def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
user = User.get(self.session, name=name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserShellForm(self.request.arguments)
form.shell.choices = settings().shell
if not form.validate():
return self.render("user-shell.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors))
set_user_metadata(self.session, user.id, USER_METADATA_SHELL_KEY,
form.data["shell"])
AuditLog.log(
self.session,
self.current_user.id,
"changed_shell",
"Changed shell: {}".format(form.data["shell"]),
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_basic_metadata(standard_graph, session, users, groups, permissions): # noqa: F811
""" Test basic metadata functionality. """
user_id = users["*****@*****.**"].id
assert len(get_user_metadata(session, users["*****@*****.**"].id)) == 0, "No metadata yet"
# Test setting "foo" to 1 works, and we get "1" back (metadata is defined as strings)
set_user_metadata(session, user_id, "foo", 1)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
assert [d.data_value for d in md if d.data_key == "foo"] == ["1"], "foo is 1"
set_user_metadata(session, user_id, "bar", "test string")
md = get_user_metadata(session, user_id)
assert len(md) == 2, "Two metadata items"
assert [d.data_value for d in md if d.data_key == "bar"] == [
"test string"
], "bar is test string"
set_user_metadata(session, user_id, "foo", "test2")
md = get_user_metadata(session, user_id)
assert len(md) == 2, "Two metadata items"
assert [d.data_value for d in md if d.data_key == "foo"] == ["test2"], "foo is test2"
set_user_metadata(session, user_id, "foo", None)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
assert [d.data_value for d in md if d.data_key == "foo"] == [], "foo is not found"
set_user_metadata(session, user_id, "baz", None)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
def test_github_user_admin(session, users, http_client,
base_url): # noqa: F811
user = users["*****@*****.**"]
set_user_metadata(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY,
"zorkian")
data = get_user_metadata_by_key(session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY)
assert data
assert data.data_value == "zorkian"
# Another random user should not be able to clear the GitHub identity.
fe_url = url(base_url, f"/users/{user.username}/github/clear")
with pytest.raises(HTTPError) as excinfo:
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": "******"},
body=b"")
assert excinfo.value.code == 403
data = get_user_metadata_by_key(session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY)
assert data
assert data.data_value == "zorkian"
# A user admin should be able to clear the GitHub identity.
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": "******"},
body=b"")
assert resp.code == 200
assert get_user_metadata_by_key(session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY) is None
def post(self, *args, **kwargs):
# type: (*Any, **Any) -> None
user_id = kwargs.get("user_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserGitHubForm(self.request.arguments)
if not form.validate():
return self.render(
"user-github.html", form=form, user=user, alerts=self.get_form_alerts(form.errors)
)
new_username = form.data["username"]
if new_username == "":
new_username = None
set_user_metadata(self.session, user.id, USER_METADATA_GITHUB_USERNAME_KEY, new_username)
AuditLog.log(
self.session,
self.current_user.id,
"changed_github_username",
"Changed GitHub username: {}".format(form.data["username"]),
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_github_username(session, users, http_client, base_url,
graph): # noqa: F811
user = users["*****@*****.**"]
assert get_user_metadata_by_key(session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY) is None
set_user_metadata(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY,
"zorkian-on-gh")
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
[metadata] = body["data"]["user"]["metadata"]
assert metadata["data_key"] == "github_username"
assert metadata["data_value"] == "zorkian-on-gh"
set_user_metadata(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY,
None)
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] == []
def post(self, *args, **kwargs):
# type: (*Any, **Any) -> None
user_id = kwargs.get("user_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserShellForm(self.request.arguments)
form.shell.choices = settings().shell
if not form.validate():
return self.render(
"user-shell.html", form=form, user=user, alerts=self.get_form_alerts(form.errors)
)
set_user_metadata(self.session, user.id, USER_METADATA_SHELL_KEY, form.data["shell"])
AuditLog.log(
self.session,
self.current_user.id,
"changed_shell",
"Changed shell: {}".format(form.data["shell"]),
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_shell(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
assert not get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/bash")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/bash", "The shell should be set to the correct value"
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/zsh")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/zsh", "The shell should be set to the correct value"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
def create_service_account(self,
name,
owner,
machine_set,
description,
initial_metadata=None):
# type: (str, str, str, str, Optional[Dict[str,str]]) -> None
group = Group.get(self.session, name=owner)
if not group:
raise GroupNotFoundException(owner)
