def test_public_key(session, users, http_client, base_url):
    user = users['*****@*****.**']
    assert not get_public_keys_of_user(session, user.id)

    # add it
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': SSH_KEY_1}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1
    assert keys[0].fingerprint == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
    assert keys[0].fingerprint_sha256 == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
    assert keys[0].comment == 'some-comment'

    # delete it
    fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
    resp = yield http_client.fetch(fe_url, method="POST", body='',
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    assert not get_public_keys_of_user(session, user.id)
Exemple #2
0
def test_user_public_key(make_session, session, users):
    make_session.return_value = session

    # good key
    username = '******'
    good_key = (
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
        'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
        'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
        'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
        '371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
        'gh/ some-comment')
    call_main('user', 'add_public_key', username, good_key)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == good_key

    # bad key
    username = '******'
    bad_key = 'ssh-rsa AAAblahblahkey some-comment'
    call_main('user', 'add_public_key', username, good_key)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == good_key
def test_sa_pubkeys(session, users, http_client, base_url):
    user = users['*****@*****.**']

    # Add account
    create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')

    u = User.get(session, name="*****@*****.**")
    g = Group.get(session, name="*****@*****.**")

    assert u is not None
    assert g is not None
    assert is_role_user(session, user=u)
    assert is_role_user(session, group=g)
    assert get_role_user(session, user=u).group.id == g.id
    assert get_role_user(session, group=g).user.id == u.id
    assert not is_role_user(session, user=user)
    assert not is_role_user(session, group=Group.get(session, name="team-sre"))

    assert not get_public_keys_of_user(session, user.id)

    with pytest.raises(HTTPError):
        # add it
        fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'public_key': SSH_KEY_1}),
                headers={'X-Grouper-User': "******"})

    # add it
    fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': SSH_KEY_1}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # add bad key -- shouldn't add
    fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': SSH_KEY_BAD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    sa = User.get(session, name="*****@*****.**")
    keys = get_public_keys_of_user(session, sa.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    with pytest.raises(HTTPError):
        # delete it
        fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
        resp = yield http_client.fetch(fe_url, method="POST", body='',
                headers={'X-Grouper-User': "******"})

    # delete it
    fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
    resp = yield http_client.fetch(fe_url, method="POST", body='',
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    sa = User.get(session, name="*****@*****.**")
    assert not get_public_keys_of_user(session, sa.id)
def test_public_key(session, users, http_client, base_url):
    user = users['*****@*****.**']
    assert not get_public_keys_of_user(session, user.id)

    # add it
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': SSH_KEY_1}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1
    assert keys[
        0].fingerprint == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
    assert keys[
        0].fingerprint_sha256 == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
    assert keys[0].comment == 'some-comment'

    # delete it
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body='',
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    assert not get_public_keys_of_user(session, user.id)
Exemple #5
0
def test_add_service_account(session, users, http_client, base_url):
    user = users['*****@*****.**']

    # Add account
    fe_url = url(base_url, '/service/create')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    assert User.get(session, name="*****@*****.**") is None
    assert Group.get(session, name="*****@*****.**") is None

    # Add account
    fe_url = url(base_url, '/service/create')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    u = User.get(session, name="*****@*****.**")
    g = Group.get(session, name="*****@*****.**")

    assert u is not None
    assert g is not None
    assert is_service_account(session, user=u)
    assert is_service_account(session, group=g)
    assert get_service_account(session, user=u).group.id == g.id
    assert get_service_account(session, group=g).user.id == u.id
    assert not is_service_account(session, user=user)
    assert not is_service_account(session, group=Group.get(session, name="team-sre"))
Exemple #6
0
def test_user_status_changes(session, tmpdir, users, groups):  # noqa: F811
    username = "******"
    groupname = "team-sre"

    # add user to a group
    call_main(session, tmpdir, "group", "add_member", "--member", groupname, username)

    # disable the account
    call_main(session, tmpdir, "user", "disable", username)
    assert not User.get(session, name=username).enabled

    # double disabling is a no-op
    call_main(session, tmpdir, "user", "disable", username)
    assert not User.get(session, name=username).enabled

    # re-enable the account, preserving memberships
    call_main(session, tmpdir, "user", "enable", "--preserve-membership", username)
    assert User.get(session, name=username).enabled
    assert (u"User", username) in groups[groupname].my_members()

    # enabling an active account is a no-op
    call_main(session, tmpdir, "user", "enable", username)
    assert User.get(session, name=username).enabled

    # disable and re-enable without the --preserve-membership flag
    call_main(session, tmpdir, "user", "disable", username)
    call_main(session, tmpdir, "user", "enable", username)
    assert User.get(session, name=username).enabled
    assert (u"User", username) not in groups[groupname].my_members()
def test_public_key_admin(session, users, http_client, base_url):
    user = users['*****@*****.**']
    assert not get_public_keys_of_user(session, user.id)

    # add it
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': SSH_KEY_1}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # have an admin delete it
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body='',
        headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    user = User.get(session, name=user.username)
    assert not get_public_keys_of_user(session, user.id)
Exemple #8
0
def test_user_status_changes(make_user_session, make_group_session, session,
                             users, groups):
    make_user_session.return_value = session
    make_group_session.return_value = session

    username = '******'
    groupname = 'team-sre'

    # add user to a group
    call_main('group', 'add_member', '--member', groupname, username)

    # disable the account
    call_main('user', 'disable', username)
    assert not User.get(session, name=username).enabled

    # double disabling is a no-op
    call_main('user', 'disable', username)
    assert not User.get(session, name=username).enabled

    # re-enable the account, preserving memberships
    call_main('user', 'enable', '--preserve-membership', username)
    assert User.get(session, name=username).enabled
    assert (u'User', username) in groups[groupname].my_members()

