def _get_edge(session, group, member): return GroupEdge.get( session, group_id=group.id, member_type=member.member_type, member_pk=member.id )
def add_user_to_group(self, user, group, role="member"): # type: (str, str, str) -> None self.create_user(user) self.create_group(group) user_obj = User.get(self.session, name=user) assert user_obj group_obj = Group.get(self.session, name=group) assert group_obj edge = GroupEdge( group_id=group_obj.id, member_type=OBJ_TYPES["User"], member_pk=user_obj.id, active=True, _role=GROUP_EDGE_ROLES.index(role), ) edge.add(self.session)
def add_group_to_group(self, member, group): # type: (str, str) -> None self.create_group(member) self.create_group(group) member_obj = Group.get(self.session, name=member) assert member_obj group_obj = Group.get(self.session, name=group) assert group_obj edge = GroupEdge( group_id=group_obj.id, member_type=OBJ_TYPES["Group"], member_pk=member_obj.id, active=True, _role=GROUP_EDGE_ROLES.index("member"), ) edge.add(self.session)
def add_user_to_group(self, user, group, role="member", expiration=None): # type: (str, str, str, Optional[datetime]) -> None self.create_user(user) self.create_group(group) user_obj = User.get(self.session, name=user) assert user_obj group_obj = Group.get(self.session, name=group) assert group_obj edge = GroupEdge( group_id=group_obj.id, member_type=OBJ_TYPES["User"], member_pk=user_obj.id, expiration=expiration, active=True, _role=GROUP_EDGE_ROLES.index(role), ) edge.add(self.session)
def _create_edge(session, group, member, role): edge, new = GroupEdge.get_or_create(session, group_id=group.id, member_type=member.member_type, member_pk=member.id) if new: # TODO(herb): this means all requests by this user to this group will # have the same role. we should probably record the role specifically # on the request and use that as the source on the UI edge._role = GROUP_EDGE_ROLES.index(role) session.flush() return edge
def _create_edge(session, group, member, role): edge, new = GroupEdge.get_or_create( session, group_id=group.id, member_type=member.member_type, member_pk=member.id ) if new: # TODO(herb): this means all requests by this user to this group will # have the same role. we should probably record the role specifically # on the request and use that as the source on the UI edge._role = GROUP_EDGE_ROLES.index(role) session.flush() return edge
def get(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) form.role.data = edge.role form.expiration.data = edge.expiration.strftime( "%m/%d/%Y") if edge.expiration else None self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, )
def expire_nonauditors(self, session): """Checks all enabled audited groups and ensures that all approvers for that group have the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors have their membership in the audited group set to expire settings.nonauditor_expiration_days days in the future. Args: session (Session): database session """ now = datetime.utcnow() graph = Graph() exp_days = timedelta(days=settings.nonauditor_expiration_days) # Hack to ensure the graph is loaded before we access it graph.update_from_db(session) # TODO(tyleromeara): replace with graph call for group in get_audited_groups(session): members = group.my_members() # Go through every member of the group and set them to expire if they are an approver # but not an auditor for (type_, member), edge in members.iteritems(): # Auditing is already inherited, so we don't need to handle that here if type_ == "Group": continue member = User.get(session, name=member) member_is_approver = user_role_index( member, members) in APPROVER_ROLE_INDICES member_is_auditor = user_has_permission( session, member, PERMISSION_AUDITOR) if not member_is_approver or member_is_auditor: continue edge = GroupEdge.get(session, id=edge.edge_id) if edge.expiration and edge.expiration < now + exp_days: continue exp = now + exp_days exp = exp.date() edge.apply_changes_dict({ "expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year) }) edge.add(session) notify_nonauditor_flagged(settings, session, edge) session.commit()
def expire_nonauditors(self, session): # type: (Session) -> None """Checks all enabled audited groups and ensures that all approvers for that group have the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors have their membership in the audited group set to expire settings.nonauditor_expiration_days days in the future. Args: session (Session): database session """ now = datetime.utcnow() graph = Graph() exp_days = timedelta(days=self.settings.nonauditor_expiration_days) # Hack to ensure the graph is loaded before we access it graph.update_from_db(session) # TODO(tyleromeara): replace with graph call for group in get_audited_groups(session): members = group.my_members() # Go through every member of the group and set them to expire if they are an approver # but not an auditor for (type_, member), edge in members.iteritems(): # Auditing is already inherited, so we don't need to handle that here if type_ == "Group": continue member = User.get(session, name=member) member_is_approver = user_role_index(member, members) in APPROVER_ROLE_INDICES member_is_auditor = user_has_permission(session, member, PERMISSION_AUDITOR) if not member_is_approver or member_is_auditor: continue edge = GroupEdge.get(session, id=edge.edge_id) if edge.expiration and edge.expiration < now + exp_days: continue exp = (now + exp_days).date() edge.apply_changes( {"expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year)} ) edge.add(session) notify_nonauditor_flagged(self.settings, session, edge) session.commit()
def get(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) form.role.data = edge.role form.expiration.data = edge.expiration.strftime("%m/%d/%Y") if edge.expiration else None self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, )
