[usit-rt.git] / local / bin / rt-update-groups

#!/usr/bin/perl
#
# Author: Petter Reinholdtsen
# Date:   2005-06-29
#
# Synchronize netgroups and RT groups, and make sure only users with
# group membership are privileged users.
#
# The list of groups to synchronize is generated by looking for the
# regex (netgroupsync: .+) in the group description.

# Location of RT's libs and scripts
# Remember to change to correct path on current RT instance
use lib '/www/data/rt/rt-perl/current-perl10/share/perl5';
use lib '/www/data/rt/rt-perl/current-perl10/lib/perl5';
use lib '/www/data/rt/rt-perl/current-perl10/lib64/perl5';

use lib ("/www/var/rt/local/lib", "/www/var/rt/lib");
use strict;
use warnings;

use Getopt::Std;
use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
use Net::LDAP::Util qw(ldap_error_name);
use RT::Interface::CLI qw(CleanEnv);
use RT::User;

my %opts;

getopts("dp", \%opts);

# Map from RT to netgroup group
my %groupmap;

CleanEnv();
RT::LoadConfig();
RT::Init();

my $LdapServer = "ldap.uio.no";
my $LdapNGBase = "cn=netgroups,cn=system,dc=uio,dc=no";
my %system_users = ('root'    => "Superuser",
                    'rt-user' => "Internal user");

# Merge static and dynamic list until all synced groups in RT have
# updated comments.
%groupmap = (%groupmap, get_synced_groups());

# Sync netgroup and RT group.  The netgroup is authorative.  Do this
# often.
#
#  - If a user exist in RT, and is listed in the netgroup but not in
#    the RT group, give it privilege rights and add it to the group.
#
#  - If a is listed in the RT group, but not in the netgroup, remove
#    the user from the RT group.

for my $rtgroupname (sort keys %groupmap) {
    my $netgroupname = $groupmap{$rtgroupname};
    print "Updating RT group $rtgroupname from netgroup $netgroupname\n"
        if $opts{'d'};
    my %in_netgroup;
    map { $in_netgroup{$_} = 1 if defined} netgroup_users($netgroupname);

    # First, revoke membership for users missing in the netgroup
    my $users = get_users_in_rtgroup($rtgroupname);
    while (my $user = $users->Next) {
        my $username = $user->Name;
        next if ($system_users{$username});

        if ( ! $in_netgroup{$username}) {
            my ($status, $statusmsg) = del_rtgroupmember($rtgroupname, $user);
            if (0 != $status) {
                my $msg = "Removed user '$username' as member ".
                    "of group $rtgroupname";
                $RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
            } else {
                my $msg = "Failed do remove user '$username' as member ".
                    "of group $rtgroupname";
                $RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
            }
        }
    }

    # Next, make sure all users in the netgroup are members of the rt group
    my $user = new RT::User($RT::SystemUser);
    for my $username (sort keys %in_netgroup) {
        $user->Load($username);
#
#        if ($user->Id && !is_rtgroupmember($rtgroupname, $user)) {
#
# There is someting strange about the RT api - something has changed in RT4
# Need to look into it ref https://rt.uio.no/Ticket/Display.html?id=954612

        if ($user->Id) {
            my $msg = "Adding user '$username' as member to group $rtgroupname";
            $RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
            add_rtgroupmember($rtgroupname, $user);
        }
    }
}

# Remove privilege rights from privileged users without any user group
# membership.  Do this at night, to reduce the chance of conflict with
# manual group updates.

#  - Loop over all privileged users, check if they are member of at
#    least one group

if ($opts{'p'}) {
    my $users = get_users_in_rtgroup("privileged");
    while (my $user = $users->Next) {
        my $username = $user->Name;
        next if ($system_users{$username});
        if (! is_member_of_any_group($user)) {
            del_rtgroupmember("privileged", $user);
            my ($status, $statusmsg) = del_rtgroupmember("privileged", $user);
            if (0 != $status) {
                my $msg = "Made user '$username' non-privileged";
                $RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
            } else {
                my $msg = "Failed to make user '$username' non-privileged";
                $RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
            }
        }
    }
}

