implementing a method to get groups to remove

* implement a way to remove roles from a user without removing groups of roles the user keeps
kakwa · Jun 8, 2015 · 556d1f7 · 556d1f7
1 parent bc85d07
commit 556d1f7
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 0 deletions.
diff --git a/ldapcherry/roles.py b/ldapcherry/roles.py
@@ -228,6 +228,50 @@ def _check_member(self, role, groups, notroles, roles, parentroles, usedgroups):
             parentroles.add(role)
         return True
 
+    def get_groups_to_remove(self, current_roles, roles_to_remove):
+        """get groups to remove from list of roles to remove and current roles"""
+        current_roles = Set(current_roles)
+
+        ret = {}
+        roles_to_remove = Set(roles_to_remove)
+        tmp = Set([])
+        # get sub roles of the role to remove that the user belongs to
+        # if we remove a role, there is no reason to keep the sub roles
+        for r in roles_to_remove:
+            for sr in self._get_subroles(r):
+                if not sr in roles_to_remove and sr in current_roles:
+                    tmp.add(sr)
+
+        roles_to_remove = roles_to_remove.union(tmp)
+        roles = current_roles.difference(Set(roles_to_remove))
+        groups_roles = self._get_groups(roles)
+        groups_roles_to_remove = self._get_groups(roles_to_remove)
+
+        # if groups belongs to roles the user keeps, don't remove it
+        for b in groups_roles_to_remove:
+            if b in groups_roles:
+                groups_roles_to_remove[b] = \
+                    groups_roles_to_remove[b].difference(groups_roles[b])
+        return groups_roles_to_remove
+
+    def _get_groups(self, roles):
+        ret = {}
+        for r in roles:
+            for b in self.flatten[r]['backends_groups']:
+                groups = self.flatten[r]['backends_groups'][b]
+                if b not in ret:
+                    ret[b] = Set(groups)
+                ret[b] = ret[b].union(Set(groups))
+        return ret
+
+    def _get_subroles(self, role):
+        ret = Set([])
+        for sr in self.graph[role]['sub_roles']:
+            tmp = self._get_subroles(sr)
+            tmp.add(sr)
+            ret = ret.union(tmp)
+        return ret
+
     def get_roles(self, groups):
         """get list of roles and list of standalone groups"""
         roles = Set([])

diff --git a/tests/test_Roles.py b/tests/test_Roles.py
@@ -58,6 +58,15 @@ def testRoleContentDuplication(self):
         else:
             raise AssertionError("expected an exception")
 
+    def testGroupsRemove(self):
+        inv = Roles('./tests/cfg/roles.yml')
+        groups = inv.get_groups_to_remove(
+                ['admin-lv2', 'admin-lv3', 'users'],
+                ['admin-lv2']
+        )
+        expected = {'ad': Set(['Administrators', 'Domain Controllers']), 'ldap': Set(['cn=nagios admins,ou=group,dc=example,dc=com', 'cn=puppet admins,ou=group,dc=example,dc=com', 'cn=dns admins,ou=group,dc=example,dc=com'])}
+        assert groups == expected
+
     def testGetGroup(self):
         inv = Roles('./tests/cfg/roles.yml')
         res = inv.get_groups('users')