def _get_edge(session, group, member):
return GroupEdge.get(
session,
group_id=group.id,
member_type=member.member_type,
member_pk=member.id
)
def get(self, group_id=None, name=None, name2=None, member_type=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
if self.current_user.name == name2:
return self.forbidden()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), name2), None)
if not member:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = GroupEditMemberForm(self.request.arguments)
form.role.choices = [["member", "Member"]]
if my_role in ("owner", "np-owner"):
form.role.choices.append(["manager", "Manager"])
form.role.choices.append(["owner", "Owner"])
form.role.choices.append(["np-owner", "No-Permissions Owner"])
form.role.data = edge.role
form.expiration.data = edge.expiration.strftime(
"%m/%d/%Y") if edge.expiration else None
self.render(
"group-edit-member.html",
group=group,
member=member,
edge=edge,
form=form,
)
def expire_nonauditors(self, session):
"""Checks all enabled audited groups and ensures that all approvers for that group have
the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
have their membership in the audited group set to expire
settings.nonauditor_expiration_days days in the future.
Args:
session (Session): database session
"""
now = datetime.utcnow()
graph = Graph()
exp_days = timedelta(days=settings.nonauditor_expiration_days)
# Hack to ensure the graph is loaded before we access it
graph.update_from_db(session)
# TODO(tyleromeara): replace with graph call
for group in get_audited_groups(session):
members = group.my_members()
# Go through every member of the group and set them to expire if they are an approver
# but not an auditor
for (type_, member), edge in members.iteritems():
# Auditing is already inherited, so we don't need to handle that here
if type_ == "Group":
continue
member = User.get(session, name=member)
member_is_approver = user_role_index(
member, members) in APPROVER_ROLE_INDICES
member_is_auditor = user_has_permission(
session, member, PERMISSION_AUDITOR)
if not member_is_approver or member_is_auditor:
continue
edge = GroupEdge.get(session, id=edge.edge_id)
if edge.expiration and edge.expiration < now + exp_days:
continue
exp = now + exp_days
exp = exp.date()
edge.apply_changes_dict({
"expiration":
"{}/{}/{}".format(exp.month, exp.day, exp.year)
})
edge.add(session)
notify_nonauditor_flagged(settings, session, edge)
session.commit()
def expire_nonauditors(self, session):
# type: (Session) -> None
"""Checks all enabled audited groups and ensures that all approvers for that group have
the PERMISSION_AUDITOR permission. All approvers of audited groups that aren't auditors
have their membership in the audited group set to expire
settings.nonauditor_expiration_days days in the future.
Args:
session (Session): database session
"""
now = datetime.utcnow()
graph = Graph()
exp_days = timedelta(days=self.settings.nonauditor_expiration_days)
# Hack to ensure the graph is loaded before we access it
graph.update_from_db(session)
# TODO(tyleromeara): replace with graph call
for group in get_audited_groups(session):
members = group.my_members()
# Go through every member of the group and set them to expire if they are an approver
# but not an auditor
for (type_, member), edge in members.iteritems():
# Auditing is already inherited, so we don't need to handle that here
if type_ == "Group":
continue
member = User.get(session, name=member)
member_is_approver = user_role_index(member, members) in APPROVER_ROLE_INDICES
member_is_auditor = user_has_permission(session, member, PERMISSION_AUDITOR)
if not member_is_approver or member_is_auditor:
continue
edge = GroupEdge.get(session, id=edge.edge_id)
if edge.expiration and edge.expiration < now + exp_days:
continue
exp = (now + exp_days).date()
edge.apply_changes(
{"expiration": "{}/{}/{}".format(exp.month, exp.day, exp.year)}
)
edge.add(session)
notify_nonauditor_flagged(self.settings, session, edge)
session.commit()
def get(self, group_id=None, name=None, name2=None, member_type=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
if self.current_user.name == name2:
return self.forbidden()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), name2), None)
if not member:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = GroupEditMemberForm(self.request.arguments)
form.role.choices = [["member", "Member"]]
if my_role in ("owner", "np-owner"):
form.role.choices.append(["manager", "Manager"])
form.role.choices.append(["owner", "Owner"])
form.role.choices.append(["np-owner", "No-Permissions Owner"])
form.role.data = edge.role
form.expiration.data = edge.expiration.strftime("%m/%d/%Y") if edge.expiration else None
self.render(
"group-edit-member.html", group=group, member=member, edge=edge, form=form,
)
def get(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
member_name = self.get_path_argument("member_name")
member_type = self.get_path_argument("member_type")
group = Group.get(self.session, name=name)
if not group:
return self.notfound()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), member_name), None)
if not member:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = self._get_form(member_name, my_role, member_type)
form.role.data = edge.role
form.expiration.data = edge.expiration.strftime(
"%m/%d/%Y") if edge.expiration else None
self.render("group-edit-member.html",
group=group,
member=member,
edge=edge,
form=form)
def _get_edge(session, group, member):
# type: (Session, Group, Union[User, Group]) -> GroupEdge
return GroupEdge.get(session,
group_id=group.id,
member_type=member.member_type,
member_pk=member.id)
def post(self, group_id=None, name=None, name2=None, member_type=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
if self.current_user.name == name2:
return self.forbidden()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), name2), None)
if not member:
return self.notfound()
if member.type == "Group":
user_or_group = Group.get(self.session, member.id)
else:
user_or_group = User.get(self.session, member.id)
if not user_or_group:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = GroupEditMemberForm(self.request.arguments)
form.role.choices = [["member", "Member"]]
if my_role in ("owner", "np-owner"):
form.role.choices.append(["manager", "Manager"])
form.role.choices.append(["owner", "Owner"])
form.role.choices.append(["np-owner", "No-Permissions Owner"])
if not form.validate():
return self.render(
"group-edit-member.html",
group=group,
member=member,
edge=edge,
form=form,
alerts=self.get_form_alerts(form.errors),
)
fail_message = 'This join is denied with this role at this time.'