#
# Locate all groups with "(netgroupsync: <group>)" as part of the
# group description, return a hash with netgroupname => rtgroupname.
#
sub get_synced_groups {
    my %groupmap;

    my $Groups = new RT::Groups($RT::SystemUser);
    $Groups->LimitToUserDefinedGroups();
    $Groups->LimitToEnabled();

    while ( my $Group = $Groups->Next) {
        next unless ($Group->Description =~ m/\(netgroupsync: *(\S+)\)/);
        my $netgroupname = $1;
        $groupmap{$Group->Name} = $netgroupname;
    }
    return %groupmap;
}


sub netgroup_users {
    my $group = shift;
    my $ldap = LdapConnect();
    my @users;
    my %groups;
    my $mesg = $ldap->search(
                          base       => $LdapNGBase,
                          scope      => "one",
                          filter     => "cn=$group",
                          attributes => ["nisNetgroupTriple","memberNisNetgroup"],
                          );
    if ( ($mesg->code != LDAP_SUCCESS) and
         ($mesg->code != LDAP_PARTIAL_RESULTS) ) {
        $RT::Logger->critical("rt-group-sync: Search failed: ",
                              "retval=", $mesg->code, " ",
                              ldap_error_name($mesg->code));
        LdapDisconnect($ldap);
        return undef;
    }

    if (1 != $mesg->count) {
        LdapDisconnect($ldap);
        return undef;
    }

    while (my $entry = $mesg->shift_entry){
        for ($entry->get_value("memberNisNetgroup")) {
             $groups{$_} = 0 unless $groups{$_};
        }
        for ($entry->get_value("nisNetgroupTriple")) {
            m/\(,(.*?),\)/;
            push (@users, $1);
        }
    }
    for (keys %groups) {
	push (@users, netgroup_users ($_)) unless $groups{$_};
	$groups{$_}=1;
    }
    LdapDisconnect($ldap);
    chomp @users;
    return keys %{{ map { $_ => 1 } @users }};
}


sub get_users_in_rtgroup {
    my $rtgroupname = shift;
    my $users;
    if ("privileged" eq $rtgroupname) {
        $users = new RT::Users($RT::SystemUser);
        $users->LimitToPrivileged();
    } else {
        my $group = RT::Group->new($RT::SystemUser);
        $group->LoadUserDefinedGroup($rtgroupname);
        $users = $group->UserMembersObj()
    }
    return $users;
}

sub is_rtgroupmember {
    my ($rtgroupname, $user) = @_;
    return undef unless ($user->Id);
    if ("privileged" eq $rtgroupname) {
        return $user->Privileged;
    } else {
        my $group = RT::Group->new($RT::SystemUser);
        $group->LoadUserDefinedGroup($rtgroupname);
        return 1 if ($group->HasMember($user->PrincipalObj));
    }
    return undef;
}

sub add_rtgroupmember {
    my ($rtgroupname, $user) = @_;
    if ("privileged" eq $rtgroupname) {
        $user->SetPrivileged(1);
    } else {
        # Make sure user is privileged, to make it possible to add it
        # to a group.
        $user->SetPrivileged(1);
        my $group = RT::Group->new($RT::SystemUser);
        $group->LoadUserDefinedGroup($rtgroupname);
        $group->AddMember($user->id);
    }
}

sub del_rtgroupmember {
    my ($rtgroupname, $user) = @_;
    if ("privileged" eq $rtgroupname) {
        return $user->SetPrivileged(0);
    } else {
        my $group = RT::Group->new($RT::SystemUser);
        $group->LoadUserDefinedGroup($rtgroupname);
        return $group->DeleteMember($user->id);
    }
}

sub is_member_of_any_group {
    my $user = shift;
    my $groups = RT::Groups->new($RT::SystemUser);
    $groups->LimitToUserDefinedGroups();
    $groups->WithMember(PrincipalId => $user->id, Recursively => 1);
    return ($groups->Count > 0)
};


sub LdapConnect {

    my $mesg;
    my $ldap = Net::LDAP->new($LdapServer,
                              version => 3);

