def get(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
status = self.get_argument("status", None)
offset = int(self.get_argument("offset", 0))
limit = int(self.get_argument("limit", 100))
if limit > 9000:
limit = 9000
requests = group.my_requests(status).order_by(
Request.requested_at.desc()
)
members = group.my_members()
total = requests.count()
requests = requests.offset(offset).limit(limit)
current_user_role = {
'is_owner': user_role_index(self.current_user, members) in OWNER_ROLE_INDICES,
'is_approver': user_role_index(self.current_user, members) in APPROVER_ROLE_INDICIES,
'is_manager': user_role(self.current_user, members) == "manager",
'role': user_role(self.current_user, members),
}
self.render(
"group-requests.html", group=group, requests=requests,
members=members, status=status, statuses=REQUEST_STATUS_CHOICES,
offset=offset, limit=limit, total=total, current_user_role=current_user_role,
)
def get(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
status = self.get_argument("status", None)
offset = int(self.get_argument("offset", 0))
limit = int(self.get_argument("limit", 100))
if limit > 9000:
limit = 9000
requests = group.my_requests(status).order_by(
Request.requested_at.desc()
)
members = group.my_members()
total = requests.count()
requests = requests.offset(offset).limit(limit)
current_user_role = {
'is_owner': user_role_index(self.current_user, members) in OWNER_ROLE_INDICES,
'is_approver': user_role_index(self.current_user, members) in APPROVER_ROLE_INDICES,
'is_manager': user_role(self.current_user, members) == "manager",
'role': user_role(self.current_user, members),
}
self.render(
"group-requests.html", group=group, requests=requests,
members=members, status=status, statuses=REQUEST_STATUS_CHOICES,
offset=offset, limit=limit, total=total, current_user_role=current_user_role,
)
def get_group_view_template_vars(session, actor, group, graph):
# type: (Session, User, Group, GroupGraph) -> Dict[str, Any]
ret = {}
ret["grantable"] = user_grantable_permissions(session, actor)
try:
group_md = graph.get_group_details(group.name)
except NoSuchGroup:
# Very new group with no metadata yet, or it has been disabled and
# excluded from in-memory cache.
group_md = {}
ret["members"] = group.my_members()
ret["groups"] = group.my_groups()
ret["service_accounts"] = get_service_accounts(session, group)
ret["permissions"] = group_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])
ret["permission_requests_pending"] = []
for req in get_pending_request_by_group(session, group):
granters = []
for owner, argument in get_owner_arg_list(session, req.permission, req.argument):
granters.append(owner.name)
ret["permission_requests_pending"].append((req, granters))
ret["audited"] = group_md.get("audited", False)
ret["log_entries"] = group.my_log_entries()
ret["num_pending"] = count_requests_by_group(session, group, status="pending")
ret["current_user_role"] = {
"is_owner": user_role_index(actor, ret["members"]) in OWNER_ROLE_INDICES,
"is_approver": user_role_index(actor, ret["members"]) in APPROVER_ROLE_INDICES,
"is_manager": user_role(actor, ret["members"]) == "manager",
"is_member": user_role(actor, ret["members"]) is not None,
"role": user_role(actor, ret["members"]),
}
ret["can_leave"] = (
ret["current_user_role"]["is_member"] and not ret["current_user_role"]["is_owner"]
)
ret["statuses"] = AUDIT_STATUS_CHOICES
# Add mapping_id to permissions structure
ret["my_permissions"] = group.my_permissions()
for perm_up in ret["permissions"]:
for perm_direct in ret["my_permissions"]:
if (
perm_up["permission"] == perm_direct.name
and perm_up["argument"] == perm_direct.argument
):
perm_up["mapping_id"] = perm_direct.mapping_id
break
ret["alerts"] = []
ret["self_pending"] = count_requests_by_group(session, group, status="pending", user=actor)
if ret["self_pending"]:
ret["alerts"].append(Alert("info", "You have a pending request to join this group.", None))
return ret
def get_group_view_template_vars(session, actor, group, graph):
ret = {}
ret["grantable"] = user_grantable_permissions(session, actor)
try:
group_md = graph.get_group_details(group.name)
except NoSuchGroup:
# Very new group with no metadata yet, or it has been disabled and
# excluded from in-memory cache.
group_md = {}
ret["members"] = group.my_members()
ret["groups"] = group.my_groups()
ret["service_accounts"] = get_service_accounts(session, group)
ret["permissions"] = group_md.get('permissions', [])
ret["permission_requests_pending"] = []
for req in get_pending_request_by_group(session, group):
granters = []
for owner, argument in get_owner_arg_list(session, req.permission,
req.argument):
granters.append(owner.name)
ret["permission_requests_pending"].append((req, granters))
ret["audited"] = group_md.get('audited', False)
ret["log_entries"] = group.my_log_entries()
ret["num_pending"] = group.my_requests("pending").count()
ret["current_user_role"] = {
'is_owner': user_role_index(actor,
ret["members"]) in OWNER_ROLE_INDICES,
'is_approver': user_role_index(actor, ret["members"])
in APPROVER_ROLE_INDICES,
'is_manager': user_role(actor, ret["members"]) == "manager",
'is_member': user_role(actor, ret["members"]) is not None,
'role': user_role(actor, ret["members"]),
}
ret["can_leave"] = (ret["current_user_role"]['is_member']
and not ret["current_user_role"]['is_owner'])
ret["statuses"] = AUDIT_STATUS_CHOICES
# Add mapping_id to permissions structure
ret["my_permissions"] = group.my_permissions()
for perm_up in ret["permissions"]:
for perm_direct in ret["my_permissions"]:
if (perm_up['permission'] == perm_direct.name
and perm_up['argument'] == perm_direct.argument):
perm_up['mapping_id'] = perm_direct.mapping_id
break
ret["alerts"] = []
ret["self_pending"] = group.my_requests("pending", user=actor).count()
if ret["self_pending"]:
ret["alerts"].append(
Alert('info', 'You have a pending request to join this group.',
None))
return ret
def get_group_view_template_vars(session, actor, group, graph):
ret = {}
ret["grantable"] = user_grantable_permissions(session, actor)
try:
group_md = graph.get_group_details(group.name)
except NoSuchGroup:
# Very new group with no metadata yet, or it has been disabled and
# excluded from in-memory cache.
group_md = {}
ret["members"] = group.my_members()
ret["groups"] = group.my_groups()
ret["permissions"] = group_md.get('permissions', [])
ret["permission_requests_pending"] = []
for req in get_pending_request_by_group(session, group):
granters = []
for owner, argument in get_owner_arg_list(session, req.permission, req.argument):
granters.append(owner.name)
ret["permission_requests_pending"].append((req, granters))
ret["audited"] = group_md.get('audited', False)
ret["log_entries"] = group.my_log_entries()
ret["num_pending"] = group.my_requests("pending").count()
ret["current_user_role"] = {
'is_owner': user_role_index(actor, ret["members"]) in OWNER_ROLE_INDICES,
'is_approver': user_role_index(actor, ret["members"]) in APPROVER_ROLE_INDICIES,
'is_manager': user_role(actor, ret["members"]) == "manager",
'is_member': user_role(actor, ret["members"]) is not None,
'role': user_role(actor, ret["members"]),
}
ret["can_leave"] = (ret["current_user_role"]['is_member'] and not
ret["current_user_role"]['is_owner'])
ret["statuses"] = AUDIT_STATUS_CHOICES
# Add mapping_id to permissions structure
ret["my_permissions"] = group.my_permissions()
for perm_up in ret["permissions"]:
for perm_direct in ret["my_permissions"]:
if (perm_up['permission'] == perm_direct.name and
perm_up['argument'] == perm_direct.argument):
perm_up['mapping_id'] = perm_direct.mapping_id
break
ret["alerts"] = []
ret["self_pending"] = group.my_requests("pending", user=actor).count()
if ret["self_pending"]:
ret["alerts"].append(Alert('info', 'You have a pending request to join this group.',
None))
return ret
def user_is_owner_of_group(session, group, user):
# type: (Session, Group, User) -> bool
"""Determine if this user is an owner of the given group
This returns true if this user object is an owner or np-owner of the given group.
"""
from grouper.user import user_role_index
if not group:
return False
members = group.my_members()
return user_role_index(user, members) in OWNER_ROLE_INDICES
def user_is_owner_of_group(session, group, user):
"""Determine if this user is an owner of the given group
This returns true if this user object is an owner or np-owner of the given group.
Args:
group (Group): Group to check permissions against.
Returns:
bool: True or False on whether or not they can manage.
"""
from grouper.user import user_role_index
if not group:
return False
members = group.my_members()
return user_role_index(user, members) in OWNER_ROLE_INDICES
def user_is_owner_of_group(session, group, user):
"""Determine if this user is an owner of the given group
This returns true if this user object is an owner or np-owner of the given group.
Args:
group (Group): Group to check permissions against.
Returns:
bool: True or False on whether or not they can manage.
"""
from grouper.user import user_role_index
if not group:
return False
members = group.my_members()
return user_role_index(user, members) in OWNER_ROLE_INDICES
def expire_nonauditors(self, session):
"""Checks all enabled audited groups and ensures that all approvers for that group have
the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
have their membership in the audited group set to expire
settings.nonauditor_expiration_days days in the future.