try:
user_can_join = assert_can_join(group,
user_or_group,
role=form.data["role"])
except UserNotAuditor as e:
user_can_join = False
fail_message = e
if not user_can_join:
return self.render("group-edit-member.html",
form=form,
group=group,
member=member,
edge=edge,
alerts=[
Alert('danger', fail_message,
'Audit Policy Enforcement')
])
expiration = None
if form.data["expiration"]:
expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y")
try:
group.edit_member(self.current_user,
user_or_group,
form.data["reason"],
role=form.data["role"],
expiration=expiration)
except (InvalidRoleForMember,
PluginRejectedGroupMembershipUpdate) as e:
return self.render("group-edit-member.html",
form=form,
group=group,
member=member,
edge=edge,
alerts=[Alert('danger', e.message)])
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def _get_edge(session, group, member):
return GroupEdge.get(session,
group_id=group.id,
member_type=member.member_type,
member_pk=member.id)
def post(self, group_id=None, name=None, name2=None, member_type=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
if self.current_user.name == name2:
return self.forbidden()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), name2), None)
if not member:
return self.notfound()
if member.type == "Group":
user_or_group = Group.get(self.session, member.id)
else:
user_or_group = User.get(self.session, member.id)
if not user_or_group:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = GroupEditMemberForm(self.request.arguments)
form.role.choices = [["member", "Member"]]
if my_role in ("owner", "np-owner"):
form.role.choices.append(["manager", "Manager"])
form.role.choices.append(["owner", "Owner"])
form.role.choices.append(["np-owner", "No-Permissions Owner"])
if not form.validate():
return self.render(
"group-edit-member.html", group=group, member=member, edge=edge, form=form,
alerts=self.get_form_alerts(form.errors),
)
fail_message = 'This join is denied with this role at this time.'
try:
user_can_join = assert_can_join(group, user_or_group, role=form.data["role"])
except UserNotAuditor as e:
user_can_join = False
fail_message = e
if not user_can_join:
return self.render(
"group-edit-member.html", form=form, group=group, member=member, edge=edge,
alerts=[
Alert('danger', fail_message, 'Audit Policy Enforcement')
]
)
expiration = None
if form.data["expiration"]:
expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y")
try:
group.edit_member(self.current_user, user_or_group, form.data["reason"],
role=form.data["role"], expiration=expiration)
except (InvalidRoleForMember, PluginRejectedGroupMembershipUpdate) as e:
return self.render(
"group-edit-member.html", form=form, group=group, member=member, edge=edge,
alerts=[Alert('danger', e.message)]
)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, *args: Any, **kwargs: Any) -> None:
name = self.get_path_argument("name")
member_name = self.get_path_argument("member_name")
member_type = self.get_path_argument("member_type")
group = Group.get(self.session, name=name)
if not group:
return self.notfound()
members = group.my_members()
my_role = user_role(self.current_user, members)
if my_role not in ("manager", "owner", "np-owner"):
return self.forbidden()
member = members.get((member_type.capitalize(), member_name), None)
if not member:
return self.notfound()
if member.type == "Group":
user_or_group = Group.get(self.session, member.id)
else:
user_or_group = User.get(self.session, member.id)
if not user_or_group:
return self.notfound()
edge = GroupEdge.get(
self.session,
group_id=group.id,
member_type=OBJ_TYPES[member.type],
member_pk=member.id,
)
if not edge:
return self.notfound()
form = self._get_form(member_name, my_role, member_type)
if not form.validate():
return self.render(
"group-edit-member.html",
group=group,
member=member,
edge=edge,
form=form,
alerts=self.get_form_alerts(form.errors),
)
try:
assert_can_join(group, user_or_group, role=form.data["role"])
except UserNotAuditor as e:
return self.render(
"group-edit-member.html",
form=form,
group=group,
member=member,
edge=edge,
alerts=[Alert("danger", str(e), "Audit Policy Enforcement")],
)
expiration = None
if form.data["expiration"]:
expiration = datetime.strptime(form.data["expiration"], "%m/%d/%Y")
try:
group.edit_member(
self.current_user,
user_or_group,
form.data["reason"],
role=form.data["role"],
expiration=expiration,
)
except (InvalidRoleForMember,
PluginRejectedGroupMembershipUpdate) as e:
return self.render(
"group-edit-member.html",
form=form,
group=group,
member=member,
edge=edge,
alerts=[Alert("danger", str(e))],
)
return self.redirect("/groups/{}?refresh=yes".format(group.name))