lyft · laudiacay · Oct 11, 2018 · Oct 30, 2018 · Nov 8, 2018 · Dec 4, 2018
diff --git a/confidant/authnz/__init__.py b/confidant/authnz/__init__.py
@@ -54,6 +54,16 @@ def get_logged_in_user():
     raise UserUnknownError()
 
 
+def get_user_groups():
+    if user_mod.is_authenticated():
+        return user_mod.current_groups()
+    raise UserUnknownError()
+
+
+def user_is_member(groupname):
+    return groupname in get_user_groups()
+
+
 def user_is_user_type(user_type):
     if not app.config.get('USE_AUTH'):
         return True
@@ -90,6 +100,19 @@ def user_type_has_privilege(user_type, privilege):
     return False
 
 
+def user_is_authorized(groupname):
+    # Fail open if:
+    # - the principal is not a human user
+    # - authz checks are disabled globally
+    # - OR there is no group specified
+    return (
+        not user_is_user_type('user')
+        or not app.config.get('USE_GROUPS')
+        or not groupname
+        or user_is_member(groupname)
+    )
+
+
 def require_csrf_token(f):
     @wraps(f)
     def decorated(*args, **kwargs):

diff --git a/confidant/authnz/userauth.py b/confidant/authnz/userauth.py
@@ -2,6 +2,7 @@
 import logging
 import datetime
 import random
+import grp
 
 import yaml
 from six.moves.urllib.parse import urlparse
@@ -113,13 +114,24 @@ def set_expiration(self):
                 max_expiration = now + datetime.timedelta(seconds=max_lifetime)
                 session['max_expiration'] = max_expiration
 
-    def set_current_user(self, email, first_name=None, last_name=None):
+    def set_current_user(self, email, first_name=None, last_name=None, username=None):
+        if email is None or email == '':
+            raise errors.UserUnknownError('No email provided')
+
         session['user'] = {
             'email': email,
             'first_name': first_name,
             'last_name': last_name,
+            'groups': []
         }
 
+        if username is None:
+            username = email.strip().split('@')[0]
+
+        if app.config.get('USE_GROUPS'):
+            all_groups = grp.getgrall()
+            session['user']['groups'] = [g.gr_name for g in all_groups if email in g.gr_mem]
+
     def current_email(self):
         ret = self.current_user()['email'].lower()
         # when migrating from 2 -> 3, the session email object may be bytes
@@ -131,6 +143,13 @@ def current_first_name(self):
     def current_last_name(self):
         return self.current_user()['last_name']
 
+    def current_groups(self):
+        groups = self.current_user().get('groups')
+        if groups is None:
+            return []
+        else:
+            return groups
-        groups = self.current_user().get('groups')
-        if groups is None:
-            return []
-        else:
-            return groups
+        groups = self.current_user().get('groups', [])
-        groups = self.current_user().get('groups')
-        if groups is None:
-            return []
-        else:
-            return groups
+        groups = self.current_user().get('groups', [])
+
     def redirect_to_index(self):
         return redirect(flask.url_for('index'))
 
@@ -251,6 +270,7 @@ def current_user(self):
             'email': 'unauthenticated user',
             'first_name': 'unauthenticated',
             'last_name': 'user',
+            'groups': []
         }
 
     def is_authenticated(self):
@@ -299,22 +319,27 @@ def assert_headers(self):
     def current_user(self):
         self.assert_headers()
 
-        info = {
-            'email': request.headers[self.email_header],
-
-            # TODO: should we use a string like "unknown", fall back to the
-            # email/username, ...?
-            'first_name': '',
-            'last_name': '',
-        }
-
+        first_name = None
         if self.first_name_header and self.first_name_header in request.headers:
-            info['first_name'] = request.headers[self.first_name_header]
+            first_name = request.headers[self.first_name_header]
 
+        last_name = None
         if self.last_name_header and self.last_name_header in request.headers:
-            info['last_name'] = request.headers[self.last_name_header]
-
-        return info
+            last_name = request.headers[self.last_name_header]
+
+        username = None
+        if self.username_header and self.username_header in request.headers:
+            username = request.headers[self.username_header]
+
+        # Set current user on every request to ensure that the user's group
+        # list is updated (TODO: caching?)
+        self.set_current_user(
+            request.headers[self.email_header],
+            first_name = first_name,
+            last_name = last_name,
+            username = username
+        )
+        return session['user']
 
     def is_authenticated(self):
         """Any user that is able to make requests is authenticated"""

diff --git a/confidant/models/credential.py b/confidant/models/credential.py
@@ -48,3 +48,4 @@ class Meta:
     modified_date = UTCDateTimeAttribute(default=datetime.now)
     modified_by = UnicodeAttribute()
     documentation = UnicodeAttribute(null=True)
+    group = UnicodeAttribute(null=True)
diff --git a/confidant/public/modules/resources/controllers/CredentialDetailsCtrl.js b/confidant/public/modules/resources/controllers/CredentialDetailsCtrl.js
@@ -79,6 +79,10 @@
                 $scope.shown = true;
             }
 
+	    $scope.groups = function(usergroups) {
+		return [""].concat(usergroups);
+	    }
+
             $scope.showValue = function(credentialPair) {
                 if (credentialPair.shown) {
                     return credentialPair.value;
@@ -154,6 +158,7 @@
                 _credential.name = $scope.credential.name;
                 _credential.enabled = $scope.credential.enabled;
                 _credential.documentation = $scope.credential.documentation;
+                _credential.group = $scope.credential.group;
                 _credential.credential_pairs = {};
                 _credential.metadata = {};
                 $scope.saveError = '';

diff --git a/confidant/public/modules/resources/views/credential-details.html b/confidant/public/modules/resources/views/credential-details.html
@@ -38,6 +38,15 @@
       <label for="credentialEnabled">Credential Enabled</label>
       <span editable-checkbox="credential.enabled" id="credentialEnabled">{{ credential.enabled }}</span>
     </div>
+    <div class="form-group">
+      <label for="credentialGroup">Credential Group</label>
+      <span editable-select="credential.group"
+	    e-ng-options="x for x in groups( {{user.groups}} )"
+	    id="credentialGroupInput">
+	{{ credential.group || 'No group set' }}
+      </span>
+      <span ng-show="credential.id && !credential.authorized">YOU ARE NOT AUTHORIZED TO VIEW OR MODIFY THIS CREDENTIAL'S DETAILS</span>
+    </div>
     <div class="form-group">
       <label for="credentialPairInputs">Credential Pairs <span class="glyphicon glyphicon-lock"></span></label>
       <div class="well well-sm" id="credentialPairInputs">
@@ -148,7 +157,7 @@
     </div>
 
     <div class="buttons has-margin-bottom-lg">
-      <button type="button" class="btn btn-default" ng-click="editableForm.$show()" ng-show="!editableForm.$visible">Edit</button>
+      <button type="button" class="btn btn-default" ng-click="editableForm.$show()" ng-show="!editableForm.$visible && credential.authorized">Edit</button>
       <span ng-show="editableForm.$visible">
         <button type="submit" class="btn" ng-disabled="editableForm.$waiting">Save</button>
         <button type="button" class="btn btn-alternate" ng-disabled="editableForm.$waiting" ng-click="editableForm.$cancel()">Cancel</button>