Add isClubRep attribute (#27)

Closes #24. Co-authored-by: Max Erenberg <> Reviewed-on: #27 Co-authored-by: Max Erenberg <merenber@csclub.uwaterloo.ca> Co-committed-by: Max Erenberg <merenber@csclub.uwaterloo.ca>
1 year ago · e3c50d867a
parent 1fcc49ef12
commit e3c50d867a
15 changed files with 128 additions and 10 deletions
--- a/.drone/csc.schema
+++ b/.drone/csc.schema
@ -20,10 +20,14 @@ attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )

+attributetype ( 1.3.6.1.4.1.27934.1.1.6 NAME 'isClubRep'
+    EQUALITY booleanMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
+
 objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
    SUP top AUXILIARY
    MUST ( cn $ uid )
-    MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
+    MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position $ isClubRep ) )

 objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
    SUP top AUXILIARY
--- a/README.md
+++ b/README.md
@ -2,9 +2,11 @@
 [![Build Status](https://ci.csclub.uwaterloo.ca/api/badges/public/pyceo/status.svg?ref=refs/heads/v1)](https://ci.csclub.uwaterloo.ca/public/pyceo)

 CEO (**C**SC **E**lectronic **O**ffice) is the tool used by CSC to manage
-club accounts and memberships. See [architecture.md](architecture.md) for an
+club accounts and memberships. See [docs/architecture.md](docs/architecture.md) for an
 overview of its architecture.

+The API documentation is available as a plain HTML file in [docs/redoc-static.html](docs/redoc-static.html).
+
 ## Development
 ### Docker
 If you are not modifying code related to email or Mailman, then you may use
--- a/ceo/utils.py
+++ b/ceo/utils.py
@ -105,6 +105,8 @@ def user_dict_kv(d: Dict) -> List[Tuple[str]]:
        pairs.append(('home directory', d['home_directory']))
    if 'is_club' in d:
        pairs.append(('is a club', str(d['is_club'])))
+    if 'is_club_rep' in d:
+        pairs.append(('is a club rep', str(d['is_club_rep'])))
    if 'forwarding_addresses' in d:
        if len(d['forwarding_addresses']) > 0:
            pairs.append(('forwarding addresses', d['forwarding_addresses'][0]))
--- a/ceo_common/interfaces/IUser.py
+++ b/ceo_common/interfaces/IUser.py
@ -19,6 +19,7 @@ class IUser(Interface):
    non_member_terms = Attribute('list of terms for which this person was '
                                 'a club rep')
    mail_local_addresses = Attribute('email aliases')
+    is_club_rep = Attribute('whether this user is a club rep or not')

    # Non-LDAP attributes
    ldap3_entry = Attribute('cached ldap3.Entry instance for this user')
--- a/ceod/api/members.py
+++ b/ceod/api/members.py
@ -20,12 +20,17 @@ bp = Blueprint('members', __name__)
@authz_restrict_to_staff
 def create_user():
    body = request.get_json(force=True)
+    terms = body.get('terms')
+    non_member_terms = body.get('non_member_terms')
+    if (terms and non_member_terms) or not (terms or non_member_terms):
+        raise BadRequest('Must specify either terms or non-member terms')
+
    txn = AddMemberTransaction(
        uid=body['uid'],
        cn=body['cn'],
        program=body.get('program'),
-        terms=body.get('terms'),
-        non_member_terms=body.get('non_member_terms'),
+        terms=terms,
+        non_member_terms=non_member_terms,
        forwarding_addresses=body.get('forwarding_addresses'),
    )
    return create_streaming_response(txn)
@ -67,6 +72,11 @@ def patch_user(auth_user: str, username: str):
@authz_restrict_to_staff
 def renew_user(username: str):
    body = request.get_json(force=True)
+    terms = body.get('terms')
+    non_member_terms = body.get('non_member_terms')
+    if (terms and non_member_terms) or not (terms or non_member_terms):
+        raise BadRequest('Must specify either terms or non-member terms')
+
    ldap_srv = component.getUtility(ILDAPService)
    user = ldap_srv.get_user(username)
    if body.get('terms'):
--- a/ceod/model/LDAPService.py
+++ b/ceod/model/LDAPService.py
@ -197,6 +197,8 @@ class LDAPService:
            entry.position = user.positions
        if user.mail_local_addresses:
            entry.mailLocalAddress = user.mail_local_addresses
+        if user.is_club_rep:
+            entry.isClubRep = True
        if not user.is_club():
            entry.userPassword = '{SASL}%s@%s' % (user.uid, self.ldap_sasl_realm)

--- a/ceod/model/User.py
+++ b/ceod/model/User.py
@ -6,6 +6,7 @@ import ldap3
 from zope import component
 from zope.interface import implementer

