Exemplo n.º 1
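def grant_permission_to_service_account(session: Session,
                                        account: ServiceAccount,
                                        permission: Permission,
                                        argument: str = "") -> None:
    """Grant a permission to this service account.

    Validates the argument, adds a ServiceAccountPermissionMap row, increments the
    "updates" counter and commits the session.

    The grant is expected to fail if the (permission, argument) pair has already been
    granted to this service account; that check is not made in this function.

    No authorization check is made here either. NOTE(review): callers are presumably
    responsible for verifying that the acting user may grant this permission.

    Args:
        session: Database session
        account: A ServiceAccount object being granted a permission
        permission: A Permission object being granted
        argument: Must match constants.ARGUMENT_VALIDATION

    Raises:
        AssertionError: if argument does not match the ARGUMENT_VALIDATION regex
    """
    # Raise explicitly rather than with an `assert` statement: asserts are compiled out
    # under `python -O`, which would silently turn this validation off. The exception
    # type is kept so existing callers still catch AssertionError.
    # `\Z` is used instead of `$` because `$` also matches just before a trailing
    # newline, which would let "value\n" through as a permission argument.
    if not re.match(ARGUMENT_VALIDATION + r"\Z", argument):
        raise AssertionError("Invalid permission argument")

    mapping = ServiceAccountPermissionMap(permission_id=permission.id,
                                          service_account_id=account.id,
                                          argument=argument)
    mapping.add(session)

    Counter.incr(session, "updates")

    session.commit()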
Exemplo n.º 2
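def grant_permission_to_service_account(session,
                                        account,
                                        permission,
                                        argument=""):
    """
    Grant a permission to this service account. The grant is expected to fail if the
    (permission, argument) pair has already been granted to this service account; that
    check is not made in this function.

    The argument is validated, a ServiceAccountPermissionMap row is added, the "updates"
    counter is incremented and the session is committed. No authorization check is made
    here. NOTE(review): callers presumably verify that the acting user may grant this
    permission.

    Args:
        session(models.base.session.Session): database session
        account(ServiceAccount): a ServiceAccount object being granted a permission
        permission(Permission): a Permission object being granted
        argument(str): must match constants.ARGUMENT_VALIDATION

    Raises:
        AssertionError: if argument does not match the ARGUMENT_VALIDATION regex
    """
    # An `assert` statement is stripped under `python -O`, which would disable this
    # validation entirely, so the same exception type is raised explicitly instead.
    # `\Z` anchors at the true end of the string; `$` would also accept a value that
    # ends in a newline.
    if not re.match(ARGUMENT_VALIDATION + r"\Z", argument):
        raise AssertionError("Permission argument does not match regex.")

    mapping = ServiceAccountPermissionMap(permission_id=permission.id,
                                          service_account_id=account.id,
                                          argument=argument)
    mapping.add(session)

    Counter.incr(session, "updates")

    session.commit()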
Exemplo n.º 3
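def grant_permission_to_service_account(session, account, permission, argument=""):
    """
    Grant a permission to this service account. The grant is expected to fail if the
    (permission, argument) pair has already been granted to this service account; that
    check is not made in this function.

    Steps: validate the argument, add a ServiceAccountPermissionMap row, increment the
    "updates" counter, commit. This function does not check who is asking.
    NOTE(review): authorization is presumably the caller's responsibility.

    Args:
        session(models.base.session.Session): database session
        account(ServiceAccount): a ServiceAccount object being granted a permission
        permission(Permission): a Permission object being granted
        argument(str): must match constants.ARGUMENT_VALIDATION

    Raises:
        AssertionError: if argument does not match the ARGUMENT_VALIDATION regex
    """
    # Explicit raise instead of `assert`: running Python with -O removes assert
    # statements, and with them this input check. AssertionError is kept for callers
    # that already catch it.
    # `\Z` rather than `$`, since `$` also matches before a final newline and would
    # accept an argument such as "value\n".
    if not re.match(ARGUMENT_VALIDATION + r"\Z", argument):
        raise AssertionError("Permission argument does not match regex.")

    mapping = ServiceAccountPermissionMap(
        permission_id=permission.id, service_account_id=account.id, argument=argument
    )
    mapping.add(session)

    Counter.incr(session, "updates")

    session.commit()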
Exemplo n.º 4
 def grant_permission_to_service_account(self, permission, argument, service_account):
     # type: (str, str, str) -> None
     """Create the named permission and grant it to an existing service account.

     The permission is created via self.create_permission() and then looked up by
     name. The service account is looked up as a User by name and must already exist
     and be flagged as a service account; these preconditions are checked with
     assert statements, so they are not enforced when Python runs with -O.

     The argument is stored as given (no validation in this method) and the session
     is not committed here.
     """
     self.create_permission(permission)

     perm = Permission.get(self.session, name=permission)
     assert perm

     owner = User.get(self.session, name=service_account)
     assert owner, "Must create the service account first"
     assert owner.is_service_account

     fields = {
         "permission_id": perm.id,
         "service_account_id": owner.service_account.id,
         "argument": argument,
     }
     ServiceAccountPermissionMap(**fields).add(self.session)
Exemplo n.º 5
    def grant_permission_to_service_account(self, permission, argument,
                                            service):
        # type: (str, str, str) -> None
        """Grant the named permission, with the given argument, to a service account.

        Both names are resolved through self.session. A service account that is
        missing or whose user is disabled is reported as not found, so a disabled
        account cannot receive new grants through this method.

        The argument is stored as given and the session is not committed in this
        method. NOTE(review): argument validation and authorization are presumably
        done by the caller -- confirm.

        Raises:
            ServiceAccountNotFoundException: the service account does not exist or
                its user is not enabled.
            PermissionNotFoundException: the permission does not exist.
        """
        account = ServiceAccount.get(self.session, name=service)
        if not (account and account.user.enabled):
            raise ServiceAccountNotFoundException(service)

        granted = Permission.get(self.session, name=permission)
        if not granted:
            raise PermissionNotFoundException(permission)

        ServiceAccountPermissionMap(
            permission_id=granted.id,
            service_account_id=account.id,
            argument=argument,
        ).add(self.session)
Exemplo n.º 6
 def grant_permission_to_service_account(self, permission, argument,
                                         service_account):
     # type: (str, str, str) -> None
     """Ensure the permission exists, then map it onto a service account.

     self.create_permission() is called first and the permission is then fetched by
     name. The service account name is resolved as a User; the asserts require that
     the user exists and is a service account (these checks disappear under
     `python -O`).

     The argument is written to the mapping unvalidated, and this method leaves the
     commit to its caller.
     """
     self.create_permission(permission)

     found_permission = Permission.get(self.session, name=permission)
     assert found_permission

     found_user = User.get(self.session, name=service_account)
     assert found_user, "Must create the service account first"
     assert found_user.is_service_account

     permission_id = found_permission.id
     account_id = found_user.service_account.id
     new_grant = ServiceAccountPermissionMap(
         permission_id=permission_id, service_account_id=account_id, argument=argument
     )
     new_grant.add(self.session)
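    def post(self, group_id=None, name=None, account_id=None, accountname=None, mapping_id=None):
        """Revoke one permission grant from a service account.

        Looks up the group, the service account and the permission mapping, checks
        that the current user has access to the service account, deletes the mapping,
        commits, writes an audit log entry and redirects to the service account page.

        Args:
            group_id, name: identify the group (passed to Group.get).
            account_id, accountname: identify the service account
                (passed to ServiceAccount.get).
            mapping_id: id of the ServiceAccountPermissionMap row to delete.

        Returns:
            The result of self.notfound(), self.forbidden() or self.redirect().
        """
        group = Group.get(self.session, group_id, name)
        if not group:
            return self.notfound()
        service_account = ServiceAccount.get(self.session, account_id, accountname)
        if not service_account:
            return self.notfound()

        # NOTE(review): `group` is only resolved from the request parameters; nothing in
        # this method ties it to `service_account`, yet it is recorded in the audit log
        # entry and used in the redirect below. Confirm whether ownership is enforced
        # elsewhere.
        if not self.check_access(self.session, self.current_user, service_account):
            return self.forbidden()

        mapping = ServiceAccountPermissionMap.get(self.session, mapping_id)
        if not mapping:
            return self.notfound()

        # The access check above covers `service_account` only, while mapping_id is an
        # independent request parameter. Require the mapping to belong to the account
        # that was authorized; otherwise a user with access to one service account
        # could revoke a grant held by a different one. Reported as not found so the
        # response does not confirm that the mapping id exists on another account.
        if mapping.service_account_id != service_account.id:
            return self.notfound()

        # Read these before the delete so they are still available for the audit entry.
        permission = mapping.permission
        argument = mapping.argument

        mapping.delete(self.session)
        Counter.incr(self.session, "updates")
        self.session.commit()

        AuditLog.log(
            self.session,
            self.current_user.id,
            "revoke_permission",
            "Revoked permission with argument: {}".format(argument),
            on_permission_id=permission.id,
            on_group_id=group.id,
            on_user_id=service_account.user.id,
        )

        return self.redirect(
            "/groups/{}/service/{}?refresh=yes".format(group.name, service_account.user.username)
        )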
Exemplo n.º 8
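    def post(self, group_id=None, name=None, account_id=None, accountname=None, mapping_id=None):
        """Revoke a single permission mapping from a service account.

        The group, service account and mapping are looked up in turn; a missing one
        yields self.notfound(). The current user must pass self.check_access() for
        the service account, otherwise self.forbidden() is returned. On success the
        mapping is deleted, the "updates" counter is incremented, the session is
        committed, an audit log entry is written and the client is redirected.

        Args:
            group_id, name: identify the group (passed to Group.get).
            account_id, accountname: identify the service account
                (passed to ServiceAccount.get).
            mapping_id: id of the ServiceAccountPermissionMap row to delete.
        """
        group = Group.get(self.session, group_id, name)
        if not group:
            return self.notfound()
        service_account = ServiceAccount.get(self.session, account_id, accountname)
        if not service_account:
            return self.notfound()

        # NOTE(review): this method never checks that `group` is related to
        # `service_account`, although the group goes into the audit record and the
        # redirect URL. Verify that the relationship is enforced elsewhere.
        if not self.check_access(self.session, self.current_user, service_account):
            return self.forbidden()

        mapping = ServiceAccountPermissionMap.get(self.session, mapping_id)
        if not mapping:
            return self.notfound()

        # Authorization was decided for `service_account`, but the row to delete is
        # selected by a separate mapping_id. Reject a mapping that belongs to another
        # service account, so access to one account cannot be used to revoke grants
        # from a different one. notfound() avoids confirming that the id exists.
        if mapping.service_account_id != service_account.id:
            return self.notfound()

        # Captured before the delete for use in the audit log message below.
        permission = mapping.permission
        argument = mapping.argument

        mapping.delete(self.session)
        Counter.incr(self.session, "updates")
        self.session.commit()

        AuditLog.log(self.session, self.current_user.id, "revoke_permission",
                     "Revoked permission with argument: {}".format(argument),
                     on_permission_id=permission.id, on_group_id=group.id,
                     on_user_id=service_account.user.id)

        return self.redirect("/groups/{}/service/{}?refresh=yes".format(
            group.name, service_account.user.username))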