def process_group_related_activities(datasource_id, actor_email, event):
event_name = event['name']
if event_name == 'ADD_GROUP_MEMBER':
activity_events_parameters = event['parameters']
group_email = None
user_email = None
for param in activity_events_parameters:
name = param['name']
if name == 'GROUP_EMAIL':
group_email = param['value']
elif name == 'USER_EMAIL':
user_email = param['value']
user_directory_struct = DirectoryStructure()
user_directory_struct.datasource_id = datasource_id
user_directory_struct.member_email = user_email
user_directory_struct.parent_email = group_email
user_directory_struct.member_role = 'MEMBER'
user_directory_struct.member_type = 'USER' # TODO : check whether type is group or user
db_session = db_connection().get_session()
db_session.execute(DirectoryStructure.__table__.insert().prefix_with("IGNORE").
values(db_utils.get_model_values(DirectoryStructure, user_directory_struct)))
if user_email:
datasource_obj = get_datasource(datasource_id)
domain_id = datasource_obj.domain_id
exposure_type = utils.check_if_external_user(db_session, domain_id, user_email)
if exposure_type == constants.EntityExposureType.EXTERNAL.value:
# check if external user present in domain user table
existing_user = db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.email == user_email)).first()
external_user = None
if not existing_user:
external_user = DomainUser()
external_user.datasource_id = datasource_id
external_user.email = user_email
external_user.member_type = constants.EntityExposureType.EXTERNAL.value
external_user.type = 'USER'
# TODO: find the first name and last name of external user
external_user.first_name = ""
external_user.last_name = ""
db_session.add(external_user)
user_obj = existing_user if existing_user else external_user
payload = {}
payload["user"] = json.dumps(user_obj, cls=alchemy_encoder())
policy_params = {'dataSourceId': datasource_id,
'policy_trigger': constants.PolicyTriggerType.NEW_USER.value}
Logger().info("new_user : payload : {}".format(payload))
messaging.trigger_post_event(urls.GSUITE_POLICIES_VALIDATE_PATH, constants.INTERNAL_SECRET, policy_params, payload,
"gsuite")
datasource_obj = get_datasource(datasource_id)
tags = {"group_email": group_email, "user_email":user_email}
activity_db().add_event(domain_id=datasource_obj.domain_id, connector_type=constants.ConnectorTypes.GSUITE.value,
event_type='ADD_GROUP_MEMBER', actor=actor_email, tags=tags)
db_connection().commit()
def create_report(auth_token, payload):
db_session = db_connection().get_session()
if "is_default" in payload:
result = []
db_session = db_connection().get_session()
datasource_id = payload["datasource_id"]
login_user = db_utils.get_user_session(auth_token).email
domain_id = db_session.query(DataSource).filter(
DataSource.datasource_id == datasource_id).first().domain_id
reports = default_reports.default_reports
datasource_type = db_utils.get_datasource(
datasource_id).datasource_type
default_datasource_reports = datasource_to_default_report_map[
datasource_type]
if default_datasource_reports:
reports.extend(default_datasource_reports)
for report in reports:
existing_report = db_session.query(Report).filter(
Report.domain_id == domain_id,
Report.name == report["name"]).first()
if not existing_report:
report["receivers"] = login_user
report["datasource_id"] = datasource_id
result.append(
insert_entry_into_report_table(db_session, auth_token,
report))
return result
else:
return [
insert_entry_into_report_table(db_session, auth_token, payload)
]
def delegate_admin_settings(datasource_id, actor_email, event):
db_session = db_connection().get_session()
event_name = event['name']
activity_events_parameters = event['parameters']
user_email = None
for param in activity_events_parameters:
name = param['name']
if name == 'USER_EMAIL':
user_email = param['value']
if event_name == 'ASSIGN_ROLE':
user_obj = db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.email == user_email)).first()
if user_obj:
user_obj.is_admin = True
call_validate_policies_for_admin_user(user_obj, datasource_id)
datasource_obj = get_datasource(datasource_id)
tags = {"user_email": user_email, "is_admin": user_obj.is_admin}
