Ejemplo n.º 1
0
    def post(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserEnableForm(self.request.arguments)
        if not form.validate():
            # TODO: add error message
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        if user.role_user:
            enable_service_account(
                self.session,
                actor=self.current_user,
                preserve_membership=form.preserve_membership.data,
                user=user)
        else:
            enable_user(self.session,
                        user,
                        self.current_user,
                        preserve_membership=form.preserve_membership.data)

        self.session.commit()

        AuditLog.log(self.session,
                     self.current_user.id,
                     'enable_user',
                     'Enabled user.',
                     on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Ejemplo n.º 2
0
    def post(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserEnableForm(self.request.arguments)
        if not form.validate():
            # TODO: add error message
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        if user.role_user:
            enable_service_account(self.session, actor=self.current_user,
                preserve_membership=form.preserve_membership.data, user=user)
        else:
            enable_user(self.session, user, self.current_user,
                preserve_membership=form.preserve_membership.data)

        self.session.commit()

        AuditLog.log(self.session, self.current_user.id, 'enable_user',
                     'Enabled user.', on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Ejemplo n.º 3
0
def enable_service_account(session, actor, service_account, owner):
    # type: (Session, User, ServiceAccount, Group) -> None
    """Enables a service account and sets a new owner."""
    enable_user(session, service_account.user, actor, preserve_membership=False)
    add_service_account(session, owner, service_account)

    AuditLog.log(session, actor.id, "enable_service_account", "Enabled service account.",
                 on_group_id=owner.id, on_user_id=service_account.user_id)

    Counter.incr(session, "updates")
    session.commit()
Ejemplo n.º 4
0
def enable_role_user(session, actor, preserve_membership, user=None, group=None):
    # type: (Session, User, bool, User, Group) -> None
    """
    Enabled all components of the service account corresponding to user/group.

    Args:
        session: the database session
        actor: the User that is enabling the service account
        preserve_membership: whether to preserve what groups the service account is in
        user: the User component of the service account to be enabled
        group: the Group component of the service account to be enabled
    """
    acc = get_role_user(session, user, group)

    enable_user(session, acc.user, actor, preserve_membership)
    acc.group.enabled = True
    acc.user.add(session)
    acc.group.add(session)
Ejemplo n.º 5
0
def enable_role_user(session, actor, preserve_membership, user=None, group=None):
    # type: (Session, User, bool, User, Group) -> None
    """
    Enabled all components of the service account corresponding to user/group.

    Args:
        session: the database session
        actor: the User that is enabling the service account
        preserve_membership: whether to preserve what groups the service account is in
        user: the User component of the service account to be enabled
        group: the Group component of the service account to be enabled
    """
    acc = get_role_user(session, user, group)

    enable_user(session, acc.user, actor, preserve_membership)
    acc.group.enabled = True
    acc.user.add(session)
    acc.group.add(session)
Ejemplo n.º 6
0
    def post(self, *args: Any, **kwargs: Any) -> None:
        name = self.get_path_argument("name")

        user = User.get(self.session, name=name)
        if not user:
            return self.notfound()

        form = UserEnableForm(self.request.arguments)
        if not form.validate():
            # TODO: add error message
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        if form.preserve_membership.data:
            if not self.check_access(self.session, self.current_user, user):
                return self.forbidden()
        else:
            if not self.check_access_without_membership(
                    self.session, self.current_user, user):
                return self.forbidden()

        if user.role_user:
            enable_role_user(
                self.session,
                actor=self.current_user,
                preserve_membership=form.preserve_membership.data,
                user=user,
            )
        else:
            enable_user(
                self.session,
                user,
                self.current_user,
                preserve_membership=form.preserve_membership.data,
            )

        self.session.commit()

        AuditLog.log(self.session,
                     self.current_user.id,
                     "enable_user",
                     "Enabled user.",
                     on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Ejemplo n.º 7
0
def user_command(args, settings, session_factory):
    # type: (Namespace, CtlSettings, SessionFactory) -> None
    session = session_factory.create_session()

    if args.subcommand == "create":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user, creating...".format(username))
                user = User.get_or_create(session,
                                          username=username,
                                          role_user=args.role_user)
                session.commit()
            else:
                logging.info(
                    "{}: Already exists. Doing nothing.".format(username))
        return

