예제 #1
    def set_group_owner(self, owner_id, group_id):
        """ Grant the entity L{owner_id} the C{Group-owner} operation set on
        the group L{group_id}.

        The group's operation target is looked up through C{self.db}, and
        created if the group has none yet. The role is only granted when an
        identical role is not already registered.

        This method performs no permission check of its own; whether the
        operator is allowed to appoint owners has to be decided by the caller.

        @type owner_id: int
        @param owner_id: The C{entity_id} of the owner object.

        @type group_id: int
        @param group_id: The C{group_id} of a group object.

        @rtype: bool
        @return: True if a new role was granted, False if the owner already
            held the role.
        """
        role = BofhdAuthRole(self.db)
        op_set = BofhdAuthOpSet(self.db)
        op_target = BofhdAuthOpTarget(self.db)

        # Reuse the group's existing operation target, or register a new one.
        try:
            matches = op_target.list(
                entity_id=group_id,
                target_type=self.co.auth_target_type_group)
            # Indexing an empty result raises IndexError, which selects the
            # create branch below.
            op_target.find(matches[0]['op_target_id'])
        except IndexError:
            # NOTE(review): lookup and insert are separate steps; two
            # concurrent callers could presumably both create a target --
            # confirm whether the schema prevents duplicates.
            op_target.populate(group_id, self.co.auth_target_type_group)
            op_target.write_db()

        # Load the 'Group-owner' OpSet so that its op_set_id is available.
        op_set.find_by_name('Group-owner')

        already_granted = role.list(owner_id, op_set.op_set_id,
                                    op_target.op_target_id)
        if len(already_granted) != 0:
            return False

        role.grant_auth(owner_id, op_set.op_set_id, op_target.op_target_id)
        return True
예제 #2
    def set_group_owner(self, owner_id, group_id):
        """ Register the entity L{owner_id} as C{Group-owner} of the group
        L{group_id}.

        An operation target for the group is found, or created when none
        exists, using C{self.db}. A role is granted only if the same
        (owner, op-set, target) combination is not already present.

        No authorization check is made here; the caller is responsible for
        verifying that the operator may assign group owners.

        @type owner_id: int
        @param owner_id: The C{entity_id} of the owner object.

        @type group_id: int
        @param group_id: The C{group_id} of a group object.

        @rtype: bool
        @return: True when the role was newly granted, False when it already
            existed.
        """
        auth_role = BofhdAuthRole(self.db)
        auth_op_set = BofhdAuthOpSet(self.db)
        auth_target = BofhdAuthOpTarget(self.db)

        # Find or create the group operation target. An empty lookup result
        # surfaces as IndexError on the [0] access.
        try:
            found = auth_target.list(
                entity_id=group_id,
                target_type=self.co.auth_target_type_group)
            auth_target.find(found[0]['op_target_id'])
        except IndexError:
            # NOTE(review): find-then-create is not atomic as written;
            # confirm that duplicate targets cannot arise under concurrency.
            auth_target.populate(group_id, self.co.auth_target_type_group)
            auth_target.write_db()

        # The 'Group-owner' OpSet is looked up by name to obtain its
        # op_set_id.
        auth_op_set.find_by_name('Group-owner')

        current = auth_role.list(owner_id, auth_op_set.op_set_id,
                                 auth_target.op_target_id)
        if len(current) == 0:
            auth_role.grant_auth(owner_id, auth_op_set.op_set_id,
                                 auth_target.op_target_id)
            return True
        return False
예제 #3
파일: Subnet.py 프로젝트: chrnux/cerebrum
    def delete(self, perform_checks=True):
        """Delete this subnet together with the auth data that points to it.

        Steps, in order: revoke every BofhdAuthRole that references one of
        the subnet's operation targets, delete those operation targets, log
        the change, remove the dns_subnet row (only when the object is
        flagged as being in the database) and finally call the parent
        class' delete().

        NOTE(review): the role revocations and each target deletion are
        committed as they happen, before the subnet row itself is removed.
        A failure later in this method would presumably leave the subnet in
        place with its authorization data already gone -- confirm that this
        is intended.

        :param perform_checks: when true, refuse to delete a subnet that
            still has addresses in use.
        :raises SubnetError: if perform_checks is true and the subnet has
            addresses in use.
        """
        if perform_checks and self.has_adresses_in_use():
            raise SubnetError(
                "Subnet '%s/%s' cannot be deleted; it has addresses in use" %
                (self.subnet_ip, self.subnet_mask))

        # Revoke BofhdAuthRoles associated with subnet
        auth_target = BofhdAuthOpTarget(self._db)
        auth_role = BofhdAuthRole(self._db)
        target_ids = [row['op_target_id']
                      for row in auth_target.list(entity_id=self.entity_id)]
        if target_ids:
            for target_id in target_ids:
                for role_row in auth_role.list(op_target_id=target_id):
                    auth_role.revoke_auth(*role_row)
            # Only reached when the subnet had at least one target.
            auth_role.commit()

        # Remove BofhdAuthOpTarget associated with subnet
        for target_id in target_ids:
            auth_target.clear()
            try:
                auth_target.find(target_id)
                auth_target.delete()
                auth_target.commit()
            except NotFoundError:
                # Best effort: a target that can no longer be found is
                # skipped.
                pass

        self._db.log_change(self.entity_id, self.const.subnet_delete, None)
        if self.__in_db:
            self.execute("""
            DELETE FROM [:table schema=cerebrum name=dns_subnet]
            WHERE entity_id=:e_id""", {'e_id': self.entity_id})
        self.__super.delete()
예제 #4
def remove_target_permissions(entity_id, db):
    """Revoke every permission (group owner/moderator) HELD BY entity_id.

    After each revocation the operation target is deleted as well if no
    other auth role references it any more. No commit is issued here.

    FIXME: what if entity_id is a group owner? If we yank it, the group
    remains ownerless.

    Cf bofhd_virthome_cmds.py:__remove_auth_role.
    """
    role = BofhdAuthRole(db)
    op_target = BofhdAuthOpTarget(db)
    for granted in role.list(entity_id):
        op_set_id = granted['op_set_id']
        op_target_id = granted['op_target_id']
        role.revoke_auth(entity_id, op_set_id, op_target_id)

        # Keep the target while any other auth_role row still points at it.
        if len(role.list(op_target_id=op_target_id)) != 0:
            continue

        # That was the last reference: drop the orphaned target too.
        op_target.clear()
        op_target.find(op_target_id)
        op_target.delete()
예제 #5
파일: reaper.py 프로젝트: unioslo/cerebrum
def remove_target_permissions(entity_id, db):
    """Remove all permissions (group owner/moderator) GIVEN TO entity_id.

    Each auth role held by entity_id is revoked. When a revocation leaves
    an operation target without any remaining auth role, that target is
    deleted too. This function does not commit.

    FIXME: what if entity_id is a group owner? If we yank it, the group
    remains ownerless.

    Cf bofhd_virthome_cmds.py:__remove_auth_role.
    """
    auth_role = BofhdAuthRole(db)
    auth_target = BofhdAuthOpTarget(db)
    for row in auth_role.list(entity_id):
        set_id = row['op_set_id']
        target_id = row['op_target_id']
        auth_role.revoke_auth(entity_id, set_id, target_id)

        # Was this the last auth_role reference to the target?
        other_refs = auth_role.list(op_target_id=target_id)
        if len(other_refs) == 0:
            auth_target.clear()
            auth_target.find(target_id)
            auth_target.delete()
예제 #6
def remove_permissions_on_target(entity_id, db):
    """Remove all permissions GRANTED ON entity_id.

    remove_target_permissions() removes permissions held by entity_id. This
    function removes permissions held by others on entity_id: for every
    operation target pointing at entity_id, all auth roles referencing the
    target are revoked and the target is then deleted. No commit is issued
    here.

    Cf bofhd_virthome_cmds.py:__remove_auth_target.
    """
    role = BofhdAuthRole(db)
    op_target = BofhdAuthOpTarget(db)
    for target_row in op_target.list(entity_id=entity_id):
        op_target.clear()
        op_target.find(target_row['op_target_id'])

        # Roles must go before the target they reference is deleted.
        for holder in role.list(op_target_id=target_row["op_target_id"]):
            role.revoke_auth(
                holder['entity_id'],
                holder['op_set_id'],
                target_row['op_target_id'])

        op_target.delete()
예제 #7
파일: reaper.py 프로젝트: unioslo/cerebrum
def remove_permissions_on_target(entity_id, db):
    """Remove all permissions GRANTED ON entity_id.

    Counterpart of remove_target_permissions(), which removes permissions
    held by entity_id; this function removes permissions that others hold
    on entity_id. Every operation target for entity_id has its auth roles
    revoked and is then deleted. This function does not commit.

    Cf bofhd_virthome_cmds.py:__remove_auth_target.
    """
    auth_role = BofhdAuthRole(db)
    auth_target = BofhdAuthOpTarget(db)
    for found in auth_target.list(entity_id=entity_id):
        auth_target.clear()
        auth_target.find(found['op_target_id'])

        # All auth_role entries pointing at this target are removed first,
        # then the target itself.
        for grant in auth_role.list(op_target_id=found["op_target_id"]):
            auth_role.revoke_auth(grant['entity_id'], grant['op_set_id'],
                                  found['op_target_id'])

        auth_target.delete()
예제 #8
파일: base.py 프로젝트: unioslo/cerebrum
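    def find_or_create_op_target(self, entity_id, target_type):
        """ Finds an op-target of type L{target_type} that points to
        L{entity_id}. If no targets exist, one will be created.

        @param entity_id: The entity the op-target points to.
        @param target_type: The type of op-target to look for.

        @return: A BofhdAuthOpTarget bound to the found or newly written
            target.

        @raise AssertionError: If more than one matching target exists, or
            if the single matching target has a non-None C{attr}.
        """
        aot = BofhdAuthOpTarget(self.db)

        op_targets = list(aot.list(entity_id=entity_id,
                                   target_type=target_type))

        # No target exists, create one
        if not op_targets:
            aot.populate(entity_id, target_type)
            aot.write_db()
            return aot

        # These invariants decide which authorization target roles get
        # attached to, so they are raised explicitly: an assert statement is
        # stripped when Python runs with -O, which would silently return the
        # first row. The exception type is kept as AssertionError.
        if len(op_targets) != 1:
            # This method will never create more than one
            raise AssertionError(
                "expected exactly one op-target of type %r for entity %r, "
                "found %d" % (target_type, entity_id, len(op_targets)))
        if op_targets[0]['attr'] is not None:
            # ... and never populates attr
            raise AssertionError(
                "op-target of type %r for entity %r has attr set" %
                (target_type, entity_id))

        # Target exists, return it
        aot.find(op_targets[0]['op_target_id'])
        return aot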
예제 #9
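    def find_or_create_op_target(self, entity_id, target_type):
        """ Finds an op-target of type L{target_type} that points to
        L{entity_id}. If no targets exist, one will be created.

        @param entity_id: The entity the op-target points to.
        @param target_type: The type of op-target to look for.

        @return: A BofhdAuthOpTarget bound to the found or newly written
            target.

        @raise AssertionError: If more than one matching target exists, or
            if the single matching target has a non-None C{attr}.
        """
        aot = BofhdAuthOpTarget(self.db)

        op_targets = list(aot.list(entity_id=entity_id,
                                   target_type=target_type))

        # No target exists, create one
        if not op_targets:
            aot.populate(entity_id, target_type)
            aot.write_db()
            return aot

        # Raised explicitly instead of using assert statements, which are
        # removed under python -O; without the checks the first row would be
        # returned even when it is ambiguous or attribute-scoped. The
        # exception type callers may see is still AssertionError.
        if len(op_targets) != 1:
            # This method will never create more than one
            raise AssertionError(
                "expected exactly one op-target of type %r for entity %r, "
                "found %d" % (target_type, entity_id, len(op_targets)))
        if op_targets[0]['attr'] is not None:
            # ... and never populates attr
            raise AssertionError(
                "op-target of type %r for entity %r has attr set" %
                (target_type, entity_id))

        # Target exists, return it
        aot.find(op_targets[0]['op_target_id'])
        return aot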
예제 #10
 def _revoke_auth(self, entity_id, opset, target_id, target_type, attr,
                  entity_name, target_name):
     """Revoke opset access for entity_id on a target; return a status text.

     The operation target is resolved with _get_auth_op_target(). If the
     entity holds the opset on it, the role is revoked, and the operation
     target is deleted as well once no auth role references it any more.

     This helper contains no permission check of its own; it relies on the
     caller having authorized the operator.

     Returns a message saying either that the access was revoked or that
     the entity did not have it.

     Raises CerebrumError when no operation target matches target_id,
     target_type and attr.
     """
     op_target_id = self._get_auth_op_target(target_id, target_type, attr)
     if not op_target_id:
         message = "No one has matching access to {}".format(target_name)
         raise CerebrumError(message)

     role = BofhdAuthRole(self.db)
     held = role.list(entity_id, opset.op_set_id, op_target_id)
     if len(held) == 0:
         return "%s doesn't have %s access to %s %s" % (
             entity_name, opset.name, six.text_type(target_type),
             target_name)

     role.revoke_auth(entity_id, opset.op_set_id, op_target_id)

     # Drop the op_target too when this was its last reference.
     references_left = role.list(op_target_id=op_target_id)
     if len(references_left) == 0:
         op_target = BofhdAuthOpTarget(self.db)
         op_target.find(op_target_id)
         op_target.delete()

     return "OK, revoked %s access for %s from %s %s" % (
         opset.name, entity_name, six.text_type(target_type), target_name)
예제 #11
파일: base.py 프로젝트: unioslo/cerebrum
    def remove_auth_roles(self, entity_id):
        """ Revoke all authorization roles that have been given to an
        entity. Authorization targets that are left without any auth role
        pointing to them as a result are removed as well.

        No commit is issued by this method.

        @type entity_id: int
        @param entity_id: The entity_id of an object.
        """
        role = BofhdAuthRole(self.db)
        op_target = BofhdAuthOpTarget(self.db)

        # Walk every auth-role the entity holds over other targets
        for held in role.list(entity_ids=entity_id):
            op_set_id = held['op_set_id']
            op_target_id = held['op_target_id']
            role.revoke_auth(entity_id, op_set_id, op_target_id)

            # A target that is still referenced by some auth-role stays.
            if len(role.list(op_target_id=op_target_id)) != 0:
                continue

            # Nothing points to the auth-target any more: remove it.
            op_target.clear()
            op_target.find(op_target_id)
            op_target.delete()
예제 #12
    def remove_auth_roles(self, entity_id):
        """ Remove every authorization role granted to an entity, and clean
        up any authorization target that no auth role refers to afterwards.

        This method does not commit.

        @type entity_id: int
        @param entity_id: The entity_id of an object.
        """
        auth_role = BofhdAuthRole(self.db)
        auth_target = BofhdAuthOpTarget(self.db)

        # Revoke each auth-role the entity has over other targets
        for row in auth_role.list(entity_ids=entity_id):
            set_id = row['op_set_id']
            target_id = row['op_target_id']
            auth_role.revoke_auth(entity_id, set_id, target_id)

            # Delete the auth-target once the last auth-role pointing to it
            # has been revoked.
            leftover = auth_role.list(op_target_id=target_id)
            if len(leftover) == 0:
                auth_target.clear()
                auth_target.find(target_id)
                auth_target.delete()
예제 #13
파일: base.py 프로젝트: unioslo/cerebrum
    def remove_auth_targets(self, entity_id, target_type=None):
        """ Remove the authorization targets of type L{target_type} that
        point to L{entity_id}, together with every auth role granting access
        to them. If L{target_type} is None, all targets regardless of type
        will be removed.

        No commit is issued by this method.

        @type entity_id: int
        @param entity_id: The entity_id of an object.

        @type target_type: str
        @param target_type: The target type of the authorization target
        """
        role = BofhdAuthRole(self.db)
        op_target = BofhdAuthOpTarget(self.db)

        matching = op_target.list(entity_id=entity_id,
                                  target_type=target_type)
        for target_row in matching:
            op_target.clear()
            op_target.find(target_row['op_target_id'])

            # Roles that grant access to the target have to be revoked
            # before the target itself is removed.
            for grant in role.list(op_target_id=target_row["op_target_id"]):
                role.revoke_auth(
                    grant['entity_id'],
                    grant['op_set_id'],
                    target_row['op_target_id'])

            op_target.delete()
예제 #14
    def remove_auth_targets(self, entity_id, target_type=None):
        """ Delete authorization targets of type L{target_type} pointing to
        L{entity_id}. With L{target_type} set to None, targets of every type
        are deleted. All auth roles referring to a target are revoked before
        that target is deleted.

        This method does not commit.

        @type entity_id: int
        @param entity_id: The entity_id of an object.

        @type target_type: str
        @param target_type: The target type of the authorization target
        """
        auth_role = BofhdAuthRole(self.db)
        auth_target = BofhdAuthOpTarget(self.db)

        for found in auth_target.list(entity_id=entity_id,
                                      target_type=target_type):
            auth_target.clear()
            auth_target.find(found['op_target_id'])

            # First revoke each role granting access to this target ...
            for row in auth_role.list(op_target_id=found["op_target_id"]):
                auth_role.revoke_auth(row['entity_id'], row['op_set_id'],
                                      found['op_target_id'])

            # ... then remove the target.
            auth_target.delete()