activity_db().add_event(domain_id=datasource_obj.domain_id,
connector_type=constants.ConnectorTypes.GSUITE.value,
event_type=event_name, actor=actor_email, tags=tags)
elif event_name == 'UNASSIGN_ROLE':
db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.email == user_email, DomainUser.is_admin == True)).update({DomainUser.is_admin: False})
db_connection().commit()
def modify_group_membership(auth_token, datasource_id, action_name,
action_parameters, log_entry):
user_email = action_parameters["user_email"]
group_email = action_parameters["group_email"]
db_session = db_connection().get_session()
status_message = "Action completed successfully"
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
payload = {
"log_id": str(log_entry.log_id),
"action_type": action_name,
"user_email": user_email,
"group_email": group_email,
'datasource_id': datasource_id,
"domain_id": datasource_obj.domain_id
}
response = messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type],
constants.TriggerType.SYNC.value)
if response and action_name == action_constants.ActionNames.REMOVE_USER_FROM_GROUP.value:
if response.response_code != constants.SUCCESS_STATUS_CODE:
log_entry.status = action_constants.ActionStatus.FAILED.value
status_message = 'Action failed with error - ' + \
response.response_body['error']['message']
log_entry.message = status_message
return response_messages.ResponseMessage(response.response_code,
status_message)
db_session.query(DirectoryStructure).filter(
and_(DirectoryStructure.datasource_id == datasource_id,
DirectoryStructure.parent_email == group_email,
DirectoryStructure.member_email == user_email)).delete()
elif response and action_name == action_constants.ActionNames.ADD_USER_TO_GROUP.value:
if response.response_code != constants.SUCCESS_STATUS_CODE:
log_entry.status = action_constants.ActionStatus.FAILED.value
message = response.response_body['error']['message'] if 'message' in \
response.response_body['error'] else response.response_body['error']
status_message = 'Action failed with error - ' + message
log_entry.message = status_message
return response_messages.ResponseMessage(response.response_code,
status_message)
response_body = response.response_body
dirstructure = DirectoryStructure()
dirstructure.datasource_id = datasource_id
dirstructure.member_email = user_email
dirstructure.parent_email = group_email
dirstructure.member_type = response_body['type']
dirstructure.member_role = response_body['role']
dirstructure.member_id = response_body['id']
db_session.add(dirstructure)
log_entry.status = action_constants.ActionStatus.SUCCESS.value
log_entry.message = status_message
db_connection().commit()
return response_messages.ResponseMessage(200, status_message)
def process_channel_unarchive(db_session, datasource_id, payload):
channel_id = payload['channel']
db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.user_id == channel_id)).update({DomainUser.is_suspended: False})
datasource_obj = get_datasource(datasource_id)
if datasource_obj:
tags = {"channel_id": channel_id}
activity_db().add_event(domain_id=datasource_obj.domain_id, connector_type=constants.ConnectorTypes.SLACK.value,
event_type='CHANNEL_UNARCHIVE', actor=None,
tags=tags)
def process_user_related_activities(datasource_id, actor_email, event):
event_name = event['name']
activity_events_parameters = event['parameters']
user_email = None
user_obj = None
db_session = db_connection().get_session()
for param in activity_events_parameters:
name = param['name']
if name == 'USER_EMAIL':
user_email = param['value']
datasource_obj = get_datasource(datasource_id)
tags = {"user_email": user_email}
if event_name == 'CREATE_USER':
if user_email:
directory_service = gutils.get_directory_service(None, actor_email)
results = None
try:
results = directory_service.users().get(userKey=user_email).execute()
except RefreshError as ex:
Logger().info("User query : Not able to refresh credentials")
except HttpError as ex:
Logger().info("User query : Domain not found error")
if results:
gsuite_user = user.GsuiteUser(datasource_id, results)
user_obj = gsuite_user.get_model()
db_session.execute(DomainUser.__table__.insert().prefix_with("IGNORE").
