def _admin(): try: if not admin.session.authorized: return redirect(url_for("keycloak.login")) resp = admin.session.get( "/auth/realms/%s/protocol/openid-connect/userinfo" % oauth_realm) assert resp.ok groups = resp.json()['groups_all'] log.info("Checking? %s %s" % (conf['oauth']['admin_group'], str(groups))) if conf['oauth']['admin_group'] not in groups: message = "Access Denied - User does not belong to the administration group." activity('access', '', '', resp.json()['preferred_username'], False, message) del admin.token return render_template('error.html', message=message, username=resp.json()['preferred_username'], logout_url=admin_logout_url()) session['groups'] = groups session['username'] = resp.json()['preferred_username'] activity('access', '', '', session['username'], True, "Access Granted") return redirect(url_for("keycloak.main")) except oauthlib.oauth2.rfc6749.errors.TokenExpiredError as ex: return redirect(url_for("keycloak.login"))
def delete_user(username: str) -> object: """ Delete user if exists """ try: keycloak_cli.del_user(username) activity ('delete_user', '', '', 'api', True, "User %s Deleted" % username) except BaseException as ex: activity ('delete_user', '', '', 'api', False, "Failed - failed to delete user %s." % username) raise ex return jsonify({"status": "ok"})
def project_delete(projectId: str) -> object: """ Deletes the project access """ try: minio_cli.del_project(projectId) vault_cli.del_project(projectId) activity('disable_project', '', projectId, 'api', True, "Project Disabled") except BaseException as ex: activity('disable_project', '', projectId, 'api', False, "Failed - project partially disabled") raise ex try: purge = request.args.get('purge') log.debug("Purge? %s" % purge) if purge == "yes": keycloak_cli.del_project(projectId) minio_cli.del_buckets(projectId) activity('purge_project', '', projectId, 'api', True, "Project Purged") except BaseException as ex: activity('disable_project', '', projectId, 'api', False, "Failed - project partially purged") raise ex return jsonify({"status": "ok"})
def leave(projectId: str, username: str) -> object: """ Leave project """ try: keycloak_cli.leave_project(projectId, username) activity('leave_project', '', projectId, 'api', True, "User %s Removed" % username) except BaseException as ex: activity('leave_project', '', projectId, 'api', False, "Failed - failed to remove user %s." % username) raise ex return jsonify({"status": "ok"})
def join(projectId: str, username: str) -> object: """ Join project """ try: keycloak_cli.join_project(projectId, username) activity('join_project', '', projectId, 'api', True, "User %s Joined" % username) except BaseException as ex: activity('join_project', '', projectId, 'api', False, "Failed - failed to join user %s." % username) raise ex return jsonify({"status": "ok"})
def do_render_template(**args): if 'repository' in args['data']: team = get_sae_project(session['groups']) actor = session['username'] activity(args['action'], args['data']['repository'], team, actor, args['success'], args['message']) linked_repos = get_linked_repos() return render_template('index.html', **args, repo_list=linked_repos, unlinked_repo_list=get_unlinked_repos(), noshares_repo_list=get_noshares_repos(linked_repos), groups=session['groups'], project=get_sae_project(session['groups']))
def project_post(projectId: str) -> object: """ Enables a project """ try: keycloak_cli.add_project(projectId) minio_cli.add_project(projectId) vault_cli.add_project(projectId) activity('enable_project', '', projectId, 'api', True, "Project Enabled") except BaseException as ex: activity('enable_project', '', projectId, 'api', False, "Failed - project partially enabled") raise ex return jsonify({"status": "ok"})
def add_user(username: str) -> object: """ Add user if it does not exist """ content = request.json projectName = content['project'] try: keycloak_cli.add_user(username, content['email'], content['first_name'], content['last_name']) keycloak_cli.join_project(projectName, username) activity('add_user', '', projectName, 'api', True, "User %s Added" % username) except BaseException as ex: activity('add_user', '', projectName, 'api', False, "Failed - failed to add user %s." % username) raise ex return jsonify({"status": "ok"})
