def test_inspect_ldap_roles(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import LDAPEntry, SyncManager
from ldap2pg.role import Role
ql.return_value = [LDAPEntry('dn')]
manager = SyncManager(
ldapconn=mocker.Mock(),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule0 = mocker.Mock(name='rule0', attributes_map={})
rule0.generate.return_value = [Role('alice', options=dict(LOGIN=True))]
rule1 = mocker.Mock(name='rule1', attributes_map={})
rule1.generate.return_value = [Role('bob')]
rule2 = mocker.Mock(name='rule2', attributes_map={})
rule2.generate.return_value = [Role('blacklisted')]
# Minimal effective syncmap
syncmap = [
dict(roles=[]),
dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[rule0, rule1, rule2],
),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
assert 'alice' in ldaproles
assert 'bob' in ldaproles
def test_query_ldap_joins_filtered_allowed(mocker):
from ldap2pg.manager import SyncManager, LDAPEntry
search_result = [
('cn=A,ou=people,dc=global', {
'cn': ['A'],
'member': ['cn=P,ou=people,dc=global']
}),
]
sub_search_result = []
manager = SyncManager(ldapconn=mocker.Mock())
manager.ldapconn.search_s.side_effect = [search_result, sub_search_result]
entries = manager.query_ldap(
base='ou=people,dc=global',
filter='(objectClass=group)',
scope=2,
attributes=['cn', 'member'],
joins={
'member':
dict(
base='ou=people,dc=global',
scope=2,
filter='(objectClass=group)',
attributes=['cn'],
allow_missing_attributes=[],
)
},
allow_missing_attributes=['member'],
)
assert 2 == manager.ldapconn.search_s.call_count
expected_entries = [
LDAPEntry(
'cn=A,ou=people,dc=global',
{
'cn': ['A'],
'member': ['cn=P,ou=people,dc=global'],
},
{
'member': [],
},
),
]
assert expected_entries == entries
def test_inspect_ldap_roles_comment_error(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import LDAPEntry, SyncManager, UserError
from ldap2pg.role import CommentError
ql.return_value = [LDAPEntry('dn')]
rule = mocker.Mock(name='rule', attributes_map={})
rule.generate.side_effect = CommentError("message")
rule.comment.formats = ['From {desc}']
mapping = dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[rule],
)
manager = SyncManager()
with pytest.raises(UserError):
manager.inspect_ldap(syncmap=[mapping])
def test_inspect_ldap_missing_attribute(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError, LDAPEntry
from ldap2pg.role import RoleRule
manager = SyncManager()
# Don't return member attribute.
ql.return_value = [LDAPEntry('dn0')]
with pytest.raises(UserError) as ei:
list(
manager.inspect_ldap([
dict(
ldap=dict(base='...'),
# Request member attribute.
roles=[RoleRule(names=['{member.cn}'])],
)
]))
assert 'Missing attribute: member' in str(ei.value)
def test_inspect_ldap_unexpected_dn(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError, LDAPEntry
from ldap2pg.role import RoleRule
manager = SyncManager()
ql.return_value = [
LDAPEntry('dn0', {
'member': ['cn=member0', 'baddn=o0', 'cn=member1'],
})
]
list(
manager.inspect_ldap([
dict(
description="Test query desc",
ldapsearch=dict(on_unexpected_dn='warn'),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
list(
manager.inspect_ldap([
dict(ldapsearch=dict(on_unexpected_dn='ignore'),
roles=[RoleRule(names=['{member.cn}'])])
]))
with pytest.raises(UserError):
list(
manager.inspect_ldap([
dict(
ldapsearch=dict(),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
def test_entry_build_vars():
from ldap2pg.ldap import LDAPEntry
from ldap2pg.manager import SyncManager
entry = LDAPEntry(
dn='cn=my0,uo=gr0,dc=acme,dc=tld',
attributes=dict(
cn=['my0'],
member=[
'cn=m0,uo=gr0',
'cn=m1,uo=gr0',
],
simple=[
'cn=s0,uo=gr1',
'cn=s1,uo=gr1',
'cn=s2,uo=gr1',
],
),
children=dict(member=[
LDAPEntry(
'cn=m0,uo=gr0',
dict(mail=['*****@*****.**', '*****@*****.**']),
),
LDAPEntry(
'cn=m1,uo=gr0',
dict(mail=['*****@*****.**']),
),
]),
)
map_ = dict(
__self__=['dn', 'cn', 'dn.cn'],
member=['cn', 'dn', 'mail', 'dn.cn'],
simple=['cn'],
)
manager = SyncManager()
vars_ = manager.build_format_vars(entry, map_, on_unexpected_dn='fail')
wanted = dict(
__self__=[
dict(
dn=[dict(
dn="cn=my0,uo=gr0,dc=acme,dc=tld",
cn="my0",
)],
cn=["my0"],
)
],
member=[
dict(
dn=[dict(dn="cn=m0,uo=gr0", cn="m0")],
cn=["m0"],
mail=["*****@*****.**", "*****@*****.**"],
),
dict(
dn=[dict(dn="cn=m1,uo=gr0", cn="m1")],
cn=["m1"],
mail=["*****@*****.**"],
),
],
simple=[
dict(
dn=["cn=s0,uo=gr1"],
cn=["s0"],
),
dict(
dn=["cn=s1,uo=gr1"],
cn=["s1"],
),
dict(
dn=["cn=s2,uo=gr1"],
cn=["s2"],
),
],
)
assert wanted == vars_