コード例 #1
def test_remove_group_member(ldap_connection, group, user):
    """Remove ``user`` from ``group`` in AD and check the role membership is gone.

    Args:
        ldap_connection:
            obj: A bound mock LDAP connection.

        group:
            obj: dict:
                common_name:
                    str: A common name of a group AD object.
                name:
                    str: A name of a group AD object.

        user:
            obj: dict:
                common_name:
                    str: A common name of an AD user object.

                name:
                    str: A username of an AD user object.

                given_name:
                    str: A given name of an AD user object.
    """
    # The DNs are built by plain interpolation of the fixture CNs. That is fine
    # for trusted test data, but note no RDN escaping (RFC 4514) is applied, so a
    # CN containing ',', '+', '=' etc. would yield a malformed DN.
    member_dns = [
        "CN={0},OU=Users,OU=Accounts,DC=AD2012,DC=LAB".format(user["common_name"])
    ]
    target_group_dns = [
        "CN={0},OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB".format(
            group["common_name"])
    ]

    # fix=True: let ldap3 tolerate members that are missing or not in the group
    removeMembersFromGroups.ad_remove_members_from_groups(
        ldap_connection, member_dns, target_group_dns, fix=True)
    update_when_changed(ldap_connection, target_group_dns)

    # Push the modified group through the inbound queue and give
    # rbac_ledger_sync a fixed window to ingest it before asserting.
    put_in_inbound_queue(
        get_fake_group(ldap_connection, group["common_name"]), "group")
    time.sleep(3)

    still_member = is_user_a_role_member(group["common_name"], user["common_name"])
    assert still_member is False
コード例 #2
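    def _ldap_utilities_remove_from_groups_function(self, event, *args, **kwargs):
        """Remove one or more users from one or more Active Directory groups.

        Function inputs (read from ``kwargs`` through the helper):
            ldap_multiple_user_dn: text, required. String representation of a
                Python list of user DNs, e.g. "['cn=a,dc=x', 'cn=b,dc=x']".
            ldap_multiple_group_dn: text, required. Same format, group DNs.

        Yields:
            StatusMessage progress updates, then a FunctionResult whose value is
            ``{"success": bool, "users_dn": list | None, "groups_dn": list}``.
            ``users_dn`` is read back from the modify request ldap3 sent, so it
            holds the members actually removed rather than the raw input.

        Raises:
            FunctionError: the configured connection is not Active Directory.
            ValueError: an input is not a list of DN strings, the bind fails,
                or the group modification fails.
            Anything escaping the body is re-yielded as a FunctionError by the
            outer handler (resilient-circuits convention).
        """
        log = logging.getLogger(__name__)

        try:
            yield StatusMessage("Starting ldap_utilities_remove_from_groups")

            # Instantiate helper (reads the app.config settings)
            helper = LDAPUtilitiesHelper(self.options)
            yield StatusMessage("Appconfig Settings OK")

            # Function inputs: text (required) holding a string representation of an array
            input_ldap_multiple_user_dn_asString = helper.get_function_input(kwargs, "ldap_multiple_user_dn")
            input_ldap_multiple_group_dn_asString = helper.get_function_input(kwargs, "ldap_multiple_group_dn")
            yield StatusMessage("Function Inputs OK")

            if not helper.LDAP_IS_ACTIVE_DIRECTORY:
                raise FunctionError("This function only supports an Active Directory connection. Make sure ldap_is_active_directory is set to True in the app.config file")

            # The inputs are workflow-supplied text. literal_eval never executes
            # code, but it accepts any Python literal (int, dict, nested lists, ...),
            # so the parsed value is additionally checked to be a list of non-empty
            # DN strings before it is handed to ldap3. type(u"") covers unicode on
            # Python 2 and is simply str on Python 3.
            dn_format_error = ValueError("""input_ldap_multiple_user_dn and input_ldap_multiple_group_dn must be a string repersenation of an array e.g. "['dn=Accounts Group,dc=example,dc=com', 'dn=IT Group,dc=example,dc=com']" """)
            try:
                input_ldap_multiple_user_dn = literal_eval(input_ldap_multiple_user_dn_asString)
                input_ldap_multiple_group_dn = literal_eval(input_ldap_multiple_group_dn_asString)
            except Exception:
                raise dn_format_error

            string_types = (str, type(u""))
            for dn_list in (input_ldap_multiple_user_dn, input_ldap_multiple_group_dn):
                if not isinstance(dn_list, (list, tuple)):
                    raise dn_format_error
                if not all(isinstance(dn, string_types) and dn.strip() for dn in dn_list):
                    raise dn_format_error

            # Instantiate LDAP Server and Connection
            c = helper.get_ldap_connection()

            try:
                # Bind to the connection
                c.bind()
            except Exception as err:
                raise ValueError("Cannot connect to LDAP Server. Ensure credentials are correct\n Error: {0}".format(err))

            yield StatusMessage("Connected to {0}".format("Active Directory"))

            res = False
            users_dn = []

            try:
                yield StatusMessage("Attempting to remove user(s) from group(s)")
                # fix=True: ldap3 skips DNs that do not exist or are not members
                # instead of failing the whole operation.
                res = ad_remove_members_from_groups(c, input_ldap_multiple_user_dn, input_ldap_multiple_group_dn, True)

                # ldap3 leaves the last request on the connection; when a modify
                # was sent, its first change carries the member values removed.
                if res and "changes" in c.request:
                    users_dn = c.request["changes"][0]["attribute"]["value"]

            except Exception as err:
                # Keep the underlying cause in the message so the operator can
                # tell a missing group from a permissions or connectivity failure.
                raise ValueError("Ensure all group DNs exist\n Error: {0}".format(err))

            finally:
                # Unbind connection
                c.unbind()

            results = {
                "success": res,
                "users_dn": users_dn if len(users_dn) > 0 else None,
                "groups_dn": input_ldap_multiple_group_dn
            }

            log.info("Completed")

            # Produce a FunctionResult with the results
            yield FunctionResult(results)
        except Exception:
            # FunctionError() with no arguments reports the in-flight exception
            yield FunctionError()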
コード例 #3
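    def _ldap_md_utilities_remove_from_groups_function(self, event, *args, **kwargs):
        """Remove one or more users from one or more AD groups in a chosen domain.

        Function inputs (read from ``kwargs``):
            ldap_md_domain_name: text. Selects which configured domain the
                helper connects to.
            ldap_md_multiple_user_dn: text. String representation of a Python
                list of user DNs, e.g. "['cn=a,dc=x', 'cn=b,dc=x']".
            ldap_md_multiple_group_dn: text. Same format, group DNs.

        Yields:
            StatusMessage progress updates, then a FunctionResult whose value is
            ``{"success": bool, "domain_name": str, "users_dn": list | None,
            "groups_dn": list}``. ``users_dn`` is read back from the modify
            request ldap3 sent, so it holds the members actually removed.

        Raises:
            FunctionError: the configured connection is not Active Directory.
            ValueError: an input is not a list of DN strings, the bind fails,
                or the group modification fails.
            Anything escaping the body is re-yielded as a FunctionError by the
            outer handler (resilient-circuits convention).
        """
        try:

            # Get the wf_instance_id of the workflow this Function was called in
            wf_instance_id = event.message["workflow_instance"]["workflow_instance_id"]

            yield StatusMessage("Starting 'ldap_md_utilities_remove_from_groups' running in workflow '{0}'".format(wf_instance_id))

            # Get the function parameters (all text)
            ldap_md_domain_name = kwargs.get("ldap_md_domain_name")
            ldap_md_multiple_user_dn = kwargs.get("ldap_md_multiple_user_dn")
            ldap_md_multiple_group_dn = kwargs.get("ldap_md_multiple_group_dn")

            # DNs are not secrets, so logging them is acceptable; the bind
            # password is never logged here (only the bind DN, below).
            log = logging.getLogger(__name__)
            log.info("ldap_md_domain_name: %s", ldap_md_domain_name)
            log.info("ldap_md_multiple_user_dn: %s", ldap_md_multiple_user_dn)
            log.info("ldap_md_multiple_group_dn: %s", ldap_md_multiple_group_dn)
            yield StatusMessage("Function Inputs OK")

            # Instantiate helper (reads the app.config section for this domain)
            helper = LDAPUtilitiesHelper(self.options, ldap_md_domain_name)
            log.info("[app.config] -ldap_server: %s", helper.LDAP_SERVER)
            log.info("[app.config] -ldap_user_dn: %s", helper.LDAP_USER_DN)
            yield StatusMessage("Appconfig Settings OK")

            ##############################################

            if not helper.LDAP_IS_ACTIVE_DIRECTORY:
                raise FunctionError("This function only supports an Active Directory connection. Make sure ldap_is_active_directory is set to True in the app.config file")

            # The inputs are workflow-supplied text. literal_eval never executes
            # code, but it accepts any Python literal (int, dict, nested lists, ...),
            # so the parsed value is additionally checked to be a list of non-empty
            # DN strings before it is handed to ldap3. type(u"") covers unicode on
            # Python 2 and is simply str on Python 3.
            dn_format_error = ValueError("""ldap_md_multiple_user_dn and ldap_md_multiple_group_dn must be a string repersenation of an array e.g. "['dn=Accounts Group,dc=example,dc=com', 'dn=IT Group,dc=example,dc=com']" """)
            try:
                ldap_md_multiple_user_dn = literal_eval(ldap_md_multiple_user_dn)
                ldap_md_multiple_group_dn = literal_eval(ldap_md_multiple_group_dn)
            except Exception:
                raise dn_format_error

            string_types = (str, type(u""))
            for dn_list in (ldap_md_multiple_user_dn, ldap_md_multiple_group_dn):
                if not isinstance(dn_list, (list, tuple)):
                    raise dn_format_error
                if not all(isinstance(dn, string_types) and dn.strip() for dn in dn_list):
                    raise dn_format_error

            # Instantiate LDAP Server and Connection
            c = helper.get_ldap_connection()

            try:
                # Bind to the connection
                c.bind()
            except Exception as err:
                raise ValueError("Cannot connect to LDAP Server. Ensure credentials are correct\n Error: {0}".format(err))

            yield StatusMessage("Connected to {0}".format("Active Directory"))

            res = False
            users_dn = []
            try:
                yield StatusMessage("Attempting to remove user(s) from group(s)")
                # fix=True: ldap3 skips DNs that do not exist or are not members
                # instead of failing the whole operation.
                res = ad_remove_members_from_groups(c, ldap_md_multiple_user_dn, ldap_md_multiple_group_dn, True)

                # ldap3 leaves the last request on the connection; when a modify
                # was sent, its first change carries the member values removed.
                if res and "changes" in c.request:
                    users_dn = c.request["changes"][0]["attribute"]["value"]

            except Exception as err:
                # Keep the underlying cause in the message so the operator can
                # tell a missing group from a permissions or connectivity failure.
                raise ValueError("Ensure all group DNs exist\n Error: {0}".format(err))

            finally:
                # Unbind connection
                c.unbind()

            ##############################################

            results = {
                "success": res,
                "domain_name": ldap_md_domain_name,
                "users_dn": users_dn if len(users_dn) > 0 else None,
                "groups_dn": ldap_md_multiple_group_dn
            }

            yield StatusMessage("Finished 'ldap_md_utilities_remove_from_groups' that was running in workflow '{0}'".format(wf_instance_id))

            # Produce a FunctionResult with the results
            yield FunctionResult(results)
        except Exception:
            # FunctionError() with no arguments reports the in-flight exception
            yield FunctionError()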
コード例 #4
 def delete_user_group(self, user_dn, group_dn):
     """Remove ``user_dn`` from ``group_dn`` through ldap3's AD helper.

     Both arguments are passed straight through to
     ``ad_remove_members_from_groups`` on the wrapped connection, with
     ``fix`` enabled (per ldap3, this is meant to tolerate members that are
     not actually in the group rather than fail -- confirm against the ldap3
     version in use). Returns whatever the helper returns.
     """
     return ad_remove_members_from_groups(
         self.__ldap__, user_dn, group_dn, fix=True)