Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use new ldap export #17

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Use new ldap export #17

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
aa647e2
Update code to use new ldap export
pwnbus Jun 2, 2021
6da7658
Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/gsuite_c…
pwnbus Jun 2, 2021
13232f9
Add error handling to ensure script continues
pwnbus Jun 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ email have the ability to single-sign-on into GCP and manage the lifecycle of th

```bash
$ $(maws) # become MAWS-Admin in mozilla-iam
$ cd gsuite_cloud_users_driver
$ npm install
$ node_modules/.bin/serverless deploy
$ cd gsuite_cloud_users_driver
$ ../node_modules/.bin/serverless deploy
```

Verify that the driver has been updated properly in Lambda. Note that
Expand Down
2 changes: 1 addition & 1 deletion gsuite_cloud_users_driver/cloud.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import boto3
import json
import uuid
from apiclient import discovery
from googleapiclient import discovery
from httplib2 import Http
from oauth2client.service_account import ServiceAccountCredentials
from logging import getLogger
Expand Down
30 changes: 24 additions & 6 deletions gsuite_cloud_users_driver/driver.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import logging
import sys
from googleapiclient.http import HttpError
from cloud import Directory
from ldap import User

Expand All @@ -20,9 +21,9 @@ def setup_logging():
user_whitelist = [
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]',
'[email protected]'
'[email protected]',
'[email protected]',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noted in SE-1879 that we should open a PR to remove elim-owner@ once we get that worked out.

]


Expand Down Expand Up @@ -59,16 +60,33 @@ def handle(event=None, context=None):
)

for user in additions:
directory.create(user)
logger.info('Account created for: {}'.format(user.get('primary_email')))
logger.info("Creating account for: {}".format(user.get('primary_email')))
try:
directory.create(user)
except HttpError as error:
if 'Entity already exists' in str(error):
# We want to know about it, but still want to continue
# for users that previously existed, were suspended, and now show up in ldap
logger.error("User already exists in gcp: {}".format(user))
else:
raise error

for email in disables:
directory.disable(email)
logger.info('Account disabled for: {}'.format(email))
logger.info("Disabling account for: {}".format(email))
try:
directory.disable(email)
except HttpError as error:
if 'Not Authorized to access this resource/api' in str(error):
# We want to know about it, but still want to continue
# for users that we can't disable (admins)
logger.error("Unable to disable user: {}".format(email))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm only producing a log entry for this error, but we may want to change this to be more obvious so we can setup cloudwatch alerts and know when our script hits these errors, as they require some sort of manual intervention.

else:
raise error

logger.info('Infra GCP cloud users driver run complete.')

return 200


if __name__ == '__main__':
handle()
70 changes: 9 additions & 61 deletions gsuite_cloud_users_driver/ldap.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@


class User(object):
"""Retrieve the ldap users from the ldap.xz.json and process."""
"""Retrieve the ldap users from S3 and process."""
def __init__(self):
self.s3 = None
self.ldap_json = None
Expand Down Expand Up @@ -40,8 +40,8 @@ def _connect_s3(self):
def _get_ldap_json(self):
self._connect_s3()
obj = self.s3.Object(
os.getenv('CIS_S3_BUCKET_NAME', 'cis-ldap2s3-publisher-data'),
os.getenv('CIS_LDAP_JSON_FILE', 'ldap-full-profile.json.xz')
os.getenv('CIS_S3_BUCKET_NAME', 'cache.ldap.sso.mozilla.com'),
os.getenv('CIS_LDAP_JSON_FILE', 'ldap_users.json.xz')
)

tarred_json = bytes(obj.get()["Body"].read())
Expand All @@ -62,8 +62,7 @@ def to_emails(self, users):
if self.ldap_json is None:
self._get_ldap_json()

for person in self.ldap_json:
email = self._record_to_primary_email(self.ldap_json[person])
for email in self.ldap_json:
if email.split('@')[1] in self.email_suffix_whitelist:
emails.append('{}@gcp.infra.mozilla.com'.format(email.split('@')[0]))
return emails
Expand All @@ -74,72 +73,21 @@ def to_gsuite_account_structure(self):
if self.ldap_json is None:
self._get_ldap_json()

for person in self.ldap_json:
for email in self.ldap_json:
try:
email = self._record_to_primary_email(self.ldap_json[person])
first_name = self._record_to_first_name(self.ldap_json[person])
last_name = self._record_to_last_name(self.ldap_json[person])
person = self.ldap_json[email]
first_name = person['first_name']
last_name = person['last_name']

if email.split('@')[1] in self.email_suffix_whitelist:
logger.debug('Adding user: {} to the list of potential accounts.'.format(person))
users.append(
{
'first_name': first_name,
'last_name': last_name,
'primary_email': '{}@gcp.infra.mozilla.com'.format(email.split('@')[0])
'primary_email': '{}@gcp.infra.mozilla.com'.format(email.lower().split('@')[0])
}
)
except TypeError as e:
logger.error('Could not process user: {} due to: {}.'.format(person, e))
return users

def _record_to_primary_email(self, user):
return user.get('primaryEmail').lower()

def _record_to_first_name(self, user):
return user.get('firstName')

def _record_to_last_name(self, user):
return user.get('lastName')


# TODO: Delete this? It doesn't seem to be used anywhere.
class Group(object):
def __init__(self, users):
self.users = users
self.groups = []

@property
def all(self):
"""Convert the list of users with emails to a groups data structure."""
if len(self.groups) == 0:
self._generate_grouplist()
self._populate_membership()
return self.groups

def _generate_grouplist(self):
for user in self.users:
# This is for the full profile syntax
user_groups = self.users[user]['access_information']['ldap']['values']
# TODO replace with something like except get only ldap groups maybe?
# user_groups = self.users[user]['groups']
for group in user_groups:
proposed_group = {'group': group, 'members': []}
if proposed_group not in self.groups:
self.groups.append(proposed_group)

def _populate_membership(self):
for group in self.groups:
group_name = group['group']

# Go find all the members
for user in self.users:
# This is for the full profile syntax
# TODO replace with something like except get only ldap groups maybe?
# if group_name in self.users[user]['groups']:
if group_name in self.users[user]['access_information']['ldap']['values']:
idx = self.groups.index(group)
self.groups[idx]['members'].append(self._record_to_primary_email(self.users[user]))

def _record_to_primary_email(self, user):
return '{}@gcp.infra.mozilla.com'.format(user.get('primary_email')['value'].lower().split('@')[0])
Loading