Args:
session (Session): database session
"""
now = datetime.utcnow()
graph = Graph()
exp_days = timedelta(days=settings.nonauditor_expiration_days)
# Hack to ensure the graph is loaded before we access it
graph.update_from_db(session)
# TODO(tyleromeara): replace with graph call
for group in get_audited_groups(session):
members = group.my_members()
# Go through every member of the group and set them to expire if they are an approver
# but not an auditor
for (type_, member), edge in members.iteritems():
# Auditing is already inherited, so we don't need to handle that here
if type_ == "Group":
continue
member = User.get(session, name=member)
member_is_approver = user_role_index(
member, members) in APPROVER_ROLE_INDICIES
member_is_auditor = user_has_permission(
session, member, PERMISSION_AUDITOR)
if not member_is_approver or member_is_auditor:
continue
edge = GroupEdge.get(session, id=edge.edge_id)
if edge.expiration and edge.expiration < now + exp_days:
continue
exp = now + exp_days
exp = exp.date()
edge.apply_changes_dict({
"expiration":
"{}/{}/{}".format(exp.month, exp.day, exp.year)
})
edge.add(session)
notify_nonauditor_flagged(settings, session, edge)
session.commit()
def expire_nonauditors(self, session):
# type: (Session) -> None
"""Checks all enabled audited groups and ensures that all approvers for that group have
the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
have their membership in the audited group set to expire
settings.nonauditor_expiration_days days in the future.
Args:
session (Session): database session
"""
now = datetime.utcnow()
graph = Graph()
exp_days = timedelta(days=self.settings.nonauditor_expiration_days)
# Hack to ensure the graph is loaded before we access it
graph.update_from_db(session)
# TODO(tyleromeara): replace with graph call
for group in get_audited_groups(session):
members = group.my_members()
# Go through every member of the group and set them to expire if they are an approver
# but not an auditor
for (type_, member), edge in members.iteritems():
# Auditing is already inherited, so we don't need to handle that here
if type_ == "Group":
continue
member = User.get(session, name=member)
member_is_approver = user_role_index(member, members) in APPROVER_ROLE_INDICES
member_is_auditor = user_has_permission(session, member, PERMISSION_AUDITOR)
if not member_is_approver or member_is_auditor:
continue
edge = GroupEdge.get(session, id=edge.edge_id)
if edge.expiration and edge.expiration < now + exp_days:
continue
exp = (now + exp_days).date()
edge.apply_changes(
{"expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year)}
)
edge.add(session)
notify_nonauditor_flagged(self.settings, session, edge)
session.commit()
def get_group_view_template_vars(session, actor, group, graph):
# type: (Session, User, Group, GroupGraph) -> Dict[str, Any]
ret = {}
ret["grantable"] = user_grantable_permissions(session, actor)
try:
group_md = graph.get_group_details(group.name)
except NoSuchGroup:
# Very new group with no metadata yet, or it has been disabled and
# excluded from in-memory cache.
group_md = {}
ret["members"] = group.my_members()
ret["groups"] = group.my_groups()
ret["service_accounts"] = get_service_accounts(session, group)
ret["permissions"] = group_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(
permission["granted_on"])
ret["permission_requests_pending"] = []
for req in get_pending_request_by_group(session, group):
granters = []
for owner, argument in get_owner_arg_list(session, req.permission,
req.argument):
granters.append(owner.name)
ret["permission_requests_pending"].append((req, granters))
ret["audited"] = group_md.get("audited", False)
ret["log_entries"] = group.my_log_entries()
ret["num_pending"] = count_requests_by_group(session,
group,
status="pending")
ret["current_user_role"] = {
"is_owner": user_role_index(actor,
ret["members"]) in OWNER_ROLE_INDICES,
"is_approver": user_role_index(actor, ret["members"])
in APPROVER_ROLE_INDICES,
"is_manager": user_role(actor, ret["members"]) == "manager",
"is_member": user_role(actor, ret["members"]) is not None,
"role": user_role(actor, ret["members"]),
}
ret["can_leave"] = (ret["current_user_role"]["is_member"]
and not ret["current_user_role"]["is_owner"])
ret["statuses"] = AUDIT_STATUS_CHOICES
# Add mapping_id to permissions structure
ret["my_permissions"] = group.my_permissions()
for perm_up in ret["permissions"]:
for perm_direct in ret["my_permissions"]:
if (perm_up["permission"] == perm_direct.name
and perm_up["argument"] == perm_direct.argument):
perm_up["mapping_id"] = perm_direct.mapping_id
break
ret["alerts"] = []
ret["self_pending"] = count_requests_by_group(session,
group,
status="pending",
user=actor)
if ret["self_pending"]:
ret["alerts"].append(
Alert("info", "You have a pending request to join this group.",
None))
return ret