def test_admin_io_error(self):
try:
os.rename('/etc/ldap.secret', '/etc/ldap.secret.test')
with self.assertRaises(ConnectionError) as cm:
UDM.admin()
assert str(cm.exception) == 'Could not read secret file'
finally:
os.rename('/etc/ldap.secret.test', '/etc/ldap.secret')
def test_caching(self):
assert UDM.admin().version(0).get('users/user') is UDM.admin().version(
0).get('users/user')
assert UDM.admin().version(0).get(
'users/user') is not UDM.admin().version(1).get('users/user')
assert UDM.admin().version(1).get('users/user') is UDM.admin().version(
1).get('users/user')
assert UDM.admin().version(0).get(
'users/user') is not UDM.admin().version(0).get('groups/group')
assert UDM.admin().version(0).get(
'users/user') is not UDM.machine().version(0).get('users/user')
def setUpClass(cls):
# we want to use only 1 class for all UDM modules
cls.udm = UDM.admin().version(0)
cls.udm._module_object_cache.clear()
univention.admin.modules.update()
cls.avail_modules = sorted(
[mod for mod in univention.admin.modules.modules.keys()])
def test_without_object_type(self):
ucr_test = UCSTestConfigRegistry()
ucr_test.load()
udm = UDM.admin().version(1)
with self.assertRaises(NoObject):
udm.obj_by_dn('cn=backup,%s' % ucr_test['ldap/base'])
def _check_copied_user(orig_dn, orig_username, copied_username):
attribute_list = [
'title', 'initials', 'preferredDeliveryMethod', 'pwdChangeNextLogin',
'employeeNumber', 'homePostalAddress', 'mobileTelephoneNumber',
'pagerTelephoneNumber', 'birthday', 'jpegPhoto', 'unixhome',
'userCertificate', 'certificateIssuerCountry',
'certificateIssuerState', 'certificateIssuerLocation',
'certificateIssuerOrganisation', 'certificateIssuerMail',
'certificateSubjectCountry', 'certificateSubjectState',
'certificateSubjectLocation', 'certificateSubjectOrganisation',
'certificateSubjectOrganisationalUnit', 'certificateSubjectCommonName',
'certificateSubjectMail', 'certificateDateNotBefore',
'certificateDateNotAfter', 'certificateVersion', 'certificateSerial'
]
udm_admin = UDM.admin().version(1)
orig_user = list(
udm_admin.get('users/user').search('username=%s' %
(orig_username, )))[0]
copied_user = list(
udm_admin.get('users/user').search('username=%s' %
(copied_username, )))[0]
orig_user_props = orig_user.props.__dict__
copied_user_props = copied_user.props.__dict__
for attribute in attribute_list:
print("Checking that %s is not copied" % (attribute, ))
if attribute != 'jpegPhoto':
assert orig_user_props[attribute] != copied_user_props[attribute]
else:
assert copied_user_props[attribute] is None
return copied_user.__dict__['dn']
def test_non_existing_dn(self):
ucr_test = UCSTestConfigRegistry()
ucr_test.load()
udm = UDM.admin().version(1)
with self.assertRaises(NoObject):
udm.obj_by_dn('cn=fantasy,' + ucr_test['ldap/hostdn'])
def setUpClass(cls):
cls.udm = UDM.admin().version(1)
user_mod1 = cls.udm.get('users/user')
assert user_mod1.__class__.__name__ == 'UsersUserModule', 'Wrong UDM module.'
user_mod2 = cls.udm.get('users/user')
assert user_mod1 is user_mod2, 'UDM module object cache miss.'
