def oneoff_command(args):
session = make_session()
load_plugins(settings["plugin_dir"], service_name="grouper-ctl")
oneoffs = Annex(BaseOneOff, [settings["oneoff_dir"]], raise_exceptions=True)
for oneoff in oneoffs:
oneoff.configure(service_name="grouper-ctl")
if args.subcommand == "run":
logging.info("running one-off with '{}'".format(sys.argv))
if args.dry_run:
logging.warning("running in DRY RUN mode")
else:
logging.warning("NOT running in dry run mode")
with wrapped_session(session, make_read_only=args.dry_run) as the_session:
for oneoff in oneoffs:
if oneoff.__class__.__name__ == args.classname:
params = args.oneoff_arguments or []
params += [('dry_run', args.dry_run)]
oneoff.run(the_session, **dict(params))
elif args.subcommand == "list":
for oneoff in oneoffs:
logging.info(oneoff.__class__.__name__)
def oneoff_command(args):
session = make_session()
oneoffs = load_plugins(
BaseOneOff,
settings.oneoff_dirs,
settings.oneoff_module_paths,
"grouper-ctl",
)
if args.subcommand == "run":
logging.info("running one-off with '{}'".format(sys.argv))
if args.dry_run:
logging.warning("running in DRY RUN mode")
else:
logging.warning("NOT running in dry run mode")
with wrapped_session(session, make_read_only=args.dry_run) as the_session:
for oneoff in oneoffs:
if oneoff.__class__.__name__ == args.classname:
params = args.oneoff_arguments or []
params += [('dry_run', args.dry_run)]
oneoff.run(the_session, **dict(params))
elif args.subcommand == "list":
for oneoff in oneoffs:
logging.info(oneoff.__class__.__name__)
def oneoff_command(args):
session = make_session()
oneoffs = load_plugins(BaseOneOff, settings.oneoff_dirs,
settings.oneoff_module_paths, "grouper-ctl")
if args.subcommand == "run":
logging.info("running one-off with '{}'".format(sys.argv))
if args.dry_run:
logging.warning("running in DRY RUN mode")
else:
logging.warning("NOT running in dry run mode")
with wrapped_session(session,
make_read_only=args.dry_run) as the_session:
for oneoff in oneoffs:
if oneoff.__class__.__name__ == args.classname:
params = args.oneoff_arguments or []
params += [("dry_run", args.dry_run)]
oneoff.run(the_session, **dict(params))
elif args.subcommand == "list":
for oneoff in oneoffs:
logging.info(oneoff.__class__.__name__)
def oneoff_command(args):
session = make_session()
load_plugins(settings["plugin_dir"], service_name="grouper-ctl")
oneoffs = Annex(BaseOneOff, [settings["oneoff_dir"]],
raise_exceptions=True)
for oneoff in oneoffs:
oneoff.configure(service_name="grouper-ctl")
if args.subcommand == "run":
logging.info("running one-off with '{}'".format(sys.argv))
if args.dry_run:
logging.warning("running in DRY RUN mode")
else:
logging.warning("NOT running in dry run mode")
with wrapped_session(session,
make_read_only=args.dry_run) as the_session:
for oneoff in oneoffs:
if oneoff.__class__.__name__ == args.classname:
params = args.oneoff_arguments or []
params += [('dry_run', args.dry_run)]
oneoff.run(the_session, **dict(params))
elif args.subcommand == "list":
for oneoff in oneoffs:
logging.info(oneoff.__class__.__name__)
def handle_command(args):
if args.subcommand == "list":
session = make_session()
all_users = get_all_users(session)
for user in all_users:
user_enabled = "enabled" if user.enabled else "disabled"
logging.info("{} has status {}".format(user.name, user_enabled))
return
else:
user_command(args)
def handle_command(args):
if args.subcommand == "list":
session = make_session()
all_users = get_all_users(session)
for user in all_users:
user_enabled = "enabled" if user.enabled else "disabled"
logging.info("{} has status {}".format(user.name, user_enabled))
return
else:
user_command(args)
def shell_command(args):
session = make_session()
graph = GroupGraph.from_db(session)
pp = pprint
try:
from IPython import embed
except ImportError:
code.interact(local={"session": session, "graph": graph, "pp": pp})
else:
embed()
def shell_command(args):
session = make_session()
graph = GroupGraph.from_db(session)
pp = pprint
try:
from IPython import embed
except ImportError:
code.interact(local={
"session": session,
"graph": graph,
"pp": pp,
})
else:
embed()
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported
# here:
from grouper.models.perf_profile import PerfProfile # noqa
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported
# here:
from grouper.models.perf_profile import PerfProfile # noqa
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
def run(self, args):
# type: (Namespace) -> None
if args.subcommand == "convert_to_service_account":
usecase = self.usecase_factory.create_convert_user_to_service_account_usecase(
args.actor_name, self)
usecase.convert_user_to_service_account(args.username, args.owner)
elif args.subcommand == "list":
session = make_session()
all_users = get_all_users(session)
for user in all_users:
user_enabled = "enabled" if user.enabled else "disabled"
logging.info("{} has status {}".format(user.name,
user_enabled))
return
else:
user_command(args)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
user.set_metadata(args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session, user.id, 'add_public_key',
'(Administrative) Added public key: {}'.format(pubkey.fingerprint),
on_user_id=user.id)
def group_command(args):
# type: (Namespace) -> None
session = make_session()
group = session.query(Group).filter_by(groupname=args.groupname).scalar()
if not group:
logging.error("No such group %s".format(args.groupname))
return
if args.subcommand in ["add_member", "remove_member"]:
