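def create_home_dir(user):
    """Create the home directory for *user* with restrictive permissions.

    The directory is created (via ``sudo install -d``) owned by the user,
    group ``ocf``, mode 0700. Nothing else is copied in by this version of
    the function.

    :param user: login name of the account; becomes the directory owner
    :raises subprocess.CalledProcessError: if ``install`` exits non-zero
    """
    home = utils.home_dir(user)
    # '--' terminates option parsing so the path can never be interpreted as
    # an option, the same convention create_web_dir already follows.
    subprocess.check_call(
        ['sudo', 'install', '-d', '--mode=0700', '--group=ocf',
            '--owner=' + user, '--', home])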
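def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Runs the creation steps in order -- Kerberos principal, LDAP entry,
    home and web directories, welcome mail -- each wrapped in
    ``report_status`` so progress is reported to the caller.

    :param request: the account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` /
        ``callink_oid`` are read here
    :param creds: ``kerberos_keytab``, ``kerberos_principal`` and
        ``encryption_key`` (path to the RSA private key that decrypts the
        request's password)
    :param report_status: context-manager factory used to report progress
    """
    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        # Context manager so the private-key file handle is closed promptly
        # rather than being left to the garbage collector.
        with open(creds.encryption_key) as key_file:
            private_key = RSA.importKey(key_file.read())
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=decrypt_password(request.encrypted_password, private_key),
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=request.user_name,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # Not a password: the {SASL} prefix delegates authentication to the
        # Kerberos principal created above.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
        # The trailing 'Z' in LDAP GeneralizedTime means UTC, so the timestamp
        # must be taken in UTC (datetime.now() gave local time here).
        'creationTime': [datetime.utcnow().strftime('%Y%m%d%H%M%SZ')],
    }
    if request.calnet_uid:
        attrs['calnetUid'] = [str(request.calnet_uid)]
    else:
        attrs['callinkOid'] = [str(request.callink_oid)]

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
        )

        # invalidate passwd cache so that we can immediately chown files
        # XXX: sometimes this fails, but that's okay because it means
        # nscd isn't running anyway
        call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)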
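def create_home_dir(user):
    """Create home directory for user. Makes a directory with appropriate
    permissions, then copies in OCF's skeleton dotfiles.

    The directory is created owned by the user, group ``ocf``, mode 0700;
    each skeleton file under ``rc/`` next to this module is then installed
    as ``~user/.<name>`` with mode 0600.

    :param user: login name of the account; owns the directory and dotfiles
    :raises subprocess.CalledProcessError: if any ``install`` exits non-zero
    """
    home = utils.home_dir(user)
    # '--' terminates option parsing so no path can be read as an option,
    # the same convention create_web_dir already follows.
    subprocess.check_call(
        ['sudo', 'install', '-d', '--mode=0700', '--group=ocf',
            '--owner=' + user, '--', home])

    rc_dir = os.path.join(os.path.dirname(__file__), 'rc')
    for name in ['bashrc', 'bash_profile', 'bash_logout']:
        path = os.path.join(rc_dir, name)
        subprocess.check_call(
            ['sudo', 'install', '--mode=0600', '--group=ocf',
                '--owner=' + user, '--', path, os.path.join(home, '.' + name)])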
def _new_account_attrs(request, new_uid):
    """Build the LDAP attribute dict for a new account entry.

    Every value is a single-element list of strings; exactly one of
    ``calnetUid`` / ``callinkOid`` is set depending on the request.
    """
    attrs = {
        'objectClass': ['ocfAccount', 'account', 'posixAccount'],
        'cn': [request.real_name],
        'uidNumber': [str(new_uid)],
        'gidNumber': [str(getgrnam('ocf').gr_gid)],
        'homeDirectory': [utils.home_dir(request.user_name)],
        'loginShell': ['/bin/bash'],
        'mail': [request.email],
        # Not a password: {SASL} delegates authentication to Kerberos.
        'userPassword': ['{SASL}' + request.user_name + '@OCF.BERKELEY.EDU'],
    }
    if request.calnet_uid:
        affiliation = ('calnetUid', request.calnet_uid)
    else:
        affiliation = ('callinkOid', request.callink_oid)
    key, value = affiliation
    attrs[key] = [str(value)]
    return attrs


def create_account(request, creds, report_status):
    """Create an account as idempotently as possible.

    Steps, in order: Kerberos principal, first free UID, LDAP entry, home and
    web directories, welcome mail. Each step is wrapped in ``report_status``
    so progress is reported to the caller.

    :param request: the account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` /
        ``callink_oid`` are read
    :param creds: ``kerberos_keytab``, ``kerberos_principal`` and
        ``encryption_key`` (passed straight to ``decrypt_password``)
    :param report_status: context-manager factory used to report progress
    """
    # TODO: check if kerberos principal already exists; skip this if so
    with report_status('Creating', 'Created', 'Kerberos keytab'):
        password = decrypt_password(
            request.encrypted_password,
            creds.encryption_key,
        )
        create_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
            password=password,
        )

    # TODO: check if LDAP entry already exists; skip this if so
    with report_status('Finding', 'Found', 'first available UID'):
        new_uid = _get_first_available_uid()

    dn = 'uid={user},{base_people}'.format(
        user=request.user_name,
        base_people=constants.OCF_LDAP_PEOPLE,
    )
    attrs = _new_account_attrs(request, new_uid)

    with report_status('Creating', 'Created', 'LDAP entry'):
        create_ldap_entry_with_keytab(
            dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
        )

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        create_web_dir(request.user_name)

    send_created_mail(request)
def create_web_dir(user):
    """Create web directory for user with appropriate permissions.

    All users are given a working web directory and public_html symlink at
    account creation. They can later use `makehttp` to fix these if they bork
    the permissions or symlink.

    :param user: login name of the account; owns the directory and symlink
    :raises subprocess.CalledProcessError: if either command exits non-zero
    """
    web_path = utils.web_dir(user)

    # The directory itself: owned by the user, group ocf, mode 0755.
    # '--' keeps the path from being parsed as an option.
    install_cmd = [
        'sudo', 'install',
        '-d', '--mode=0755', '--group=ocf', '--owner=' + user,
        '--', web_path,
    ]
    subprocess.check_call(install_cmd)

    # ~user/public_html -> web dir, created as the user; -f replaces any
    # existing link, -s makes it symbolic.
    link_path = os.path.join(utils.home_dir(user), 'public_html')
    link_cmd = ['sudo', '-u', user, 'ln', '-fs', '--', web_path, link_path]
    subprocess.check_call(link_cmd)
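def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    The Kerberos principal and the LDAP entry are each skipped when they
    already exist; the home/web directories and the welcome mail always run.

    :param request: the account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` /
        ``callink_oid`` are read
    :param creds: ``kerberos_keytab``, ``kerberos_principal`` and
        ``encryption_key`` (path to the RSA private key that decrypts the
        request's password)
    :param report_status: progress reporter; called with one message for a
        skipped step, used as a context manager around an executed one
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated
    """
    if get_kerberos_principal_with_keytab(
        request.user_name,
        creds.kerberos_keytab,
        creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Context manager so the private-key file handle is closed
            # promptly rather than being left to the garbage collector.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password, private_key,
                ),
            )

    # Previously 'return new_uid' raised UnboundLocalError whenever the LDAP
    # entry already existed; the skip path now returns None instead.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO: read uidNumber back from the existing entry so the skip path
        # can return the real UID.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # NOTE(review): the older version of this function on this page
            # uses the '{SASL}' prefix here; confirm '******' is the intended
            # value and not a redaction artifact.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Naive local time; the LDAP layer presumably formats it -- confirm.
            'creationTime': datetime.now(),
        }
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn, attrs, creds.kerberos_keytab, creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid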
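def create_home_dir(user):
    """Create home directory for user with appropriate permissions.

    The directory is created via ``sudo install -d`` owned by the user,
    group ``ocf``, mode 0700.

    :param user: login name of the account; becomes the directory owner
    :raises subprocess.CalledProcessError: if ``install`` exits non-zero
    """
    home = utils.home_dir(user)
    # '--' terminates option parsing so the path can never be read as an
    # option, the same convention create_web_dir already follows.
    subprocess.check_call(
        ['sudo', 'install', '-d', '--mode=0700', '--group=ocf',
            '--owner=' + user, '--', home])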
 def test_home_dir_errors_bad_user(self, user):
     """home_dir must reject an invalid user name with ValueError."""
     # Callable form of pytest.raises: same check, no with-block needed.
     pytest.raises(ValueError, home_dir, user)
 def test_home_dir(self, user, expected):
     """home_dir maps a valid user name to its expected home path."""
     actual = home_dir(user)
     assert actual == expected
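def create_account(request, creds, report_status, known_uid=_KNOWN_UID):
    """Create an account as idempotently as possible.

    The Kerberos principal and the LDAP entry are each skipped when they
    already exist; the home/web directories and the welcome mail always run.

    :param request: the account request; ``user_name``, ``real_name``,
        ``email``, ``encrypted_password`` and ``calnet_uid`` /
        ``callink_oid`` are read
    :param creds: ``kerberos_keytab``, ``kerberos_principal`` and
        ``encryption_key`` (path to the RSA private key that decrypts the
        request's password)
    :param report_status: progress reporter; called with one message for a
        skipped step, used as a context manager around an executed one
    :param known_uid: where to start searching for unused UIDs (see
        _get_first_available_uid)
    :return: the UID of the newly created account, or None when the LDAP
        entry already existed and no UID was allocated
    """
    if get_kerberos_principal_with_keytab(
            request.user_name,
            creds.kerberos_keytab,
            creds.kerberos_principal,
    ):
        report_status('kerberos principal already exists; skipping creation')
    else:
        with report_status('Creating', 'Created', 'Kerberos keytab'):
            # Context manager so the private-key file handle is closed
            # promptly rather than being left to the garbage collector.
            with open(creds.encryption_key) as key_file:
                private_key = RSA.importKey(key_file.read())
            create_kerberos_principal_with_keytab(
                request.user_name,
                creds.kerberos_keytab,
                creds.kerberos_principal,
                password=decrypt_password(
                    request.encrypted_password, private_key,
                ),
            )

    # Previously 'return new_uid' raised UnboundLocalError whenever the LDAP
    # entry already existed; the skip path now returns None instead.
    new_uid = None
    if search.user_attrs(request.user_name):
        report_status('LDAP entry already exists; skipping creation')
        # TODO: read uidNumber back from the existing entry so the skip path
        # can return the real UID.
    else:
        with report_status('Finding', 'Found', 'first available UID'):
            new_uid = _get_first_available_uid(known_uid)

        dn = utils.dn_for_username(request.user_name)
        attrs = {
            'objectClass': ['ocfAccount', 'account', 'posixAccount'],
            'cn': [request.real_name],
            'uidNumber': new_uid,
            'gidNumber': getgrnam('ocf').gr_gid,
            'homeDirectory': utils.home_dir(request.user_name),
            'loginShell': '/bin/bash',
            'mail': [request.email],
            # NOTE(review): the older version of this function on this page
            # uses the '{SASL}' prefix here; confirm '******' is the intended
            # value and not a redaction artifact.
            'userPassword': '******' + request.user_name + '@OCF.BERKELEY.EDU',
            # Timezone-aware timestamp in the local zone (never naive).
            'creationTime': datetime.now(timezone.utc).astimezone(),
        }
        if request.calnet_uid:
            attrs['calnetUid'] = request.calnet_uid
        else:
            attrs['callinkOid'] = request.callink_oid

        with report_status('Creating', 'Created', 'LDAP entry'):
            create_ldap_entry_with_keytab(
                dn,
                attrs,
                creds.kerberos_keytab,
                creds.kerberos_principal,
            )

            # invalidate passwd cache so that we can immediately chown files
            # XXX: sometimes this fails, but that's okay because it means
            # nscd isn't running anyway
            call(('sudo', 'nscd', '-i', 'passwd'))

    with report_status('Creating', 'Created', 'home and web directories'):
        create_home_dir(request.user_name)
        ensure_web_dir(request.user_name)

    send_created_mail(request)
    # TODO: logging to syslog, files

    return new_uid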
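def create_home_dir(user):
    """Create home directory for user with appropriate permissions.

    The directory is created via ``sudo install -d`` owned by the user,
    group ``ocf``, mode 0700.

    :param user: login name of the account; becomes the directory owner
    :raises subprocess.CalledProcessError: if ``install`` exits non-zero
    """
    home = utils.home_dir(user)
    # '--' terminates option parsing so the path can never be read as an
    # option, the same convention create_web_dir already follows.
    subprocess.check_call(
        ['sudo', 'install', '-d', '--mode=0700', '--group=ocf',
            '--owner=' + user, '--', home])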
 def test_home_dir_errors_bad_user(self, user):
     """home_dir must reject an invalid user name with ValueError."""
     # Callable form of pytest.raises: same check, no with-block needed.
     pytest.raises(ValueError, home_dir, user)
 def test_home_dir(self, user, expected):
     """home_dir maps a valid user name to its expected home path."""
     actual = home_dir(user)
     assert actual == expected