Attachment #9140 for bug #45252

View | Details | Raw Unified | Return to bug 45252 | Differences between
Collapse All | Expand All




import types
import ldap
import univention.uldap
from univention.lib import ordered_set
import univention.admin.uldap
import univention.admin.modules
import univention.admin.objects

						else:
							equal = compare[0] == compare[1]
						if not equal:
							# This is deduplication of LDAP attribute values
							# for S4 -> UCS with preserved order.
							# as the handling of `con_other_attribute` assumes preserved ordering
							# (this is not guaranteed by LDAP).
							# See the MODIFY-case in `sync_from_ucs()` for more.
							if isinstance(value, list):
								ucs_object[ucs_key] = list(ordered_set.OrderedSet(value))
							else:
								ucs_object[ucs_key] = value
							ud.debug(ud.LDAP, ud.INFO, "set key in ucs-object: %s" % ucs_key)
- 
--
.../modules/univention/s4connector/s4/__init__.py  | 253 +++++++++------------
1 file changed, 113 insertions(+), 140 deletions(-)




		#
		elif (object['modtype'] == 'modify' and s4_object) or (object['modtype'] == 'add' and s4_object):
			ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: modify object: %s" % object['dn'])
			ud.debug(ud.LDAP, ud.INFO,
				"sync_from_ucs: old_object: %s" % old_ucs_object)
			ud.debug(ud.LDAP, ud.INFO,
				"sync_from_ucs: new_object: %s" % new_ucs_object)
			object['old_ucs_object'] = old_ucs_object
			object['new_ucs_object'] = new_ucs_object
			attribute_list = set(old_ucs_object.keys() + new_ucs_object.keys())
			if hasattr(self.property[property_type], "con_sync_function"):
				self.property[property_type].con_sync_function(self, property_type, object)
			else:
				# Iterate over attributes and post_attributes
				for attribute_type_name, attribute_type in [('attributes', self.property[property_type].attributes), ('post_attributes', self.property[property_type].post_attributes)]:
					if hasattr(self.property[property_type], attribute_type_name) and attribute_type is not None:
						for attr in attribute_list:
							value = new_ucs_object.get(attr)
							if not self.__has_attribute_value_changed(attr, old_ucs_object, new_ucs_object):
								continue

			def find_case_independent(s4_object, attribute):
				attr = attribute.lower()
				matching = (v for (k, v) in s4_object.iteritems() if k.lower() == attr)
				try:
					values = next(matching)
				except StopIteration:
					values = []
				return set(values)

			# Iterate over attributes and post_attributes
			for attribute_type_name, attribute_type in [('attributes', self.property[property_type].attributes),
					('post_attributes', self.property[property_type].post_attributes)]:
				if hasattr(self.property[property_type], attribute_type_name) and attribute_type is not None:
					for attr in attribute_list:
						if not self.__has_attribute_value_changed(attr, old_ucs_object, new_ucs_object):
							continue

						ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The following attribute has been changed: %s" % attr)
								s4_attribute = attribute_type[attribute].con_attribute
								s4_other_attribute = attribute_type[attribute].con_other_attribute

						for attribute in attribute_type.keys():
							if attribute_type[attribute].ldap_attribute != attr:
								continue

							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: Found a corresponding mapping defintion: %s" % attribute)
							s4_attribute = attribute_type[attribute].con_attribute
							s4_other_attribute = attribute_type[attribute].con_other_attribute

							if not attribute_type[attribute].sync_mode in ['write', 'sync']:
								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: %s is in not in write or sync mode. Skipping" % attribute)
								continue

							# Get the UCS attributes
							old_values = set(old_ucs_object.get(attr, []))
							new_values = set(new_ucs_object.get(attr, []))