values(db_utils.get_model_values(DomainUser, user_obj)))
call_validate_policies_for_admin_user(user_obj, datasource_id)
additional_payload = {"user_email": user_email, "is_admin": user_obj.is_admin}
tags["is_admin"] = user_obj.is_admin
elif event_name == 'GRANT_ADMIN_PRIVILEGE':
user_obj = db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.email == user_email)).first()
if user_obj:
user_obj.is_admin = True
call_validate_policies_for_admin_user(user_obj, datasource_id)
tags["is_admin"] = user_obj.is_admin
elif event_name == "SUSPEND_USER":
db_session.query(DomainUser).filter(and_(DomainUser.datasource_id == datasource_id,
DomainUser.email == user_email)).update({DomainUser.is_suspended: True})
elif event_name == "DELETE_USER":
delete_user_info(db_session, user_email, datasource_id)
activity_db().add_event(domain_id=datasource_obj.domain_id,
connector_type=constants.ConnectorTypes.GSUITE.value,
event_type=event_name, actor=actor_email, tags=tags)
db_connection().commit()
def validate_permission_change(auth_token, datasource_id, payload):
old_permissions = json.loads(payload["old_permissions"])
new_permissions = json.loads(payload["new_permissions"])
old_permissions_map = {}
for permission in old_permissions:
old_permissions_map[permission["email"]] = permission
resource = json.loads(payload["resource"])
has_permission_changed = False
for new_permission in new_permissions:
new_permission_email = new_permission["email"]
Logger().info(
"Checking new permission - {}".format(new_permission_email))
if (not new_permission_email in old_permissions_map):
Logger().info(
"New permission does not exist in old permissions - {}".format(
new_permission_email))
has_permission_changed = True
else:
if (not old_permissions_map[new_permission_email]
["permission_type"] == new_permission["permission_type"]):
Logger().info(
"New permission is not same as old permission - {}".format(
new_permission_email))
has_permission_changed = True
del old_permissions_map[new_permission_email]
if not has_permission_changed and old_permissions_map:
Logger().info("Old permissions were more than new permissions")
has_permission_changed = True
if has_permission_changed:
Logger().info(
"Permissions changed for this document, validate policy conditions now..."
)
db_session = db_connection().get_session()
policies = db_session.query(Policy).filter(
and_(
Policy.datasource_id == datasource_id, Policy.trigger_type ==
constants.PolicyTriggerType.PERMISSION_CHANGE.value,
Policy.is_active == True)).all()
if not policies or len(policies) < 1:
Logger().info(
"No policies found for permission change trigger, ignoring...")
return
datasource_obj = get_datasource(datasource_id)
for policy in policies:
validate_permission_change_policy(db_session, auth_token,
datasource_obj, policy, resource,
new_permissions)
return
return
def new_channel_created(db_session, datasource_id, payload):
channel_info = payload['channel']
channel_info['channel_type'] = slack_constants.ChannelTypes.PUBLIC.value
channel_obj = entities.SlackChannel(datasource_id, channel_info)
channel_obj_model = channel_obj.get_model()
db_session.add(channel_obj_model)
datasource_obj = get_datasource(datasource_id)
if datasource_obj:
tags = {"channel_email": channel_obj_model.email}
activity_db().add_event(domain_id=datasource_obj.domain_id,
connector_type=constants.ConnectorTypes.SLACK.value,
event_type='CHANNEL_CREATED', actor=None,
tags={})
def process_drive_activity(datasource_id, incoming_activity):
actor = incoming_activity['actor']
# Sometimes email does not come, when the event is triggered by a service (Ex- Google Support for DLP)
actor_email = actor['email'] if 'email' in actor else ""
resource = {}
resource_permission = {}
last_modifying_user_email = actor_email
last_modified_time = incoming_activity['id']['time'][:-1]
for event in incoming_activity['events']:
event_name = event['name']
event_type = event['type']
