def get_user_view_template_vars(session, actor, user, graph):
# type: (Session, User, User, GroupGraph) -> Dict[str, Any]
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {} # type: Dict[str, Any]
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell_metadata = get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
ret["shell"] = shell_metadata.data_value if shell_metadata else "No shell configured"
github_username = get_user_metadata_by_key(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY)
ret["github_username"] = github_username.data_value if github_username else "(Unset)"
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])
return ret
def get_user_view_template_vars(session, actor, user, graph):
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {}
if user.is_service_account:
ret["can_control"] = (
can_manage_service_account(session, user.service_account, actor) or
user_is_user_admin(session, actor)
)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = (user.name == actor.name or user_is_user_admin(session, actor))
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests_by_owner(session, actor,
status='pending', limit=1, offset=0)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured")
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [{'name': g.name, 'type': 'Group', 'role': ge._role}
for g, ge in group_edge_list]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = ["{} ({})".format(perm.name,
perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)]
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get('permissions', [])
return ret
def get_user_view_template_vars(session, actor, user, graph):
ret = {}
ret["can_control"] = (user.name == actor.name
or user_is_user_admin(session, actor))
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(
session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests_by_owner(
session, actor, status='pending', limit=1, offset=0)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (get_user_metadata_by_key(session, user.id,
USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id,
USER_METADATA_SHELL_KEY) else
"No shell configured")
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [{
'name': g.name,
'type': 'Group',
'role': ge._role
} for g, ge in group_edge_list]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = [
"{} ({})".format(
perm.name, perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)
]
ret["permissions"] = user_md.get('permissions', [])
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
return ret
def get(self):
offset = int(self.get_argument("offset", 0))
limit = int(self.get_argument("limit", 100))
if limit > 9000:
limit = 9000
requests = user_requests_aggregate(self.session, self.current_user).order_by(
Request.requested_at.desc()
)
total = requests.count()
requests = requests.offset(offset).limit(limit)
self.render("user-requests.html", requests=requests, offset=offset, limit=limit,
total=total)
def get(self):
offset = int(self.get_argument("offset", 0))
limit = int(self.get_argument("limit", 100))
if limit > 9000:
limit = 9000
requests = user_requests_aggregate(self.session,
self.current_user).order_by(
Request.requested_at.desc())
total = requests.count()
requests = requests.offset(offset).limit(limit)
self.render("user-requests.html",
requests=requests,
offset=offset,
limit=limit,
total=total)
def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
gary = users["*****@*****.**"]
testuser = users["*****@*****.**"]
not_involved = [user for name,user in users.items() if name not in ("*****@*****.**",
"*****@*****.**")]
assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
"should have no pending requests to begin with"
# one request to one team
groups["team-sre"].add_member(users["*****@*****.**"], users["*****@*****.**"],
reason="for the lulz")
session.commit()
assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
"no pending requests if you're not the owner"
# two request to two teams, same owner
groups["team-infra"].add_member(users["*****@*****.**"], users["*****@*****.**"],
reason="for the lulz")
session.commit()
request_gary = user_requests_aggregate(session, gary).all()
assert len(request_gary) == 2, "two pending request for owner"
assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
"no pending requests if you're not the owner"
# resolving one request should reflect
request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
session.commit()
assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
"no pending requests if you're not the owner"
# requests to dependent teams should reflect apprpriately
groups["security-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
reason="for the lulz")
session.commit()
assert len(user_requests_aggregate(session, gary).all()) == 1, "super owner should not get request"
assert len(user_requests_aggregate(session, users["*****@*****.**"]).all()) == 1, "owner should get request"
user_not_gary_oliver = [u for n,u in users.items() if n not in ("*****@*****.**","*****@*****.**")]
assert not any([user_requests_aggregate(session, u).all() for u in user_not_gary_oliver])
# manager and np-owner should get requests
figurehead = users["*****@*****.**"]
add_member(groups["audited-team"], figurehead, role="manager")
assert len(user_requests_aggregate(session, figurehead).all()) == 0, "no request for np-owner at first"
groups["tech-ops"].add_member(users["*****@*****.**"], users["*****@*****.**"],
reason="for the lulz")
assert len(user_requests_aggregate(session, figurehead).all()) == 1, "request for np-owner"
groups["audited-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
reason="for the lulz")
assert len(user_requests_aggregate(session, figurehead).all()) == 2, "request for np-owner and manager"
def test_aggregate_request(
graph,
groups,
permissions,
session,
standard_graph,
users # noqa: F811
):
gary = users["*****@*****.**"]
not_involved = [
user for name, user in users.items()
if name not in ("*****@*****.**", "*****@*****.**")
]
assert not any([
user_requests_aggregate(session, u).all() for u in users.values()
]), "should have no pending requests to begin with"
# one request to one team
groups["team-sre"].add_member(users["*****@*****.**"],
users["*****@*****.**"],
reason="for the lulz")
session.commit()
assert len(user_requests_aggregate(
session, gary).all()) == 1, "one pending request for owner"
assert not any(
[user_requests_aggregate(session, u).all()
for u in not_involved]), "no pending requests if you're not the owner"
# two request to two teams, same owner
groups["team-infra"].add_member(users["*****@*****.**"],
users["*****@*****.**"],
reason="for the lulz")
session.commit()
request_gary = user_requests_aggregate(session, gary).all()
assert len(request_gary) == 2, "two pending request for owner"
assert not any(
[user_requests_aggregate(session, u).all()
for u in not_involved]), "no pending requests if you're not the owner"
# resolving one request should reflect
request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
request.update_status(users["*****@*****.**"], "actioned",
"for being a good person")
session.commit()
assert len(user_requests_aggregate(
session, gary).all()) == 1, "one pending request for owner"
assert not any(
[user_requests_aggregate(session, u).all()
for u in not_involved]), "no pending requests if you're not the owner"
# requests to dependent teams should reflect apprpriately
groups["security-team"].add_member(users["*****@*****.**"],
users["*****@*****.**"],
reason="for the lulz")
session.commit()
assert (len(user_requests_aggregate(
session, gary).all()) == 1), "super owner should not get request"
assert (len(user_requests_aggregate(
session, users["*****@*****.**"]).all()) == 1), "owner should get request"
user_not_gary_oliver = [
u for n, u in users.items() if n not in ("*****@*****.**", "*****@*****.**")
]
assert not any([
user_requests_aggregate(session, u).all() for u in user_not_gary_oliver
])
# manager and np-owner should get requests
figurehead = users["*****@*****.**"]
add_member(groups["audited-team"], figurehead, role="manager")
assert (len(user_requests_aggregate(
session, figurehead).all()) == 0), "no request for np-owner at first"
groups["tech-ops"].add_member(users["*****@*****.**"],
users["*****@*****.**"],
reason="for the lulz")
assert len(user_requests_aggregate(
session, figurehead).all()) == 1, "request for np-owner"
groups["audited-team"].add_member(users["*****@*****.**"],
users["*****@*****.**"],
reason="for the lulz")
assert (len(user_requests_aggregate(
session, figurehead).all()) == 2), "request for np-owner and manager"
def get_user_view_template_vars(session, actor, user, graph):
# type: (Session, User, User, GroupGraph) -> Dict[str, Any]
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {} # type: Dict[str, Any]
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (
get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured"
)
ret["shell"] = shell
github_username = get_user_metadata_by_key(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY)
ret["github_username"] = github_username.data_value if github_username else "(Unset)"
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])
return ret
def get_user_view_template_vars(session, actor, user, graph):
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {}
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (
get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured"
)
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = [
"{} ({})".format(perm.name, perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)
]
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
return ret
