From 1735f5da2038ffe06dea0abda24acc745d325630 Mon Sep 17 00:00:00 2001 From: kakwa Date: Thu, 4 Jun 2015 23:34:31 +0200 Subject: [PATCH] simplify roles configuration (backend groups) --- conf/roles.yml | 46 +++++++---------- ldapcherry/roles.py | 57 +++++++++++++++------ tests/cfg/attributes_missing_mandatory.yml | 22 ++++---- tests/cfg/roles.yml | 46 +++++++---------- tests/cfg/roles_content_dup.yml | 58 +++++++++------------- tests/cfg/roles_key_dup.yml | 50 ++++++++----------- tests/cfg/roles_missing_backends.yml | 36 ++++++-------- tests/cfg/roles_missing_diplay_name.yml | 46 +++++++---------- tests/test_Roles.py | 4 +- 9 files changed, 171 insertions(+), 194 deletions(-) diff --git a/conf/roles.yml b/conf/roles.yml index 9201be3..c3bafe4 100644 --- a/conf/roles.yml +++ b/conf/roles.yml 
@@ -1,47 +1,39 @@ admin-lv3: display_name: Administrators Level 3 - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers admin-lv2: display_name: Administrators Level 2 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/ldapcherry/roles.py b/ldapcherry/roles.py index eee44db..4e5a899 100644 --- a/ldapcherry/roles.py +++ b/ldapcherry/roles.py 
@@ -34,10 +34,35 @@ class Roles: except DumplicatedKey as e: raise DumplicateRoleKey(e.key) stream.close() + self.graph = {} self.roles = {} + self.flatten = {} self.admin_roles = [] self._nest() + def _merge_groups(self, backends_list): + ret = {} + for backends in backends_list: + for b in backends: + if not b in ret: + ret[b] = Set([]) + for group in backends[b]: + ret[b].add(group) + return ret + + def _flatten(self, roles=None, groups=[]): + if roles is None: + roles = copy(self.roles_raw) + for roleid in role: + role = self.roles_raw[roleid] + if 'subroles' in role: + self._flatten(role['subroles'], role) + del role['subroles'] + + self.flatten[roleid] = role + + pass + def _set_admin(self, role): for r in role['subroles']: self.admin_roles.append(r) @@ -54,19 +79,19 @@ class Roles: return False # Check if role1 is contained by role2 - for b1 in role1['backends']: - if not b1 in role2['backends']: + for b1 in role1['backends_groups']: + if not b1 in role2['backends_groups']: return False - for group in role1['backends'][b1]['groups']: - if not group in role2['backends'][b1]['groups']: + for group in role1['backends_groups'][b1]: + if not group in role2['backends_groups'][b1]: return False # If role2 is inside role1, roles are equal, throw exception - for b2 in role2['backends']: - if not b2 in role1['backends']: + for b2 in role2['backends_groups']: + if not b2 in role1['backends_groups']: return True - for group in role2['backends'][b2]['groups']: - if not group in role1['backends'][b2]['groups']: + for group in role2['backends_groups'][b2]: + if not group in role1['backends_groups'][b2]: return True raise DumplicateRoleContent(roleid1, roleid2) 
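Review bot: The new `_flatten` method in the first hunk raises NameError on its first iteration, because `for roleid in role:` reads `role` before the loop body assigns it; the loop variable should be the parameter, `for roleid in roles:`. The method also declares a mutable default `groups=[]` that it never reads, passes the whole `role` dict as that argument on recursion, and ends in a dead `pass`; dropping the `groups` parameter and the `pass` would make the intent clearer. Note as well that `copy(self.roles_raw)` is a shallow copy, so `del role['subroles']` mutates the entries of `self.roles_raw` itself, which `get_groups` and the nesting code still read; `copy` is not visible in this diff, so confirm it is imported. None of the visible hunks call `_flatten` or `_merge_groups`, so these defects are latent until they are wired in, but `self.flatten` and `self.graph` are initialised in `__init__` as if they were. The `__init__` and `_is_parent`-style method this hunk touches both begin outside the hunk.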
@@ -81,11 +106,11 @@ class Roles: raise MissingKey('display_name', role, self.role_file) # Backend is mandatory - if not 'backends' in role: - raise MissingKey('backends', role, self.role_file) + if not 'backends_groups' in role: + raise MissingKey('backends_groups', role, self.role_file) # Create the list of backends - for backend in role['backends']: + for backend in role['backends_groups']: self.backends.add(backend) # Create the nested groups @@ -145,8 +170,8 @@ class Roles: # (parentroles is a list of roles that the user is member of by # being member of one of their subroles) if not (role in parentroles or role in roles): - for b in self.roles[role]['backends']: - for g in self.roles[role]['backends'][b]['groups']: + for b in self.roles[role]['backends_groups']: + for g in self.roles[role]['backends_groups'][b]: if b not in groups: notroles.add(role) return False @@ -155,10 +180,10 @@ class Roles: return False # add groups of the role to usedgroups - for b in self.roles[role]['backends']: + for b in self.roles[role]['backends_groups']: if not b in usedgroups: usedgroups[b] = Set([]) - for g in self.roles[role]['backends'][b]['groups']: + for g in self.roles[role]['backends_groups'][b]: usedgroups[b].add(g) flag = True @@ -212,7 +237,7 @@ class Roles: """get the list of groups from role""" if not role in self.roles_raw: raise MissingRole(role) - return self.roles_raw[role]['backends'] + return self.roles_raw[role]['backends_groups'] def is_admin(self, roles): """determine from a list of roles if is ldapcherry administrator""" diff --git a/tests/cfg/attributes_missing_mandatory.yml b/tests/cfg/attributes_missing_mandatory.yml index 1ffbc45..6129986 100644 --- a/tests/cfg/attributes_missing_mandatory.yml +++ b/tests/cfg/attributes_missing_mandatory.yml 
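Review bot: Dropping the intermediate `groups:` key removes the only structural check the old layout gave for free, and the loading loop in the first hunk (`for backend in role['backends_groups']: self.backends.add(backend)`) still validates nothing about the values: a role whose backend entry is a scalar (`ldap: cn=users,ou=group,dc=example,dc=com`) or `null` would no longer fail with a KeyError on `['groups']` but would be iterated character by character, or crash on `None`, in the membership loops of the `@@ -145` and `@@ -155` hunks and in the subset checks of the previous hunk, so a mistyped role file would silently grant or deny membership. Since the parsed role file decides privilege, I would validate the shape at load time, right after the mandatory-key check, e.g. `if not isinstance(role['backends_groups'][backend], list):` followed by `raise <project-config-error>('backends_groups', role, self.role_file)` using whichever exception type the module already defines for malformed config (MissingKey is the closest visible one). The enclosing method starts outside this hunk.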
@@ -7,21 +7,21 @@ cn: args: - $first-name - $name - bakends: + backends: ldap: cn ad: CN first-name: description: "First name of the user" display_name: "First Name" type: string - bakends: + backends: ldap: givenName ad: givenName name: description: "Family name of the user" display_name: "Name" type: string - bakends: + backends: ldap: sn ad: sn email: @@ -34,7 +34,7 @@ email: - $first-name - $last-name - '@example.com' - bakends: + backends: ldap: email ad: EMAIL uid: @@ -46,7 +46,7 @@ uid: args: - $first-name - $last-name - bakends: + backends: ldap: uid ad: UID uidNumber: @@ -58,7 +58,7 @@ uidNumber: args: - $first-name - $last-name - bakends: + backends: ldap: uidNumber ad: UIDNumber gidNumber: @@ -66,7 +66,7 @@ gidNumber: display_name: "GID Number" type: int default: 10000 - bakends: + backends: ldap: gidNumber ad: GIDNumber shell: @@ -78,7 +78,7 @@ shell: - /bin/bash - /bin/zsh - /bin/sh - bakends: + backends: ldap: shell ad: SHELL home: @@ -91,7 +91,7 @@ home: - $first-name - $last-name - /home/ - bakends: + backends: ldap: home ad: Home @@ -100,7 +100,7 @@ password: display_name: "Password" self: True type: password - bakends: + backends: ldap: userPassword ad: userPassword logscript: @@ -108,5 +108,5 @@ logscript: display_name: "Login script" type: fix value: login1.bat - bakends: + backends: ad: logonScript diff --git a/tests/cfg/roles.yml b/tests/cfg/roles.yml index 9201be3..c3bafe4 100644 --- a/tests/cfg/roles.yml +++ b/tests/cfg/roles.yml 
@@ -1,47 +1,39 @@ admin-lv3: display_name: Administrators Level 3 - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers admin-lv2: display_name: Administrators Level 2 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/tests/cfg/roles_content_dup.yml b/tests/cfg/roles_content_dup.yml index e80a04c..1b802de 100644 --- a/tests/cfg/roles_content_dup.yml +++ b/tests/cfg/roles_content_dup.yml 
@@ -1,57 +1,47 @@ -admin-lv3: +admin -lv3: display_name: Administrators Level 3 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers -admin-lv2: +admin -lv2: display_name: Administrators Level 2 - backends: + backends_groups: ldap: - groups: - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users2: display_name: Simple Users 2 - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/tests/cfg/roles_key_dup.yml b/tests/cfg/roles_key_dup.yml index a5e3d8f..b40e865 100644 --- a/tests/cfg/roles_key_dup.yml +++ b/tests/cfg/roles_key_dup.yml 
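Review bot: The top-level keys in this fixture are rewritten from `admin-lv3:` / `admin-lv2:` to `admin -lv3:` / `admin -lv2:`, introducing a space inside the role id, which looks accidental rather than part of the backends_groups simplification this commit makes. The same rename appears in tests/cfg/roles_key_dup.yml, where both duplicated keys become `admin -lv3`; that still exercises the duplicate-key path, but the role ids no longer match the other fixtures and conf/roles.yml, and any test that looks a role up by id would diverge. I would restore `admin-lv3:` and `admin-lv2:` in both files.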
@@ -1,47 +1,39 @@ -admin-lv3: +admin -lv3: display_name: Administrators Level 3 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers -admin-lv3: +admin -lv3: display_name: Administrators Level 2 - backends: + backends_groups: ldap: - groups: - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/tests/cfg/roles_missing_backends.yml b/tests/cfg/roles_missing_backends.yml index f10a1a2..d5d593c 100644 --- a/tests/cfg/roles_missing_backends.yml +++ b/tests/cfg/roles_missing_backends.yml 
@@ -1,39 +1,33 @@ admin-lv3: display_name: Administrators Level 3 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers admin-lv2: display_name: Administrators Level 2 developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/tests/cfg/roles_missing_diplay_name.yml b/tests/cfg/roles_missing_diplay_name.yml index 082000e..27392a1 100644 --- a/tests/cfg/roles_missing_diplay_name.yml +++ b/tests/cfg/roles_missing_diplay_name.yml 
@@ -1,46 +1,38 @@ admin-lv3: display_name: Administrators Level 3 LC_admins: True - backends: + backends_groups: ldap: - groups: - - cn=dns admins,ou=group,dc=example,dc=com - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=puppet admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=dns admins,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=puppet admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users - - Administrators - - Domain Controllers + - Domain Users + - Administrators + - Domain Controllers admin-lv2: - backends: + backends_groups: ldap: - groups: - - cn=nagios admins,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=nagios admins,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users developpers: display_name: Developpers - backends: + backends_groups: ldap: - groups: - - cn=developpers,ou=group,dc=example,dc=com - - cn=users,ou=group,dc=example,dc=com + - cn=developpers,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users users: display_name: Simple Users - backends: + backends_groups: ldap: - groups: - - cn=users,ou=group,dc=example,dc=com + - cn=users,ou=group,dc=example,dc=com ad: - groups: - - Domain Users + - Domain Users diff --git a/tests/test_Roles.py b/tests/test_Roles.py index e59f385..6d4b53c 100644 --- a/tests/test_Roles.py +++ b/tests/test_Roles.py @@ -62,8 +62,8 @@ class TestError(object): inv = Roles('./tests/cfg/roles.yml') res = inv.get_groups('users') expected = { - 'ad': {'groups': ['Domain Users']}, - 'ldap': {'groups': ['cn=users,ou=group,dc=example,dc=com']} + 'ad': ['Domain Users'], + 'ldap': ['cn=users,ou=group,dc=example,dc=com'] } assert res == expected