def get(self, *args: Any, **kwargs: Any) -> None: name = self.get_path_argument("name") member_name = self.get_path_argument("member_name") member_type = self.get_path_argument("member_type") group = Group.get(self.session, name=name) if not group: return self.notfound() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), member_name), None) if not member: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = self._get_form(member_name, my_role, member_type) form.role.data = edge.role form.expiration.data = edge.expiration.strftime( "%m/%d/%Y") if edge.expiration else None self.render("group-edit-member.html", group=group, member=member, edge=edge, form=form)
def _get_edge(session, group, member): # type: (Session, Group, Union[User, Group]) -> GroupEdge return GroupEdge.get(session, group_id=group.id, member_type=member.member_type, member_pk=member.id)
def post(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() if member.type == "Group": user_or_group = Group.get(self.session, member.id) else: user_or_group = User.get(self.session, member.id) if not user_or_group: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) if not form.validate(): return self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, alerts=self.get_form_alerts(form.errors), ) fail_message = 'This join is denied with this role at this time.' try: user_can_join = assert_can_join(group, user_or_group, role=form.data["role"]) except UserNotAuditor as e: user_can_join = False fail_message = e if not user_can_join: return self.render("group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[ Alert('danger', fail_message, 'Audit Policy Enforcement') ]) expiration = None if form.data["expiration"]: expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y") try: group.edit_member(self.current_user, user_or_group, form.data["reason"], role=form.data["role"], expiration=expiration) except (InvalidRoleForMember, PluginRejectedGroupMembershipUpdate) as e: return self.render("group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[Alert('danger', e.message)]) return self.redirect("/groups/{}?refresh=yes".format(group.name))
def _get_edge(session, group, member): return GroupEdge.get(session, group_id=group.id, member_type=member.member_type, member_pk=member.id)
def post(self, group_id=None, name=None, name2=None, member_type=None): group = Group.get(self.session, group_id, name) if not group: return self.notfound() if self.current_user.name == name2: return self.forbidden() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), name2), None) if not member: return self.notfound() if member.type == "Group": user_or_group = Group.get(self.session, member.id) else: user_or_group = User.get(self.session, member.id) if not user_or_group: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = GroupEditMemberForm(self.request.arguments) form.role.choices = [["member", "Member"]] if my_role in ("owner", "np-owner"): form.role.choices.append(["manager", "Manager"]) form.role.choices.append(["owner", "Owner"]) form.role.choices.append(["np-owner", "No-Permissions Owner"]) if not form.validate(): return self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, alerts=self.get_form_alerts(form.errors), ) fail_message = 'This join is denied with this role at this time.' try: user_can_join = assert_can_join(group, user_or_group, role=form.data["role"]) except UserNotAuditor as e: user_can_join = False fail_message = e if not user_can_join: return self.render( "group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[ Alert('danger', fail_message, 'Audit Policy Enforcement') ] ) expiration = None if form.data["expiration"]: expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y") try: group.edit_member(self.current_user, user_or_group, form.data["reason"], role=form.data["role"], expiration=expiration) except (InvalidRoleForMember, PluginRejectedGroupMembershipUpdate) as e: return self.render( "group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[Alert('danger', e.message)] ) return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, *args: Any, **kwargs: Any) -> None: name = self.get_path_argument("name") member_name = self.get_path_argument("member_name") member_type = self.get_path_argument("member_type") group = Group.get(self.session, name=name) if not group: return self.notfound() members = group.my_members() my_role = user_role(self.current_user, members) if my_role not in ("manager", "owner", "np-owner"): return self.forbidden() member = members.get((member_type.capitalize(), member_name), None) if not member: return self.notfound() if member.type == "Group": user_or_group = Group.get(self.session, member.id) else: user_or_group = User.get(self.session, member.id) if not user_or_group: return self.notfound() edge = GroupEdge.get( self.session, group_id=group.id, member_type=OBJ_TYPES[member.type], member_pk=member.id, ) if not edge: return self.notfound() form = self._get_form(member_name, my_role, member_type) if not form.validate(): return self.render( "group-edit-member.html", group=group, member=member, edge=edge, form=form, alerts=self.get_form_alerts(form.errors), ) try: assert_can_join(group, user_or_group, role=form.data["role"]) except UserNotAuditor as e: return self.render( "group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[Alert("danger", str(e), "Audit Policy Enforcement")], ) expiration = None if form.data["expiration"]: expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y") try: group.edit_member( self.current_user, user_or_group, form.data["reason"], role=form.data["role"], expiration=expiration, ) except (InvalidRoleForMember, PluginRejectedGroupMembershipUpdate) as e: return self.render( "group-edit-member.html", form=form, group=group, member=member, edge=edge, alerts=[Alert("danger", str(e))], ) return self.redirect("/groups/{}?refresh=yes".format(group.name))