Example #1
0
 def just_created(self):
     # type: () -> None
     """Call the user_created plugin on new User creation."""
     # This is a little weird because the default value of the column isn't applied in the
     # object at the time this is called, so role_user may be None instead of False.
     is_service_account = self.role_user is not None and self.role_user
     for plugin in get_plugins():
         plugin.user_created(self, is_service_account)
Example #2
0
def disable_user(session, user):
    """Disables an enabled user"""

    for plugin in get_plugins():
        plugin.will_disable_user(session, user)

    user.enabled = False
    Counter.incr(session, "updates")
Example #3
0
def get_owners_by_grantable_permission(session, separate_global=False):
    """
    Returns all known permission arguments with owners. This consolidates
    permission grants supported by grouper itself as well as any grants
    governed by plugins.

    Args:
        session(sqlalchemy.orm.session.Session): database session

    Returns:
        A map of permission to argument to owners of the form {permission:
        {argument: [owner1, ...], }, } where 'owners' are models.Group objects.
        And 'argument' can be '*' which means 'anything'.
    """
    all_permissions = {permission.name: permission for permission in Permission.get_all(session)}
    all_groups = session.query(Group).filter(Group.enabled == True).all()

    owners_by_arg_by_perm = defaultdict(lambda: defaultdict(list))

    all_group_permissions = session.query(
            Permission.name,
            PermissionMap.argument,
            PermissionMap.granted_on,
            Group,
    ).filter(
            PermissionMap.group_id == Group.id,
            Permission.id == PermissionMap.permission_id,
    ).all()

    grants_by_group = defaultdict(list)

    for grant in all_group_permissions:
        grants_by_group[grant.Group.id].append(grant)

    for group in all_groups:
        # special case permission admins
        group_permissions = grants_by_group[group.id]
        if any(filter(lambda g: g.name == PERMISSION_ADMIN, group_permissions)):
            for perm_name in all_permissions:
                owners_by_arg_by_perm[perm_name]["*"].append(group)
            if separate_global:
                owners_by_arg_by_perm[GLOBAL_OWNERS]["*"].append(group)
            continue

        grants = [gp for gp in group_permissions if gp.name == PERMISSION_GRANT]

        for perm, arg in filter_grantable_permissions(session, grants,
                all_permissions=all_permissions):
            owners_by_arg_by_perm[perm.name][arg].append(group)

    # merge in plugin results
    for plugin in get_plugins():
        res = plugin.get_owner_by_arg_by_perm(session) or {}
        for perm, owners_by_arg in res.items():
            for arg, owners in owners_by_arg.items():
                owners_by_arg_by_perm[perm][arg] += owners

    return owners_by_arg_by_perm
Example #4
0
def _check_machine_set(service_account, machine_set):
    # type: (ServiceAccount, str) -> None
    """Verify a service account machine set with plugins.

    Raises:
        BadMachineSet: if some plugin rejected the machine set
    """
    try:
        for plugin in get_plugins():
            plugin.check_machine_set(service_account.user.username, machine_set)
    except PluginRejectedMachineSet as e:
        raise BadMachineSet(str(e))
Example #5
0
def get_owners_by_grantable_permission(session):
    """
    Returns all known permission arguments with owners. This consolidates
    permission grants supported by grouper itself as well as any grants
    governed by plugins.

    Args:
        session(sqlalchemy.orm.session.Session): database session

    Returns:
        A map of permission to argument to owners of the form {permission:
        {argument: [owner1, ...], }, } where 'owners' are models.Group objects.
        And 'argument' can be '*' which means 'anything'.
    """
    all_permissions = {permission.name: permission for permission in Permission.get_all(session)}
    all_groups = session.query(Group).filter(Group.enabled == True).all()

    owners_by_arg_by_perm = defaultdict(lambda: defaultdict(list))
    for group in all_groups:
        group_permissions = session.query(
                Permission.name,
                PermissionMap.argument,
                PermissionMap.granted_on,
                Group,
        ).filter(
                PermissionMap.group_id == Group.id,
                Group.id == group.id,
                Permission.id == PermissionMap.permission_id,
        ).all()

        # special case permission admins
        if any(filter(lambda g: g.name == PERMISSION_ADMIN, group_permissions)):
            for perm_name in all_permissions:
                owners_by_arg_by_perm[perm_name]["*"].append(group)
            continue

        grants = [gp for gp in group_permissions if gp.name == PERMISSION_GRANT]

        for perm, arg in filter_grantable_permissions(session, grants,
                all_permissions=all_permissions):
            owners_by_arg_by_perm[perm.name][arg].append(group)

