def post(self, group_id=None, name=None, account_id=None, accountname=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
service_account = ServiceAccount.get(self.session, account_id, accountname)
if not service_account:
return self.notfound()
if not self.check_access(self.session, self.current_user, service_account):
return self.forbidden()
disable_service_account(self.session, self.current_user, service_account)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
accountname = self.get_path_argument("accountname")
group = Group.get(self.session, name=name)
if not group:
return self.notfound()
service_account = ServiceAccount.get(self.session, name=accountname)
if not service_account:
return self.notfound()
if not self.check_access(self.session, self.current_user,
service_account):
return self.forbidden()
disable_service_account(self.session, self.current_user,
service_account)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
if user.role_user:
disable_service_account(self.session, user=user)
else:
disable_user(self.session, user)
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'disable_user',
'Disabled user.', on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
if user.role_user:
disable_service_account(self.session, user=user)
else:
disable_user(self.session, user)
self.session.commit()
AuditLog.log(self.session,
self.current_user.id,
'disable_user',
'Disabled user.',
on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_service_accounts(
session,
standard_graph,
graph,
users,
groups,
permissions # noqa: F811
):
# Create a service account.
service_account = ServiceAccount.get(session, name="*****@*****.**")
assert service_account.description == "some service account"
assert service_account.machine_set == "some machines"
assert service_account.user.name == "*****@*****.**"
assert service_account.user.enabled == True
assert service_account.user.is_service_account == True
accounts = get_service_accounts(session, groups["team-sre"])
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
assert is_service_account(session, service_account.user)
# Duplicates should raise an exception.
with pytest.raises(DuplicateServiceAccount):
create_service_account(session, users["*****@*****.**"], "*****@*****.**",
"dup", "dup", groups["team-sre"])
# zorkian should be able to manage the account, as should gary, but oliver (not a member of the
# group) should not.
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert not can_manage_service_account(session, service_account,
users["*****@*****.**"])
# Check that the user appears in the graph.
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["enabled"]
assert metadata["service_account"]["description"] == "some service account"
assert metadata["service_account"]["machine_set"] == "some machines"
assert metadata["service_account"]["owner"] == "team-sre"
group_details = graph.get_group_details("team-sre")
assert group_details["service_accounts"] == ["*****@*****.**"]
# Grant a permission to the service account and check it in the graph.
grant_permission_to_service_account(session, service_account,
permissions["team-sre"], "*")
graph.update_from_db(session)
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"][0]["permission"] == "team-sre"
assert user_details["permissions"][0]["argument"] == "*"
# Diabling the service account should remove the link to the group.
disable_service_account(session, users["*****@*****.**"], service_account)
assert service_account.user.enabled == False
assert get_service_accounts(session, groups["team-sre"]) == []
# The user should also be gone from the graph and have its permissions removed.
graph.update_from_db(session)
group_details = graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
assert "owner" not in metadata["service_account"]
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
# We can re-enable and attach to a different group.
new_group = groups["security-team"]
enable_service_account(session, users["*****@*****.**"], service_account,
new_group)
assert service_account.user.enabled == True
assert get_service_accounts(session, groups["team-sre"]) == []
accounts = get_service_accounts(session, new_group)
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
# Check that this is reflected in the graph and the user has no permissions.
graph.update_from_db(session)
group_details = graph.get_group_details("security-team")
assert group_details["service_accounts"] == ["*****@*****.**"]
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["service_account"]["owner"] == "security-team"
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
if user.role_user:
disable_service_account(session, user)
else:
disable_user(session, user)
session.commit()
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_service_account(session, user,
preserve_membership=args.preserve_membership, user=user)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session, user.id, 'add_public_key',
'(Administrative) Added public key: {}'.format(pubkey.fingerprint),
on_user_id=user.id)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
if user.role_user:
disable_service_account(session, user)
else:
disable_user(session, user)
session.commit()
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_service_account(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key,
args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session,
user.id,
'add_public_key',
'(Administrative) Added public key: {}'.format(
pubkey.fingerprint),
on_user_id=user.id)
def test_service_accounts(setup):
# type: (SetupTest) -> None
"""Tests remaining non-usecase service account functions."""
