def oneoff_command(args): session = make_session() load_plugins(settings["plugin_dir"], service_name="grouper-ctl") oneoffs = Annex(BaseOneOff, [settings["oneoff_dir"]], raise_exceptions=True) for oneoff in oneoffs: oneoff.configure(service_name="grouper-ctl") if args.subcommand == "run": logging.info("running one-off with '{}'".format(sys.argv)) if args.dry_run: logging.warning("running in DRY RUN mode") else: logging.warning("NOT running in dry run mode") with wrapped_session(session, make_read_only=args.dry_run) as the_session: for oneoff in oneoffs: if oneoff.__class__.__name__ == args.classname: params = args.oneoff_arguments or [] params += [('dry_run', args.dry_run)] oneoff.run(the_session, **dict(params)) elif args.subcommand == "list": for oneoff in oneoffs: logging.info(oneoff.__class__.__name__)
def oneoff_command(args): session = make_session() oneoffs = load_plugins( BaseOneOff, settings.oneoff_dirs, settings.oneoff_module_paths, "grouper-ctl", ) if args.subcommand == "run": logging.info("running one-off with '{}'".format(sys.argv)) if args.dry_run: logging.warning("running in DRY RUN mode") else: logging.warning("NOT running in dry run mode") with wrapped_session(session, make_read_only=args.dry_run) as the_session: for oneoff in oneoffs: if oneoff.__class__.__name__ == args.classname: params = args.oneoff_arguments or [] params += [('dry_run', args.dry_run)] oneoff.run(the_session, **dict(params)) elif args.subcommand == "list": for oneoff in oneoffs: logging.info(oneoff.__class__.__name__)
def oneoff_command(args): session = make_session() oneoffs = load_plugins(BaseOneOff, settings.oneoff_dirs, settings.oneoff_module_paths, "grouper-ctl") if args.subcommand == "run": logging.info("running one-off with '{}'".format(sys.argv)) if args.dry_run: logging.warning("running in DRY RUN mode") else: logging.warning("NOT running in dry run mode") with wrapped_session(session, make_read_only=args.dry_run) as the_session: for oneoff in oneoffs: if oneoff.__class__.__name__ == args.classname: params = args.oneoff_arguments or [] params += [("dry_run", args.dry_run)] oneoff.run(the_session, **dict(params)) elif args.subcommand == "list": for oneoff in oneoffs: logging.info(oneoff.__class__.__name__)
def handle_command(args): if args.subcommand == "list": session = make_session() all_users = get_all_users(session) for user in all_users: user_enabled = "enabled" if user.enabled else "disabled" logging.info("{} has status {}".format(user.name, user_enabled)) return else: user_command(args)
def shell_command(args): session = make_session() graph = GroupGraph.from_db(session) pp = pprint try: from IPython import embed except ImportError: code.interact(local={"session": session, "graph": graph, "pp": pp}) else: embed()
def shell_command(args): session = make_session() graph = GroupGraph.from_db(session) pp = pprint try: from IPython import embed except ImportError: code.interact(local={ "session": session, "graph": graph, "pp": pp, }) else: embed()
def sync_db_command(args): # Models not implicitly or explictly imported above are explicitly imported # here: from grouper.models.perf_profile import PerfProfile # noqa db_engine = get_db_engine(get_database_url(settings)) Model.metadata.create_all(db_engine) # Add some basic database structures we know we will need if they don't exist. session = make_session() for name, description in SYSTEM_PERMISSIONS: test = Permission.get(session, name) if test: continue permission = Permission(name=name, description=description) try: permission.add(session) session.flush() except IntegrityError: session.rollback() raise Exception('Failed to create permission: %s' % (name, )) session.commit() # This group is needed to bootstrap a Grouper installation. admin_group = Group.get(session, name="grouper-administrators") if not admin_group: admin_group = Group( groupname="grouper-administrators", description="Administrators of the Grouper system.", canjoin="nobody", ) try: admin_group.add(session) session.flush() except IntegrityError: session.rollback() raise Exception('Failed to create group: grouper-administrators') for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN): permission = Permission.get(session, permission_name) assert permission, "Permission should have been created earlier!" grant_permission(session, admin_group.id, permission.id) session.commit()