# Create the service account in the database.
user = SQLUser(username=name, is_service_account=True)
service = SQLServiceAccount(user=user,
machine_set=machine_set,
description=description)
user.add(self.session)
service.add(self.session)
# Flush the account to allocate an ID.
self.session.flush()
# Set initial user metadata fields if present.
if initial_metadata is not None:
for key, value in initial_metadata.items():
# TODO: move this to use the hexagonal architecture model.
set_user_metadata(self.session, user.id, key, value)
# Create the linkage to the owner.
GroupServiceAccount(group_id=group.id,
service_account=service).add(self.session)
def set_metadata(self, key, value):
from grouper.user_metadata import set_user_metadata
logging.warning(
"User.set_metadata is deprecated."
"Please switch to using grouper.user_metadata.set_user_metadata")
set_user_metadata(self.session, self.id, key, value)
def test_basic_metadata(standard_graph, session, users, groups, permissions): # noqa: F811
""" Test basic metadata functionality. """
user_id = users["*****@*****.**"].id
assert len(get_user_metadata(session, users["*****@*****.**"].id)) == 0, "No metadata yet"
# Test setting "foo" to 1 works, and we get "1" back (metadata is defined as strings)
set_user_metadata(session, user_id, "foo", 1)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
assert [d.data_value for d in md if d.data_key == "foo"] == ["1"], "foo is 1"
set_user_metadata(session, user_id, "bar", "test string")
md = get_user_metadata(session, user_id)
assert len(md) == 2, "Two metadata items"
assert [d.data_value for d in md if d.data_key == "bar"] == [
"test string"
], "bar is test string"
set_user_metadata(session, user_id, "foo", "test2")
md = get_user_metadata(session, user_id)
assert len(md) == 2, "Two metadata items"
assert [d.data_value for d in md if d.data_key == "foo"] == ["test2"], "foo is test2"
set_user_metadata(session, user_id, "foo", None)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
assert [d.data_value for d in md if d.data_key == "foo"] == [], "foo is not found"
set_user_metadata(session, user_id, "baz", None)
md = get_user_metadata(session, user_id)
assert len(md) == 1, "One metadata item"
def test_shell(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
assert not get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/bash")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/bash", "The shell should be set to the correct value"
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/zsh")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/zsh", "The shell should be set to the correct value"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
def post(self, *args, **kwargs):
# type: (*Any, **Any) -> None
user_id = kwargs.get("user_id") # type: Optional[int]
name = kwargs.get("name") # type: Optional[str]
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserGitHubForm(self.request.arguments)
if not form.validate():
return self.render("user-github.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors))
new_username = form.data["username"]
if new_username == "":
new_username = None
set_user_metadata(self.session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY, new_username)
AuditLog.log(
self.session,
self.current_user.id,
"changed_github_username",
"Changed GitHub username: {}".format(form.data["username"]),
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
user = User.get(self.session, name=name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
metadata_key = self.get_path_argument("key")
if metadata_key == USER_METADATA_SHELL_KEY:
return self.redirect("/users/{}/shell".format(user.name))
elif metadata_key == USER_METADATA_GITHUB_USERNAME_KEY:
return self.redirect("/github/link_begin/{}".format(user.id))
known_field = metadata_key in settings().metadata_options
metadata_item = get_user_metadata_by_key(self.session, user.id,
metadata_key)
if not metadata_item and not known_field:
return self.notfound()
form = UserMetadataForm(self.request.arguments)
form.value.choices = settings().metadata_options.get(
metadata_key, DEFAULT_METADATA_OPTIIONS)
if not form.validate():
return self.render(
"user-metadata.html",
form=form,
user=user,
metadata_key=metadata_key,
is_enabled=known_field,
alerts=self.get_form_alerts(form.errors),
)
set_user_metadata(self.session, user.id, metadata_key,
form.data["value"])
AuditLog.log(
self.session,
self.current_user.id,
"changed_user_metadata",
"Changed {}: {}".format(metadata_key, form.data["value"]),
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_metadata(session, users, http_client, base_url): # noqa: F811
settings().metadata_options = {
"favorite_food": [["pizza", "pizza"], ["kale", "kale"]]
}
user = users["*****@*****.**"]
assert not get_user_metadata_by_key(session, user.id, "favorite_food")
user = User.get(session, name=user.username)
set_user_metadata(session, user.id, "favorite_food", "default")
fe_url = url(base_url,
"/users/{}/metadata/favorite_food".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"value": "pizza"}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
assert get_user_metadata_by_key(session, user.id,
"favorite_food").data_value == "pizza"
fe_url = url(base_url,
"/users/{}/metadata/favorite_food".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"value": "kale"}),
headers={"X-Grouper-User": user.username},
)
assert get_user_metadata_by_key(session, user.id,
"favorite_food").data_value == "kale"
fe_url = url(base_url,
"/users/{}/metadata/favorite_food".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"value": "donuts"}),
headers={"X-Grouper-User": user.username},
)
assert get_user_metadata_by_key(session, user.id,
"favorite_food").data_value == "kale"
def get(self, *args: Any, **kwargs: Any) -> Iterator[Future]:
# Check that the state parameter is correct.
state = self.request.query_arguments.get("state", [b""])[-1]
expected_state = self.get_cookie("github-link-state",
"").encode("utf-8")
self.clear_cookie("github-link-state")
if not hmac.compare_digest(state, expected_state):
self.badrequest()
return
code = self.get_query_argument("code")
# Make sure we're modifying the authenticated user before doing more.
user_id = kwargs["user_id"]
user = User.get(self.session, user_id)
if not user:
self.notfound()
return
if self.current_user.id != user.id:
self.forbidden()
return
github_client = GitHubClient(_get_github_http_client(),
settings().http_proxy_host,
settings().http_proxy_port)
oauth_token = yield github_client.get_oauth_access_token(
settings().github_app_client_id,
get_plugin_proxy().get_github_app_client_secret(),
code,
state,
)
gh_username = yield github_client.get_username(oauth_token)
AuditLog.log(
self.session,
self.current_user.id,
"changed_github_username",
"Changed GitHub username: {}".format(gh_username),
on_user_id=user.id,
)
set_user_metadata(self.session, user.id,
USER_METADATA_GITHUB_USERNAME_KEY, gh_username)
self.redirect("/users/{}?refresh=yes".format(user.name))
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
user = User.get(self.session, name=name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
set_user_metadata(self.session, user.id, USER_METADATA_GITHUB_USERNAME_KEY, None)
AuditLog.log(
self.session,
self.current_user.id,
"changed_github_username",
"Cleared GitHub link",
on_user_id=user.id,
)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def test_github_username(session, users, http_client, base_url, graph): # noqa: F811
user = users["*****@*****.**"]
assert get_user_metadata_by_key(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY) is None
set_user_metadata(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY, "zorkian-on-gh")
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
[metadata] = body["data"]["user"]["metadata"]
assert metadata["data_key"] == "github_username"
assert metadata["data_value"] == "zorkian-on-gh"
set_user_metadata(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY, None)
graph.update_from_db(session)
fe_url = url(base_url, "/users/{}".format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] == []
def post(self, user_id=None, name=None):
user = User.get(self.session, user_id, name)
if not user:
return self.notfound()
if not self.check_access(self.session, self.current_user, user):
return self.forbidden()
form = UserShellForm(self.request.arguments)
form.shell.choices = settings.shell
if not form.validate():
return self.render(
"user-shell.html", form=form, user=user,
alerts=self.get_form_alerts(form.errors),
)
set_user_metadata(self.session, user.id, USER_METADATA_SHELL_KEY, form.data["shell"])
AuditLog.log(self.session, self.current_user.id, 'changed_shell',
'Changed shell: {}'.format(form.data["shell"]),
on_user_id=user.id)
return self.redirect("/users/{}?refresh=yes".format(user.name))
def set_metadata(self, key, value):
from grouper.user_metadata import set_user_metadata
logging.warning("User.set_metadata is deprecated."
