Exemple #1
0
    def get(self, group_id=None, name=None):
        group = Group.get(self.session, group_id, name)
        if not group:
            return self.notfound()

        status = self.get_argument("status", None)
        offset = int(self.get_argument("offset", 0))
        limit = int(self.get_argument("limit", 100))
        if limit > 9000:
            limit = 9000

        requests = group.my_requests(status).order_by(
            Request.requested_at.desc()
        )
        members = group.my_members()

        total = requests.count()
        requests = requests.offset(offset).limit(limit)

        current_user_role = {
            'is_owner': user_role_index(self.current_user, members) in OWNER_ROLE_INDICES,
            'is_approver': user_role_index(self.current_user, members) in APPROVER_ROLE_INDICIES,
            'is_manager': user_role(self.current_user, members) == "manager",
            'role': user_role(self.current_user, members),
             }

        self.render(
            "group-requests.html", group=group, requests=requests,
            members=members, status=status, statuses=REQUEST_STATUS_CHOICES,
            offset=offset, limit=limit, total=total, current_user_role=current_user_role,
        )
    def get(self, group_id=None, name=None):
        group = Group.get(self.session, group_id, name)
        if not group:
            return self.notfound()

        status = self.get_argument("status", None)
        offset = int(self.get_argument("offset", 0))
        limit = int(self.get_argument("limit", 100))
        if limit > 9000:
            limit = 9000

        requests = group.my_requests(status).order_by(
            Request.requested_at.desc()
        )
        members = group.my_members()

        total = requests.count()
        requests = requests.offset(offset).limit(limit)

        current_user_role = {
            'is_owner': user_role_index(self.current_user, members) in OWNER_ROLE_INDICES,
            'is_approver': user_role_index(self.current_user, members) in APPROVER_ROLE_INDICES,
            'is_manager': user_role(self.current_user, members) == "manager",
            'role': user_role(self.current_user, members),
             }

        self.render(
            "group-requests.html", group=group, requests=requests,
            members=members, status=status, statuses=REQUEST_STATUS_CHOICES,
            offset=offset, limit=limit, total=total, current_user_role=current_user_role,
        )
def get_group_view_template_vars(session, actor, group, graph):
    # type: (Session, User, Group, GroupGraph) -> Dict[str, Any]
    ret = {}
    ret["grantable"] = user_grantable_permissions(session, actor)

    try:
        group_md = graph.get_group_details(group.name)
    except NoSuchGroup:
        # Very new group with no metadata yet, or it has been disabled and
        # excluded from in-memory cache.
        group_md = {}

    ret["members"] = group.my_members()
    ret["groups"] = group.my_groups()
    ret["service_accounts"] = get_service_accounts(session, group)
    ret["permissions"] = group_md.get("permissions", [])
    for permission in ret["permissions"]:
        permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])

    ret["permission_requests_pending"] = []
    for req in get_pending_request_by_group(session, group):
        granters = []
        for owner, argument in get_owner_arg_list(session, req.permission, req.argument):
            granters.append(owner.name)
        ret["permission_requests_pending"].append((req, granters))

    ret["audited"] = group_md.get("audited", False)
    ret["log_entries"] = group.my_log_entries()
    ret["num_pending"] = count_requests_by_group(session, group, status="pending")
    ret["current_user_role"] = {
        "is_owner": user_role_index(actor, ret["members"]) in OWNER_ROLE_INDICES,
        "is_approver": user_role_index(actor, ret["members"]) in APPROVER_ROLE_INDICES,
        "is_manager": user_role(actor, ret["members"]) == "manager",
        "is_member": user_role(actor, ret["members"]) is not None,
        "role": user_role(actor, ret["members"]),
    }
    ret["can_leave"] = (
        ret["current_user_role"]["is_member"] and not ret["current_user_role"]["is_owner"]
    )
    ret["statuses"] = AUDIT_STATUS_CHOICES

