def register_user_with_group(user_name, group_name, email, password,
db_session):
# type: (Str, Str, Str, Str, Session) -> None
"""
Registers the user if missing and associate him to a group specified by name, also created if missing.
:param user_name: name of the user to create (if missing) and to make part of the group (if specified)
:param group_name: name of the group to create (if missing and specified) and to make the user join (if not already)
:param email: email of the user to be created (if missing)
:param password: password of the user to be created (if missing)
:param db_session: database connexion to apply changes
.. warning::
Should be employed only for **special** users/groups in this module as other expected API behaviour
and operations will not be applied (ex: create additional permissions or user-group references).
"""
if not GroupService.by_group_name(group_name, db_session=db_session):
# noinspection PyArgumentList
new_group = models.Group(group_name=group_name)
db_session.add(new_group)
registered_group = GroupService.by_group_name(group_name=group_name,
db_session=db_session)
registered_user = UserService.by_user_name(user_name,
db_session=db_session)
if not registered_user:
# noinspection PyArgumentList
new_user = models.User(user_name=user_name, email=email)
UserService.set_password(new_user, password)
UserService.regenerate_security_code(new_user)
db_session.add(new_user)
if group_name is not None:
registered_user = UserService.by_user_name(user_name,
db_session=db_session)
else:
print_log("User '{}' already exist".format(user_name),
level=logging.DEBUG)
# noinspection PyBroadException
try:
# ensure the reference between user/group exists (user joined the group)
user_group_refs = BaseService.all(models.UserGroup,
db_session=db_session)
user_group_refs_tup = [(ref.group_id, ref.user_id)
for ref in user_group_refs]
if (registered_group.id,
registered_user.id) not in user_group_refs_tup:
# noinspection PyArgumentList
group_entry = models.UserGroup(group_id=registered_group.id,
user_id=registered_user.id)
db_session.add(group_entry)
except Exception: # in case reference already exists, avoid duplicate error
db_session.rollback()
def upgrade():
context = get_context()
session = Session(bind=op.get_bind())
# two following lines avoids double 'DELETE' erroneous call when deleting group due to incorrect checks
# https://stackoverflow.com/questions/28824401
context.connection.engine.dialect.supports_sane_rowcount = False
context.connection.engine.dialect.supports_sane_multi_rowcount = False
if isinstance(context.connection.engine.dialect, PGDialect):
# make sure group exists, then get it
init_anonymous(db_session=session)
anonym_group = GroupService.by_group_name(
constants.get_constant("MAGPIE_ANONYMOUS_GROUP"),
db_session=session)
all_users = BaseService.all(models.User, db_session=session)
all_user_group_refs = BaseService.all(models.UserGroup,
db_session=session)
all_user_group_tups = [(ugr.user_id, ugr.group_id)
for ugr in all_user_group_refs]
for user in all_users:
if (user.id, anonym_group.id) not in all_user_group_tups:
# noinspection PyArgumentList
user_group = models.UserGroup(user_id=user.id,
group_id=anonym_group.id)
session.add(user_group)
session.commit()
def _apply_session(_usr_name=None, _grp_name=None):
"""
Apply operation using db session.
"""
from magpie.api.management.user import user_utils as ut
from magpie.api.management.group import group_utils as gt
res = ResourceService.by_resource_id(resource_id,
db_session=cookies_or_session)
if _usr_name:
usr = UserService.by_user_name(_usr_name,
db_session=cookies_or_session)
if create_perm:
return ut.create_user_resource_permission_response(
usr, res, perm, db_session=cookies_or_session)
else:
return ut.delete_user_resource_permission_response(
usr, res, perm, db_session=cookies_or_session)
if _grp_name:
grp = GroupService.by_group_name(_grp_name,
db_session=cookies_or_session)
if create_perm:
return gt.create_group_resource_permission_response(
grp, res, perm, db_session=cookies_or_session)
else:
return gt.delete_group_resource_permission_response(
grp, res, perm, db_session=cookies_or_session)
def get_all_group_names(db_session):
# type: (Session) -> List[Str]
"""
Get all existing group names from the database.
