def validate_name(self, field):
query = IPNetworkGroup.find(
db.func.lower(IPNetworkGroup.name) == field.data.lower())
if self._network_group_id is not None:
query = query.filter(IPNetworkGroup.id != self._network_group_id)
if query.first():
raise ValueError(_("An IP network with this name already exists."))
def principal_from_fossil(fossil, allow_pending=False, allow_groups=True, legacy=True, allow_missing_groups=False,
allow_emails=False, allow_networks=False):
from indico.modules.networks.models.networks import IPNetworkGroup
from indico.modules.groups import GroupProxy
from indico.modules.users import User
type_ = fossil['_type']
id_ = fossil['id']
if type_ == 'Avatar':
if isinstance(id_, int) or id_.isdigit():
# regular user
user = User.get(int(id_))
elif allow_pending:
data = GenericCache('pending_identities').get(id_)
if not data:
raise ValueError("Cannot find user '{}' in cache".format(id_))
data = {k: '' if v is None else v for (k, v) in data.items()}
email = data['email'].lower()
# check if there is not already a (pending) user with that e-mail
# we need to check for non-pending users too since the search may
# show a user from external results even though the email belongs
# to an indico account in case some of the search criteria did not
# match the indico account
user = User.find_first(User.all_emails.contains(email), ~User.is_deleted)
if not user:
user = User(first_name=data.get('first_name') or '', last_name=data.get('last_name') or '',
email=email,
address=data.get('address', ''), phone=data.get('phone', ''),
affiliation=data.get('affiliation', ''), is_pending=True)
db.session.add(user)
db.session.flush()
else:
raise ValueError("Id '{}' is not a number and allow_pending=False".format(id_))
if user is None:
raise ValueError('User does not exist: {}'.format(id_))
return user.as_avatar if legacy else user
elif allow_emails and type_ == 'Email':
return EmailPrincipal(id_)
elif allow_networks and type_ == 'IPNetworkGroup':
group = IPNetworkGroup.get(int(id_))
if group is None:
raise ValueError('IP network group does not exist: {}'.format(id_))
return group
elif allow_groups and type_ in {'LocalGroupWrapper', 'LocalGroup'}:
group = GroupProxy(int(id_))
if group.group is None:
raise ValueError('Local group does not exist: {}'.format(id_))
return group.as_legacy_group if legacy else group
elif allow_groups and type_ in {'LDAPGroupWrapper', 'MultipassGroup'}:
provider = fossil['provider']
group = GroupProxy(id_, provider)
if group.group is None and not allow_missing_groups:
raise ValueError('Multipass group does not exist: {}:{}'.format(provider, id_))
return group.as_legacy_group if legacy else group
else:
raise ValueError('Unexpected fossil type: {}'.format(type_))
def _process(self):
form = IPNetworkGroupForm()
if form.validate_on_submit():
network_group = IPNetworkGroup()
form.populate_obj(network_group)
db.session.add(network_group)
db.session.flush()
logger.info('Network group %s created by %s', network_group, session.user)
return jsonify_data(flash=False)
return jsonify_form(form)
def migrate_networks(self):
self.print_step('migrating networks')
for domain in committing_iterator(self._iter_domains()):
ip_networks = filter(None, map(self._to_network, set(domain.filterList)))
if not ip_networks:
self.print_warning(cformat('%{yellow}Domain has no valid IPs: {}')
.format(convert_to_unicode(domain.name)))
network = IPNetworkGroup(name=convert_to_unicode(domain.name),
description=convert_to_unicode(domain.description), networks=ip_networks)
db.session.add(network)
self.print_success(repr(network))
db.session.flush()
def test_iter_acl():
user = User()
user_p = MagicMock(principal=user, spec=['principal'])
ipn = IPNetworkGroup()
ipn_p = MagicMock(principal=ipn, spec=['principal'])
local_group = GroupProxy(123, _group=MagicMock())
local_group_p = MagicMock(principal=local_group, spec=['principal'])
