Skip to content

Commit

Permalink
🐛 error handling for policy/role recreation
Browse files Browse the repository at this point in the history
  • Loading branch information
georgepstaylor committed Aug 8, 2024
1 parent 80d767e commit 611ca69
Show file tree
Hide file tree
Showing 3 changed files with 90 additions and 40 deletions.
5 changes: 3 additions & 2 deletions cli/ldap_cmds/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,11 @@
# import oracledb
def ldap_connect(
ldap_host,
ldap_port,
ldap_user,
ldap_password,
ldap_password
):
server = Server(ldap_host)
server = Server(ldap_host, ldap_port)

return Connection(
server=server,
Expand Down
117 changes: 80 additions & 37 deletions cli/ldap_cmds/rbac.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ def context_ldif(

# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -171,7 +171,7 @@ def group_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -223,37 +223,61 @@ def policy_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e


log.debug("*********************************")
log.debug("STARTING POLICY LDIFS")
log.debug("*********************************")

policy_files = [file for file in rendered_files if "policy" in Path(file).name]

# first, delete the policies
ldap_config_dict = env.vars.get("LDAP_CONFIG") or ldap_config
policy_tree = "ou=Policies," + ldap_config_dict.get("base_root")

tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
log.debug(f"Policy tree: {policy_tree}")

try:
tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire policy ou does not exist, no need to delete child objects")
tree = None

log.debug("*********************************")
log.debug("DELETING POLICY ENTRIES")
log.debug("*********************************")

if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug(f"this is the entry {entry}")
log.debug("error deleting entry")
log.info("No such object found, 32")
log.debug(no_such_object_e)

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)

log.debug("*********************************")
log.debug("RECREATING POLICY ENTRIES")
log.debug("*********************************")
# loop through the policy files
for file in policy_files:
# parse the ldif into dn and record
#
log.debug(f"Reading file {file}")

records = ldif.LDIFRecordList(open(file, "rb"))
records.parse()
Expand All @@ -277,19 +301,26 @@ def policy_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e
log.debug("*********************************")
log.debug("FINISHED POLICY LDIFS")
log.debug("*********************************")


def role_ldifs(
rendered_files,
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e

log.debug("*********************************")
log.debug("STARTING ROLES")
log.debug("*********************************")

role_files = [file for file in rendered_files if "nd_role" in Path(file).name]

# first, delete the roles
Expand All @@ -299,26 +330,36 @@ def role_ldifs(
"cn=ndRoleCatalogue," + ldap_config_dict.get("base_users"),
"cn=ndRoleGroups," + ldap_config_dict.get("base_users"),
]
for role_tree in role_trees:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)
for role_tree in role_trees:
try:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire role ou does not exist, no need to delete child objects")
tree = None
log.debug("*********************************")
log.debug("DELETING ROLES")
log.debug("*********************************")
if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)

# ensure boolean values are Uppercase.. this comes from the ansible yml
# (not yet implemented, probably not needed)

log.debug("*********************************")
log.debug("RECREATING ROLES")
log.debug("*********************************")
# loop through the role files
for file in role_files:
# parse the ldif into dn and record
Expand All @@ -345,7 +386,9 @@ def role_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e

log.debug("*********************************")
log.debug("FINISHED ROLES")
log.debug("*********************************")

# not complete!!
# see https://github.com/ministryofjustice/hmpps-delius-pipelines/blob/master/components/delius-core/playbooks/rbac/import_schemas.yml
Expand All @@ -354,7 +397,7 @@ def schema_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -390,7 +433,7 @@ def user_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down
8 changes: 7 additions & 1 deletion cli/ldap_cmds/user.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ def change_home_areas(
log.info(f"Updating user home areas from {old_home_area} to {new_home_area}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -106,7 +107,7 @@ def parse_user_role_list(
def add_roles_to_user(username, roles, user_ou="ou=Users", root_dn="dc=moj,dc=com"):
log.info(f"Adding roles {roles} to user {username}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
env.vars.get("LDAP_HOST"), env.vars.get("LDAP_PORT", 389), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
)
for role in roles:
try:
Expand Down Expand Up @@ -280,6 +281,7 @@ def update_roles(roles, user_ou, root_dn, add, remove, update_notes, user_note,
try:
ldap_connection_action = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -405,6 +407,7 @@ def deactivate_crc_users(user_ou, root_dn):
log.info("Deactivating CRC users")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -502,6 +505,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_lock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -540,6 +544,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_unlock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -578,6 +583,7 @@ def remove_all_user_passwords(user_ou, root_dn):

ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down

0 comments on commit 611ca69

Please sign in to comment.