def test_normal_creation(self, mock_spawn, mock_send_problem_report):
    """A clean run authenticates via the keytab, feeds LDIF to ldapmodify and files no problem report."""
    dn = "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"
    child = mock_spawn.return_value
    # An output buffer holding only a newline stands in for "no error text".
    child.before = b"\n"

    create_ldap_entry_with_keytab(
        dn,
        {"a": ["b", "c"], "d": 12, "e": datetime(2016, 11, 5, 12, 0, 0)},
        "/nonexist",
        "create/admin",
    )

    # The keytab-backed principal is what authenticates the modify; no password is involved.
    mock_spawn.assert_called_with("kinit -t /nonexist create/admin ldapmodify", timeout=10)

    expected_prompts = [
        mock.call("SASL data security layer installed."),
        mock.call('entry "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"'),
    ]
    child.expect.assert_has_calls(expected_prompts)

    # Non-string values must reach the wire already serialised (int -> "12",
    # datetime -> generalized time in UTC).
    ldif_pairs = [
        ("dn", dn),
        ("a", "b"),
        ("a", "c"),
        ("d", "12"),
        ("e", "20161105120000Z"),
    ]
    expected_lines = [mock.call(encode(attr, value)) for attr, value in ldif_pairs]
    expected_lines.append(mock.call("changetype: add"))
    child.sendline.assert_has_calls(expected_lines, any_order=True)

    assert child.sendeof.called
    assert not mock_send_problem_report.called
def test_normal_creation(self, mock_spawn, mock_send_problem_report):
    """A clean run authenticates via the keytab, feeds LDIF to ldapmodify and files no problem report."""
    dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
    child = mock_spawn.return_value
    # An output buffer holding only a newline stands in for "no error text".
    child.before = b'\n'

    create_ldap_entry_with_keytab(
        dn,
        {'a': ['b', 'c'], 'd': ['e']},
        '/nonexist',
        'create/admin',
    )

    # The keytab-backed principal is what authenticates the modify; no password is involved.
    mock_spawn.assert_called_with(
        'kinit -t /nonexist create/admin ldapmodify',
        timeout=10,
    )

    expected_prompts = [
        mock.call('SASL data security layer installed.'),
        mock.call('entry "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"'),
    ]
    child.expect.assert_has_calls(expected_prompts)

    ldif_pairs = [
        ('dn', dn),
        ('a', 'b'),
        ('a', 'c'),
        ('d', 'e'),
    ]
    expected_lines = [mock.call(encode(attr, value)) for attr, value in ldif_pairs]
    expected_lines.append(mock.call('changetype: add'))
    child.sendline.assert_has_calls(expected_lines, any_order=True)

    assert child.sendeof.called
    assert not mock_send_problem_report.called
def test_normal_creation(self, mock_spawn, mock_send_problem_report):
    """A clean run authenticates via the keytab, feeds base64 LDIF to ldapadd and files no problem report."""
    dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
    child = mock_spawn.return_value
    # An output buffer holding only a newline stands in for "no error text".
    child.before = b'\n'

    create_ldap_entry_with_keytab(
        dn,
        {'a': ['b', 'c'], 'd': ['e']},
        '/nonexist',
        'create/admin',
    )

    # The keytab-backed principal is what authenticates the add; no password is involved.
    mock_spawn.assert_called_with(
        'kinit -t /nonexist create/admin ldapadd',
        timeout=10,
    )

    expected_prompts = [
        mock.call('SASL data security layer installed.'),
        mock.call('adding new entry "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"'),
    ]
    child.expect.assert_has_calls(expected_prompts)

    def base64_line(attr, value):
        """Render one LDIF line in the `attr:: <base64>` form the code under test emits."""
        encoded = b64encode(value.encode('utf8')).decode('ascii')
        return '{attr}:: {value}'.format(attr=attr, value=encoded)

    ldif_pairs = [
        ('dn', dn),
        ('a', 'b'),
        ('a', 'c'),
        ('d', 'e'),
    ]
    expected_lines = [mock.call(base64_line(attr, value)) for attr, value in ldif_pairs]
    child.sendline.assert_has_calls(expected_lines, any_order=True)

    assert child.sendeof.called
    assert not mock_send_problem_report.called
def test_unexpected_error(self, mock_spawn, mock_send_problem_report):
    """Unrecognised output from the LDAP tool is escalated: ValueError plus a problem report."""
    # Anything other than an empty buffer after the command is treated as an error.
    mock_spawn.return_value.before = b'\nlol wut is this error\n'
    dn = 'uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU'
    attrs = {'a': ['b', 'c'], 'd': ['e']}

    with pytest.raises(ValueError):
        create_ldap_entry_with_keytab(dn, attrs, '/nonexist', 'create/admin')

    # The failure must not be swallowed silently: operators get a report.
    assert mock_send_problem_report.called
def test_unexpected_error(self, mock_spawn, mock_send_problem_report):
    """Unrecognised output from the LDAP tool is escalated: ValueError plus a problem report."""
    # Anything other than an empty buffer after the command is treated as an error.
    mock_spawn.return_value.before = b"\nlol wut is this error\n"
    dn = "uid=ckuehl,ou=People,dc=OCF,dc=Berkeley,dc=EDU"
    attrs = {"a": ["b", "c"], "d": ["e"]}

    with pytest.raises(ValueError):
        create_ldap_entry_with_keytab(dn, attrs, "/nonexist", "create/admin")

    # The failure must not be swallowed silently: operators get a report.
    assert mock_send_problem_report.called
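def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Provisions, in order: the Kerberos principal (using the password from
    the request), the LDAP entry, the home and web directories, and finally
    the "account created" mail. Each step runs under ``report_status`` so
    the caller sees progress.

    :param request: approved account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` / ``callink_oid``
        are read from it
    :param creds: ``kerberos_keytab`` and ``kerberos_principal`` used to
        authenticate the provisioning steps, plus ``encryption_key``, the
        path of the RSA private key that decrypts the request password
    :param report_status: callable returning a context manager that reports
        one step as (in-progress verb, done verb, subject)
    """
    from datetime import timezone

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Read the private key under a context manager so the handle is
        # closed promptly instead of being left to the garbage collector.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, private_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = utils.dn_for_username(request.user_name)
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # The {SASL} prefix delegates password checks for this entry to the
        # SASL/Kerberos identity, so no password hash is stored in LDAP.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The trailing 'Z' means UTC in LDAP generalized time, so the
        # timestamp is taken in UTC rather than the host's local zone.
        'creationTime': [datetime.now(timezone.utc).strftime('%Y%m%d%H%M%SZ')],
    }

    # Exactly one of the two external identifiers is recorded on the entry.
    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway
    # (argument tuple, no shell: nothing here is interpolated from input)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)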
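def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Provisions, in order: the Kerberos principal (using the password from
    the request), the LDAP entry under ``constants.OCF_LDAP_PEOPLE``, the
    home and web directories, and finally the "account created" mail. Each
    step runs under ``report_status`` so the caller sees progress.

    :param request: approved account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` / ``callink_oid``
        are read from it
    :param creds: ``kerberos_keytab`` and ``kerberos_principal`` used to
        authenticate the provisioning steps, plus ``encryption_key``, the
        path of the RSA private key that decrypts the request password
    :param report_status: callable returning a context manager that reports
        one step as (in-progress verb, done verb, subject)
    """
    from datetime import timezone

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Read the private key under a context manager so the handle is
        # closed promptly instead of being left to the garbage collector.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, private_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=request.user_name,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # The {SASL} prefix delegates password checks for this entry to the
        # SASL/Kerberos identity, so no password hash is stored in LDAP.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The trailing 'Z' means UTC in LDAP generalized time, so the
        # timestamp is taken in UTC rather than the host's local zone.
        'creationTime': [datetime.now(timezone.utc).strftime('%Y%m%d%H%M%SZ')],
    }

    # Exactly one of the two external identifiers is recorded on the entry.
    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    # invalidate passwd cache so that we can immediately chown files
    # XXX: sometimes this fails, but that's okay because it means
    # nscd isn't running anyway
    # (argument tuple, no shell: nothing here is interpolated from input)
    call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)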
def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Steps, in order: Kerberos principal (password decrypted from the
    request with ``creds.encryption_key``), LDAP entry under
    ``constants.OCF_LDAP_PEOPLE``, home and web directories, then the
    "account created" mail. Every step is reported through ``report_status``.

    :param request: approved account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` / ``callink_oid``
        are read from it
    :param creds: ``kerberos_keytab`` / ``kerberos_principal`` used to
        authenticate, plus ``encryption_key`` handed to ``decrypt_password``
    :param report_status: callable returning a context manager that reports
        one step as (in-progress verb, done verb, subject)
    """
    username = request.user_name

    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        plaintext_password = decrypt_password(
            request.encrypted_password,
            creds.encryption_key,
        )
        create_kerberos_principal_with_keytab(
            username,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=plaintext_password,
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        uid_number = _get_first_available_uid()

    dn = 'uid={},{}'.format(username, constants.OCF_LDAP_PEOPLE)

    # The {SASL} prefix delegates password checks for this entry to the
    # SASL/Kerberos identity, so no password hash is stored in LDAP.
    sasl_identity = '{SASL}' + username + '@OCF.BERKELEY.EDU'

    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(uid_number)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(username)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        'userPassword': [sasl_identity],
    }

    # Exactly one of the two external identifiers is recorded on the entry.
    external_id = (
        ('calnetUid', request.calnet_uid)
        if request.calnet_uid
        else ('callinkOid', request.callink_oid)
    )
    attrs[external_id[0]] = [str(external_id[1])]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn,
            attrs,
            creds.kerberos_keytab,
            creds.kerberos_principal,
        )

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(username)
        create_web_dir(username)

    send_created_mail(request)
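def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    The Kerberos principal and the LDAP entry are skipped when they already
    exist; the home/web directory step and the created-mail run every time.

    :param request: approved account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` / ``callink_oid``
        are read from it
    :param creds: ``kerberos_keytab`` / ``kerberos_principal`` used to
        authenticate, plus ``encryption_key``, the path of the RSA private
        key that decrypts the request password
    :param report_status: progress reporter; called with a single message
        for a skipped step, or used as a context manager with
        (in-progress verb, done verb, subject)
    :param known_uid: where to start searching for unused UIDs
        (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and this call allocated no UID
    """
    # TODO: better docstring
    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Read the private key under a context manager so the handle is
            # closed promptly instead of being left to the garbage collector.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    # Only set when this call allocates a UID; without the default, the
    # "already exists" branch left the name unbound and the final return
    # raised UnboundLocalError.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO(review): return the existing entry's uidNumber here so that
        # re-runs also yield a usable UID.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # NOTE(review): the literal prefix below looks redacted in this
            # copy of the file; confirm it against the upstream source.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware timestamp, converted to the host's local zone.
            'creationTime': datetime.now(timezone.utc).astimezone(),
        }

        # Exactly one of the two external identifiers is recorded on the entry.
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # (argument tuple, no shell: nothing here is interpolated from input)
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)

    # TODO: logging to syslog, files

    return new_uid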
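def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    The Kerberos principal and the LDAP entry are skipped when they already
    exist; the home/web directory step and the created-mail run every time.

    :param request: approved account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` / ``callink_oid``
        are read from it
    :param creds: ``kerberos_keytab`` / ``kerberos_principal`` used to
        authenticate, plus ``encryption_key``, the path of the RSA private
        key that decrypts the request password
    :param report_status: progress reporter; called with a single message
        for a skipped step, or used as a context manager with
        (in-progress verb, done verb, subject)
    :param known_uid: where to start searching for unused UIDs
        (see _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and this call allocated no UID
    """
    from datetime import timezone

    # TODO: better docstring
    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Read the private key under a context manager so the handle is
            # closed promptly instead of being left to the garbage collector.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(request.encrypted_password, private_key),
            )

    # Only set when this call allocates a UID; without the default, the
    # "already exists" branch left the name unbound and the final return
    # raised UnboundLocalError.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO(review): return the existing entry's uidNumber here so that
        # re-runs also yield a usable UID.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # NOTE(review): the literal prefix below looks redacted in this
            # copy of the file; confirm it against the upstream source.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware UTC timestamp: a naive datetime.now() is local
            # time, which the LDAP encoder would label as if it were UTC.
            'creationTime': datetime.now(timezone.utc),
        }

        # Exactly one of the two external identifiers is recorded on the entry.
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        # (argument tuple, no shell: nothing here is interpolated from input)
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)

    # TODO: logging to syslog, files

    return new_uid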