def remove_user_role(user_id, role_ids):
"""Create a relationship between a user and a role
:param user_id: User id
:param role_ids: List of role ids
:return User-Roles information
"""
username = get_username(user_id=user_id)
result = AffectedItemsWazuhResult(none_msg=f'No role was unlinked from user {username}',
some_msg=f'Some roles were not unlinked from user {username}',
all_msg=f'All roles were unlinked from user {username}')
success = False
with UserRolesManager() as urm:
for role_id in role_ids:
user_role = urm.remove_role_in_user(user_id=int(user_id[0]), role_id=role_id)
if user_role == SecurityError.INVALID:
result.add_failed_item(id_=int(role_id), error=WazuhError(4016))
elif user_role == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id), error=WazuhError(4002))
elif user_role == SecurityError.USER_NOT_EXIST:
result.add_failed_item(id_=int(user_id[0]), error=WazuhError(5001))
break
elif user_role == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(user_id[0]), error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if success:
with AuthenticationManager() as auth:
result.affected_items.append(auth.get_user_id(int(user_id[0])))
result.affected_items.sort(key=str)
invalid_users_tokens(users=user_id)
return result
def set_user_role(user_id, role_ids, position=None):
"""Create a relationship between a user and a role.
Parameters
----------
user_id : list
User ID
role_ids : list of int
List of role ids
position : int
Position where the new role will be inserted
Returns
-------
Dict
User-Roles information
"""
if position is not None and position < 0:
raise WazuhError(4018)
username = get_username(user_id=user_id)
result = AffectedItemsWazuhResult(
none_msg=f'No link was created to user {username}',
some_msg=f'Some roles were not linked to user {username}',
all_msg=f'All roles were linked to user {username}')
success = False
with UserRolesManager() as urm:
for role_id in role_ids:
user_role = urm.add_role_to_user(user_id=int(user_id[0]),
role_id=int(role_id),
position=position)
if user_role == SecurityError.ALREADY_EXIST:
result.add_failed_item(id_=int(role_id),
error=WazuhError(4017))
elif user_role == SecurityError.ROLE_NOT_EXIST:
result.add_failed_item(id_=int(role_id),
error=WazuhError(4002))
elif user_role == SecurityError.USER_NOT_EXIST:
result.add_failed_item(id_=int(user_id[0]),
error=WazuhError(5001))
break
elif user_role == SecurityError.ADMIN_RESOURCES:
result.add_failed_item(id_=int(user_id[0]),
error=WazuhError(4008))
else:
success = True
result.total_affected_items += 1
if position is not None:
position += 1
if success:
with AuthenticationManager() as auth:
result.affected_items.append(auth.get_user_id(int(user_id[0])))
result.affected_items.sort(key=str)
invalid_users_tokens(users=user_id)
return result
def check_token(username, roles, token_nbf_time, run_as):
"""Check the validity of a token with the current time and the generation time of the token.
Parameters
----------
username : str
Unique username
roles : list
List of roles related with the current token
token_nbf_time : int
Issued at time of the current token
run_as : bool
Indicate if the token has been granted through run_as endpoint
Returns
-------
Dict with the result
"""
# Check that the user exists
with AuthenticationManager() as am:
user = am.get_user(username=username)
if not user:
return {'valid': False}
user_id = user['id']
with UserRolesManager() as urm:
user_roles = [
role['id']
for role in map(Roles.to_dict,
urm.get_all_roles_from_user(user_id=user_id))
]
if not am.user_allow_run_as(
user['username']) and set(user_roles) != set(roles):
return {'valid': False}
with TokenManager() as tm:
for role in user_roles:
if not tm.is_token_valid(
role_id=role,
user_id=user_id,
token_nbf_time=int(token_nbf_time),
run_as=run_as):
return {'valid': False}
policies = optimize_resources(roles)
return {'valid': True, 'policies': policies}
