""" This module defines `Celery`_ tasks to manage LDAP entities. .. _Celery: http://www.celeryproject.org/ """ from __future__ import absolute_import from copy import deepcopy from django.core.exceptions import ObjectDoesNotExist from celery import shared_task from celery.utils.log import get_task_logger from celery.exceptions import Reject from ldapentities.models import ( LdapGroup, LdapUser, ) _LOGGER = get_task_logger(__name__) @shared_task def create_ldap_group(groupname, gid, description): """ This task creates an :py:class:`LDAP group ` if it does not exist yet. If a group with the given name exists its group id and description attributes are updated. :param str groupname: the group name :param int gid: the group id :param str description: description text for the group :return: dictionary containing groupname, gid, description and :py:const:`group_dn` set to the distinguished name of the newly created or existing LDAP group :rtype: dict """ try: ldapgroup = LdapGroup.objects.get(name=groupname) _LOGGER.info( 'LDAP group %s with groupname %s already exists', ldapgroup.dn, groupname) ldapgroup.gid = gid except LdapGroup.DoesNotExist: ldapgroup = LdapGroup(gid=gid, name=groupname) _LOGGER.info('created LDAP group %s', ldapgroup.dn) ldapgroup.description = description ldapgroup.save() _LOGGER.info('set description of LDAP group %s', ldapgroup.dn) return { 'groupname': groupname, 'gid': gid, 'description': description, 'group_dn': ldapgroup.dn, } @shared_task def create_ldap_user(username, uid, gid, gecos, homedir, shell, password): """ This task creates an :py:class:`LDAP user ` if it does not exist yet. The task is rejected if the primary group of the user is not defined. The user's fields are updated if the user already exists. :param str username: the user name :param int uid: the user id :param int gid: the user's primary group's id :param str gecos: the text for the GECOS field :param str homedir: the user's home directory :param str shell: the user's login shell :param str or None password: the clear text password, if :py:const:`None` is passed the password is not touched :raises celery.exceptions.Reject: if the specified primary group does not exist :return: dictionary containing username, uid, gid, gecos, homedir, shell, password and :py:const:`user_dn` set to the distinguished name of the newly created or existing LDAP user :rtype: dict """ try: ldapuser = LdapUser.objects.get(username=username) _LOGGER.info( 'LDAP user %s with username %s already exists', ldapuser.dn, username) except LdapUser.DoesNotExist: ldapuser = LdapUser(username=username) try: ldapgroup = LdapGroup.objects.get(gid=gid) except ObjectDoesNotExist as exc: _LOGGER.error('LDAP group with gid %d does not exist', gid) raise Reject(exc, requeue=False) ldapuser.uid = uid ldapuser.group = gid ldapuser.gecos = gecos ldapuser.home_directory = homedir ldapuser.login_shell = shell ldapuser.username = username ldapuser.common_name = username if password is not None: ldapuser.set_password(password) _LOGGER.info('set password for LDAP user %s', ldapuser.dn) ldapuser.save() _LOGGER.info('LDAP user %s created', ldapuser.dn) if ldapuser.username in ldapgroup.members: _LOGGER.info( 'LDAP user %s is already member of LDAP group %s', ldapuser.dn, ldapgroup.dn) else: ldapgroup.members.append(ldapuser.username) ldapgroup.save() _LOGGER.info( 'LDAP user %s has been added to LDAP group %s', ldapuser.dn, ldapgroup.dn) return { 'username': username, 'uid': uid, 'gid': gid, 'gecos': gecos, 'homedir': homedir, 'shell': shell, 'user_dn': ldapuser.dn, } @shared_task def set_ldap_user_password(username, password): """ This task sets the password of an existing :py:class:`LDAP user `. :param str username: the user name :param str password: teh clear text password :return: dictionary containing the username and a flag :py:const:`password_set` that is set to :py:const:`True` if the password has been set, :py:const:`False` if the user does not exist. :rtype: dict """ retval = {'username': username, 'password_set': False} try: ldapuser = LdapUser.objects.get(username=username) except LdapUser.DoesNotExist: _LOGGER.info('there is no LDAP user with username %s', username) return retval ldapuser.set_password(password) ldapuser.save() _LOGGER.info("set new password for LDAP user %s", ldapuser.dn) retval['password_set'] = True return retval @shared_task(bind=True) def add_ldap_user_to_group(self, username, groupname): """ This task adds the specified user to the given group. This task does nothing if the user is already member of the group. :param str username: the user name :param str groupname: the group name :raises celery.exceptions.Retry: if the user does not exist yet, :py:func:`create_ldap_user` should be called before :return: dictionary containing the username, groupname and a flag :py:const`added` that is as a :py:const:`True` if the user has been added to the group otherwise to :py:const:`False` :rtype: dict """ retval = {'username': username, 'groupname': groupname, 'added': False} try: ldapgroup = LdapGroup.objects.get(name=groupname) ldapuser = LdapUser.objects.get(username=username) except LdapGroup.DoesNotExist: _LOGGER.error('LDAP group with groupname %s does not exist', groupname) except LdapUser.DoesNotExist as exc: _LOGGER.error('LDAP user with username %s does not exist', username) self.retry(exc=exc, time_limit=5) else: if ldapuser.username not in ldapgroup.members: ldapgroup.members.append(ldapuser.username) ldapgroup.save() _LOGGER.info( 'LDAP user %s has been added to LDAP group %s', ldapuser.username, ldapgroup.dn) else: _LOGGER.info( 'LDAP user %s is already in LDAP group %s', ldapuser.username, ldapgroup.dn) retval['added'] = True return retval @shared_task def remove_ldap_user_from_group(username, groupname): """ This task removes the given user from the given group. :param str username: the user name :param str groupname: the group name :return: dictionary containing the input parameters and a flag :py:const:`removed` that is set to :py:const:`True` if the user has been removed, False otherwise :rtype: dict """ retval = {'username': username, 'groupname': groupname, 'removed': False} try: ldapgroup = LdapGroup.objects.get(name=groupname) ldapuser = LdapUser.objects.get(username=username) except LdapGroup.DoesNotExist: _LOGGER.error('LDAP group with groupname %s does not exist', groupname) except LdapUser.DoesNotExist: _LOGGER.error('LDAP user with username %s does not exist', username) else: if ldapuser.username in ldapgroup.members: ldapgroup.members.remove(ldapuser.username) _LOGGER.info( 'removed LDAP user %s from LDAP group %s', ldapuser.dn, ldapgroup.dn) ldapgroup.save() retval['removed'] = True else: _LOGGER.info( 'LDAP user %s is not a member of LDAP group %s', ldapuser.dn, ldapgroup.dn) return retval @shared_task def delete_ldap_user(username, *args, **kwargs): """ This task deletes the given user. :param str username: the user name :return: dictionary containing the username and a flag :py:const:`deleted` that is set to :py:const:`True` if the user has been deleted and is set to :py:const:`False` otherwise :rtype: dict .. note:: This variant can only be used at the beginning of a Celery task chain or as a standalone task. Use :py:func:`ldaptasks.tasks.delete_ldap_user_chained` at other positions in the task chain """ retval = {'username': username, 'deleted': False} try: ldapuser = LdapUser.objects.get(username=username) except LdapUser.DoesNotExist: _LOGGER.info('there is no LDAP user with username %s', username) else: try: ldapgroup = LdapGroup.objects.get(gid=ldapuser.group) except LdapGroup.DoesNotExist: _LOGGER.info( 'LDAP group %s of LDAP user %s does not exist', ldapuser.group, ldapuser.dn) else: if ldapuser.username in ldapgroup.members: ldapgroup.members.remove(ldapuser.username) ldapgroup.save() _LOGGER.info( 'removed LDAP user %s from LDAP group %s', ldapuser.dn, ldapgroup.dn) userdn = ldapuser.dn ldapuser.delete() _LOGGER.info('deleted LDAP user %s', userdn) retval['deleted'] = True return retval @shared_task def delete_ldap_user_chained(previous_result, *args, **kwargs): """ This task deletes the given user. :param dict previous_result: a dictionary describing the result of the previous step in the Celery task chain. This dictionary must contain a :py:const:`username` key :return: a copy of the :py:obj:`previous_result` dictionary with a new :py:const:`deleted` key set to :py:const:`True` if the user has been deleted and set to :py:const:`False` otherwise :rtype: dict """ username = previous_result['username'] retval = deepcopy(previous_result) retval.update(delete_ldap_user(username)) return retval @shared_task def delete_ldap_group_if_empty(groupname): """ This task deletes the given group if it is empty. :param str groupname: the group name :return: dictionary that contains the groupname and a flag :py:const:`deleted` that is set to :py:const:`True` if the group has been deleted and is set to :py:const:`False` otherwise :rtype: dict """ retval = {'groupname': groupname, 'deleted': False} try: ldapgroup = LdapGroup.objects.get(name=groupname) except LdapGroup.DoesNotExist: _LOGGER.info('LDAP group with groupname %s does not exist', groupname) else: if len(ldapgroup.members) == 0: groupdn = ldapgroup.dn ldapgroup.delete() _LOGGER.info( 'deleted LDAP group %s', groupdn) retval['deleted'] = True else: _LOGGER.info( 'LDAP group %s has not been deleted. It still has %d members', ldapgroup.dn, len(ldapgroup.members)) return retval @shared_task def delete_ldap_group(groupname): """ This task deletes the given group. :param str groupname: the group name :return: dictionary that contains the groupname and a flag :py:const:`deleted` that is set to :py:const:`True` if the group has been deleted and is set to :py:const:`False` otherwise :rtype: dict """ retval = {'groupname': groupname, 'deleted': False} try: ldapgroup = LdapGroup.objects.get(name=groupname) except LdapGroup.DoesNotExist: _LOGGER.info('LDAP group with name %s does not exist', groupname) else: groupdn = ldapgroup.dn ldapgroup.delete() _LOGGER.info('deleted LDAP group %s', groupdn) retval['deleted'] = True return retval