Merge pull request #54 from 1Password/sl/fix/manage-owner-permissions

scottisloud · web-flow · commit 9d28b218a70c · 2024-01-26T17:14:42.000-08:00
Sl/fix/manage owner permissions
diff --git a/migration/cleanup-scripts/move_items_to_tracked_vault.py b/migration/cleanup-scripts/move_items_to_tracked_vault.py
@@ -2,6 +2,7 @@
 import json
 import os
 import subprocess
+import sys
 
 scriptPath = os.path.dirname(__file__)
 outputPath = scriptPath  # Optionally choose an alternative output path here.
@@ -19,6 +20,19 @@ def __init__(self, name, uuid, itemCount, created, updated):
 # Get a list of vaults the logged-in user has access to
 # Skips any Private vaults and the Metadata vault.
 # Fetches all vault details and returns them as a Python object
+def getOwnerGroupUUID():
+    results = subprocess.run(
+        ["op", "group", "get", "Owners", "--format=json"],
+        capture_output=True,
+        check=True,
+    )
+    if results.returncode != 0:
+        sys.exit(
+            "Unable to get the UUID of the Owners group. Ensure you are signed into 1Password and are a member of the Owners group."
+        )
+    return json.loads(results.stdout)["id"]
+
+
 def getVaults():
     vaults = []
     try:
@@ -75,10 +89,32 @@ def identifyTrackedVault(vaultGroupName, vaults):
     return dataVault, trackedVault, otherVaults
 
 
+def getOwnerPermissions(vaultID, ownerID):
+    groupListResults = subprocess.run(
+        [
+            "op",
+            "vault",
+            "group",
+            "list",
+            f"{vaultID}",
+            "--format=json",
+        ],
+        capture_output=True,
+    )
+    if groupListResults.returncode != 0:
+        print(
+            f"\t⚠️ Unable to get a list of groups with access to vault with UUID {vaultID} and cannot record Owner's permissions."
+        )
+    jsonData = json.loads(groupListResults.stdout)
+    ownerDetails = [group for group in jsonData if group["id"] == ownerID]
+    ownerPermissions = ",".join(ownerDetails[0]["permissions"])
+    return ownerPermissions
+
+
 def grantOwnerPermissions(vaultID):
     ownerPermissions = "view_items,create_items,edit_items,archive_items,delete_items,view_and_copy_passwords,view_item_history,import_items,export_items,copy_and_share_items,print_items,manage_vault"
     print(f"\tUpdating permissions on duplicate vault with UUID: {vaultID}")
-    subprocess.run(
+    results = subprocess.run(
         [
             "op",
             "vault",
@@ -91,6 +127,47 @@ def grantOwnerPermissions(vaultID):
         ],
         capture_output=True,
     )
+    if results.returncode != 0:
+        print(
+            f"⚠️ Unable to set Owner permissions on vault with UUID: {vaultID}. Error: {results.stderr}"
+        )
+
+
+def resetOwnerPermissions(trackedVault, ownerPermissions):
+    allPermissions = "view_items,create_items,edit_items,archive_items,delete_items,view_and_copy_passwords,view_item_history,import_items,export_items,copy_and_share_items,print_items,manage_vault"
+    print(
+        f"\tResetting owner permissions on tracked vault with UUID: {trackedVault.uuid}"
+    )
+    subprocess.run(
+        [
+            "op",
+            "vault",
+            "group",
+            "revoke",
+            f"--vault={trackedVault.uuid}",
+            f"--group=Owners",
+            f"--permissions={allPermissions}",
+            "--no-input",
+        ],
+        capture_output=True,
+    )
+    results = subprocess.run(
+        [
+            "op",
+            "vault",
+            "group",
+            "grant",
+            f"--vault={trackedVault.uuid}",
+            f"--group=Owners",
+            f"--permissions={ownerPermissions}",
+            "--no-input",
+        ],
+        capture_output=True,
+    )
+    if results.returncode != 0:
+        print(
+            f"⚠️ Unable to reset Owner permissions on vault with UUID: {trackedVault.uuid}. Error: {results.stderr}"
+        )
 
 
 def getVaultItems(vaultID):
@@ -164,15 +241,13 @@ def revokeUntrackedVaultPermissions(untrackedVaults):
         allgroups = json.loads(
             subprocess.run(
                 ["op", "vault", "group", "list", vault.uuid, "--format=json"],
-                check=True,
                 capture_output=True,
                 text=True,
             ).stdout
         )
         allUsers = json.loads(
             subprocess.run(
                 ["op", "vault", "user", "list", vault.uuid, "--format=json"],
-                check=True,
                 capture_output=True,
                 text=True,
             ).stdout
@@ -222,6 +297,7 @@ def main():
     vaults = []
     vaultGroups = {}
     vaultDetails = getVaults()
+    ownerGroupUUID = getOwnerGroupUUID()
 
     for vault in vaultDetails:
         vaults.append(
@@ -247,6 +323,7 @@ def main():
         vaultGroups[vault.name].append(vault)
 
     for vaultGroupName, vaults in vaultGroups.items():
+        ownerPermissionsTracked = ""
         if len(vaults) == 1:
             print(
                 f"Vault with name '{vaultGroupName}' is unique. Skipping de-duplication."
@@ -256,12 +333,13 @@ def main():
         print(
             f"\tGranting Owners group required permissions for vault named '{vaultGroupName}'"
         )
-        for vault in vaults:
-            grantOwnerPermissions(vault.uuid)
-
         trackedVault, dataVault, otherVaults = identifyTrackedVault(
             vaultGroupName, vaults
         )
+        ownerPermissionsTracked = getOwnerPermissions(trackedVault.uuid, ownerGroupUUID)
+        for vault in vaults:
+            grantOwnerPermissions(vault.uuid)
+
         otherVaultNames = "none"
         if len(otherVaults) > 0:
             otherVaultNames = ""
@@ -275,6 +353,7 @@ def main():
         untrackedVaults = otherVaults
         untrackedVaults.append(dataVault)
         renameUntrackedVaults(untrackedVaults)
+        resetOwnerPermissions(trackedVault, ownerPermissionsTracked)
         revokeUntrackedVaultPermissions(untrackedVaults)
 
 