+from .utils import should_be_club_rep
 from .validators import is_valid_shell, is_valid_term
 from ceo_common.interfaces import ILDAPService, IKerberosService, IFileService, \
    IUser, IConfig, IMailmanService
@ -26,6 +27,7 @@ class User:
        home_directory: Union[str, None] = None,
        positions: Union[List[str], None] = None,
        mail_local_addresses: Union[List[str], None] = None,
+        is_club_rep: Union[bool, None] = None,
        is_club: bool = False,
        ldap3_entry: Union[ldap3.Entry, None] = None,
    ):
@ -52,6 +54,14 @@ class User:
        self.positions = positions or []
        self.mail_local_addresses = mail_local_addresses or []
        self._is_club = is_club
+        if is_club_rep is None:
+            if is_club:
+                # not a real user
+                self.is_club_rep = False
+            else:
+                self.is_club_rep = should_be_club_rep(terms, non_member_terms)
+        else:
+            self.is_club_rep = is_club_rep
        self.ldap3_entry = ldap3_entry

        self.ldap_srv = component.getUtility(ILDAPService)
@ -66,6 +76,7 @@ class User:
            'login_shell': self.login_shell,
            'home_directory': self.home_directory,
            'is_club': self.is_club(),
+            'is_club_rep': self.is_club_rep,
            'program': self.program or 'Unknown',
        }
        if self.terms:
@ -131,6 +142,7 @@ class User:
            home_directory=attrs['homeDirectory'][0],
            positions=attrs.get('position'),
            mail_local_addresses=attrs.get('mailLocalAddress'),
+            is_club_rep=attrs.get('isClubRep', [False])[0],
            is_club=('club' in attrs['objectClass']),
            ldap3_entry=entry,
        )
@ -148,7 +160,10 @@ class User:
                raise Exception('%s is not a valid term' % term)
        with self.ldap_srv.entry_ctx_for_user(self) as entry:
            entry.term.add(terms)
+            if entry.isClubRep.value:
+                entry.isClubRep.remove()
        self.terms.extend(terms)
+        self.is_club_rep = False

    def add_non_member_terms(self, terms: List[str]):
        for term in terms:
@ -156,7 +171,9 @@ class User:
                raise Exception('%s is not a valid term' % term)
        with self.ldap_srv.entry_ctx_for_user(self) as entry:
            entry.nonMemberTerm.add(terms)
+            entry.isClubRep = True
        self.non_member_terms.extend(terms)
+        self.is_club_rep = True

    def set_positions(self, positions: List[str]):
        with self.ldap_srv.entry_ctx_for_user(self) as entry:
--- a/ceod/model/utils.py
+++ b/ceod/model/utils.py
@ -1,4 +1,6 @@
-from typing import Dict, List
+from typing import Dict, List, Union
+
+from ceo_common.model import Term


 def bytes_to_strings(data: Dict[str, List[bytes]]) -> Dict[str, List[str]]:
@ -25,3 +27,16 @@ def dn_to_uid(dn: str) -> str:
        -> 'ctdalek'
    """
    return dn.split(',', 1)[0].split('=')[1]
+
+
+def should_be_club_rep(terms: Union[None, List[str]],
+                       non_member_terms: Union[None, List[str]]) -> bool:
+    """Returns True iff a user's most recent term was a non-member term."""
+    if not non_member_terms:
+        # no non-member terms => was only ever a member
+        return False
+    if not terms:
+        # no member terms => was only ever a club rep
+        return True
+    # decide using the most recent term (member or non-member)
+    return max(map(Term, non_member_terms)) > max(map(Term, terms))
--- a/ceod/transactions/members/RenewMemberTransaction.py
+++ b/ceod/transactions/members/RenewMemberTransaction.py
@ -3,7 +3,6 @@ from typing import Union, List
 from zope import component

 from ..AbstractTransaction import AbstractTransaction
-from ceo_common.errors import BadRequest
 from ceo_common.interfaces import ILDAPService