"""
group_names = ax.evaluate_call(
lambda: [grp.group_name for grp in GroupService.all(models.Group, db_session=db_session)],
httpError=HTTPForbidden, msgOnFail=s.Groups_GET_ForbiddenResponseSchema.description)
return group_names
def get_grp_res_perm(grp, db, res_ids, res_types):
res_perms_tup = GroupService.resources_with_possible_perms(
grp, resource_ids=res_ids, resource_types=res_types, db_session=db)
res_perms_dict = {}
for res_perm in res_perms_tup:
if res_perm.resource.resource_id not in res_perms_dict:
res_perms_dict[res_perm.resource.resource_id] = [res_perm.perm_name]
else:
res_perms_dict[res_perm.resource.resource_id].append(res_perm.perm_name)
return res_perms_dict
def init_admin(db_session, settings=None):
# type: (Session, Optional[AnySettingsContainer]) -> None
"""
Registers in db the user and group matching ``MAGPIE_ADMIN_USER`` and ``MAGPIE_ADMIN_GROUP`` respectively if not
defined.
Also associates the created admin user with the admin group and give it admin permissions.
"""
admin_usr_name = get_constant("MAGPIE_ADMIN_USER",
settings_container=settings)
admin_grp_name = get_constant("MAGPIE_ADMIN_GROUP",
settings_container=settings)
if not (UserService.by_user_name(admin_usr_name, db_session=db_session) and
GroupService.by_group_name(admin_grp_name, db_session=db_session)):
register_user_with_group(
user_name=admin_usr_name,
group_name=admin_grp_name,
email=get_constant("MAGPIE_ADMIN_EMAIL",
settings_container=settings),
password=get_constant("MAGPIE_ADMIN_PASSWORD",
settings_container=settings),
db_session=db_session)
# Check if MAGPIE_ADMIN_GROUP has permission MAGPIE_ADMIN_PERMISSION
magpie_admin_group = GroupService.by_group_name(admin_grp_name,
db_session=db_session)
permission_names = [
permission.perm_name for permission in magpie_admin_group.permissions
]
admin_perm = get_constant("MAGPIE_ADMIN_PERMISSION",
settings_container=settings)
if admin_perm not in permission_names:
# noinspection PyArgumentList
new_group_permission = models.GroupPermission(
perm_name=admin_perm, group_id=magpie_admin_group.id)
try:
db_session.add(new_group_permission)
except Exception as e:
db_session.rollback()
raise_log("Failed to create admin user-group permission",
exception=type(e))
def add_service_getcapabilities_perms(service, db_session, group_name=None):
if service.type in SERVICES_PHOENIX_ALLOWED and \
Permission.GET_CAPABILITIES in SERVICE_TYPE_DICT[service.type].permissions:
if group_name is None:
group_name = get_constant('MAGPIE_ANONYMOUS_USER')
group = GroupService.by_group_name(group_name, db_session=db_session)
perm = ResourceService.perm_by_group_and_perm_name(
service.resource_id, group.id, Permission.GET_CAPABILITIES.value,
db_session)
if perm is None: # not set, create it
create_group_resource_permission_response(
group, service, Permission.GET_CAPABILITIES, db_session)
def _get_group(grp_name):
# type: (Str) -> models.Group
grp = ax.evaluate_call(
lambda: GroupService.by_group_name(grp_name, db_session=db_session
),
httpError=HTTPForbidden,
msgOnFail=s.UserGroup_GET_ForbiddenResponseSchema.description)
ax.verify_param(
grp,
notNone=True,
httpError=HTTPBadRequest,
msgOnFail=s.UserGroup_Check_BadRequestResponseSchema.description)
return grp
def init_users_group(db_session, settings=None):
# type: (Session, Optional[AnySettingsContainer]) -> None
"""
Registers in db the group matching ``MAGPIE_USERS_GROUP`` if not defined.
"""
usr_grp_name = get_constant("MAGPIE_USERS_GROUP",
settings_container=settings)
if not GroupService.by_group_name(usr_grp_name, db_session=db_session):
# noinspection PyArgumentList
user_group = models.Group(group_name=usr_grp_name)
db_session.add(user_group)
else:
print_log("MAGPIE_USERS_GROUP already initialized",
level=logging.DEBUG)
def assign_user_group_view(request):
"""
Assign a user to a group.
