async def can_move_back_to_pending(current_user, request, groups):
# Don't allow returning requests to pending state if more than a day has passed since the last update
if request.get("last_updated", 0) < int(time.time()) - 86400:
return False
# Allow admins to return requests back to pending state
if can_admin_all(current_user, groups):
return True
return False
async def can_approve_reject_request(user, secondary_approvers, groups):
# Allow admins to approve and reject all requests
if can_admin_all(user, groups):
return True
if secondary_approvers:
for g in secondary_approvers:
if g in groups or g == user:
return True
return False
async def can_cancel_request(current_user, requesting_user, groups):
# Allow the requesting user to cancel their own request
if current_user == requesting_user:
return True
# Allow admins to cancel requests
if can_admin_all(current_user, groups):
return True
# Allow restricted admins to cancel requests
for g in config.get("groups.can_admin_restricted"):
if g in groups:
return True
return False
async def post(self):
log_data = {
"function":
f"{__name__}.{self.__class__.__name__}.{sys._getframe().f_code.co_name}",
"user": self.user,
"message": "Create/Update User",
"user-agent": self.request.headers.get("User-Agent"),
"request_id": self.request_uuid,
"ip": self.ip,
}
generic_error_message = "Unable to create/update user"
log.debug(log_data)
# Checks authz levels of current user
if not can_admin_all(self.user, self.groups):
errors = ["User is not authorized to access this endpoint."]
await handle_generic_error_response(self, generic_error_message,
errors, 403, "unauthorized",
log_data)
return
request = UserManagementModel.parse_raw(self.request.body)
log_data["requested_user"] = request.username
if request.user_management_action.value == "create":
log.debug({
**log_data,
"message": "Creating user",
"requested_user": request.username,
"requested_groups": request.groups,
})
# Fails if password is not strong enough.
password_strength_errors = await check_password_strength(
request.password)
if password_strength_errors:
await handle_generic_error_response(
self,
password_strength_errors["message"],
password_strength_errors["errors"],
403,
"weak_password",
log_data,
)
return
self.ddb.create_user(
request.username,
request.password,
request.groups,
)
res = WebResponse(
status="success",
status_code=200,
message=f"Successfully created user {request.username}.",
)
self.write(res.json())
return
elif request.user_management_action.value == "update":
log.debug({
**log_data,
"message": "Updating user",
"requested_user": request.username,
"requested_groups": request.groups,
})
if request.password:
# Fails if password is not strong enough.
password_strength_errors = await check_password_strength(
request.password)
if password_strength_errors:
await handle_generic_error_response(
self,
password_strength_errors["message"],
password_strength_errors["errors"],
403,
"weak_password",
log_data,
)
return
self.ddb.update_user(
request.username,
request.password,
request.groups,
)
res = WebResponse(
status="success",
status_code=200,
message=f"Successfully updated user {request.username}.",
)
self.write(res.json())
return
elif request.user_management_action.value == "delete":
log.debug({
**log_data,
"message": "Deleting user",
"requested_user": request.username,
})
self.ddb.delete_user(request.username, )
res = WebResponse(
status="success",
status_code=200,
message=f"Successfully deleted user {request.username}.",
)
self.write(res.json())
return
else:
errors = ["Change type is not supported by this endpoint."]
await handle_generic_error_response(self, generic_error_message,
errors, 403, "invalid_request",
log_data)
return