# Copyright (c) 2015 Ansible, Inc. # All Rights Reserved. # Django from django.conf import settings from django.db import models from django.contrib.auth.models import User from django.contrib.sessions.models import Session from django.utils.timezone import now as tz_now from django.utils.translation import gettext_lazy as _ # AWX from awx.api.versioning import reverse from awx.main.fields import AutoOneToOneField, ImplicitRoleField, OrderedManyToManyField from awx.main.models.base import BaseModel, CommonModel, CommonModelNameNotUnique, CreatedModifiedModel, NotificationFieldsModel from awx.main.models.rbac import ( ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR, ) from awx.main.models.unified_jobs import UnifiedJob from awx.main.models.mixins import ResourceMixin, CustomVirtualEnvMixin, RelatedJobsMixin __all__ = ['Organization', 'Team', 'Profile', 'UserSessionMembership'] class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVirtualEnvMixin, RelatedJobsMixin): """ An organization is the basic unit of multi-tenancy divisions """ class Meta: app_label = 'main' ordering = ('name',) instance_groups = OrderedManyToManyField('InstanceGroup', blank=True, through='OrganizationInstanceGroupMembership') galaxy_credentials = OrderedManyToManyField( 'Credential', blank=True, through='OrganizationGalaxyCredentialMembership', related_name='%(class)s_galaxy_credentials' ) max_hosts = models.PositiveIntegerField( blank=True, default=0, help_text=_('Maximum number of hosts allowed to be managed by this organization.'), ) notification_templates_approvals = models.ManyToManyField("NotificationTemplate", blank=True, related_name='%(class)s_notification_templates_for_approvals') default_environment = models.ForeignKey( 'ExecutionEnvironment', null=True, blank=True, default=None, on_delete=models.SET_NULL, related_name='+', help_text=_('The default execution environment for jobs run by this organization.'), ) admin_role = ImplicitRoleField( parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ) execute_role = ImplicitRoleField( parent_role='admin_role', ) project_admin_role = ImplicitRoleField( parent_role='admin_role', ) inventory_admin_role = ImplicitRoleField( parent_role='admin_role', ) credential_admin_role = ImplicitRoleField( parent_role='admin_role', ) workflow_admin_role = ImplicitRoleField( parent_role='admin_role', ) notification_admin_role = ImplicitRoleField( parent_role='admin_role', ) job_template_admin_role = ImplicitRoleField( parent_role='admin_role', ) execution_environment_admin_role = ImplicitRoleField( parent_role='admin_role', ) auditor_role = ImplicitRoleField( parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, ) member_role = ImplicitRoleField(parent_role=['admin_role']) read_role = ImplicitRoleField( parent_role=[ 'member_role', 'auditor_role', 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', 'job_template_admin_role', 'approval_role', 'execution_environment_admin_role', ], ) approval_role = ImplicitRoleField( parent_role='admin_role', ) def get_absolute_url(self, request=None): return reverse('api:organization_detail', kwargs={'pk': self.pk}, request=request) ''' RelatedJobsMixin ''' def _get_related_jobs(self): return UnifiedJob.objects.non_polymorphic().filter(organization=self) class OrganizationGalaxyCredentialMembership(models.Model): organization = models.ForeignKey('Organization', on_delete=models.CASCADE) credential = models.ForeignKey('Credential', on_delete=models.CASCADE) position = models.PositiveIntegerField( null=True, default=None, db_index=True, ) class Team(CommonModelNameNotUnique, ResourceMixin): """ A team is a group of users that work on common projects. """ class Meta: app_label = 'main' unique_together = [('organization', 'name')] ordering = ('organization__name', 'name') organization = models.ForeignKey( 'Organization', blank=False, null=False, on_delete=models.CASCADE, related_name='teams', ) admin_role = ImplicitRoleField( parent_role='organization.admin_role', ) member_role = ImplicitRoleField( parent_role='admin_role', ) read_role = ImplicitRoleField( parent_role=['organization.auditor_role', 'member_role'], ) def get_absolute_url(self, request=None): return reverse('api:team_detail', kwargs={'pk': self.pk}, request=request) class Profile(CreatedModifiedModel): """ Profile model related to User object. Currently stores LDAP DN for users loaded from LDAP. """ class Meta: app_label = 'main' user = AutoOneToOneField('auth.User', related_name='profile', editable=False, on_delete=models.CASCADE) ldap_dn = models.CharField( max_length=1024, default='', ) class UserSessionMembership(BaseModel): """ A lookup table for API session membership given user. Note, there is a different session created by channels for websockets using the same underlying model. """ class Meta: app_label = 'main' user = models.ForeignKey('auth.User', related_name='+', blank=False, null=False, on_delete=models.CASCADE) session = models.OneToOneField(Session, related_name='+', blank=False, null=False, on_delete=models.CASCADE) created = models.DateTimeField(default=None, editable=False) @staticmethod def get_memberships_over_limit(user_id, now=None): if settings.SESSIONS_PER_USER == -1: return [] if now is None: now = tz_now() query_set = UserSessionMembership.objects.select_related('session').filter(user_id=user_id).order_by('-created') non_expire_memberships = [x for x in query_set if x.session.expire_date > now] return non_expire_memberships[settings.SESSIONS_PER_USER :] # Add get_absolute_url method to User model if not present. if not hasattr(User, 'get_absolute_url'): def user_get_absolute_url(user, request=None): return reverse('api:user_detail', kwargs={'pk': user.pk}, request=request) User.add_to_class('get_absolute_url', user_get_absolute_url)