Merge branch 'master' into production

.github/workflows/semantic-release.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches-ignore:
       - master
+      - renovate/*
     tags-ignore:
       - v*
 jobs:

perun-base/src/main/java/cz/metacentrum/perun/core/api/CoreConfig.java

@@ -73,6 +73,7 @@ public void initBeansUtils() {
 	private String userExtSourcesPersistent;
 	private List<String> allowedCorsDomains;
 	private String pdfFontPath;
+	private boolean notifSendMessages;
 	private String smtpHost;
 	private int smtpPort;
 	private boolean smtpAuth;
@@ -598,6 +599,14 @@ public void setPdfFontPath(String pdfFontPath) {
 		this.pdfFontPath = pdfFontPath;
 	}
 
+	public boolean getNotifSendMessages() {
+		return notifSendMessages;
+	}
+
+	public void setNotifSendMessages(boolean notifSendMessages) {
+		this.notifSendMessages = notifSendMessages;
+	}
+
 	public String getSmtpHost() {
 		return smtpHost;
 	}

perun-base/src/main/java/cz/metacentrum/perun/core/api/MembersOrderColumn.java

@@ -18,7 +18,39 @@ public enum MembersOrderColumn {
 	                 "users.first_name " + getLangSql(query) + query.getOrder().getSqlValue()
 	),
 
-	ID("", "", query -> "members.id " + query.getOrder().getSqlValue());
+	ID("", "", query -> "members.id " + query.getOrder().getSqlValue()),
+	STATUS("","", query -> "members.status " + query.getOrder().getSqlValue()),
+	GROUP_STATUS("", "", query -> "groups_members.source_group_status " + query.getOrder().getSqlValue()),
+
+	// 1. user preferred mail, 2. member mail
+	EMAIL(
+			", usrvals.attr_value, memvals.attr_value ",
+			" left join " +
+			   	"(select attr_value, member_id, attr_id from member_attr_values) as memvals " +
+				"on members.id=memvals.member_id and memvals.attr_id=" +
+			   		"(select id from attr_names where attr_name='urn:perun:member:attribute-def:def:mail') " +
+			" left join " +
+				"(select attr_value, user_id, attr_id from user_attr_values) as usrvals " +
+				"on members.user_id=usrvals.user_id and usrvals.attr_id=" +
+					"(select id from attr_names where attr_name='urn:perun:user:attribute-def:def:preferredMail') ",
+			query -> "usrvals.attr_value " + query.getOrder().getSqlValue() + ", " +
+					 "memvals.attr_value " + query.getOrder().getSqlValue()
+	),
+
+	// 1. member organization, 2. user organization (from IdP)
+	ORGANIZATION(
+		", usrvals.attr_value, memvals.attr_value ",
+		" left join " +
+			"(select attr_value, member_id, attr_id from member_attr_values) as memvals " +
+			"on members.id=memvals.member_id and memvals.attr_id=" +
+			"(select id from attr_names where attr_name='urn:perun:member:attribute-def:def:organization') " +
+			" left join " +
+			"(select attr_value, user_id, attr_id from user_attr_values) as usrvals " +
+			"on members.user_id=usrvals.user_id and usrvals.attr_id=" +
+			"(select id from attr_names where attr_name='urn:perun:user:attribute-def:def:organization') ",
+		query -> "memvals.attr_value " + query.getOrder().getSqlValue() + ", " +
+			"usrvals.attr_value " + query.getOrder().getSqlValue()
+	);
 
 	private final Function<MembersPageQuery, String> orderBySqlFunction;
 	private final String selectSql;

perun-base/src/main/java/cz/metacentrum/perun/registrar/model/Application.java

@@ -25,7 +25,7 @@ public static enum AppType { INITIAL, EXTENSION, EMBEDDED }
 	private String extSourceType;
 	private int extSourceLoa = 0; // 0 - by default
 	private User user;
-
+	private String autoApproveError;
 	private String createdBy;
 	private String createdAt;
 	private String modifiedBy;
@@ -147,6 +147,10 @@ public String getModifiedAt() {
 		return modifiedAt;
 	}
 
