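#!/usr/bin/python2.7
# grouper_revoke_privilege
# revoke the specified privilege from this UNI or group for the target group
#
# Credentials for the Grouper Web Service are NOT stored in this file: they are
# read from GROUPER_WS_USER / GROUPER_WS_PASSWORD (see grouperWSParameters) so
# that a checked-in copy of this script never carries a usable password.
from __future__ import print_function

import json
import os
import socket
import sys

try:
    from urllib.parse import urlparse  # Python 3
except ImportError:
    from urlparse import urlparse  # Python 2

import httplib2

# Grouper Web Service base URIs; GROUPER_WS_ENV picks one (default: dev).
# Both are https so Basic-auth credentials are never sent in the clear.
GROUPER_WS_URIS = {
    'dev': 'https://grouper-dev.cc.columbia.edu/grouper-ws/servicesRest/v2_4_000',
    'prod': 'https://grouper.cc.columbia.edu/grouper-ws/servicesRest/v2_4_000',
}


def usage():
    """Print the command-line synopsis to stderr and exit with status 1."""
    print('usage: grouper_revoke_privilege -m <member> -g <group> -p <privilege>', file=sys.stderr)
    print('-m the UNI or group that will lose the specified privilege', file=sys.stderr)
    print('-g the specified privilege applies to this group', file=sys.stderr)
    print('-p privilege can be admin, read, update, or view', file=sys.stderr)
    sys.exit(1)


def _parse_args(argv):
    """Return {'-m': member, '-g': group, '-p': privilege} from argv, or call usage().

    Each of -m, -g and -p must appear exactly once with a non-empty value; the
    flags may be given in any order.
    """
    if len(argv) != 6:
        usage()
    parsed = {}
    for flag, value in zip(argv[0::2], argv[1::2]):
        if flag not in ('-m', '-g', '-p') or flag in parsed or not value:
            usage()
        parsed[flag] = value
    if len(parsed) != 3:
        usage()
    return parsed


def _ws_success(meta):
    """Return True if a Grouper ``resultMetadata`` block reports success.

    Grouper's REST JSON renders this flag as the string "T"/"F"; a bare
    truthiness test would treat "F" as success, so compare explicitly and
    also accept a real boolean in case the marshalling differs.
    """
    success = meta.get('success')
    return success is True or success == 'T'


def _ws_result_code(result, result_key):
    """Return result[result_key]['resultMetadata']['resultCode'], or None if absent."""
    try:
        return result[result_key]['resultMetadata']['resultCode']
    except (KeyError, TypeError):
        return None


def _report_revoke_result(result, member, group, privilege):
    """Print the outcome of a revoke call.

    Returns True when the web service confirms the privilege is no longer
    assigned (either it was removed or it was never there), False otherwise.
    """
    code = _ws_result_code(result, 'WsAssignGrouperPrivilegesLiteResult')
    if code == 'SUCCESS_NOT_ALLOWED_DIDNT_EXIST':
        print(member + ' does not have the ' + privilege + ' privilege for ' + group)
        return True
    if code == 'SUCCESS_NOT_ALLOWED':
        print(member + ' no longer has the ' + privilege + ' privilege for ' + group)
        return True
    print('unable to revoke ' + privilege + ' privilege for ' + member + ' in ' + group)
    return False


def main():
    """Parse ``-m <member> -g <group> -p <privilege>`` and revoke the privilege.

    A member containing a colon is treated as a group id path and resolved to
    its UUID; anything else is passed to Grouper as a subject id (UNI).
    Exits with status 1 on a usage error, when the target group or member
    group cannot be found, or when Grouper does not confirm the revocation,
    so wrapping scripts can rely on the exit status.
    """
    args = _parse_args(sys.argv[1:])
    this_member = args['-m']
    this_group = args['-g']
    this_privilege = args['-p']

    # NOTE(review): httplib2.Http() is relied on to validate the server's TLS
    # certificate; do not pass disable_ssl_certificate_validation=True here.
    http = httplib2.Http()

    # attach credentials and pick the dev/prod base URI
    grouper_ws_uri = grouperWSParameters(http)

    # verify that the target group exists and is accessible by this user
    if grouperGetUuid(http, grouper_ws_uri, this_group) == 0:
        print(this_group + " group not found (does not exist or is not accessible)")
        sys.exit(1)

    if ':' in this_member:
        # a colon means a group id path: Grouper needs its UUID as the subject id
        member_uuid = grouperGetUuid(http, grouper_ws_uri, this_member)
        if member_uuid == 0:
            print(this_member + " group not found (does not exist or is not accessible)")
            sys.exit(1)
        subject_id = member_uuid
    else:
        # no colon: treat the value as a UNI
        subject_id = this_member

    result = grouperRevokePrivilege(http, grouper_ws_uri, this_group, subject_id, this_privilege)
    if not _report_revoke_result(result, this_member, this_group, this_privilege):
        sys.exit(1)


def grouperRevokePrivilege(http, grouper_ws_uri, groupName, subjectId, privName):
    """Revoke the access privilege ``privName`` on ``groupName`` from ``subjectId``.

    ``subjectId`` is a UNI or a group UUID.  ``privName`` is passed through to
    Grouper unvalidated so that any access privilege Grouper knows is usable;
    an unknown name is reported by the web service.  Returns the decoded JSON
    response, or None if the request failed.
    """
    body = {
        "WsRestAssignGrouperPrivilegesLiteRequest": {
            "allowed": "F",  # "F" removes the assignment
            "groupName": groupName,
            "privilegeName": privName,
            "privilegeType": "access",
            "subjectId": subjectId,
        }
    }
    return grouperWSRequest(http, grouper_ws_uri + "/grouperPrivileges", "POST", body)


def grouperGetUuid(http, grouper_ws_uri, groupName):
    """Return the UUID of the group named exactly ``groupName``, or 0 if not found.

    0 is also returned when the web service call fails, reports failure, or
    returns no group results, so callers can treat 0 as "not found / not
    accessible".
    """
    body = {
        "WsRestFindGroupsRequest": {
            "wsQueryFilter": {
                "groupName": groupName,
                "queryFilterType": "FIND_BY_GROUP_NAME_EXACT",
            }
        }
    }
    find_groups = grouperWSRequest(http, grouper_ws_uri + "/groups", "POST", body)
    if not find_groups:
        return 0
    results = find_groups.get('WsFindGroupsResults') or {}
    meta = results.get('resultMetadata') or {}
    groups = results.get('groupResults') or []
    # guard against an empty groupResults list as well as a missing key
    if not _ws_success(meta) or not groups:
        return 0
    return groups[0].get('uuid') or 0


def grouperWSRequest(http, url, method, body):
    """Send one request to the Grouper Web Service and return the decoded JSON.

    ``method`` is GET, POST or PUT; ``body`` is JSON-encoded for POST/PUT and
    omitted when None.  Returns None (after printing a diagnostic) when the
    service is unreachable, answers with a status other than 200/201, or
    returns a body that is not JSON.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    if method in ("POST", "PUT"):
        headers['Content-Type'] = 'text/x-json; charset=UTF-8'
    payload = json.dumps(body) if body is not None else None
    try:
        resp, content = http.request(uri=url, method=method, body=payload, headers=headers)
    except (httplib2.HttpLib2Error, socket.error) as err:
        # covers ServerNotFoundError plus refused connections and TLS failures
        print("Unable to connect to Grouper Web Service")
        print(err)
        return None
    text = content.decode('utf-8', 'replace') if isinstance(content, bytes) else content
    if resp.status in (200, 201):
        try:
            return json.loads(text)
        except ValueError:
            print("Grouper Web Service returned a non-JSON response")
            return None
    # http request failed, print the response status and content
    print("http response status " + str(resp.status))
    print("http response content " + text)
    return None


def grouperWSParameters(http):
    """Attach Basic-auth credentials to ``http`` and return the Grouper WS base URI.

    The username and password come from GROUPER_WS_USER and GROUPER_WS_PASSWORD;
    the script exits with status 1 if either is unset so that a misconfigured
    run fails before any request is made.  The credentials are bound to the
    selected service's host so httplib2 will not offer them to any other host
    (for example after a redirect).  GROUPER_WS_ENV selects 'dev' (default)
    or 'prod'.
    """
    grouper_username = os.environ.get('GROUPER_WS_USER')
    grouper_password = os.environ.get('GROUPER_WS_PASSWORD')
    if not grouper_username or not grouper_password:
        print("GROUPER_WS_USER and GROUPER_WS_PASSWORD must be set in the environment",
              file=sys.stderr)
        sys.exit(1)

    env = os.environ.get('GROUPER_WS_ENV', 'dev').strip().lower()
    if env not in GROUPER_WS_URIS:
        print("GROUPER_WS_ENV must be one of: " + ", ".join(sorted(GROUPER_WS_URIS)),
              file=sys.stderr)
        sys.exit(1)
    grouper_ws_uri = GROUPER_WS_URIS[env]

    # restrict the credentials to the service host (httplib2 matches on the
    # request authority, which is the netloc of the URI)
    http.add_credentials(name=grouper_username, password=grouper_password,
                         domain=urlparse(grouper_ws_uri).netloc)
    return grouper_ws_uri


if __name__ == '__main__':
    main()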