diff --git a/fas/client/fasClient.py b/fas/client/fasClient.py
new file mode 100644
index 0000000..2c2668d
--- /dev/null
+++ b/fas/client/fasClient.py
@@ -0,0 +1,78 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright © 2007-2008 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing to use, modify,
+# copy, or redistribute it subject to the terms and conditions of the GNU
+# General Public License v.2. This program is distributed in the hope that it
+# will be useful, but WITHOUT ANY WARRANTY expressed or implied, including the
+# implied warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU General Public License for more details. You should have
+# received a copy of the GNU General Public License along with this program;
+# if not, write to the Free Software Foundation, Inc., 51 Franklin Street,
+# Fifth Floor, Boston, MA 02110-1301, USA. Any Red Hat trademarks that are
+# incorporated in the source code or documentation are not subject to the GNU
+# General Public License and may only be used or replicated with the express
+# permission of Red Hat, Inc.
+#
+# Red Hat Author(s): Mike McGrath
+#
+
+
+from fedora.tg.client import BaseClient, AuthError, ServerError
+
+import sys
+import os
+import logging
+
+FAS_URL = 'http://localhost:8080/fas/json/'
+
+
+class MakeShellAccounts(BaseClient):
+ def group_list(self, search='*'):
+ params = {'search' : search}
+ data = self.send_request('group_list', auth=False, input=params)
+ return data['group_list']
+
+ def groups_text(self, groups=None, people=None):
+ i = 0
+ file = open('/tmp/group.txt', 'w')
+ if not groups:
+ groups = self.group_list()
+ if not people:
+ people = self.people_list()
+
+ ''' First create all of our users/groups combo '''
+ for person in people:
+ uid = people[person]['id']
+ username = people[person]['username']
+ file.write("=%i %s:x:%i:\n" % (uid, username, uid))
+ file.write( "0%i %s:x:%i:\n" % (i, username, uid))
+ file.write( ".%s %s:x:%i:\n" % (username, username, uid))
+ i = i + 1
+
+ for group in groups:
+ gid = groups[group]['id']
+ name = groups[group]['name']
+ file.write( "=%i %s:x:%i:\n" % (gid, name, gid))
+ file.write("0%i %s:x:%i:\n" % (i, name, gid))
+ file.write(".%s %s:x:%i:\n" % (name, name, gid))
+ i = i + 1
+
+ file.close()
+
+
+ def people_list(self, search='*'):
+ params = {'search' : search}
+ data = self.send_request('people_list', auth=False, input=params)
+ return data['people_list']
+
+ def make_group_db(self):
+ self.groups_text()
+ os.system('makedb -o /tmp/group.db /tmp/group.txt')
+
+if __name__ == '__main__':
+ fas = MakeShellAccounts(FAS_URL, None, None, None)
+ fas.make_group_db()
+
diff --git a/fas/fas/controllers.py b/fas/fas/controllers.py
index f2e232c..8d35d34 100644
--- a/fas/fas/controllers.py
+++ b/fas/fas/controllers.py
@@ -15,6 +15,7 @@ from operator import itemgetter from fas.user import User from fas.group import Group from fas.cla import CLA +from fas.json_request import JsonRequest #from fas.openid_fas import OpenID from fas.auth import isAdmin, canAdminGroup, canSponsorGroup, canEditUser 
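Review bot: `groups_text` and `make_group_db` write to the fixed names `/tmp/group.txt` and `/tmp/group.db` and then run `makedb` through `os.system`, so any local user who pre-creates or symlinks those names in the world-writable `/tmp` can steer what a (presumably root-run) `makedb` reads and what it overwrites. The usernames and group names come straight from the server response and are written unescaped into the makedb input, so a value containing `:` or a newline would corrupt or add entries in the resulting group database; check each name against the character set your shell accounts allow before writing it. `file` also shadows the builtin and is never closed if a write raises, and `AuthError`, `ServerError`, `sys` and `logging` are imported but unused. Writing the input to a `tempfile.mkstemp` file, running `makedb` via `subprocess.call` with an argument list, and having `groups_text` write to a caller-supplied file object instead of opening `/tmp/group.txt` itself addresses the first point (both modules would need importing); the output database should likewise live outside a shared temp directory.
```python
    def make_group_db(self):
        # Private temp file instead of a predictable /tmp name; no shell.
        # TODO: the output path should also be outside the shared /tmp.
        fd, txt_path = tempfile.mkstemp(prefix='group.', suffix='.txt')
        out = os.fdopen(fd, 'w')
        try:
            self.groups_text(out)   # groups_text writes to the given file object
        finally:
            out.close()
        try:
            subprocess.call(['makedb', '-o', '/tmp/group.db', txt_path])
        finally:
            os.unlink(txt_path)
```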
@@ -41,6 +42,7 @@ class Root(controllers.RootController): user = User() group = Group() cla = CLA() + json = JsonRequest() # openid = OpenID() os.environ['GNUPGHOME'] = config.get('gpghome') diff --git a/fas/fas/json.py b/fas/fas/json.py index 54531fa..a49a7d8 100644 --- a/fas/fas/json.py +++ b/fas/fas/json.py @@ -77,10 +77,10 @@ class SABase(object): # pylint: enable-msg=E1101 # Load all the columns from the table - for key in self.mapper.props.keys(): # pylint: disable-msg=E1101 - if isinstance(self.mapper.props[key], # pylint: disable-msg=E1101 - sqlalchemy.orm.properties.ColumnProperty): - props[key] = getattr(self, key) + for column in sqlalchemy.orm.object_mapper(self).iterate_properties: + if isinstance(column, sqlalchemy.orm.properties.ColumnProperty): + props[column.key] = getattr(self, column.key) + # Load things that are explicitly listed for field in propList: props[field] = getattr(self, field) diff --git a/fas/fas/model.py b/fas/fas/model.py index 81aa043..66fa5c0 100644 --- a/fas/fas/model.py +++ b/fas/fas/model.py 
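Review bot: Mounting `JsonRequest` at `Root.json` publishes the `people_list` and `group_list` methods that the new `fasClient.py` calls with `auth=False`, but `fas/json_request.py` is not in this diff, so which methods are exposed, whether they accept anonymous callers, and how the client-supplied `search` pattern is applied cannot be reviewed here. If the endpoints are anonymous, `People.__json__` in `model.py` is the only thing keeping password hashes and contact details out of the response, which is worth recording where the controller is mounted, e.g. `json = JsonRequest()  # anonymous JSON API; per-field filtering lives in People.__json__`.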
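Review bot: The loop variable `column` in the rewritten loop names every mapper property, relationships included, and is only narrowed to a column by the `isinstance` check, so `prop` would read more honestly: `for prop in sqlalchemy.orm.object_mapper(self).iterate_properties:` / `if isinstance(prop, sqlalchemy.orm.properties.ColumnProperty):` / `props[prop.key] = getattr(self, prop.key)`. The enclosing `__json__` starts and ends outside the hunk.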
@@ -185,6 +185,73 @@ class People(SABase): def __repr__(cls): return "User(%s,%s)" % (cls.username, cls.human_name) + def __json__(self): + '''We want to make sure we keep a tight reign on sensistive information. + Thus we strip out certain information unless a user is an admin or the + current user. + + Current access restrictions + =========================== + + Anonymous users can see: + :id: The id in the account system and on the shell servers + :username: Username in FAS + :human_name: Human name of the person + :comments: Comments that the user leaves about themselves + :creation: Date this account was created + :ircnick: User's nickname on IRC + :last_seen: timestamp the user last logged into anything tied to + the account system + :status: Whether the user is active, inactive, on vacation, etc + :status_change: timestamp that the status was last updated + :locale: User's default locale for Fedora Services + :timezone: User's timezone + :latitude: Used for constructing maps of contributors + :longitude: Used for contructing maps of contributors + + Authenticated Users add: + :ssh_key: Public key for connecting to over ssh + :gpg_keyid: gpg key of the user + :affiliation: company or group the user wishes to identify with + :certificate_serial: serial number of the user's Fedora SSL + Certificate + + User Themselves add: + :password: hashed password to identify the user + :passwordtoken: used when the user needs to reset a password + :postal_address: user's postal address + :telephone: user's telephone number + :facsimile: user's FAX number + + Admins gets access to this final field as well: + :internal_comments: Comments an admin wants to write about a user + + Note: There are a few other resources that are not located directly in + the People structure that you are likely to want to pass to consuming + code like email address and groups. Please see the documentation on + SABase.__json__() to find out how to set jsonProps to handle those. 
+ ''' + props = super(People, self).__json__() + if not identity.in_group('admin'): + # Only admins can see internal_comments + del props['internal_comments'] + + if not identity.current.user.user_name == self.username: + # Only an admin or the user themselves can see these fields + del props['password'] + del props['passwordtoken'] + del props['postal_address'] + del props['telephone'] + del props['facsimile'] + + if identity.current.anonymous: + # Only an authenticated user can see these fields + del props['ssh_key'] + del props['gpg_keyid'] + del props['affiliation'] + del props['certificate_serial'] + return props + memberships = association_proxy('roles', 'group') approved_memberships = association_proxy('approved_roles', 'group') unapproved_memberships = association_proxy('unapproved_roles', 'group') diff --git a/fas/fas2.sql b/fas/fas2.sql index 69074bc..0911c3e 100644 --- a/fas/fas2.sql +++ b/fas/fas2.sql @@ -28,10 +28,6 @@ CREATE SEQUENCE person_seq; -- TODO: Set this to start where our last person_id is SELECT setval('person_seq', 1111); -CREATE SEQUENCE group_seq; --- TODO: Set this to start where our last group_id is -SELECT setval('group_seq', 1222); - CREATE TABLE people ( -- tg_user::user_id id INTEGER PRIMARY KEY NOT NULL DEFAULT nextval('person_seq'), @@ -115,7 +111,7 @@ cluster configs_person_id_idx on configs; CREATE TABLE groups ( -- tg_group::group_id - id INTEGER PRIMARY KEY NOT NULL DEFAULT nextval('group_seq'), + id INTEGER PRIMARY KEY NOT NULL DEFAULT nextval('person_seq'), -- tg_group::group_name name VARCHAR(32) UNIQUE NOT NULL, -- tg_group::display_name 
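Review bot: `identity.current.user.user_name` is evaluated before the `identity.current.anonymous` check, so for an anonymous request — which `fasClient.py` makes with `auth=False` — this raises AttributeError if `identity.current.user` is `None` for anonymous callers, as I believe TurboGears 1 does; test anonymity first, e.g. `if identity.current.anonymous or identity.current.user.user_name != self.username:`. The comment `# Only an admin or the user themselves can see these fields` does not match the code, which strips those fields from admins as well; the docstring's "User Themselves add" is what is implemented. Deleting fields from the full column dump is also a denylist, so any sensitive column added to `people` later is exposed by default, and serializing `password` and `passwordtoken` at all — even to the user — places the hash and a reset token in any API response a hijacked session can request; consider never emitting them and documenting the remaining filtering as an allowlist. Docstring typos: "reign" → "rein", "sensistive" → "sensitive", "contructing" → "constructing".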
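Review bot: Dropping `group_seq` and defaulting `groups.id` to `nextval('person_seq')` (this hunk, @@ -115 and the GRANT in @@ -428) gives people and groups a single id space — which `fasClient.py` relies on when it emits a group entry per user — but nothing here reconciles ids already issued: `person_seq` is set to 1111 while the removed `group_seq` started at 1222, so existing group rows above 1111 would collide with future person ids unless `person_seq` is advanced past the highest id in both tables. A comment next to `SELECT setval('person_seq', 1111);` such as `-- person_seq is shared by people and groups; set it above MAX(id) of both tables` would record that requirement for whoever runs the migration.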
@@ -428,7 +424,7 @@ create trigger email_bugzilla_sync before update or insert or delete for each row execute procedure bugzilla_sync_email(); -- For Fas to connect to the database -GRANT ALL ON TABLE people, groups, person_roles, person_emails, group_roles, group_emails, bugzilla_queue, configs, person_seq, group_seq, visit, visit_identity TO GROUP fedora; +GRANT ALL ON TABLE people, groups, person_roles, person_emails, group_roles, group_emails, bugzilla_queue, configs, person_seq, visit, visit_identity TO GROUP fedora; -- For other services to connect to the necessary session tables GRANT ALL ON TABLE visit, visit_identity TO GROUP apache;