def test_errors(self, mock_spawn):
    """A kadmin 'Principal already exists' reply must surface as ValueError.

    ``mock_spawn`` replaces the pexpect spawn used by
    create_kerberos_principal_with_keytab; the fake child's ``before``
    buffer is what the function reads back after the command runs, so the
    duplicate-principal message is planted there.
    """
    duplicate_msg = 'kadmin: kadm5_create_principal: Principal already exists'
    fake_child = mock_spawn.return_value
    fake_child.before.decode.return_value = duplicate_msg

    with pytest.raises(ValueError):
        create_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')
def test_errors(self, mock_spawn):
    """kadmin refusing a duplicate principal is reported as ValueError.

    The spawned kadmin child is mocked; its decoded ``before`` output is
    what the function under test inspects, so the error text kadmin prints
    for an existing principal is returned from there.
    """
    child = mock_spawn.return_value
    child.before.decode.return_value = (
        'kadmin: kadm5_create_principal: Principal already exists'
    )

    principal, keytab, admin = 'ggroup', '/some/keytab', 'create/admin'
    with pytest.raises(ValueError):
        create_kerberos_principal_with_keytab(principal, keytab, admin)
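def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Runs, in order: Kerberos principal creation (with the password decrypted
    from the request), free-UID search, LDAP entry creation, nscd passwd
    cache flush, home/web directory creation, welcome mail.

    Not yet idempotent in practice: a principal or LDAP entry that already
    exists makes the corresponding step fail (see the TODOs below). The
    steps are not transactional either -- a failure after the principal is
    created leaves a principal with no LDAP entry behind.

    Security note: the request password is RSA-encrypted; the private key is
    read from the file named by ``creds.encryption_key`` on every call and
    the decrypted password is handed to kadmin.

    :param request: the approved account request (reads user_name,
        real_name, email, encrypted_password, calnet_uid, callink_oid)
    :param creds: credentials for acting on Kerberos/LDAP (reads
        kerberos_keytab, kerberos_principal, encryption_key)
    :param report_status: progress reporter used as a context manager
        around each step
    """
    from datetime import timezone  # local import keeps this fix self-contained

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Close the key file promptly instead of leaving it to GC.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(
                request.encrypted_password,
                private_key,
            ),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = utils.dn_for_username(request.user_name)
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # '{SASL}user@REALM' is a pass-through: the directory defers password
        # checks to Kerberos and stores no hash. The realm is hard-coded.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The format ends in a literal 'Z' (LDAP GeneralizedTime, UTC), so
        # the timestamp must be taken in UTC rather than local time.
        'creationTime': [datetime.now(timezone.utc).strftime('%Y%m%d%H%M%SZ')],
    }

    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway (the return code is deliberately ignored)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)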
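def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Runs, in order: Kerberos principal creation (with the password decrypted
    from the request), free-UID search, LDAP entry creation, nscd passwd
    cache flush, home/web directory creation, welcome mail.

    Not yet idempotent in practice: a principal or LDAP entry that already
    exists makes the corresponding step fail (see the TODOs below). The
    steps are not transactional either -- a failure after the principal is
    created leaves a principal with no LDAP entry behind.

    Security note: the request password is RSA-encrypted; the private key is
    read from the file named by ``creds.encryption_key`` on every call and
    the decrypted password is handed to kadmin.

    :param request: the approved account request (reads user_name,
        real_name, email, encrypted_password, calnet_uid, callink_oid)
    :param creds: credentials for acting on Kerberos/LDAP (reads
        kerberos_keytab, kerberos_principal, encryption_key)
    :param report_status: progress reporter used as a context manager
        around each step
    """
    from datetime import timezone  # local import keeps this fix self-contained

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Close the key file promptly instead of leaving it to GC.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(
                request.encrypted_password,
                private_key,
            ),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=request.user_name,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # '{SASL}user@REALM' is a pass-through: the directory defers password
        # checks to Kerberos and stores no hash. The realm is hard-coded.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The format ends in a literal 'Z' (LDAP GeneralizedTime, UTC), so
        # the timestamp must be taken in UTC rather than local time.
        'creationTime': [datetime.now(timezone.utc).strftime('%Y%m%d%H%M%SZ')],
    }

    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway (the return code is deliberately ignored)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)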
def test_random_password(self, mock_spawn):
    """Without a password the function generates one and types it to kadmin.

    Two things are pinned: the exact kadmin command line handed to spawn
    (keytab, admin principal, new principal) and that the generated secret
    written on the child's stdin is 100 characters long.
    """
    create_kerberos_principal_with_keytab('ggroup', '/some/keytab', 'create/admin')

    expected_command = (
        '/usr/bin/kadmin -K /some/keytab -p create/admin add '
        '--use-defaults ggroup'
    )
    # NOTE(review): the principal name is interpolated into the command
    # string unquoted; the function under test (not visible here) must
    # reject names containing whitespace or quoting characters.
    mock_spawn.assert_called_with(expected_command, timeout=10)

    positional_args = mock_spawn.return_value.sendline.call_args[0]
    generated_secret = positional_args[0]
    assert len(generated_secret) == 100
def _ldap_attrs_for(request, uid):
    """Build the LDAP attribute dict for a new account entry.

    ``uid`` is the numeric UID already chosen for the account; every value
    is a list of strings as the LDAP add call expects. Exactly one of
    calnetUid / callinkOid is set, preferring CalNet when present.
    """
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # '{SASL}user@REALM' is a pass-through: the directory defers password
        # checks to Kerberos and stores no hash. The realm is hard-coded.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
    }
    affiliation = (
        ('calnetUid', request.calnet_uid)
        if request.calnet_uid
        else ('callinkOid', request.callink_oid)
    )
    attrs[affiliation[0]] = [str(affiliation[1])]
    return attrs


def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Runs, in order: Kerberos principal creation (password decrypted from the
    request with ``creds.encryption_key``), free-UID search, LDAP entry
    creation, home/web directory creation, welcome mail.

    Not yet idempotent in practice: a principal or LDAP entry that already
    exists makes the corresponding step fail (see the TODOs below), and a
    failure after the principal is created leaves it without an LDAP entry.

    :param request: the approved account request (reads user_name,
        real_name, email, encrypted_password, calnet_uid, callink_oid)
    :param creds: credentials for acting on Kerberos/LDAP (reads
        kerberos_keytab, kerberos_principal, encryption_key)
    :param report_status: progress reporter used as a context manager
        around each step
    """
    username = request.user_name

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        plaintext = decrypt_password(request.encrypted_password, creds.encryption_key)
        create_kerberos_principal_with_keytab(
            username,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=plaintext,
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        uid = _get_first_available_uid()

    entry_dn = 'uid={user},{base_people}'.format(
        user=username,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            entry_dn,
            _ldap_attrs_for(request, uid),
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(username)
        create_web_dir(username)

    send_created_mail(request)
def test_normal_password(self, mock_spawn):
    """A caller-supplied password is typed to kadmin twice, verbatim.

    NOTE(review): the ``password=`` literal in this copy does not match the
    value asserted on the child's stdin below; it looks like a redaction
    artifact rather than the real fixture -- confirm against the original.
    """
    create_kerberos_principal_with_keytab(
        'ggroup',
        '/some/keytab',
        'create/admin',
        password='******',
    )

    expected_command = (
        '/usr/bin/kadmin -K /some/keytab -p create/admin add '
        '--use-defaults ggroup'
    )
    mock_spawn.assert_called_with(expected_command, timeout=10)

    # Presumably kadmin prompts for the password and a confirmation.
    typed_lines = [mock.call('hunter2')] * 2
    mock_spawn.return_value.sendline.assert_has_calls(typed_lines)
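def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step is skipped when its result already exists, so the function
    can be re-run after a partial failure: the Kerberos principal is only
    created if the KDC does not already know it, and the LDAP entry is only
    added if no entry for the username is found. The nscd flush, directory
    creation and welcome mail always run.

    Security note: the request password is RSA-encrypted; the private key
    is read from the file named by ``creds.encryption_key`` on every call
    and the decrypted password is handed to kadmin. The steps are not
    transactional -- a failure after the principal is created leaves a
    principal with no LDAP entry until the next retry.

    :param request: the approved account request (reads user_name,
        real_name, email, encrypted_password, calnet_uid, callink_oid)
    :param creds: credentials for acting on Kerberos/LDAP (reads
        kerberos_keytab, kerberos_principal, encryption_key)
    :param report_status: progress reporter; used as a context manager
        around a step, or called directly with a one-line message
    :param known_uid: where to start searching for unused UIDs
                      (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated
    """
    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Close the key file promptly instead of leaving it to GC.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password,
                    private_key,
                ),
            )

    # Bound on every path: previously `return new_uid` below raised
    # UnboundLocalError when the LDAP entry already existed.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO(review): return the existing uidNumber here once the shape
        # of search.user_attrs()'s result is confirmed.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # Presumably a SASL pass-through (user@REALM) so no hash is
            # stored. NOTE(review): the prefix literal looks redacted in
            # this copy; confirm it against the real source.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware so the directory gets an unambiguous timestamp.
            'creationTime': datetime.now(timezone.utc).astimezone(),
        }

        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway (the return code is deliberately ignored)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)

    # TODO: logging to syslog, files
    return new_uid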
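def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    Each step is skipped when its result already exists, so the function
    can be re-run after a partial failure: the Kerberos principal is only
    created if the KDC does not already know it, and the LDAP entry is only
    added if no entry for the username is found. The nscd flush, directory
    creation and welcome mail always run.

    Security note: the request password is RSA-encrypted; the private key
    is read from the file named by ``creds.encryption_key`` on every call
    and the decrypted password is handed to kadmin. The steps are not
    transactional -- a failure after the principal is created leaves a
    principal with no LDAP entry until the next retry.

    :param request: the approved account request (reads user_name,
        real_name, email, encrypted_password, calnet_uid, callink_oid)
    :param creds: credentials for acting on Kerberos/LDAP (reads
        kerberos_keytab, kerberos_principal, encryption_key)
    :param report_status: progress reporter; used as a context manager
        around a step, or called directly with a one-line message
    :param known_uid: where to start searching for unused UIDs
                      (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated
    """
    from datetime import timezone  # local import keeps this fix self-contained

    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Close the key file promptly instead of leaving it to GC.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password,
                    private_key,
                ),
            )

    # Bound on every path: previously `return new_uid` below raised
    # UnboundLocalError when the LDAP entry already existed.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO(review): return the existing uidNumber here once the shape
        # of search.user_attrs()'s result is confirmed.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # Presumably a SASL pass-through (user@REALM) so no hash is
            # stored. NOTE(review): the prefix literal looks redacted in
            # this copy; confirm it against the real source.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware: a naive datetime.now() would record local
            # time with no offset, so the stored timestamp is ambiguous.
            'creationTime': datetime.now(timezone.utc),
        }

        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway (the return code is deliberately ignored)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)

    # TODO: logging to syslog, files
    return new_uid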