
implementing nesting roles

This commit is contained in:
kakwa 2015-05-15 01:03:31 +02:00
parent d74893d104
commit 7524a189fe
11 changed files with 295 additions and 163 deletions


@ -2,47 +2,46 @@ admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=dns admins,ou=group,dc=example,dc=com - cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
- Administrators - Administrators
- Domain Controllers - Domain Controllers
admin-lv2: admin-lv2:
display_name: Administrators Level 2 display_name: Administrators Level 2
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
developpers: developpers:
diplay_name: Developpers display_name: Developpers
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=nagios user,ou=group,dc=example,dc=com - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com ad:
- backend_name: ad groups:
groups: - Domain Users
- Domain Users
users: users:
diplay_name: Simple Users display_name: Simple Users
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users


@ -33,5 +33,3 @@ class MissingRolesFile(Exception):
def __init__(self, rolefile): def __init__(self, rolefile):
self.rolefile = rolefile self.rolefile = rolefile
self.log = "fail to open role file <%(rolefile)s>" % { 'rolefile' : rolefile} self.log = "fail to open role file <%(rolefile)s>" % { 'rolefile' : rolefile}


@ -12,7 +12,13 @@ from sets import Set
from ldapcherry.pyyamlwrapper import loadNoDump from ldapcherry.pyyamlwrapper import loadNoDump
from ldapcherry.pyyamlwrapper import DumplicatedKey from ldapcherry.pyyamlwrapper import DumplicatedKey
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
import yaml
class CustomDumper(yaml.SafeDumper):
"A custom YAML dumper that never emits aliases"
def ignore_aliases(self, _data):
return True
class Roles: class Roles:
@ -28,10 +34,33 @@ class Roles:
except DumplicatedKey as e: except DumplicatedKey as e:
raise DumplicateRoleKey(e.key) raise DumplicateRoleKey(e.key)
stream.close() stream.close()
self.roles = {}
self._nest() self._nest()
def _is_parent(self, roleid1, roleid2):
role2 = self.roles_raw[roleid2]
role1 = self.roles_raw[roleid1]
if role1 == role2:
return False
# Check if role1 is contained by role2
for b1 in role1['backends']:
if not b1 in role2['backends']:
return False
for group in role1['backends'][b1]['groups']:
if not group in role2['backends'][b1]['groups']:
return False
for b2 in role2['backends']:
if not b2 in role1['backends']:
return True
for group in role2['backends'][b2]['groups']:
if not group in role1['backends'][b2]['groups']:
return True
raise DumplicateRoleContent(roleid1, roleid2)
def _nest(self): def _nest(self):
"""nests the roles (creates roles hierarchy)""" """nests the roles (creates roles hierarchy)"""
parents = {}
for roleid in self.roles_raw: for roleid in self.roles_raw:
role = self.roles_raw[roleid] role = self.roles_raw[roleid]
@ -45,16 +74,42 @@ class Roles:
# Create the list of backends # Create the list of backends
for backend in role['backends']: for backend in role['backends']:
self.backends.add(backend['name']) self.backends.add(backend)
# Create the nested groups # Create the nested groups
for roleid in self.roles_raw:
role = self.roles_raw[roleid]
parents[roleid]=[]
for roleid2 in self.roles_raw: for roleid2 in self.roles_raw:
role2 = self.roles_raw[roleid2] role2 = self.roles_raw[roleid2]
self.roles = self.roles_raw if self._is_parent(roleid, roleid2):
parents[roleid].append(roleid2)
def write(self, out_file): for r in parents:
for p in parents[r]:
for p2 in parents[r]:
if p != p2 and p in parents[p2]:
parents[r].remove(p)
def nest(p):
ret = self.roles_raw[p]
ret['subroles'] = {}
if len(parents[p]) == 0:
return ret
else:
for i in parents[p]:
sub = nest(i)
ret['subroles'][i] = sub
return ret
for p in parents.keys():
if p in parents:
self.roles[p] = nest(p)
def dump_nest(self):
"""write the nested role hierarchy to a file""" """write the nested role hierarchy to a file"""
pass return yaml.dump(self.roles, Dumper=CustomDumper)
def get_roles(self, groups): def get_roles(self, groups):
"""get list of roles and list of standalone groups""" """get list of roles and list of standalone groups"""
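Review bot: `_is_parent` guards the self-comparison with `role1 == role2`, which compares the whole role dicts, so two different role ids with identical content (same display_name, backends and groups) return False instead of reaching `raise DumplicateRoleContent(roleid1, roleid2)`, and an exact duplicate is silently accepted as an independent role; the guard should be on the ids, `if roleid1 == roleid2: return False`. In `_nest`, the pruning loop `for p in parents[r]: for p2 in parents[r]: ... parents[r].remove(p)` removes from the list both loops are iterating, which can skip the element after a removal and leave a transitive relation in the resulting tree; iterate a copy instead, `for p in parents[r][:]:`. The `if p in parents:` test inside `for p in parents.keys():` is always true and can be dropped, and `nest()` writes `'subroles'` into the `self.roles_raw` entries themselves, so `roles_raw` no longer holds the plain file content once `_nest` has run — worth a comment if that is intended. The method around the `stream.close()` lines (presumably `__init__`) and `_nest` begin before the hunk, and `get_roles` continues after it.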

misc/debug_roles.py Normal file

@ -0,0 +1,20 @@
from ldapcherry.roles import Roles
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
from ldapcherry.pyyamlwrapper import DumplicatedKey, RelationError
from yaml import load, dump
import yaml
try:
from yaml import CLoader as Loader, CDumper as Dumper
except ImportError:
from yaml import Loader, Dumper
class CustomDumper(yaml.SafeDumper):
"A custom YAML dumper that never emits aliases"
def ignore_aliases(self, _data):
return True
inv = Roles('./conf/roles.yml')
print
print inv.dump_nest()
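Review bot: The `CustomDumper` class defined here duplicates the one this commit adds to `ldapcherry/roles.py` and is never used in this script, since `inv.dump_nest()` already serialises with its own dumper. The `from yaml import load, dump`, `import yaml` and the `Loader`/`Dumper` try/except block are unused as well. Trimming the file to `from ldapcherry.roles import Roles` plus the two `print` lines keeps it an accurate example of how the public API is meant to be called.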


@ -1,48 +0,0 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
- name: ldap
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
- name: ldap
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
- name: ldap
groups:
- cn=nagios user,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users
users:
display_name: Simple Users
backends:
- name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- name: ad
groups:
- Domain Users

tests/cfg/roles.yml Symbolic link

@ -0,0 +1 @@
../../conf/roles.yml


@ -1,19 +0,0 @@
users2:
diplay_name: Simple Users2
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users
users:
diplay_name: Simple Users
LC_admins: True
backends:
- backend_name: ldap
groups:
- cn=users,ou=group,dc=example,dc=com
- backend_name: ad
groups:
- Domain Users


@ -0,0 +1,57 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
backends:
ldap:
groups:
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users2:
display_name: Simple Users 2
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users


@ -1,26 +1,47 @@
admin-lv2: admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=dns admins,ou=group,dc=example,dc=com - cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
- Administrators - Administrators
- Domain Controllers - Domain Controllers
admin-lv2: admin-lv3:
display_name: Administrators Level 2 display_name: Administrators Level 2
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users


@ -0,0 +1,39 @@
admin-lv3:
display_name: Administrators Level 3
LC_admins: True
backends:
ldap:
groups:
- cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
- Administrators
- Domain Controllers
admin-lv2:
display_name: Administrators Level 2
developpers:
display_name: Developpers
backends:
ldap:
groups:
- cn=developpers,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users
users:
display_name: Simple Users
backends:
ldap:
groups:
- cn=users,ou=group,dc=example,dc=com
ad:
groups:
- Domain Users


@ -2,43 +2,45 @@ admin-lv3:
display_name: Administrators Level 3 display_name: Administrators Level 3
LC_admins: True LC_admins: True
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=dns admins,ou=group,dc=example,dc=com - cn=dns admins,ou=group,dc=example,dc=com
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=puppet admins,ou=group,dc=example,dc=com - cn=puppet admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
- Administrators - Administrators
- Domain Controllers - Domain Controllers
admin-lv2: admin-lv2:
display_name: Administrators Level 2
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=nagios admins,ou=group,dc=example,dc=com - cn=nagios admins,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users
developpers: developpers:
display_name: Developpers
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=nagios user,ou=group,dc=example,dc=com - cn=developpers,ou=group,dc=example,dc=com
- cn=developpers,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- cn=users,ou=group,dc=example,dc=com ad:
- backend_name: ad groups:
groups: - Domain Users
- Domain Users
users: users:
diplay_name: Simple Users display_name: Simple Users
backends: backends:
- backend_name: ldap ldap:
groups: groups:
- cn=users,ou=group,dc=example,dc=com - cn=users,ou=group,dc=example,dc=com
- backend_name: ad ad:
groups: groups:
- Domain Users - Domain Users


@ -10,7 +10,6 @@ from ldapcherry.roles import Roles
from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile from ldapcherry.exceptions import DumplicateRoleKey, MissingKey, DumplicateRoleContent, MissingRolesFile
from ldapcherry.pyyamlwrapper import DumplicatedKey, RelationError from ldapcherry.pyyamlwrapper import DumplicatedKey, RelationError
class TestError(object): class TestError(object):
def testNominal(self): def testNominal(self):
@ -26,6 +25,14 @@ class TestError(object):
else: else:
raise AssertionError("expected an exception") raise AssertionError("expected an exception")
def testMissingBackends(self):
try:
inv = Roles('./tests/cfg/roles_missing_backends.yml')
except MissingKey:
return
else:
raise AssertionError("expected an exception")
def testRoleKeyDuplication(self): def testRoleKeyDuplication(self):
try: try:
inv = Roles('./tests/cfg/roles_key_dup.yml') inv = Roles('./tests/cfg/roles_key_dup.yml')
@ -45,7 +52,7 @@ class TestError(object):
def testRoleContentDuplication(self): def testRoleContentDuplication(self):
try: try:
inv = Roles('./tests/cfg/roles_content_dump.yml') inv = Roles('./tests/cfg/roles_content_dup.yml')
except DumplicateRoleContent: except DumplicateRoleContent:
return return
else: else: