api: added audit logs for user-group related calls....
marcink -
r2686:7f25a959 default
@@ -638,8 +638,18 b' def grant_user_permission_to_user_group('
638 perm = get_perm_or_error(perm, prefix='usergroup.')
638 perm = get_perm_or_error(perm, prefix='usergroup.')
639
639
640 try:
640 try:
641 UserGroupModel().grant_user_permission(
641 changes = UserGroupModel().grant_user_permission(
642 user_group=user_group, user=user, perm=perm)
642 user_group=user_group, user=user, perm=perm)
643
644 action_data = {
645 'added': changes['added'],
646 'updated': changes['updated'],
647 'deleted': changes['deleted'],
648 }
649 audit_logger.store_api(
650 'user_group.edit.permissions', action_data=action_data,
651 user=apiuser)
652
643 Session().commit()
653 Session().commit()
644 return {
654 return {
645 'msg':
655 'msg':
@@ -698,8 +708,17 b' def revoke_user_permission_from_user_gro'
698 user = get_user_or_error(userid)
708 user = get_user_or_error(userid)
699
709
700 try:
710 try:
701 UserGroupModel().revoke_user_permission(
711 changes = UserGroupModel().revoke_user_permission(
702 user_group=user_group, user=user)
712 user_group=user_group, user=user)
713 action_data = {
714 'added': changes['added'],
715 'updated': changes['updated'],
716 'deleted': changes['deleted'],
717 }
718 audit_logger.store_api(
719 'user_group.edit.permissions', action_data=action_data,
720 user=apiuser)
721
703 Session().commit()
722 Session().commit()
704 return {
723 return {
705 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
724 'msg': 'Revoked perm for user: `%s` in user group: `%s`' % (
@@ -764,11 +783,20 b' def grant_user_group_permission_to_user_'
764 'user group `%s` does not exist' % (sourceusergroupid,))
783 'user group `%s` does not exist' % (sourceusergroupid,))
765
784
766 try:
785 try:
767 UserGroupModel().grant_user_group_permission(
786 changes = UserGroupModel().grant_user_group_permission(
768 target_user_group=target_user_group,
787 target_user_group=target_user_group,
769 user_group=user_group, perm=perm)
788 user_group=user_group, perm=perm)
789
790 action_data = {
791 'added': changes['added'],
792 'updated': changes['updated'],
793 'deleted': changes['deleted'],
794 }
795 audit_logger.store_api(
796 'user_group.edit.permissions', action_data=action_data,
797 user=apiuser)
798
770 Session().commit()
799 Session().commit()
771
772 return {
800 return {
773 'msg': 'Granted perm: `%s` for user group: `%s` '
801 'msg': 'Granted perm: `%s` for user group: `%s` '
774 'in user group: `%s`' % (
802 'in user group: `%s`' % (
@@ -835,8 +863,17 b' def revoke_user_group_permission_from_us'
835 'user group `%s` does not exist' % (sourceusergroupid,))
863 'user group `%s` does not exist' % (sourceusergroupid,))
836
864
837 try:
865 try:
838 UserGroupModel().revoke_user_group_permission(
866 changes = UserGroupModel().revoke_user_group_permission(
839 target_user_group=target_user_group, user_group=user_group)
867 target_user_group=target_user_group, user_group=user_group)
868 action_data = {
869 'added': changes['added'],
870 'updated': changes['updated'],
871 'deleted': changes['deleted'],
872 }
873 audit_logger.store_api(
874 'user_group.edit.permissions', action_data=action_data,
875 user=apiuser)
876
840 Session().commit()
877 Session().commit()
841
878
842 return {
879 return {
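Review bot: The `action_data` dict built after each model call is the same three-key copy of `changes` in all four API functions (grant_user_permission_to_user_group, revoke_user_permission_from_user_group, grant_user_group_permission_to_user_group, revoke_user_group_permission_from_user_group); since the model now returns exactly those keys, either `audit_logger.store_api('user_group.edit.permissions', action_data=changes, user=apiuser)` or one small shared helper would keep the four audit calls from drifting apart. All four entries are stored under the single action `'user_group.edit.permissions'`, so a reader of the audit log can only tell a grant from a revoke by which of `added`/`deleted` is populated; a short comment saying that this is intentional would help, or distinct action names would make the trail self-describing. The audit call is also placed before `Session().commit()`, so if `store_api` persists outside this session a failed commit would leave an audit entry for a change that never landed — worth confirming. Each of these `try` blocks starts and ends outside the hunk, so the matching `except` clauses are not visible here.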
@@ -80,6 +80,7 b' class UserGroupModel(BaseModel):'
80 'updated': [],
80 'updated': [],
81 'deleted': []
81 'deleted': []
82 }
82 }
83 change_obj = user_group.get_api_data()
83 # update permissions
84 # update permissions
84 for member_id, perm, member_type in perm_updates:
85 for member_id, perm, member_type in perm_updates:
85 member_id = int(member_id)
86 member_id = int(member_id)
@@ -97,7 +98,9 b' class UserGroupModel(BaseModel):'
97 self.grant_user_group_permission(
98 self.grant_user_group_permission(
98 target_user_group=user_group, user_group=member_id, perm=perm)
99 target_user_group=user_group, user_group=member_id, perm=perm)
99
100
100 changes['updated'].append({'type': member_type, 'id': member_id,
101 changes['updated'].append({
102 'change_obj': change_obj,
103 'type': member_type, 'id': member_id,
101 'name': member_name, 'new_perm': perm})
104 'name': member_name, 'new_perm': perm})
102
105
103 # set new permissions
106 # set new permissions
@@ -115,7 +118,9 b' class UserGroupModel(BaseModel):'
115 self.grant_user_group_permission(
118 self.grant_user_group_permission(
116 target_user_group=user_group, user_group=member_id, perm=perm)
119 target_user_group=user_group, user_group=member_id, perm=perm)
117
120
118 changes['added'].append({'type': member_type, 'id': member_id,
121 changes['added'].append({
122 'change_obj': change_obj,
123 'type': member_type, 'id': member_id,
119 'name': member_name, 'new_perm': perm})
124 'name': member_name, 'new_perm': perm})
120
125
121 # delete permissions
126 # delete permissions
@@ -132,8 +137,11 b' class UserGroupModel(BaseModel):'
132 self.revoke_user_group_permission(
137 self.revoke_user_group_permission(
133 target_user_group=user_group, user_group=member_id)
138 target_user_group=user_group, user_group=member_id)
134
139
135 changes['deleted'].append({'type': member_type, 'id': member_id,
140 changes['deleted'].append({
141 'change_obj': change_obj,
142 'type': member_type, 'id': member_id,
136 'name': member_name, 'new_perm': perm})
143 'name': member_name, 'new_perm': perm})
144
137 return changes
145 return changes
138
146
139 def get(self, user_group_id, cache=False):
147 def get(self, user_group_id, cache=False):
@@ -400,10 +408,18 b' class UserGroupModel(BaseModel):'
400 :param user: Instance of User, user_id or username
408 :param user: Instance of User, user_id or username
401 :param perm: Instance of Permission, or permission_name
409 :param perm: Instance of Permission, or permission_name
402 """
410 """
411 changes = {
412 'added': [],
413 'updated': [],
414 'deleted': []
415 }
403
416
404 user_group = self._get_user_group(user_group)
417 user_group = self._get_user_group(user_group)
405 user = self._get_user(user)
418 user = self._get_user(user)
406 permission = self._get_perm(perm)
419 permission = self._get_perm(perm)
420 perm_name = permission.permission_name
421 member_id = user.user_id
422 member_name = user.username
407
423
408 # check if we have that permission already
424 # check if we have that permission already
409 obj = self.sa.query(UserUserGroupToPerm)\
425 obj = self.sa.query(UserUserGroupToPerm)\
@@ -422,7 +438,12 b' class UserGroupModel(BaseModel):'
422 'granted permission: {} to user: {} on usergroup: {}'.format(
438 'granted permission: {} to user: {} on usergroup: {}'.format(
423 perm, user, user_group), namespace='security.usergroup')
439 perm, user, user_group), namespace='security.usergroup')
424
440
425 return obj
441 changes['added'].append({
442 'change_obj': user_group.get_api_data(),
443 'type': 'user', 'id': member_id,
444 'name': member_name, 'new_perm': perm_name})
445
446 return changes
426
447
427 def revoke_user_permission(self, user_group, user):
448 def revoke_user_permission(self, user_group, user):
428 """
449 """
@@ -432,9 +453,17 b' class UserGroupModel(BaseModel):'
432 or users_group name
453 or users_group name
433 :param user: Instance of User, user_id or username
454 :param user: Instance of User, user_id or username
434 """
455 """
456 changes = {
457 'added': [],
458 'updated': [],
459 'deleted': []
460 }
435
461
436 user_group = self._get_user_group(user_group)
462 user_group = self._get_user_group(user_group)
437 user = self._get_user(user)
463 user = self._get_user(user)
464 perm_name = 'usergroup.none'
465 member_id = user.user_id
466 member_name = user.username
438
467
439 obj = self.sa.query(UserUserGroupToPerm)\
468 obj = self.sa.query(UserUserGroupToPerm)\
440 .filter(UserUserGroupToPerm.user == user)\
469 .filter(UserUserGroupToPerm.user == user)\
@@ -447,6 +476,13 b' class UserGroupModel(BaseModel):'
447 'revoked permission from user: {} on usergroup: {}'.format(
476 'revoked permission from user: {} on usergroup: {}'.format(
448 user, user_group), namespace='security.usergroup')
477 user, user_group), namespace='security.usergroup')
449
478
479 changes['deleted'].append({
480 'change_obj': user_group.get_api_data(),
481 'type': 'user', 'id': member_id,
482 'name': member_name, 'new_perm': perm_name})
483
484 return changes
485
450 def grant_user_group_permission(self, target_user_group, user_group, perm):
486 def grant_user_group_permission(self, target_user_group, user_group, perm):
451 """
487 """
452 Grant user group permission for given target_user_group
488 Grant user group permission for given target_user_group
@@ -455,9 +491,19 b' class UserGroupModel(BaseModel):'
455 :param user_group:
491 :param user_group:
456 :param perm:
492 :param perm:
457 """
493 """
494 changes = {
495 'added': [],
496 'updated': [],
497 'deleted': []
498 }
499
458 target_user_group = self._get_user_group(target_user_group)
500 target_user_group = self._get_user_group(target_user_group)
459 user_group = self._get_user_group(user_group)
501 user_group = self._get_user_group(user_group)
460 permission = self._get_perm(perm)
502 permission = self._get_perm(perm)
503 perm_name = permission.permission_name
504 member_id = user_group.users_group_id
505 member_name = user_group.users_group_name
506
461 # forbid assigning same user group to itself
507 # forbid assigning same user group to itself
462 if target_user_group == user_group:
508 if target_user_group == user_group:
463 raise RepoGroupAssignmentError('target repo:%s cannot be '
509 raise RepoGroupAssignmentError('target repo:%s cannot be '
@@ -482,7 +528,12 b' class UserGroupModel(BaseModel):'
482 perm, user_group, target_user_group),
528 perm, user_group, target_user_group),
483 namespace='security.usergroup')
529 namespace='security.usergroup')
484
530
485 return obj
531 changes['added'].append({
532 'change_obj': target_user_group.get_api_data(),
533 'type': 'user_group', 'id': member_id,
534 'name': member_name, 'new_perm': perm_name})
535
536 return changes
486
537
487 def revoke_user_group_permission(self, target_user_group, user_group):
538 def revoke_user_group_permission(self, target_user_group, user_group):
488 """
539 """
@@ -491,8 +542,17 b' class UserGroupModel(BaseModel):'
491 :param target_user_group:
542 :param target_user_group:
492 :param user_group:
543 :param user_group:
493 """
544 """
545 changes = {
546 'added': [],
547 'updated': [],
548 'deleted': []
549 }
550
494 target_user_group = self._get_user_group(target_user_group)
551 target_user_group = self._get_user_group(target_user_group)
495 user_group = self._get_user_group(user_group)
552 user_group = self._get_user_group(user_group)
553 perm_name = 'usergroup.none'
554 member_id = user_group.users_group_id
555 member_name = user_group.users_group_name
496
556
497 obj = self.sa.query(UserGroupUserGroupToPerm)\
557 obj = self.sa.query(UserGroupUserGroupToPerm)\
498 .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
558 .filter(UserGroupUserGroupToPerm.target_user_group == target_user_group)\
@@ -507,6 +567,13 b' class UserGroupModel(BaseModel):'
507 user_group, target_user_group),
567 user_group, target_user_group),
508 namespace='security.repogroup')
568 namespace='security.repogroup')
509
569
570 changes['deleted'].append({
571 'change_obj': target_user_group.get_api_data(),
572 'type': 'user_group', 'id': member_id,
573 'name': member_name, 'new_perm': perm_name})
574
575 return changes
576
510 def get_perms_summary(self, user_group_id):
577 def get_perms_summary(self, user_group_id):
511 permissions = {
578 permissions = {
512 'repositories': {},
579 'repositories': {},
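Review bot: In grant_user_permission and grant_user_group_permission the new code appends to `changes['added']` unconditionally, yet both methods first run the "check if we have that permission already" lookup; if an existing row is replaced on that path the audit entry will still report the grant as `added` and the previous permission name is never recorded, which is the one thing a later reviewer of the trail would want. Capturing the old row's `permission.permission_name` before it is overwritten and using `changes['updated' if existed else 'added'].append({...})` (with an `'old_perm'` key) would keep the log faithful; the code between the lookup and the log call lies outside these hunks, so this is inferred from the visible parts. A smaller point: update_permissions snapshots `change_obj = user_group.get_api_data()` once before any grant/revoke runs, whereas the per-call methods snapshot after the change, so the two entry points record different states of the same group — a one-line comment on the `change_obj` assignment saying which state is intended would avoid confusion.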