activity_events_parameters = event['parameters']
primary_name = activity_events_parameters[0]['name']
if event_type == 'acl_change':
pass
# if primary_name == 'primary_event':
# boolValue = activity_events_parameters[0]['boolValue']
# if boolValue:
# max_perm_string = None
# for parameter in activity_events_parameters:
# if parameter['name'] == 'doc_id':
# resource["resource_id"] = parameter['value']
# resource_permission["resource_id"] =parameter['value']
# elif parameter['name'] == 'owner':
# resource['resource_owner_id'] = parameter['value']
# # permission change activity
# elif parameter['name'] == 'target_user':
# resource_permission['email'] = parameter['value']
# elif parameter['name'] == 'new_value':
# perm_values = parameter['multiValue'] # ['can_edit','can_view']
# for perm in perm_values:
# curr_perm_value = constants.permission_priority[perm] if perm in constants.permission_priority else 0
# max_perm_Value = constants.permission_priority[max_perm_string] if max_perm_string in constants.permission_priority else 0
# max_perm_string = perm if curr_perm_value > max_perm_Value else max_perm_string
#
# resource_permission['permission_type'] = constants.Permission_Role_mapping[max_perm_string]
# elif parameter['name'] == 'visibility':
# resource_permission['exposure_type'] = parameter['value']
elif event_type == 'download':
resource_id = None
if primary_name == 'primary_event':
boolValue = activity_events_parameters[0]['boolValue']
if boolValue:
for parameter in activity_events_parameters:
if parameter['name'] == 'doc_id':
resource_id = parameter['value']
datasource_obj = get_datasource(datasource_id)
activity_db().add_event(domain_id=datasource_obj.domain_id, connector_type=constants.ConnectorTypes.GSUITE.value,
event_type="DOWNLOAD", actor=actor_email, tags={'resource_id': resource_id})
def process_member_left_channel(db_session, datasource_id, payload):
left_user_id = payload['user']
channel_id = payload['channel']
user_channel_info = get_user_and_channel_info_based_on_ids(db_session, datasource_id, left_user_id, channel_id)
user_info = user_channel_info['user']
channel_info = user_channel_info['channel']
db_session.query(DirectoryStructure).filter(and_(DirectoryStructure.datasource_id == datasource_id,
DirectoryStructure.parent_email == channel_info.email,
DirectoryStructure.member_email == user_info.email)).delete()
datasource_obj = get_datasource(datasource_id)
if datasource_obj:
activity_db().add_event(domain_id=datasource_obj.domain_id,
connector_type=constants.ConnectorTypes.SLACK.value,
event_type='MEMBER_LEFT_CHANNEL', actor=None,
tags={"channel_id": channel_id, "user_email": user_info.email, "channel_email": channel_info.email})
def delete_repository(auth_token, datasource_id, action_key, action_parameters,
log_entry):
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
status_message = "Action submitted successfully"
payload = {
"resource_name": action_parameters["resource_name"],
"action_type": action_key,
"datasource_id": datasource_id
}
messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type])
log_entry.status = action_constants.ActionStatus.SUCCESS.value
log_entry.message = status_message
db_connection().commit()
return response_messages.ResponseMessage(200, status_message)
def process_member_joined_channel(db_session, datasource_id, payload):
joined_user_id = payload['user'] if 'user' in payload else None
channel_id = payload['channel']
if joined_user_id:
user_channel_info = get_user_and_channel_info_based_on_ids(db_session, datasource_id, joined_user_id,
channel_id)
user_info = user_channel_info['user']
channel_info = user_channel_info['channel']
payload['name'] = channel_info.email
directory_member_obj = entities.SlackDirectoryMember(db_session, datasource_id, user_info, joined_user_id, None, payload)
db_session.execute(DirectoryStructure.__table__.insert().prefix_with("IGNORE").