    # enabling an active account is a no-op
    call_main('user', 'enable', username)
    assert User.get(session, name=username).enabled

    # disable and re-enable without the --preserve-membership flag
    call_main('user', 'disable', username)
    call_main('user', 'enable', username)
    assert User.get(session, name=username).enabled
    assert (u'User', username) not in groups[groupname].my_members()
Exemple #9
0
def test_user_create(make_session, session, users):
    make_session.return_value = session

    # simple
    username = '******'
    call_main('user', 'create', username)
    assert User.get(session,
                    name=username), 'non-existent user should be created'

    # check username
    bad_username = '******'
    call_main('user', 'create', bad_username)
    assert not User.get(session,
                        name=bad_username), 'bad user should not be created'

    # bulk
    usernames = ['*****@*****.**', '*****@*****.**', '*****@*****.**']
    call_main('user', 'create', *usernames)
    users = [User.get(session, name=u) for u in usernames]
    assert all(users), 'all users created'

    usernames_with_one_bad = ['*****@*****.**', '*****@*****.**', 'not_valid_user']
    call_main('user', 'create', *usernames_with_one_bad)
    users = [User.get(session, name=u) for u in usernames_with_one_bad]
    assert not any(users), 'one bad seed means no users created'
Exemple #10
0
def test_add_service_account(session, users, http_client, base_url):
    user = users['*****@*****.**']

    # Add account
    fe_url = url(base_url, '/service/create')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    assert User.get(session, name="*****@*****.**") is None
    assert Group.get(session, name="*****@*****.**") is None

    # Add account
    fe_url = url(base_url, '/service/create')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    u = User.get(session, name="*****@*****.**")
    g = Group.get(session, name="*****@*****.**")

    assert u is not None
    assert g is not None
    assert is_service_account(session, user=u)
    assert is_service_account(session, group=g)
    assert get_service_account(session, user=u).group.id == g.id
    assert get_service_account(session, group=g).user.id == u.id
    assert not is_service_account(session, user=user)
    assert not is_service_account(session, group=Group.get(session, name="team-sre"))
Exemple #11
0
def test_user_create(make_session, session, users):  # noqa: F811
    make_session.return_value = session

    # simple
    username = "******"
    call_main(session, "user", "create", username)
    assert User.get(session,
                    name=username), "non-existent user should be created"

    # check username
    bad_username = "******"
    call_main(session, "user", "create", bad_username)
    assert not User.get(session,
                        name=bad_username), "bad user should not be created"

    # bulk
    usernames = ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
    call_main(session, "user", "create", *usernames)
    users = [User.get(session, name=u) for u in usernames]
    assert all(users), "all users created"

    usernames_with_one_bad = ["*****@*****.**", "*****@*****.**", "not_valid_user"]
    call_main(session, "user", "create", *usernames_with_one_bad)
    users = [User.get(session, name=u) for u in usernames_with_one_bad]
    assert not any(users), "one bad seed means no users created"
Exemple #12
0
def test_user_status_changes(session, tmpdir, users, groups):  # noqa: F811
    username = "******"
    groupname = "team-sre"

    # add user to a group
    call_main(session, tmpdir, "group", "add_member", "--member", groupname,
              username)

    # disable the account
    call_main(session, tmpdir, "user", "disable", username)
    assert not User.get(session, name=username).enabled

    # double disabling is a no-op
    call_main(session, tmpdir, "user", "disable", username)
    assert not User.get(session, name=username).enabled

    # re-enable the account, preserving memberships
    call_main(session, tmpdir, "user", "enable", "--preserve-membership",
              username)
    assert User.get(session, name=username).enabled
    assert (u"User", username) in groups[groupname].my_members()

    # enabling an active account is a no-op
    call_main(session, tmpdir, "user", "enable", username)
    assert User.get(session, name=username).enabled

    # disable and re-enable without the --preserve-membership flag
    call_main(session, tmpdir, "user", "disable", username)
    call_main(session, tmpdir, "user", "enable", username)
    assert User.get(session, name=username).enabled
    assert (u"User", username) not in groups[groupname].my_members()
Exemple #13
0
def test_user_public_key(make_session, session, users):
    make_session.return_value = session

    # good key
    username = '******'
    good_key = ('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
            'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
            'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
            'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
            '371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
            'gh/ some-comment')
    call_main('user', 'add_public_key', username, good_key)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == good_key

    # bad key
    username = '******'
    bad_key = 'ssh-rsa AAAblahblahkey some-comment'
    call_main('user', 'add_public_key', username, good_key)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == good_key
Exemple #14
0
def test_public_key_admin(session, users, http_client, base_url):  # noqa: F811
    user = users["*****@*****.**"]
    assert not get_public_keys_of_user(session, user.id)

    # add it
    fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"public_key": SSH_KEY_1}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # have an admin delete it
    fe_url = url(base_url, "/users/{}/public-key/{}/delete".format(user.username, keys[0].id))
    resp = yield http_client.fetch(
        fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)
    assert not get_public_keys_of_user(session, user.id)
Exemple #15
0
def test_public_key(session, users, http_client, base_url):  # noqa: F811
    user = users["*****@*****.**"]
    assert not get_public_keys_of_user(session, user.id)

    # add it
    fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"public_key": SSH_KEY_ED25519}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_ED25519
    assert keys[0].fingerprint == "fa:d9:ca:40:bd:f7:64:37:a7:99:3a:8e:50:8a:c5:94"
    assert keys[0].fingerprint_sha256 == "ExrCZ0nqSJv+LqAEh8CWeKUxiAeZA+N0bKC18dK7Adg"
    assert keys[0].comment == "comment"

