def test_delete_role(ldap_connection): """Delete a AD role in NEXT and all related tables Args: ldap_connection: obj: A bound mock mock_ldap_connection """ create_fake_user(ldap_connection, "jchan", "Jackie C", "Jackiec") user_remote_id = "CN=jchan,OU=Users,OU=Accounts,DC=AD2012,DC=LAB" fake_user = get_fake_user(ldap_connection, "jchan") put_in_inbound_queue(fake_user, "user") create_fake_group(ldap_connection, "sysadmins", "sysadmins", user_remote_id) fake_group = get_fake_group(ldap_connection, "sysadmins") put_in_inbound_queue(fake_group, "group") time.sleep(3) group_distinct_name = "CN=sysadmins,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB" addMembersToGroups.ad_add_members_to_groups(ldap_connection, user_remote_id, group_distinct_name, fix=True) assert is_user_the_role_owner("sysadmins", "jchan") is True assert is_group_in_db("sysadmins") is True role = get_role("sysadmins") role_id = role[0]["role_id"] insert_deleted_entries( ["CN=sysadmins,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB"], "group_deleted", ) time.sleep(3) is_role_removed = wait_for_resource_removal_in_db("roles", "name", "sysadmins") assert is_role_removed is True is_owner_removed = wait_for_resource_removal_in_db("role_owners", "role_id", role_id) assert is_owner_removed is True is_member_removed = wait_for_resource_removal_in_db( "role_members", "role_id", role_id) assert is_member_removed is True
def test_add_group_member(ldap_connection, group, user): """Adds a user as a member of the given group. Args: ldap_connection: obj: A bound mock ldap connection group: obj: dict: common_name: str: A common name of a group AD object. name: str: A name of a group AD object. user: obj: dict: common_name: str: A common name of an AD user object. name: str: A username of an AD user object. given_name: str: A given name of an AD user object. """ user_distinct_name = [ "CN=%s,OU=Users,OU=Accounts,DC=AD2012,DC=LAB" % user["common_name"] ] group_distinct_name = [ "CN=%s,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB" % group["common_name"] ] addMembersToGroups.ad_add_members_to_groups(ldap_connection, user_distinct_name, group_distinct_name, fix=True) update_when_changed(ldap_connection, group_distinct_name) fake_group = get_fake_group(ldap_connection, group["common_name"]) put_in_inbound_queue(fake_group, "group") # wait for the fake group to be ingested by rbac_ledger_sync time.sleep(3) result = is_user_a_role_member(group["common_name"], user["common_name"]) assert result is True
def test_delete_user(ldap_connection): """Deletes a AD user in NEXT Args: ldap_connection: obj: A bound mock mock_ldap_connection """ # Create fake user and attach as owner to a role create_fake_user(ldap_connection, "jchan20", "Jackie Chan", "Jackie") user_remote_id = "CN=jchan20,OU=Users,OU=Accounts,DC=AD2012,DC=LAB" create_fake_group(ldap_connection, "jchan_role", "jchan_role", user_remote_id) group_distinct_name = ( "CN=jchan_role,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB") addMembersToGroups.ad_add_members_to_groups(ldap_connection, user_remote_id, group_distinct_name, fix=True) fake_user = get_fake_user(ldap_connection, "jchan20") put_in_inbound_queue(fake_user, "user") fake_group = get_fake_group(ldap_connection, "jchan_role") put_in_inbound_queue(fake_group, "group") time.sleep(3) # See if owner and role are in the system email = "*****@*****.**" assert is_user_in_db(email) is True assert is_group_in_db("jchan_role") is True # See if all LDAP user has entries in the following # off chain tables: user_mapping and metadata user = get_user_in_db_by_email(email) next_id = user[0]["next_id"] assert get_user_mapping_entry(next_id) assert get_user_metadata_entry(next_id) # See that the owner is assigned to correct role role = get_role("jchan_role") owners = get_role_owners(role[0]["role_id"]) members = get_role_members(role[0]["role_id"]) assert owners[0]["related_id"] == next_id assert members[0]["related_id"] == next_id # Create a NEXT role with LDAP user as an admin and # check for LDAP user's entry in auth table next_role_id = create_next_role_ldap(user=user[0], role_name="managers") admins = get_role_admins(next_role_id) assert admins[0]["related_id"] == next_id assert get_auth_entry(next_id) # Create a NEXT pack with LDAP user as an owner next_pack_id = create_pack_ldap(user=user[0], pack_name="technology department") assert check_user_is_pack_owner(next_pack_id, next_id) # Delete user and verify LDAP user and related off chain # table entries have been deleted, role still exists # and role relationships have been deleted insert_deleted_entries([user_remote_id], "user_deleted") time.sleep(3) assert get_deleted_user_entries(next_id) == [] assert get_pack_owners_by_user(next_id) == [] assert is_group_in_db("jchan_role") is True assert get_role_owners(role[0]["role_id"]) == [] assert get_role_admins(next_role_id) == [] assert get_role_members(role[0]["role_id"]) == [] delete_role_by_name("managers") delete_pack_by_name("technology department")