values(db_utils.get_model_values(DirectoryStructure, directory_member_obj.get_model())))
datasource_obj = get_datasource(datasource_id)
if datasource_obj:
activity_db().add_event(domain_id=datasource_obj.domain_id,
connector_type=constants.ConnectorTypes.SLACK.value,
event_type='MEMBER_JOINED_CHANNEL', actor=None,
tags={"channel_id": channel_id, "channel_email": channel_info.email,
"user_email": user_info.email})
def transfer_ownership(auth_token, datasource_id, action_name,
action_parameters, log_entry):
status_message = "Action submitted successfully"
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
payload = {
"log_id": str(log_entry.log_id),
"action_type": action_name,
"user_email": action_parameters["old_owner_email"],
"new_owner_email": action_parameters["new_owner_email"],
'datasource_id': datasource_id,
"domain_id": datasource_obj.domain_id
}
messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type])
log_entry.status = action_constants.ActionStatus.SUCCESS.value
log_entry.message = status_message
db_connection().commit()
return response_messages.ResponseMessage(200, status_message)
def create_policy(auth_token, payload):
db_session = db_connection().get_session()
datasource_id = payload["datasource_id"]
if "is_default" in payload:
login_user = db_utils.get_user_session(auth_token).email
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
db_session = db_connection().get_session()
default_policies = datasource_to_default_policy_map[datasource_type]
for policy in default_policies:
existing_policy = db_session.query(Policy).filter(
and_(Policy.datasource_id == datasource_id,
Policy.name == policy["name"])).first()
if not existing_policy:
policy['datasource_id'] = datasource_id
if len(policy["actions"]) > 0:
policy["actions"][0]["config"]["to"] = login_user
policy["created_by"] = login_user
insert_entry_into_policy_table(db_session, policy)
return
else:
return insert_entry_into_policy_table(db_session, payload)
def execute_batch_delete(auth_token,
datasource_id,
user_email,
initiated_by,
permissions_to_update,
log_entry,
action_type,
more_to_execute=False):
sync_response = None
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
body = json.dumps(permissions_to_update, cls=alchemy_encoder())
payload = {
"permissions": body,
"datasource_id": datasource_id,
"domain_id": datasource_obj.domain_id,
"more_to_execute": 1 if more_to_execute else 0,
"initiated_by_email": initiated_by,
"log_id": str(log_entry.log_id),
"user_email": user_email,
"action_type": action_type
}
sync_response = messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type],
constants.TriggerType.SYNC.value)
if sync_response.response_code != constants.SUCCESS_STATUS_CODE:
return sync_response
elif more_to_execute:
return response_messages.ResponseMessage(
constants.ACCEPTED_STATUS_CODE, 'Action submitted successfully')
else:
return response_messages.ResponseMessage(
200, 'Action completed successfully')
def add_resource_permission(auth_token, datasource_id, action_payload,
log_entry):
action_parameters = action_payload['parameters']
new_permission_role = action_parameters['new_permission_role']
resource_id = action_parameters['resource_id']
resource_owner = action_parameters['resource_owner_id']
permission = ResourcePermission()
permission.datasource_id = datasource_id
permission.resource_id = resource_id
permission.email = action_parameters['user_email']
permission.permission_type = new_permission_role
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
body = json.dumps([permission], cls=alchemy_encoder())
payload = {
"permissions": body,
"datasource_id": datasource_id,
"domain_id": datasource_obj.domain_id,
"initiated_by_email": action_payload['initiated_by'],
"log_id": str(log_entry.log_id),
"user_email": resource_owner,
"action_type": action_payload['key']
}
response = messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type],
constants.TriggerType.SYNC.value)
if response and response.response_code == constants.SUCCESS_STATUS_CODE:
return response_messages.ResponseMessage(
constants.SUCCESS_STATUS_CODE, 'Action completed successfully')
else:
return response_messages.ResponseMessage(
response.response_code, response.response_body['message'])
def oauth_callback(oauth_code, scopes, state, error):
redirect_url = ""
if error or not oauth_code:
redirect_url = urls.OAUTH_STATUS_URL + "/error?error={}".format(error)
return redirect_url
# in state we are passing the login scope name
scope_name = state
scope = LOGIN_SCOPE
if scope_name in SCOPE_DICT:
scope = SCOPE_DICT[scope_name]
flow = google_auth_oauthlib.flow.Flow.from_client_secrets_file(
gutils.CLIENT_SECRETS_FILE, scopes=scope)
