def delete_perm(db_session, permission: str, requester):
"""
Removes a permission from the system
:param db_session: The postgres session to be used.
:param permission: String The permission to be removed (name or ID).
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username".
:return:
:raises HTTPRequestError: Can't delete a system permission.
"""
try:
perm = Permission.get_by_name_or_id(permission)
if perm.type == PermissionTypeEnum.api:
db_session.execute(
UserPermission.__table__.delete(
UserPermission.permission_id == perm.id))
db_session.execute(
GroupPermission.__table__.delete(
GroupPermission.permission_id == perm.id))
cache.delete_key(action=perm.method, resource=perm.path)
LOGGER.info(
f"permission {perm.name} deleted by {requester['username']}")
LOGGER.info(perm.safe_dict())
db_session.delete(perm)
db_session.commit()
MVUserPermission.refresh()
MVGroupPermission.refresh()
else:
raise HTTPRequestError(405, "Can't delete a system permission")
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID or name")
def delete_user(db_session, username: str, requester):
"""
Deletes an user from the system
:param db_session: The postgres session to be used
:param username: String The user to be removed
:param requester: Who is creating this user. This is a dictionary with two keys:
"userid" and "username"
:return: The removed user
:raises HTTPRequestError: If the user tries to remove itself.
:raises HTTPRequestError: Can't delete the admin user.
:raises HTTPRequestError: If the user is not in the database.
"""
try:
user = User.get_by_name_or_id(username)
if user.id == requester['userid']:
raise HTTPRequestError(400, "a user can't remove himself")
elif user.username == 'admin':
raise HTTPRequestError(405, "Can't delete the admin user")
db_session.execute(
UserPermission.__table__.delete(UserPermission.user_id == user.id))
db_session.execute(
UserGroup.__table__.delete(UserGroup.user_id == user.id))
cache.delete_key(userid=user.id)
# The user is not hardDeleted.
# it should be copied to inactiveUser table
inactiveTables.PasswdInactive.createInactiveFromUser(
db_session,
user,
)
inactiveTables.UserInactive.createInactiveFromUser(
db_session, user, requester['userid'])
password.expire_password_reset_requests(db_session, user.id)
db_session.delete(user)
LOGGER.info(f"user {user.username} deleted by {requester['username']}")
LOGGER.info(user.safe_dict())
kongUtils.remove_from_kong(user.username)
MVUserPermission.refresh()
MVGroupPermission.refresh()
db_session.commit()
if count_tenant_users(db_session, user.service) == 0:
LOGGER.info(
f"will emit tenant lifecycle event {user.service} - DELETE")
Publisher.send_notification({
"type": 'DELETE',
'tenant': user.service
})
return user
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No user found with this ID")
def deletePermission(permid):
try:
requester = auth.getJwtPayload(request.headers.get('Authorization'))
crud.getPerm(db.session, permid)
crud.deletePerm(db.session, permid, requester)
db.session.commit()
MVUserPermission.refresh()
MVGroupPermission.refresh()
return formatResponse(200)
except HTTPRequestError as err:
return formatResponse(err.errorCode, err.message)
def removeUser(user):
try:
requester = auth.getJwtPayload(request.headers.get('Authorization'))
oldUsername = crud.getUser(db.session, user).username
crud.deleteUser(db.session, user, requester)
kong.removeFromKong(oldUsername)
MVUserPermission.refresh()
MVGroupPermission.refresh()
db.session.commit()
return formatResponse(200, "User removed")
except HTTPRequestError as err:
return formatResponse(err.errorCode, err.message)
def addUserPermission(user, permission):
try:
requester = auth.getJwtPayload(request.headers.get('Authorization'))
if request.method == 'POST':
rship.addUserPermission(db.session, user, permission, requester)
else:
rship.removeUserPermission(db.session, user,
permission, requester)
MVUserPermission.refresh()
db.session.commit()
return formatResponse(200)
except HTTPRequestError as err:
return formatResponse(err.errorCode, err.message)
def populate():
print("Creating initial user and permission for test...")
try:
create_users()
create_groups()
add_permissions_group()
add_user_groups()
except sqlalchemy_exceptions.DBAPIError as err:
print("Could not connect to the database.")
print(err)
exit(-1)
# refresh views
MVUserPermission.refresh()
MVGroupPermission.refresh()
db.session.commit()
print("Success")
def populate():
print("Creating initial user and permission...")
try:
createUsers()
createGroups()
createPermissions()
addPermissionsGroup()
addUserGroups()
except sqlalchemy.exc.DBAPIError as e:
print("Could not connect to the database.")
print(e)
exit(-1)
# refresh views
MVUserPermission.refresh()
MVGroupPermission.refresh()
db.session.commit()
print("Success")
def remove_user(user):
try:
requester = auth.get_jwt_payload(request.headers.get('Authorization'))
old_username = crud.get_user(db.session, user).username
old_user = crud.delete_user(db.session, user, requester)
kong.remove_from_kong(old_username)
MVUserPermission.refresh()
MVGroupPermission.refresh()
db.session.commit()
if crud.count_tenant_users(db.session, old_user.service) == 0:
log().info("will emit tenant lifecycle event {} - DELETE".format(
old_user.service))
send_notification({"type": 'DELETE', 'tenant': old_user.service})
return format_response(200, "User removed")
except HTTPRequestError as err:
return format_response(err.errorCode, err.message)
def remove_user_permission(db_session, user, permission, requester):
try:
user = User.get_by_name_or_id(user)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No user found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
try:
relation = db_session.query(UserPermission) \
.filter_by(user_id=user.id, permission_id=perm.id).one()
db_session.delete(relation)
cache.delete_key(userid=user.id,
action=perm.method,
resource=perm.path)
log().info(f"permission {perm.name} for user {user.username} was revoked by {requester['username']}")
MVUserPermission.refresh()
db_session.commit()
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "User does not have this permission")
def add_user_permission(db_session, user, permission, requester):
try:
user = User.get_by_name_or_id(user)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No user found with this ID or name")
try:
perm = Permission.get_by_name_or_id(permission)
except orm_exceptions.NoResultFound:
raise HTTPRequestError(404, "No permission found with this ID")
if db_session.query(UserPermission) \
.filter_by(user_id=user.id, permission_id=perm.id).one_or_none():
raise HTTPRequestError(409, "User already have this permission")
r = UserPermission(user_id=user.id, permission_id=perm.id)
db_session.add(r)
cache.delete_key(userid=user.id, action=perm.method, resource=perm.path)
MVUserPermission.refresh()
db_session.commit()
log().info(
f"user {user.username} received permission {perm.name} by {requester['username']}"
)
