
Merge branch 'master' into production
Johaney-s committed Dec 6, 2021
2 parents bc0e774 + 997b63f commit ed84513
Showing 30 changed files with 891 additions and 1,459 deletions.
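--- a/gen/ad_admin_group_mu_ucn
+++ b/gen/ad_admin_group_mu_ucn
@@ -0,0 +1,143 @@
+#!/usr/bin/perl
+use feature "switch";
+use Switch;
+use strict;
+use warnings;
+use perunServicesInit;
+use perunServicesUtils;
+no if $] >= 5.017011, warnings => 'experimental::smartmatch';
+
+local $::SERVICE_NAME = "ad_admin_group_mu_ucn";
+local $::PROTOCOL_VERSION = "3.0.0";
+my $SCRIPT_VERSION = "3.0.0";
+
+sub addMemberToGroup;
+sub processWorkplaces;
+sub processGroup;
+sub createGroup;
+sub processTree;
+sub writeDebug;
+
+perunServicesInit::init;
+my $DIRECTORY = perunServicesInit::getDirectory;
+my $fileName = "$DIRECTORY/$::SERVICE_NAME".".ldif";
+
+#Get hierarchical data without expired members
+my $data = perunServicesInit::getHashedDataWithGroups(1);
+my $DEBUG = 0;
+
+#Constants
+our $A_LOGIN; *A_LOGIN = \'urn:perun:user:attribute-def:def:login-namespace:mu-adm';
+our $A_R_GROUP_NAME; *A_R_GROUP_NAME = \'urn:perun:resource:attribute-def:def:adGroupName';
+our $A_MR_V_IS_BANNED; *A_MR_V_IS_BANNED = \'urn:perun:member_resource:attribute-def:virt:isBanned';
+our $A_R_DESCRIPTION; *A_R_DESCRIPTION = \'urn:perun:resource:attribute-def:core:description';
+
+# Default description of group in Active Directory
+my $defaultDescription = "no-desc in Perun";
+# OUs for groups and users
+my $adOuNameGroups = "OU=PrivilegedGroups,OU=MU,DC=ucn,DC=muni,DC=cz";
+my $adOuNameUsers = "OU=PrivilegedUsers,OU=MU,DC=ucn,DC=muni,DC=cz";
+
+our $groups = {};
+our $usersByGroups = {};
+
+# FOR EACH RESOURCE
+foreach my $resourceId ($data->getResourceIds()) {
+processGroup($resourceId);
+}
+
+#
+# Print group data LDIF
+#
+open FILE,">:encoding(UTF-8)","$fileName" or die "Cannot open $fileName: $! \n";
+
+for my $group (sort keys %$groups) {
+
+print FILE "dn: CN=" . $group . "," . $adOuNameGroups . "\n";
+print FILE "cn: " . $group . "\n";
+print FILE "samAccountName: " . $group . "\n";
+print FILE "description: " . $groups->{$group}->{"description"} . "\n";
+print FILE "objectClass: group\n";
+print FILE "objectClass: top\n";
+
+my @groupMembers = sort keys %{$usersByGroups->{$group}};
+for my $member (@groupMembers) {
+print FILE "member: " . $member . "\n";
+}
+
+# there must be empty line after each entry
+print FILE "\n";
+
+}
+
+close FILE;
+
+perunServicesInit::finalize;
+
+####################
+# Helper functions #
+####################
+
+sub addMemberToGroup {
+my $memberId = shift;
+my $group = shift;
+my $resourceId = shift;
+
+my $login = $data->getUserAttributeValue( member => $memberId, attrName => $A_LOGIN );
+my $isBanned = $data->getMemberResourceAttributeValue( member => $memberId, resource => $resourceId, attrName => $A_MR_V_IS_BANNED );
+
+addMember($login, $group, $isBanned)
+}
+
+sub processGroup {
+my $resourceId = shift;
+
+my $group = $data->getResourceAttributeValue( resource => $resourceId, attrName => $A_R_GROUP_NAME );
+my $description = $data->getResourceAttributeValue( resource => $resourceId, attrName => $A_R_DESCRIPTION );
+
+writeDebug("Process Standard Group: '$group'", 1);
+createGroup($group, $description);
+
+writeDebug("Continue to add members", 3);
+foreach my $memberId ($data->getMemberIdsForResource( resource => $resourceId )) {
+addMemberToGroup($memberId, $group, $resourceId);
+}
+}
+
+sub createGroup {
+my $name = shift;
+my $description = shift;
+
+# Ensure that there is one group with specific name
+$groups->{$name}->{"description"} = $description || $defaultDescription;
+writeDebug("Group created", 3);
+}
+
+sub addMember {
+my $login = shift;
+my $group = shift;
+my $isBanned = shift;
+
+#skip banned members
+return if $isBanned;
+
+# allow only UČOadm, 9UČOadm logins
+
+return unless $login;
+if ($login =~ /^9[0-9]{6}adm$/ or $login =~ /^[0-9]{1,6}adm$/) {
+
+# store UČO and 9UČO users
+$usersByGroups->{$group}->{"CN=" . $login . "," . $adOuNameUsers} = 1
+
+}
+}
+
+sub writeDebug {
+my $message = shift;
+my $indentation = shift;
+
+return unless $DEBUG;
+
+print "\t" x $indentation;
+print $message . "\n";
+}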
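--- a/gen/ad_admin_user_mu_ucn
+++ b/gen/ad_admin_user_mu_ucn
@@ -0,0 +1,118 @@
+#!/usr/bin/perl
+use feature "switch";
+use strict;
+use warnings;
+use perunServicesInit;
+use perunServicesUtils;
+use MIME::Base64;
+use utf8;
+use Encode;
+
+local $::SERVICE_NAME = "ad_admin_user_mu_ucn";
+local $::PROTOCOL_VERSION = "3.0.0";
+my $SCRIPT_VERSION = "3.0.0";
+
+perunServicesInit::init;
+my $DIRECTORY = perunServicesInit::getDirectory;
+my $fileName = "$DIRECTORY/$::SERVICE_NAME".".ldif";
+
+my $data = perunServicesInit::getHashedHierarchicalData(1);
+
+#Constants
+our $A_F_DOMAIN; *A_F_DOMAIN = \'urn:perun:facility:attribute-def:def:adDomain';
+
+our $A_LOGIN; *A_LOGIN = \'urn:perun:user:attribute-def:def:login-namespace:mu-adm';
+our $A_FIRST_NAME; *A_FIRST_NAME = \'urn:perun:user:attribute-def:core:firstName';
+our $A_LAST_NAME; *A_LAST_NAME = \'urn:perun:user:attribute-def:core:lastName';
+our $A_DISPLAY_NAME; *A_DISPLAY_NAME = \'urn:perun:user:attribute-def:core:displayName';
+our $A_MAIL; *A_MAIL = \'urn:perun:user:attribute-def:def:preferredMail';
+
+our $A_MEMBER_STATUS; *A_MEMBER_STATUS = \'urn:perun:member:attribute-def:core:status';
+
+our $STATUS_VALID; *STATUS_VALID = \'VALID';
+our $STATUS_EXPIRED; *STATUS_EXPIRED = \'EXPIRED';
+
+# Get the facility ID
+my $facilityId = $data->getFacilityId();
+
+# CHECK ON FACILITY ATTRIBUTES
+if (!defined($data->getFacilityAttributeValue( attrName => $A_F_DOMAIN ))) {
+exit 1;
+}
+
+my $baseDN = "OU=PrivilegedUsers,OU=MU,DC=ucn,DC=muni,DC=cz";
+my $domain = $data->getFacilityAttributeValue( attrName => $A_F_DOMAIN );
+my $uac = "66048";
+
+# GATHER USERS
+my $users; # $users->{$login}->{ATTR} = $attrValue;
+
+#
+# AGGREGATE DATA
+#
+# FOR EACH RESOURCE
+foreach my $resourceId ( $data->getResourceIds() ){
+
+# EACH USER ON RESOURCE
+foreach my $memberId ($data->getMemberIdsForResource( resource => $resourceId )) {
+
+my $login = $data->getUserAttributeValue( member => $memberId, attrName => $A_LOGIN );
+next unless $login;
+my $memberStatus = $data->getMemberAttributeValue( member => $memberId, attrName => $A_MEMBER_STATUS );
+next unless ($memberStatus eq $STATUS_VALID);
+
+# store standard attrs
+$users->{$login}->{"DN"} = "CN=" . $login . "," . $baseDN;
+$users->{$login}->{$A_FIRST_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_FIRST_NAME);
+$users->{$login}->{$A_LAST_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_LAST_NAME);
+$users->{$login}->{$A_DISPLAY_NAME} = $data->getUserAttributeValue(member => $memberId, attrName => $A_DISPLAY_NAME);
+$users->{$login}->{$A_MAIL} = $data->getUserAttributeValue(member => $memberId, attrName => $A_MAIL);
+}
+}
+
+#
+# PRINT user data LDIF
+#
+open FILE,">$fileName" or die "Cannot open $fileName: $! \n";
+binmode FILE, ":utf8";
+
+# FOR EACH USER ON FACILITY
+my @logins = sort keys %{$users};
+for my $login (@logins) {
+
+# print attributes, which are never empty
+print FILE "dn: " . $users->{$login}->{"DN"} . "\n";
+
+print FILE "cn: " . $login . "\n";
+print FILE "samAccountName: " . $login . "\n";
+print FILE "userPrincipalName: " . $login . "\@" . $domain . "\n";
+# enable accounts (if not) using service propagation
+print FILE "userAccountControl: " . $uac . "\n";
+
+# skip attributes which are empty and LDAP can't handle it (FIRST_NAME, EMAIL)
+my $sn = $users->{$login}->{$A_LAST_NAME};
+my $givenName = $users->{$login}->{$A_FIRST_NAME};
+my $displayName = ($users->{$login}->{$A_FIRST_NAME} || "") . " " . ($users->{$login}->{$A_LAST_NAME} || "") . " (adm)";
+my $mail = $users->{$login}->{$A_MAIL};
+
+if (defined $displayName and length $displayName) {
+print FILE "displayName: " . $displayName . "\n";
+}
+if (defined $sn and length $sn) {
+print FILE "sn: " . $sn . "\n";
+}
+if (defined $givenName and length $givenName) {
+print FILE "givenName: " . $givenName . "\n";
+}
+if (defined $mail and length $mail) {
+print FILE "mail: " . $mail . "\n";
+}
+
+# There MUST be an empty line after each entry, so entry sorting and diff works on slave part
+print FILE "\n";
+
+}
+
+close(FILE);
+
+perunServicesInit::finalize;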
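Review bot: The user attributes printed at `sn:`, `givenName:`, `displayName:` and `mail:` go into the LDIF verbatim, but RFC 2849 requires any value that is not a SAFE-STRING — non-ASCII (which `use utf8` and `binmode FILE, ":utf8"` suggest is expected here), a leading space, `:` or `<`, or an embedded CR/LF — to be written base64 as `attr:: ...`; an embedded line break would even inject an extra attribute line into a privileged-user entry, and `MIME::Base64` is imported but never used. I would route the four optional attributes through a small encoder (below); the `$login`-derived `dn`, `cn`, `samAccountName` and `userPrincipalName` lines also get no validation in this script, unlike the `^9[0-9]{6}adm$` / `^[0-9]{1,6}adm$` filter the sibling group script applies, so consider the same check before `$users->{$login}` is populated. While here, `open FILE,">$fileName"` is the 2-arg bareword form and `close(FILE)` is unchecked; the sibling's `open FILE, ">:encoding(UTF-8)", $fileName or die ...` plus `close FILE or die ...` is the form to use. Separately, `$uac = "66048"` is 0x0200|0x10000, i.e. NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, which the comment should state since non-expiring passwords on admin accounts is a policy decision: `# 66048 = NORMAL_ACCOUNT (0x0200) | DONT_EXPIRE_PASSWORD (0x10000); password-never-expires on admin accounts is deliberate -- confirm against AD policy`.
```perl
# Write one LDIF attribute line. Values that are not an RFC 2849 SAFE-STRING
# (non-ASCII, leading ' ', ':' or '<', embedded CR/LF) are base64-encoded as
# "attr:: ..." so they can neither break the entry nor inject extra attributes.
sub ldifLine {
	my ($attr, $value) = @_;
	if ($value =~ /[^\x20-\x7e]/ or $value =~ /^[ :<]/) {
		return $attr . ":: " . encode_base64(encode("UTF-8", $value), "") . "\n";
	}
	return $attr . ": " . $value . "\n";
}
# … unchanged: user aggregation and the dn/cn/samAccountName/userPrincipalName/userAccountControl lines …
if (defined $displayName and length $displayName) {
	print FILE ldifLine("displayName", $displayName);
}
# … same ldifLine() call for sn, givenName and mail …
```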
72 changes: 0 additions & 72 deletions gen/mailman_vsup

This file was deleted.