+	public String getAutoApproveError() {
+		return autoApproveError;
+	}
+
 	public void setCreatedBy(String createdBy) {
 		this.createdBy = createdBy;
 	}
@@ -163,6 +167,10 @@ public void setModifiedAt(String modifiedAt) {
 		this.modifiedAt = modifiedAt;
 	}
 
+	public void setAutoApproveError(String error) {
+		this.autoApproveError = error;
+	}
+
 	/**
 	 * Return bean name as PerunBean does.
 	 *
@@ -181,15 +189,15 @@ public String toString() {
 			", fedInfo='" + getFedInfo() + '\'' +
 			", type='" + getType().toString() + '\'' +
 			", state='" + getState().toString() + '\'' +
+			", autoApproveError='" + getAutoApproveError() + '\'' +
 			", extSourceName='" + getExtSourceName() + '\'' +
 			", extSourceType='" + getExtSourceType() + '\'' +
 			", extSourceLoa='" + getExtSourceLoa() + '\'' +
 			", user='" + getUser() + '\'' +
 			", created_at='" + getCreatedAt() + '\'' +
 			", created_by='" + getCreatedBy() + '\'' +
 			", modified_at='" + getModifiedAt() + '\'' +
-			", modified_by='" + getModifiedBy() + '\'' +
-			']';
+			", modified_by='" + getModifiedBy() + '\'' + ']';
 	}
 
 }

perun-base/src/main/resources/perun-base.xml

@@ -56,6 +56,7 @@
 		<property name="oidcIssuers" value="#{'${perun.oidc.issuers}'.split('\s*,\s*')}"/>
 		<property name="allowedCorsDomains" value="#{'${perun.allowedCorsDomains}'.split('\s*,\s*')}" />
 		<property name="pdfFontPath" value="${perun.pdfFontPath}" />
+		<property name="notifSendMessages" value="${notif.sendMessages}" />
 		<property name="smtpHost" value="${mail.smtp.host}" />
 		<property name="smtpPort" value="${mail.smtp.port}" />
 		<property name="smtpAuth" value="${mail.smtp.auth}" />
@@ -163,6 +164,7 @@
 				<prop key="perun.oidc.i2.extsource.name">https://login.elixir-czech.org/idp/</prop>
 				<prop key="perun.oidc.i2.extsource.type">cz.metacentrum.perun.core.impl.ExtSourceIdp</prop>
 
+				<prop key="notif.sendMessages">true</prop>
 				<prop key="mail.smtp.host">localhost</prop>
 				<prop key="mail.smtp.port">25</prop>
 				<prop key="mail.smtp.auth">false</prop>

perun-base/src/main/resources/perun-roles.yml

@@ -149,9 +149,10 @@ perun_roles:
 # optional word with a dash at the end can be used before the method name.
 # Example: filter-getAllMembers_Group_policy
 #
-# Each policy is composed of two parts.
+# Each policy is composed of two parts and one optional part.
 # The first one is called policy_roles, which contains privileged roles for this policy.
 # The second one is include_policies which contains policies which add their policy_roles to this policy.
+# Another part, mfa_rules, is optional and is used for defining critical objects of the method.
 #
 # The policy_roles is a list of maps, where the relation between list entries is logical OR
 # and the relation between map entries is logical AND.
@@ -185,6 +186,19 @@ perun_roles:
 #            - default_policy
 #            - getAllVos_policy
 #
+# The mfa_rules is a list of rules marking critical objects of the method, which forces user to have valid Multi-Factor
+# authentication. The objects themselves need to be marked as critical (in an attribute). Requiring MFA does not need
+# to be related to critical objects, the method itself can be marked as critical. The elements of the list are related
+# by OR relation meaning if any of the objects is critical, then the method call is considered critical.
+# Example, creating subgroup in a group:
+#     mfa_rules:
+#      - MFA: Group
+#      - MFA: Vo
+# If parent group or virtual organization is marked as critical (in an attribute), then MFA is required to call this
+# method. If
+#      - MFA:
+# would be used instead, the method would require MFA always.
+# Some roles (usually system ones) can be exempted from having MFA to call critical operation.
 perun_policies:
 
   default_policy:
@@ -1501,6 +1515,26 @@ perun_policies:
       - MFA: Group
       - MFA: Vo
 