    # Add mapping_id to permissions structure
    ret["my_permissions"] = group.my_permissions()
    for perm_up in ret["permissions"]:
        for perm_direct in ret["my_permissions"]:
            if (
                perm_up["permission"] == perm_direct.name
                and perm_up["argument"] == perm_direct.argument
            ):
                perm_up["mapping_id"] = perm_direct.mapping_id
                break

    ret["alerts"] = []
    ret["self_pending"] = count_requests_by_group(session, group, status="pending", user=actor)
    if ret["self_pending"]:
        ret["alerts"].append(Alert("info", "You have a pending request to join this group.", None))

    return ret
def get_group_view_template_vars(session, actor, group, graph):
    ret = {}
    ret["grantable"] = user_grantable_permissions(session, actor)

    try:
        group_md = graph.get_group_details(group.name)
    except NoSuchGroup:
        # Very new group with no metadata yet, or it has been disabled and
        # excluded from in-memory cache.
        group_md = {}

    ret["members"] = group.my_members()
    ret["groups"] = group.my_groups()
    ret["service_accounts"] = get_service_accounts(session, group)
    ret["permissions"] = group_md.get('permissions', [])

    ret["permission_requests_pending"] = []
    for req in get_pending_request_by_group(session, group):
        granters = []
        for owner, argument in get_owner_arg_list(session, req.permission,
                                                  req.argument):
            granters.append(owner.name)
        ret["permission_requests_pending"].append((req, granters))

    ret["audited"] = group_md.get('audited', False)
    ret["log_entries"] = group.my_log_entries()
    ret["num_pending"] = group.my_requests("pending").count()
    ret["current_user_role"] = {
        'is_owner': user_role_index(actor,
                                    ret["members"]) in OWNER_ROLE_INDICES,
        'is_approver': user_role_index(actor, ret["members"])
        in APPROVER_ROLE_INDICES,
        'is_manager': user_role(actor, ret["members"]) == "manager",
        'is_member': user_role(actor, ret["members"]) is not None,
        'role': user_role(actor, ret["members"]),
    }
    ret["can_leave"] = (ret["current_user_role"]['is_member']
                        and not ret["current_user_role"]['is_owner'])
    ret["statuses"] = AUDIT_STATUS_CHOICES

    # Add mapping_id to permissions structure
    ret["my_permissions"] = group.my_permissions()
    for perm_up in ret["permissions"]:
        for perm_direct in ret["my_permissions"]:
            if (perm_up['permission'] == perm_direct.name
                    and perm_up['argument'] == perm_direct.argument):
                perm_up['mapping_id'] = perm_direct.mapping_id
                break

    ret["alerts"] = []
    ret["self_pending"] = group.my_requests("pending", user=actor).count()
    if ret["self_pending"]:
        ret["alerts"].append(
            Alert('info', 'You have a pending request to join this group.',
                  None))

    return ret
def get_group_view_template_vars(session, actor, group, graph):
    ret = {}
    ret["grantable"] = user_grantable_permissions(session, actor)

    try:
        group_md = graph.get_group_details(group.name)
    except NoSuchGroup:
        # Very new group with no metadata yet, or it has been disabled and
        # excluded from in-memory cache.
        group_md = {}

    ret["members"] = group.my_members()
    ret["groups"] = group.my_groups()
    ret["permissions"] = group_md.get('permissions', [])

    ret["permission_requests_pending"] = []
    for req in get_pending_request_by_group(session, group):
        granters = []
        for owner, argument in get_owner_arg_list(session, req.permission, req.argument):
            granters.append(owner.name)
        ret["permission_requests_pending"].append((req, granters))

    ret["audited"] = group_md.get('audited', False)
    ret["log_entries"] = group.my_log_entries()
    ret["num_pending"] = group.my_requests("pending").count()
    ret["current_user_role"] = {
        'is_owner': user_role_index(actor, ret["members"]) in OWNER_ROLE_INDICES,
        'is_approver': user_role_index(actor, ret["members"]) in APPROVER_ROLE_INDICIES,
        'is_manager': user_role(actor, ret["members"]) == "manager",
        'is_member': user_role(actor, ret["members"]) is not None,
        'role': user_role(actor, ret["members"]),
        }
    ret["can_leave"] = (ret["current_user_role"]['is_member'] and not
        ret["current_user_role"]['is_owner'])
    ret["statuses"] = AUDIT_STATUS_CHOICES