    elif args.subcommand == "disable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info(
                    "{}: No such user. Doing nothing.".format(username))
            elif not user.enabled:
                logging.info(
                    "{}: User already disabled. Doing nothing.".format(
                        username))
            else:
                logging.info("{}: User found, disabling...".format(username))
                try:
                    if user.role_user:
                        disable_role_user(session, user)
                    else:
                        disable_user(session, user)
                    AuditLog.log(
                        session,
                        user.id,
                        "disable_user",
                        "(Administrative) User disabled via grouper-ctl",
                        on_user_id=user.id,
                    )
                    session.commit()
                except PluginRejectedDisablingUser as e:
                    logging.error("%s", e)

        return

    elif args.subcommand == "enable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info(
                    "{}: No such user. Doing nothing.".format(username))
            elif user.enabled:
                logging.info(
                    "{}: User not disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, enabling...".format(username))
                if user.role_user:
                    enable_role_user(
                        session,
                        user,
                        preserve_membership=args.preserve_membership,
                        user=user)
                else:
                    enable_user(session,
                                user,
                                user,
                                preserve_membership=args.preserve_membership)
                AuditLog.log(
                    session,
                    user.id,
                    "enable_user",
                    "(Administrative) User enabled via grouper-ctl",
                    on_user_id=user.id,
                )
                session.commit()
        return

    # "add_public_key" and "set_metadata"
    user = User.get(session, name=args.username)
    if not user:
        logging.error("{}: No such user. Doing nothing.".format(args.username))
        return

    # User must exist at this point.

    if args.subcommand == "set_metadata":
        logging.info("Setting %s metadata: %s=%s", args.username,
                     args.metadata_key, args.metadata_value)
        if args.metadata_value == "":
            args.metadata_value = None
        set_user_metadata(session, user.id, args.metadata_key,
                          args.metadata_value)
        session.commit()
    elif args.subcommand == "add_public_key":
        logging.info("Adding public key for user")

        try:
            pubkey = public_key.add_public_key(session, user, args.public_key)
        except public_key.DuplicateKey:
            logging.error("Key already in use")
            return
        except public_key.PublicKeyParseError:
            logging.error("Public key appears to be invalid")
            return

        AuditLog.log(
            session,
            user.id,
            "add_public_key",
            "(Administrative) Added public key: {}".format(
                pubkey.fingerprint_sha256),
            on_user_id=user.id,
        )
Ejemplo n.º 8
0
def user_command(args):
    session = make_session()

    if args.subcommand == "create":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user, creating...".format(username))
                user = User.get_or_create(session,
                                          username=username,
                                          role_user=args.role_user)
                session.commit()
            else:
                logging.info(
                    "{}: Already exists. Doing nothing.".format(username))
        return

    elif args.subcommand == "disable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info(
                    "{}: No such user. Doing nothing.".format(username))
            elif not user.enabled:
                logging.info(
                    "{}: User already disabled. Doing nothing.".format(
                        username))
            else:
                logging.info("{}: User found, disabling...".format(username))
                try:
                    if user.role_user:
                        disable_role_user(session, user)
                    else:
                        disable_user(session, user)
                    AuditLog.log(
                        session,
                        user.id,
                        'disable_user',
                        '(Administrative) User disabled via grouper-ctl',
                        on_user_id=user.id)
                    session.commit()
                except PluginRejectedDisablingUser as e:
                    logging.error(e.message)

        return

    elif args.subcommand == "enable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info(
                    "{}: No such user. Doing nothing.".format(username))
            elif user.enabled:
                logging.info(
                    "{}: User not disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, enabling...".format(username))
                if user.role_user:
                    enable_role_user(
                        session,
                        user,
                        preserve_membership=args.preserve_membership,
                        user=user)
                else:
                    enable_user(session,
                                user,
                                user,
                                preserve_membership=args.preserve_membership)
                AuditLog.log(session,
                             user.id,
                             'enable_user',
                             '(Administrative) User enabled via grouper-ctl',
                             on_user_id=user.id)
                session.commit()
        return

    # "add_public_key" and "set_metadata"
    user = User.get(session, name=args.username)
    if not user:
        logging.error("{}: No such user. Doing nothing.".format(args.username))
        return

    # User must exist at this point.

    if args.subcommand == "set_metadata":
        print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key,
                                              args.metadata_value)
        if args.metadata_value == "":
            args.metadata_value = None
        set_user_metadata(session, user.id, args.metadata_key,
                          args.metadata_value)
        session.commit()
    elif args.subcommand == "add_public_key":
        print "Adding public key for user..."

        try:
            pubkey = public_key.add_public_key(session, user, args.public_key)
        except public_key.DuplicateKey:
            print "Key already in use."
            return
        except public_key.PublicKeyParseError:
            print "Public key appears to be invalid."
            return

