ocf / ocflib

Python libraries for account and server management
https://pypi.python.org/pypi/ocflib

Privileged ldap #157

Closed ja5087 closed 5 years ago

ja5087 commented 5 years ago

addresses #142

dkess commented 5 years ago

Code looks good, however now tests are failing because the test runner can't find the password file. I think the best way to deal with this would be to move the tests to the manual section and prompt for the password there.

ja5087 commented 5 years ago

I'm going to try and mock the function instead of moving the tests to manual (where they may never get run), but that isn't working yet

dkess commented 5 years ago

Thanks for this, I think the new code is good now.

Instead of mocking functions, I'd say it's fine to give the test runner access to the password (it's accessible to all staff anyways) and actually run the functions. This will probably require a PR to Puppet.

dkess commented 5 years ago

This commit needs to be temporarily reverted, as it breaks ocfweb. We got the following rootspam this morning: (I've redacted some extra information here)

A problem was encountered and reported via ocflib:

An exception occured in ocfweb:

Traceback (most recent call last):
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py", line 124, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/ocfweb/ocfweb/auth.py", line 53, in wrapper
    return fn(request, *args, **kwargs)
  File "/opt/ocfweb/ocfweb/account/register.py", line 51, in request_account
    if not user_attrs_ucb(calnet_uid):
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/account/search.py", line 56, in user_attrs_ucb
    base=UCB_LDAP_PEOPLE)
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/account/search.py", line 47, in user_attrs
    with connection(dn, password) as c:
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/infra/ldap.py", line 81, in ldap_ucb_privileged
    password = _read_ucb_password()
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/infra/ldap.py", line 256, in _read_ucb_password
    with open(UCB_LDAP_PASSWORD_PATH, 'r') as passwordFile:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/ucbldap.passwd'

Request:
  * Host: www.ocf.berkeley.edu
  * Path: /account/register/
  * Method: GET
  * Secure: True

Request Headers:
{'CSRF_COOKIE': '<REDACTED>',
 'HTTP_CONNECTION': 'close',
 'HTTP_COOKIE': '<REDACTED>',
 'HTTP_HOST': 'www.ocf.berkeley.edu',
 'HTTP_REFERER': 'https://auth.berkeley.edu/cas/login?((redacted))
 'HTTP_VIA': '1.1 www.ocf.berkeley.edu',
 'HTTP_X_FORWARDED_HOST': 'www.ocf.berkeley.edu',
 'HTTP_X_FORWARDED_PROTO': 'https',
 'HTTP_X_FORWARDED_SERVER': 'www.ocf.berkeley.edu',
 'PATH_INFO': '/account/register/',
 'QUERY_STRING': '',
 'RAW_URI': '/account/register/',
 'REMOTE_ADDR': '127.0.0.1',
 'REMOTE_PORT': '52574',
 'REQUEST_METHOD': 'GET',
 'SCRIPT_NAME': '',
 'SERVER_NAME': '127.0.0.1',
 'SERVER_PORT': '8080',
 'SERVER_PROTOCOL': 'HTTP/1.0',
 'SERVER_SOFTWARE': 'gunicorn/19.9.0',
 'gunicorn.socket': <socket.socket fd=9, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('127.0.0.1', 8080), raddr=('127.0.0.1', 52574)>,
 'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7f6f312256d8>,
 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>,
 'wsgi.input': <gunicorn.http.body.Body object at 0x7f6f31225860>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 0)}

Session:
{'calnet_uid': ((redacted)), 'login_return_path': '/about/staff'}

====
Hostname: ce044e06d63a
Callstack:
    at /opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/misc/mail.py:95 (send_problem_report)
        by /opt/ocfweb/ocfweb/middleware/errors.py:86 (process_exception)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:166 (process_exception_by_middleware)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:126 (_get_response)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/ocfweb/middleware/errors.py:42 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:78 (get_response)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/wsgi.py:142 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:176 (handle_request)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:135 (handle)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:30 (accept)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:68 (run_for_one)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:124 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/base.py:134 (init_process)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:583 (spawn_worker)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:616 (spawn_workers)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:545 (manage_workers)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:203 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/base.py:72 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/base.py:223 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/wsgiapp.py:61 (run)
        by /opt/ocfweb/venv/bin/gunicorn:11 (<module>)

Looks like this is happening because the password file isn't inside the docker container that ocfweb is running in. We'll have to change the container configuration. The password should also perhaps be part of the ocfweb development configuration.
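Added example, not ocflib's own code, covering both threads of this PR: a password reader that turns the missing-file case from the traceback above into an actionable error (and refuses a world-readable secret), plus the approach ja5087 describes of mocking the reader so the test runner never needs the real password. The names `read_ucb_password`, `user_attrs_ucb`, `LdapCredentialUnavailable` and the temp-file harness are assumptions modelled on the traceback, not the library's API.

```python
import os
import stat
import tempfile
from unittest import mock

UCB_LDAP_PASSWORD_PATH = '/etc/ucbldap.passwd'  # assumed default; mirrors the path in the traceback

class LdapCredentialUnavailable(RuntimeError):
    """The privileged bind password could not be read safely."""

def read_ucb_password(path=UCB_LDAP_PASSWORD_PATH):
    """Read the bind password; a missing or world-readable file fails with an actionable message."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        raise LdapCredentialUnavailable(path + ': not found; is the secret mounted into this container?')
    if mode & stat.S_IROTH:  # staff-group readable is the stated intent; world-readable is not
        raise LdapCredentialUnavailable(path + ': world-readable, refusing to use it')
    with open(path) as f:
        return f.read().strip()

def read_or_error(path):
    # Return either the password or the failure message, so callers can inspect both outcomes.
    try:
        return read_ucb_password(path)
    except LdapCredentialUnavailable as e:
        return 'error: {}'.format(e)

def with_temp_secret(content, file_mode):
    """Constructed scenario: exercise the reader on a throwaway secret file with the given mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, 'w') as f:
        f.write(content)
    os.chmod(path, file_mode)
    try:
        return read_or_error(path)
    finally:
        os.unlink(path)

def user_attrs_ucb(uid, search, read_password=None):
    """Privileged lookup; search(uid, password) stands in for LDAP; the reader is resolved at call time."""
    password = (read_password or read_ucb_password)()
    return search(uid, password)

def lookup_with_mocked_reader(uid):
    """The unit-test approach: mock the reader instead of giving the runner the real password."""
    fake_search = lambda uid, password: {'uid': uid, 'bound_with': password}
    fake_reader = mock.Mock(return_value='constructed-test-secret')
    with mock.patch.dict(globals(), {'read_ucb_password': fake_reader}):
        return user_attrs_ucb(uid, fake_search)
```

The mock is scoped to the `with` block, so the real reader (and its missing-file error) is back in place afterwards.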