# somewhat hacky: using function instance to use # `ensure_valid_username` only on
# these subcommands
@ensure_valid_username
def call_mutate(args):
mutate_group_command(session, group, args)
call_mutate(args)
elif args.subcommand == "log_dump":
logdump_group_command(session, group, args)
def group_command(args):
session = make_session()
group = session.query(Group).filter_by(groupname=args.groupname).scalar()
if not group:
logging.error("No such group %s".format(args.groupname))
return
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.error("no such user '{}'".format(username))
return
if args.subcommand == "add_member":
if args.member:
role = 'member'
elif args.owner:
role = 'owner'
elif args.np_owner:
role = 'np-owner'
elif args.manager:
role = 'manager'
assert role
logging.info("Adding {} as {} to group {}".format(username, role, args.groupname))
group.add_member(user, user, "grouper-ctl join", status="actioned", role=role)
AuditLog.log(
session, user.id, 'join_group',
'{} manually joined via grouper-ctl'.format(username),
on_group_id=group.id)
session.commit()
elif args.subcommand == "remove_member":
logging.info("Removing {} from group {}".format(username, args.groupname))
group.revoke_member(user, user, "grouper-ctl remove")
AuditLog.log(
session, user.id, 'leave_group',
'{} manually left via grouper-ctl'.format(username),
on_group_id=group.id)
session.commit()
def service_account_command(args):
session = make_session()
actor_user = User.get(session, name=args.actor_name)
if not actor_user:
logging.fatal('Actor user "{}" is not a valid Grouper user'.format(
args.actor_name))
return
if args.subcommand == "create":
name = args.name
if ServiceAccount.get(session, name=name):
logging.info("{}: Already exists. Doing nothing.".format(name))
return
owner_group = Group.get(session, name=args.owner_group)
if not owner_group:
logging.fatal('Owner group "{}" does not exist.'.format(
args.owner_group))
return
logging.info("{}: No such service account, creating...".format(name))
description = args.description
machine_set = args.machine_set
create_service_account(session, actor_user, name, description,
machine_set, owner_group)
return
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(session, user.id, 'disable_user',
'(Administrative) User disabled via grouper-ctl',
on_user_id=user.id)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error(e.message)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(session, user,
preserve_membership=args.preserve_membership, user=user)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
AuditLog.log(session, user.id, 'enable_user',
'(Administrative) User enabled via grouper-ctl',
on_user_id=user.id)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session, user.id, 'add_public_key',
'(Administrative) Added public key: {}'.format(pubkey.fingerprint_sha256),
on_user_id=user.id)
def user_command(args):
# type: (Namespace) -> None
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
"disable_user",
"(Administrative) User disabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error("%s", e)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
AuditLog.log(
session,
user.id,
"enable_user",
"(Administrative) User enabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
logging.info("Setting %s metadata: %s=%s", args.username,
args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
logging.info("Adding public key for user")
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
logging.error("Key already in use")
return
except public_key.PublicKeyParseError:
logging.error("Public key appears to be invalid")
return
AuditLog.log(
session,
user.id,
"add_public_key",
"(Administrative) Added public key: {}".format(
pubkey.fingerprint_sha256),
on_user_id=user.id,
)
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported here
from grouper.models.perf_profile import PerfProfile # noqa: F401
from grouper.models.user_token import UserToken # noqa: F401
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = get_permission(session, name)
if test:
continue
try:
create_permission(session, name, description)
session.flush()
except IntegrityError:
session.rollback()
raise Exception("Failed to create permission: %s" % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception("Failed to create group: grouper-administrators")
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = get_permission(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
auditors_group_name = get_auditors_group_name(settings)
auditors_group = Group.get(session, name=auditors_group_name)
if not auditors_group:
auditors_group = Group(
groupname=auditors_group_name,
description=
"Group for auditors, who can be owners of audited groups.",
canjoin="canjoin",
)
try:
auditors_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception(
"Failed to create group: {}".format(auditors_group_name))
permission = get_permission(session, PERMISSION_AUDITOR)
assert permission, "Permission should have been created earlier!"
grant_permission(session, auditors_group.id, permission.id)
session.commit()
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
if user.role_user:
disable_service_account(session, user)
else:
disable_user(session, user)
session.commit()
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_service_account(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key,
args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session,
user.id,
'add_public_key',
'(Administrative) Added public key: {}'.format(
pubkey.fingerprint),
on_user_id=user.id)