cls.udm_test = UCSTestUDM()
cls.ucr_test = UCSTestConfigRegistry()
cls.ucr_test.load()
try:
cls.mail_domain = cls.ucr_test['mail/hosteddomains'].split()[0]
except (AttributeError, IndexError):
cls.mail_domain = cls.ucr_test['domainname']
try:
cls.udm_test.create_object(
'mail/domain',
position='cn=domain,cn=mail,{}'.format(
cls.ucr_test['ldap/base']),
name=cls.mail_domain,
wait_for_replication=True)
except UCSTestUDM_CreateUDMObjectFailed as exc:
print('Creating mail domain {!r} failed: {}'.format(
cls.mail_domain, exc))
def test_modify_user_homePostalAddress_as_dict(self):
addresses = [
PostalAddress(random_string(), random_string(), random_string()),
PostalAddress(random_string(), random_string(), random_string()),
PostalAddress(random_string(), random_string(), random_string()),
]
dn, username = self.udm_test.create_user()
utils.verify_ldap_object(
dn,
expected_attr={
'uid': [username],
'homePostalAddress': [],
},
)
obj = UDM.admin().version(1).get('users/user').get(dn)
assert username == obj.props.username
obj.props.homePostalAddress.extend([ad._asdict() for ad in addresses])
obj.save()
utils.verify_ldap_object(
dn,
expected_attr={
'homePostalAddress': [
'{street}${zipcode}${city}'.format(**ad._asdict())
for ad in addresses
],
},
)
def user_info(udm):
''' The created user will have all properties set that were removed from being copyable (Bug 49823)'''
dn, username = udm.create_user(
gecos='',
displayName='',
title='Univ',
initials='U.U.',
preferredDeliveryMethod='any',
pwdChangeNextLogin='******',
employeeNumber='42',
homePostalAddress='Mary-Somervile 28359 Bremen',
mobileTelephoneNumber='+49 421 12345-0',
pagerTelephoneNumber='+49 421 23456-0',
birthday='2000-01-01',
jpegPhoto=
'/9j/4AAQSkZJRgABAQAAAQABAAD/4QBiRXhpZgAATU0AKgAAAAgABQESAAMAAAABAAEAAAEaAAUAAAABAAAASgEbAAUAAAABAAAAUgEoAAMAAAABAAEAAAITAAMAAAABAAEAAAAAAAAAAAABAAAAAQAAAAEAAAAB/9sAQwADAgICAgIDAgICAwMDAwQGBAQEBAQIBgYFBgkICgoJCAkJCgwPDAoLDgsJCQ0RDQ4PEBAREAoMEhMSEBMPEBAQ/9sAQwEDAwMEAwQIBAQIEAsJCxAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ/8AAEQgAAQABAwERAAIRAQMRAf/EABQAAQAAAAAAAAAAAAAAAAAAAAX/xAAUEAEAAAAAAAAAAAAAAAAAAAAA/8QAFAEBAAAAAAAAAAAAAAAAAAAACP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/ADBHP1//2Q==',
unixhome='/home/username',
userCertificate=
"MIICEjCCAXsCAg36MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYDVQQGEwJKUDEOMAwGA1UECBMFVG9reW8xEDAOBgNVBAcTB0NodW8ta3UxETAPBgNVBAoTCEZyYW5rNEREMRgwFgYDVQQLEw9XZWJDZXJ0IFN1cHBvcnQxGDAWBgNVBAMTD0ZyYW5rNEREIFdlYiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIwODIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAm/xmkHmEQrurE/0re/jeFRLl8ZPjBop7uLHhnia7lQG/5zDtZIUC3RVpqDSwBuw/NTweGyuP+o8AG98HxqxTBwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBABS2TLuBeTPmcaTaUW/LCB2NYOy8GMdzR1mx8iBIu2H6/E2tiY3RIevV2OW61qY2/XRQg7YPxx3ffeUugX9F4J/iPnnu1zAxxyBy2VguKv4SWjRFoRkIfIlHX0qVviMhSlNy2ioFLy7JcPZb+v3ftDGywUqcBiVDoea0Hn+GmxZACg==",
)
copied_username = "******" % (username, )
yield {
'orig_dn': dn,
'orig_username': username,
'copied_username': copied_username
}
for user in UDM.admin().version(1).get('users/user').search(
'username=%s' % (copied_username, )):
user.delete()
def test_error_in_version(self):
with self.assertRaises(NoApiVersionSet):
UDM.admin().get('users/user')
with self.assertRaises(ApiVersionNotSupported):
UDM.admin().version('1')
with self.assertRaises(ApiVersionMustNotChange):
UDM.admin().version(0).version(1)
with self.assertRaises(ApiVersionNotSupported):
UDM.admin().version(20).get('users/user')
def test_existing_dn(self):
ucr_test = UCSTestConfigRegistry()
ucr_test.load()
udm = UDM.admin().version(1)
obj = udm.obj_by_dn(ucr_test['ldap/hostdn'])
assert obj._udm_module == udm.get('computers/domaincontroller_master')
assert obj.props.name == ucr_test['hostname']
def udm_schema_obj_exists(name):
name = os.path.splitext(os.path.basename(name))[0]
udm = UDM.admin().version(1)
try:
udm.get('settings/ldapschema').get_by_id(name)
except NoObject:
return False
else:
return True
def run_module():
module_args = dict(
module=dict(type='str', required=True),
position=dict(type='str', required=False),
set_properties=dict(type='list', required=False),
unset_properties=dict(type='list', required=False),
dn=dict(type='str', required=False),
filter=dict(type='str', required=False),
state=dict(type='str',
default='present',
