pythonghana
diff --git a/‎.gitignore
Lines changed: 17 additions & 0 deletions b/‎.gitignore
Lines changed: 17 additions & 0 deletions
diff --git a/‎3rdparty/python/BUILD
Lines changed: 1 addition & 0 deletions b/‎3rdparty/python/BUILD
Lines changed: 1 addition & 0 deletions
diff --git a/‎3rdparty/python/requirements.txt
Lines changed: 40 additions & 0 deletions b/‎3rdparty/python/requirements.txt
Lines changed: 40 additions & 0 deletions
diff --git a/‎BUILD
Lines changed: 49 additions & 0 deletions b/‎BUILD
Lines changed: 49 additions & 0 deletions
diff --git a/‎config/config.example.yml
Lines changed: 91 additions & 0 deletions b/‎config/config.example.yml
Lines changed: 91 additions & 0 deletions
diff --git a/‎config/gate_keeping_service.aurora
Lines changed: 32 additions & 0 deletions b/‎config/gate_keeping_service.aurora
Lines changed: 32 additions & 0 deletions
diff --git a/‎forms.py
Lines changed: 85 additions & 0 deletions b/‎forms.py
Lines changed: 85 additions & 0 deletions
@@ -1,3 +1,17 @@
+## PROJECT SPECIFIC SECTION
+
+# Ignore config files
+config/config.yml
+
+# Ignore GApps keyfiles
+config/google_api_service_account_keyfile.json
+
+# Ignore static JS libs
+static/bower_components/*
+
+
+## MISC FILES SECTION
+
 # Temp files
 *#
 .#*
@@ -20,6 +34,9 @@ dist
 .pids
 .pants.workdir.file_lock
 
+
+## GITHUB TEMPLATE SECTION
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
 
@@ -0,0 +1 @@
+python_requirements()
@@ -0,0 +1,40 @@
+certifi==2017.11.5
+chardet==3.0.4
+click==6.7
+Flask==0.12.2
+Flask-WTF==0.14.2
+gevent==1.2.2
+google-api-python-client==1.6.4
+greenlet==0.4.12
+gunicorn==19.7.1
+httplib2==0.10.3
+idna==2.6
+itsdangerous==0.24
+Jinja2==2.10
+MarkupSafe==1.0
+mock==2.0.0
+oauth2client==4.1.2
+pyasn1==0.4.2
+pyasn1-modules==0.2.1
+pycrypto==2.6.1
+python-ldap==3.1.0
+PyYAML==3.12
+requests==2.18.4
+rsa==3.4.2
+six==1.11.0
+simplejson==3.15.0
+SocksiPy-branch==1.1
+twitter.common.app==0.3.9
+twitter.common.collections==0.3.9
+twitter.common.contextutil==0.3.9
+twitter.common.dirutil==0.3.9
+twitter.common.lang==0.3.9
+twitter.common.log==0.3.9
+twitter.common.options==0.3.9
+twitter.common.process==0.3.9
+twitter.common.string==0.3.9
+twitter.common.util==0.3.9
+uritemplate==3.0.0
+urllib3==1.22
+Werkzeug==0.13
+WTForms==2.1
@@ -0,0 +1,49 @@
+python_binary(
+  name = "gate-keeping-service",
+  source = "gate_keeping_service.py",
+  zip_safe = False,
+  dependencies = [
+    ":gatekeeper_dependencies",
+  ],
+)
+
+python_library(
+  name = "gatekeeper_dependencies",
+  sources = globs("*.py", "templates/*"),
+  dependencies = [
+    "3rdparty/python:twitter.common.app",
+    "3rdparty/python:twitter.common.log",
+    "3rdparty/python:Flask",
+    "3rdparty/python:Flask-WTF",
+    "3rdparty/python:MarkupSafe",
+    "3rdparty/python:WTForms",
+    "3rdparty/python:gevent",
+    "3rdparty/python:greenlet",
+    "3rdparty/python:pycrypto",
+    "lib:pagerduty",
+    "lib:google_api",
+    "lib:gunicorn_wrapper",
+    "lib:ldap_client"
+  ],
+)
+
+python_binary(
+  name = "runner",
+  source = "runner.py",
+  dependencies = [
+    ":runner_dependencies",
+  ],
+)
+
+python_library(
+  name = "runner_dependencies",
+  sources = globs("runner.py"),
+  dependencies = [
+    "3rdparty/python:twitter.common.log",
+    "3rdparty/python:pycrypto",
+    "lib:pagerduty",
+    "lib:google_api",
+    "lib:ldap_client"
+  ],
+)
+
@@ -0,0 +1,91 @@
+defaults:
+  # Environment used. Choose between 'production' and 'testing'.