    # Add mapping_id to permissions structure
    ret["my_permissions"] = group.my_permissions()
    for perm_up in ret["permissions"]:
        for perm_direct in ret["my_permissions"]:
            if (perm_up['permission'] == perm_direct.name and
                    perm_up['argument'] == perm_direct.argument):
                perm_up['mapping_id'] = perm_direct.mapping_id
                break

    ret["alerts"] = []
    ret["self_pending"] = group.my_requests("pending", user=actor).count()
    if ret["self_pending"]:
        ret["alerts"].append(Alert('info', 'You have a pending request to join this group.',
            None))

    return ret
Exemple #6
0
def user_is_owner_of_group(session, group, user):
    # type: (Session, Group, User) -> bool
    """Determine if this user is an owner of the given group

    This returns true if this user object is an owner or np-owner of the given group.
    """
    from grouper.user import user_role_index

    if not group:
        return False
    members = group.my_members()
    return user_role_index(user, members) in OWNER_ROLE_INDICES
Exemple #7
0
def user_is_owner_of_group(session, group, user):
    """Determine if this user is an owner of the given group

    This returns true if this user object is an owner or np-owner of the given group.

    Args:
        group (Group): Group to check permissions against.

    Returns:
        bool: True or False on whether or not they can manage.
    """
    from grouper.user import user_role_index
    if not group:
        return False
    members = group.my_members()
    return user_role_index(user, members) in OWNER_ROLE_INDICES
Exemple #8
0
def user_is_owner_of_group(session, group, user):
    """Determine if this user is an owner of the given group

    This returns true if this user object is an owner or np-owner of the given group.

    Args:
        group (Group): Group to check permissions against.

    Returns:
        bool: True or False on whether or not they can manage.
    """
    from grouper.user import user_role_index
    if not group:
        return False
    members = group.my_members()
    return user_role_index(user, members) in OWNER_ROLE_INDICES
Exemple #9
0
    def expire_nonauditors(self, session):
        """Checks all enabled audited groups and ensures that all approvers for that group have
        the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
        have their membership in the audited group set to expire
        settings.nonauditor_expiration_days days in the future.

        Args:
            session (Session): database session
        """
        now = datetime.utcnow()
        graph = Graph()
        exp_days = timedelta(days=settings.nonauditor_expiration_days)
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)
        # TODO(tyleromeara): replace with graph call
        for group in get_audited_groups(session):
            members = group.my_members()
            # Go through every member of the group and set them to expire if they are an approver
            # but not an auditor
            for (type_, member), edge in members.iteritems():
                # Auditing is already inherited, so we don't need to handle that here
                if type_ == "Group":
                    continue
                member = User.get(session, name=member)
                member_is_approver = user_role_index(
                    member, members) in APPROVER_ROLE_INDICIES
                member_is_auditor = user_has_permission(
                    session, member, PERMISSION_AUDITOR)
                if not member_is_approver or member_is_auditor:
                    continue
                edge = GroupEdge.get(session, id=edge.edge_id)
                if edge.expiration and edge.expiration < now + exp_days:
                    continue
                exp = now + exp_days
                exp = exp.date()
                edge.apply_changes_dict({
                    "expiration":
                    "{}/{}/{}".format(exp.month, exp.day, exp.year)
                })
                edge.add(session)
                notify_nonauditor_flagged(settings, session, edge)
        session.commit()
    def expire_nonauditors(self, session):
        # type: (Session) -> None
        """Checks all enabled audited groups and ensures that all approvers for that group have
        the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
        have their membership in the audited group set to expire
        settings.nonauditor_expiration_days days in the future.