							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: old_values: %s" % old_values)
							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: new_values: %s" % new_values)
										modify = True
								elif not univention.s4connector.compare_lowercase(list(old_values), list(new_values)):  # FIXME: use defined compare-function from mapping.py
									modify = True

							current_s4_values = find_case_independent(s4_object, s4_attribute)
									ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: no modification necessary for %s" % attribute)
									continue

							compare_function = attribute_type[attribute].compare_function or \
								univention.s4connector.compare_lowercase
							if compare_function(list(old_values), list(new_values)):
								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: no modification necessary for %s" % attribute)
								continue

							# So, at this point we have the old and the new UCS object.
							# Thus we can create the diff, but we have to check the current S4 object
							to_add = new_values - old_values
							to_remove = old_values - new_values

							if s4_other_attribute:
								# This is the case, where we map from a multi-valued UCS attribute to two S4 attributes.
								# telephoneNumber/otherTelephone (S4) to telephoneNumber (UCS) would be an example.
								#
								# The direct mapping assumes preserved ordering of the multi-valued UCS
								# attributes and places the first value in the primary S4 attribute,
								# the rest in the secondary S4 attributes.
								#
								# The following code handles the correct distribution of the UCS attribute,
								# to two S4 attributes. It also ensures, that the primary S4 attribute keeps
								# its value as long as that value is not removed. If removed the primary
								# attribute is assigned a random value from the UCS attribute.
								current_s4_other_values = find_case_independent(s4_object, s4_other_attribute)

								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The current S4 values: %s" % current_s4_values)
								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The current S4 other values: %s" % current_s4_other_values)

								# If we removed the value on the UCS side that was contained in the `s4_attribute`,
								# but are adding new values, we choose a random value from the new values.
								new_s4_values = current_s4_values - to_remove
								if not new_s4_values and to_add:
									new_s4_values.add(to_add.pop())
								new_s4_other_values = (current_s4_other_values | to_add) - to_remove - current_s4_values

								if current_s4_values != new_s4_values:
									modlist.append((ldap.MOD_REPLACE, s4_attribute, new_s4_values))
								if current_s4_other_values != new_s4_other_values:
									modlist.append((ldap.MOD_REPLACE, s4_other_attribute, new_s4_other_values))
							else:
								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The current S4 values: %s" % current_s4_values)

								if (to_add or to_remove) and attribute_type[attribute].single_value:
									value = new_ucs_object.get(attr)
									modify = not current_s4_values or not value or \
										not compare_function(list(current_s4_values), list(value))
									if modify:
										mapping = getattr(attribute_type[attribute], 'mapping', ())
										if len(mapping) > 0 and mapping[0]:
											ud.debug(ud.LDAP, ud.PROCESS, "Calling single value mapping function")
											value = mapping[0](self, None, object)
										modlist.append((ldap.MOD_REPLACE, s4_attribute, value))
										if new_s4_values:
											modlist.append((ldap.MOD_REPLACE, s4_attribute, new_s4_values))
										else:
											modlist.append((ldap.MOD_REPLACE, s4_attribute, []))

									if current_s4_other_values != new_s4_other_values:
										modlist.append((ldap.MOD_REPLACE, s4_other_attribute, new_s4_other_values))
								else:
									if to_remove:
										r = current_s4_values & to_remove
										if r:
											modlist.append((ldap.MOD_DELETE, s4_attribute, r))
									if to_add:
										a = to_add - current_s4_values
										if a:
											modlist.append((ldap.MOD_ADD, s4_attribute, a))

			if not modlist:
				ud.debug(ud.LDAP, ud.ALL, "nothing to modify: %s" % object['dn'])
			else:
				ud.debug(ud.LDAP, ud.INFO, "to modify: %s" % object['dn'])
				ud.debug(ud.LDAP, ud.ALL, "sync_from_ucs: modlist: %s" % modlist)
				try:
					self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
				except:
					ud.debug(ud.LDAP, ud.ERROR, "sync_from_ucs: traceback during modify object: %s" % object['dn'])
					ud.debug(ud.LDAP, ud.ERROR, "sync_from_ucs: traceback due to modlist: %s" % modlist)
					raise
											modlist.append((ldap.MOD_REPLACE, s4_attribute, value))
									else:
										if to_remove:
											r = current_s4_values & to_remove
											if r:
												modlist.append((ldap.MOD_DELETE, s4_attribute, r))
										if to_add:
											a = to_add - current_s4_values
											if a:
												modlist.append((ldap.MOD_ADD, s4_attribute, a))

