are owners of the group assert_controllers_are_auditors(request.group) # all rows we add have the same timestamp now = datetime.utcnow() # new status change row permission_status_change = PermissionRequestStatusChange( request=request, user_id=user.id, from_status=request.status, to_status=new_status, change_at=now, ).add(session) session.flush() # new comment Comment( obj_type=OBJ_TYPES_IDX.index("PermissionRequestStatusChange"), obj_pk=permission_status_change.id, user_id=user.id, comment=comment, created_on=now, ).add(session) # update permissionRequest status request.status = new_status session.commit() if new_status == "actioned": # actually grant permission try: grant_permission(session, request.group.id, request.permission.id, request.argument) except IntegrityError: session.rollback() # audit log AuditLog.log( session, user.id, "update_perm_request", "updated permission request to status: {}".format(new_status), on_group_id=request.group_id, on_user_id=request.requester_id, on_permission_id=request.permission.id, ) session.commit() # send notification template_engine = EmailTemplateEngine(settings()) subject_template = template_engine.get_template( "email/pending_permission_request_subj.tmpl") subject = "Re: " + subject_template.render( permission=request.permission.name, group=request.group.name) if new_status == "actioned": email_template = "permission_request_actioned" else: email_template = "permission_request_cancelled" email_context = { "group_name": request.group.name, "action_taken_by": user.name, "reason": comment, "permission_name": request.permission.name, "argument": request.argument, } send_email(session, [request.requester.name], subject, email_template, settings(), email_context)