lemur/lemur/roles/service.py

"""
.. module: service
    :platform: Unix
    :synopsis: This module contains all of the services level functions used to
    administer roles in Lemur

    :copyright: (c) 2018 by Netflix Inc., see AUTHORS for more
    :license: Apache, see LICENSE for more details.

.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>
"""
from lemur import database
from lemur.roles.models import Role
from lemur.users.models import User
from lemur.logs import service as log_service


def update(role_id, name, description, users):
    """
    Update a role

    :param role_id:
    :param name:
    :param description:
    :param users:
    :return:
    """
    role = get(role_id)
    role.name = name
    role.description = description
    role.users = users
    database.update(role)

    log_service.audit_log("update_role", name, f"Role with id {role_id} updated")
    return role


def set_third_party(role_id, third_party_status=False):
    """
    Sets a role to be a third party role. A user should pretty much never
    call this directly.

    :param role_id:
    :param third_party_status:
    :return:
    """
    role = get(role_id)
    role.third_party = third_party_status
    database.update(role)

    log_service.audit_log("update_role", role.name, f"Updated third_party_status={third_party_status}")
    return role


def create(
    name, password=None, description=None, username=None, users=None, third_party=False
):
    """
    Create a new role

    :param name:
    :param users:
    :param description:
    :param username:
    :param password:
    :return:
    """
    role = Role(
        name=name,
        description=description,
        username=username,
        password=password,
        third_party=third_party,
    )

    if users:
        role.users = users

    log_service.audit_log("create_role", name, "Creating new role")
    return database.create(role)


def get(role_id):
    """
    Retrieve a role by ID

    :param role_id:
    :return:
    """
    return database.get(Role, role_id)


def get_by_name(role_name):
    """
    Retrieve a role by its name

    :param role_name:
    :return:
    """
    return database.get(Role, role_name, field="name")


def delete(role_id):
    """
    Remove a role

    :param role_id:
    :return:
    """

    role = get(role_id)
    log_service.audit_log("delete_role", role.name, "Deleting role")
    return database.delete(role)


def render(args):
    """
    Helper that filters subsets of roles depending on the parameters
    passed to the REST Api

    :param args:
    :return:
    """
    query = database.session_query(Role)
    filt = args.pop("filter")
    user_id = args.pop("user_id", None)
    authority_id = args.pop("authority_id", None)

    if user_id:
        query = query.filter(Role.users.any(User.id == user_id))

    if authority_id:
        query = query.filter(Role.authority_id == authority_id)

    if filt:
        terms = filt.split(";")
        query = database.filter(query, Role, terms)

    return database.sort_and_page(query, Role, args)


def get_or_create(role_name, description):
    role = get_by_name(role_name)
    if not role:
        role = create(name=role_name, description=description)

    return role
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`.. module: service`
			`:platform: Unix`
			`:synopsis: This module contains all of the services level functions used to`
			`administer roles in Lemur`

Addressing comments. Updating copyrights. Added function to determine authorative name server 2018-05-29 19:18:16 +02:00			`:copyright: (c) 2018 by Netflix Inc., see AUTHORS for more`
initial commit 2015-06-22 22:47:27 +02:00			`:license: Apache, see LICENSE for more details.`

			`.. moduleauthor:: Kevin Glisson <kglisson@netflix.com>`
			`"""`
			`from lemur import database`
			`from lemur.roles.models import Role`
			`from lemur.users.models import User`
Role and User update logs 2021-01-28 04:10:13 +01:00			`from lemur.logs import service as log_service`
initial commit 2015-06-22 22:47:27 +02:00
Pleasing the PEP8 gods 2015-07-21 22:06:13 +02:00
initial commit 2015-06-22 22:47:27 +02:00			`def update(role_id, name, description, users):`
			`"""`
			`Update a role`

			`:param role_id:`
			`:param name:`
			`:param description:`
			`:param users:`
			`:return:`
			`"""`
			`role = get(role_id)`
			`role.name = name`
			`role.description = description`
Allowing the role-user associated to be updated. (#396) * Allowing the role-user associated to be updated. * Fixing tests * Fixing tests, for real. 2016-07-07 22:03:10 +02:00			`role.users = users`
initial commit 2015-06-22 22:47:27 +02:00			`database.update(role)`
Role and User update logs 2021-01-28 04:10:13 +01:00
			`log_service.audit_log("update_role", name, f"Role with id {role_id} updated")`
initial commit 2015-06-22 22:47:27 +02:00			`return role`


fix roles assigned in the ui for sso (#1017) This commit fixes the ability to assign roles to people in the ui when the user is SSO. The idea is if a role is ever assigned via SSO it becomes a "SSO Role" or a "Third Party" Role. by setting third_party to true on the role object. Once a role is marked as third party it can no longer be controlled through the ui for SSO Users. (for ui users this poses no functional change). It must be controlled via SSO. 2017-12-11 22:51:45 +01:00			`def set_third_party(role_id, third_party_status=False):`
			`"""`
			`Sets a role to be a third party role. A user should pretty much never`
			`call this directly.`