				if not modlist:
					ud.debug(ud.LDAP, ud.ALL, "nothing to modify: %s" % object['dn'])
				else:
					ud.debug(ud.LDAP, ud.INFO, "to modify: %s" % object['dn'])
					ud.debug(ud.LDAP, ud.ALL, "sync_from_ucs: modlist: %s" % modlist)
					try:
						self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
					except:
						ud.debug(ud.LDAP, ud.ERROR, "sync_from_ucs: traceback during modify object: %s" % object['dn'])
						ud.debug(ud.LDAP, ud.ERROR, "sync_from_ucs: traceback due to modlist: %s" % modlist)
						raise

			if hasattr(self.property[property_type], "post_con_modify_functions"):
				for f in self.property[property_type].post_con_modify_functions:
					ud.debug(ud.LDAP, ud.INFO, "Call post_con_modify_functions: %s" % f)
					f(self, property_type, object)
					ud.debug(ud.LDAP, ud.INFO, "Call post_con_modify_functions: %s (done)" % f)
		#
		# DELETE
		#
- 
handling
--
.../modules/univention/s4connector/s4/__init__.py  | 57 ++++++++++++++++------
1 file changed, 41 insertions(+), 16 deletions(-)




import types
import array
import univention.uldap
from univention.lib import ordered_set
import univention.s4connector
import univention.debug2 as ud
from ldap.controls import LDAPControl

from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc import misc


DECODE_IGNORELIST = ['objectSid', 'objectGUID', 'repsFrom', 'replUpToDateVector', 'ipsecData', 'logonHours', 'userCertificate', 'dNSProperty', 'dnsRecord']

LDAP_SERVER_SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

				"sync_from_ucs: new_object: %s" % new_ucs_object)
			object['old_ucs_object'] = old_ucs_object
			object['new_ucs_object'] = new_ucs_object
			attribute_list = ordered_set.OrderedSet(old_ucs_object.keys() + new_ucs_object.keys())

			def find_case_independent(s4_object, attribute):
				attr = attribute.lower()

					values = next(matching)
				except StopIteration:
					values = []
				return ordered_set.OrderedSet(values)

			# Iterate over attributes and post_attributes
			for attribute_type_name, attribute_type in [('attributes', self.property[property_type].attributes),

								continue

							# Get the UCS attributes
							old_values = ordered_set.OrderedSet(old_ucs_object.get(attr, []))
							new_values = ordered_set.OrderedSet(new_ucs_object.get(attr, []))

							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: old_values: %s" % old_values)
							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: new_values: %s" % new_values)

							to_add = new_values - old_values
							to_remove = old_values - new_values

							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: to_add: %s" % to_add)
							ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: to_remove: %s" % to_remove)