    # delete it
    fe_url = url(base_url, "/users/{}/public-key/{}/delete".format(user.username, keys[0].id))
    resp = yield http_client.fetch(
        fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)
    assert not get_public_keys_of_user(session, user.id)
Exemple #16
0
def test_user_status_changes(make_user_session, make_group_session, session, users, groups):
    make_user_session.return_value = session
    make_group_session.return_value = session

    username = '******'
    groupname = 'team-sre'

    # add user to a group
    call_main('group', 'add_member', '--member', groupname, username)

    # disable the account
    call_main('user', 'disable', username)
    assert not User.get(session, name=username).enabled

    # double disabling is a no-op
    call_main('user', 'disable', username)
    assert not User.get(session, name=username).enabled

    # re-enable the account, preserving memberships
    call_main('user', 'enable', '--preserve-membership', username)
    assert User.get(session, name=username).enabled
    assert (u'User', username) in groups[groupname].my_members()

    # enabling an active account is a no-op
    call_main('user', 'enable', username)
    assert User.get(session, name=username).enabled

    # disable and re-enable without the --preserve-membership flag
    call_main('user', 'disable', username)
    call_main('user', 'enable', username)
    assert User.get(session, name=username).enabled
    assert (u'User', username) not in groups[groupname].my_members()
Exemple #17
0
def test_success_set_initial_metadata(setup):
    # type: (SetupTest) -> None
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")

    initial_metadata = {"test-item-1": "foo", "test-item-2": "bar"}

    mock_ui = MagicMock()
    usecase = setup.usecase_factory.create_create_service_account_usecase(
        "*****@*****.**", mock_ui)
    usecase.create_service_account("*****@*****.**", "some-group",
                                   "machine-set", "description",
                                   initial_metadata)

    user = User.get(setup.session, name="*****@*****.**")
    assert user is not None
    metadata_items = get_user_metadata(setup.session, user.id)
    actual_items = {mi.data_key: mi.data_value for mi in metadata_items}
    assert len(initial_metadata) == len(actual_items)
    for key, value in initial_metadata.items():
        assert key in actual_items
        assert initial_metadata[key] == actual_items[key]

    usecase = setup.usecase_factory.create_create_service_account_usecase(
        "*****@*****.**", mock_ui)
    usecase.create_service_account("*****@*****.**",
                                   "some-group", "machine-set", "description")
    user = User.get(setup.session, name="*****@*****.**")
    assert user is not None
    metadata_items = get_user_metadata(setup.session, user.id)
    assert metadata_items == []
Exemple #18
0
def test_shell(session, users, http_client, base_url):
    with patch('grouper.fe.handlers.user_shell.settings') as mock_settings:
        mock_settings.shell = [['/bin/bash', 'bash'], ['/bin/zsh', 'zsh']]

        user = users['*****@*****.**']
        assert not get_user_metadata_by_key(session, user.id,
                                            USER_METADATA_SHELL_KEY)

        user = User.get(session, name=user.username)
        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body=urlencode({'shell': "/bin/bash"}),
            headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert (get_user_metadata_by_key(
            session, user.id,
            USER_METADATA_SHELL_KEY).data_value == "/bin/bash")

        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body=urlencode({'shell': "/bin/fish"}),
            headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert get_user_metadata_by_key(
            session, user.id,
            USER_METADATA_SHELL_KEY).data_value == "/bin/bash"

        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body=urlencode({'shell': "/bin/zsh"}),
            headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert (get_user_metadata_by_key(
            session, user.id,
            USER_METADATA_SHELL_KEY).data_value == "/bin/zsh")
Exemple #19
0
def test_shell(session, users, http_client, base_url):  # noqa: F811
    settings().shell = [["/bin/bash", "bash"], ["/bin/zsh", "zsh"]]

    user = users["*****@*****.**"]
    assert not get_user_metadata_by_key(session, user.id,
                                        USER_METADATA_SHELL_KEY)

    user = User.get(session, name=user.username)
    fe_url = url(base_url, "/users/{}/shell".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"shell": "/bin/bash"}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)

    assert (get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
            is not None), "The user should have shell metadata"
    assert (get_user_metadata_by_key(
        session, user.id, USER_METADATA_SHELL_KEY).data_value == "/bin/bash")

    fe_url = url(base_url, "/users/{}/shell".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"shell": "/bin/fish"}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)

    assert (get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
            is not None), "The user should have shell metadata"
    assert (get_user_metadata_by_key(
        session, user.id, USER_METADATA_SHELL_KEY).data_value == "/bin/bash")

    fe_url = url(base_url, "/users/{}/shell".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"shell": "/bin/zsh"}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = User.get(session, name=user.username)

    assert (get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
            is not None), "The user should have shell metadata"
    assert (get_user_metadata_by_key(
        session, user.id, USER_METADATA_SHELL_KEY).data_value == "/bin/zsh")
Exemple #20
0
def action_permission_requests(setup: SetupTest) -> None:
    """Action (approve) the perm.hasgranter request, cancel (deny) the perm.nogranter request."""
    granting_user = User.get(setup.session, name="*****@*****.**")
    assert granting_user
    admin_user = User.get(setup.session, name="*****@*****.**")
    assert admin_user

    with setup.transaction():
        all_requests = setup.session.query(PermissionRequest)
        for request in all_requests:
            if request.status == "pending" and request.permission.name == "perm.hasgranter":
                update_request(setup.session, request, granting_user, "actioned", "reasons")
            if request.status == "pending" and request.permission.name == "perm.nogranter":
                update_request(setup.session, request, admin_user, "cancelled", "reasons")
Exemple #21
0
 def create_user(self, name):
     # type: (str) -> None
     """Create a user, does nothing if it already exists."""
     if User.get(self.session, name=name):
         return
     user = User(username=name)
     user.add(self.session)
Exemple #22
0
    def post(self, user_id=None, name=None):