flow.redirect_uri = urls.GOOGLE_OAUTH_CALLBACK_URL
# Use the authorization server's response to fetch the OAuth 2.0 tokens.
flow.fetch_token(code=oauth_code)
credentials = flow.credentials
if not credentials:
redirect_url = urls.OAUTH_STATUS_URL + "/error?error={}".format(
"Credentials not found.")
return redirect_url
refresh_token = credentials.refresh_token
token = credentials.token
service = gutils.get_oauth_service(credentials)
profile_info = service.userinfo().get().execute()
login_email = profile_info['email'].lower()
Logger().info(
"Credentials received for {} are token: {}, refresh_token: {}, scopes: {}"
.format(login_email, credentials.token, credentials.refresh_token,
credentials.scopes))
domain_id = login_email
db_session = db_connection().get_session()
login_user = db_utils.get_login_user_from_email(login_email, db_session)
is_serviceaccount_enabled = gutils.check_if_serviceaccount_enabled(
login_email)
if is_serviceaccount_enabled:
domain_id = login_email.split('@')[1]
if login_user:
if not login_user.is_serviceaccount_enabled == is_serviceaccount_enabled:
db_utils.create_domain(db_session, domain_id, domain_id)
db_session.delete(login_user)
db_connection().commit()
login_user = db_utils.create_user(login_email,
profile_info['given_name'],
profile_info['family_name'],
domain_id,
refresh_token,
is_serviceaccount_enabled,
scope_name,
token,
db_session=db_session)
if login_user:
adya_emails.send_welcome_email(login_user)
elif refresh_token:
login_user.refresh_token = refresh_token
login_user.authorize_scope_name = scope_name
login_user.token = token
login_user.last_login_time = datetime.datetime.utcnow()
db_connection().commit()
else:
existing_domain_user = db_session.query(DomainUser).filter(
and_(
DomainUser.email == login_email, DomainUser.member_type ==
constants.EntityExposureType.INTERNAL.value)).first()
if existing_domain_user and is_serviceaccount_enabled:
data_source = db_utils.get_datasource(
existing_domain_user.datasource_id, db_session)
login_user = db_utils.create_user(
login_email, existing_domain_user.first_name,
existing_domain_user.last_name, domain_id, refresh_token,
data_source.is_serviceaccount_enabled, scope_name, token,
db_session)
else:
domain = db_utils.create_domain(db_session, domain_id, domain_id)
login_user = db_utils.create_user(login_email,
profile_info['given_name'],
profile_info['family_name'],
domain_id, refresh_token,
is_serviceaccount_enabled,
scope_name, token, db_session)
if login_user:
adya_emails.send_welcome_email(login_user)
redirect_url = urls.OAUTH_STATUS_URL + "/success?email={}&authtoken={}".format(
login_email, login_user.auth_token)
return redirect_url
def process_application(db_session, datasource_id, payload):
slack_client = slack_utils.get_slack_client(datasource_id)
app_id = payload['profile']['api_app_id']
apps = slack_client.api_call(
"team.integrationLogs",
limit=150,
change_type=slack_constants.AppChangedTypes.ADDED.value,
app_id=app_id)
apps_list = apps["logs"]
if apps_list:
user_id = ''
display_text = ''
max_score = 0
for app in apps_list:
query_params = {"dataSourceId": datasource_id}
scanner_data = {"entities": [app]}
# add in application and userappassociation table
apps_scanner.process(db_session, None, query_params, scanner_data)
user_id = app['user_id']
display_text = app["app_type"] if "app_type" in app else app[
"service_type"]
if 'scope' in app:
scopes = app["scope"]
max_score = slack_utils.get_app_score(scopes)
#check for trusted apps
datasource_obj = get_datasource(datasource_id)
domain_id = datasource_obj.domain_id
check_app_is_trusted = False
trusted_apps_list = (get_trusted_entity_for_domain(
