
Privileged ldap #157

Merged
merged 10 commits into from
Feb 23, 2019

Conversation

ja5087 (Member) commented Feb 12, 2019

addresses #142

dkess (Member) left a review comment

Thanks for doing this, it's a welcome change. I think it should be slightly re-organized but other than that this lgtm!

Two review threads on ocflib/infra/ldap.py (outdated, resolved)
dkess (Member) commented Feb 13, 2019

Code looks good; however, tests are now failing because the test runner can't find the password file. I think the best way to deal with this would be to move the tests to the manual section and prompt for the password there.

ja5087 (Member, Author) commented Feb 19, 2019

I'm going to try to mock the function instead of moving the tests to manual (where they may never get run), but that isn't working yet.

Two review threads on ocflib/infra/ldap.py (outdated, resolved)
dkess (Member) commented Feb 19, 2019

Thanks for this, I think the new code is good now.

Instead of mocking functions, I'd say it's fine to give the test runner access to the password (it's accessible to all staff anyway) and actually run the functions. This will probably require a PR to Puppet.

dkess (Member) left a review comment

LGTM; however, at some point we should remove the mock and really test the function.
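The two testing strategies argued over in this thread (mocking the password reader, versus giving the test runner a real password file and running the code for real), as an added example that is not ocflib's own code. The path constant and the function names mirror the traceback quoted later in the thread, but their bodies are hypothetical stand-ins: the lookup returns the credential it would have bound with instead of opening an LDAP connection, so a test can assert on it.

```python
import os
import stat
import tempfile
from unittest import mock

# Assumed path, taken from the traceback quoted later in this thread; the
# reader and lookup below are hypothetical stand-ins, not ocflib's code.
UCB_LDAP_PASSWORD_PATH = '/etc/ucbldap.passwd'


def _read_ucb_password(path=None):
    """Read the privileged bind password from disk.

    A bare FileNotFoundError escaping from deep inside a request handler is
    hard to act on, so the missing-file case is turned into a RuntimeError
    that names the secret that is absent.
    """
    path = path or UCB_LDAP_PASSWORD_PATH
    try:
        with open(path, 'r') as password_file:
            return password_file.read().strip()
    except FileNotFoundError:
        raise RuntimeError(
            'privileged LDAP password file {} is missing'.format(path))


def user_attrs_ucb(calnet_uid):
    """Hypothetical lookup that would bind with the privileged credential.

    The real function would open an LDAP connection; this stand-in returns
    the credential it would have bound with so tests can check it.
    """
    password = _read_ucb_password()
    return {'uid': calnet_uid, 'bound_with': password}


def lookup_with_mocked_reader(calnet_uid):
    """Option 1 (what this PR merged with): mock the reader.

    The test never touches the filesystem, so it runs on any machine, but
    the real open()/strip() path is never exercised.
    """
    target = __name__ + '._read_ucb_password'
    with mock.patch(target, return_value='fake-password'):
        return user_attrs_ucb(calnet_uid)


def lookup_with_temp_password_file(calnet_uid, password):
    """Option 2 (the reviewer's preference): give the test a real file.

    A throwaway 0600 file in a temp dir stands in for the provisioned
    secret; only the path constant is patched, so the reader runs for real.
    """
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, 'ucbldap.passwd')
        with open(path, 'w') as password_file:
            password_file.write(password + '\n')
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: not group/world readable
        with mock.patch(__name__ + '.UCB_LDAP_PASSWORD_PATH', path):
            return user_attrs_ucb(calnet_uid)


def missing_file_error(path):
    """Return the reader's error message for an absent file, or None."""
    try:
        _read_ucb_password(path)
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(lookup_with_mocked_reader(1234567))
    print(lookup_with_temp_password_file(1234567, 'hunter2'))
    print(missing_file_error('/nonexistent/ucbldap.passwd'))
```

Option 1 is what keeps the suite green on a developer laptop; option 2 is the one that would have caught the trailing-newline and file-permission details, because the reader actually runs. Either way, the test only ever sees a throwaway value, never the production credential.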

ja5087 merged commit ed886f7 into ocf:master Feb 23, 2019
dkess added a commit that referenced this pull request Feb 23, 2019:
    This reverts commit ed886f7, reversing changes made to 2b27af0.
dkess (Member) commented Feb 23, 2019

This commit needs to be temporarily reverted, as it breaks ocfweb. We got the following rootspam this morning (I've redacted some extra information here):

A problem was encountered and reported via ocflib:

An exception occured in ocfweb:

Traceback (most recent call last):
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py", line 124, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/ocfweb/ocfweb/auth.py", line 53, in wrapper
    return fn(request, *args, **kwargs)
  File "/opt/ocfweb/ocfweb/account/register.py", line 51, in request_account
    if not user_attrs_ucb(calnet_uid):
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/account/search.py", line 56, in user_attrs_ucb
    base=UCB_LDAP_PEOPLE)
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/account/search.py", line 47, in user_attrs
    with connection(dn, password) as c:
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/infra/ldap.py", line 81, in ldap_ucb_privileged
    password = _read_ucb_password()
  File "/opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/infra/ldap.py", line 256, in _read_ucb_password
    with open(UCB_LDAP_PASSWORD_PATH, 'r') as passwordFile:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/ucbldap.passwd'



Request:
  * Host: www.ocf.berkeley.edu
  * Path: /account/register/
  * Method: GET
  * Secure: True

Request Headers:
{'CSRF_COOKIE': '<REDACTED>',
 'HTTP_CONNECTION': 'close',
 'HTTP_COOKIE': '<REDACTED>',
 'HTTP_HOST': 'www.ocf.berkeley.edu',
 'HTTP_REFERER': 'https://auth.berkeley.edu/cas/login?((redacted))

 'HTTP_VIA': '1.1 www.ocf.berkeley.edu',
 'HTTP_X_FORWARDED_HOST': 'www.ocf.berkeley.edu',
 'HTTP_X_FORWARDED_PROTO': 'https',
 'HTTP_X_FORWARDED_SERVER': 'www.ocf.berkeley.edu',
 'PATH_INFO': '/account/register/',
 'QUERY_STRING': '',
 'RAW_URI': '/account/register/',
 'REMOTE_ADDR': '127.0.0.1',
 'REMOTE_PORT': '52574',
 'REQUEST_METHOD': 'GET',
 'SCRIPT_NAME': '',
 'SERVER_NAME': '127.0.0.1',
 'SERVER_PORT': '8080',
 'SERVER_PROTOCOL': 'HTTP/1.0',
 'SERVER_SOFTWARE': 'gunicorn/19.9.0',
 'gunicorn.socket': <socket.socket fd=9, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('127.0.0.1', 8080), raddr=('127.0.0.1', 52574)>,
 'wsgi.errors': <gunicorn.http.wsgi.WSGIErrorsWrapper object at 0x7f6f312256d8>,
 'wsgi.file_wrapper': <class 'gunicorn.http.wsgi.FileWrapper'>,
 'wsgi.input': <gunicorn.http.body.Body object at 0x7f6f31225860>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'https',
 'wsgi.version': (1, 0)}

Session:
{'calnet_uid': ((redacted)), 'login_return_path': '/about/staff'}


====
Hostname: ce044e06d63a
Callstack:
    at /opt/ocfweb/venv/lib/python3.5/site-packages/ocflib/misc/mail.py:95 (send_problem_report)
        by /opt/ocfweb/ocfweb/middleware/errors.py:86 (process_exception)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:166 (process_exception_by_middleware)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:126 (_get_response)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/ocfweb/middleware/errors.py:42 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/utils/deprecation.py:91 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/exception.py:34 (inner)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/base.py:78 (get_response)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/django/core/handlers/wsgi.py:142 (__call__)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:176 (handle_request)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:135 (handle)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:30 (accept)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:68 (run_for_one)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/sync.py:124 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/workers/base.py:134 (init_process)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:583 (spawn_worker)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:616 (spawn_workers)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:545 (manage_workers)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/arbiter.py:203 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/base.py:72 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/base.py:223 (run)
        by /opt/ocfweb/venv/lib/python3.5/site-packages/gunicorn/app/wsgiapp.py:61 (run)
        by /opt/ocfweb/venv/bin/gunicorn:11 (<module>)

Looks like this is happening because the password file isn't inside the docker container that ocfweb is running in. We'll have to change the container configuration. The password should also perhaps be part of the ocfweb development configuration.
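A preflight check of the kind that would have caught this before the first request, as an added example that is not ocfweb's or ocflib's code. It is meant to run once at process start and report a missing, empty, unreadable or world-readable secret file, instead of letting FileNotFoundError surface from a request handler on /account/register/. The path is the one in the traceback; the function names, messages and the constructed files in demo() are this example's own.

```python
import os
import stat
import tempfile

# Assumed path, taken from the traceback above; the check itself is an added
# example and not part of ocflib or ocfweb.
UCB_LDAP_PASSWORD_PATH = '/etc/ucbldap.passwd'


def check_secret_file(path=UCB_LDAP_PASSWORD_PATH):
    """Return a list of problems with a secret file (empty means usable).

    Run this at process start so a missing or exposed secret fails the
    deployment immediately rather than on the first request that needs a
    privileged bind.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ['{}: not found (is the secret mounted into this container?)'.format(path)]

    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append('{}: not a regular file'.format(path))
    # Only world-readable is flagged: the thread notes the password is
    # deliberately available to all staff, so group-readable may be by design.
    if st.st_mode & stat.S_IROTH:
        problems.append('{}: world-readable (mode {:o})'.format(
            path, stat.S_IMODE(st.st_mode)))
    if st.st_size == 0:
        problems.append('{}: empty'.format(path))
    try:
        with open(path, 'r') as secret:
            secret.read(1)
    except PermissionError:
        problems.append('{}: not readable by this process'.format(path))
    return problems


def preflight(paths=(UCB_LDAP_PASSWORD_PATH,)):
    """Check every required secret; raise one error listing all problems."""
    problems = []
    for path in paths:
        problems.extend(check_secret_file(path))
    if problems:
        raise RuntimeError('secret preflight failed:\n  ' + '\n  '.join(problems))


def demo():
    """Exercise the check against constructed files in a temp dir.

    Returns a dict of check results keyed by scenario name.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        def write(name, content, mode):
            path = os.path.join(tmpdir, name)
            with open(path, 'w') as f:
                f.write(content)
            os.chmod(path, mode)
            return path

        results['ok'] = check_secret_file(write('good.passwd', 'hunter2\n', 0o600))
        results['leaky'] = check_secret_file(write('leaky.passwd', 'hunter2\n', 0o644))
        results['empty'] = check_secret_file(write('empty.passwd', '', 0o600))
        results['missing'] = check_secret_file(os.path.join(tmpdir, 'absent.passwd'))
    return results


if __name__ == '__main__':
    for scenario, problems in demo().items():
        print(scenario, '->', problems or 'OK')
    # In a real entrypoint, before the WSGI server starts:
    # preflight()
```

Calling preflight() from the container entrypoint (or from a readiness probe) turns a forgotten mount into a failed start that the person deploying the container sees, rather than a rootspam email triggered by the first user who hits the registration page. It also gives the "password in the development configuration" idea a concrete contract: the dev config just has to satisfy the same check.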

4 participants