def grant_to_model(user, controller): try: LOGGER.info('/USERS/%s/controllers/%s/models [PUT] => receiving call', user, controller) data = request.json token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/controllers/%s/models [PUT] => Authenticated!', user, controller) con = juju.authorize(token, controller) LOGGER.info('/USERS/%s/controllers/%s/models [PUT] => Authorized!', user, controller) if (token.is_admin or con.c_access == 'superuser') and 'admin' != user: if juju.user_exists(user): juju.set_models_access(token, con, user, data) LOGGER.info( '/USERS/%s/controllers/%s/models [PUT] => Setting model access, check set_model_access.log for more information!', user, controller) code, response = 202, 'The model access is being changed' else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/controllers/%s/models [PUT] => User %s does not exist!', user, controller, user) else: user_access = juju.get_models_access(con, user) if juju.user_exists(user): for mod in data: if not mod['name'] in user_access: LOGGER.error( '/USERS/%s/controllers/%s/models [PUT] => No Permission to perform this action!', user, controller) code, response = errors.no_permission() return juju.create_response(code, response) juju.set_models_access(token, con, user, data) LOGGER.info( '/USERS/%s/controllers/%s/models [PUT] => Setting model access, check set_model_access.log for more information!', user, controller) code, response = 202, 'The model access is being changed' else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/controllers/%s/models [PUT] => User %s does not exist!', user, controller, user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def get_credentials(user): try: LOGGER.info('/USERS/%s/credentials [GET] => receiving call', user) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/credentials [GET] => Authenticated!', user) if token.is_admin or token.username == user: if juju.user_exists(user): code, response = 200, juju.get_credentials(user) LOGGER.info( '/USERS/%s/credentials [GET] => Succesfully retrieved credentials!', user) else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/credentials [GET] => User %s does not exist!', user, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s/credentials [GET] => No Permission to perform this action!', user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def authorize(token, controller, model=None): if not controller_exists(controller): error = errors.does_not_exist('controller') abort(error[0], error[1]) else: con = Controller_Connection(token, controller) if not c_access_exists(con.c_access): error = errors.does_not_exist('controller') abort(error[0], error[1]) if model and not model_exists(con, model): error = errors.does_not_exist('model') abort(error[0], error[1]) elif model: mod = Model_Connection(token, controller, model) if not m_access_exists(mod.m_access): error = errors.unauthorized() abort(error[0], error[1]) return con, mod return con
def remove_credential(user, credential): try: LOGGER.info('/USERS/%s/credentials/%s [DELETE] => receiving call', user, credential) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/credentials/%s [DELETE] => Authenticated!', user, credential) if token.is_admin or token.username == user: if juju.user_exists(user): if juju.credential_exists(user, credential): juju.remove_credential(user, credential) LOGGER.info( '/USERS/%s/credentials/%s [DELETE] => Removing credential, check remove_credential.log for more information!', user, credential) code, response = 202, 'Credentials are being removed' else: code, response = errors.does_not_exist('credential') else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/credentials/%s [DELETE] => User %s does not exist!', user, credential, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s/credentials/%s [DELETE] => No Permission to perform this action!', user, credential) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def get_user_info(user): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) user = juju.check_input(user) if execute_task(juju.user_exists, user): if user == token.username or token.is_admin: code, response = 200, execute_task(juju.get_user_info, user) else: code, response = errors.unauthorized() else: code, response = errors.does_not_exist('user') except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def get_ucontroller_access(user, controller): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) con = execute_task(juju.authorize, token, juju.check_input(controller)) usr = juju.check_input(user) if execute_task(juju.user_exists, usr): if token.is_admin or token.username == usr: code, response = 200, execute_task(juju.get_ucontroller_access, con, usr) else: code, response = errors.unauthorized() else: code, response = errors.does_not_exist('user') except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def change_user_password(user): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) usr = juju.check_input(user) if execute_task(juju.user_exists, usr): if usr == token.username or token.is_admin: execute_task(juju.change_user_password, token, usr, request.json['password']) code, response = 200, 'succesfully changed