+  addMemberCandidates_Vo_List<MemberCandidate>_Group_policy:
+    policy_roles:
+      - GROUPADMIN: Group
+      - GROUPMEMBERSHIPMANAGER: Group
+      - SPREGAPPLICATION:
+      - VOADMIN: Vo
+    include_policies:
+      - default_policy
+    mfa_rules:
+      - MFA: Group
+      - MFA: Vo
+
+  addMemberCandidates_Vo_List<MemberCandidate>_policy:
+    policy_roles:
+      - VOADMIN: Vo
+    include_policies:
+      - default_policy
+    mfa_rules:
+      - MFA: Vo
+
   removeMember_Group_Member_policy:
     policy_roles:
       - GROUPADMIN: Group

perun-base/src/test/resources/test-roles.yml

@@ -10,9 +10,10 @@ perun_roles: []
 # optional word with a dash at the end can be used before the method name.
 # Example: filter-getAllMembers_Group_policy
 #
-# Each policy is composed of two parts.
+# Each policy is composed of two parts and one optional part.
 # The first one is called policy_roles, which contains privileged roles for this policy.
 # The second one is include_policies which contains policies which add their policy_roles to this policy.
+# Another part, mfa_rules, is optional and is used for defining critical objects of the method.
 #
 # The policy_roles is a list of maps, where the relation between list entries is logical OR
 # and the relation between map entries is logical AND.
@@ -46,6 +47,19 @@ perun_roles: []
 #            - default_policy
 #            - getAllVos_policy
 #
+# The mfa_rules is a list of rules marking critical objects of the method, which forces user to have valid Multi-Factor
+# authentication. The objects themselves need to be marked as critical (in an attribute). Requiring MFA does not need
+# to be related to critical objects, the method itself can be marked as critical. The elements of the list are related
+# by OR relation meaning if any of the objects is critical, then the method call is considered critical.
+# Example, creating subgroup in a group:
+#     mfa_rules:
+#      - MFA: Group
+#      - MFA: Vo
+# If parent group or virtual organization is marked as critical (in an attribute), then MFA is required to call this
+# method. If
+#      - MFA:
+# would be used instead, the method would require MFA always.
+# Some roles (usually system ones) can be exempted from having MFA to call critical operation.
 perun_policies:
 
   default_policy:

perun-base/src/test/resources/test-schema.sql

@@ -1,4 +1,4 @@
--- database version 3.2.10 (don't forget to update insert statement at the end of file)
+-- database version 3.2.11 (don't forget to update insert statement at the end of file)
 CREATE EXTENSION IF NOT EXISTS "unaccent";
 CREATE EXTENSION IF NOT EXISTS "pgcrypto";
 
@@ -14,7 +14,7 @@ create table vos (
 					  created_by_uid integer,
 					  modified_by_uid integer,
 					  constraint vo_pk primary key (id),
-					  constraint vo_u unique (name)
+					  constraint vo_u unique (short_name)
 );
 
 -- USERS - information about user as real person
@@ -517,6 +517,7 @@ create table application (
 							  state varchar,           --state of application (new/verified/approved/rejected)
 							  extSourceLoa integer,  --level of assurance of user by external source
 							  group_id integer,      --identifier of group (groups.id) if application is for group
+							  auto_approve_error varchar,	--error that occurred during automatic approval
 							  created_at timestamp default statement_timestamp() not null,
 							  created_by varchar default user not null,
 							  modified_at timestamp default statement_timestamp() not null,
@@ -1881,7 +1882,7 @@ create index idx_fk_attr_critops ON attribute_critical_actions(attr_id);
 create index app_state_idx ON application (state);
 
 -- set initial Perun DB version
-insert into configurations values ('DATABASE VERSION','3.2.10');
+insert into configurations values ('DATABASE VERSION','3.2.11');
 -- insert membership types
 insert into membership_types (id, membership_type, description) values (1, 'DIRECT', 'Member is directly added into group');
 insert into membership_types (id, membership_type, description) values (2, 'INDIRECT', 'Member is added indirectly through UNION relation');

perun-cli-java/src/main/java/cz/metacentrum/perun/cli/PerunCLI.java

@@ -121,7 +121,7 @@ private static void call(PerunCommand command, String[] cliArgs) throws ParseExc
 		if (commandLine.hasOption(PERUN_URL_OPTION)) {
 			perunUrl = commandLine.getOptionValue(PERUN_URL_OPTION);
 		}
-		if (perunUrl == null) perunUrl = "https://perun.cesnet.cz/krb/rpc";
+		if (perunUrl == null) perunUrl = "https://perun-api.e-infra.cz/krb/rpc";
 