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        try:
            if user.role_user:
                disable_role_user(self.session, user=user)
            else:
                disable_user(self.session, user)
        except PluginRejectedDisablingUser as e:
            alert = Alert("danger", str(e))
            return self.redirect("/users/{}".format(user.name), alerts=[alert])

        self.session.commit()

        AuditLog.log(self.session,
                     self.current_user.id,
                     'disable_user',
                     'Disabled user.',
                     on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #23
0
def service_account_command(args, settings, session_factory):
    # type: (Namespace, CtlSettings, SessionFactory) -> None
    session = session_factory.create_session()
    actor_user = User.get(session, name=args.actor_name)
    if not actor_user:
        logging.fatal('Actor user "{}" is not a valid Grouper user'.format(
            args.actor_name))
        return

    if args.subcommand == "create":
        name = args.name
        if ServiceAccount.get(session, name=name):
            logging.info("{}: Already exists. Doing nothing.".format(name))
            return
        owner_group = Group.get(session, name=args.owner_group)
        if not owner_group:
            logging.fatal('Owner group "{}" does not exist.'.format(
                args.owner_group))
            return
        logging.info("{}: No such service account, creating...".format(name))
        description = args.description
        machine_set = args.machine_set
        create_service_account(session, actor_user, name, description,
                               machine_set, owner_group)
        return
Exemple #24
0
def notify_nonauditor_flagged(settings, session, edge):
    """Send notification that a nonauditor in an audited group has had their membership
    set to expire.

    Handles email notification and audit logging.

    Args:
        settings (Settings): Grouper Settings object for current run.
        session (Session): Object for db session.
        edge (GroupEdge): The expiring edge.
    """
    # Pull data about the edge and the affected user
    group_name = edge.group.name
    assert OBJ_TYPES_IDX[edge.member_type] == "User"
    user = User.get(session, pk=edge.member_pk)
    member_name = user.username
    recipients = [member_name]

    audit_data = {
        "action": "nonauditor_flagged",
        "actor_id": user.id,
        "description": "Flagged {} as nonauditor approver in audited group".format(member_name),
    }
    AuditLog.log(session, on_user_id=user.id, on_group_id=edge.group_id, **audit_data)

    email_context = {"group_name": group_name, "member_name": member_name}
    send_email(
        session=session,
        recipients=recipients,
        subject="Membership in {} set to expire".format(group_name),
        template="nonauditor",
        settings=settings,
        context=email_context,
    )
Exemple #25
0
    def post(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserShellForm(self.request.arguments)
        form.shell.choices = settings.shell
        if not form.validate():
            return self.render(
                "user-shell.html", form=form, user=user,
                alerts=self.get_form_alerts(form.errors),
            )

        user.set_metadata(USER_METADATA_SHELL_KEY, form.data["shell"])
        user.add(self.session)
        self.session.commit()

        AuditLog.log(self.session, self.current_user.id, 'changed_shell',
                     'Changed shell: {}'.format(form.data["shell"]),
                     on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #26
0
    def post(self, *args, **kwargs):
        # type: (*Any, **Any) -> None
        user_id = kwargs.get("user_id")  # type: Optional[int]
        name = kwargs.get("name")  # type: Optional[str]

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserGitHubForm(self.request.arguments)
        if not form.validate():
            return self.render(
                "user-github.html", form=form, user=user, alerts=self.get_form_alerts(form.errors)
            )

        new_username = form.data["username"]
        if new_username == "":
            new_username = None
        set_user_metadata(self.session, user.id, USER_METADATA_GITHUB_USERNAME_KEY, new_username)

        AuditLog.log(
            self.session,
            self.current_user.id,
            "changed_github_username",
            "Changed GitHub username: {}".format(form.data["username"]),
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #27
0
    def post(self):
        supplied_token = self.get_body_argument("token")
        match = TokenValidate.validator.match(supplied_token)
        if not match:
            return self.error(((1, "Token format not recognized"),))

        sess = Session()

        token_name = match.group("token_name")
        token_secret = match.group("token_secret")
        owner = User.get(sess, name=match.group("name"))

        token = UserToken.get(sess, owner, token_name)
        if token is None:
            return self.error(((2, "Token specified does not exist"),))
        if not token.enabled:
            return self.error(((3, "Token is disabled"),))
        if not token.check_secret(token_secret):
            return self.error(((4, "Token secret mismatch"),))

        return self.success({
            "owner": owner.username,
            "identity": str(token),
            "act_as_owner": True,
            "valid": True,
        })
    def post(self, user_id=None, name=None, key_id=None, tag_id=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        try:
            key = get_public_key(self.session, user.id, key_id)
        except KeyNotFound:
            return self.notfound()

        tag = PublicKeyTag.get(self.session, id=tag_id)

        if not tag:
            return self.notfound()

        try:
            remove_tag_from_public_key(self.session, key, tag)
        except TagNotOnKey:
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        AuditLog.log(
            self.session,
            self.current_user.id,
            "untag_public_key",
            "Untagged public key: {}".format(key.fingerprint_sha256),
            on_tag_id=tag.id,
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #29
0
    def cancel_user_request(self, user_request, reason, authorization):
        # type: (UserGroupRequest, str, Authorization) -> None
        now = datetime.utcnow()
        request = Request.get(self.session, id=user_request.id)
        if not request:
            raise UserGroupRequestNotFoundException(request)
        actor = User.get(self.session, name=authorization.actor)
        if not actor:
            raise UserNotFoundException(authorization.actor)

        request_status_change = RequestStatusChange(
            request=request,
            user_id=actor.id,
            from_status=request.status,
            to_status="cancelled",
            change_at=now,
        ).add(self.session)

        request.status = "cancelled"
        self.session.flush()

