
simplify roles configuration (backend groups)

This commit is contained in:
kakwa 2015-06-04 23:34:31 +02:00
parent 2b52e121d1
commit 1735f5da20
9 changed files with 171 additions and 194 deletions


@ -1,47 +1,39 @@
admin-lv3: admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv2: admin-lv2:
display_name: Administrators Level 2 display_name: Administrators Level 2
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users


@ -34,10 +34,35 @@ class Roles:
except DumplicatedKey as e: except DumplicatedKey as e:
raise DumplicateRoleKey(e.key) raise DumplicateRoleKey(e.key)
stream.close() stream.close()
self.graph = {}
self.roles = {} self.roles = {}
self.flatten = {}
self.admin_roles = [] self.admin_roles = []
self._nest() self._nest()
def _merge_groups(self, backends_list):
ret = {}
for backends in backends_list:
for b in backends:
if not b in ret:
ret[b] = Set([])
for group in backends[b]:
ret[b].add(group)
return ret
def _flatten(self, roles=None, groups=[]):
if roles is None:
roles = copy(self.roles_raw)
for roleid in role:
role = self.roles_raw[roleid]
if 'subroles' in role:
self._flatten(role['subroles'], role)
del role['subroles']
self.flatten[roleid] = role
pass
def _set_admin(self, role): def _set_admin(self, role):
for r in role['subroles']: for r in role['subroles']:
self.admin_roles.append(r) self.admin_roles.append(r)
@ -54,19 +79,19 @@ class Roles:
return False return False
# Check if role1 is contained by role2 # Check if role1 is contained by role2
for b1 in role1['backends']: for b1 in role1['backends_groups']:
if not b1 in role2['backends']: if not b1 in role2['backends_groups']:
return False return False
for group in role1['backends'][b1]['groups']: for group in role1['backends_groups'][b1]:
if not group in role2['backends'][b1]['groups']: if not group in role2['backends_groups'][b1]:
return False return False
# If role2 is inside role1, roles are equal, throw exception # If role2 is inside role1, roles are equal, throw exception
for b2 in role2['backends']: for b2 in role2['backends_groups']:
if not b2 in role1['backends']: if not b2 in role1['backends_groups']:
return True return True
for group in role2['backends'][b2]['groups']: for group in role2['backends_groups'][b2]:
if not group in role1['backends'][b2]['groups']: if not group in role1['backends_groups'][b2]:
return True return True
raise DumplicateRoleContent(roleid1, roleid2) raise DumplicateRoleContent(roleid1, roleid2)
@ -81,11 +106,11 @@ class Roles:
raise MissingKey('display_name', role, self.role_file) raise MissingKey('display_name', role, self.role_file)
# Backend is mandatory # Backend is mandatory
if not 'backends' in role: if not 'backends_groups' in role:
raise MissingKey('backends', role, self.role_file) raise MissingKey('backends_groups', role, self.role_file)
# Create the list of backends # Create the list of backends
for backend in role['backends']: for backend in role['backends_groups']:
self.backends.add(backend) self.backends.add(backend)
# Create the nested groups # Create the nested groups
@ -145,8 +170,8 @@ class Roles:
# (parentroles is a list of roles that the user is member of by # (parentroles is a list of roles that the user is member of by
# being member of one of their subroles) # being member of one of their subroles)
if not (role in parentroles or role in roles): if not (role in parentroles or role in roles):
for b in self.roles[role]['backends']: for b in self.roles[role]['backends_groups']:
for g in self.roles[role]['backends'][b]['groups']: for g in self.roles[role]['backends_groups'][b]:
if b not in groups: if b not in groups:
notroles.add(role) notroles.add(role)
return False return False
@ -155,10 +180,10 @@ class Roles:
return False return False
# add groups of the role to usedgroups # add groups of the role to usedgroups
for b in self.roles[role]['backends']: for b in self.roles[role]['backends_groups']:
if not b in usedgroups: if not b in usedgroups:
usedgroups[b] = Set([]) usedgroups[b] = Set([])
for g in self.roles[role]['backends'][b]['groups']: for g in self.roles[role]['backends_groups'][b]:
usedgroups[b].add(g) usedgroups[b].add(g)
flag = True flag = True
@ -212,7 +237,7 @@ class Roles:
"""get the list of groups from role""" """get the list of groups from role"""
if not role in self.roles_raw: if not role in self.roles_raw:
raise MissingRole(role) raise MissingRole(role)
return self.roles_raw[role]['backends'] return self.roles_raw[role]['backends_groups']
def is_admin(self, roles): def is_admin(self, roles):
"""determine from a list of roles if is ldapcherry administrator""" """determine from a list of roles if is ldapcherry administrator"""


@ -7,21 +7,21 @@ cn:
args: args:
- $first-name - $first-name
- $name - $name
bakends: backends:
ldap: cn ldap: cn
ad: CN ad: CN
first-name: first-name:
description: "First name of the user" description: "First name of the user"
display_name: "First Name" display_name: "First Name"
type: string type: string
bakends: backends:
ldap: givenName ldap: givenName
ad: givenName ad: givenName
name: name:
description: "Family name of the user" description: "Family name of the user"
display_name: "Name" display_name: "Name"
type: string type: string
bakends: backends:
ldap: sn ldap: sn
ad: sn ad: sn
email: email:
@ -34,7 +34,7 @@ email:
- $first-name - $first-name
- $last-name - $last-name
- '@example.com' - '@example.com'
bakends: backends:
ldap: email ldap: email
ad: EMAIL ad: EMAIL
uid: uid:
@ -46,7 +46,7 @@ uid:
args: args:
- $first-name - $first-name
- $last-name - $last-name
bakends: backends:
ldap: uid ldap: uid
ad: UID ad: UID
uidNumber: uidNumber:
@ -58,7 +58,7 @@ uidNumber:
args: args:
- $first-name - $first-name
- $last-name - $last-name
bakends: backends:
ldap: uidNumber ldap: uidNumber
ad: UIDNumber ad: UIDNumber
gidNumber: gidNumber:
@ -66,7 +66,7 @@ gidNumber:
display_name: "GID Number" display_name: "GID Number"
type: int type: int
default: 10000 default: 10000
bakends: backends:
ldap: gidNumber ldap: gidNumber
ad: GIDNumber ad: GIDNumber
shell: shell:
@ -78,7 +78,7 @@ shell:
- /bin/bash - /bin/bash
- /bin/zsh - /bin/zsh
- /bin/sh - /bin/sh
bakends: backends:
ldap: shell ldap: shell
ad: SHELL ad: SHELL
home: home:
@ -91,7 +91,7 @@ home:
- $first-name - $first-name
- $last-name - $last-name
- /home/ - /home/
bakends: backends:
ldap: home ldap: home
ad: Home ad: Home
@ -100,7 +100,7 @@ password:
display_name: "Password" display_name: "Password"
self: True self: True
type: password type: password
bakends: backends:
ldap: userPassword ldap: userPassword
ad: userPassword ad: userPassword
logscript: logscript:
@ -108,5 +108,5 @@ logscript:
display_name: "Login script" display_name: "Login script"
type: fix type: fix
value: login1.bat value: login1.bat
bakends: backends:
ad: logonScript ad: logonScript


@ -1,47 +1,39 @@
admin-lv3: admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv2: admin-lv2:
display_name: Administrators Level 2 display_name: Administrators Level 2
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users


@ -1,57 +1,47 @@
admin-lv3: admin -lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv2: admin -lv2:
display_name: Administrators Level 2 display_name: Administrators Level 2
backends: backends_groups:
ldap: ldap:
groups: - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users2: users2:
display_name: Simple Users 2 display_name: Simple Users 2
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
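Review bot: The new-side keys `admin -lv3:` and `admin -lv2:` in this fixture contain a space where the old side and every other role file on this page use `admin-lv3` / `admin-lv2`; if that space is in the file rather than a rendering artifact, the role ids in this fixture silently diverge from the others. The same applies to both `admin -lv3:` keys in the following fixture section, where the duplicate-key check would still fire but under a misspelled id. Restoring `admin-lv3:` and `admin-lv2:` keeps the fixtures consistent with the other role files and with the test file's expectations.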


@ -1,47 +1,39 @@
admin-lv3: admin -lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv3: admin -lv3:
display_name: Administrators Level 2 display_name: Administrators Level 2
backends: backends_groups:
ldap: ldap:
groups: - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users


@ -1,39 +1,33 @@
admin-lv3: admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv2: admin-lv2:
display_name: Administrators Level 2 display_name: Administrators Level 2
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users


@ -1,46 +1,38 @@
admin-lv3: admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends_groups:
ldap: ldap:
groups: - cn=dns admins,ou=group,dc=example,dc=com
- cn=dns admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users - Administrators
- Administrators - Domain Controllers
- Domain Controllers
admin-lv2: admin-lv2:
backends: backends_groups:
ldap: ldap:
groups: - cn=nagios admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
developpers: developpers:
display_name: Developpers display_name: Developpers
backends: backends_groups:
ldap: ldap:
groups: - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users
users: users:
display_name: Simple Users display_name: Simple Users
backends: backends_groups:
ldap: ldap:
groups: - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad: ad:
groups: - Domain Users
- Domain Users


@ -62,8 +62,8 @@ class TestError(object):
inv = Roles('./tests/cfg/roles.yml') inv = Roles('./tests/cfg/roles.yml')
res = inv.get_groups('users') res = inv.get_groups('users')
expected = { expected = {
'ad': {'groups': ['Domain Users']}, 'ad': ['Domain Users'],
'ldap': {'groups': ['cn=users,ou=group,dc=example,dc=com']} 'ldap': ['cn=users,ou=group,dc=example,dc=com']
} }
assert res == expected assert res == expected