"""
user = ar.get_user_matchdict_checked_or_logged(request)
group_name = ar.get_value_multiformat_post_checked(request, "group_name")
group = ax.evaluate_call(
lambda: GroupService.by_group_name(group_name, db_session=request.db),
fallback=lambda: request.db.rollback(),
httpError=HTTPForbidden,
msgOnFail=s.UserGroups_POST_ForbiddenResponseSchema.description)
ax.verify_param(
group,
notNone=True,
httpError=HTTPNotFound,
msgOnFail=s.UserGroups_POST_GroupNotFoundResponseSchema.description)
ax.verify_param(
user.id,
paramCompare=[usr.id for usr in group.users],
notIn=True,
httpError=HTTPConflict,
content={
u"user_name": user.user_name,
u"group_name": group.group_name
},
msgOnFail=s.UserGroups_POST_ConflictResponseSchema.description)
# noinspection PyArgumentList
ax.evaluate_call(
lambda: request.db.add(
models.UserGroup(group_id=group.id, user_id=user.id)),
fallback=lambda: request.db.rollback(),
httpError=HTTPForbidden,
msgOnFail=s.UserGroups_POST_RelationshipForbiddenResponseSchema.
description,
content={
u"user_name": user.user_name,
u"group_name": group.group_name
})
return ax.valid_http(
httpSuccess=HTTPCreated,
detail=s.UserGroups_POST_CreatedResponseSchema.description,
content={
u"user_name": user.user_name,
u"group_name": group.group_name
})
def create_group(group_name, db_session):
# type: (Str, Session) -> HTTPException
"""
Creates a group if it is permitted and not conflicting.
:returns: valid HTTP response on successful operations.
:raises HTTPException: error HTTP response of corresponding situation.
"""
group = GroupService.by_group_name(group_name, db_session=db_session)
group_content_error = {u"group_name": str(group_name)}
ax.verify_param(group, isNone=True, httpError=HTTPConflict, withParam=False,
msgOnFail=s.Groups_POST_ConflictResponseSchema.description, content=group_content_error)
# noinspection PyArgumentList
new_group = ax.evaluate_call(lambda: models.Group(group_name=group_name), fallback=lambda: db_session.rollback(),
httpError=HTTPForbidden, content=group_content_error,
msgOnFail=s.Groups_POST_ForbiddenCreateResponseSchema.description)
ax.evaluate_call(lambda: db_session.add(new_group), fallback=lambda: db_session.rollback(),
httpError=HTTPForbidden, content=group_content_error,
msgOnFail=s.Groups_POST_ForbiddenAddResponseSchema.description)
return ax.valid_http(httpSuccess=HTTPCreated, detail=s.Groups_POST_CreatedResponseSchema.description,
content={u"group": format_group(new_group, basic_info=True)})
def upgrade():
context = get_context()
session = Session(bind=op.get_bind())
# two following lines avoids double 'DELETE' erroneous call when deleting group due to incorrect checks
# https://stackoverflow.com/questions/28824401
context.connection.engine.dialect.supports_sane_rowcount = False
context.connection.engine.dialect.supports_sane_multi_rowcount = False
if isinstance(context.connection.engine.dialect, PGDialect):
all_groups = session.query(models.Group)
all_user_group_refs = BaseService.all(models.UserGroup,
db_session=session)
map_groups = {
OLD_GROUP_ADMIN: NEW_GROUP_ADMIN,
OLD_GROUP_USERS: NEW_GROUP_USERS
}
for group in all_groups:
if group.group_name in map_groups.keys():
new_group_name = map_groups[group.group_name]
new_group = GroupService.by_group_name(new_group_name,
db_session=session)
# create new group if missing
if not new_group:
# noinspection PyArgumentList
new_group = models.Group(group_name=new_group_name)
session.add(new_group)
new_group = GroupService.by_group_name(new_group_name,
db_session=session)
old_group_perms = GroupService.resources_with_possible_perms(
group, db_session=session)
new_group_perms = GroupService.resources_with_possible_perms(
new_group, db_session=session)
diff_group_perms = set(old_group_perms) - set(new_group_perms)
for perm in diff_group_perms:
perm.group = new_group
session.add(perm)
for perm in old_group_perms:
session.delete(perm)
old_group_users = [user.user_name for user in group.users]
new_group_users = [user.user_name for user in new_group.users]
diff_group_users = set(old_group_users) - set(new_group_users)
for user_name in diff_group_users:
user = UserService.by_user_name(user_name=user_name,
db_session=session)
# noinspection PyArgumentList
user_group = models.UserGroup(group_id=new_group.id,
user_id=user.id)
session.add(user_group)
session.delete(group)
for user_group in all_user_group_refs:
if user_group.group_id == group.id:
session.delete(user_group)
session.commit()