Esempio n. 1
    def test_normal_creation(self, mock_spawn, mock_send_problem_report):
        """Happy path: the entry is pushed through ``kinit ... ldapmodify``.

        The spawned process is a mock.  The test pins the exact command line
        (keytab path and principal passed through verbatim, 10 s timeout),
        the two prompts waited for, the LDIF lines sent (one per attribute
        value, ints and datetimes stringified, the datetime as a
        ``YYYYMMDDHHMMSSZ`` stamp), that ``sendeof`` was called, and that no
        problem report was filed.
        """
        proc = mock_spawn.return_value
        proc.before = b"\n"

        dn = "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"
        create_ldap_entry_with_keytab(
            dn,
            {"a": ["b", "c"], "d": 12, "e": datetime(2016, 11, 5, 12, 0, 0)},
            "/nonexist",
            "create/admin",
        )

        mock_spawn.assert_called_with("kinit -t /nonexist create/admin ldapmodify", timeout=10)
        proc.expect.assert_has_calls(
            [
                mock.call("SASL data security layer installed."),
                mock.call('entry "%s"' % dn),
            ]
        )

        # Order of the sendline calls is not part of the contract, so the
        # expected set is checked with any_order=True.
        expected_lines = [
            ("dn", dn),
            ("a", "b"),
            ("a", "c"),
            ("d", "12"),
            ("e", "20161105120000Z"),
        ]
        expected_calls = [mock.call(encode(attr, value)) for attr, value in expected_lines]
        expected_calls.append(mock.call("changetype: add"))
        proc.sendline.assert_has_calls(expected_calls, any_order=True)

        assert proc.sendeof.called
        assert not mock_send_problem_report.called
Esempio n. 2
    def test_normal_creation(self, mock_spawn, mock_send_problem_report):
        """Entry creation drives ``kinit ... ldapmodify`` via the mocked process.

        Pins the exact command line (keytab path and principal verbatim,
        10 s timeout), the two prompts waited for, every LDIF line sent
        (``encode``d, one line per attribute value, dn first, plus the
        ``changetype: add`` line), the EOF, and the absence of a problem
        report.
        """
        child = mock_spawn.return_value
        child.before = b'\n'

        dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
        attrs = {'a': ['b', 'c'], 'd': ['e']}
        create_ldap_entry_with_keytab(dn, attrs, '/nonexist', 'create/admin')

        mock_spawn.assert_called_with(
            'kinit -t /nonexist create/admin ldapmodify',
            timeout=10,
        )
        child.expect.assert_has_calls([
            mock.call('SASL data security layer installed.'),
            mock.call('entry "' + dn + '"'),
        ])

        # Flatten {attr: [values]} into the (attr, value) pairs we expect to
        # have been sent, dn first; call order is not asserted.
        pairs = [('dn', dn)]
        for attr in sorted(attrs):
            pairs.extend((attr, value) for value in attrs[attr])
        expected = [mock.call(encode(attr, value)) for attr, value in pairs]
        expected.append(mock.call('changetype: add'))
        child.sendline.assert_has_calls(expected, any_order=True)

        assert child.sendeof.called
        assert not mock_send_problem_report.called
Esempio n. 3
    def test_normal_creation(self, mock_spawn, mock_send_problem_report):
        """Entry creation drives ``kinit ... ldapadd`` via the mocked process.

        Asserts the command line (keytab path and principal verbatim, 10 s
        timeout), the two prompts waited for, that every attribute value was
        sent as a base64 (``attr:: value``) LDIF line, that EOF was sent,
        and that no problem report was filed.
        """

        def ldif_line(attr, value):
            # Base64 form of an LDIF attribute line (note the double colon),
            # matching what the implementation is expected to emit.
            encoded = b64encode(value.encode('utf8')).decode('ascii')
            return '{attr}:: {value}'.format(attr=attr, value=encoded)

        child = mock_spawn.return_value
        child.before = b'\n'

        dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
        create_ldap_entry_with_keytab(
            dn,
            {'a': ['b', 'c'], 'd': ['e']},
            '/nonexist',
            'create/admin',
        )

        mock_spawn.assert_called_with(
            'kinit -t /nonexist create/admin ldapadd',
            timeout=10,
        )
        child.expect.assert_has_calls([
            mock.call('SASL data security layer installed.'),
            mock.call('adding new entry "{}"'.format(dn)),
        ])

        expected = [
            mock.call(ldif_line('dn', dn)),
            mock.call(ldif_line('a', 'b')),
            mock.call(ldif_line('a', 'c')),
            mock.call(ldif_line('d', 'e')),
        ]
        child.sendline.assert_has_calls(expected, any_order=True)

        assert child.sendeof.called
        assert not mock_send_problem_report.called
Esempio n. 4
 def test_unexpected_error(self, mock_spawn, mock_send_problem_report):
     """Unrecognised output from the spawned tool must surface, not be swallowed.

     The mocked process leaves unexpected text in ``before``; the call has
     to raise ValueError and a problem report must be filed.
     """
     child = mock_spawn.return_value
     child.before = b'\nlol wut is this error\n'

     dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
     attrs = {'a': ['b', 'c'], 'd': ['e']}
     with pytest.raises(ValueError):
         create_ldap_entry_with_keytab(dn, attrs, '/nonexist', 'create/admin')

     assert mock_send_problem_report.called
Esempio n. 5
 def test_unexpected_error(self, mock_spawn, mock_send_problem_report):
     """An unexpected line from the spawned tool is an error, not a success.

     With garbage left in ``before`` the implementation must raise
     ValueError and file a problem report.
     """
     mock_spawn.return_value.before = b"\nlol wut is this error\n"

     args = (
         "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU",
         {"a": ["b", "c"], "d": ["e"]},
         "/nonexist",
         "create/admin",
     )
     with pytest.raises(ValueError):
         create_ldap_entry_with_keytab(*args)

     assert mock_send_problem_report.called
Esempio n. 6
 def test_unexpected_error(self, mock_spawn, mock_send_problem_report):
     """Garbage in the spawned tool's output raises and gets reported.

     ``before`` is primed with text the implementation does not recognise;
     the call must raise ValueError and ``send_problem_report`` must have
     been called.
     """
     proc = mock_spawn.return_value
     proc.before = b'\nlol wut is this error\n'

     entry_dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
     entry_attrs = {'a': ['b', 'c'], 'd': ['e']}

     with pytest.raises(ValueError):
         create_ldap_entry_with_keytab(
             entry_dn,
             entry_attrs,
             '/nonexist',
             'create/admin',
         )
     assert mock_send_problem_report.called
Esempio n. 7
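def create_account(request, creds, report_status):
    """Create an OCF account: Kerberos principal, LDAP entry, home/web dirs, mail.

    Steps run in this order, each wrapped in ``report_status`` for progress
    output.  The function is meant to become idempotent but is not yet: the
    existence checks for the principal and the LDAP entry are still TODO, so
    re-running after a partial failure will try to recreate them.

    :param request: the account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` or ``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``, ``kerberos_principal``
        and ``encryption_key`` (path of the RSA private key used to decrypt
        ``request.encrypted_password``)
    :param report_status: context-manager factory called with
        ``(in_progress_label, done_label, subject)``
    :return: None
    """
    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Read the private key under a context manager: the previous
        # `open(...).read()` left the handle open until garbage collection.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, private_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = utils.dn_for_username(request.user_name)
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # {SASL} is the pass-through scheme: no password material is stored
        # in the entry; binds are verified by the SASL mechanism instead.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The format's trailing 'Z' declares the stamp as UTC, so the time
        # must be taken in UTC too: datetime.now() is host-local and was only
        # correct on hosts whose TZ happens to be UTC.
        'creationTime': [datetime.utcnow().strftime('%Y%m%d%H%M%SZ')],
    }
    # Exactly one external identity is recorded: the CalNet UID when set,
    # otherwise str() of callink_oid (whatever it holds, even None).
    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # (argv tuple, no shell; the exit status is deliberately ignored)
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)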
Esempio n. 8
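def create_account(request, creds, report_status):
    """Create an OCF account: Kerberos principal, LDAP entry, home/web dirs, mail.

    Each step is wrapped in ``report_status`` for progress output.  Not yet
    idempotent: the existence checks for the principal and the LDAP entry
    are still TODO, so a re-run after a partial failure attempts to recreate
    them.

    :param request: the account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` or ``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``, ``kerberos_principal``
        and ``encryption_key`` (path of the RSA private key that decrypts
        ``request.encrypted_password``)
    :param report_status: context-manager factory called with
        ``(in_progress_label, done_label, subject)``
    :return: None
    """
    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Close the private-key file deterministically; the previous
        # `open(...).read()` relied on garbage collection to do it.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, private_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=request.user_name,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # {SASL} pass-through: no password material is stored in LDAP, the
        # SASL mechanism verifies binds instead.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # Trailing 'Z' in the format means UTC, so take the time in UTC;
        # datetime.now() is host-local and only matched on UTC hosts.
        'creationTime': [datetime.utcnow().strftime('%Y%m%d%H%M%SZ')],
    }
    # One external identity only: CalNet UID when set, else str() of
    # callink_oid (whatever it holds, even None).
    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
        )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # (argv tuple, no shell; exit status deliberately not checked)
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)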
Esempio n. 9
def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Runs, in order: Kerberos principal creation (password decrypted with
    ``creds.encryption_key``), allocation of the first free UID, creation of
    the LDAP entry, creation of the home and web directories, and the
    "account created" mail.  Every step is wrapped in ``report_status`` for
    progress output.  The existence checks are still TODO, so a partial
    earlier run is not skipped over yet.

    :param request: account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid``/``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``,
        ``kerberos_principal`` and ``encryption_key``
    :param report_status: context-manager factory ``(doing, done, what)``
    :return: None
    """
    user = request.user_name

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        create_kerberos_principal_with_keytab(
            user,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, creds.encryption_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        uid = _get_first_available_uid()

    entry_dn = 'uid={user},{base_people}'.format(user=user, base_people=constants.OCF_LDAP_PEOPLE)
    # Every value is a list of strings, as the LDIF writer expects.
    entry_attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(user)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        'userPassword': [''.join(('{SASL}', user, '@OCF.BERKELEY.EDU'))],
    }
    # Exactly one external identity attribute, CalNet taking precedence.
    if request.calnet_uid:
        identity = ('calnetUid', request.calnet_uid)
    else:
        identity = ('callinkOid', request.callink_oid)
    entry_attrs[identity[0]] = [str(identity[1])]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            entry_dn,
            entry_attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(user)
        create_web_dir(user)

    send_created_mail(request)
Esempio n. 10
def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Ordered steps, each under ``report_status``: Kerberos principal (with
    the password decrypted via ``creds.encryption_key``), first free UID,
    LDAP entry, home and web directories, then the welcome mail.  The
    "already exists" checks are still TODO.

    :param request: account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid``/``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``,
        ``kerberos_principal`` and ``encryption_key``
    :param report_status: context-manager factory ``(doing, done, what)``
    :return: None
    """
    username = request.user_name
    keytab, principal = creds.kerberos_keytab, creds.kerberos_principal

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        create_kerberos_principal_with_keytab(
            username,
            keytab,
            principal,
            password=decrypt_password(request.encrypted_password, creds.encryption_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        uid_number = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=username,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    # CalNet UID wins when present; otherwise the CalLink OID is recorded.
    if request.calnet_uid:
        identity_attr, identity_value = 'calnetUid', request.calnet_uid
    else:
        identity_attr, identity_value = 'callinkOid', request.callink_oid
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(uid_number)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(username)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        'userPassword': ['{SASL}' + username + '@OCF.BERKELEY.EDU'],
        identity_attr: [str(identity_value)],
    }

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(dn, attrs, keytab, principal)

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(username)
        create_web_dir(username)

    send_created_mail(request)
Esempio n. 11
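def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step is skipped when its result already exists, so a run that
    failed part-way can be repeated:

    1. Kerberos principal, unless ``get_kerberos_principal_with_keytab``
       already finds one.  The password is decrypted with the RSA private
       key at ``creds.encryption_key``.
    2. LDAP entry under ``utils.dn_for_username``, unless
       ``search.user_attrs`` already finds one, using the first free UID at
       or after ``known_uid``; the nscd passwd cache is then invalidated so
       the new uid resolves immediately for chown.
    3. Home and web directories (always attempted).
    4. The "account created" mail.

    :param request: account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` or ``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``,
        ``kerberos_principal`` and ``encryption_key`` (private key path)
    :param report_status: used both as a context-manager factory
        ``(doing, done, what)`` and as a plain one-message logger
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account, or the ``uidNumber`` read
        back from the existing entry when LDAP creation was skipped (None if
        that attribute is absent)
    """
    # TODO: better docstring

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Context manager so the private-key file handle is closed
            # promptly rather than whenever the GC gets to it.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    existing_attrs = search.user_attrs(request.user_name)
    if existing_attrs:
        report_status('LDAP entry already exists; skipping creation')
        # Previously new_uid was never assigned on this path and the final
        # `return new_uid` raised UnboundLocalError, so the "idempotent"
        # re-run crashed before the directory and mail steps.
        # NOTE(review): assumes user_attrs() returns a mapping of the entry's
        # attributes keyed like `attrs` below — confirm against search.
        new_uid = existing_attrs.get('uidNumber')
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # Must be the '{SASL}' scheme prefix, as in the other revisions
            # of this function: it makes the directory defer password checks
            # to the SASL mechanism instead of storing a hash.  A placeholder
            # such as '******' would be stored as a literal password value.
            'userPassword': '{SASL}' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware (local zone) so the LDIF encoder can render a
            # correct offset/UTC stamp.
            'creationTime': datetime.now(timezone.utc).astimezone(),
        }
        # One external identity: CalNet UID when set, else the CalLink OID
        # (whatever it holds, even None).
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            # (argv tuple, no shell; exit status deliberately ignored)
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid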
Esempio n. 12
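def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Steps already done by an earlier run are skipped:

    1. Kerberos principal, unless ``get_kerberos_principal_with_keytab``
       finds one; the password is decrypted with the RSA private key at
       ``creds.encryption_key``.
    2. LDAP entry under ``utils.dn_for_username``, unless
       ``search.user_attrs`` finds one, with the first free UID at or after
       ``known_uid``; afterwards the nscd passwd cache is invalidated so the
       uid resolves immediately for chown.
    3. Home and web directories (always attempted).
    4. The "account created" mail.

    :param request: account request; reads ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` or ``callink_oid``
    :param creds: admin credentials: ``kerberos_keytab``,
        ``kerberos_principal`` and ``encryption_key`` (private key path)
    :param report_status: used both as a context-manager factory
        ``(doing, done, what)`` and as a plain one-message logger
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account, or the ``uidNumber`` read
        back from the existing entry when LDAP creation was skipped (None if
        that attribute is absent)
    """
    # TODO: better docstring

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Close the private-key file deterministically instead of
            # leaving `open(...).read()` to the garbage collector.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    existing_attrs = search.user_attrs(request.user_name)
    if existing_attrs:
        report_status('LDAP entry already exists; skipping creation')
        # Without this assignment the `return new_uid` at the end raised
        # UnboundLocalError whenever the entry already existed, i.e. the
        # re-run path crashed before the directory and mail steps.
        # NOTE(review): assumes user_attrs() returns a mapping of the entry's
        # attributes keyed like `attrs` below — confirm against search.
        new_uid = existing_attrs.get('uidNumber')
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # Must be the '{SASL}' scheme prefix, as in the other revisions
            # of this function: the directory then defers password checks to
            # the SASL mechanism instead of storing a hash.  A placeholder
            # such as '******' would be stored as a literal password value.
            'userPassword': '{SASL}' + request.user_name + '@OCF.BERKELEY.EDU',
            # NOTE(review): naive host-local time.  The LDIF tests on this
            # page show naive datetimes being stamped with a trailing 'Z'
            # (UTC); if that encoder is the one used here this is only right
            # on UTC hosts — consider an aware datetime.now(timezone.utc).
            'creationTime': datetime.now(),
        }
        # One external identity: CalNet UID when set, else the CalLink OID
        # (whatever it holds, even None).
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            # (argv tuple, no shell; exit status deliberately ignored)
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid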