Example #1
0
async def can_move_back_to_pending(current_user, request, groups):
    # Don't allow returning requests to pending state if more than a day has passed since the last update
    if request.get("last_updated", 0) < int(time.time()) - 86400:
        return False
    # Allow admins to return requests back to pending state
    if can_admin_all(current_user, groups):
        return True
    return False
Example #2
0
async def can_approve_reject_request(user, secondary_approvers, groups):
    # Allow admins to approve and reject all requests
    if can_admin_all(user, groups):
        return True

    if secondary_approvers:
        for g in secondary_approvers:
            if g in groups or g == user:
                return True
    return False
Example #3
0
async def can_cancel_request(current_user, requesting_user, groups):
    # Allow the requesting user to cancel their own request
    if current_user == requesting_user:
        return True

    # Allow admins to cancel requests
    if can_admin_all(current_user, groups):
        return True

    # Allow restricted admins to cancel requests
    for g in config.get("groups.can_admin_restricted"):
        if g in groups:
            return True

    return False
Example #4
0
    async def post(self):
        log_data = {
            "function":
            f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
            "user": self.user,
            "message": "Create/Update User",
            "user-agent": self.request.headers.get("User-Agent"),
            "request_id": self.request_uuid,
            "ip": self.ip,
        }
        generic_error_message = "Unable to create/update user"
        log.debug(log_data)
        # Checks authz levels of current user
        if not can_admin_all(self.user, self.groups):
            errors = ["User is not authorized to access this endpoint."]
            await handle_generic_error_response(self, generic_error_message,
                                                errors, 403, "unauthorized",
                                                log_data)
            return
        request = UserManagementModel.parse_raw(self.request.body)
        log_data["requested_user"] = request.username
        if request.user_management_action.value == "create":
            log.debug({
                **log_data,
                "message": "Creating user",
                "requested_user": request.username,
                "requested_groups": request.groups,
            })

            # Fails if password is not strong enough.
            password_strength_errors = await check_password_strength(
                request.password)
            if password_strength_errors:
                await handle_generic_error_response(
                    self,
                    password_strength_errors["message"],
                    password_strength_errors["errors"],
                    403,
                    "weak_password",
                    log_data,
                )
                return

            self.ddb.create_user(
                request.username,
                request.password,
                request.groups,
            )
            res = WebResponse(
                status="success",
                status_code=200,
                message=f"Successfully created user {request.username}.",
            )
            self.write(res.json())
            return
        elif request.user_management_action.value == "update":
            log.debug({
                **log_data,
                "message": "Updating user",
                "requested_user": request.username,
                "requested_groups": request.groups,
            })

            if request.password:
                # Fails if password is not strong enough.
                password_strength_errors = await check_password_strength(
                    request.password)
                if password_strength_errors:
                    await handle_generic_error_response(
                        self,
                        password_strength_errors["message"],
                        password_strength_errors["errors"],
                        403,
                        "weak_password",
                        log_data,
                    )
                    return
            self.ddb.update_user(
                request.username,
                request.password,
                request.groups,
            )
            res = WebResponse(
                status="success",
                status_code=200,
                message=f"Successfully updated user {request.username}.",
            )
            self.write(res.json())
            return
        elif request.user_management_action.value == "delete":
            log.debug({
                **log_data,
                "message": "Deleting user",
                "requested_user": request.username,
            })
            self.ddb.delete_user(request.username, )
            res = WebResponse(
                status="success",
                status_code=200,
                message=f"Successfully deleted user {request.username}.",
            )
            self.write(res.json())
            return
        else:
            errors = ["Change type is not supported by this endpoint."]
            await handle_generic_error_response(self, generic_error_message,
                                                errors, 403, "invalid_request",
                                                log_data)
            return