def run(self, args): # type: (Namespace) -> None if args.subcommand == "convert_to_service_account": usecase = self.usecase_factory.create_convert_user_to_service_account_usecase( args.actor_name, self) usecase.convert_user_to_service_account(args.username, args.owner) elif args.subcommand == "list": session = make_session() all_users = get_all_users(session) for user in all_users: user_enabled = "enabled" if user.enabled else "disabled" logging.info("{} has status {}".format(user.name, user_enabled)) return else: user_command(args)
def user_command(args): session = make_session() if args.subcommand == "create": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user, creating...".format(username)) user = User.get_or_create(session, username=username, role_user=args.role_user) session.commit() else: logging.info("{}: Already exists. Doing nothing.".format(username)) return # "add_public_key" and "set_metadata" user = User.get(session, name=args.username) if not user: logging.error("{}: No such user. Doing nothing.".format(args.username)) return # User must exist at this point. if args.subcommand == "set_metadata": print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value) if args.metadata_value == "": args.metadata_value = None user.set_metadata(args.metadata_key, args.metadata_value) session.commit() elif args.subcommand == "add_public_key": print "Adding public key for user..." try: pubkey = public_key.add_public_key(session, user, args.public_key) except public_key.DuplicateKey: print "Key already in use." return except public_key.PublicKeyParseError: print "Public key appears to be invalid." return AuditLog.log(session, user.id, 'add_public_key', '(Administrative) Added public key: {}'.format(pubkey.fingerprint), on_user_id=user.id)
def group_command(args): # type: (Namespace) -> None session = make_session() group = session.query(Group).filter_by(groupname=args.groupname).scalar() if not group: logging.error("No such group %s".format(args.groupname)) return if args.subcommand in ["add_member", "remove_member"]: # somewhat hacky: using function instance to use # `ensure_valid_username` only on # these subcommands @ensure_valid_username def call_mutate(args): mutate_group_command(session, group, args) call_mutate(args) elif args.subcommand == "log_dump": logdump_group_command(session, group, args)
def group_command(args): session = make_session() group = session.query(Group).filter_by(groupname=args.groupname).scalar() if not group: logging.error("No such group %s".format(args.groupname)) return for username in args.username: user = User.get(session, name=username) if not user: logging.error("no such user '{}'".format(username)) return if args.subcommand == "add_member": if args.member: role = 'member' elif args.owner: role = 'owner' elif args.np_owner: role = 'np-owner' elif args.manager: role = 'manager' assert role logging.info("Adding {} as {} to group {}".format(username, role, args.groupname)) group.add_member(user, user, "grouper-ctl join", status="actioned", role=role) AuditLog.log( session, user.id, 'join_group', '{} manually joined via grouper-ctl'.format(username), on_group_id=group.id) session.commit() elif args.subcommand == "remove_member": logging.info("Removing {} from group {}".format(username, args.groupname)) group.revoke_member(user, user, "grouper-ctl remove") AuditLog.log( session, user.id, 'leave_group', '{} manually left via grouper-ctl'.format(username), on_group_id=group.id) session.commit()
def service_account_command(args): session = make_session() actor_user = User.get(session, name=args.actor_name) if not actor_user: logging.fatal('Actor user "{}" is not a valid Grouper user'.format( args.actor_name)) return if args.subcommand == "create": name = args.name if ServiceAccount.get(session, name=name): logging.info("{}: Already exists. Doing nothing.".format(name)) return owner_group = Group.get(session, name=args.owner_group) if not owner_group: logging.fatal('Owner group "{}" does not exist.'.format( args.owner_group)) return logging.info("{}: No such service account, creating...".format(name)) description = args.description machine_set = args.machine_set create_service_account(session, actor_user, name, description, machine_set, owner_group) return