remote_group = GroupProxy('foo', 'bar')
remote_group_p = MagicMock(principal=remote_group, spec=['principal'])
acl = [
ipn, user_p, remote_group, local_group_p, user, local_group,
remote_group_p, ipn_p
]
assert list(iter_acl(iter(acl))) == [
user_p, user, ipn, ipn_p, local_group_p, local_group, remote_group,
remote_group_p
]
def migrate_networks(self):
for domain in self._iter_domains():
ip_networks = filter(None,
map(self._to_network, set(domain.filterList)))
if not ip_networks:
self.print_warning(
'%[yellow]Domain has no valid IPs: {}'.format(
convert_to_unicode(domain.name)))
network = IPNetworkGroup(name=convert_to_unicode(domain.name),
description=convert_to_unicode(
domain.description),
networks=ip_networks)
db.session.add(network)
self.global_ns.ip_domains[convert_to_unicode(
domain.name).lower()] = network
self.print_success(repr(network))
db.session.flush()
def migrate_global_ip_acl(self):
ip_networks = filter(
None,
map(self._to_network,
self.makac_info._ip_based_acl_mgr._full_access_acl))
if not ip_networks:
self.print_error('%[red]No valid IPs found')
return
network = IPNetworkGroup(
name='Full Attachment Access',
hidden=True,
attachment_access_override=True,
description=
'IPs that can access all attachments without authentication',
networks=ip_networks)
db.session.add(network)
db.session.flush()
self.print_success(repr(network))
def migrate_global_ip_acl(self):
self.print_step('migrating global ip acl')
minfo = self.zodb_root['MaKaCInfo']['main']
ip_networks = filter(
None,
map(self._to_network, minfo._ip_based_acl_mgr._full_access_acl))
if not ip_networks:
self.print_error(cformat('%{red}No valid IPs found'))
return
network = IPNetworkGroup(
name='Full Attachment Access',
hidden=True,
attachment_access_override=True,
description=
'IPs that can access all attachments without authentication',
networks=ip_networks)
db.session.add(network)
db.session.flush()
self.print_success(repr(network), always=True)
db.session.commit()
def principal_from_fossil(fossil, allow_pending=False, allow_groups=True, allow_missing_groups=False,
allow_emails=False, allow_networks=False, existing_data=None, event=None):
from indico.modules.networks.models.networks import IPNetworkGroup
from indico.modules.events.models.roles import EventRole
from indico.modules.groups import GroupProxy
from indico.modules.users import User
if existing_data is None:
existing_data = set()
type_ = fossil['_type']
id_ = fossil['id']
if type_ == 'Avatar':
if isinstance(id_, int) or id_.isdigit():
# regular user
user = User.get(int(id_))
elif allow_pending:
data = GenericCache('pending_identities').get(id_)
if not data:
raise ValueError("Cannot find user '{}' in cache".format(id_))
data = {k: '' if v is None else v for k, v in data.items()}
email = data['email'].lower()
# check if there is not already a (pending) user with that e-mail
# we need to check for non-pending users too since the search may
# show a user from external results even though the email belongs
# to an indico account in case some of the search criteria did not
# match the indico account
user = User.query.filter(User.all_emails == email, ~User.is_deleted).first()
if not user:
user = User(first_name=data.get('first_name') or '', last_name=data.get('last_name') or '',
email=email,
address=data.get('address', ''), phone=data.get('phone', ''),
affiliation=data.get('affiliation', ''), is_pending=True)
db.session.add(user)
db.session.flush()
else:
raise ValueError("Id '{}' is not a number and allow_pending=False".format(id_))
if user is None:
raise ValueError('User does not exist: {}'.format(id_))
return user
elif allow_emails and type_ == 'Email':
return EmailPrincipal(id_)
elif allow_networks and type_ == 'IPNetworkGroup':
group = IPNetworkGroup.get(int(id_))
if group is None or (group.hidden and group not in existing_data):
raise ValueError('IP network group does not exist: {}'.format(id_))