    # merge in plugin results
    for plugin in get_plugins():
        res = plugin.get_owner_by_arg_by_perm(session) or {}
        for perm, owners_by_arg in res.items():
            for arg, owners in owners_by_arg.items():
                owners_by_arg_by_perm[perm][arg] += owners

    return owners_by_arg_by_perm
Example #6
0
    def log(session,
            actor_id,
            action,
            description,
            on_user_id=None,
            on_group_id=None,
            on_permission_id=None,
            on_tag_id=None,
            category=AuditLogCategory.general):
        """
        Log an event in the database.

        Args:
            session(Session): database session
            actor_id(int): actor
            action(str): unique string identifier for action taken
            description(str): description for action taken
            on_user_id(int): user affected, if any
            on_group_id(int): group affected, if any
            on_permission_id(int): permission affected, if any
            category(AuditLogCategory): category of log entry
        """
        entry = AuditLog(
            actor_id=actor_id,
            log_time=datetime.utcnow(),
            action=action,
            description=description,
            on_user_id=on_user_id if on_user_id else None,
            on_group_id=on_group_id if on_group_id else None,
            on_permission_id=on_permission_id if on_permission_id else None,
            on_tag_id=on_tag_id if on_tag_id else None,
            category=int(category),
        )
        try:
            entry.add(session)
            session.flush()
        except IntegrityError:
            session.rollback()
            raise AuditLogFailure()
        session.commit()

        for plugin in get_plugins():
            plugin.log_auditlog_entry(entry)
Example #7
0
    def log(session, actor_id, action, description,
            on_user_id=None, on_group_id=None, on_permission_id=None, on_tag_id=None,
            category=AuditLogCategory.general):
        '''
        Log an event in the database.

        Args:
            session(Session): database session
            actor_id(int): actor
            action(str): unique string identifier for action taken
            description(str): description for action taken
            on_user_id(int): user affected, if any
            on_group_id(int): group affected, if any
            on_permission_id(int): permission affected, if any
            category(AuditLogCategory): category of log entry
        '''
        entry = AuditLog(
            actor_id=actor_id,
            log_time=datetime.utcnow(),
            action=action,
            description=description,
            on_user_id=on_user_id if on_user_id else None,
            on_group_id=on_group_id if on_group_id else None,
            on_permission_id=on_permission_id if on_permission_id else None,
            on_tag_id=on_tag_id if on_tag_id else None,
            category=int(category),
        )
        try:
            entry.add(session)
            session.flush()
        except IntegrityError:
            session.rollback()
            raise AuditLogFailure()
        session.commit()

        for plugin in get_plugins():
            plugin.log_auditlog_entry(entry)
Example #8
0
def persist_group_member_changes(session,
                                 group,
                                 requester,
                                 member,
                                 status,
                                 reason,
                                 create_edge=False,
                                 **updates):
    requested_at = datetime.utcnow()

    if "role" in updates:
        role = updates["role"]
        _validate_role(member.member_type, role)

    for plugin in get_plugins():
        plugin.will_update_group_membership(session, group, member, **updates)

    if create_edge:
        edge = _create_edge(session, group, member,
                            updates.get("role", "member"))
    else:
        edge = _get_edge(session, group, member)
        if not edge:
            raise MemberNotFound()

    changes = _serialize_changes(edge, **updates)

    request = Request(
        requester_id=requester.id,
        requesting_id=group.id,
        on_behalf_obj_type=member.member_type,
        on_behalf_obj_pk=member.id,
        requested_at=requested_at,
        edge_id=edge.id,
        status=status,
        changes=changes,
    ).add(session)
    session.flush()

    request_status_change = RequestStatusChange(
        request=request,
        user_id=requester.id,
        to_status=status,
        change_at=requested_at,
    ).add(session)
    session.flush()

    Comment(
        obj_type=OBJ_TYPES["RequestStatusChange"],
        obj_pk=request_status_change.id,
        user_id=requester.id,
        comment=reason,
        created_on=requested_at,
    ).add(session)
    session.flush()

    if status == "actioned":
        edge.apply_changes(request)
        session.flush()

    Counter.incr(session, "updates")

    return request
Example #9
0
 def just_created(self):
     for plugin in get_plugins():
         plugin.user_created(self)
Example #10
0
 def just_created(self):
     for plugin in get_plugins():
         plugin.user_created(self)