coices=['present', 'absent'],
required=False),
options=dict(type='list', required=False),
policies=dict(type='list', required=False),
)
module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
result = dict(changed=False, meta=dict(changed_objects=[]), message='')
if not have_udm:
module.fail_json(msg='The Python "univention.udm" is not available',
**result)
params = module.params
udm_con = UDM.admin() # connection to UDM
udm_con.version(1)
udm_mod = udm_con.get(module.params['module'])
stats = Stats()
if params['state'] == 'present':
if params['dn']:
_create_or_modify_object(udm_mod, module, stats)
if params['filter']:
for obj in udm_mod.search(params['filter']):
_modify_object(udm_mod, module, obj, stats)
if not params['dn'] and not params['filter']:
properties = {
x['property']: x['value']
for x in params['set_properties']
}
obj = None
obj_id = properties.get('uid') or properties.get('name')
if obj_id:
obj = udm_mod.get_by_id(obj_id)
if obj:
_modify_object(udm_mod, module, obj, stats)
else:
_create_object(udm_mod, module, stats)
elif params['state'] == 'absent':
_remove_objects(udm_mod, module, stats)
result['meta']['changed_objects'] = stats.changed_objects
result['meta']['message'] = 'changed objects: %s' " ".join(
stats.changed_objects)
module.exit_json(**result)
def _deregister_account(self, username):
try:
user = UDM.admin().version(2).get('users/user').get_by_id(username)
user.props.DeregisteredThroughSelfService = 'TRUE'
user.props.DeregistrationTimestamp = datetime.datetime.strftime(datetime.datetime.utcnow(), DEREGISTRATION_TIMESTAMP_FORMATTING)
user.props.disabled = True
user.save()
try:
self._notify_about_account_deregistration(user.props.username, user.props.PasswordRecoveryEmail)
except Exception:
MODULE.error("_deregister_account(): sending of email failed: {}".format(traceback.format_exc()))
return
except Exception:
MODULE.error("_deregister_account(): {}".format(traceback.format_exc()))
raise
def verify_contact(self, token, username, method):
MODULE.info('verify_contact(): token: {} username: {} method: {}'.format(token, username, method))
ucr.load()
if ucr.is_false('umc/self-service/account-verification/backend/enabled', True):
msg = _('The account verification was disabled via the Univention Configuration Registry.')
MODULE.error('verify_contact(): {}'.format(msg))
raise UMC_Error(msg)
users_mod = UDM.admin().version(1).get('users/user')
try:
user = users_mod.get_by_id(username)
except NoObject:
return {
'success': False,
'failType': 'INVALID_INFORMATION',
}
next_steps = ucr.get('umc/self-service/account-verification/next-steps/%s' % self.locale.language, '')
if not next_steps:
next_steps = ucr.get('umc/self-service/account-verification/next-steps', '')
plugin = self._get_send_plugin(method)
if getattr(user.props, plugin.udm_property) == 'TRUE': # cleanup. map property to actual boolean?
return {
'success': True,
'successType': 'ALREADY_VERIFIED',
'data': {
'username': username,
'nextSteps': next_steps,
}
}
self._check_token(username, token, token_application=plugin.message_application())
setattr(user.props, plugin.udm_property, 'TRUE')
user.save()
self.db.delete_tokens(token=token, username=username)
return {
'success': True,
'successType': 'VERIFIED',
'data': {
'username': username,
'nextSteps': next_steps,
}
}
def get_writable_udm(binddn=None, bindpwdfile=None):
# type: (Optional[str], Optional[str]) -> univention.udm.udm.UDM
if binddn:
if not bindpwdfile:
error('"binddn" provided but not "bindpwdfile".')
try:
with open(bindpwdfile, 'r') as f:
bindpwd = f.read().strip()
except IOError as err:
error('Could not open "bindpwdfile" "%s": %s' % (
bindpwdfile,
err,
))
ucr = ConfigRegistry()
ucr.load()
try:
udm = UDM.credentials(binddn, bindpwd, ucr.get('ldap/base'),
ucr.get('ldap/master'),
ucr.get('ldap/master/port'))
except univention.udm.exceptions.ConnectionError as err:
error(
'Could not connect to server "%s" with provided "binddn" "%s" and "bindpwdfile" "%s": %s'
% (
ucr.get('ldap/master'),
binddn,
bindpwdfile,
err,
))
else:
try:
udm = UDM.admin()
except univention.udm.exceptions.ConnectionError as err:
error(
'Could not create a writable connection to UDM on this server. Try to provide "binddn" and "bindpwdfile": %s'
% (err, ))
udm.version(2)
return udm
def setUpClass(cls):
cls.udm = UDM.admin().version(2)
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.
