add membership sync
This commit is contained in:
parent
d54d82ae95
commit
0bb2754bca
@ -187,6 +187,40 @@ class Application
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
MatchedMembership = Struct.new :role_name, :member_of, :state
|
||||||
|
|
||||||
|
def match_memberships(ldap_roles, pg_roles)
|
||||||
|
ldap_by_dn = ldap_roles.inject({}){|h,r| h[r.dn] = r; h }
|
||||||
|
ldap_by_m2m = ldap_roles.inject([]){|a,r|
|
||||||
|
next a unless r.member_dns
|
||||||
|
a + r.member_dns.map{|dn|
|
||||||
|
if member_of=ldap_by_dn[dn]
|
||||||
|
[r.name, member_of.name]
|
||||||
|
else
|
||||||
|
log.warn{"ldap member with dn #{dn} is unknown"}
|
||||||
|
nil
|
||||||
|
end
|
||||||
|
}.compact
|
||||||
|
}
|
||||||
|
|
||||||
|
pg_by_name = pg_roles.inject({}){|h,r| h[r.name] = r; h }
|
||||||
|
pg_by_m2m = pg_roles.inject([]){|a,r|
|
||||||
|
next a unless r.member_names
|
||||||
|
a + r.member_names.map{|name|
|
||||||
|
member_of = pg_by_name[name]
|
||||||
|
unless member_of
|
||||||
|
log.warn{"pg member with name #{name} is unknown"}
|
||||||
|
end
|
||||||
|
[r.name, member_of.name]
|
||||||
|
}.compact
|
||||||
|
}
|
||||||
|
|
||||||
|
memberships = (ldap_by_m2m & pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :keep }
|
||||||
|
memberships += (ldap_by_m2m - pg_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :grant }
|
||||||
|
memberships += (pg_by_m2m - ldap_by_m2m).map{|r,mo| MatchedMembership.new r, mo, :revoke }
|
||||||
|
return memberships
|
||||||
|
end
|
||||||
|
|
||||||
def grant_membership(role_name, add_members)
|
def grant_membership(role_name, add_members)
|
||||||
add_members_escaped = add_members.map{|m| "\"#{m}\"" }.join(",")
|
add_members_escaped = add_members.map{|m| "\"#{m}\"" }.join(",")
|
||||||
pg_exec "GRANT \"#{role_name}\" TO #{add_members_escaped}"
|
pg_exec "GRANT \"#{role_name}\" TO #{add_members_escaped}"
|
||||||
@ -197,20 +231,20 @@ class Application
|
|||||||
pg_exec "REVOKE \"#{role_name}\" FROM #{rm_members_escaped}"
|
pg_exec "REVOKE \"#{role_name}\" FROM #{rm_members_escaped}"
|
||||||
end
|
end
|
||||||
|
|
||||||
def sync_membership_to_pg(roles)
|
def sync_membership_to_pg(memberships)
|
||||||
roles.each do |role|
|
grants = {}
|
||||||
case role.state
|
memberships.select{|ms| ms.state==:grant }.each do |ms|
|
||||||
when :create
|
grants[ms.role_name] ||= []
|
||||||
if role.ldap.member_dns
|
grants[ms.role_name] << ms.member_of
|
||||||
role.ldap.member_dns.each{|dn| }
|
end
|
||||||
|
revokes = {}
|
||||||
|
memberships.select{|ms| ms.state==:revoke }.each do |ms|
|
||||||
|
revokes[ms.role_name] ||= []
|
||||||
|
revokes[ms.role_name] << ms.member_of
|
||||||
end
|
end
|
||||||
|
|
||||||
grant all
|
grants.each{|role_name, members| grant_membership(role_name, members) }
|
||||||
when :keep
|
revokes.each{|role_name, members| revoke_membership(role_name, members) }
|
||||||
grant new
|
|
||||||
revoke old
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def start!
|
def start!
|
||||||
@ -234,8 +268,16 @@ class Application
|
|||||||
"user/group stat: create: #{mroles.count{|u| u.state==:create }} drop: #{mroles.count{|u| u.state==:drop }} keep: #{mroles.count{|u| u.state==:keep }}"
|
"user/group stat: create: #{mroles.count{|u| u.state==:create }} drop: #{mroles.count{|u| u.state==:drop }} keep: #{mroles.count{|u| u.state==:keep }}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
mmemberships = match_memberships(ldap_users+ldap_groups, pg_users+pg_groups)
|
||||||
|
log.info{
|
||||||
|
mmemberships.each do |mmembership|
|
||||||
|
log.debug{ "#{mmembership.state} #{mmembership.role_name} to #{mmembership.member_of}" }
|
||||||
|
end
|
||||||
|
"mambership stat: grant: #{mmemberships.count{|u| u.state==:grant }} revoke: #{mmemberships.count{|u| u.state==:revoke }} keep: #{mmemberships.count{|u| u.state==:keep }}"
|
||||||
|
}
|
||||||
|
|
||||||
sync_roles_to_pg(mroles)
|
sync_roles_to_pg(mroles)
|
||||||
# sync_membership_to_pg(mroles)
|
sync_membership_to_pg(mmemberships)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.run(argv)
|
def self.run(argv)
|
||||||
|
Reference in New Issue
Block a user