        Comment(
            obj_type=OBJ_TYPES["RequestStatusChange"],
            obj_pk=request_status_change.id,
            user_id=actor.id,
            comment=reason,
            created_on=now,
        ).add(self.session)
def test_user_public_key(make_session, session, users):
    make_session.return_value = session

    # good key
    username = '******'
    call_main('user', 'add_public_key', username, SSH_KEY_1)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # duplicate key
    call_main('user', 'add_public_key', username, SSH_KEY_1)

    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # bad key
    call_main('user', 'add_public_key', username, SSH_KEY_BAD)

    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1
Exemple #31
0
    def role(self, role):
        prev_role = self._role
        self._role = GROUP_EDGE_ROLES.index(role)

        # Groups should always "member".
        if not (OBJ_TYPES_IDX[self.member_type] == "User"):
            return

        # If ownership status is unchanged, no notices need to be adjusted.
        if (self._role in OWNER_ROLE_INDICES) == (prev_role in OWNER_ROLE_INDICES):
            return

        recipient = User.get(self.session, pk=self.member_pk).username
        expiring_supergroups = self.group.my_expiring_groups()
        member_name = self.group.name

        if role in ["owner", "np-owner"]:
            # We're creating a new owner, who should find out when this group
            # they now own loses its membership in larger groups.
            for supergroup_name, expiration in expiring_supergroups:
                AsyncNotification.add_expiration(self.session,
                                                 expiration,
                                                 group_name=supergroup_name,
                                                 member_name=member_name,
                                                 recipients=[recipient],
                                                 member_is_user=False)
        else:
            # We're removing an owner, who should no longer find out when this
            # group they no longer own loses its membership in larger groups.
            for supergroup_name, _ in expiring_supergroups:
                AsyncNotification.cancel_expiration(self.session,
                                                    group_name=supergroup_name,
                                                    member_name=member_name,
                                                    recipients=[recipient])
Exemple #32
0
    def post(self, *args, **kwargs):
        # type: (*Any, **Any) -> None
        user_id = kwargs.get("user_id")  # type: Optional[int]
        name = kwargs.get("name")  # type: Optional[str]

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserShellForm(self.request.arguments)
        form.shell.choices = settings().shell
        if not form.validate():
            return self.render(
                "user-shell.html", form=form, user=user, alerts=self.get_form_alerts(form.errors)
            )

        set_user_metadata(self.session, user.id, USER_METADATA_SHELL_KEY, form.data["shell"])

        AuditLog.log(
            self.session,
            self.current_user.id,
            "changed_shell",
            "Changed shell: {}".format(form.data["shell"]),
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #33
0
    def post(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserEnableForm(self.request.arguments)
        if not form.validate():
            # TODO: add error message
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        if user.role_user:
            enable_service_account(self.session, actor=self.current_user,
                preserve_membership=form.preserve_membership.data, user=user)
        else:
            enable_user(self.session, user, self.current_user,
                preserve_membership=form.preserve_membership.data)

        self.session.commit()

        AuditLog.log(self.session, self.current_user.id, 'enable_user',
                     'Enabled user.', on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #34
0
 def create_user(self, name):
     # type: (str) -> None
     """Create a user, does nothing if it already exists."""
     if User.get(self.session, name=name):
         return
     user = User(username=name)
     user.add(self.session)
    def role(self, role):
        prev_role = self._role
        self._role = GROUP_EDGE_ROLES.index(role)

        # Groups should always "member".
        if not (OBJ_TYPES_IDX[self.member_type] == "User"):
            return

        # If ownership status is unchanged, no notices need to be adjusted.
        if (self._role in OWNER_ROLE_INDICES) == (prev_role in OWNER_ROLE_INDICES):
            return

        recipient = User.get(self.session, pk=self.member_pk).username
        expiring_supergroups = self.group.my_expiring_groups()
        member_name = self.group.name

        if role in ["owner", "np-owner"]:
            # We're creating a new owner, who should find out when this group
            # they now own loses its membership in larger groups.
            for supergroup_name, expiration in expiring_supergroups:
                AsyncNotification.add_expiration(self.session,
                                                 expiration,
                                                 group_name=supergroup_name,
                                                 member_name=member_name,
                                                 recipients=[recipient],
                                                 member_is_user=False)
        else:
            # We're removing an owner, who should no longer find out when this
            # group they no longer own loses its membership in larger groups.
            for supergroup_name, _ in expiring_supergroups:
                AsyncNotification.cancel_expiration(self.session,
                                                    group_name=supergroup_name,
                                                    member_name=member_name,
                                                    recipients=[recipient])
Exemple #36
0
    def get(self, user_id=None, name=None):
        self.handle_refresh()

        user = User.get(self.session, user_id, name)

        if not user:
            return self.notfound()

        if user.role_user:
            return self.redirect("/service/{}".format(user_id or name))

        if user.is_service_account:
            service_account = user.service_account
            if service_account.owner:
                return self.redirect("/groups/{}/service/{}".format(
                    service_account.owner.group.name, user.username))
            else:
                self.render("service-account.html",
                            service_account=service_account,
                            group=None,
                            user=user,
                            **get_user_view_template_vars(
                                self.session, self.current_user, user,
                                self.graph))
                return

        self.render("user.html",
                    user=user,
                    **get_user_view_template_vars(self.session,
                                                  self.current_user, user,
                                                  self.graph))
Exemple #37
0
    def post(self):
        supplied_token = self.get_body_argument("token")
        match = TokenValidate.validator.match(supplied_token)
        if not match:
            return self.error(((1, "Token format not recognized"), ))

