def _admin():
try:
if not admin.session.authorized:
return redirect(url_for("keycloak.login"))
resp = admin.session.get(
"/auth/realms/%s/protocol/openid-connect/userinfo" % oauth_realm)
assert resp.ok
groups = resp.json()['groups_all']
log.info("Checking? %s %s" %
(conf['oauth']['admin_group'], str(groups)))
if conf['oauth']['admin_group'] not in groups:
message = "Access Denied - User does not belong to the administration group."
activity('access', '', '',
resp.json()['preferred_username'], False, message)
del admin.token
return render_template('error.html',
message=message,
username=resp.json()['preferred_username'],
logout_url=admin_logout_url())
session['groups'] = groups
session['username'] = resp.json()['preferred_username']
activity('access', '', '', session['username'], True, "Access Granted")
return redirect(url_for("keycloak.main"))
except oauthlib.oauth2.rfc6749.errors.TokenExpiredError as ex:
return redirect(url_for("keycloak.login"))
def delete_user(username: str) -> object:
"""
Delete user if exists
"""
try:
keycloak_cli.del_user(username)
activity ('delete_user', '', '', 'api', True, "User %s Deleted" % username)
except BaseException as ex:
activity ('delete_user', '', '', 'api', False, "Failed - failed to delete user %s." % username)
raise ex
return jsonify({"status": "ok"})
def project_delete(projectId: str) -> object:
"""
Deletes the project access
"""
try:
minio_cli.del_project(projectId)
vault_cli.del_project(projectId)
activity('disable_project', '', projectId, 'api', True,
"Project Disabled")
except BaseException as ex:
activity('disable_project', '', projectId, 'api', False,
"Failed - project partially disabled")
raise ex
try:
purge = request.args.get('purge')
log.debug("Purge? %s" % purge)
if purge == "yes":
keycloak_cli.del_project(projectId)
minio_cli.del_buckets(projectId)
activity('purge_project', '', projectId, 'api', True,
"Project Purged")
except BaseException as ex:
activity('disable_project', '', projectId, 'api', False,
"Failed - project partially purged")
raise ex
return jsonify({"status": "ok"})
def leave(projectId: str, username: str) -> object:
"""
Leave project
"""
try:
keycloak_cli.leave_project(projectId, username)
activity('leave_project', '', projectId, 'api', True,
"User %s Removed" % username)
except BaseException as ex:
activity('leave_project', '', projectId, 'api', False,
"Failed - failed to remove user %s." % username)
raise ex
return jsonify({"status": "ok"})
def join(projectId: str, username: str) -> object:
"""
Join project
"""
try:
keycloak_cli.join_project(projectId, username)
activity('join_project', '', projectId, 'api', True,
"User %s Joined" % username)
except BaseException as ex:
activity('join_project', '', projectId, 'api', False,
"Failed - failed to join user %s." % username)
raise ex
return jsonify({"status": "ok"})
def do_render_template(**args):
if 'repository' in args['data']:
team = get_sae_project(session['groups'])
actor = session['username']
activity(args['action'], args['data']['repository'], team, actor,
args['success'], args['message'])
linked_repos = get_linked_repos()
return render_template('index.html',
**args,
repo_list=linked_repos,
unlinked_repo_list=get_unlinked_repos(),
noshares_repo_list=get_noshares_repos(linked_repos),
groups=session['groups'],
project=get_sae_project(session['groups']))
def project_post(projectId: str) -> object:
"""
Enables a project
"""
try:
keycloak_cli.add_project(projectId)
minio_cli.add_project(projectId)
vault_cli.add_project(projectId)
activity('enable_project', '', projectId, 'api', True,
"Project Enabled")
except BaseException as ex:
activity('enable_project', '', projectId, 'api', False,
"Failed - project partially enabled")
raise ex
return jsonify({"status": "ok"})
def add_user(username: str) -> object:
"""
Add user if it does not exist
"""
content = request.json
projectName = content['project']
try:
keycloak_cli.add_user(username, content['email'],
content['first_name'], content['last_name'])
keycloak_cli.join_project(projectName, username)
activity('add_user', '', projectName, 'api', True,
"User %s Added" % username)
except BaseException as ex:
activity('add_user', '', projectName, 'api', False,
"Failed - failed to add user %s." % username)
raise ex
return jsonify({"status": "ok"})