@ -23,8 +22,6 @@ class RenewMemberTransaction(AbstractTransaction):
    ):
        super().__init__()
        self.username = username
-        if (terms and non_member_terms) or not (terms or non_member_terms):
-            raise BadRequest('Must specify either terms or non-member terms')
        self.terms = terms
        self.non_member_terms = non_member_terms
        self.ldap_srv = component.getUtility(ILDAPService)
--- a/docs/architecture.md
+++ b/docs/architecture.md
--- a/one_time_scripts/is_club_rep.py
+++ b/one_time_scripts/is_club_rep.py
@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+"""
+This is a script which adds the isClubRep attribute to all LDAP user records
+whose most recent nonMemberTerm is later than their most recent (member) term.
+
+GSSAPI is used for LDAP authentication, so make sure to run `kinit` first.
+Also, make sure to run this script from the top-level of the git directory
+(see the sys.path hack below).
+"""
+import os
+import sys
+
+import ldap3
+
+sys.path.append(os.getcwd())
+from ceod.model.utils import should_be_club_rep
+
+# modify as necessary
+LDAP_URI = "ldaps://auth1.csclub.uwaterloo.ca"
+LDAP_MEMBERS_BASE = "ou=People,dc=csclub,dc=uwaterloo,dc=ca"
+
+conn = ldap3.Connection(
+    LDAP_URI, authentication=ldap3.SASL, sasl_mechanism=ldap3.KERBEROS,
+    auto_bind=True, raise_exceptions=True)
+conn.search(LDAP_MEMBERS_BASE, '(objectClass=member)',
+            attributes=['uid', 'isClubRep', 'term', 'nonMemberTerm'])
+total_records_updated = 0
+for entry in conn.entries:
+    if not should_be_club_rep(entry.term.values, entry.nonMemberTerm.values):
+        continue
+    if entry.isClubRep.value:
+        continue
+    changes = {'isClubRep': [(ldap3.MODIFY_REPLACE, [True])]}
+    conn.modify(entry.entry_dn, changes)
+    print('Modified %s' % entry.uid.value)
+    total_records_updated += 1
+print('Total records updated: %d' % total_records_updated)
--- a/setup.cfg
+++ b/setup.cfg
@ -2,4 +2,4 @@
 ignore =
    # line too long
    E501
-exclude = .git,.vscode,venv,__pycache__,__init__.py,build,dist
+exclude = .git,.vscode,venv,__pycache__,__init__.py,build,dist,one_time_scripts
--- a/tests/ceo/cli/test_members.py
+++ b/tests/ceo/cli/test_members.py
@ -20,6 +20,7 @@ def test_members_get(cli_setup, ldap_user):
        f"login shell:          {ldap_user.login_shell}\n"
        f"home directory:       {ldap_user.home_directory}\n"
        f"is a club:            {ldap_user.is_club()}\n"
+        f"is a club rep:        {ldap_user.is_club_rep}\n"
        "forwarding addresses: \n"
        f"member terms:         {','.join(ldap_user.terms)}\n"
    )
@ -58,7 +59,8 @@ def test_members_add(cli_setup):
        "login shell:          /bin/bash\n"
        "home directory:       [a-z0-9/_-]+/test_1\n"
        "is a club:            False\n"
-        "forwarding addresses: test_1@uwaterloo.internal\n"
+        "is a club rep:        False\n"
+        "forwarding addresses: test_1@uwaterloo\\.internal\n"
        "member terms:         [sfw]\\d{4}\n"
        "password:             \\S+\n$"
    ), re.MULTILINE)
--- a/tests/ceod/api/test_members.py
+++ b/tests/ceod/api/test_members.py
@ -56,6 +56,7 @@ def test_api_create_user(cfg, create_user_resp, mock_mail_server):
            "login_shell": "/bin/bash",
            "home_directory": "/tmp/test_users/test_1",
            "is_club": False,
+            "is_club_rep": False,
            "program": "Math",
            "terms": ["s2021"],
            "forwarding_addresses": ['test_1@uwaterloo.internal'],
@ -175,6 +176,7 @@ def test_api_renew_user(cfg, client, create_user_result, ldap_conn):
    _, data = client.get(f'/api/members/{uid}')
    assert data['terms'] == old_terms + new_terms
    assert data['non_member_terms'] == old_non_member_terms + new_non_member_terms
+    assert data['is_club_rep']

    # cleanup
    base_dn = cfg.get('ldap_users_base')
@ -182,6 +184,7 @@ def test_api_renew_user(cfg, client, create_user_result, ldap_conn):
    changes = {
        'term': [(ldap3.MODIFY_REPLACE, old_terms)],
        'nonMemberTerm': [(ldap3.MODIFY_REPLACE, old_non_member_terms)],
+        'isClubRep': [(ldap3.MODIFY_REPLACE, [])],
    }
    ldap_conn.modify(dn, changes)

--- a/tests/ceod/model/test_user.py
+++ b/tests/ceod/model/test_user.py
@ -162,6 +162,7 @@ def test_user_to_dict(cfg):
        'login_shell': '/bin/bash',
        'home_directory': user.home_directory,
        'is_club': False,
+        'is_club_rep': False,
    }
    assert user.to_dict() == expected

@ -172,3 +173,28 @@ def test_user_to_dict(cfg):
    user.create_home_dir()
    expected['forwarding_addresses'] = []
    assert user.to_dict(True) == expected
+
+
+def test_user_is_club_rep(ldap_user, ldap_srv):
+    user = User(
+        uid='test_jsmith',
+        cn='John Smith',
+        program='Math',
+        terms=['s2021'],
+    )
+    assert not user.is_club_rep
+    club_rep = User(
+        uid='test_jdoe',
+        cn='John Doe',
+        program='Math',
+        non_member_terms=['s2021'],
+    )
+    assert club_rep.is_club_rep
+
+    ldap_user.add_terms(['f2021'])
+    assert not ldap_user.is_club_rep
+    assert not ldap_srv.get_user(ldap_user.uid).is_club_rep
+
+    ldap_user.add_non_member_terms(['w2022'])
+    assert ldap_user.is_club_rep
+    assert ldap_srv.get_user(ldap_user.uid).is_club_rep