"Please switch to using grouper.user_metadata.set_user_metadata")
set_user_metadata(self.session, self.id, key, value)
def user_command(args, settings, session_factory):
# type: (Namespace, CtlSettings, SessionFactory) -> None
session = session_factory.create_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
"disable_user",
"(Administrative) User disabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error("%s", e)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
AuditLog.log(
session,
user.id,
"enable_user",
"(Administrative) User enabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
logging.info("Setting %s metadata: %s=%s", args.username,
args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
logging.info("Adding public key for user")
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
logging.error("Key already in use")
return
except public_key.PublicKeyParseError:
logging.error("Public key appears to be invalid")
return
AuditLog.log(
session,
user.id,
"add_public_key",
"(Administrative) Added public key: {}".format(
pubkey.fingerprint_sha256),
on_user_id=user.id,
)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session,
username=username,
role_user=args.role_user)
session.commit()
else:
logging.info(
"{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info(
"{}: User already disabled. Doing nothing.".format(
username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
'disable_user',
'(Administrative) User disabled via grouper-ctl',
on_user_id=user.id)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error(e.message)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info(
"{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info(
"{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session,
user,
preserve_membership=args.preserve_membership,
user=user)
else:
enable_user(session,
user,
user,
preserve_membership=args.preserve_membership)
AuditLog.log(session,
user.id,
'enable_user',
'(Administrative) User enabled via grouper-ctl',
on_user_id=user.id)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key,
args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key,
args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session,
user.id,
'add_public_key',
'(Administrative) Added public key: {}'.format(
pubkey.fingerprint),
on_user_id=user.id)
def user_command(args, settings, session_factory):
# type: (Namespace, CtlSettings, SessionFactory) -> None
session = session_factory.create_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
try:
if user.role_user:
disable_role_user(session, user)
else:
disable_user(session, user)
AuditLog.log(
session,
user.id,
"disable_user",
"(Administrative) User disabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
except PluginRejectedDisablingUser as e:
logging.error("%s", e)
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_role_user(
session, user, preserve_membership=args.preserve_membership, user=user
)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
AuditLog.log(
session,
user.id,
"enable_user",
"(Administrative) User enabled via grouper-ctl",
on_user_id=user.id,
)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
logging.info(
"Setting %s metadata: %s=%s", args.username, args.metadata_key, args.metadata_value
)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
logging.info("Adding public key for user")
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
logging.error("Key already in use")
return
except public_key.PublicKeyParseError:
logging.error("Public key appears to be invalid")
return
AuditLog.log(
session,
user.id,
"add_public_key",
"(Administrative) Added public key: {}".format(pubkey.fingerprint_sha256),
on_user_id=user.id,
)
def user_command(args):
session = make_session()
if args.subcommand == "create":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user, creating...".format(username))
user = User.get_or_create(session, username=username, role_user=args.role_user)
session.commit()
else:
logging.info("{}: Already exists. Doing nothing.".format(username))
return
elif args.subcommand == "disable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif not user.enabled:
logging.info("{}: User already disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, disabling...".format(username))
if user.role_user:
disable_service_account(session, user)
else:
disable_user(session, user)
session.commit()
return
elif args.subcommand == "enable":
for username in args.username:
user = User.get(session, name=username)
if not user:
logging.info("{}: No such user. Doing nothing.".format(username))
elif user.enabled:
logging.info("{}: User not disabled. Doing nothing.".format(username))
else:
logging.info("{}: User found, enabling...".format(username))
if user.role_user:
enable_service_account(session, user,
preserve_membership=args.preserve_membership, user=user)
else:
enable_user(session, user, user, preserve_membership=args.preserve_membership)
session.commit()
return
# "add_public_key" and "set_metadata"
user = User.get(session, name=args.username)
if not user:
logging.error("{}: No such user. Doing nothing.".format(args.username))
return
# User must exist at this point.
if args.subcommand == "set_metadata":
print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value)
if args.metadata_value == "":
args.metadata_value = None
set_user_metadata(session, user.id, args.metadata_key, args.metadata_value)
session.commit()
elif args.subcommand == "add_public_key":
print "Adding public key for user..."
try:
pubkey = public_key.add_public_key(session, user, args.public_key)
except public_key.DuplicateKey:
print "Key already in use."
return
except public_key.PublicKeyParseError:
print "Public key appears to be invalid."
return
AuditLog.log(session, user.id, 'add_public_key',
'(Administrative) Added public key: {}'.format(pubkey.fingerprint),
on_user_id=user.id)