password for user {}'.format(usr) else: code, response = errors.unauthorized() else: code, response = errors.does_not_exist('user') except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def grant_to_controller(user, controller): try: LOGGER.info('/USERS/%s/controllers/%s [PUT] => receiving call', user, controller) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/controllers/%s [PUT] => Authenticated!', user, controller) con = juju.authorize(token, controller) LOGGER.info('/USERS/%s/controllers/%s [PUT] => Authorized!', user, controller) if (token.is_admin or con.c_access == 'superuser') and 'admin' != user: if juju.user_exists(user): if request.json['access'] and juju.c_access_exists( request.json['access'].lower()): juju.grant_user_to_controller( token, con, user, request.json['access'].lower()) LOGGER.info( '/USERS/%s/controllers/%s [PUT] => Changing user access, check set_controller_access.log for more information!', user, controller) code, response = 202, 'The user\'s access is being changed' else: LOGGER.error( '/USERS/%s/controllers/%s [PUT] => Invalid access data provided : %s', user, controller, request.json['access']) code, response = errors.invalid_access('access') else: LOGGER.error( '/USERS/%s/controllers/%s [PUT] => User %s does not exist', user, controller, user) code, response = errors.does_not_exist('user') else: LOGGER.error( '/USERS/%s/controllers/%s [PUT] => No Permission to perform this action', user, controller) code, response = errors.no_permission() except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def grant_to_model(user, controller, model): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) con, mod = execute_task(juju.authorize, token, juju.check_input(controller), juju.check_input(model)) usr = juju.check_input(user) if (token.is_admin or mod.m_access == 'admin' or con.c_access == 'superuser') and user != 'admin': access = juju.check_access(request.json['access']) if execute_task(juju.user_exists, user): execute_task(juju.add_user_to_model, token, con, mod, usr, access) code, response = 202, 'Process being handeled' else: code, response = errors.does_not_exist('user') else: code, response = errors.unauthorized() except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def update_ssh_keys(user): try: LOGGER.info('/USERS/%s/ssh-keys [PUT] => receiving call', user) data = request.json token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/ssh-keys [PUT] => Authenticated!', user) if token.is_admin or token.username == user: if juju.user_exists(user): for key in data['ssh-keys']: try: fp_key = base64.b64decode( key.strip().split()[1].encode('ascii')) fp_plain = hashlib.md5(fp_key).hexdigest() output = ':'.join( a + b for a, b in zip(fp_plain[::2], fp_plain[1::2])) except Exception: code, response = errors.invalid_ssh_key(key) return juju.create_response(code, response) juju.update_ssh_keys_user(user, data['ssh-keys']) LOGGER.info( '/USERS/%s/ssh-keys [PUT] => SSH-keys are being updated, check update_ssh_keys.log for more information!', user) code, response = 202, 'SSH-keys are being updated' else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/ssh-keys [PUT] => User %s does not exist!', user, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s/ssh-keys [PUT] => No Permission to perform this action!', user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def revoke_from_controller(user, controller): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) con = execute_task(juju.authorize, token, juju.check_input(controller)) usr = juju.check_input(user) if (token.is_admin or con.c_access == 'superuser' or token.username == usr) and usr != 'admin': if execute_task(juju.user_exists, usr): execute_task(con.connect, token) execute_task(juju.remove_user_from_controller, token, con, usr) code, response = 200, execute_task(juju.remove_user_from_controller, con, usr) execute_task(con.disconnect) else: code, response = errors.does_not_exist('user') else: code, response = errors.unauthorized() except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def delete_user(user): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) usr = juju.check_input(user) if token.is_admin: if execute_task(juju.user_exists, usr): if usr != 'admin': execute_task(juju.delete_user, token, usr) code, response = 200, 'User {} succesfully removed'.format(usr) else: code, response = 403, 'This would remove the admin from the system!' else: code, response = errors.does_not_exist('user') else: code, response = errors.unauthorized() except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
async def deploy_app(token, con, model, app_name, data): ser = data.get('series', None) if(cloud_supports_series(con, ser)): conf = data.get('config', None) machine = data.get('target', None) if machine and not machine_exists(token, model, machine): error = errors.does_not_exist(machine) abort(error[0], error[1]) units = data.get('units', "1") async with model.connect(token) as juju: try: await juju.deploy(app_name, application_name=app_name, series=ser, to=machine, config=conf, num_units=int(units)) except JujuError as e: if e == 'subordinate application must be deployed without units': await juju.deploy(app_name, application_name=app_name, series=ser, config=conf, num_units=0) else: error = errors.invalid_option(data) abort(error[0], error[1])