def _ldap_utilities_add_to_groups_function(self, event, *args, **kwargs): """Function: A function that allows adding multiple users to multiple groups""" log = logging.getLogger(__name__) try: yield StatusMessage("Starting ldap_utilities_add_to_groups") # Instansiate helper (which gets appconfigs from file) helper = LDAPUtilitiesHelper(self.options) yield StatusMessage("Appconfig Settings OK") # Get function inputs input_ldap_multiple_user_dn_asString = helper.get_function_input( kwargs, "ldap_multiple_user_dn" ) # text (required) [string repersentation of an array] input_ldap_multiple_group_dn_asString = helper.get_function_input( kwargs, "ldap_multiple_group_dn" ) # text (required) [string repersentation of an array] yield StatusMessage("Function Inputs OK") if not helper.LDAP_IS_ACTIVE_DIRECTORY: raise FunctionError( "This function only supports an Active Directory connection. Make sure ldap_is_active_directory is set to True in the app.config file" ) try: # Try converting input to an array input_ldap_multiple_user_dn = literal_eval( input_ldap_multiple_user_dn_asString) input_ldap_multiple_group_dn = literal_eval( input_ldap_multiple_group_dn_asString) except Exception: raise ValueError( """input_ldap_multiple_user_dn and input_ldap_multiple_group_dn must be a string repersenation of an array e.g. "['dn=Accounts Group,dc=example,dc=com', 'dn=IT Group,dc=example,dc=com']" """ ) # Instansiate LDAP Server and Connection c = helper.get_ldap_connection() try: # Bind to the connection c.bind() except Exception as err: raise ValueError( "Cannot connect to LDAP Server. Ensure credentials are correct\n Error: {0}" .format(err)) # Inform user msg = "Connected to {0}".format("Active Directory") yield StatusMessage(msg) res = False try: yield StatusMessage("Attempting to add user(s) to group(s)") # perform the removeMermbersFromGroups operation res = ad_add_members_to_groups(c, input_ldap_multiple_user_dn, input_ldap_multiple_group_dn, True) except Exception: raise ValueError("Ensure all user and group DNs exist") finally: # Unbind connection c.unbind() results = { "success": res, "users_dn": input_ldap_multiple_user_dn, "groups_dn": input_ldap_multiple_group_dn } log.info("Completed") # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()
def add_user_group(self, user_dn, group_dn): response = ad_add_members_to_groups(self.__ldap__, user_dn, group_dn) return response
def _ldap_md_utilities_add_to_groups_function(self, event, *args, **kwargs): """Function: A function that allows adding multiple users to multiple groups""" try: # Get the wf_instance_id of the workflow this Function was called in wf_instance_id = event.message["workflow_instance"][ "workflow_instance_id"] yield StatusMessage( "Starting 'ldap_md_utilities_add_to_groups' running in workflow '{0}'" .format(wf_instance_id)) # Get the function parameters: ldap_md_domain_name = kwargs.get("ldap_md_domain_name") # text ldap_md_multiple_user_dn = kwargs.get( "ldap_md_multiple_user_dn") # text ldap_md_multiple_group_dn = kwargs.get( "ldap_md_multiple_group_dn") # text log = logging.getLogger(__name__) log.info("ldap_md_domain_name: %s", ldap_md_domain_name) log.info("ldap_md_multiple_user_dn: %s", ldap_md_multiple_user_dn) log.info("ldap_md_multiple_group_dn: %s", ldap_md_multiple_group_dn) yield StatusMessage("Function Inputs OK") # Instansiate helper (which gets appconfigs from file) helper = LDAPUtilitiesHelper(self.options, ldap_md_domain_name) log.info("[app.config] -ldap_server: %s", helper.LDAP_SERVER) log.info("[app.config] -ldap_user_dn: %s", helper.LDAP_USER_DN) yield StatusMessage("Appconfig Settings OK") ############################################## if not helper.LDAP_IS_ACTIVE_DIRECTORY: raise FunctionError( "This function only supports an Active Directory connection. Make sure ldap_is_active_directory is set to True in the app.config file" ) try: # Try converting input to an array ldap_md_multiple_user_dn = literal_eval( ldap_md_multiple_user_dn) ldap_md_multiple_group_dn = literal_eval( ldap_md_multiple_group_dn) except Exception: raise ValueError( """ldap_md_multiple_user_dn and ldap_md_multiple_group_dn must be a string repersenation of an array e.g. "['dn=Accounts Group,dc=example,dc=com', 'dn=IT Group,dc=example,dc=com']" """ ) # Instansiate LDAP Server and Connection c = helper.get_ldap_connection() try: # Bind to the connection c.bind() except Exception as err: raise ValueError( "Cannot connect to LDAP Server. Ensure credentials are correct\n Error: {0}" .format(err)) # Inform user msg = "Connected to {0}".format("Active Directory") yield StatusMessage(msg) res = False try: yield StatusMessage("Attempting to add user(s) to group(s)") # perform the removeMermbersFromGroups operation res = ad_add_members_to_groups(c, ldap_md_multiple_user_dn, ldap_md_multiple_group_dn, True) # Test: res = 'ad_add_members_to_groups(c, ' + str(ldap_md_multiple_user_dn) + ', ' + str(ldap_md_multiple_group_dn) + ', True)' except Exception: raise ValueError("Ensure all user and group DNs exist") finally: # Unbind connection c.unbind() ############################################## results = { "success": res, "domain_name": ldap_md_domain_name, "users_dn": ldap_md_multiple_user_dn, "groups_dn": ldap_md_multiple_group_dn } yield StatusMessage( "Finished 'ldap_md_utilities_add_to_groups' that was running in workflow '{0}'" .format(wf_instance_id)) # Produce a FunctionResult with the results yield FunctionResult(results) except Exception: yield FunctionError()