def delete_user(user):
"""
This command deletes an existing user from the RBAC database. The command is valid if and only if the user to be deleted is a member of the USERS data set.
The USERS and UA data sets and the assigned_users function are updated. This method performs a "hard" delete.
It completely removes all data associated with this user from the directory.
User entity must exist in directory prior to making this call else exception will be thrown.
required parameters:
user.uid - maps to INetOrgPerson uid
"""
utils.validate_user(user)
# get the user's role assignments from its entry.
out_user = userdao.read(user)
# it's needed to remove the user membership from associated role entries.
for role_nm in out_user.roles:
try:
roledao.remove_member(Role(name=role_nm), user.uid)
logger.info('admin.delete_user:'******', removed as member of role:' + role_nm)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.delete_user:'******', is not occupant of role:' + role_nm)
# now remove the user entry:
return userdao.delete(user)
def deassign(user, role):
"""
This command deletes the assignment of the User from the Role entities.
The command is valid if and only if the user is a member of the USERS data set, the role is a member of the ROLES data set,
and the user is assigned to the role. Any sessions that currently have this role activated will not be effected.
Successful completion includes:
User entity in USER data set has role assignment removed.
Role entity in ROLE data set has userId removed as role occupant.
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
out_user = userdao.read(user)
for constraint in out_user.role_constraints:
if constraint.name == role.name:
found = True
userdao.deassign(user, constraint)
try:
roledao.remove_member(role, user.uid)
except RbacError as e:
if e.id != global_ids.URLE_ASSIGN_NOT_EXIST:
raise RbacError(msg=e.msg, id=e.id)
else:
logger.warn('admin.deassign remove member failed because not occupant. user:'******', role:' + role.name)
if not found:
raise RbacError(msg='Role deassign failed constraint not found', id=global_ids.URLE_DEASSIGN_FAILED)
def assign(user, role):
"""
This command assigns a user to a role.
The command is valid if and only if:
The user is a member of the USERS data set
The role is a member of the ROLES data set
The user is not already assigned to the role
required parameters:
user.uid - existing user.
role.name - existing role.
"""
utils.validate_user(user)
utils.validate_role(role)
entity = roledao.read(role)
# LDAP doesn't do well with sub-string indexes which is why the role assignments are stored within two separate multi-occurring attributes on the user entry -- roles' and 'role_constraints'.
# The first, is a set of role names (only), and will be indexed for fast search.
# the second, is a set of delimited strings containing the role name (once again) plus its associated temporal values.
userdao.assign(user, entity.constraint)
# Fortress user-role assignments also keep member association on the role itself.
# The rationale for these assignments also stored on role is two-fold:
# 1. works with traditional LDAP group-based authZ mechanisms
# 2. makes role-users search query more efficient, as its stored on single entry.
roledao.add_member(entity, user.uid)
def read_user(user):
"""
Method returns matching User entity that is contained within the people container in the directory.
required parameters:
user.uid - maps to INetOrgPerson uid
return:
User
"""
utils.validate_user(user)
return userdao.read(user)
def user_perms(user):
"""
This function returns the set of permissions a given user gets through his/her authorized roles. The function is valid if and only if the user is a member of the USERS data set.
required parameters:
user.uid - maps to INetOrgPerson uid
return:
Perm list
"""
utils.validate_user(user)
usr = userdao.read(user)
return permdao.search_on_roles(usr.roles)
def assigned_roles(user):
"""
This function returns the set of roles assigned to a given user. The function is valid if and only if the user is a member of the USERS data set.
required parameters:
user.uid - maps to existing user
return:
Constraint list
"""
utils.validate_user(user)
usr = userdao.read(user)
return usr.role_constraints
def find_users(user):
"""
Return a list of type User of all users in the people container that match all or part of the User.userId field passed in User entity.
required parameters:
user.uid - maps to existing user, can be partial with wildcard on end - *
optional parameters:
user.ou - maps to attribute assignment, can be partial with wildcard on end - *.
return:
User list
"""
utils.validate_user(user)
return userdao.search(user)
def add_user(user):
"""
This command creates a new RBAC user. The command is valid only if the new user is not already a member of the USERS data set.
The USER data set is updated. The new user does not own any session at the time of its creation.
required parameters:
user.uid - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
user.constraint.name - just a label, i.e. uid
user.constraint.timeout - 99 - set the integer timeout that contains max time (in minutes) that entity may remain inactive.
user.constraint.begin_date - YYYYMMDD - determines date when user may be activated.
user.constraint.end_date - YYMMDD - indicates latest date user may be activated.
user.constraint.begin_lock_date - YYYYMMDD - determines beginning of enforced inactive status
user.constraint.end_lock_date - YYMMDD - determines end of enforced inactive status.
user.constraint.begin_time - HHMM - determines begin hour user may be activated.
user.constraint.end_time - user.role.constraints.end_time - HHMM - determines end hour user may be activated.
user.constraint.day_mask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week user may be activated.
user.props - multi-occurring name:value pairs
user.pw_policy - slapd pwpolicy
standard iNetOrgPerson attrs, more info here: https://tools.ietf.org/html/rfc2798:
user.ou
user.cn
user.sn
user.dn
user.description
user.display_name
user.employee_type
user.title
user.phones
user.mobiles
user.emails
user.department_number
user.l
user.physical_delivery_office_name
user.postal_code
user.room_number
"""
utils.validate_user(user)
return userdao.create(user)
def update_user(user):
"""
This method performs an update on User entity in directory. Prior to making this call the entity must exist in directory.
required parameters:
user.uid - maps to INetOrgPerson uid
optional parameters Temporal constraints may be associated with ftUserAttrs aux object class based on:
user.constraint.name - just a label, i.e. uid
user.constraint.timeout - 99 - set the integer timeout that contains max time (in minutes) that entity may remain inactive.
user.constraint.begin_date - YYYYMMDD - determines date when user may be activated.
user.constraint.end_date - YYMMDD - indicates latest date user may be activated.
user.constraint.begin_lock_date - YYYYMMDD - determines beginning of enforced inactive status
user.constraint.end_lock_date - YYMMDD - determines end of enforced inactive status.
user.constraint.begin_time - HHMM - determines begin hour user may be activated.
user.constraint.end_time - user.role.constraints.end_time - HHMM - determines end hour user may be activated.
user.constraint.day_mask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week user may be activated.
user.props - multi-occurring name:value pairs
user.pw_policy - slapd pwpolicy
standard iNetOrgPerson attrs, more info here: https://tools.ietf.org/html/rfc2798
user.ou
user.cn
user.sn
user.dn
user.description
user.display_name
user.employee_type
user.title
user.phones
user.mobiles
user.emails
user.department_number
user.l
user.physical_delivery_office_name
user.postal_code
user.room_number
"""
utils.validate_user(user)
return userdao.update(user)