        Args:
            session (Session): database session
        """
        now = datetime.utcnow()
        graph = Graph()
        exp_days = timedelta(days=self.settings.nonauditor_expiration_days)
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)
        # TODO(tyleromeara): replace with graph call
        for group in get_audited_groups(session):
            members = group.my_members()
            # Go through every member of the group and set them to expire if they are an approver
            # but not an auditor
            for (type_, member), edge in members.iteritems():
                # Auditing is already inherited, so we don't need to handle that here
                if type_ == "Group":
                    continue
                member = User.get(session, name=member)
                member_is_approver = user_role_index(member, members) in APPROVER_ROLE_INDICES
                member_is_auditor = user_has_permission(session, member, PERMISSION_AUDITOR)
                if not member_is_approver or member_is_auditor:
                    continue
                edge = GroupEdge.get(session, id=edge.edge_id)
                if edge.expiration and edge.expiration < now + exp_days:
                    continue
                exp = (now + exp_days).date()
                edge.apply_changes(
                    {"expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year)}
                )
                edge.add(session)
                notify_nonauditor_flagged(self.settings, session, edge)
        session.commit()
Exemple #11
0
def get_group_view_template_vars(session, actor, group, graph):
    # type: (Session, User, Group, GroupGraph) -> Dict[str, Any]
    ret = {}
    ret["grantable"] = user_grantable_permissions(session, actor)

    try:
        group_md = graph.get_group_details(group.name)
    except NoSuchGroup:
        # Very new group with no metadata yet, or it has been disabled and
        # excluded from in-memory cache.
        group_md = {}

    ret["members"] = group.my_members()
    ret["groups"] = group.my_groups()
    ret["service_accounts"] = get_service_accounts(session, group)
    ret["permissions"] = group_md.get("permissions", [])
    for permission in ret["permissions"]:
        permission["granted_on"] = datetime.fromtimestamp(
            permission["granted_on"])

    ret["permission_requests_pending"] = []
    for req in get_pending_request_by_group(session, group):
        granters = []
        for owner, argument in get_owner_arg_list(session, req.permission,
                                                  req.argument):
            granters.append(owner.name)
        ret["permission_requests_pending"].append((req, granters))

    ret["audited"] = group_md.get("audited", False)
    ret["log_entries"] = group.my_log_entries()
    ret["num_pending"] = count_requests_by_group(session,
                                                 group,
                                                 status="pending")
    ret["current_user_role"] = {
        "is_owner": user_role_index(actor,
                                    ret["members"]) in OWNER_ROLE_INDICES,
        "is_approver": user_role_index(actor, ret["members"])
        in APPROVER_ROLE_INDICES,
        "is_manager": user_role(actor, ret["members"]) == "manager",
        "is_member": user_role(actor, ret["members"]) is not None,
        "role": user_role(actor, ret["members"]),
    }
    ret["can_leave"] = (ret["current_user_role"]["is_member"]
                        and not ret["current_user_role"]["is_owner"])
    ret["statuses"] = AUDIT_STATUS_CHOICES

    # Add mapping_id to permissions structure
    ret["my_permissions"] = group.my_permissions()
    for perm_up in ret["permissions"]:
        for perm_direct in ret["my_permissions"]:
            if (perm_up["permission"] == perm_direct.name
                    and perm_up["argument"] == perm_direct.argument):
                perm_up["mapping_id"] = perm_direct.mapping_id
                break

    ret["alerts"] = []
    ret["self_pending"] = count_requests_by_group(session,
                                                  group,
                                                  status="pending",
                                                  user=actor)
    if ret["self_pending"]:
        ret["alerts"].append(
            Alert("info", "You have a pending request to join this group.",
                  None))

    return ret