#
# this is just a "one-shot", non-packaged script
# that generates the DiaryEvent objects on a live UCS Master
# python $0 2> errors >> /usr/lib/python2.7/dist-packages/univention/admindiary/events.py
from __future__ import print_function
import sys
from univention.lib.i18n import Translation
from univention.udm import UDM
from univention.udm.helpers import get_all_udm_module_names
udm = UDM.admin().version(2)
translation = Translation(None)
def modules():
for m in get_all_udm_module_names():
yield udm.get(m)._orig_udm_module
def print_events(m):
name = m.module
icon = 'domain'
if name.startswith('users/'):
icon = 'users'
if name.startswith('groups/'):
def setUpClass(cls):
cls.udm = UDM.admin().version(1)
cls.udm_test = UCSTestUDM()
cls.ucr_test = UCSTestConfigRegistry()
cls.ucr_test.load()
def create_extended_attr():
ucr = ConfigRegistry()
ucr.load()
sea_mod = UDM.admin().version(1).get('settings/extended_attribute')
ldap_base = ucr.get('ldap/base')
ucsschool_id_connector_last_update = sea_mod.new(superordinate='cn=univention,{}'.format(ldap_base))
ucsschool_id_connector_last_update.position = 'cn=custom attributes,cn=univention,{}'.format(ldap_base)
props = {
'name': 'ucsschool_id_connector_last_update',
'CLIName': 'ucsschool_id_connector_last_update',
'shortDescription': 'Date of last update by the UCS@school ID Connector app.',
'module': 'users/user',
'tabName': 'UCS@school',
'tabPosition': '9',
'groupName': 'ID Sync',
'groupPosition': '2',
'translationGroupName': [('de_DE', 'ID Sync', )],
'syntax': 'string',
'default': '',
'multivalue': '0',
'valueRequired': '0',
'mayChange': '1',
'doNotSearch': '1',
'objectClass': 'univentionFreeAttributes',
'ldapMapping': 'univentionFreeAttribute14',
'deleteObjectClass': '0',
'overwriteTab': '0',
'fullWidth': '1',
'disableUDMWeb': '0',
}
for key, value in props.items():
setattr(ucsschool_id_connector_last_update.props, key, value)
ucsschool_id_connector_last_update.options.extend(('ucsschoolStudent', 'ucsschoolTeacher', 'ucsschoolStaff', 'ucsschoolAdministrator'))
try:
ucsschool_id_connector_last_update.save()
except CreateError:
print('Extended attr: "ucsschool_id_connector_last_update" already exists. Ignoring.')
ucsschool_id_connector_pw = sea_mod.new(superordinate='cn=univention,{}'.format(ldap_base))
ucsschool_id_connector_pw.position = 'cn=custom attributes,cn=univention,{}'.format(ldap_base)
props = {
'name': 'ucsschool_id_connector_pw',
'CLIName': 'ucsschool_id_connector_pw',
'shortDescription': 'UCS@school ID Connector password sync.',
'module': 'users/user',
'syntax': 'string',
'default': '',
'multivalue': '0',
'valueRequired': '0',
'mayChange': '1',
'doNotSearch': '1',
'objectClass': 'univentionFreeAttributes',
'ldapMapping': 'univentionFreeAttribute15',
'deleteObjectClass': '0',
'overwriteTab': '0',
'fullWidth': '1',
'disableUDMWeb': '1',
}
for key, value in props.items():
setattr(ucsschool_id_connector_pw.props, key, value)
ucsschool_id_connector_pw.options.extend(('ucsschoolStudent', 'ucsschoolTeacher', 'ucsschoolStaff', 'ucsschoolAdministrator'))
try:
ucsschool_id_connector_pw.save()
except CreateError:
print('Extended attr: "ucsschool_id_connector_pw" already exists. Ignoring.')
def test_admin(self):
mod = UDM.admin().version(0).get('users/user')
assert mod.connection.binddn == 'cn=admin,{}'.format(self.ucr_test['ldap/base'])
def setUpClass(cls):
cls.udm = UDM.admin().version(1)
cls.udm._module_object_cache.clear()