def set_group_owner(self, owner_id, group_id): """ This method will simply set up the Entity L{owner_id} as a C{Group-owner} of group L{group_id}. @type db: Cerebrum.Database.Database @param db: A Cerebrum database object. @type owner_id: int @param owner_id: The C{entity_id} of the owner object. @type group_id: int @param group_id: The C{group_id} of a group object. """ ar = BofhdAuthRole(self.db) aos = BofhdAuthOpSet(self.db) aot = BofhdAuthOpTarget(self.db) # Find or create group operation target try: aot.find( aot.list(entity_id=group_id, target_type=self.co.auth_target_type_group)[0] ['op_target_id']) except IndexError: aot.populate(group_id, self.co.auth_target_type_group) aot.write_db() # Find the 'Group-owner' OpSet to get its entity_id aos.find_by_name('Group-owner') if not len(ar.list(owner_id, aos.op_set_id, aot.op_target_id)): ar.grant_auth(owner_id, aos.op_set_id, aot.op_target_id) return True return False
def set_group_owner(self, owner_id, group_id): """ This method will simply set up the Entity L{owner_id} as a C{Group-owner} of group L{group_id}. @type db: Cerebrum.Database.Database @param db: A Cerebrum database object. @type owner_id: int @param owner_id: The C{entity_id} of the owner object. @type group_id: int @param group_id: The C{group_id} of a group object. """ ar = BofhdAuthRole(self.db) aos = BofhdAuthOpSet(self.db) aot = BofhdAuthOpTarget(self.db) # Find or create group operation target try: aot.find(aot.list(entity_id=group_id, target_type=self.co.auth_target_type_group )[0]['op_target_id']) except IndexError: aot.populate(group_id, self.co.auth_target_type_group) aot.write_db() # Find the 'Group-owner' OpSet to get its entity_id aos.find_by_name('Group-owner') if not len(ar.list(owner_id, aos.op_set_id, aot.op_target_id)): ar.grant_auth(owner_id, aos.op_set_id, aot.op_target_id) return True return False
def write_db(self): """Write PosixUser instance to database, in addition to the personal file group. As long as L{gid_id} is not set, it gets set to the account's personal file group instead. """ if not self.gid_id: # Create the PosixGroup first, to get its entity_id # TODO: Should we handle that self.pg could not be populated when # we're here? When could gid_id be none without running populate? self.pg.write_db() # We'll need to set this here, as the groups entity_id is # created when we write to the DB. self.gid_id = self.pg.entity_id ret = self.__super.write_db() # Become a member of the group: if not hasattr(self.pg, "entity_id"): self.pg.find(self.gid_id) if not self.pg.has_member(self.entity_id): self.pg.add_member(self.entity_id) # If the dfg is not a personal group we are done now: # TODO: check trait_personal_dfg instead or in addition? if self.account_name != self.pg.group_name: return ret # Set the personal file group trait if not self.pg.get_trait(self.const.trait_personal_dfg): self.pg.populate_trait(self.const.trait_personal_dfg, target_id=self.entity_id) self.pg.write_db() # Register the posixuser as owner of the group, if not already set op_target = BofhdAuthOpTarget(self._db) if not op_target.list(entity_id=self.pg.entity_id, target_type="group"): op_target.populate(self.pg.entity_id, "group") op_target.write_db() op_set = BofhdAuthOpSet(self._db) op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR) role = BofhdAuthRole(self._db) role.grant_auth(self.entity_id, op_set.op_set_id, op_target.op_target_id) # Syncronizing the groups spreads with the users mapping = { int(self.const.spread_uio_nis_user): int(self.const.spread_uio_nis_fg), int(self.const.spread_uio_ad_account): int(self.const.spread_uio_ad_group), int(self.const.spread_ifi_nis_user): int(self.const.spread_ifi_nis_fg), } user_spreads = [int(r["spread"]) for r in self.get_spread()] group_spreads = [int(r["spread"]) for r in self.pg.get_spread()] for uspr, gspr in mapping.iteritems(): if uspr in user_spreads: if gspr not in group_spreads: self.pg.add_spread(gspr) elif gspr in group_spreads: self.pg.delete_spread(gspr) return ret
def _group_make_owner(self, owner, target): op_set = BofhdAuthOpSet(self.db) op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR) op_target = BofhdAuthOpTarget(self.db) op_target.populate(target.entity_id, 'group') op_target.write_db() role = BofhdAuthRole(self.db) role.grant_auth(owner.entity_id, op_set.op_set_id, op_target.op_target_id)
def _set_owner_of_group(self, group): op_target = BofhdAuthOpTarget(self._db) if not op_target.list(entity_id=group.entity_id, target_type='group'): op_target.populate(group.entity_id, 'group') op_target.write_db() op_set = BofhdAuthOpSet(self._db) op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR) role = BofhdAuthRole(self._db) role.grant_auth(self.entity_id, op_set.op_set_id, op_target.op_target_id)