def _selfserve(): try: if not selfserve.session.authorized: return redirect(url_for("kc.login")) resp = selfserve.session.get( "/auth/realms/%s/protocol/openid-connect/userinfo" % oauth_realm) assert resp.ok js = resp.json() if 'groups' in js: groups = js['groups'] else: groups = [] session['groups'] = groups session['policy'] = resp.json()['policy'] session['username'] = resp.json()['preferred_username'] session['jwt_info'] = json.dumps(resp.json(), indent=4, sort_keys=True) activity('access', '', '', session['username'], True, "Access Granted") return redirect(url_for("kc.main")) except oauthlib.oauth2.rfc6749.errors.TokenExpiredError as ex: return redirect(url_for("kc.login"))
def add_user(username: str) -> object: """ Add user if it does not exist """ content = request.json groups = content['groups'] user_attributes = {} if "user_attributes" in content: user_attributes = content['user_attributes'] try: keycloak_cli.add_user(username, content['email'], content['first_name'], content['last_name'], user_attributes) for group in groups: keycloak_cli.add_group(group) keycloak_cli.join_group(group, username) activity ('add_user', '', '', 'api', True, "User %s Added" % username) except BaseException as ex: activity ('add_user', '', '', 'api', False, "Failed - failed to add user %s." % username) raise ex return jsonify({"status": "ok"})
def record_approval_request() -> object: """ Record an approval request """ content = request.json missing = [] required = [ 'commit_sha', 'requestor', 'diff', 'applications', 'approval_callback_url' ] for r in required: if r not in content: missing.append(r) if len(missing) > 0: raise Exception("Required data missing %s" % str(missing)) conf = config.Config() vault_cli = VaultClient(conf.data['vault']['addr'], conf.data['vault']['token']) pkg_request = vault_cli.get_package_requests() if pkg_request is None: vault_cli.update_package_request(content) activity( 'bbsae_apps_request', '', '', 'api', True, 'Initiated new apps approval for commit %s' % content['commit_sha']) else: vault_cli.delete_package_request() activity('bbsae_apps_req_cancelled', '', '', 'api', True, 'Cancelled request for commit %s' % pkg_request['commit_sha']) vault_cli.update_package_request(content) activity( 'bbsae_apps_request', '', '', 'api', True, 'Initiated new apps approval for commit %s' % content['commit_sha']) return jsonify({})
def approve_packages() -> object: """ Approve application changes """ data = request.form.to_dict() conf = config.Config() if not admin.session.authorized: return redirect(url_for("keycloak.login")) if not 'groups' in session: return render_template('error.html', message="Access Denied", username=session['username'], logout_url=admin_logout_url()) try: validate(data, ['commit_sha', 'answer']) commit_sha = data['commit_sha'] answer = data['answer'] # answer: approve | reject # In the case of approve, call the callback_url # In the case of reject, record in activity log # vault_cli = VaultClient(conf.data['vault']['addr'], conf.data['vault']['token']) pkg_request = vault_cli.get_package_requests() if pkg_request is None: return do_render_template(success=True, action="approve", tab={"approvals": "show active"}, message="Request already approved.") if answer == "approve": code = ''.join( random.choice(string.ascii_uppercase + string.digits) for _ in range(32)) log.debug("Callback %s" % pkg_request['approval_callback_url']) receipt = call_callback(pkg_request['approval_callback_url'], code) pkg_request['approve_result'] = { "performed_by": session['username'], "answer": answer, "timestamp": utc_to_local(datetime.datetime.now()).isoformat(), "tekton_receipt": receipt, "code": code } vault_cli.update_package_request(pkg_request) else: vault_cli.delete_package_request() msg = "Approved changes (%s)." % commit_sha if answer == "reject": msg = "Rejected changes (%s)." % commit_sha activity('%s_bbsae_apps_req' % answer, '', '', session['username'], True, msg) return do_render_template(success=True, action="approve", tab={"approvals": "show active"}, message=msg) except BaseException as error: print("Exception %s" % error) traceback.print_exc(file=sys.stdout) return do_render_template(success=False, action="approve", tab={"approvals": "show active"}, message="Failed to approve. %s" % (error))