							if s4_other_attribute:
								# This is the case, where we map from a multi-valued UCS attribute to two S4 attributes.
								# telephoneNumber/otherTelephone (S4) to telephoneNumber (UCS) would be an example.
								#
								# In Active Directory, for attributes that are split in two the administrator is
								# responsible for keeping a value in `telephoneNumber`. Imagine the following:
								# (a) telephoneNumber = '123', otherTelephone = ['123', '456']
								# In this case, if the administrator deletes the value of `telephoneNumber`,
								# Active Directory does NOT automatically pull a new value from `otherTelephone`.
								#
								# This is impossible to support with the connector. Imagine again case (a). If
								# we delete `123` from `phone` via UDM, AD would be synced into the following
								# state: (b) telephoneNumber = '', otherTelephone = ['456']
								# From now on, whenever we add a new value to `phone` via UDM, for example:
								# (c) phone = ['456', '789'] it MUST be synced as
								# (d) telephoneNumber = '', otherTelephone = ['456', '789'] as '456' came
								# before '789' and '456' is definitely in `otherTelephone`.
								#
								# We therefore implement, that `telephoneNumber` is never empty, as long as there
								# are values in `otherTelephone`. If a modification would delete the value of
								# `telephoneNumber` and at least one value exists in `otherTelephone`, the
								# connector duplicates the first entry of `otherTelephone` into
								# `telephoneNumber`.
								current_s4_other_values = find_case_independent(s4_object, s4_other_attribute)

								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The current S4 values: %s" % current_s4_values)
								ud.debug(ud.LDAP, ud.INFO, "sync_from_ucs: The current S4 other values: %s" % current_s4_other_values)

								# If we removed the value on the UCS side that was contained in the `s4_attribute`,
								# but are adding new values, we choose a random value from the new values.
								new_s4_values = current_s4_values - to_remove
								retained_s4_other_values = current_s4_other_values - to_remove

								# If we removed the value on the UCS side that was contained in the `current_s4_values`,
								# but have values, we duplicate the first value from the `new_s4_other_values`.
								if not new_s4_values:
									if retained_s4_other_values:
										new_s4_values.add(retained_s4_other_values[0])
									elif to_add:
										new_s4_values.add(to_add[0])

								# Take the old values without those to be removed. Add the new ones
								# (without duplicating the `new_s4_values`, but preserving existing
								# duplicates in `con_other_attribute`)
								new_s4_other_values = retained_s4_other_values | (to_add - new_s4_values)

								if current_s4_values != new_s4_values:
									modlist.append((ldap.MOD_REPLACE, s4_attribute, new_s4_values))
- 
--
.../52_s4connector/502_other_attribute_sync.py     | 184 +++++++++++++++++++++
1 file changed, 184 insertions(+)
create mode 100755 test/ucs-test/tests/52_s4connector/502_other_attribute_sync.py




#!/usr/share/ucs-test/runner /usr/bin/py.test -s
# coding: utf-8
## desc: "Test the UCS<->AD sync in {read,write,sync} mode for `con_other_attribute`s."
## exposure: dangerous
## packages:
## - univention-s4-connector
## bugs:
##  - 35903
##  - 36480

import pytest

from univention.testing.udm import UCSTestUDM
import univention.testing.connector_common as tcommon
from univention.testing.connector_common import (NormalUser, create_udm_user,
	delete_udm_user, create_con_user, delete_con_user)

import s4connector
from s4connector import (connector_running_on_this_host, connector_setup)

MAPPINGS = (
	# ucs_attribute, con_attribute, con_other_attribute
	('phone', 'telephoneNumber', 'otherTelephone'),
	('homeTelephoneNumber', 'homePhone', 'otherHomePhone'),
	('mobileTelephoneNumber', 'mobile', 'otherMobile'),
	('pagerTelephoneNumber', 'pager', 'otherPager'),
)


def random_number():
	return tcommon.random_string(numeric=True)


# General Information: In Active Directory, for attributes that are split in
# two (e.g. `telephoneNumber` and `otherTelephone`), the administrator is
# responsible for keeping a value in `telephoneNumber`. Imagine the following:
# (a) telephoneNumber = '123', otherTelephone = ['123', '456']
# In this case, if the administrator deletes the value of `telephoneNumber`,
# Active Directory does NOT automatically pull a new value from `otherTelephone`.
#
# This is impossible to support with the connector. Imagine again case (a). If
# we delete `123` from `phone` via UDM, AD would be synced into the following
# state: (b) telephoneNumber = [], otherTelephone = ['456']
# From now on, whenever we add a new value to `phone` via UDM, for example:
# (c) phone = ['456', '789'] it MUST be synced as
# (d) telephoneNumber = [], otherTelephone = ['456', '789'] as '456' came
# before '789' and '456' is definitely in `otherTelephone`.
#
# These tests enforce, that `telephoneNumber` is never empty, as long as there
# are values in `otherTelephone`. If a modification would delete the value of
# `telephoneNumber` and at least one value exists in `otherTelephone`, the
# connector duplicates the first entry of `otherTelephone` into
# `telephoneNumber`.


