# # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one # or more contributor license agreements. Licensed under the Elastic License 2.0; # you may not use this file except in compliance with the Elastic License 2.0. # """This module allows to run a deletion sync against a Sharepoint Server instance. It will attempt to remove from Enterprise Search instance the documents that have been deleted from the third-party system.""" import csv import os from ees_sharepoint.base_command import BaseCommand from .checkpointing import Checkpoint from .sync_sharepoint import get_results from .usergroup_permissions import Permissions class PermissionSyncDisabledException(Exception): """Exception raised when permission sync is disabled, but expected to be enabled. Attributes: message -- explanation of the error """ def __init__(self, message="Provided configuration was invalid"): super().__init__(message) self.message = message class PermissionSyncCommand(BaseCommand): """This class contains logic to sync user permissions from Sharepoint Server. It can be used to run the job that will periodically sync permissions from Sharepoint Server to Elastic Enteprise Search.""" def __init__(self, args): super().__init__(args) config = self.config self.ws_source = config.get_value("workplace_search.source_id") self.objects = config.get_value("objects") self.site_collections = config.get_value("sharepoint.site_collections") self.enable_permission = config.get_value("enable_document_permission") self.mapping_sheet_path = config.get_value("sharepoint_workplace_user_mapping") self.checkpoint = Checkpoint(config, self.logger) self.permissions = Permissions(self.sharepoint_client, self.workplace_search_custom_client, self.logger) def get_users_id(self): """This method returns the dictionary of dictionaries containing users and their id as a key value pair for all the site-collections.""" user_ids = {} for collection in self.site_collections: user_id_collection = {} rel_url = f"sites/{collection}/_api/web/siteusers" response = self.sharepoint_client.get(rel_url, "?", "permission_users") if not response: self.logger.error("Could not fetch the SharePoint users") continue users = get_results(self.logger, response.json(), "sharepoint_users") for user in users: user_id_collection[user["Title"]] = user["Id"] user_ids.update({collection: user_id_collection}) return user_ids def get_user_groups(self, user_ids): """This method returns the groups of each user in all the site-collections :param user_ids: user ids to fetch the groups of the specific user""" user_group = {} for collection in self.site_collections: user_group_collection = {} rel_url = f"sites/{collection}/" for name, user_id in user_ids[collection].items(): response = self.permissions.fetch_groups(rel_url, user_id) if response: groups = get_results(self.logger, response.json(), "user_groups") if groups: user_group_collection[name] = [group["Title"] for group in groups] user_group.update({collection: user_group_collection}) return user_group def workplace_add_permission(self, permissions): """This method when invoked would index the permission provided in the paramater for the user in paramter user_name :param permissions: dictionary of dictionaries containing permissions of all the users in each site-collection.""" for collection in self.site_collections: for user_name, permission_list in permissions[collection].items(): self.workplace_search_custom_client.add_permissions(user_name, permission_list) def sync_permissions(self): """This method when invoked, checks the permission of SharePoint users and update those user permissions in the Workplace Search.""" rows = {} if os.path.exists(self.mapping_sheet_path) and os.path.getsize(self.mapping_sheet_path) > 0: with open(self.mapping_sheet_path) as file: csvreader = csv.reader(file) for row in csvreader: rows[row[0]] = row[1] users = self.get_users_id() user_names = {} user_groups = {} if users: for collection in self.site_collections: user_name_collection = {} for user, user_id in users[collection].items(): user_name_collection.update({rows.get(user, user): user_id}) user_names.update({collection: user_name_collection}) user_groups = self.get_user_groups(user_names) # delete all the permissions present in workplace search self.permissions.remove_all_permissions() if user_groups: # add all the updated permissions self.workplace_add_permission(user_groups) def execute(self): """Runs the permission indexing logic""" logger = self.logger config = self.config logger.info("Starting the permission indexing..") enable_permission = config.get_value("enable_document_permission") if not enable_permission: logger.warn("Exiting as the enable permission flag is set to False") raise PermissionSyncDisabledException self.sync_permissions()