+  environment: "testing"
+  base_dir: "."
+  use_https: false
+  debug: true
+  flask_secret: "CHANGE_ME"
+  http_proxy:
+    use_proxy: false
+    proxy_url: "CHANGE_ME"
+    proxy_port: 8080
+    proxy_user: "CHANGE_ME"
+    proxy_pass: "CHANGE_ME"
+
+ldap:
+  base_dn: "CHANGE_ME"
+  pass: "CHANGE_ME"
+  uri: "CHANGE_ME"
+  user: "CHANGE_ME"
+  queries:
+    all_users: "CHANGE_ME"
+    user_is_valid: "CHANGE_ME"
+    user_is_active: "CHANGE_ME"
+    user_info: "(uid=USER)"
+  fields:
+    full_name: "cn"
+    first_name: "givenName"
+    role: "CHANGE_ME"
+    team: "CHANGE_ME"
+    org: "CHANGE_ME"
+    location: "CHANGE_ME"
+    start_date: "CHANGE_ME"
+    uid_number: "uidNumber"
+    groups: "memberOf"
+    photo_url: "CHANGE_ME"
+
+pagerduty:
+  base_url: "https://api.pagerduty.com/"
+  api_key: "CHANGE_ME"
+
+google_apps:
+  admin_user: "gate-keeping-admin"
+  domain: "testdomain.com"
+  credentials_keyfile: "google_api_service_account_keyfile.json"
+  api_scopes:
+    - "https://www.googleapis.com/auth/admin.directory.user"
+    - "https://www.googleapis.com/auth/admin.directory.user.security"
+    - "https://www.googleapis.com/auth/admin.directory.group.member"
+    - "https://www.googleapis.com/auth/gmail.settings.basic"
+    - "https://www.googleapis.com/auth/gmail.settings.sharing"
+    - "https://www.googleapis.com/auth/calendar"
+    - "https://www.googleapis.com/auth/drive"
+
+# Note: the items in the following lists MUST match the names of the fields for each form
+# See forms.py for more info.
+actions:
+  google_admin: &google_admin
+    RESET_PASSWORD: true
+    DELETE_ASPS: true
+    DELETE_TOKENS: true
+    INVALIDATE_BACKUP_CODES: true
+    ORG_UNIT_CHANGE: true
+    ORG_UNIT_RESET: true
+  google_gmail: &google_gmail
+    SET_OOO_MSG: false
+    DISABLE_IMAP: true
+    DISABLE_POP: true
+  google_calendar: &google_calendar
+    CHANGE_EVENTS_OWNERSHIP: true
+    REMOVE_FUTURE_EVENTS: true
+  google_drive: &google_drive
+    NEW_FILES_OWNER: true
+    FILE_SEARCH: true
+  pagerduty: &pagerduty
+    REMOVE_FROM_ONCALLS: true
+  duo: &duo
+    REMOVE_FROM_DUO: false
+
+action_groups:
+  offboard:
+    <<: *google_admin
+    <<: *google_gmail
+    <<: *google_calendar
+    <<: *pagerduty
+  lost_asset:
+    - RESET_PASSWORD
+    - DELETE_ASPS
+    - DELETE_TOKENS
+    - INVALIDATE_BACKUP_CODES
+    - DISABLE_IMAP
+    - DISABLE_POP
@@ -0,0 +1,32 @@
+run_service = Process(
+  name = 'run_service',
+  cmdline = '''
+    chmod +x ./gate-keeping-service.pex &&
+    unzip ./gate-keeping-service.pex &&
+    unzip -o ./gate-keeping-service-res.zip &&
+    ./gate-keeping-service.pex --port {{thermos.ports[http]}} --env {{environment}}
+  ''')
+
+stage_src = Packer.copy('gate-keeping-service')
+stage_res = Packer.copy('gate-keeping-service-res')
+
+task = SequentialTask(
+  name = 'gate-keeping-service',
+  processes = [stage_src, stage_res, run_service],
+  resources = Resources(cpu = 2, ram = 8 * GB, disk = 1 * GB))
+
+job = Service(
+  name = 'gate-keeping-service',
+  task = task,
+  role = 'gate-keeping-services',
+  contact = 'CHANGE_ME',
+  announce = Announcer(),
+  constraints = job_constraints)
+
+jobs = [
+  job(cluster = 'dc1', environment = 'devel', instances = 1),
+  job(cluster = 'dc2a', environment = 'test', instances = 1),
+  job(cluster = 'dc2b', environment = 'test', instances = 1),
+  job(cluster = 'dc3a', environment = 'prod', instances = 1),
+  job(cluster = 'dc3b', environment = 'prod', instances = 1),
+]
@@ -0,0 +1,85 @@
+from flask_wtf import FlaskForm
+from wtforms import BooleanField, StringField, TextAreaField, validators
+
+
+"""
+Note: field names must match the method names used by the various API client libraries.