        AuditLog.log(session,
                     user.id,
                     'add_public_key',
                     '(Administrative) Added public key: {}'.format(
                         pubkey.fingerprint),
                     on_user_id=user.id)
Ejemplo n.º 9
0
def user_command(args):
    session = make_session()

    if args.subcommand == "create":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user, creating...".format(username))
                user = User.get_or_create(session, username=username, role_user=args.role_user)
                session.commit()
            else:
                logging.info("{}: Already exists. Doing nothing.".format(username))
        return

    elif args.subcommand == "disable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user. Doing nothing.".format(username))
            elif not user.enabled:
                logging.info("{}: User already disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, disabling...".format(username))
                if user.role_user:
                    disable_service_account(session, user)
                else:
                    disable_user(session, user)
                session.commit()
        return

    elif args.subcommand == "enable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user. Doing nothing.".format(username))
            elif user.enabled:
                logging.info("{}: User not disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, enabling...".format(username))
                if user.role_user:
                    enable_service_account(session, user,
                        preserve_membership=args.preserve_membership, user=user)
                else:
                    enable_user(session, user, user, preserve_membership=args.preserve_membership)
                session.commit()
        return

    # "add_public_key" and "set_metadata"
    user = User.get(session, name=args.username)
    if not user:
        logging.error("{}: No such user. Doing nothing.".format(args.username))
        return

    # User must exist at this point.

    if args.subcommand == "set_metadata":
        print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
        if args.metadata_value == "":
            args.metadata_value = None
        set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
        session.commit()
    elif args.subcommand == "add_public_key":
        print "Adding public key for user..."

        try:
            pubkey = public_key.add_public_key(session, user, args.public_key)
        except public_key.DuplicateKey:
            print "Key already in use."
            return
        except public_key.PublicKeyParseError:
            print "Public key appears to be invalid."
            return

        AuditLog.log(session, user.id, 'add_public_key',
                '(Administrative) Added public key: {}'.format(pubkey.fingerprint),
                on_user_id=user.id)
Ejemplo n.º 10
0
def user_command(args, settings, session_factory):
    # type: (Namespace, CtlSettings, SessionFactory) -> None
    session = session_factory.create_session()

    if args.subcommand == "create":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user, creating...".format(username))
                user = User.get_or_create(session, username=username, role_user=args.role_user)
                session.commit()
            else:
                logging.info("{}: Already exists. Doing nothing.".format(username))
        return

    elif args.subcommand == "disable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user. Doing nothing.".format(username))
            elif not user.enabled:
                logging.info("{}: User already disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, disabling...".format(username))
                try:
                    if user.role_user:
                        disable_role_user(session, user)
                    else:
                        disable_user(session, user)
                    AuditLog.log(
                        session,
                        user.id,
                        "disable_user",
                        "(Administrative) User disabled via grouper-ctl",
                        on_user_id=user.id,
                    )
                    session.commit()
                except PluginRejectedDisablingUser as e:
                    logging.error("%s", e)

        return

    elif args.subcommand == "enable":
        for username in args.username:
            user = User.get(session, name=username)
            if not user:
                logging.info("{}: No such user. Doing nothing.".format(username))
            elif user.enabled:
                logging.info("{}: User not disabled. Doing nothing.".format(username))
            else:
                logging.info("{}: User found, enabling...".format(username))
                if user.role_user:
                    enable_role_user(
                        session, user, preserve_membership=args.preserve_membership, user=user
                    )
                else:
                    enable_user(session, user, user, preserve_membership=args.preserve_membership)
                AuditLog.log(
                    session,
                    user.id,
                    "enable_user",
                    "(Administrative) User enabled via grouper-ctl",
                    on_user_id=user.id,
                )
                session.commit()
        return

    # "add_public_key" and "set_metadata"
    user = User.get(session, name=args.username)
    if not user:
        logging.error("{}: No such user. Doing nothing.".format(args.username))
        return

    # User must exist at this point.

    if args.subcommand == "set_metadata":
        logging.info(
            "Setting %s metadata: %s=%s", args.username, args.metadata_key, args.metadata_value
        )
        if args.metadata_value == "":
            args.metadata_value = None
        set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
        session.commit()
    elif args.subcommand == "add_public_key":
        logging.info("Adding public key for user")

        try:
            pubkey = public_key.add_public_key(session, user, args.public_key)
        except public_key.DuplicateKey:
            logging.error("Key already in use")
            return
        except public_key.PublicKeyParseError:
            logging.error("Public key appears to be invalid")
            return

        AuditLog.log(
            session,
            user.id,
            "add_public_key",
            "(Administrative) Added public key: {}".format(pubkey.fingerprint_sha256),
            on_user_id=user.id,
        )