return group
elif allow_groups and type_ in {'LocalGroupWrapper', 'LocalGroup'}:
group = GroupProxy(int(id_))
if group.group is None:
raise ValueError('Local group does not exist: {}'.format(id_))
return group
elif allow_groups and type_ in {'LDAPGroupWrapper', 'MultipassGroup'}:
provider = fossil['provider']
group = GroupProxy(id_, provider)
if group.group is None and not allow_missing_groups:
raise ValueError('Multipass group does not exist: {}:{}'.format(provider, id_))
return group
elif event and type_ == 'EventRole':
role = EventRole.get(id_)
role_name = fossil.get('name')
if role is None:
raise ValueError('Role does not exist: {}:{}'.format(role_name, id_))
if role.event != event:
raise ValueError('Role does not belong to provided event: {}:{} - {}'.format(role_name, id_, event))
return role
else:
raise ValueError('Unexpected fossil type: {}'.format(type_))
def _checkParams(self):
self.network_group = IPNetworkGroup.get_one(
request.view_args['network_group_id'])
def _process(self):
network_groups = IPNetworkGroup.find().order_by(
IPNetworkGroup.name).all()
return WPNetworksAdmin.render_template('networks.html',
'ip_networks',
network_groups=network_groups)
def _process_args(self):
self.network_group = IPNetworkGroup.get_or_404(
request.view_args['network_group_id'])
def validate_name(self, field):
query = IPNetworkGroup.find(db.func.lower(IPNetworkGroup.name) == field.data.lower())
if self._network_group_id is not None:
query = query.filter(IPNetworkGroup.id != self._network_group_id)
if query.first():
raise ValueError(_("An IP network with this name already exists."))
def _process(self):
network_groups = IPNetworkGroup.find().order_by(IPNetworkGroup.name).all()
return WPNetworksAdmin.render_template('networks.html', 'ip_networks', network_groups=network_groups)
def _process_args(self):
self.network_group = IPNetworkGroup.get_one(request.view_args['network_group_id'])
def has_data(self):
return IPNetworkGroup.has_rows()
def _checkParams(self):
self.network_group = IPNetworkGroup.get_one(request.view_args["network_group_id"])
def principal_from_identifier(identifier, allow_groups=False, allow_external_users=False, allow_event_roles=False,
allow_category_roles=False, allow_registration_forms=False, allow_emails=False,
allow_networks=False, event_id=None, category_id=None, soft_fail=False):
from indico.modules.categories.models.categories import Category
from indico.modules.categories.models.roles import CategoryRole
from indico.modules.events.models.events import Event
from indico.modules.events.models.roles import EventRole
from indico.modules.events.registration.models.forms import RegistrationForm
from indico.modules.groups import GroupProxy
from indico.modules.networks.models.networks import IPNetworkGroup
from indico.modules.users import User
if allow_category_roles and category_id is None and event_id is None:
raise ValueError('Cannot use category roles without a category/event context')
if allow_event_roles and event_id is None:
raise ValueError('Cannot use event roles without an event context')
if allow_registration_forms and event_id is None:
raise ValueError('Cannot use registration forms without an event context')
try:
type_, data = identifier.split(':', 1)
except ValueError:
raise ValueError('Invalid data')
if type_ == 'User':
try:
user_id = int(data)
except ValueError:
raise ValueError('Invalid data')
user = User.get(user_id, is_deleted=(None if soft_fail else False))
if user is None:
raise ValueError(f'Invalid user: {user_id}')
return user
elif type_ == 'ExternalUser':
if not allow_external_users:
raise ValueError('External users are not allowed')
cache = make_scoped_cache('external-user')
external_user_data = cache.get(data)
if not external_user_data:
raise ValueError('Invalid data')
user = User.query.filter(User.all_emails == external_user_data['email'], ~User.is_deleted).first()
if user:
return user
# create a pending user. this user isn't sent to the DB unless it gets added
# to the sqlalchemy session somehow (e.g. by adding it to an ACL).
# like this processing form data does not result in something being stored in
# the database, which is good!
return User(first_name=external_user_data['first_name'], last_name=external_user_data['last_name'],
email=external_user_data['email'], affiliation=external_user_data['affiliation'],
address=external_user_data['address'], phone=external_user_data['phone'], is_pending=True)
elif type_ == 'Group':
if not allow_groups:
raise ValueError('Groups are not allowed')
try:
provider, name = data.split(':', 1)
except ValueError:
raise ValueError('Invalid data')
if not provider:
# local group
try:
group_id = int(name)
except ValueError:
raise ValueError('Invalid data')
group = GroupProxy(group_id)
else:
# multipass group
group = GroupProxy(name, provider)
if not soft_fail and group.group is None:
raise ValueError(f'Invalid group: {data}')
return group
elif type_ == 'EventRole':
if not allow_event_roles:
raise ValueError('Event roles are not allowed')
try:
event_role_id = int(data)
except ValueError:
raise ValueError('Invalid data')
event_role = EventRole.get(event_role_id)
if event_role is None or event_role.event_id != event_id:
raise ValueError(f'Invalid event role: {event_role_id}')
return event_role
elif type_ == 'CategoryRole':
if not allow_category_roles:
raise ValueError('Category roles are not allowed')
category = None
if category_id is not None:
category = Category.get(category_id)
if category is None:
raise ValueError(f'Invalid category id: {category_id}')
elif event_id is not None:
event = Event.get(event_id)
if event is None:
raise ValueError(f'Invalid event id: {event_id}')
category = event.category
try:
category_role_id = int(data)
except ValueError:
raise ValueError('Invalid data')
if soft_fail:
category_role = CategoryRole.get(category_role_id)
else:
category_role = CategoryRole.get_category_role_by_id(category, category_role_id)
if category_role is None:
raise ValueError(f'Invalid category role: {category_role_id}')
return category_role
elif type_ == 'RegistrationForm':
if not allow_registration_forms:
raise ValueError('Registration forms are not allowed')
try:
reg_form_id = int(data)
except ValueError:
raise ValueError('Invalid data')
registration_form = RegistrationForm.get(reg_form_id, is_deleted=(None if soft_fail else False))
if registration_form is None or registration_form.event_id != event_id:
raise ValueError(f'Invalid registration form: {reg_form_id}')
return registration_form
elif type_ == 'Email':
if not allow_emails:
raise ValueError('Emails are not allowed')
return EmailPrincipal(data)
elif type_ == 'IPNetworkGroup':
if not allow_networks:
raise ValueError('Network groups are not allowed')
try:
netgroup_id = int(data)
except ValueError:
raise ValueError('Invalid data')
netgroup = IPNetworkGroup.get(netgroup_id)
if netgroup is None or (netgroup.hidden and not soft_fail):
raise ValueError(f'Invalid network group: {netgroup_id}')
return netgroup
else:
raise ValueError('Invalid data')
if not allow_registration_forms:
raise ValueError('Registration forms are not allowed')
try:
reg_form_id = int(data)
except ValueError:
raise ValueError('Invalid data')
registration_form = RegistrationForm.get(
reg_form_id, is_deleted=(None if soft_fail else False))
if registration_form is None or registration_form.event_id != event_id:
raise ValueError(f'Invalid registration form: {reg_form_id}')
return registration_form
elif type_ == 'Email':
if not allow_emails:
raise ValueError('Emails are not allowed')
return EmailPrincipal(data)
elif type_ == 'IPNetworkGroup':
if not allow_networks:
raise ValueError('Network groups are not allowed')
try:
netgroup_id = int(data)
except ValueError:
raise ValueError('Invalid data')
netgroup = IPNetworkGroup.get(netgroup_id)
if netgroup is None or (netgroup.hidden and not soft_fail):
raise ValueError(f'Invalid network group: {netgroup_id}')
return netgroup
else:
raise ValueError('Invalid data')