def _grant_auth(self, entity_id, opset, target_id, target_type, attr, entity_name, target_name): op_target_id = self._get_auth_op_target(target_id, target_type, attr, create=True) ar = BofhdAuthRole(self.db) rows = ar.list(entity_id, opset.op_set_id, op_target_id) if len(rows) == 0: ar.grant_auth(entity_id, opset.op_set_id, op_target_id) return "OK, granted %s access %s to %s %s" % ( entity_name, opset.name, six.text_type(target_type), target_name) return "%s already has %s access to %s %s" % ( entity_name, opset.name, six.text_type(target_type), target_name)
def grant_group_auth(self, account, opset_name, group): """ Grants L{entity_id} access type L{opset_name} over group L{group_id}. This can be used to give admin and moderator access to groups. @type account: self.account_class @param account: The account that should be granted access @type opset_name: str @param opset_name: The name of the operation set (type of access) @type group: self.group_class @param group: The group that L{account} should be given access to @rtype: bool @return: True if access was granted, False if access already exists """ assert opset_name in GROUP_AUTH_OPSETS assert hasattr(account, 'entity_id') assert hasattr(group, 'entity_id') ar = BofhdAuthRole(self.db) aos = BofhdAuthOpSet(self.db) aot = self.find_or_create_op_target(group.entity_id, self.co.auth_target_type_group) aos.find_by_name(opset_name) assert account.np_type in (self.co.fedaccount_type, self.co.account_program) assert hasattr(aot, 'op_target_id') # Must be populated roles = list(ar.list(account.entity_id, aos.op_set_id, aot.op_target_id)) if len(roles) == 0: ar.grant_auth(account.entity_id, aos.op_set_id, aot.op_target_id) return True # Access granted return False # Already had access
def grant_auth(en, gr, opset): """Grant authorization to a group. :type en: <Cerebrum.Entity.Entity> :param en: The entity to grant auth to. :type gr: <Cerebrum.Group.Group> :param gr: The group to grant auth on. :type opset: str :param opset: The OpSet to be granted.""" # TODO: ._db? 'group' to op_target.populate ok? should be derived from # gr, but that means we'll need to do Factory.get in here... :( # TODO: Can this be generalized and moved to utils?? from Cerebrum.modules.bofhd.auth import BofhdAuthOpSet, \ BofhdAuthOpTarget, BofhdAuthRole op_set = BofhdAuthOpSet(en._db) op_set.find_by_name(opset) op_target = BofhdAuthOpTarget(en._db) op_target.populate(gr.entity_id, 'group') op_target.write_db() role = BofhdAuthRole(en._db) role.grant_auth(en.entity_id, op_set.op_set_id, op_target.op_target_id)
def write_db(self): """Write PosixUser instance to database, in addition to the personal file group. As long as L{gid_id} is not set, it gets set to the account's personal file group instead. """ if not self.gid_id: # Create the PosixGroup first, to get its entity_id # TODO: Should we handle that self.pg could not be populated when # we're here? When could gid_id be none without running populate? self.pg.write_db() # We'll need to set this here, as the groups entity_id is # created when we write to the DB. self.gid_id = self.pg.entity_id ret = self.__super.write_db() # Become a member of the group: if not hasattr(self.pg, 'entity_id'): self.pg.find(self.gid_id) if not self.pg.has_member(self.entity_id): self.pg.add_member(self.entity_id) # If the dfg is not a personal group we are done now: # TODO: check trait_personal_dfg instead or in addition? if self.account_name != self.pg.group_name: return ret # Set the personal file group trait if not self.pg.get_trait(self.const.trait_personal_dfg): self.pg.populate_trait(self.const.trait_personal_dfg, target_id=self.entity_id) self.pg.write_db() # Register the posixuser as owner of the group, if not already set op_target = BofhdAuthOpTarget(self._db) if not op_target.list(entity_id=self.pg.entity_id, target_type='group'): op_target.populate(self.pg.entity_id, 'group') op_target.write_db() op_set = BofhdAuthOpSet(self._db) op_set.find_by_name(cereconf.BOFHD_AUTH_GROUPMODERATOR) role = BofhdAuthRole(self._db) role.grant_auth(self.entity_id, op_set.op_set_id, op_target.op_target_id) # Syncronizing the groups spreads with the users mapping = { int(self.const.spread_uio_nis_user): int(self.const.spread_uio_nis_fg), int(self.const.spread_uio_ad_account): int(self.const.spread_uio_ad_group), int(self.const.spread_ifi_nis_user): int(self.const.spread_ifi_nis_fg) } user_spreads = [int(r['spread']) for r in self.get_spread()] group_spreads = [int(r['spread']) for r in self.pg.get_spread()] for uspr, gspr in mapping.iteritems(): if uspr in user_spreads: if gspr not in group_spreads: self.pg.add_spread(gspr) elif gspr in group_spreads: self.pg.delete_spread(gspr) return ret