Skip to content

Commit

Permalink
🐛 Fix error handling for policy/role recreation (#65)
Browse files Browse the repository at this point in the history 
* 🐛 error handling for policy/role recreation

* 🎨 formatting
  • Loading branch information
@georgepstaylor
georgepstaylor committed Sep 20, 2024
1 parent 3d76fb3 commit 3ddcd76
Show file tree
Hide file tree
Showing 3 changed files with 91 additions and 44 deletions.
8 changes: 2 additions & 6 deletions cli/ldap_cmds/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,8 @@


# import oracledb
def ldap_connect(
ldap_host,
ldap_user,
ldap_password,
):
server = Server(ldap_host)
def ldap_connect(ldap_host, ldap_port, ldap_user, ldap_password):
server = Server(ldap_host, ldap_port)

return Connection(
server=server,
Expand Down
116 changes: 79 additions & 37 deletions cli/ldap_cmds/rbac.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ def context_ldif(

# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -171,7 +171,7 @@ def group_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -223,37 +223,59 @@ def policy_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e

log.debug("*********************************")
log.debug("STARTING POLICY LDIFS")
log.debug("*********************************")

policy_files = [file for file in rendered_files if "policy" in Path(file).name]

# first, delete the policies
ldap_config_dict = env.vars.get("LDAP_CONFIG") or ldap_config
policy_tree = "ou=Policies," + ldap_config_dict.get("base_root")
policy_tree = f"ou=Policies,{ldap_config_dict.get('base_root')}"

tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
log.debug(f"Policy tree: {policy_tree}")

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)
try:
tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire policy ou does not exist, no need to delete child objects")
tree = None

log.debug("*********************************")
log.debug("DELETING POLICY ENTRIES")
log.debug("*********************************")

if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug(f"this is the entry {entry}")
log.debug("error deleting entry")
log.info("No such object found, 32")
log.debug(no_such_object_e)

log.debug("*********************************")
log.debug("RECREATING POLICY ENTRIES")
log.debug("*********************************")
# loop through the policy files
for file in policy_files:
# parse the ldif into dn and record
#
log.debug(f"Reading file {file}")

records = ldif.LDIFRecordList(open(file, "rb"))
records.parse()
Expand All @@ -277,19 +299,26 @@ def policy_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e
log.debug("*********************************")
log.debug("FINISHED POLICY LDIFS")
log.debug("*********************************")


def role_ldifs(
rendered_files,
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e

log.debug("*********************************")
log.debug("STARTING ROLES")
log.debug("*********************************")

role_files = [file for file in rendered_files if "nd_role" in Path(file).name]

# first, delete the roles
Expand All @@ -299,26 +328,36 @@ def role_ldifs(
"cn=ndRoleCatalogue," + ldap_config_dict.get("base_users"),
"cn=ndRoleGroups," + ldap_config_dict.get("base_users"),
]
for role_tree in role_trees:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)
for role_tree in role_trees:
try:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire role ou does not exist, no need to delete child objects")
tree = None
log.debug("*********************************")
log.debug("DELETING ROLES")
log.debug("*********************************")
if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)

# ensure boolean values are Uppercase.. this comes from the ansible yml
# (not yet implemented, probably not needed)

log.debug("*********************************")
log.debug("RECREATING ROLES")
log.debug("*********************************")
# loop through the role files
for file in role_files:
# parse the ldif into dn and record
Expand All @@ -345,6 +384,9 @@ def role_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e
log.debug("*********************************")
log.debug("FINISHED ROLES")
log.debug("*********************************")


# not complete!!
Expand All @@ -354,7 +396,7 @@ def schema_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -390,7 +432,7 @@ def user_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get('LDAP_HOST')}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down
11 changes: 10 additions & 1 deletion cli/ldap_cmds/user.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ def change_home_areas(
log.info(f"Updating user home areas from {old_home_area} to {new_home_area}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -106,7 +107,10 @@ def parse_user_role_list(
def add_roles_to_user(username, roles, user_ou="ou=Users", root_dn="dc=moj,dc=com"):
log.info(f"Adding roles {roles} to user {username}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
for role in roles:
try:
Expand Down Expand Up @@ -280,6 +284,7 @@ def update_roles(roles, user_ou, root_dn, add, remove, update_notes, user_note,
try:
ldap_connection_action = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -405,6 +410,7 @@ def deactivate_crc_users(user_ou, root_dn):
log.info("Deactivating CRC users")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -502,6 +508,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_lock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -540,6 +547,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_unlock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -578,6 +586,7 @@ def remove_all_user_passwords(user_ou, root_dn):

ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down

0 comments on commit 3ddcd76

Please sign in to comment.