Exemplo n.º 1
0
 def test_constructor_with_bad_arg(self):
     ''' Test the constructor to succeed with a bad argument, but result in
         an unusable object
     '''
     conf = config.Config(1)
     with self.assertRaises(TypeError):
         conf.run()
Exemplo n.º 2
0
def explicit_audit(args):
    ''' Perform an LDAP audit. Find all users, evaluate how well they match to
        profiles, and generate a report.
    '''
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    prof = args.profile_dir + '/%s' % args.profile
    prof = profile.Profile(prof)
    if args.environment:
        env = configs.environments.pop(args.environment)
        ldap_conn = LDAP.LDAP(env,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
    else:
        ldap_conn = LDAP.LDAP.from_config(configs).next()
    if args.users:
        users = args.users
    else:
        users = [i for i in ldap_conn.get_all_uids()]
    audits = defaultdict(list)
    for user in users:
        usearch = ldap_conn.user_search(user)
        the_audit = (prof
                     .audit(usearch,
                            explicit=True,
                            ignore_inherited=args.ignore))
        if the_audit['value'] != 3:
            continue
        key = the_audit.pop('name')
        audits[key].append(the_audit)
    if args.html:
        print profile.audits2html(audits)
    else:
        print yaml.dump(audits, default_flow_style=False)
Exemplo n.º 3
0
def userenable(args):
    """ Enable a user; move user out of purgatory at a minimum.
    """
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    prof = args.profile_dir + '/%s' % args.profile
    prof = profile.Profile(prof)
    host = configs.environments.pop(args.environment)
    origin_ldap = LDAP.LDAP(host,
                            user=ldap_user,
                            password=ldap_password,
                            basedn=configs.basedn)
    user_obj = origin_ldap.get_user(args.user)
    if not user_obj:
        raise RuntimeError('%s not found. Please contact PLOPS.' % args.user)
    origin_ldap.move_user(args.user, LDAP.USERS)
    user = origin_ldap.user_search(args.user)
    diff = prof.audit(user, explicit=True, ignore_inherited=True)
    if not 'profile match' in diff['text'].lower():
        print 'Permissions to be changed via "%s" profile:' % prof.name
        if isinstance(diff['diff'], list):
            print diff['text']
        print yaml.dump(diff['diff'], default_flow_style=False)
    origin_ldap.enforce_profile(args.user, prof, args.jira)
    user_obj = origin_ldap.get_user(args.user, LDAP.USERS)
    for _, host in configs.environments.items():
        next_ldap = LDAP.LDAP(host,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
        next_user_obj = next_ldap.get_user(args.user)
        if not next_user_obj:
            next_ldap.add_object(user_obj, ignore_attrs=['dn'])
            modded_user = next_ldap.user_search(args.user)
            if not modded_user:
                raise RuntimeError('Adding user object to tree %s failed. \
Please contact PLOPS.' % next_ldap.host)
            print yaml.dump(modded_user, default_flow_style=False)
            return
        next_ldap.move_user(args.user, LDAP.USERS)
        next_user = next_ldap.user_search(args.user)
        diff = prof.audit(next_user, explicit=True, ignore_inherited=True)
        if not 'profile match' in diff['text'].lower():
            print 'Permissions to be changed via "%s" profile:' % prof.name
            if isinstance(diff['diff'], list):
                print diff['text']
            print yaml.dump(diff['diff'], default_flow_style=False)
        next_ldap.enforce_profile(args.user, prof, args.jira)
        modded_user = next_ldap.user_search(args.user)
        if modded_user:
            print yaml.dump(modded_user, default_flow_style=False)
Exemplo n.º 4
0
def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-c',
                        '--config',
                        default=CONFIG,
                        help='Regular expression to match profile file names \
                        against')
    args = parser.parse_args()
    conf = config.Config(args.config)
    phx = LDAP.LDAP.from_config(conf).next()
    dumper = UserDumper()
    all_users = phx.get_all_uids()
    for user in all_users:
        dumper.add(phx.user_search(user))
    print dumper.dump()
Exemplo n.º 5
0
def userdisable(args):
    """ Disable a user; move user into purgatory at a minimum.
