Merge branch 'master' into 69-show-groups

PACKAGING.md

@@ -9,6 +9,8 @@ Make sure your GPG key is in /srv/debian/gpg on potassium-benzoate. See
 [here](https://wiki.csclub.uwaterloo.ca/Debian_Repository#Step_1:_Add_to_Uploaders)
 for instructions.
 
+Make sure you are in the `csc-mirror` group too.
+
 ## Creating the package
 Use Docker/Podman to avoid screwing up your main system.
 For example, to create a package for bullseye (replace `podman` with `docker` in all instances below if you're using Docker):
@@ -58,7 +60,7 @@ podman cp pyceo-packaging:/home/max/repos/pyceo.tar.gz .
 (Replace `/home/max/repos` by the directory in the container with the tarball.)
 Now upload the tarball to a CSC machine, e.g.
 ```
-scp pyceo.tar.gz mannitol:~/
+scp pyceo.tar.gz mannitol:~
 ```
 SSH into that machine and extract the tarball into a separate directory:
 ```

VERSION.txt

@@ -1 +1 @@
-1.0.23
+1.0.24

ceo_common/model/HTTPClient.py

@@ -6,7 +6,7 @@ from requests_gssapi import HTTPSPNEGOAuth
 from zope import component
 from zope.interface import implementer
 
-from ceo_common.interfaces import IConfig, IHTTPClient
+from ceo_common.interfaces import IConfig, IHTTPClient, IKerberosService
 
 
 @implementer(IHTTPClient)
@@ -40,10 +40,18 @@ class HTTPClient:
                 'opportunistic_auth': True,
                 'target_name': gssapi.Name('ceod/' + host),
             }
-            if flask.has_request_context() and 'client_token' in g:
+            if flask.has_request_context():
                 # This is reached when we are the server and the client has
                 # forwarded their credentials to us.
-                spnego_kwargs['creds'] = gssapi.Credentials(token=g.client_token)
+                token = None
+                if g.get('need_admin_creds', False):
+                    # Some Kerberos bindings in some programming languages can't
+                    # perform delegation, so use the admin creds here.
+                    token = component.getUtility(IKerberosService).get_admin_creds_token()
+                elif 'client_token' in g:
+                    token = g.client_token
+                if token is not None:
+                    spnego_kwargs['creds'] = gssapi.Credentials(token=token)
             elif delegate:
                 # This is reached when we are the client and we want to
                 # forward our credentials to the server.

ceod/model/LDAPService.py

@@ -316,12 +316,12 @@ class LDAPService:
         self,
         dry_run: bool = False,
         members: Union[List[str], None] = None,
-        uwldap_batch_size: int = 10,
+        uwldap_batch_size: int = 100,
     ):
         if members:
             filter = '(|' + ''.join([f'(uid={uid})' for uid in members]) + ')'
         else:
-            filter = '(objectClass=*)'
+            filter = '(objectClass=member)'
         conn = self._get_ldap_conn()
         conn.search(
             self.ldap_users_base, filter, attributes=['uid', 'program'])
@@ -336,12 +336,17 @@ class LDAPService:
             batch_uids = uids[i:i + uwldap_batch_size]
             batch_uw_programs = uwldap_srv.get_programs_for_users(batch_uids)
             uw_programs.extend(batch_uw_programs)
+        # uw_programs[i] will be None if the 'ou' attribute was not
+        # present in UWLDAP, or if no UWLDAP entry was found at all
+        for i, uw_program in enumerate(uw_programs):
+            if uw_program in (None, 'expired', 'orphaned'):
+                # If the UWLDAP record is orphaned, nonexistent, or missing
+                # data, assume that the member graduated
+                uw_programs[i] = 'Alumni'
         users_to_change = [
             (uids[i], csc_programs[i], uw_programs[i])
             for i in range(len(uids))
-            if csc_programs[i] != uw_programs[i] and (
-                uw_programs[i] not in (None, 'expired', 'orphaned')
-            )
+            if csc_programs[i] != uw_programs[i]
         ]
         if dry_run:
             return users_to_change

debian/changelog

@@ -1,3 +1,16 @@
+ceo (1.0.24-bullseye1) bullseye; urgency=high
+
+  * Add support for using number in member terms renwewal API
+  * Sort group member listing by WatIAM ID
+  * Add more logging for Cloudstack
+  * Use LDAP instead of NSS
+  * Fix shadowExpire deserialization
+  * Fix email formatting bug in ClubWebHostingService
+  * Check if mail_local_addresses exists in UWLDAP entry
+  * Remove override_dh_systemd_start
+
+ -- Max Erenberg <merenber@csclub.uwaterloo.ca>  Sun, 23 Oct 2022 21:41:00 -0400
+
 ceo (1.0.23-bullseye1) bullseye; urgency=high
 
   * Fix some bugs in ClubWebHostingService.

debian/control

@@ -6,7 +6,8 @@ Standards-Version: 4.3.0
 Vcs-Git: https://git.csclub.uwaterloo.ca/public/pyceo.git
 Vcs-Browser: https://git.csclub.uwaterloo.ca/public/pyceo
 Uploaders: Max Erenberg <merenber@csclub.uwaterloo.ca>,
-    Raymond Li <raymo@csclub.uwaterloo.ca>
+    Raymond Li <raymo@csclub.uwaterloo.ca>,
+    Edwin <e42zhang@csclub.uwaterloo.ca>
 Build-Depends: debhelper (>= 12.1.1),
     python3-dev (>= 3.7),
     python3-venv (>= 3.7),

tests/conftest.py

@@ -298,6 +298,17 @@ def uwldap_srv(cfg, ldap_conn):
     delete_subtree(conn, base_dn)
 
     conn.add(base_dn, 'organizationalUnit')
+    conn.add(
+        f'uid=ctdalek,{base_dn}',
+        ['inetLocalMailRecipient', 'inetOrgPerson', 'organizationalPerson', 'person'],
+        {
+            'mailLocalAddress': 'ctdalek@uwaterloo.internal',
+            'ou': 'Math',
+            'cn': 'Calum T. Dalek',
+            'sn': 'Dalek',
+            'givenName': 'Calum',
+        },
+    )
     _uwldap_srv = UWLDAPService()
     component.getGlobalSiteManager().registerUtility(_uwldap_srv, IUWLDAPService)
     yield _uwldap_srv