def user_command(args): session = make_session() if args.subcommand == "create": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user, creating...".format(username)) user = User.get_or_create(session, username=username, role_user=args.role_user) session.commit() else: logging.info("{}: Already exists. Doing nothing.".format(username)) return elif args.subcommand == "disable": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user. Doing nothing.".format(username)) elif not user.enabled: logging.info("{}: User already disabled. Doing nothing.".format(username)) else: logging.info("{}: User found, disabling...".format(username)) try: if user.role_user: disable_role_user(session, user) else: disable_user(session, user) AuditLog.log(session, user.id, 'disable_user', '(Administrative) User disabled via grouper-ctl', on_user_id=user.id) session.commit() except PluginRejectedDisablingUser as e: logging.error(e.message) return elif args.subcommand == "enable": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user. Doing nothing.".format(username)) elif user.enabled: logging.info("{}: User not disabled. Doing nothing.".format(username)) else: logging.info("{}: User found, enabling...".format(username)) if user.role_user: enable_role_user(session, user, preserve_membership=args.preserve_membership, user=user) else: enable_user(session, user, user, preserve_membership=args.preserve_membership) AuditLog.log(session, user.id, 'enable_user', '(Administrative) User enabled via grouper-ctl', on_user_id=user.id) session.commit() return # "add_public_key" and "set_metadata" user = User.get(session, name=args.username) if not user: logging.error("{}: No such user. Doing nothing.".format(args.username)) return # User must exist at this point. if args.subcommand == "set_metadata": print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value) if args.metadata_value == "": args.metadata_value = None set_user_metadata(session, user.id, args.metadata_key, args.metadata_value) session.commit() elif args.subcommand == "add_public_key": print "Adding public key for user..." try: pubkey = public_key.add_public_key(session, user, args.public_key) except public_key.DuplicateKey: print "Key already in use." return except public_key.PublicKeyParseError: print "Public key appears to be invalid." return AuditLog.log(session, user.id, 'add_public_key', '(Administrative) Added public key: {}'.format(pubkey.fingerprint_sha256), on_user_id=user.id)
def user_command(args): # type: (Namespace) -> None session = make_session() if args.subcommand == "create": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user, creating...".format(username)) user = User.get_or_create(session, username=username, role_user=args.role_user) session.commit() else: logging.info( "{}: Already exists. Doing nothing.".format(username)) return elif args.subcommand == "disable": for username in args.username: user = User.get(session, name=username) if not user: logging.info( "{}: No such user. Doing nothing.".format(username)) elif not user.enabled: logging.info( "{}: User already disabled. Doing nothing.".format( username)) else: logging.info("{}: User found, disabling...".format(username)) try: if user.role_user: disable_role_user(session, user) else: disable_user(session, user) AuditLog.log( session, user.id, "disable_user", "(Administrative) User disabled via grouper-ctl", on_user_id=user.id, ) session.commit() except PluginRejectedDisablingUser as e: logging.error("%s", e) return elif args.subcommand == "enable": for username in args.username: user = User.get(session, name=username) if not user: logging.info( "{}: No such user. Doing nothing.".format(username)) elif user.enabled: logging.info( "{}: User not disabled. Doing nothing.".format(username)) else: logging.info("{}: User found, enabling...".format(username)) if user.role_user: enable_role_user( session, user, preserve_membership=args.preserve_membership, user=user) else: enable_user(session, user, user, preserve_membership=args.preserve_membership) AuditLog.log( session, user.id, "enable_user", "(Administrative) User enabled via grouper-ctl", on_user_id=user.id, ) session.commit() return # "add_public_key" and "set_metadata" user = User.get(session, name=args.username) if not user: logging.error("{}: No such user. Doing nothing.".format(args.username)) return # User must exist at this point. if args.subcommand == "set_metadata": logging.info("Setting %s metadata: %s=%s", args.username, args.metadata_key, args.metadata_value) if args.metadata_value == "": args.metadata_value = None set_user_metadata(session, user.id, args.metadata_key, args.metadata_value) session.commit() elif args.subcommand == "add_public_key": logging.info("Adding public key for user") try: pubkey = public_key.add_public_key(session, user, args.public_key) except public_key.DuplicateKey: logging.error("Key already in use") return except public_key.PublicKeyParseError: logging.error("Public key appears to be invalid") return AuditLog.log( session, user.id, "add_public_key", "(Administrative) Added public key: {}".format( pubkey.fingerprint_sha256), on_user_id=user.id, )
