Nit 824 nit 823 - update user roles and user notes (#18)

* new functions and structure * find common entries in both * refactor + python rewrite foruser roles * remove action * remove debugging * start oracle db * add update notes * typo + rm commented code * refactor + comments * Update __init__.py * fix logger duplicates * re format + remove print debugging * log levels + debugging * Update logger.py * fixes requirements * reformat connection for oracle * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * bind by name * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * Update user.py * add handling for user notes
ministryofjustice · Sep 6, 2023 · 5efaeb0 · 5efaeb0
1 parent 84771a2
commit 5efaeb0
Show file tree

Hide file tree

Showing 11 changed files with 405 additions and 142 deletions.
diff --git a/cli/__init__.py b/cli/__init__.py
@@ -1,8 +1,7 @@
 import click
-import cli.ldap.add_roles_to_username, cli.ldap.rbac, cli.ldap.update_user_home_areas
+import cli.ldap.rbac, cli.ldap.user
 
-from cli import git
-import cli.env
+from cli import git, logger
 
 
 @click.group()
@@ -15,16 +14,48 @@ def main_group():
 @click.option("-r", "--root-dn", help="Root DN to add users to", default="dc=moj,dc=com")
 @click.argument("user-role-list", required=True)
 def add_roles_to_users(user_ou, root_dn, user_role_list):
-    cli.ldap.add_roles_to_username.process_user_roles_list(user_role_list, user_ou, root_dn)
+    cli.ldap.user.process_user_roles_list(user_role_list, user_ou, root_dn)
 
 
 # Update user home area
 @click.command()
 @click.option("-o", "--old-home-area", help="name of old home area", required=True)
 @click.option("-n", "--new-home-area", help="name of new home area", required=True)
-def update_user_home_areas(old_home_area, new_home_area):
-    base_dn = env.vars.get("LDAP_CONFIG").get("base_users")
-    cli.ldap.update_user_home_areas.update_user_home_areas(old_home_area, new_home_area, base_dn)
+@click.option("-u", "--user-ou", help="OU to add users to, defaults to ou=Users", default="ou=Users")
+@click.option("-r", "--root-dn", help="Root DN to add users to, defaults to dc=moj,dc=com", default="dc=moj,dc=com")
+def update_user_home_areas(old_home_area, new_home_area, user_ou, root_dn):
+    cli.ldap.user.change_home_areas(old_home_area, new_home_area, user_ou, root_dn)
+
+
+# Update user roles
+@click.command()
+@click.argument("roles", required=True)
+@click.argument("user-note", required=False)
+@click.option("-u", "--user-ou", help="OU to add users to, defaults to ou=Users", default="ou=Users")
+@click.option("-r", "--root-dn", help="Root DN to add users to, defaults to dc=moj,dc=com", default="dc=moj,dc=com")
+@click.option("--add", help="Add role to users", is_flag=True)
+@click.option("--remove", help="Remove role from users", is_flag=True)
+@click.option("--update-notes", help="Remove role from users", is_flag=True)
+@click.option(
+    "-rf",
+    "--role-filter",
+    help='Comma seperated string to generate roles filter from eg "role1,role2,role3"',
+    required=False,
+    default="*",
+)
+@click.option("-uf", "--user-filter", help="Filter to find users", required=False, default="(userSector=*)")
+def update_user_roles(roles, user_ou, root_dn, add, remove, update_notes, user_note, user_filter, role_filter):
+    cli.ldap.user.update_roles(
+        roles,
+        user_ou,
+        root_dn,
+        add,
+        remove,
+        update_notes,
+        user_note=user_note,
+        user_filter=user_filter,
+        role_filter=role_filter,
+    )
 
 
 @click.command()
@@ -38,6 +69,9 @@ def rbac_uplift(rbac_repo_tag):
 main_group.add_command(add_roles_to_users)
 main_group.add_command(rbac_uplift)
 main_group.add_command(update_user_home_areas)
+main_group.add_command(update_user_roles)
+
+logger.configure_logging()
 
 if __name__ == "__main__":
     main_group()
diff --git a/cli/database/__init__.py b/cli/database/__init__.py
@@ -0,0 +1,13 @@
+import oracledb
+from cli import env
+from cli.logger import log
+
+
+def connection():
+    try:
+        conn = oracledb.connect(env.secrets.get("DB_CONNECTION_STRING"))
+        log.debug("Created database connection successfully")
+        return conn
+    except Exception as e:
+        log.exception(e)
+        raise e
diff --git a/cli/git/__init__.py b/cli/git/__init__.py
@@ -1,10 +1,8 @@
-from github import Github, Auth
 from git import Repo
 import jwt
 import time
 import requests
 import logging
-from cli import env
 
 
 def get_access_token(app_id, private_key, installation_id):

diff --git a/cli/ldap/__init__.py b/cli/ldap/__init__.py
@@ -1,10 +1,10 @@
 from ldap3 import Server, Connection, ALL
-from logging import log
 
