def disable_permission_auditing(session: Session, permission_name: str,
actor_user_id: int) -> None:
"""Set a permission as audited.
Args:
session: Database session
permission_name: Name of permission in question
actor_user_id: ID of user who is disabling auditing
"""
permission = get_permission(session, permission_name)
if not permission:
raise NoSuchPermission(name=permission_name)
permission.audited = False
AuditLog.log(
session,
actor_user_id,
"disable_auditing",
"Disabled auditing.",
on_permission_id=permission.id,
)
Counter.incr(session, "updates")
session.commit()
def grant_permission_to_service_account(session: Session,
account: ServiceAccount,
permission: Permission,
argument: str = "") -> None:
"""Grant a permission to this service account.
This will fail if the (permission, argument) has already been granted to this group.
Args:
session: Database session
account: A ServiceAccount object being granted a permission
permission: A Permission object being granted
argument: Must match constants.ARGUMENT_VALIDATION
Throws:
AssertError if argument does not match ARGUMENT_VALIDATION regex
"""
assert re.match(ARGUMENT_VALIDATION + r"$",
argument), "Invalid permission argument"
mapping = ServiceAccountPermissionMap(permission_id=permission.id,
service_account_id=account.id,
argument=argument)
mapping.add(session)
Counter.incr(session, "updates")
session.commit()
def grant_permission(session: Session,
group_id: int,
permission_id: int,
argument: str = "") -> None:
"""Grant a permission to this group.
This will fail if the (permission, argument) has already been granted to this group.
Args:
session: Database session
group_id: ID of group to which to grant the permission
permission_id: ID of permission to grant
argument: Must match constants.ARGUMENT_VALIDATION
Throws:
AssertError if argument does not match ARGUMENT_VALIDATION regex
"""
assert re.match(ARGUMENT_VALIDATION + r"$",
argument), "Invalid permission argument"
mapping = PermissionMap(permission_id=permission_id,
group_id=group_id,
argument=argument)
mapping.add(session)
Counter.incr(session, "updates")
session.commit()
def send_async_email(
session: Session,
recipients: Iterable[str],
subject: str,
template: str,
settings: Settings,
context: Context,
send_after: datetime,
async_key: Optional[str] = None,
) -> None:
"""Construct a message object from a template and schedule it
This is the main email sending method to send out a templated email. This is used to
asynchronously queue up the email for sending.
Args:
recipients: Email addresses that will receive this mail
subject: Subject of the email.
template: Name of the template to use.
context: Context for the template library.
settings: Grouper settings
send_after: Schedule the email to go out after this point in time.
async_key: If you set this, it will be inserted into the db so that you can find this email
in the future.
"""
msg = get_email_from_template(recipients, subject, template, settings, context)
for rcpt in recipients:
notif = AsyncNotification(
key=async_key, email=rcpt, subject=subject, body=msg.as_string(), send_after=send_after
)
notif.add(session)
session.commit()
def mutate_group_command(session: Session, group: Group,
args: Namespace) -> None:
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.error("no such user '{}'".format(username))
return
if args.subcommand == "add_member":
if args.member:
role = "member"
elif args.owner:
role = "owner"
elif args.np_owner:
role = "np-owner"
elif args.manager:
role = "manager"
assert role
logging.info("Adding {} as {} to group {}".format(
username, role, args.groupname))
group.add_member(user,
user,
"grouper-ctl join",
status="actioned",
role=role)
AuditLog.log(
session,
user.id,
"join_group",
"{} manually joined via grouper-ctl".format(username),
on_group_id=group.id,
)
session.commit()
elif args.subcommand == "remove_member":
logging.info("Removing {} from group {}".format(
username, args.groupname))
try:
group.revoke_member(user, user, "grouper-ctl remove")
AuditLog.log(
session,
user.id,
"leave_group",
"{} manually left via grouper-ctl".format(username),
on_group_id=group.id,
)
session.commit()
except PluginRejectedGroupMembershipUpdate as e:
logging.error("%s", e)
def update_request(session: Session, request: PermissionRequest, user: User,
new_status: str, comment: str) -> None:
"""Update a request.
Args:
session: Database session
request: Request to update
user: User making update
new_status: New status
comment: Comment to include with status change
Raises:
grouper.audit.UserNotAuditor in case we're trying to add an audited permission to a group
without auditors
"""
if request.status == new_status:
# nothing to do
return
# make sure the grant can happen
if new_status == "actioned":
if request.permission.audited:
# will raise UserNotAuditor if no auditors are owners of the group
assert_controllers_are_auditors(request.group)
# all rows we add have the same timestamp
now = datetime.utcnow()
# new status change row
permission_status_change = PermissionRequestStatusChange(
request=request,
user_id=user.id,
from_status=request.status,
to_status=new_status,
change_at=now,
).add(session)
session.flush()
# new comment
Comment(
obj_type=OBJ_TYPES_IDX.index("PermissionRequestStatusChange"),
obj_pk=permission_status_change.id,
user_id=user.id,
comment=comment,
created_on=now,
).add(session)
# update permissionRequest status
request.status = new_status
session.commit()
if new_status == "actioned":
# actually grant permission
try:
grant_permission(session, request.group.id, request.permission.id,
request.argument)
except IntegrityError:
session.rollback()
# audit log
AuditLog.log(
session,
user.id,
"update_perm_request",
"updated permission request to status: {}".format(new_status),
on_group_id=request.group_id,
on_user_id=request.requester_id,
on_permission_id=request.permission.id,
)
session.commit()
# send notification
template_engine = EmailTemplateEngine(settings())
subject_template = template_engine.get_template(
"email/pending_permission_request_subj.tmpl")
subject = "Re: " + subject_template.render(
permission=request.permission.name, group=request.group.name)
if new_status == "actioned":
email_template = "permission_request_actioned"
else:
email_template = "permission_request_cancelled"
email_context = {
"group_name": request.group.name,
"action_taken_by": user.name,
"reason": comment,
"permission_name": request.permission.name,
"argument": request.argument,
}
send_email(session, [request.requester.name], subject, email_template,
settings(), email_context)