        sess = Session()

        token_name = match.group("token_name")
        token_secret = match.group("token_secret")
        owner = User.get(sess, name=match.group("name"))

        token = UserToken.get(sess, owner, token_name)
        if token is None:
            return self.error(((2, "Token specified does not exist"), ))
        if not token.enabled:
            return self.error(((3, "Token is disabled"), ))
        if not token.check_secret(token_secret):
            return self.error(((4, "Token secret mismatch"), ))

        return self.success({
            "owner": owner.username,
            "identity": str(token),
            "act_as_owner": True,
            "valid": True,
        })
Exemple #38
0
    def post(self, *args: Any, **kwargs: Any) -> None:
        name = self.get_path_argument("name")

        user = User.get(self.session, name=name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserShellForm(self.request.arguments)
        form.shell.choices = settings().shell
        if not form.validate():
            return self.render("user-shell.html",
                               form=form,
                               user=user,
                               alerts=self.get_form_alerts(form.errors))

        set_user_metadata(self.session, user.id, USER_METADATA_SHELL_KEY,
                          form.data["shell"])

        AuditLog.log(
            self.session,
            self.current_user.id,
            "changed_shell",
            "Changed shell: {}".format(form.data["shell"]),
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #39
0
    def get(self, *args: Any, **kwargs: Any) -> None:
        name = self.get_path_argument("name")

        self.handle_refresh()

        user = User.get(self.session, name=name)

        if not user:
            return self.notfound()

        if user.role_user:
            return self.redirect("/service/{}".format(name))

        if user.is_service_account:
            service_account = user.service_account
            if service_account.owner:
                return self.redirect("/groups/{}/service/{}".format(
                    service_account.owner.group.name, user.username))
            else:
                self.render("service-account.html",
                            service_account=service_account,
                            group=None,
                            user=user,
                            **get_user_view_template_vars(
                                self.session, self.current_user, user,
                                self.graph))
                return

        self.render("user.html",
                    user=user,
                    **get_user_view_template_vars(self.session,
                                                  self.current_user, user,
                                                  self.graph))
Exemple #40
0
    def post(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserEnableForm(self.request.arguments)
        if not form.validate():
            # TODO: add error message
            return self.redirect("/users/{}?refresh=yes".format(user.name))

        if user.role_user:
            enable_service_account(
                self.session,
                actor=self.current_user,
                preserve_membership=form.preserve_membership.data,
                user=user)
        else:
            enable_user(self.session,
                        user,
                        self.current_user,
                        preserve_membership=form.preserve_membership.data)

        self.session.commit()

        AuditLog.log(self.session,
                     self.current_user.id,
                     'enable_user',
                     'Enabled user.',
                     on_user_id=user.id)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #41
0
    def post(self, *args, **kwargs):
        # type: (*Any, **Any) -> None
        user_id = kwargs.get("user_id")  # type: Optional[int]
        name = kwargs.get("name")  # type: Optional[str]

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserGitHubForm(self.request.arguments)
        if not form.validate():
            return self.render("user-github.html",
                               form=form,
                               user=user,
                               alerts=self.get_form_alerts(form.errors))

        new_username = form.data["username"]
        if new_username == "":
            new_username = None
        set_user_metadata(self.session, user.id,
                          USER_METADATA_GITHUB_USERNAME_KEY, new_username)

        AuditLog.log(
            self.session,
            self.current_user.id,
            "changed_github_username",
            "Changed GitHub username: {}".format(form.data["username"]),
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #42
0
    def get(self, user_id=None, name=None):
        self.handle_refresh()

        user = User.get(self.session, user_id, name)

        if not user:
            return self.notfound()

        if user.role_user:
            return self.redirect("/service/{}".format(user_id or name))

        if user.is_service_account:
            service_account = user.service_account
            if service_account.owner:
                return self.redirect("/groups/{}/service/{}".format(
                    service_account.owner.group.name, user.username))
            else:
                self.render(
                    "service-account.html", service_account=service_account, group=None, user=user,
                    **get_user_view_template_vars(self.session, self.current_user, user, self.graph)
                )
                return

        self.render("user.html",
                    user=user,
                    **get_user_view_template_vars(self.session, self.current_user, user, self.graph)
                    )
Exemple #43
0
def get_role_user(session, user=None, group=None):
    # type: (Session, User, Group) -> RoleUser
    """
    Takes in a User or a Group and returns a dictionary that contains
    all of the service account components for the service account that
    the user/group is part of.

    Args:
        session: the database session
        user: a User object to check
        group: a Group object to check

    Throws:
        RoleUserNotFound: if the user or group is not part of a service account

    Returns:
        a dictionary with all components of the service account of the
            user or group passed in
    """
    if not is_role_user(session, user, group):
        raise RoleUserNotFound()

    if user:
        name = user.name
    else:
        assert group is not None
        name = group.name
    return RoleUser(User.get(session, name=name), Group.get(session, name=name))
    def permission_grants_for_user(self, name):
        # type: (str) -> List[GroupPermissionGrant]
        """Return all permission grants a user has from whatever source.

