security-and-privacy/ldapcherry
security-and-privacy
/
ldapcherry
mirror of https://github.com/kakwa/ldapcherry
1
0
Fork 0
Code Releases Activity

implementing nesting roles

This commit is contained in:
kakwa 2015-05-15 01:03:31 +02:00
parent d74893d104
commit 7524a189fe
11 changed files with 295 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
conf/roles.yml
View File

@ -2,47 +2,46 @@ admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
- backend_name: ldap
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
- Administrators
- Domain Controllers
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
- backend_name: ldap
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
developpers:
diplay_name: Developpers
display_name: Developpers
backends:
- backend_name: ldap
groups:
- cn=nagios user,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
diplay_name: Simple Users
display_name: Simple Users
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users

2
ldapcherry/exceptions.py
View File

@ -33,5 +33,3 @@ class MissingRolesFile(Exception):
def __init__(self, rolefile):
self.rolefile = rolefile
self.log = "fail to open role file <%(rolefile)s>" % { 'rolefile' : rolefile}

63
ldapcherry/roles.py
View File

@ -12,7 +12,13 @@ from sets import Set
from ldapcherry.pyyamlwrapper import loadNoDump
from ldapcherry.pyyamlwrapper import DumplicatedKey
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
import yaml
class CustomDumper(yaml.SafeDumper):
"A custom YAML dumper that never emits aliases"
def ignore_aliases(self, _data):
return True
class Roles:
@ -28,10 +34,33 @@ class Roles:
except DumplicatedKey as e:
raise DumplicateRoleKey(e.key)
stream.close()
self.roles = {}
self._nest()
def _is_parent(self, roleid1, roleid2):
role2 = self.roles_raw[roleid2]
role1 = self.roles_raw[roleid1]
if role1 == role2:
return False
# Check if role1 is contained by role2
for b1 in role1['backends']:
if not b1 in role2['backends']:
return False
for group in role1['backends'][b1]['groups']:
if not group in role2['backends'][b1]['groups']:
return False
for b2 in role2['backends']:
if not b2 in role1['backends']:
return True
for group in role2['backends'][b2]['groups']:
if not group in role1['backends'][b2]['groups']:
return True
raise DumplicateRoleContent(roleid1, roleid2)
def _nest(self):
"""nests the roles (creates roles hierarchy)"""
parents = {}
for roleid in self.roles_raw:
role = self.roles_raw[roleid]
@ -45,16 +74,42 @@ class Roles:
# Create the list of backends
for backend in role['backends']:
self.backends.add(backend['name'])
self.backends.add(backend)
# Create the nested groups
for roleid in self.roles_raw:
role = self.roles_raw[roleid]
parents[roleid]=[]
for roleid2 in self.roles_raw:
role2 = self.roles_raw[roleid2]
self.roles = self.roles_raw
if self._is_parent(roleid, roleid2):
parents[roleid].append(roleid2)
def write(self, out_file):
for r in parents:
for p in parents[r]:
for p2 in parents[r]:
if p != p2 and p in parents[p2]:
parents[r].remove(p)
def nest(p):
ret = self.roles_raw[p]
ret['subroles'] = {}
if len(parents[p]) == 0:
return ret
else:
for i in parents[p]:
sub = nest(i)
ret['subroles'][i] = sub
return ret
for p in parents.keys():
if p in parents:
self.roles[p] = nest(p)
def dump_nest(self):
"""write the nested role hierarchy to a file"""
pass
return yaml.dump(self.roles, Dumper=CustomDumper)
def get_roles(self, groups):
"""get list of roles and list of standalone groups"""

20
misc/debug_roles.py Normal file
View File

@ -0,0 +1,20 @@
from ldapcherry.roles import Roles
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
from ldapcherry.pyyamlwrapper import DumplicatedKey, RelationError
from yaml import load, dump
import yaml
try:
from yaml import CLoader as Loader, CDumper as Dumper
except ImportError:
from yaml import Loader, Dumper
class CustomDumper(yaml.SafeDumper):
"A custom YAML dumper that never emits aliases"
def ignore_aliases(self, _data):
return True
inv = Roles('./conf/roles.yml')
print
print inv.dump_nest()

48
tests/cfg/roles.yml
View File

@ -1,48 +0,0 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
- name: ldap
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
- name: ldap
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
- name: ldap
groups:
- cn=nagios user,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
users:
display_name: Simple Users
backends:
- name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users

1
tests/cfg/roles.yml Symbolic link
View File

@ -0,0 +1 @@
../../conf/roles.yml

19
tests/cfg/roles_content_dump.yml
View File

@ -1,19 +0,0 @@
users2:
diplay_name: Simple Users2
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
users:
diplay_name: Simple Users
LC_admins: True
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users

57
tests/cfg/roles_content_dup.yml Normal file
View File

@ -0,0 +1,57 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
ldap:
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users2:
display_name: Simple Users 2
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users

61
tests/cfg/roles_key_dup.yml
View File

@ -1,26 +1,47 @@
admin-lv2:
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
- backend_name: ldap
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
- Administrators
- Domain Controllers
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
admin-lv3:
display_name: Administrators Level 2
backends:
- backend_name: ldap
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users

39
tests/cfg/roles_missing_backends.yml Normal file
View File

@ -0,0 +1,39 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users

70
tests/cfg/roles_missing_diplay_name.yml
View File

@ -2,43 +2,45 @@ admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
- backend_name: ldap
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
- Administrators
- Domain Controllers
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
- backend_name: ldap
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
- backend_name: ldap
groups:
- cn=nagios user,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
diplay_name: Simple Users
display_name: Simple Users
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users

11
tests/test_Roles.py
View File

@ -10,7 +10,6 @@ from ldapcherry.roles import Roles
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
from ldapcherry.pyyamlwrapper import DumplicatedKey, RelationError
class TestError(object):
def testNominal(self):
@ -26,6 +25,14 @@ class TestError(object):
else:
raise AssertionError("expected an exception")
def testMissingBackends(self):
try:
inv = Roles('./tests/cfg/roles_missing_backends.yml')
except MissingKey:
return
else:
raise AssertionError("expected an exception")
def testRoleKeyDuplication(self):
try:
inv = Roles('./tests/cfg/roles_key_dup.yml')
@ -45,7 +52,7 @@ class TestError(object):
def testRoleContentDuplication(self):
try:
inv = Roles('./tests/cfg/roles_content_dump.yml')
inv = Roles('./tests/cfg/roles_content_dup.yml')
except DumplicateRoleContent:
return
else: