Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 Fix error handling for policy/role recreation #65

Merged
merged 2 commits into from
Aug 8, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions cli/ldap_cmds/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,10 +7,11 @@
# import oracledb
def ldap_connect(
ldap_host,
ldap_port,
ldap_user,
ldap_password,
ldap_password
):
server = Server(ldap_host)
server = Server(ldap_host, ldap_port)

return Connection(
server=server,
Expand Down
117 changes: 80 additions & 37 deletions cli/ldap_cmds/rbac.py
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ def context_ldif(

# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -171,7 +171,7 @@ def group_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -223,37 +223,61 @@ def policy_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e


log.debug("*********************************")
log.debug("STARTING POLICY LDIFS")
log.debug("*********************************")

policy_files = [file for file in rendered_files if "policy" in Path(file).name]

# first, delete the policies
ldap_config_dict = env.vars.get("LDAP_CONFIG") or ldap_config
policy_tree = "ou=Policies," + ldap_config_dict.get("base_root")

tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
log.debug(f"Policy tree: {policy_tree}")

try:
tree = connection.search_s(
policy_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire policy ou does not exist, no need to delete child objects")
tree = None

log.debug("*********************************")
log.debug("DELETING POLICY ENTRIES")
log.debug("*********************************")

if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug(f"this is the entry {entry}")
log.debug("error deleting entry")
log.info("No such object found, 32")
log.debug(no_such_object_e)

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)

log.debug("*********************************")
log.debug("RECREATING POLICY ENTRIES")
log.debug("*********************************")
# loop through the policy files
for file in policy_files:
# parse the ldif into dn and record
#
log.debug(f"Reading file {file}")

records = ldif.LDIFRecordList(open(file, "rb"))
records.parse()
Expand All @@ -277,19 +301,26 @@ def policy_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e
log.debug("*********************************")
log.debug("FINISHED POLICY LDIFS")
log.debug("*********************************")


def role_ldifs(
rendered_files,
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
raise e

log.debug("*********************************")
log.debug("STARTING ROLES")
log.debug("*********************************")

role_files = [file for file in rendered_files if "nd_role" in Path(file).name]

# first, delete the roles
Expand All @@ -299,26 +330,36 @@ def role_ldifs(
"cn=ndRoleCatalogue," + ldap_config_dict.get("base_users"),
"cn=ndRoleGroups," + ldap_config_dict.get("base_users"),
]
for role_tree in role_trees:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()

for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)
for role_tree in role_trees:
try:
tree = connection.search_s(
role_tree,
ldap.SCOPE_SUBTREE,
"(objectClass=*)",
)
tree.reverse()
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.debug("Entire role ou does not exist, no need to delete child objects")
tree = None
log.debug("*********************************")
log.debug("DELETING ROLES")
log.debug("*********************************")
if tree is not None:
for entry in tree:
try:
log.debug(entry[0])
connection.delete_ext_s(entry[0], serverctrls=[ldap.controls.simple.ManageDSAITControl()])
print(f"Deleted {entry[0]}")
except ldap.NO_SUCH_OBJECT as no_such_object_e:
log.info("No such object found, 32")
log.debug(no_such_object_e)

# ensure boolean values are Uppercase.. this comes from the ansible yml
# (not yet implemented, probably not needed)

log.debug("*********************************")
log.debug("RECREATING ROLES")
log.debug("*********************************")
# loop through the role files
for file in role_files:
# parse the ldif into dn and record
Expand All @@ -345,7 +386,9 @@ def role_ldifs(
except Exception as e:
log.exception(f"Failed to add {dn}... {attributes}")
raise e

log.debug("*********************************")
log.debug("FINISHED ROLES")
log.debug("*********************************")

# not complete!!
# see https://github.com/ministryofjustice/hmpps-delius-pipelines/blob/master/components/delius-core/playbooks/rbac/import_schemas.yml
Expand All @@ -354,7 +397,7 @@ def schema_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down Expand Up @@ -390,7 +433,7 @@ def user_ldifs(
):
# connect to ldap
try:
connection = ldap.initialize("ldap://" + env.vars.get("LDAP_HOST"))
connection = ldap.initialize(f"ldap://{env.vars.get("LDAP_HOST")}:{env.vars.get('LDAP_PORT')}")
connection.simple_bind_s(env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD"))
except Exception as e:
log.exception(f"Failed to connect to ldap")
Expand Down
8 changes: 7 additions & 1 deletion cli/ldap_cmds/user.py
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ def change_home_areas(
log.info(f"Updating user home areas from {old_home_area} to {new_home_area}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -106,7 +107,7 @@ def parse_user_role_list(
def add_roles_to_user(username, roles, user_ou="ou=Users", root_dn="dc=moj,dc=com"):
log.info(f"Adding roles {roles} to user {username}")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
env.vars.get("LDAP_HOST"), env.vars.get("LDAP_PORT", 389), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
)
for role in roles:
try:
Expand Down Expand Up @@ -280,6 +281,7 @@ def update_roles(roles, user_ou, root_dn, add, remove, update_notes, user_note,
try:
ldap_connection_action = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -405,6 +407,7 @@ def deactivate_crc_users(user_ou, root_dn):
log.info("Deactivating CRC users")
ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -502,6 +505,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_lock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -540,6 +544,7 @@ def user_expiry(user_ou, root_dn):

ldap_connection_unlock = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down Expand Up @@ -578,6 +583,7 @@ def remove_all_user_passwords(user_ou, root_dn):

ldap_connection = ldap_connect(
env.vars.get("LDAP_HOST"),
env.vars.get("LDAP_PORT", 389),
env.vars.get("LDAP_USER"),
env.secrets.get("LDAP_BIND_PASSWORD"),
)
Expand Down
Loading