        TODO(rra): Currently does not expand permission aliases, and therefore doesn't match the
        graph behavior.  Use with caution until that is fixed.
        """
        now = datetime.utcnow()
        user = User.get(self.session, name=name)
        if not user or user.role_user or user.is_service_account or not user.enabled:
            return []

        # Get the groups of which this user is a direct member.
        groups = (self.session.query(Group.id).join(
            GroupEdge, Group.id == GroupEdge.group_id).join(
                User, User.id == GroupEdge.member_pk).filter(
                    Group.enabled == True,
                    User.id == user.id,
                    GroupEdge.active == True,
                    GroupEdge.member_type == OBJ_TYPES["User"],
                    GroupEdge._role != GROUP_EDGE_ROLES.index("np-owner"),
                    or_(GroupEdge.expiration > now,
                        GroupEdge.expiration == None),
                ).distinct())
        group_ids = [g.id for g in groups]

        # If the user was not a member of any group, we can return early.
        if not group_ids:
            return []

        # Now, return all the permission grants for those groups.
        return self._permission_grants_for_group_ids(group_ids)
Exemple #45
0
def is_role_user(session, user=None, group=None):
    # type: (Session, User, Group) -> bool
    """
    Takes in a User or a Group and returns a boolean indicating whether
    that User/Group is a component of a service account.

    Args:
        session: the database session
        user: a User object to check
        group: a Group object to check

    Throws:
        AssertionError if neither a user nor a group is provided

    Returns:
        whether the User/Group is a component of a service account
    """
    if user is not None:
        return user.role_user

    assert group is not None
    user = User.get(session, name=group.groupname)
    if not user:
        return False

    return user.role_user
Exemple #46
0
    def post(self, user_id=None, name=None, key_id=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        try:
            key = get_public_key(self.session, user.id, key_id)
            delete_public_key(self.session, user.id, key_id)
        except KeyNotFound:
            return self.notfound()

        AuditLog.log(self.session, self.current_user.id, 'delete_public_key',
                     'Deleted public key: {}'.format(key.fingerprint),
                     on_user_id=user.id)

        email_context = {
                "actioner": self.current_user.name,
                "changed_user": user.name,
                "action": "removed",
                }
        send_email(self.session, [user.name], 'Public SSH key removed', 'ssh_keys_changed',
                settings, email_context)

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #47
0
def is_role_user(session, user=None, group=None):
    # type: (Session, User, Group) -> bool
    """
    Takes in a User or a Group and returns a boolean indicating whether
    that User/Group is a component of a service account.

    Args:
        session: the database session
        user: a User object to check
        group: a Group object to check

    Throws:
        AssertionError if neither a user nor a group is provided

    Returns:
        whether the User/Group is a component of a service account
    """
    if user is not None:
        return user.role_user

    assert group is not None
    user = User.get(session, name=group.groupname)
    if not user:
        return False

    return user.role_user
Exemple #48
0
def get_role_user(session, user=None, group=None):
    # type: (Session, User, Group) -> RoleUser
    """
    Takes in a User or a Group and returns a dictionary that contains
    all of the service account components for the service account that
    the user/group is part of.

    Args:
        session: the database session
        user: a User object to check
        group: a Group object to check

    Throws:
        RoleUserNotFound: if the user or group is not part of a service account

    Returns:
        a dictionary with all components of the service account of the
            user or group passed in
    """
    if not is_role_user(session, user, group):
        raise RoleUserNotFound()

    if user:
        name = user.name
    else:
        assert group is not None
        name = group.name
    user_obj = User.get(session, name=name)
    assert user_obj, "User object for role user not found"
    group_obj = Group.get(session, name=name)
    assert group_obj, "Group object for role user not found"
    return RoleUser(user_obj, group_obj)
Exemple #49
0
def test_user_public_key(make_session, session, users):  # noqa: F811
    make_session.return_value = session

    # good key
    username = "******"
    call_main(session, "user", "add_public_key", username, SSH_KEY_1)

    user = User.get(session, name=username)
    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # duplicate key
    call_main(session, "user", "add_public_key", username, SSH_KEY_1)

    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1

    # bad key
    call_main(session, "user", "add_public_key", username, SSH_KEY_BAD)

    keys = get_public_keys_of_user(session, user.id)
    assert len(keys) == 1
    assert keys[0].public_key == SSH_KEY_1
Exemple #50
0
    def post(self, user_id=None, name=None):

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        try:
            if user.role_user:
                disable_role_user(self.session, user=user)
            else:
                disable_user(self.session, user)
        except PluginRejectedDisablingUser as e:
            alert = Alert("danger", str(e))
            return self.redirect("/users/{}".format(user.name), alerts=[alert])

        self.session.commit()

        AuditLog.log(
            self.session,
            self.current_user.id,
            "disable_user",
            "Disabled user.",
            on_user_id=user.id,
        )

        return self.redirect("/users/{}?refresh=yes".format(user.name))
Exemple #51
0
    def cancel_user_request(self, user_request, reason, authorization):
        # type: (UserGroupRequest, str, Authorization) -> None
        now = datetime.utcnow()
        request = Request.get(self.session, id=user_request.id)
        if not request:
            raise UserGroupRequestNotFoundException(request)
        actor = User.get(self.session, name=authorization.actor)
        if not actor:
            raise UserNotFoundException(authorization.actor)

        request_status_change = RequestStatusChange(
            request=request,
            user_id=actor.id,
            from_status=request.status,
            to_status="cancelled",
            change_at=now,
        ).add(self.session)

        request.status = "cancelled"
        self.session.flush()

        Comment(
            obj_type=OBJ_TYPES["RequestStatusChange"],
            obj_pk=request_status_change.id,
            user_id=actor.id,
            comment=reason,
            created_on=now,
        ).add(self.session)
def test_sa_tokens(session, users, http_client, base_url):
    user = users['*****@*****.**']

    # Add account
    create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')

    u = User.get(session, name="*****@*****.**")
    g = Group.get(session, name="*****@*****.**")

    assert u is not None
    assert g is not None
    assert is_role_user(session, user=u)
    assert is_role_user(session, group=g)
    assert get_role_user(session, user=u).group.id == g.id
    assert get_role_user(session, group=g).user.id == u.id
    assert not is_role_user(session, user=user)
    assert not is_role_user(session, group=Group.get(session, name="team-sre"))

    with pytest.raises(HTTPError):
        # Add token
        fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**"))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'name': 'myDHDToken'}),
                headers={'X-Grouper-User': "******"})