def revoke_from_model(user, controller, model): try: token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) con, mod = execute_task(juju.authorize, token, juju.check_input(controller), juju.check_input(model)) usr = juju.check_input(user) if execute_task(juju.user_exists, usr): if (mod.m_access == 'admin' or mod.c_access == 'superuser') and user != 'admin': execute_task(con.connect, token) execute_task(mod.connect, token) execute_task(juju.remove_user_from_model, con, mod, usr) code, response = 200, 'Revoked access for user {} on model {}'.format(usr, model) execute_task(con.disconnect) execute_task(mod.disconnect) else: code, response = errors.unauthorized() else: code, response = errors.does_not_exist('user') except KeyError: code, response = errors.invalid_data() return juju.create_response(code, response)
def get_model_access(user, controller, model): try: LOGGER.info( '/USERS/%s/controllers/%s/models/%s [GET] => receiving call!', user, controller, model) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info( '/USERS/%s/controllers/%s/models/%s [GET] => Authenticated!', user, controller, model) con, mod = juju.authorize(token, controller, model) LOGGER.info('/USERS/%s/controllers/%s/models/%s [GET] => Authorized!', user, controller, model) if token.is_admin or token.username == user or mod.access == 'admin' or con.access == 'superuser': if juju.user_exists(user): access = juju.get_model_access(mod.m_name, con.c_name, user) code, response = 200, {'access': access} LOGGER.info( '/USERS/%s/controllers/%s/models/%s [GET] => Succesfully retrieved model access!', user, controller, model) else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/controllers/%s/models/%s [GET] => User %s does not exist!', user, controller, model, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s/controllers/%s/models/%s [GET] => No Permission to perform this action!', user, controller, model) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def change_user_password(user): try: LOGGER.info('/USERS/%s [PUT] => receiving call', user) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s [PUT] => Authenticated!', user) if user == token.username or token.is_admin: if juju.user_exists(user): pwd = request.json['password'] if pwd: execute_task(juju.change_user_password, token, user, pwd) code, response = 200, 'Succesfully changed password for user {}'.format( user) LOGGER.info( '/USERS/%s [PUT] => Succesfully changed password for user %s!', user, user) else: code, response = errors.empty() LOGGER.error( '/USERS/%s [PUT] => User password can\'t be empty!', user) else: code, response = errors.does_not_exist('user') LOGGER.error('/USERS/%s [PUT] => User %s does not exist!', user, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s [PUT] => No Permission to perform this action!', user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def add_credential(user): try: LOGGER.info('/USERS/%s/credentials [POST] => receiving call', user) data = request.json token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s/credentials [POST] => Authenticated!', user) if token.is_admin or token.username == user: if juju.user_exists(user): if not juju.credential_exists(user, data['name']): juju.add_credential(user, data) LOGGER.info( '/USERS/%s/credentials [POST] => Adding credentials, check add_credential.log for more information!', user) code, response = 202, 'Credentials are being added' else: code, response = errors.already_exists('credential') LOGGER.error( '/USERS/%s/credentials [POST] => Credential for User %s already exists!', user, user) else: code, response = errors.does_not_exist('user') LOGGER.error( '/USERS/%s/credentials [POST] => User %s does not exist!', user, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s/credentials [POST] => No Permission to perform this action!', user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)
def delete_user(user): try: LOGGER.info('/USERS/%s [DELETE] => receiving call', user) token = execute_task(juju.authenticate, request.headers['api-key'], request.authorization) LOGGER.info('/USERS/%s [DELETE] => Authenticated!', user) if token.is_admin: if juju.user_exists(user): if user != 'admin': juju.delete_user(user) code, response = 202, 'User {} is being removed'.format( user) LOGGER.info( '/USERS/%s [DELETE] => User %s is being removed!', user, user) else: code, response = 403, 'This would remove the admin from the system!' LOGGER.error( '/USERS/%s [DELETE] => This would remove the admin from the system!', user) else: code, response = errors.does_not_exist('user') LOGGER.error('/USERS/%s [DELETE] => User %s does not exist!', user, user) else: code, response = errors.no_permission() LOGGER.error( '/USERS/%s [DELETE] => No Permission to perform this action!', user) except KeyError: code, response = errors.invalid_data() error_log() except HTTPException: ers = error_log() raise except Exception: ers = error_log() code, response = errors.cmd_error(ers) return juju.create_response(code, response)