    def test_error(self, mock_check_output):
        """A kadmin failure that is not "principal missing" must surface as ValueError.

        Failing closed here matters: an unexpected kadmin error (wrong keytab
        path, unreachable KDC, ...) must not be mistaken for "principal absent",
        or the caller would go on to attempt creation with bad credentials.
        """
        kadmin_argv = [
            '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
            'get', 'ggroup',
        ]
        failure = subprocess.CalledProcessError(
            1, kadmin_argv, b'kadmin: get ggroup: no such file or directory',
        )
        mock_check_output.side_effect = failure

        with pytest.raises(ValueError):
            get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
    def test_error(self, mock_check_output):
        """kadmin output other than the "does not exist" message is an error, not "absent"."""
        # Simulate kadmin exiting non-zero with an unrelated diagnostic; the
        # lookup must raise rather than report the principal as missing.
        mock_check_output.side_effect = subprocess.CalledProcessError(
            returncode=1,
            cmd=['/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin', 'get', 'ggroup'],
            output=b'kadmin: get ggroup: no such file or directory',
        )

        with pytest.raises(ValueError):
            get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
    def test_nonexistent_principal(self, mock_check_output):
        """kadmin's "Principal does not exist" diagnostic yields a falsy result, not an exception."""
        # kadmin signals a missing principal with a non-zero exit plus this
        # specific message; the lookup is expected to recognise it and return
        # something falsy so the caller can proceed to create the principal.
        kadmin_argv = ['/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin', 'get', 'ggroup']
        mock_check_output.side_effect = subprocess.CalledProcessError(
            1, kadmin_argv, b'kadmin: get ggroup: Principal does not exist',
        )

        result = get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
        assert not result
    def test_existing_principal(self, mock_check_output):
        """A kadmin run that returns normally means the principal exists."""
        # No side_effect is configured, so the mocked check_output returns
        # without raising; the lookup should report that as "found".
        found = get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
        assert found

        # Pin the exact argv (argument list, no shell), the keytab/principal
        # plumbing, the bounded timeout, and stderr being folded into stdout so
        # kadmin's diagnostics are available to the caller.
        expected_argv = [
            '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
            'get', 'ggroup',
        ]
        mock_check_output.assert_called_once_with(
            expected_argv, timeout=10, stderr=subprocess.STDOUT,
        )
    def test_nonexistent_principal(self, mock_check_output):
        """The "Principal does not exist" case is reported as falsy rather than raised."""
        missing = subprocess.CalledProcessError(
            returncode=1,
            cmd=[
                '/usr/bin/kadmin', '-K', '/some/keytab', '-p', 'create/admin',
                'get', 'ggroup',
            ],
            output=b'kadmin: get ggroup: Principal does not exist',
        )
        # Only this exact diagnostic is expected to be treated as "absent";
        # other kadmin failures are covered by the error test.
        mock_check_output.side_effect = missing

        assert not get_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
    def test_existing_principal(self, mock_check_output):
        """kadmin exiting cleanly is interpreted as "principal exists"."""
        principal, keytab, admin = 'ggroup', '/some/keytab', 'create/admin'

        # The mock has no side_effect, so check_output "succeeds".
        assert get_kerberos_principal_with_keytab(principal, keytab, admin)

        # Exactly one kadmin invocation, as an argv list (never a shell string),
        # authenticated with the given keytab/admin principal, with a bounded
        # timeout and stderr merged into stdout.
        mock_check_output.assert_called_once_with(
            ['/usr/bin/kadmin', '-K', keytab, '-p', admin, 'get', principal],
            timeout=10,
            stderr=subprocess.STDOUT,
        )
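def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step checks for prior completion so a partially finished run can be
    retried: the Kerberos principal is created only when
    get_kerberos_principal_with_keytab reports it absent, and the LDAP entry
    only when search.user_attrs finds nothing. The home/web directories and
    the notification mail are always (re)done.

    :param request: the account request; reads user_name, real_name, email,
        encrypted_password, calnet_uid and callink_oid
    :param creds: admin credentials; reads kerberos_keytab and
        kerberos_principal (used for both kadmin and the LDAP write) and
        encryption_key (path of the RSA private key that decrypts the
        request's password)
    :param report_status: progress reporter, used both as a plain call
        report_status(message) and as a context manager
        report_status(verb, past_verb, what)
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account
    """
    # TODO: better docstring

    if get_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Read the private key under `with` so the handle is closed
            # deterministically rather than whenever GC gets to it.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            # The decrypted password goes straight into the call; it is not
            # bound to a local that would outlive this block.
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # NOTE(review): new_uid is never assigned on this path, so the final
        # `return new_uid` raises UnboundLocalError; the existing entry's
        # uidNumber is presumably what should be returned -- confirm the shape
        # of search.user_attrs() before wiring that in.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        # Every attribute value is wrapped in a list (the form this LDAP helper
        # appears to take); numeric values are stringified.
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': [str(new_uid)],
            'gidNumber': [str(getgrnam('ocf').gr_gid)],
            'homeDirectory': [utils.home_dir(request.user_name)],
            'loginShell': ['/bin/bash'],
            'mail': [request.email],
            # No password hash is stored in LDAP: the {SASL} form presumably
            # delegates password checks to the Kerberos principal created above
            # (OpenLDAP SASL pass-through) -- confirm against the directory config.
            'userPassword':
            ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
            # The trailing 'Z' in this generalizedTime format denotes UTC, so
            # the timestamp must be taken in UTC rather than local time.
            'creationTime': [datetime.utcnow().strftime('%Y%m%d%H%M%SZ')],
        }
        if request.calnet_uid:
            attrs['calnetUid'] = [str(request.calnet_uid)]
        else:
            attrs['callinkOid'] = [str(request.callink_oid)]

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid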
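def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step checks for prior completion so a partially finished run can be
    retried: the Kerberos principal is created only when
    get_kerberos_principal_with_keytab reports it absent, and the LDAP entry
    only when search.user_attrs finds nothing. The home/web directories and
    the notification mail are always (re)done.

    :param request: the account request; reads user_name, real_name, email,
        encrypted_password, calnet_uid and callink_oid
    :param creds: admin credentials; reads kerberos_keytab and
        kerberos_principal (used for both kadmin and the LDAP write) and
        encryption_key (path of the RSA private key that decrypts the
        request's password)
    :param report_status: progress reporter, used both as a plain call
        report_status(message) and as a context manager
        report_status(verb, past_verb, what)
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account
    """
    # TODO: better docstring

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Read the private key under `with` so the handle is closed
            # deterministically rather than whenever GC gets to it.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            # The decrypted password goes straight into the call; it is not
            # bound to a local that would outlive this block.
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # NOTE(review): new_uid is never assigned on this path, so the final
        # `return new_uid` raises UnboundLocalError; the existing entry's
        # uidNumber is presumably what should be returned -- confirm the shape
        # of search.user_attrs() before wiring that in.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        # Scalar values (ints, a datetime) are passed as-is; the LDAP helper
        # is presumably responsible for encoding them.
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # No password hash is stored in LDAP; the value only names the
            # principal. NOTE(review): the '******' prefix looks like a
            # redaction artifact of the {SASL} marker seen in the other listing
            # of this function -- verify the literal before relying on it.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Naive local time; whether the helper converts it to UTC before
            # writing the generalizedTime is not visible here -- confirm.
            'creationTime': datetime.now(),
        }
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid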