    # Add token
    fe_url = url(base_url, '/users/{}/tokens/add'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': 'myDHDToken'}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Verify add
    fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="GET",
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200
    assert "Added token: myDHDToken" in resp.body

    with pytest.raises(HTTPError):
        # Disable token
        fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**"))
        resp = yield http_client.fetch(fe_url, method="POST",
                body="",
                headers={'X-Grouper-User': "******"})

    # Disable token
    fe_url = url(base_url, '/users/{}/tokens/1/disable'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Verify disable
    fe_url = url(base_url, '/users/{}'.format("*****@*****.**"))
    resp = yield http_client.fetch(fe_url, method="GET",
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200
    assert "Disabled token: myDHDToken" in resp.body
Exemple #53
0
def test_shell(session, users, http_client, base_url):
    with patch('grouper.fe.handlers.user_shell.settings') as mock_settings:
        mock_settings.shell = [['/bin/bash', 'bash'], ['/bin/zsh', 'zsh']]

        user = users['*****@*****.**']
        assert not get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)

        user = User.get(session, name=user.username)
        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'shell': "/bin/bash"}),
                headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert (get_user_metadata_by_key(session, user.id, 
                   USER_METADATA_SHELL_KEY).data_value == "/bin/bash")

        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'shell': "/bin/fish"}),
                headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert get_user_metadata_by_key(session, user.id,
                                        USER_METADATA_SHELL_KEY).data_value == "/bin/bash"

        fe_url = url(base_url, '/users/{}/shell'.format(user.username))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'shell': "/bin/zsh"}),
                headers={'X-Grouper-User': user.username})
        assert resp.code == 200

        user = User.get(session, name=user.username)

        assert get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY) is not None, \
            "The user should have shell metadata"
        assert (get_user_metadata_by_key(session, user.id, 
                   USER_METADATA_SHELL_KEY).data_value == "/bin/zsh")
Exemple #54
0
    def post(self, *args, **kwargs):
        # type: (*Any, **Any) -> None
        user_id = kwargs.get("user_id")  # type: Optional[int]
        name = kwargs.get("name")  # type: Optional[str]

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserTokenForm(self.request.arguments)
        if not form.validate():
            return self.render(
                "user-token-add.html",
                form=form,
                user=user,
                alerts=self.get_form_alerts(form.errors),
            )

        try:
            token, secret = add_new_user_token(
                self.session, UserToken(name=form.data["name"], user=user)
            )
            self.session.commit()
        except IntegrityError:
            self.session.rollback()
            form.name.errors.append("Name already in use.")
            return self.render(
                "user-token-add.html",
                form=form,
                user=user,
                alerts=self.get_form_alerts(form.errors),
            )

        AuditLog.log(
            self.session,
            self.current_user.id,
            "add_token",
            "Added token: {}".format(token.name),
            on_user_id=user.id,
        )

        email_context = {
            "actioner": self.current_user.name,
            "changed_user": user.name,
            "action": "added",
        }
        send_email(
            self.session,
            [user.name],
            "User token created",
            "user_tokens_changed",
            settings(),
            email_context,
        )
        return self.render("user-token-created.html", token=token, secret=secret)
Exemple #55
0
    def post(self, *args, **kwargs):
        # type: (*Any, **Any) -> None
        user_id = kwargs.get("user_id")  # type: Optional[int]
        name = kwargs.get("name")  # type: Optional[str]

        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        form = UserPasswordForm(self.request.arguments)
        if not form.validate():
            return self.render(
                "user-password-add.html",
                form=form,
                user=user,
                alerts=self.get_form_alerts(form.errors),
            )

        pass_name = form.data["name"]
        password = form.data["password"]
        try:
            add_new_user_password(self.session, pass_name, password, user.id)
        except PasswordAlreadyExists:
            self.session.rollback()
            form.name.errors.append("Name already in use.")
            return self.render(
                "user-password-add.html",
                form=form,
                user=user,
                alerts=self.get_form_alerts(form.errors),
            )

        AuditLog.log(
            self.session,
            self.current_user.id,
            "add_password",
            "Added password: {}".format(pass_name),
            on_user_id=user.id,
        )

        email_context = {
            "actioner": self.current_user.name,
            "changed_user": user.name,
            "pass_name": pass_name,
        }
        send_email(
            self.session,
            [user.name],
            "User password created",
            "user_password_created",
            settings(),
            email_context,
        )
        return self.redirect("/users/{}?refresh=yes".format(user.name))
    def get(self, user_id=None, name=None, pass_id=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()
        password = UserPassword.get(self.session, user=user, id=pass_id)
        return self.render("user-password-delete.html", user=user, password=password)
Exemple #57
0
    def member(self):
        # TODO(cbguder): get around circular dependencies
        from grouper.models.group import Group

        if self.edge.member_type == 0:  # User
            return User.get(self.session, pk=self.edge.member_pk)
        elif self.edge.member_type == 1:  # Group
            return Group.get(self.session, pk=self.edge.member_pk)
        raise Exception("invalid member_type in AuditMember!")
Exemple #58
0
    def get(self, user_id=None, name=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        self.render("user-token-add.html", form=UserTokenForm(), user=user)
Exemple #59
0
    def get(self, user_id=None, name=None, token_id=None):
        user = User.get(self.session, user_id, name)
        if not user:
            return self.notfound()

        if not self.check_access(self.session, self.current_user, user):
            return self.forbidden()

        token = UserToken.get(self.session, user=user, id=token_id)
        return self.render("user-token-disable.html", user=user, token=token)