def just_created(self):
    # type: () -> None
    """Notify every plugin's user_created hook that this User row was just created.

    The column default for role_user has not been applied to the in-memory object
    at the point this runs, so the attribute may still be None rather than False.
    A None is reported to plugins as "not a service account" (False); any other
    value is passed through unchanged.
    """
    role_user = self.role_user
    is_service_account = False if role_user is None else role_user
    for plugin in get_plugins():
        plugin.user_created(self, is_service_account)
def disable_user(session, user):
    """Disable an enabled user.

    Every plugin's will_disable_user hook is run before the flag is cleared, so a
    plugin that raises aborts the disable without touching the user. On success
    user.enabled is set to False and the "updates" counter is incremented.

    Args:
        session: database session, passed to the plugins and to Counter.incr
        user: the user model to disable
    """
    plugins = get_plugins()
    for plugin in plugins:
        plugin.will_disable_user(session, user)
    user.enabled = False
    Counter.incr(session, "updates")
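def get_owners_by_grantable_permission(session, separate_global=False):
    """
    Returns all known permission arguments with owners.

    This consolidates permission grants supported by grouper itself as well as
    any grants governed by plugins.

    Args:
        session(sqlalchemy.orm.session.Session): database session
        separate_global(bool): if True, each group holding PERMISSION_ADMIN is
            additionally recorded under the GLOBAL_OWNERS key with argument '*',
            so callers can tell ownership-via-admin apart from a direct grant

    Returns:
        A map of permission to argument to owners of the form
        {permission: {argument: [owner1, ...], }, } where 'owners' are
        models.Group objects. And 'argument' can be '*' which means 'anything'.
        A group holding PERMISSION_ADMIN is listed as an owner of '*' for every
        known permission. Owners contributed by plugins are appended to grouper's
        own results without deduplication.
    """
    all_permissions = {permission.name: permission for permission in Permission.get_all(session)}
    # "== True" is a SQLAlchemy column expression, not a Python comparison.
    all_groups = session.query(Group).filter(Group.enabled == True).all()  # noqa: E712
    owners_by_arg_by_perm = defaultdict(lambda: defaultdict(list))

    # One query for every (permission, argument, group) grant, bucketed by group id,
    # instead of one query per enabled group.
    all_group_permissions = session.query(
        Permission.name, PermissionMap.argument, PermissionMap.granted_on, Group,
    ).filter(
        PermissionMap.group_id == Group.id,
        Permission.id == PermissionMap.permission_id,
    ).all()
    grants_by_group = defaultdict(list)
    for grant in all_group_permissions:
        grants_by_group[grant.Group.id].append(grant)

    for group in all_groups:
        group_permissions = grants_by_group[group.id]

        # Special case permission admins: the group owns every known permission for
        # any argument, so its individual grants are not examined.
        if any(gp.name == PERMISSION_ADMIN for gp in group_permissions):
            for perm_name in all_permissions:
                owners_by_arg_by_perm[perm_name]["*"].append(group)
            if separate_global:
                owners_by_arg_by_perm[GLOBAL_OWNERS]["*"].append(group)
            continue

        grants = [gp for gp in group_permissions if gp.name == PERMISSION_GRANT]
        for perm, arg in filter_grantable_permissions(session, grants, all_permissions=all_permissions):
            owners_by_arg_by_perm[perm.name][arg].append(group)

    # Merge in plugin results; a plugin returning None contributes nothing.
    for plugin in get_plugins():
        res = plugin.get_owner_by_arg_by_perm(session) or {}
        for perm, owners_by_arg in res.items():
            for arg, owners in owners_by_arg.items():
                owners_by_arg_by_perm[perm][arg] += owners

    return owners_by_arg_by_perm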
def _check_machine_set(service_account, machine_set):
    # type: (ServiceAccount, str) -> None
    """Ask every plugin to validate *machine_set* for *service_account*.

    Each plugin's check_machine_set hook is given the owning user's username and
    the proposed machine set. The first plugin that raises
    PluginRejectedMachineSet ends the check; plugins after it are not consulted
    and its message is re-raised as BadMachineSet.

    Raises:
        BadMachineSet: if some plugin rejected the machine set
    """
    try:
        for plugin in get_plugins():
            plugin.check_machine_set(service_account.user.username, machine_set)
    except PluginRejectedMachineSet as rejection:
        raise BadMachineSet(str(rejection))
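def get_owners_by_grantable_permission(session):
    """
    Returns all known permission arguments with owners.

    This consolidates permission grants supported by grouper itself as well as
    any grants governed by plugins.

    Args:
        session(sqlalchemy.orm.session.Session): database session

    Returns:
        A map of permission to argument to owners of the form
        {permission: {argument: [owner1, ...], }, } where 'owners' are
        models.Group objects. And 'argument' can be '*' which means 'anything'.
        A group holding PERMISSION_ADMIN is listed as an owner of '*' for every
        known permission. Owners contributed by plugins are appended to grouper's
        own results without deduplication.
    """
    all_permissions = {permission.name: permission for permission in Permission.get_all(session)}
    # "== True" is a SQLAlchemy column expression, not a Python comparison.
    all_groups = session.query(Group).filter(Group.enabled == True).all()  # noqa: E712
    owners_by_arg_by_perm = defaultdict(lambda: defaultdict(list))

    # Fetch every group's grants with a single query and bucket them by group id,
    # rather than issuing one query per enabled group.
    all_group_permissions = session.query(
        Permission.name, PermissionMap.argument, PermissionMap.granted_on, Group,
    ).filter(
        PermissionMap.group_id == Group.id,
        Permission.id == PermissionMap.permission_id,
    ).all()
    grants_by_group = defaultdict(list)
    for grant in all_group_permissions:
        grants_by_group[grant.Group.id].append(grant)

    for group in all_groups:
        group_permissions = grants_by_group[group.id]

        # Special case permission admins: the group owns every known permission for
        # any argument, so its individual grants are not examined.
        if any(gp.name == PERMISSION_ADMIN for gp in group_permissions):
            for perm_name in all_permissions:
                owners_by_arg_by_perm[perm_name]["*"].append(group)
            continue

        grants = [gp for gp in group_permissions if gp.name == PERMISSION_GRANT]
        for perm, arg in filter_grantable_permissions(session, grants, all_permissions=all_permissions):
            owners_by_arg_by_perm[perm.name][arg].append(group)

    # Merge in plugin results; a plugin returning None contributes nothing.
    for plugin in get_plugins():
        res = plugin.get_owner_by_arg_by_perm(session) or {}
        for perm, owners_by_arg in res.items():
            for arg, owners in owners_by_arg.items():
                owners_by_arg_by_perm[perm][arg] += owners

    return owners_by_arg_by_perm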
def log(session, actor_id, action, description, on_user_id=None, on_group_id=None, on_permission_id=None, on_tag_id=None, category=AuditLogCategory.general):
    """
    Log an event in the database.

    The entry is flushed and then the session is committed (which also commits
    anything else pending on it). Only after a successful commit is every
    plugin's log_auditlog_entry hook handed the entry.

    Args:
        session(Session): database session
        actor_id(int): actor
        action(str): unique string identifier for action taken
        description(str): description for action taken
        on_user_id(int): user affected, if any
        on_group_id(int): group affected, if any
        on_permission_id(int): permission affected, if any
        on_tag_id(int): tag affected, if any
        category(AuditLogCategory): category of log entry

    Raises:
        AuditLogFailure: if inserting the entry hit an IntegrityError; the
            session has been rolled back before this is raised
    """
    # Falsy target ids are normalised to None so "not affected" is stored uniformly.
    entry = AuditLog(
        actor_id=actor_id,
        log_time=datetime.utcnow(),
        action=action,
        description=description,
        on_user_id=on_user_id or None,
        on_group_id=on_group_id or None,
        on_permission_id=on_permission_id or None,
        on_tag_id=on_tag_id or None,
        category=int(category),
    )
    try:
        entry.add(session)
        session.flush()
    except IntegrityError:
        session.rollback()
        raise AuditLogFailure()
    else:
        session.commit()

    for plugin in get_plugins():
        plugin.log_auditlog_entry(entry)
def log(session, actor_id, action, description, on_user_id=None, on_group_id=None, on_permission_id=None, on_tag_id=None, category=AuditLogCategory.general):
    '''
    Log an event in the database.

    The entry is flushed and the session committed (which also commits anything
    else pending on it) before any plugin's log_auditlog_entry hook is called;
    a failed insert means plugins never see the entry.

    Args:
        session(Session): database session
        actor_id(int): actor
        action(str): unique string identifier for action taken
        description(str): description for action taken
        on_user_id(int): user affected, if any
        on_group_id(int): group affected, if any
        on_permission_id(int): permission affected, if any
        on_tag_id(int): tag affected, if any
        category(AuditLogCategory): category of log entry

    Raises:
        AuditLogFailure: if inserting the entry hit an IntegrityError; the
            session has been rolled back before this is raised
    '''
    def _id_or_none(value):
        # A falsy id (None or 0) is stored as None, i.e. "nothing affected".
        return value if value else None

    entry = AuditLog(
        actor_id=actor_id,
        log_time=datetime.utcnow(),
        action=action,
        description=description,
        on_user_id=_id_or_none(on_user_id),
        on_group_id=_id_or_none(on_group_id),
        on_permission_id=_id_or_none(on_permission_id),
        on_tag_id=_id_or_none(on_tag_id),
        category=int(category),
    )

    try:
        entry.add(session)
        session.flush()
    except IntegrityError:
        session.rollback()
        raise AuditLogFailure()
    session.commit()

    plugins = get_plugins()
    for plugin in plugins:
        plugin.log_auditlog_entry(entry)
def persist_group_member_changes(session, group, requester, member, status, reason, create_edge=False, **updates):
    """Record a membership change for *member* in *group*, applying it when already actioned.

    Writes a Request, its initial RequestStatusChange (to *status*) and a Comment
    carrying *reason*, all stamped with the same requested_at time and attributed to
    *requester*. With create_edge=True a new group/member edge is created (role
    taken from updates, default "member"); otherwise the existing edge is looked up.
    When *status* is "actioned" the edge is updated with the request's changes
    immediately. Each write is flushed before the next so generated ids are available.

    Args:
        session: database session
        group: the group whose membership is changing
        requester: user recorded as author of the request, status change and comment
        member: the user or group the change is about
        status(str): initial request status
        reason(str): free-text comment stored with the status change
        create_edge(bool): create the edge instead of looking it up
        **updates: the membership changes to serialize onto the request; a "role"
            entry is validated against member.member_type first, and every plugin's
            will_update_group_membership hook sees the full set before anything is
            written, so a plugin that raises aborts the change

    Returns:
        The Request that was written.

    Raises:
        MemberNotFound: if no edge exists for the member after creation/lookup
    """
    requested_at = datetime.utcnow()

    if "role" in updates:
        _validate_role(member.member_type, updates["role"])

    for plugin in get_plugins():
        plugin.will_update_group_membership(session, group, member, **updates)

    edge = (
        _create_edge(session, group, member, updates.get("role", "member"))
        if create_edge
        else _get_edge(session, group, member)
    )
    if not edge:
        raise MemberNotFound()

    changes = _serialize_changes(edge, **updates)
    request = Request(
        requester_id=requester.id,
        requesting_id=group.id,
        on_behalf_obj_type=member.member_type,
        on_behalf_obj_pk=member.id,
        requested_at=requested_at,
        edge_id=edge.id,
        status=status,
        changes=changes,
    ).add(session)
    session.flush()

    status_change = RequestStatusChange(
        request=request,
        user_id=requester.id,
        to_status=status,
        change_at=requested_at,
    ).add(session)
    session.flush()

    Comment(
        obj_type=OBJ_TYPES["RequestStatusChange"],
        obj_pk=status_change.id,
        user_id=requester.id,
        comment=reason,
        created_on=requested_at,
    ).add(session)
    session.flush()

    if status == "actioned":
        edge.apply_changes(request)
        session.flush()

    Counter.incr(session, "updates")
    return request
def just_created(self):
    """Run every plugin's user_created hook for this freshly created User."""
    plugins = get_plugins()
    for plugin in plugins:
        plugin.user_created(self)