@pytest.mark.parametrize("attribute", MAPPINGS)
@pytest.mark.parametrize("sync_mode", ["write", "sync"])
@pytest.mark.skipif(not connector_running_on_this_host(),
	reason="Univention S4 Connector not configured.")
def test_attribute_sync_from_udm_to_s4(attribute, sync_mode):
	(ucs_attribute, con_attribute, con_other_attribute) = attribute
	udm_user = NormalUser(selection=("username", "lastname", ucs_attribute))
	primary_value = udm_user.basic.get(ucs_attribute)
	all_values = (primary_value, random_number(), random_number())
	secondary_values = all_values[1:]

	with connector_setup(sync_mode) as s4, UCSTestUDM() as udm:
		# A single `phone` number must be synced to `telephoneNumber` in AD.
		(udm_user_dn, s4_user_dn) = create_udm_user(udm, s4, udm_user, s4connector.wait_for_sync)

		# Additional `phone` values must be synced to `otherTelephone`,
		# `telephoneNumber` must keep its value.
		print("\nModifying UDM user: {}={}\n".format(ucs_attribute, all_values))
		udm.modify_object('users/user', dn=udm_user_dn, set={ucs_attribute: all_values})
		s4connector.wait_for_sync()
		s4.verify_object(s4_user_dn,
			{con_attribute: primary_value, con_other_attribute: secondary_values})
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: all_values})

		# If we delete the first `phone` value via UDM, we want to duplicate
		# the first value of `otherTelephone` into `telephoneNumber`.
		(new_primary, next_primary) = secondary_values
		print("\nModifying UDM user: {}={}\n".format(ucs_attribute, secondary_values))
		udm.modify_object('users/user', dn=udm_user_dn, set={ucs_attribute: secondary_values})
		s4connector.wait_for_sync()
		s4.verify_object(s4_user_dn,
			{con_attribute: new_primary, con_other_attribute: secondary_values})
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: secondary_values})

		# If we delete a `phone` value via UDM that is duplicated in AD, we want
		# it to be deleted from `telephoneNumber` and `otherTelephone`.
		print("\nModifying UDM user: {}={}\n".format(ucs_attribute, next_primary))
		udm.modify_object('users/user', dn=udm_user_dn, set={ucs_attribute: next_primary})
		s4connector.wait_for_sync()
		s4.verify_object(s4_user_dn,
			{con_attribute: next_primary, con_other_attribute: next_primary})
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: next_primary})

		# Setting a completely new `phone` value via UDM, this must be synced
		# to `telephoneNumber` and `otherTelephone` must be empty.
		new_phone_who_dis = random_number()
		print("\nModifying UDM user: {}={}\n".format(ucs_attribute, new_phone_who_dis))
		udm.modify_object('users/user', dn=udm_user_dn, set={ucs_attribute: new_phone_who_dis})
		s4connector.wait_for_sync()
		s4.verify_object(s4_user_dn, {con_attribute: new_phone_who_dis, con_other_attribute: []})
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: new_phone_who_dis})

		# No `phone` value via UDM, must result in an empty `telephoneNumber`
		# and `otherTelephone`.
		print("\nModifying UDM user: {}={}\n".format(ucs_attribute, []))
		udm.modify_object('users/user', dn=udm_user_dn, set={ucs_attribute: ''})
		s4connector.wait_for_sync()
		s4.verify_object(s4_user_dn, {con_attribute: [], con_other_attribute: []})
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: []})

		delete_udm_user(udm, s4, udm_user_dn, s4_user_dn, s4connector.wait_for_sync)