			`:param role_id:`
			`:param third_party_status:`
			`:return:`
			`"""`
			`role = get(role_id)`
			`role.third_party = third_party_status`
			`database.update(role)`
Role and User update logs 2021-01-28 04:10:13 +01:00
			`log_service.audit_log("update_role", role.name, f"Updated third_party_status={third_party_status}")`
fix roles assigned in the ui for sso (#1017) This commit fixes the ability to assign roles to people in the ui when the user is SSO. The idea is if a role is ever assigned via SSO it becomes a "SSO Role" or a "Third Party" Role. by setting third_party to true on the role object. Once a role is marked as third party it can no longer be controlled through the ui for SSO Users. (for ui users this poses no functional change). It must be controlled via SSO. 2017-12-11 22:51:45 +01:00			`return role`


Black lint all the things 2019-05-16 16:57:02 +02:00			`def create(`
			`name, password=None, description=None, username=None, users=None, third_party=False`
			`):`
initial commit 2015-06-22 22:47:27 +02:00			`"""`
			`Create a new role`

			`:param name:`
			`:param users:`
			`:param description:`
			`:param username:`
			`:param password:`
			`:return:`
			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`role = Role(`
			`name=name,`
			`description=description,`
			`username=username,`
			`password=password,`
			`third_party=third_party,`
			`)`
Allowing the role-user associated to be updated. (#396) * Allowing the role-user associated to be updated. * Fixing tests * Fixing tests, for real. 2016-07-07 22:03:10 +02:00
initial commit 2015-06-22 22:47:27 +02:00			`if users:`
Closes #372 (#389) * Closes #372 2016-07-04 23:32:46 +02:00			`role.users = users`
Allowing the role-user associated to be updated. (#396) * Allowing the role-user associated to be updated. * Fixing tests * Fixing tests, for real. 2016-07-07 22:03:10 +02:00
Role and User update logs 2021-01-28 04:10:13 +01:00			`log_service.audit_log("create_role", name, "Creating new role")`
initial commit 2015-06-22 22:47:27 +02:00			`return database.create(role)`


			`def get(role_id):`
			`"""`
			`Retrieve a role by ID`

			`:param role_id:`
			`:return:`
			`"""`
			`return database.get(Role, role_id)`


			`def get_by_name(role_name):`
			`"""`
Minor documentation fixes/tweaks (#597) Mostly typos, grammar errors and inconsistent indentation in code examples. Some errors detected using Topy (https://github.com/intgr/topy), all changes verified by hand. 2016-12-14 18:29:04 +01:00			`Retrieve a role by its name`
initial commit 2015-06-22 22:47:27 +02:00
			`:param role_name:`
			`:return:`
			`"""`
Black lint all the things 2019-05-16 16:57:02 +02:00			`return database.get(Role, role_name, field="name")`
initial commit 2015-06-22 22:47:27 +02:00

			`def delete(role_id):`
			`"""`
			`Remove a role`

			`:param role_id:`
			`:return:`
			`"""`
Role and User update logs 2021-01-28 04:10:13 +01:00
			`role = get(role_id)`
			`log_service.audit_log("delete_role", role.name, "Deleting role")`
			`return database.delete(role)`
initial commit 2015-06-22 22:47:27 +02:00

			`def render(args):`
			`"""`
			`Helper that filters subsets of roles depending on the parameters`
			`passed to the REST Api`

			`:param args:`
			`:return:`
			`"""`
			`query = database.session_query(Role)`
Black lint all the things 2019-05-16 16:57:02 +02:00			`filt = args.pop("filter")`
			`user_id = args.pop("user_id", None)`
			`authority_id = args.pop("authority_id", None)`
initial commit 2015-06-22 22:47:27 +02:00
			`if user_id:`
			`query = query.filter(Role.users.any(User.id == user_id))`

			`if authority_id:`
			`query = query.filter(Role.authority_id == authority_id)`

			`if filt:`
Black lint all the things 2019-05-16 16:57:02 +02:00			`terms = filt.split(";")`
initial commit 2015-06-22 22:47:27 +02:00			`query = database.filter(query, Role, terms)`

Various bug fixes. (#314) 2016-05-12 21:38:44 +02:00			`return database.sort_and_page(query, Role, args)`
Certificate edit: update role and notification with owner change 2020-10-10 01:55:19 +02:00

			`def get_or_create(role_name, description):`
			`role = get_by_name(role_name)`
			`if not role:`
			`role = create(name=role_name, description=description)`

			`return role`