with setup.transaction():
setup.create_service_account("*****@*****.**", "team-sre",
"some machines", "some service account")
setup.add_user_to_group("*****@*****.**", "team-sre", "owner")
setup.add_user_to_group("*****@*****.**", "admins")
setup.grant_permission_to_group(USER_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "team-sre")
setup.create_user("*****@*****.**")
setup.grant_permission_to_service_account("team-sre", "*",
"*****@*****.**")
setup.create_group("security-team")
group = Group.get(setup.session, name="team-sre")
assert group
accounts = get_service_accounts(setup.session, group)
assert len(accounts) == 1
service_account = accounts[0]
assert service_account.user.name == "*****@*****.**"
assert service_account.user.is_service_account
# zorkian should be able to manage the account, as should gary, but oliver (not a member of the
# group) should not.
zorkian_user = User.get(setup.session, name="*****@*****.**")
assert zorkian_user
gary_user = User.get(setup.session, name="*****@*****.**")
assert gary_user
oliver_user = User.get(setup.session, name="*****@*****.**")
assert oliver_user
assert can_manage_service_account(setup.session, service_account,
zorkian_user)
assert can_manage_service_account(setup.session, service_account,
gary_user)
assert not can_manage_service_account(setup.session, service_account,
oliver_user)
# Diabling the service account should remove the link to the group.
disable_service_account(setup.session, zorkian_user, service_account)
assert service_account.user.enabled == False
assert get_service_accounts(setup.session, group) == []
# The user should also be gone from the graph and have its permissions removed.
setup.graph.update_from_db(setup.session)
group_details = setup.graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
metadata = setup.graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
assert "owner" not in metadata["service_account"]
user_details = setup.graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
# We can re-enable and attach to a different group.
new_group = Group.get(setup.session, name="security-team")
assert new_group
enable_service_account(setup.session, zorkian_user, service_account,
new_group)
assert service_account.user.enabled == True
assert get_service_accounts(setup.session, group) == []
accounts = get_service_accounts(setup.session, new_group)
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
# Check that this is reflected in the graph and the user has no permissions.
setup.graph.update_from_db(setup.session)
group_details = setup.graph.get_group_details("security-team")
assert group_details["service_accounts"] == ["*****@*****.**"]
metadata = setup.graph.user_metadata["*****@*****.**"]
assert metadata["service_account"]["owner"] == "security-team"
user_details = setup.graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
def test_disable_service_account(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'name': '*****@*****.**',
"description": "Hi",
"canjoin": "canjoin"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert User.get(session, name="*****@*****.**") is None
assert Group.get(session, name="*****@*****.**") is None
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'name': '*****@*****.**',
"description": "Hi",
"canjoin": "canjoin"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_service_account(session, user=u)
assert is_service_account(session, group=g)
assert get_service_account(session, user=u).group.id == g.id
assert get_service_account(session, group=g).user.id == u.id
assert not is_service_account(session, user=user)
assert not is_service_account(session,
group=Group.get(session, name="team-sre"))
disable_service_account(session, user=u)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
enable_service_account(session,
actor=user,
group=g,
preserve_membership=True)
u = User.get(session, name="*****@*****.**")
assert u.enabled, "The SA User should be enabled"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "The SA Group should be enabled"
with pytest.raises(HTTPError):
fe_url = url(base_url,
'/groups/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert u.enabled, "Attempting to disable SAs through groups/disable should not work"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "Attempting to disable SAs through groups/disable should not work"
fe_url = url(base_url, '/users/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, '/groups/{}/enable'.format("*****@*****.**"))
resp = yield http_client.fetch(
fe_url,
method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "Attempting to enable SAs through groups/enable should not work"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
def test_disable_service_account(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert User.get(session, name="*****@*****.**") is None
assert Group.get(session, name="*****@*****.**") is None
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_service_account(session, user=u)
assert is_service_account(session, group=g)
assert get_service_account(session, user=u).group.id == g.id
assert get_service_account(session, group=g).user.id == u.id
assert not is_service_account(session, user=user)
assert not is_service_account(session, group=Group.get(session, name="team-sre"))
disable_service_account(session, user=u)
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
enable_service_account(session, actor=user, group=g, preserve_membership=True)
u = User.get(session, name="*****@*****.**")
assert u.enabled, "The SA User should be enabled"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "The SA Group should be enabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, '/groups/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert u.enabled, "Attempting to disable SAs through groups/disable should not work"
g = Group.get(session, name="*****@*****.**")
assert g.enabled, "Attempting to disable SAs through groups/disable should not work"
fe_url = url(base_url, '/users/{}/disable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "The SA User should be disabled"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "The SA Group should be disabled"
with pytest.raises(HTTPError):
fe_url = url(base_url, '/groups/{}/enable'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
u = User.get(session, name="*****@*****.**")
assert not u.enabled, "Attempting to enable SAs through groups/enable should not work"
g = Group.get(session, name="*****@*****.**")
assert not g.enabled, "Attempting to enable SAs through groups/enable should not work"