    """
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    for _, host in configs.environments.items():
        print "Working on ldap host %s" % host
        next_ldap = LDAP.LDAP(host,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
        next_ldap.disable_user(args.user)
        modded_user = next_ldap.user_search(args.user)
        if modded_user:
            print yaml.dump(modded_user, default_flow_style=False)
Exemplo n.º 6
0
 def setUp(self):
     ''' Create a config.Config object for testing with a temporary file
     '''
     self.config_yaml = {
         'user': '',
         'password': '',
         'basedn': 'basedn',
         'environment': {
             'jcadev': 'jcadev',
             'jcint': 'jcint',
             'phx': 'phx'
         }
     }
     with open('ldap_yaml', 'w') as ldap_yaml:
         ldap_yaml.write(yaml.dump(self.config_yaml))
     self.conf = config.Config('ldap_yaml')
Exemplo n.º 7
0
def useradjust(args):
    """ Give a user a new profile on all environments
    """
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    prof = args.profile_dir + '/%s' % args.profile
    prof = profile.Profile(prof)
    env = configs.environments.pop(args.environment)
    origin_ldap = LDAP.LDAP(env,
                            user=ldap_user,
                            password=ldap_password,
                            basedn=configs.basedn)
    user_obj = origin_ldap.get_user(args.user, LDAP.USERS)
    user = origin_ldap.user_search(args.user)
    diff = prof.audit(user, explicit=True, ignore_inherited=True)
    if not 'profile match' in diff['text'].lower():
        print 'Permissions to be changed via "%s" profile:' % prof.name
        if isinstance(diff['diff'], list):
            print diff['text']
        print yaml.dump(diff['diff'], default_flow_style=False)
    origin_ldap.enforce_profile(args.user, prof)
    for _, host in configs.environments.items():
        next_ldap = LDAP.LDAP(host,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
        next_user = next_ldap.user_search(args.user)
        if not next_user.found:
            print ('User %s not found on %s. Full dict: "%s"'
                   % (args.user, next_ldap.host, next_user))
            try:
                next_ldap.add_object(user_obj, ignore_attrs=['dn'])
            # pylint: disable=no-member
            except LDAP.ldap.ALREADY_EXISTS: # definitely exists
                print ('User %s already exists on %s but is also "not found"???'
                       % (args.user, next_ldap.host))
            next_user = next_ldap.user_search(args.user)
        diff = prof.audit(next_user, explicit=True, ignore_inherited=True)
        if not 'profile match' in diff['text'].lower():
            print 'Permissions to be changed via "%s" profile:' % prof.name
            if isinstance(diff['diff'], list):
                print diff['text']
            print yaml.dump(diff['diff'], default_flow_style=False)
        next_ldap.enforce_profile(args.user, prof)
Exemplo n.º 8
0
def usersearch(args):
    """ Perform a user search against LDAP
    """
    configs = config.Config(args.config)
    results = {}
    for ldap_conn in LDAP.LDAP.from_config(configs, env=args.environment):
        if args.raw:
            if args.common_name:
                result = ldap_conn.get_user(args.user, filterfield='cn')
            else:
                result = ldap_conn.get_user(args.user)
        else:
            if args.common_name:
                result = ldap_conn.cn_search(args.user)
            else:
                result = ldap_conn.user_search(args.user)
            result = (result.dict()
                      if result.found
                      else '%s not found' % args.user)
        results[ldap_conn.host] = result
    print yaml.dump(results, default_flow_style=False)
Exemplo n.º 9
0
def propagate_pubkeys(args):
    ''' Copy a user's public key from chosen LDAP environment to other
        environments.
    '''
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    origin = configs.environments.pop(args.environment)
    ldap_conn = LDAP.LDAP(origin,
                          user=ldap_user,
                          password=ldap_password,
                          basedn=configs.basedn)
    user = ldap_conn.search(basedn=configs.basedn,
                            filterstr='(uid=%s)' % args.user).next()
    for _, host in configs.environments.items():
        next_ldap = LDAP.LDAP(host,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
        nextuser = next_ldap.search(basedn=configs.basedn,
                                    filterstr='(uid=%s)' % args.user).next()
        next_ldap.replace_attribute('sshPublicKey', nextuser, user.sshPublicKey)
        print 'Copied public key for user %s to LDAP host %s' % (args.user,
                                                                 next_ldap.host)
Exemplo n.º 10
0
def audit(args):
    ''' Perform an LDAP audit. Find all users, evaluate how well they match to
        profiles, and generate a report.
    '''
    configs = config.Config(args.config)
    ldap_user, ldap_password = ldap_creds(configs)
    profiles = [i for i in profile.Profile.from_directory(args.profile_dir)]
    if args.environment:
        env = configs.environments.pop(args.environment)
        ldap_conn = LDAP.LDAP(env,
                              user=ldap_user,
                              password=ldap_password,
                              basedn=configs.basedn)
    else:
        ldap_conn = LDAP.LDAP.from_config(configs).next()
    if args.users:
        users = args.users
    else:
        users = [i for i in ldap_conn.get_all_uids()]
    audits = defaultdict(list)
    for user in users:
        usearch = ldap_conn.user_search(user)
        usearch.found = True # set this explicitly since we obtained the list
                              # of users from LDAP
        the_audit = (profile
                     .Profile
                     .bulk_audit(usearch,
                                 profiles=profiles,
                                 ignore_inherited=args.ignore,
                                 explicit=args.explicit))
        key = the_audit.pop('name')
        audits[key].append(the_audit)
    if args.html:
        print profile.audits2html(audits)
    else:
        print yaml.dump(audits, default_flow_style=False)
Exemplo n.º 11
0
 def test_constructor_with_arg(self):
     ''' Test the constructor to create a Config object with an argument
     '''
     self.assertTrue(isinstance(config.Config('ldap_yml'), config.Config))
Exemplo n.º 12
0
 def test_constructor(self):
     ''' Test the constructor to fail without an argument
     '''
     # pylint: disable=no-value-for-parameter
     with self.assertRaises(TypeError):
         config.Config()