db_session, domain_id))['trusted_apps']
if display_text in trusted_apps_list:
check_app_is_trusted = True
# policy check and send alert if apps are not trusted
if not check_app_is_trusted:
policy_params = {
'dataSourceId': datasource_id,
'policy_trigger': constants.PolicyTriggerType.APP_INSTALL.value
}
app_payload = {}
app_payload['display_text'] = display_text
app_payload['score'] = max_score
user_info = db_session.query(DomainUser).filter(
and_(DomainUser.datasource_id == datasource_id,
DomainUser.user_id == user_id)).first()
app_payload['user_email'] = user_info.email
policy_payload = {}
policy_payload['application'] = json.dumps(app_payload,
cls=alchemy_encoder())
Logger().info("added_app : payload : {}".format(app_payload))
messaging.trigger_post_event(urls.SLACK_POLICIES_VALIDATE_PATH,
constants.INTERNAL_SECRET,
policy_params, policy_payload,
"slack")
activity_db().add_event(
domain_id=domain_id,
connector_type=constants.ConnectorTypes.SLACK.value,
event_type='OAUTH_GRANT',
actor=user_id,
tags={
"score": max_score,
"display_text": display_text
})
def update_or_delete_resource_permission(auth_token, datasource_id,
action_payload, log_entry):
action_parameters = action_payload['parameters']
new_permission_role = action_parameters['new_permission_role']
user_type = action_parameters[
'user_type'] if 'user_type' in action_parameters else 'user'
resource_id = action_parameters['resource_id']
resource_owner = action_parameters['resource_owner_id']
user_email = action_parameters['user_email']
initiated_user = action_payload['initiated_by']
current_time = datetime.utcnow()
db_session = db_connection().get_session()
existing_permission = db_session.query(ResourcePermission).filter(
and_(ResourcePermission.resource_id == resource_id,
ResourcePermission.datasource_id == datasource_id,
ResourcePermission.email == user_email)).first()
if not existing_permission and action_payload[
'key'] == action_constants.ActionNames.CHANGE_OWNER_OF_FILE.value:
Logger().info("add a new permission ")
response = add_resource_permission(auth_token, datasource_id,
action_payload, log_entry)
return response
if not existing_permission:
status_message = "Bad Request - Permission not found in records"
Logger().info(status_message)
log_entry.status = action_constants.ActionStatus.FAILED.value
log_entry.message = status_message
return ResponseMessage(400, status_message)
query_param = {
'user_email': resource_owner,
'initiated_by_email': initiated_user,
'datasource_id': datasource_id,
"log_id": str(log_entry.log_id)
}
existing_permission_json = json.loads(
json.dumps(existing_permission, cls=alchemy_encoder()))
existing_permission_json["permission_type"] = new_permission_role
body = json.dumps([existing_permission_json], cls=alchemy_encoder())
response = "Action executed"
datasource_obj = get_datasource(datasource_id)
datasource_type = datasource_obj.datasource_type
payload = {
"permissions": body,
"datasource_id": datasource_id,
"domain_id": datasource_obj.domain_id,
"initiated_by_email": action_payload['initiated_by'],
"log_id": str(log_entry.log_id),
"user_email": resource_owner,
"action_type": action_payload['key'],
"resource_name": action_parameters["resource_name"]
}
response = messaging.trigger_post_event(
datasource_execute_action_map[datasource_type], auth_token, None,
payload, connector_servicename_map[datasource_type],
constants.TriggerType.SYNC.value)
if response and response.response_code == constants.SUCCESS_STATUS_CODE:
return response_messages.ResponseMessage(
constants.SUCCESS_STATUS_CODE, 'Action completed successfully')
else:
return response_messages.ResponseMessage(
response.response_code, response.response_body['message'])