def test_permission_exclude_inactive(session, standard_graph):
"""Ensure disabled groups are excluded from permission data."""
group = Group.get(session, name="team-sre")
permission = Permission.get(session, "ssh")
assert "team-sre" in [g[0] for g in permission.get_mapped_groups()]
group.disable()
assert "team-sre" not in [g[0] for g in permission.get_mapped_groups()]
def sync_db_command(args):
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
admin_group.grant_permission(permission)
session.commit()
def get(self, name=None):
# TODO: use cached data instead, add refresh to appropriate redirects.
permission = Permission.get(self.session, name)
if not permission:
return self.notfound()
can_delete = self.current_user.permission_admin
mapped_groups = permission.get_mapped_groups()
log_entries = permission.my_log_entries()
self.render(
"permission.html", permission=permission, can_delete=can_delete,
mapped_groups=mapped_groups, log_entries=log_entries,
)
def post(self, name=None):
if not self.current_user.permission_admin:
return self.forbidden()
permission = Permission.get(self.session, name)
if not permission:
return self.notfound()
permission.enable_auditing()
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'enable_auditing',
'Enabled auditing.', on_permission_id=permission.id)
# No explicit refresh because handler queries SQL.
return self.redirect("/permissions/{}".format(permission.name))
def post(self, name=None):
grantable = self.current_user.my_grantable_permissions()
if not grantable:
return self.forbidden()
group = Group.get(self.session, None, name)
if not group:
return self.notfound()
form = PermissionGrantForm(self.request.arguments)
form.permission.choices = [["", "(select one)"]]
for perm in grantable:
grantable_str = "{} ({})".format(perm[0].name, perm[1])
form.permission.choices.append([perm[0].name, grantable_str])
if not form.validate():
return self.render(
"permission-grant.html", form=form, group=group, alerts=self.get_form_alerts(form.errors)
)
permission = Permission.get(self.session, form.data["permission"])
if not permission:
return self.notfound() # Shouldn't happen.
allowed = False
for perm in grantable:
if perm[0].name == permission.name:
if matches_glob(perm[1], form.data["argument"]):
allowed = True
if not allowed:
form.argument.errors.append("You do not have grant authority over that permission/argument combination.")
return self.render(
"permission-grant.html", form=form, group=group, alerts=self.get_form_alerts(form.errors)
)
# If the permission is audited, then see if the subtree meets auditing requirements.
if permission.audited:
fail_message = (
"Permission is audited and this group (or a subgroup) contains "
+ "owners, np-owners, or managers who have not received audit training."
)
try:
permission_ok = assert_controllers_are_auditors(group)
except UserNotAuditor as e:
permission_ok = False
fail_message = e
if not permission_ok:
form.permission.errors.append(fail_message)
return self.render(
"permission-grant.html", form=form, group=group, alerts=self.get_form_alerts(form.errors)
)
try:
group.grant_permission(permission, argument=form.data["argument"])
except IntegrityError:
form.argument.errors.append("Permission and Argument already mapped to this group.")
return self.render(
"permission-grant.html", form=form, group=group, alerts=self.get_form_alerts(form.errors)
)
self.session.commit()
AuditLog.log(
self.session,
self.current_user.id,
"grant_permission",
"Granted permission with argument: {}".format(form.data["argument"]),
on_permission_id=permission.id,
on_group_id=group.id,
)
return self.redirect("/groups/{}?refresh=yes".format(group.name))
def post(self, group_id=None, name=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
# only owner of group can request permissions for that group
role_index = self.current_user.my_role_index(group.my_members())
if role_index not in OWNER_ROLE_INDICES:
return self.forbidden()
# check inputs
args_by_perm = get_grantable_permissions(self.session,
settings.restricted_ownership_permissions)
dropdown_form, text_form = GroupPermissionRequest._get_forms(args_by_perm,
self.request.arguments)
argument_type = self.request.arguments.get("argument_type")
if argument_type and argument_type[0] == "text":
form = text_form
elif argument_type and argument_type[0] == "dropdown":
form = dropdown_form
form.argument.choices = [(a, a) for a in args_by_perm[form.permission_name.data]]
else:
# someone messing with the form
self.log_message("unknown argument type", group_name=group.name,
argument_type=argument_type)
return self.forbidden()
if not form.validate():
return self.render(
"group-permission-request.html", dropdown_form=dropdown_form,
text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm),
alerts=self.get_form_alerts(form.errors),
dropdown_help=settings.permission_request_dropdown_help,
text_help=settings.permission_request_text_help,
)
permission = Permission.get(self.session, form.permission_name.data)
assert permission is not None, "our prefilled permission should exist or we have problems"
# save off request
try:
permissions.create_request(self.session, self.current_user, group,
permission, form.argument.data, form.reason.data)
except permissions.RequestAlreadyGranted:
alerts = [Alert("danger", "This group already has this permission and argument.")]
except permissions.RequestAlreadyExists:
alerts = [Alert("danger",
"Request for permission and argument already exists, please wait patiently.")]
except permissions.NoOwnersAvailable:
self.log_message("prefilled perm+arg have no owner", group_name=group.name,
permission_name=permission.name, argument=form.argument.data)
alerts = [Alert("danger", "No owners available for requested permission and argument."
" If this error persists please contact an adminstrator.")]
else:
alerts = None
if alerts:
return self.render(
"group-permission-request.html", dropdown_form=dropdown_form,
text_form=text_form, group=group, args_by_perm_json=json.dumps(args_by_perm),
alerts=alerts,
)
else:
return self.redirect("/groups/{}".format(group.name))