 		// find user and password
 		String user = System.getenv(PERUN_USER_VARIABLE);

perun-cli-java/src/main/java/cz/metacentrum/perun/cli/commands/GetFacilityByAttributeWithAttributes.java

@@ -0,0 +1,46 @@
+package cz.metacentrum.perun.cli.commands;
+
+import cz.metacentrum.perun.cli.PerunCLI;
+import cz.metacentrum.perun.cli.PerunCommand;
+import cz.metacentrum.perun.openapi.model.FacilityWithAttributes;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.Options;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Prints owners of facilities having the specified destination.
+ *
+ * @author Martin Kuba [email protected]
+ */
+@SuppressWarnings("unused")
+public class GetFacilityByAttributeWithAttributes extends PerunCommand {
+
+	@Override
+	public String getCommandDescription() {
+		return "prints attributes of facilities found by attribute value";
+	}
+
+	@Override
+	public void addOptions(Options options) {
+		options.addOption(Option.builder("a").required(true).hasArg(true).longOpt("attrName").desc("attribute name").build());
+		options.addOption(Option.builder("v").required(true).hasArg(true).longOpt("attrValue").desc("attribute value").build());
+		options.addOption(Option.builder("r").required(true).hasArg(true).longOpt("returnedAttributeNames").desc("names of returned attributes").build());
+	}
+
+	@Override
+	public void executeCommand(PerunCLI.CommandContext ctx) {
+		String attributeName = ctx.getCommandLine().getOptionValue("a");
+		String attributeValue = ctx.getCommandLine().getOptionValue("v");
+		List<String> attrNames = Arrays.asList(ctx.getCommandLine().getOptionValue("r").split(","));
+
+		List<FacilityWithAttributes> facilities = ctx.getPerunRPC().getFacilitiesManager().getFacilitiesByAttributeWithAttributes(attributeName, attributeValue, attrNames);
+
+		for (FacilityWithAttributes facility : facilities) {
+			System.out.println(facility);
+		}
+
+	}
+
+}

perun-cli-python/generate.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-GENERATOR_VERSION=6.2.1
+GENERATOR_VERSION=6.3.0
 if [ ! -f  "openapi-generator-cli-$GENERATOR_VERSION.jar" ] ; then
   wget https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/$GENERATOR_VERSION/openapi-generator-cli-$GENERATOR_VERSION.jar
 fi

perun-cli-python/perun/cli/getFacilitiesByAttribute.py

@@ -0,0 +1,40 @@
+from typing import Optional
+from typer import Option
+from perun_openapi import ApiException
+from rich import print
+from rich.console import Console
+from rich.table import Table
+from perun.rpc import PerunException
+import perun.cli
+import typer
+
+from perun_openapi.model.facility import Facility
+
+
+def main(attr_name: str = Option(..., '-a', '--attributeName', help='attribute name (namespace + : + friendlyName)'),
+         attr_value: str = Option(..., '-v', '--attributeValue', help='short name of VO'),
+         sort_by_id: bool = typer.Option(False, '-i', '--orderById', help='order by id'),
+         sort_by_name: bool = typer.Option(False, '-n', '--orderByName', help='order by short name')
+         ) -> None:
+    """ search for facilities by attributeName and attributeValue """
+    rpc = perun.cli.rpc
+    try:
+        facilities: list[Facility] = rpc.facilities_manager.get_facilities_by_attribute(attr_name, attr_value)
+        if sort_by_id:
+            facilities.sort(key=lambda x: x.id)
+        if sort_by_name:
+            facilities.sort(key=lambda x: x.name)
+        console = Console()
+        # print user
+        table = Table(title="facilities")
+        table.add_column("id", justify="right")
+        table.add_column("name")
+        table.add_column("description")
+        for facility in facilities:
+            table.add_row(str(facility.id), str(facility.name), str(facility.description))
+        console.print(table)
+
+    except ApiException as ex:
+        print('error name:', PerunException(ex).name)
+        print('error message:', PerunException(ex).message)
+    raise typer.Exit(code=1)