@pytest.mark.parametrize("attribute", MAPPINGS)
@pytest.mark.parametrize("sync_mode", ["read", "sync"])
@pytest.mark.skipif(not connector_running_on_this_host(),
	reason="Univention S4 Connector not configured.")
def test_attribute_sync_from_s4_to_udm(attribute, sync_mode):
	(ucs_attribute, con_attribute, con_other_attribute) = attribute
	udm_user = NormalUser(selection=("username", "lastname", ucs_attribute))
	primary_value = udm_user.basic.get(ucs_attribute)
	all_values = (primary_value, random_number(), random_number())
	secondary_values = all_values[1:]

	with connector_setup(sync_mode) as s4:
		# A single `telephoneNumber` must be synced to `phone` in UDM.
		(basic_s4_user, s4_user_dn, udm_user_dn) = create_con_user(s4,
			udm_user, s4connector.wait_for_sync)

		# Additional values in `otherTelephone` must be appended to `phone`.
		print("\nModifying S4 user: {}={}, {}={}\n".format(con_attribute,
			primary_value, con_other_attribute, secondary_values))
		s4.set_attributes(s4_user_dn,
			**{con_attribute: primary_value, con_other_attribute: secondary_values})
		s4connector.wait_for_sync()
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: all_values})
		s4.verify_object(s4_user_dn,
			{con_attribute: primary_value, con_other_attribute: secondary_values})

		if sync_mode == "sync":  # otherwise the connector can't write into AD
			# If we delete the value of `telephoneNumber` from AD, we expect to get
			# the first value of `otherTelephone` duplicated into
			# `telephoneNumber`.
			(new_primary, _) = secondary_values
			print("\nModifying S4 user: {}={}\n".format(con_attribute, []))
			s4.set_attributes(s4_user_dn, **{con_attribute: []})
			s4connector.wait_for_sync()
			tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: secondary_values})
			s4.verify_object(s4_user_dn,
				{con_attribute: new_primary, con_other_attribute: secondary_values})

			# Deleting the duplicate from `otherTelephone` must retain the value of
			# `telephoneNumber` and `phone` in UDM.
			print("\nModifying S4 user: {}={}\n".format(con_other_attribute, []))
			s4.set_attributes(s4_user_dn, **{con_other_attribute: []})
			s4connector.wait_for_sync()
			tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: new_primary})
			s4.verify_object(s4_user_dn,
				{con_attribute: new_primary, con_other_attribute: []})

		# Setting a new `telephoneNumber` and no `otherTelephone` in AD must
		# result in a single new value in `phone`.
		new_phone_who_dis = random_number()
		print("\nModifying S4 user: {}={}\n".format(con_attribute, new_phone_who_dis))
		s4.set_attributes(s4_user_dn, **{con_attribute: new_phone_who_dis, con_other_attribute: []})
		s4connector.wait_for_sync()
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: new_phone_who_dis})
		s4.verify_object(s4_user_dn,
			{con_attribute: new_phone_who_dis, con_other_attribute: []})

		# Setting no `telephoneNumber` and no `otherTelephone` in AD must
		# result in no value in `phone`.
		print("\nModifying S4 user: {}={}\n".format(con_attribute, []))
		s4.set_attributes(s4_user_dn, **{con_attribute: [], con_other_attribute: []})
		s4connector.wait_for_sync()
		tcommon.verify_udm_object("users/user", udm_user_dn, {ucs_attribute: []})
		s4.verify_object(s4_user_dn, {con_attribute: [], con_other_attribute: []})

		delete_con_user(s4, s4_user_dn, udm_user_dn, s4connector.wait_for_sync)

Return to bug 45252