 
 # import oracledb
 def ldap_connect(ldap_host, ldap_user, ldap_password):
-    server = Server(ldap_host, get_info=ALL)
+    server = Server(ldap_host)
+
     return Connection(
         server=server, user=ldap_user, password=ldap_password, auto_bind="NO_TLS", authentication="SIMPLE"
     )

diff --git a/cli/ldap/add_roles_to_username.py b/cli/ldap/add_roles_to_username.py
diff --git a/cli/ldap/rbac.py b/cli/ldap/rbac.py
@@ -1,11 +1,9 @@
-import re
-
 import ldap3.utils.hashed
 from cli.ldap import ldap_connect
 from cli import env
 import cli.git as git
 import glob
-from cli.logging import log
+from cli.logger import log
 from pathlib import Path
 import cli.template
 from ldif import LDIFParser
@@ -73,10 +71,15 @@ def context_ldif(rendered_files):
                 env.vars.get("LDAP_HOST"), env.vars.get("LDAP_USER"), env.secrets.get("LDAP_BIND_PASSWORD")
             )
             ldap_connection.add(dn, attributes=record)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to add context {dn}, status: {ldap_connection.result['result']}")
+            print(ldap_connection.result["result"])
+            if ldap_connection.result["result"] == 0:
+                print(f"Successfully added context")
+            elif ldap_connection.result["result"] == 68:
+                print(f"{dn} already exists")
+            else:
+                print(ldap_connection.result)
+                print(ldap_connection.response)
+                raise Exception(f"Failed to add  {dn}... {record}")
 
 
 def group_ldifs(rendered_files):
@@ -98,12 +101,14 @@ def group_ldifs(rendered_files):
             if record.get("description"):
                 print("updating description")
                 ldap_connection.modify(dn, {"description": [(ldap3.MODIFY_REPLACE, record["description"])]})
-                if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                    log.debug(ldap_connection.result)
-                    log.debug(ldap_connection.response)
-                    raise Exception(
-                        f"Failed to update description for group {dn}, status: {ldap_connection.result['result']}"
-                    )
+                if ldap_connection.result["result"] == 0:
+                    print(f"Successfully added groups")
+                elif ldap_connection.result["result"] == 68:
+                    print(f"{dn} already exists")
+                else:
+                    print(ldap_connection.result)
+                    print(ldap_connection.response)
+                    raise Exception(f"Failed to add  {dn}... {record}")
 
 
 def policy_ldifs(rendered_files):
@@ -126,10 +131,14 @@ def policy_ldifs(rendered_files):
             # print(record)
             # add the record to ldap
             ldap_connection.add(dn, attributes=record)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to add policy {dn}, status: {ldap_connection.result['result']}")
+            if ldap_connection.result["result"] == 0:
+                print(f"Successfully added policies")
+            elif ldap_connection.result["result"] == 68:
+                print(f"{dn} already exists")
+            else:
+                print(ldap_connection.result)
+                print(ldap_connection.response)
+                raise Exception(f"Failed to add  {dn}... {record}")
 
 
 def role_ldifs(rendered_files):
@@ -156,10 +165,14 @@ def role_ldifs(rendered_files):
             # print(record)
             # add the record to ldap
             ldap_connection.add(dn, attributes=record)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to add role {dn}, status: {ldap_connection.result['result']}")
+            if ldap_connection.result["result"] == 0:
+                print(f"Successfully added roles")
+            elif ldap_connection.result["result"] == 68:
+                print(f"{dn} already exists")
+            else:
+                print(ldap_connection.result)
+                print(ldap_connection.response)
+                raise Exception(f"Failed to add  {dn}... {record}")
 
 
 # not complete!!
@@ -182,10 +195,14 @@ def schema_ldifs(rendered_files):
             # print(record)
             # add the record to ldap
             ldap_connection.add(dn, attributes=record)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to add schema {dn}, status: {ldap_connection.result['result']}")
+            if ldap_connection.result["result"] == 0:
+                print(f"Successfully added schemas")
+            elif ldap_connection.result["result"] == 68:
+                print(f"{dn} already exists")
+            else:
+                print(ldap_connection.result)
+                print(ldap_connection.response)
+                raise Exception(f"Failed to add  {dn}... {record}")
 
 
 def user_ldifs(rendered_files):
@@ -202,13 +219,16 @@ def user_ldifs(rendered_files):
         # loop through the records
         for dn, record in parser.parse():
             print("got entry record: %s" % dn)
+
+            # for each user find child entries and delete them
+            ldap_connection.search(dn, "(objectclass=*)", search_scope=ldap3.SUBTREE)
+            for entry in ldap_connection.entries:
+                print(entry.entry_dn)
+                ldap_connection.delete(entry.entry_dn)
+
             # print(record)
             # add the record to ldap
             ldap_connection.delete(dn)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to delete user {dn}, status: {ldap_connection.result['result']}")
 
     # loop through the user files
     for file in user_files:
@@ -220,10 +240,14 @@ def user_ldifs(rendered_files):
             # print(record)
             # add the record to ldap
             ldap_connection.add(dn, attributes=record)
-            if any(result not in [0, 68] for result in ldap_connection.result["result"]):
-                log.debug(ldap_connection.result)
-                log.debug(ldap_connection.response)
-                raise Exception(f"Failed to add user {dn}, status: {ldap_connection.result['result']}")
+            if ldap_connection.result["result"] == 0:
+                print(f"Successfully added users")
+            elif ldap_connection.result["result"] == 68:
+                print(f"{dn} already exists")
+            else:
+                print(ldap_connection.result)
+                print(ldap_connection.response)
+                raise Exception(f"Failed to add  {dn}... {record}")
 
 
 def main(rbac_repo_tag, clone_path="./rbac"):

diff --git a/cli/ldap/update_user_home_areas.py b/cli/ldap/update_user_home_areas.py