+Libraries are located under twexit/lib.
+"""
+
+
+class BaseForm(FlaskForm):
+  def __iter__(self):
+    token = self.csrf_token
+    yield token
+
+    field_names = {token.name}
+    for cls in self.__class__.__bases__:
+      for field in cls():
+        field_name = field.name
+        if field_name not in field_names:
+          field_names.add(field_name)
+          yield self[field_name]
+
+    for field_name in self._fields:
+      if field_name not in field_names:
+        yield self[field_name]
+
+
+class UserIdForm(BaseForm):
+  USER_ID = StringField('LDAP user name', [validators.DataRequired(), validators.Length(min=2)])
+
+
+class GoogleAdminApiForm(BaseForm):
+  RESET_PASSWORD = BooleanField('Reset Google apps password')
+  DELETE_ASPS = BooleanField('Purge application specific passwords')
+  DELETE_TOKENS = BooleanField('Purge 3rd party access tokens')
+  INVALIDATE_BACKUP_CODES = BooleanField('Invalidate backup codes')
+  ORG_UNIT_CHANGE = BooleanField('Move to Offboarded OU')
+  ORG_UNIT_RESET = BooleanField('Restore move to Offboarded OU')
+
+
+class GoogleGmailApiForm(BaseForm):
+  SET_OOO_MSG = BooleanField('Set Out Of Office message')
+  OOO_MSG_TEXT = TextAreaField('Message text', [validators.Length(min=2)])
+  DISABLE_IMAP = BooleanField('Disable IMAP email')
+  DISABLE_POP = BooleanField('Disable POP email')
+
+
+class GoogleCalendarApiForm(BaseForm):
+  CHANGE_EVENTS_OWNERSHIP = BooleanField('Change events ownership')
+  GCAL_NEW_OWNER = StringField('LDAP of new owner', [validators.Length(min=2)])
+  REMOVE_FUTURE_EVENTS = BooleanField('Delete future dated events')
+
+
+class PagerDutyApiForm(BaseForm):
+  REMOVE_FROM_ONCALLS = BooleanField('Remove from OnCall rotas')
+
+
+class DuoApiForm(BaseForm):
+  REMOVE_FROM_DUO = BooleanField('Remove from DUO')
+
+
+class GoogleApiForms(GoogleAdminApiForm, GoogleGmailApiForm, GoogleCalendarApiForm):
+  pass
+
+
+class OffboardForm(UserIdForm, GoogleApiForms, PagerDutyApiForm, DuoApiForm):
+  pass
+
+
+class LostAssetForm(UserIdForm, GoogleAdminApiForm, GoogleGmailApiForm):
+  pass
+
+
+class GoogleMailForwardingForm(BaseForm):
+  SET_MAIL_FORWARDING = BooleanField('Set a mail forwarding address')
+
+
+class GoogleDriveForm(BaseForm):
+  FILE_SEARCH = StringField('File Search Query', [validators.Length(min=2)])
+  NEW_OWNER = StringField('New files owner', [validators.DataRequired(), validators.Length(min=2)])
+
+
+class FilesOwnershipTransferForm(UserIdForm, GoogleDriveForm):
+  pass