def sync_db_command(args): # Models not implicitly or explictly imported above are explicitly imported here from grouper.models.perf_profile import PerfProfile # noqa: F401 from grouper.models.user_token import UserToken # noqa: F401 db_engine = get_db_engine(get_database_url(settings)) Model.metadata.create_all(db_engine) # Add some basic database structures we know we will need if they don't exist. session = make_session() for name, description in SYSTEM_PERMISSIONS: test = get_permission(session, name) if test: continue try: create_permission(session, name, description) session.flush() except IntegrityError: session.rollback() raise Exception("Failed to create permission: %s" % (name, )) session.commit() # This group is needed to bootstrap a Grouper installation. admin_group = Group.get(session, name="grouper-administrators") if not admin_group: admin_group = Group( groupname="grouper-administrators", description="Administrators of the Grouper system.", canjoin="nobody", ) try: admin_group.add(session) session.flush() except IntegrityError: session.rollback() raise Exception("Failed to create group: grouper-administrators") for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN): permission = get_permission(session, permission_name) assert permission, "Permission should have been created earlier!" grant_permission(session, admin_group.id, permission.id) session.commit() auditors_group_name = get_auditors_group_name(settings) auditors_group = Group.get(session, name=auditors_group_name) if not auditors_group: auditors_group = Group( groupname=auditors_group_name, description= "Group for auditors, who can be owners of audited groups.", canjoin="canjoin", ) try: auditors_group.add(session) session.flush() except IntegrityError: session.rollback() raise Exception( "Failed to create group: {}".format(auditors_group_name)) permission = get_permission(session, PERMISSION_AUDITOR) assert permission, "Permission should have been created earlier!" grant_permission(session, auditors_group.id, permission.id) session.commit()
def user_command(args): session = make_session() if args.subcommand == "create": for username in args.username: user = User.get(session, name=username) if not user: logging.info("{}: No such user, creating...".format(username)) user = User.get_or_create(session, username=username, role_user=args.role_user) session.commit() else: logging.info( "{}: Already exists. Doing nothing.".format(username)) return elif args.subcommand == "disable": for username in args.username: user = User.get(session, name=username) if not user: logging.info( "{}: No such user. Doing nothing.".format(username)) elif not user.enabled: logging.info( "{}: User already disabled. Doing nothing.".format( username)) else: logging.info("{}: User found, disabling...".format(username)) if user.role_user: disable_service_account(session, user) else: disable_user(session, user) session.commit() return elif args.subcommand == "enable": for username in args.username: user = User.get(session, name=username) if not user: logging.info( "{}: No such user. Doing nothing.".format(username)) elif user.enabled: logging.info( "{}: User not disabled. Doing nothing.".format(username)) else: logging.info("{}: User found, enabling...".format(username)) if user.role_user: enable_service_account( session, user, preserve_membership=args.preserve_membership, user=user) else: enable_user(session, user, user, preserve_membership=args.preserve_membership) session.commit() return # "add_public_key" and "set_metadata" user = User.get(session, name=args.username) if not user: logging.error("{}: No such user. Doing nothing.".format(args.username)) return # User must exist at this point. if args.subcommand == "set_metadata": print "Setting %s metadata: %s=%s" % (args.username, args.metadata_key, args.metadata_value) if args.metadata_value == "": args.metadata_value = None set_user_metadata(session, user.id, args.metadata_key, args.metadata_value) session.commit() elif args.subcommand == "add_public_key": print "Adding public key for user..." try: pubkey = public_key.add_public_key(session, user, args.public_key) except public_key.DuplicateKey: print "Key already in use." return except public_key.PublicKeyParseError: print "Public key appears to be invalid." return AuditLog.log(session, user.id, 'add_public_key', '(Administrative) Added public key: {}'.format( pubkey.fingerprint), on_user_id=user.id)