def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
if user.role_user:
disable_role_user(self.session, user=user)
else:
disable_user(self.session, user)
except PluginRejectedDisablingUser as e:
alert = Alert("danger", str(e))
return self.redirect("/users/{}".format(user.name), alerts=[alert])
self.session.commit()
AuditLog.log(
self.session,
self.current_user.id,
"disable_user",
"Disabled user.",
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
if user.role_user:
disable_role_user(self.session, user=user)
else:
disable_user(self.session, user)
except PluginRejectedDisablingUser as e:
alert = Alert("danger", str(e))
return self.redirect("/users/{}".format(user.name), alerts=[alert])
self.session.commit()
AuditLog.log(self.session,
self.current_user.id,
'disable_user',
'Disabled user.',
on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_can_disable_member(get_plugin_proxy, session, groups, users):
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
member = users["*****@*****.**"]
add_member(group, member)
disable_user(session, member)
def test_cant_disable_last_owner(get_plugin_proxy, session, groups, users):
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
owner = users["*****@*****.**"]
add_member(group, owner, role="owner")
with pytest.raises(PluginRejectedDisablingUser):
disable_user(session, owner)
def disable_role_user(session, user=None, group=None):
# type: (Session, User, Group) -> None
"""
Disables all components of the service account corresponding to user/group.
Args:
session: the database session
user: the User component of the service account to be disabled
group: the Group component of the service account to be disabled
"""
acc = get_role_user(session, user, group)
disable_user(session, acc.user)
acc.group.enabled = False
acc.user.add(session)
acc.group.add(session)
def disable_role_user(session, user=None, group=None):
# type: (Session, User, Group) -> None
"""
Disables all components of the service account corresponding to user/group.
Args:
session: the database session
user: the User component of the service account to be disabled
group: the Group component of the service account to be disabled
"""
acc = get_role_user(session, user, group)
disable_user(session, acc.user)
acc.group.enabled = False
acc.user.add(session)
acc.group.add(session)
def disable_service_account(session, actor, service_account):
# type: (Session, User, ServiceAccount) -> None
"""Disables a service account and deletes the association with a Group."""
disable_user(session, service_account.user)
owner_id = service_account.owner.group.id
service_account.owner.delete(session)
permissions = session.query(ServiceAccountPermissionMap).filter_by(
service_account_id=service_account.id)
for permission in permissions:
permission.delete(session)
AuditLog.log(session, actor.id, "disable_service_account", "Disabled service account.",
on_group_id=owner_id, on_user_id=service_account.user_id)
Counter.incr(session, "updates")
session.commit()
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
user = User.get(self.session, name=name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
try:
if user.role_user:
disable_role_user(self.session, user=user)
else:
disable_user(self.session, user)
except PluginRejectedDisablingUser as e:
alert = Alert("danger", str(e))
return self.redirect("/users/{}".format(user.name), alerts=[alert])
self.session.commit()
AuditLog.log(
self.session,
self.current_user.id,
"disable_user",
"Disabled user.",
on_user_id=user.id,
)
if user.role_user:
group = Group.get(self.session, name=user.username)
if group and group.audit:
# complete the audit
group.audit.complete = True
self.session.commit()
cancel_async_emails(self.session, f"audit-{group.id}")
AuditLog.log(
self.session,
self.current_user.id,
"complete_audit",
"Disabling group completes group audit.",
on_group_id=group.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
if user.role_user:
disable_service_account(self.session, user=user)
else:
disable_user(self.session, user)
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'disable_user',
'Disabled user.', on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
if user.role_user:
disable_service_account(self.session, user=user)
else:
disable_user(self.session, user)
self.session.commit()
AuditLog.log(self.session,
self.current_user.id,
'disable_user',
'Disabled user.',
on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def user_command(args, settings, session_factory):
# type: (Namespace, CtlSettings, SessionFactory) -> None
session = session_factory.create_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
"disable_user",
"(Administrative) User disabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error("%s", e)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
AuditLog.log(
session,
user.id,
"enable_user",
"(Administrative) User enabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
logging.info("Setting %s metadata: %s=%s", args.username,
args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
logging.info("Adding public key for user")
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
logging.error("Key already in use")
return
except public_key.PublicKeyParseError:
logging.error("Public key appears to be invalid")
return
AuditLog.log(
session,
user.id,
"add_public_key",
"(Administrative) Added public key: {}".format(
pubkey.fingerprint_sha256),
on_user_id=user.id,
)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
'disable_user',
'(Administrative) User disabled via grouper-ctl',
on_user_id=user.id)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error(e.message)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
AuditLog.log(session,
user.id,
'enable_user',
'(Administrative) User enabled via grouper-ctl',
on_user_id=user.id)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key,
args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session,
user.id,
'add_public_key',
'(Administrative) Added public key: {}'.format(
pubkey.fingerprint),
on_user_id=user.id)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
if user.role_user:
disable_service_account(session, user)
else:
disable_user(session, user)
session.commit()
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_service_account(session, user,
preserve_membership=args.preserve_membership, user=user)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session, user.id, 'add_public_key',
'(Administrative) Added public key: {}'.format(pubkey.fingerprint),
on_user_id=user.id)
def user_command(args, settings, session_factory):
# type: (Namespace, CtlSettings, SessionFactory) -> None
session = session_factory.create_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
"disable_user",
"(Administrative) User disabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error("%s", e)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session, user, preserve_membership=args.preserve_membership, user=user
)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
AuditLog.log(
session,
user.id,
"enable_user",
"(Administrative) User enabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
logging.info(
"Setting %s metadata: %s=%s", args.username, args.metadata_key, args.metadata_value
)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
logging.info("Adding public key for user")
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
logging.error("Key already in use")
return
except public_key.PublicKeyParseError:
logging.error("Public key appears to be invalid")
return
AuditLog.log(
session,
user.id,
"add_public_key",
"(Administrative) Added public key: {}".format(pubkey.fingerprint_sha256),
on_user_id=user.id,
)
