def test_error(self, mock_check_output):
    """A kadmin failure other than a missing principal is surfaced as ValueError.

    The patched check_output is made to fail with an unrelated kadmin error
    message, which the lookup must not swallow or misread as "absent".
    """
    kadmin_cmd = [
        '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
        'get', 'ggroup',
    ]
    mock_check_output.side_effect = subprocess.CalledProcessError(
        1, kadmin_cmd, b'kadmin: get ggroup: no such file or directory',
    )
    with pytest.raises(ValueError):
        get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
def test_error(self, mock_check_output):
    """A generic kadmin error must propagate as ValueError.

    Only a "does not exist" answer is a valid negative lookup; anything else
    (here a missing keytab file) has to be reported to the caller.
    """
    failure = subprocess.CalledProcessError(
        returncode=1,
        cmd=['/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin', 'get', 'ggroup'],
        output=b'kadmin: get ggroup: no such file or directory',
    )
    mock_check_output.side_effect = failure
    with pytest.raises(ValueError):
        get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
def test_nonexistent_principal(self, mock_check_output):
    """kadmin's "Principal does not exist" error yields a falsy result, not an exception."""
    mock_check_output.side_effect = subprocess.CalledProcessError(
        returncode=1,
        cmd=['/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin', 'get', 'ggroup'],
        output=b'kadmin: get ggroup: Principal does not exist',
    )
    result = get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
    assert not result
def test_existing_principal(self, mock_check_output):
    """When kadmin succeeds the lookup is truthy and kadmin is invoked exactly once.

    The assertion also pins the exact argv, the 10 second timeout and the
    stderr-to-stdout redirection the lookup relies on to read kadmin's message.
    """
    principal, keytab, admin = 'ggroup', '/some/keytab', 'create/admin'
    assert get_kerberos_principal_with_keytab(principal, keytab, admin)
    mock_check_output.assert_called_once_with(
        ['/usr/bin/kadmin', '-K', keytab, '-p', admin, 'get', principal],
        timeout=10,
        stderr=subprocess.STDOUT,
    )
def test_nonexistent_principal(self, mock_check_output):
    """A missing principal is reported as a falsy value rather than raised."""
    kadmin_cmd = [
        '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
        'get', 'ggroup',
    ]
    mock_check_output.side_effect = subprocess.CalledProcessError(
        1, kadmin_cmd, b'kadmin: get ggroup: Principal does not exist',
    )
    assert not get_kerberos_principal_with_keytab(
        'ggroup', '/some/keytab', 'create/admin',
    )
def test_existing_principal(self, mock_check_output):
    """An existing principal gives a truthy lookup via a single kadmin call.

    Checks the full command line, the timeout and that stderr is merged into
    stdout (the lookup parses kadmin's message from captured output).
    """
    found = get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
    assert found
    expected_cmd = [
        '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
        'get', 'ggroup',
    ]
    mock_check_output.assert_called_once_with(
        expected_cmd, timeout=10, stderr=subprocess.STDOUT,
    )
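def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step (Kerberos principal, LDAP entry, home and web directories) is
    skipped when its result already exists, so a partially failed run can be
    retried without manual cleanup.

    :param request: the account request; its user_name, real_name, email,
        encrypted_password and calnet_uid / callink_oid attributes are read
    :param creds: holds kerberos_keytab, kerberos_principal and the path
        (encryption_key) of the RSA private key that decrypts the password
    :param report_status: progress reporter; called with a single message,
        or used as a context manager with (in-progress, done, subject) words
    :param known_uid: where to start searching for unused UIDs
        (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated by this call
    """
    from datetime import timezone

    # Only assigned when this call creates the LDAP entry. Without this
    # default the "already exists" path fell through to an unbound name.
    new_uid = None

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # The password travels encrypted under the RSA key at
            # creds.encryption_key and is decrypted only here, just before
            # being handed to kadmin. Reading the key under a context
            # manager closes the handle promptly instead of leaking it.
            with open(creds.encryption_key) as key_file:
                encryption_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password,
                    encryption_key,
                ),
            )

    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': [str(new_uid)],
            'gidNumber': [str(getgrnam('ocf').gr_gid)],
            'homeDirectory': [utils.home_dir(request.user_name)],
            'loginShell': ['/bin/bash'],
            'mail': [request.email],
            # SASL passthrough: LDAP delegates password checks to Kerberos,
            # so no password hash is stored in the directory.
            'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
            # GeneralizedTime with a trailing 'Z' denotes UTC (RFC 4517), so
            # the timestamp is taken in UTC rather than host-local time.
            'creationTime': [datetime.now(timezone.utc).strftime('%Y%m%d%H%M%SZ')],
        }

        if request.calnet_uid:
            attrs['calnetUid'] = [str(request.calnet_uid)]
        else:
            attrs['callinkOid'] = [str(request.callink_oid)]

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # NOTE(review): the source was seen with its line structure
        # collapsed; this call is placed in the LDAP-creation branch because
        # it exists to expose the new entry -- confirm against the original.
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files
    return new_uid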
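def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step (Kerberos principal, LDAP entry, home and web directories) is
    skipped when its result already exists, so a partially failed run can be
    retried without manual cleanup.

    :param request: the account request; its user_name, real_name, email,
        encrypted_password and calnet_uid / callink_oid attributes are read
    :param creds: holds kerberos_keytab, kerberos_principal and the path
        (encryption_key) of the RSA private key that decrypts the password
    :param report_status: progress reporter; called with a single message,
        or used as a context manager with (in-progress, done, subject) words
    :param known_uid: where to start searching for unused UIDs
        (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated by this call
    """
    # Only assigned when this call creates the LDAP entry. Without this
    # default the "already exists" path fell through to an unbound name.
    new_uid = None

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # The password travels encrypted under the RSA key at
            # creds.encryption_key and is decrypted only here, just before
            # being handed to kadmin. Reading the key under a context
            # manager closes the handle promptly instead of leaking it.
            with open(creds.encryption_key) as key_file:
                encryption_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password,
                    encryption_key,
                ),
            )

    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # NOTE(review): the prefix literal below appears masked in the
            # source as seen; a '{SASL}' passthrough prefix (LDAP delegating
            # password checks to Kerberos) is what this field is expected to
            # carry -- confirm before relying on this value.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # NOTE(review): naive local-time datetime; how
            # create_ldap_entry_with_keytab serialises it is not visible
            # here. If it is rendered as GeneralizedTime with a 'Z' suffix
            # it should be taken in UTC instead -- confirm.
            'creationTime': datetime.now(),
        }

        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # NOTE(review): the source was seen with its line structure
        # collapsed; this call is placed in the LDAP-creation branch because
        # it exists to expose the new entry -- confirm against the original.
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files
    return new_uid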