def user_is_auditor(username: str) -> bool:
    """Return True when *username* holds the auditor permission.

    A user counts as an auditor exactly when one of the permission entries
    the graph reports for that user has ``permission == PERMISSION_AUDITOR``.

    Args:
        username: account name to look up in the permission graph.

    Returns:
        True if any permission entry matches PERMISSION_AUDITOR, else False.
    """
    permissions = Graph().get_user_details(username)["permissions"]
    # any() short-circuits on the first matching entry, like the explicit loop
    return any(entry["permission"] == PERMISSION_AUDITOR for entry in permissions)
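    def promote_nonauditors(self, session):
        # type: (Session) -> None
        """Ensure every approver of an audited group holds PERMISSION_AUDITOR.

        Iterates the groups returned by ``graph.get_groups(audited=True,
        directly_audited=False)``, collects members whose role is in
        APPROVER_ROLE_INDICES but who do not hold PERMISSION_AUDITOR, adds each
        of them to the auditors group with an explanatory reason, sends one
        notification per promoted user, and commits the session.

        Args:
            session (Session): database session

        Raises:
            RuntimeError: if a username present in the graph has no matching
                User row, i.e. the graph and the database are out of sync.
        """
        graph = Graph()
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)

        # username -> names of audited groups in which that user is a
        # non-auditor approver (keyed by username string, not User object)
        nonauditor_approver_to_groups = defaultdict(set)  # type: Dict[str, Set[str]]
        # memoised per-username auditor check so each user's permissions are
        # fetched from the graph at most once, however many groups they approve
        user_is_auditor = {}  # type: Dict[str, bool]

        for group_tuple in graph.get_groups(audited=True, directly_audited=False):
            group_md = graph.get_group_details(group_tuple.groupname, expose_aliases=False)
            for username, user_md in iteritems(group_md["users"]):
                if username not in user_is_auditor:
                    user_perms = graph.get_user_details(username)["permissions"]
                    # generator rather than list: stop at the first matching permission
                    user_is_auditor[username] = any(
                        p["permission"] == PERMISSION_AUDITOR for p in user_perms
                    )
                if user_is_auditor[username]:
                    # already an auditor; nothing to promote
                    continue
                if user_md["role"] in APPROVER_ROLE_INDICES:
                    # non-auditor approver of an audited group: must be promoted
                    nonauditor_approver_to_groups[username].add(group_tuple.groupname)

        if nonauditor_approver_to_groups:
            auditors_group = get_auditors_group(self.settings, session)
            for username, group_names in iteritems(nonauditor_approver_to_groups):
                # sort so the recorded reason is deterministic regardless of set order
                reason = "auto-added due to having approver role(s) in group(s): {}".format(
                    ", ".join(sorted(group_names))
                )
                user = User.get(session, name=username)
                if user is None:
                    # `assert` is stripped under -O; a missing row means the graph
                    # and the database disagree and must not be silently skipped
                    raise RuntimeError(
                        "user {!r} is in the graph but not in the database".format(username)
                    )
                # NOTE(review): the same user is passed as both leading arguments of
                # add_member -- confirm that is the intended requester/member pairing
                auditors_group.add_member(user, user, reason, status="actioned")
                notify_nonauditor_promoted(
                    self.settings, session, user, auditors_group, group_names
                )

        session.commit()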
def user_is_auditor(username):
    """Check if a user is an auditor

    A user is an auditor when at least one permission entry the graph
    reports for that user is PERMISSION_AUDITOR.

    Args:
        username (str): The account name to check.

    Returns:
        bool: True/False.
    """
    details = Graph().get_user_details(username)
    # short-circuits on the first matching entry, exactly like an early return
    return any(p["permission"] == PERMISSION_AUDITOR for p in details["permissions"])
def user_is_auditor(username):
    """Check if a user is an auditor

    This is defined as the user having the audit permission, i.e. at least
    one of the user's permission entries equals PERMISSION_AUDITOR.

    Args:
        username (str): The account name to check.

    Returns:
        bool: True/False.
    """
    graph = Graph()
    granted = [p["permission"] for p in graph.get_user_details(username)["permissions"]]
    return PERMISSION_AUDITOR in granted
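    def promote_nonauditors(self, session):
        # type: (Session) -> None
        """Ensure every approver of an audited group holds PERMISSION_AUDITOR.

        Iterates the groups returned by ``graph.get_groups(audited=True,
        directly_audited=False)``, collects members whose role is in
        APPROVER_ROLE_INDICES but who do not hold PERMISSION_AUDITOR, adds each
        of them to the auditors group with an explanatory reason, sends one
        notification per promoted user, and commits the session.

        Args:
            session (Session): database session

        Raises:
            RuntimeError: if a username present in the graph has no matching
                User row, i.e. the graph and the database are out of sync.
        """
        graph = Graph()
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)

        # username -> names of audited groups in which that user is a
        # non-auditor approver (keyed by username string, not User object)
        nonauditor_approver_to_groups = defaultdict(set)  # type: Dict[str, Set[str]]
        # memoised per-username auditor check so each user's permissions are
        # fetched from the graph at most once, however many groups they approve
        user_is_auditor = {}  # type: Dict[str, bool]

        for group_tuple in graph.get_groups(audited=True, directly_audited=False):
            group_md = graph.get_group_details(group_tuple.name, expose_aliases=False)
            for username, user_md in iteritems(group_md["users"]):
                if username not in user_is_auditor:
                    user_perms = graph.get_user_details(username)["permissions"]
                    # generator rather than list: stop at the first matching permission
                    user_is_auditor[username] = any(
                        p["permission"] == PERMISSION_AUDITOR for p in user_perms
                    )
                if user_is_auditor[username]:
                    # already an auditor; nothing to promote
                    continue
                if user_md["role"] in APPROVER_ROLE_INDICES:
                    # non-auditor approver of an audited group: must be promoted
                    nonauditor_approver_to_groups[username].add(group_tuple.name)

        if nonauditor_approver_to_groups:
            auditors_group = get_auditors_group(self.settings, session)
            for username, group_names in iteritems(nonauditor_approver_to_groups):
                # sort so the recorded reason is deterministic regardless of set order
                reason = "auto-added due to having approver role(s) in group(s): {}".format(
                    ", ".join(sorted(group_names))
                )
                user = User.get(session, name=username)
                if user is None:
                    # `assert` is stripped under -O; a missing row means the graph
                    # and the database disagree and must not be silently skipped
                    raise RuntimeError(
                        "user {!r} is in the graph but not in the database".format(username)
                    )
                # NOTE(review): the same user is passed as both leading arguments of
                # add_member -- confirm that is the intended requester/member pairing
                auditors_group.add_member(user, user, reason, status="actioned")
                notify_nonauditor_promoted(
                    self.settings, session, user, auditors_group, group_names
                )

        session.commit()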