def _selfserve():
try:
if not selfserve.session.authorized:
return redirect(url_for("kc.login"))
resp = selfserve.session.get(
"/auth/realms/%s/protocol/openid-connect/userinfo" % oauth_realm)
assert resp.ok
js = resp.json()
if 'groups' in js:
groups = js['groups']
else:
groups = []
session['groups'] = groups
session['policy'] = resp.json()['policy']
session['username'] = resp.json()['preferred_username']
session['jwt_info'] = json.dumps(resp.json(), indent=4, sort_keys=True)
activity('access', '', '', session['username'], True, "Access Granted")
return redirect(url_for("kc.main"))
except oauthlib.oauth2.rfc6749.errors.TokenExpiredError as ex:
return redirect(url_for("kc.login"))
def add_user(username: str) -> object:
"""
Add user if it does not exist
"""
content = request.json
groups = content['groups']
user_attributes = {}
if "user_attributes" in content:
user_attributes = content['user_attributes']
try:
keycloak_cli.add_user(username, content['email'], content['first_name'], content['last_name'], user_attributes)
for group in groups:
keycloak_cli.add_group(group)
keycloak_cli.join_group(group, username)
activity ('add_user', '', '', 'api', True, "User %s Added" % username)
except BaseException as ex:
activity ('add_user', '', '', 'api', False, "Failed - failed to add user %s." % username)
raise ex
return jsonify({"status": "ok"})
def record_approval_request() -> object:
"""
Record an approval request
"""
content = request.json
missing = []
required = [
'commit_sha', 'requestor', 'diff', 'applications',
'approval_callback_url'
]
for r in required:
if r not in content:
missing.append(r)
if len(missing) > 0:
raise Exception("Required data missing %s" % str(missing))
conf = config.Config()
vault_cli = VaultClient(conf.data['vault']['addr'],
conf.data['vault']['token'])
pkg_request = vault_cli.get_package_requests()
if pkg_request is None:
vault_cli.update_package_request(content)
activity(
'bbsae_apps_request', '', '', 'api', True,
'Initiated new apps approval for commit %s' %
content['commit_sha'])
else:
vault_cli.delete_package_request()
activity('bbsae_apps_req_cancelled', '', '', 'api', True,
'Cancelled request for commit %s' % pkg_request['commit_sha'])
vault_cli.update_package_request(content)
activity(
'bbsae_apps_request', '', '', 'api', True,
'Initiated new apps approval for commit %s' %
content['commit_sha'])
return jsonify({})
def approve_packages() -> object:
"""
Approve application changes
"""
data = request.form.to_dict()
conf = config.Config()
if not admin.session.authorized:
return redirect(url_for("keycloak.login"))
if not 'groups' in session:
return render_template('error.html',
message="Access Denied",
username=session['username'],
logout_url=admin_logout_url())
try:
validate(data, ['commit_sha', 'answer'])
commit_sha = data['commit_sha']
answer = data['answer']
# answer: approve | reject
# In the case of approve, call the callback_url
# In the case of reject, record in activity log
#
vault_cli = VaultClient(conf.data['vault']['addr'],
conf.data['vault']['token'])
pkg_request = vault_cli.get_package_requests()
if pkg_request is None:
return do_render_template(success=True,
action="approve",
tab={"approvals": "show active"},
message="Request already approved.")
if answer == "approve":
code = ''.join(
random.choice(string.ascii_uppercase + string.digits)
for _ in range(32))
log.debug("Callback %s" % pkg_request['approval_callback_url'])
receipt = call_callback(pkg_request['approval_callback_url'], code)
pkg_request['approve_result'] = {
"performed_by": session['username'],
"answer": answer,
"timestamp": utc_to_local(datetime.datetime.now()).isoformat(),
"tekton_receipt": receipt,
"code": code
}
vault_cli.update_package_request(pkg_request)
else:
vault_cli.delete_package_request()
msg = "Approved changes (%s)." % commit_sha
if answer == "reject":
msg = "Rejected changes (%s)." % commit_sha
activity('%s_bbsae_apps_req' % answer, '', '', session['username'],
True, msg)
return do_render_template(success=True,
action="approve",
tab={"approvals": "show active"},
message=msg)
except BaseException as error:
print("Exception %s" % error)
traceback.print_exc(file=sys.stdout)
return do_render_template(success=False,
action="approve",
tab={"approvals": "show active"},
message="Failed to approve. %s" % (error))