    unless ($ldap) {
        $RT::Logger->critical("rt-group-sync: Cannot connect to",
                              "LDAP server ", $LdapServer);
        return undef;
    }
    $mesg = $ldap->bind;
    if ($mesg->code != LDAP_SUCCESS) {
        $RT::Logger->critical("rt-group-sync: Cannot bind to LDAP: ",
                              "retval=", $mesg->code, " ",
                              ldap_error_name($mesg->code));
        return undef;
    }
    return $ldap;
}

sub LdapDisconnect {
    my $ldap = shift;
    my $mesg = $ldap->unbind();
    if ($mesg->code != LDAP_SUCCESS) {
        $RT::Logger->critical("LdapDisconnect: unbind failed: ",
                              "retval=", $mesg->code, " ",
                              ldap_error_name($mesg->code));
    }
}
Commit	Line	Data
84fb5b46 MKG	1	#!/usr/bin/perl
	2	#
	3	# Author: Petter Reinholdtsen
	4	# Date: 2005-06-29
	5	#
	6	# Synchronize netgroups and RT groups, and make sure only users with
	7	# group membership are privileged users.
	8	#
	9	# The list of groups to synchronize is generated by looking for the
	10	# regex (netgroupsync: .+) in the group description.
	11
	12	# Location of RT's libs and scripts
	13	# Remember to change to correct path on current RT instance
	14	use lib '/www/data/rt/rt-perl/current-perl10/share/perl5';
	15	use lib '/www/data/rt/rt-perl/current-perl10/lib/perl5';
	16	use lib '/www/data/rt/rt-perl/current-perl10/lib64/perl5';
	17
	18	use lib ("/www/var/rt/local/lib", "/www/var/rt/lib");
	19	use strict;
	20	use warnings;
	21
	22	use Getopt::Std;
	23	use Net::LDAP qw(LDAP_SUCCESS LDAP_PARTIAL_RESULTS);
	24	use Net::LDAP::Util qw(ldap_error_name);
	25	use RT::Interface::CLI qw(CleanEnv);
	26	use RT::User;
	27
	28	my %opts;
	29
	30	getopts("dp", \%opts);
	31
	32	# Map from RT to netgroup group
	33	my %groupmap;
	34
	35	CleanEnv();
	36	RT::LoadConfig();
	37	RT::Init();
	38
	39	my $LdapServer = "ldap.uio.no";
	40	my $LdapNGBase = "cn=netgroups,cn=system,dc=uio,dc=no";
	41	my %system_users = ('root' => "Superuser",
	42	'rt-user' => "Internal user");
	43
	44	# Merge static and dynamic list until all synced groups in RT have
	45	# updated comments.
	46	%groupmap = (%groupmap, get_synced_groups());
	47
	48	# Sync netgroup and RT group. The netgroup is authorative. Do this
	49	# often.
	50	#
	51	# - If a user exist in RT, and is listed in the netgroup but not in
	52	# the RT group, give it privilege rights and add it to the group.
	53	#
	54	# - If a is listed in the RT group, but not in the netgroup, remove
	55	# the user from the RT group.
	56
	57	for my $rtgroupname (sort keys %groupmap) {
	58	my $netgroupname = $groupmap{$rtgroupname};
	59	print "Updating RT group $rtgroupname from netgroup $netgroupname\n"
	60	if $opts{'d'};
	61	my %in_netgroup;
	62	map { $in_netgroup{$_} = 1 if defined} netgroup_users($netgroupname);
	63
	64	# First, revoke membership for users missing in the netgroup
65	my $users = get_users_in_rtgroup($rtgroupname);
66	while (my $user = $users->Next) {
67	my $username = $user->Name;
68	next if ($system_users{$username});
69
70	if ( ! $in_netgroup{$username}) {
71	my ($status, $statusmsg) = del_rtgroupmember($rtgroupname, $user);
72	if (0 != $status) {
73	my $msg = "Removed user '$username' as member ".
74	"of group $rtgroupname";
75	$RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
76	} else {
77	my $msg = "Failed do remove user '$username' as member ".
78	"of group $rtgroupname";
79	$RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
80	}
81	}
82	}
83
84	# Next, make sure all users in the netgroup are members of the rt group
85	my $user = new RT::User($RT::SystemUser);
86	for my $username (sort keys %in_netgroup) {
87	$user->Load($username);
88	#
89	# if ($user->Id && !is_rtgroupmember($rtgroupname, $user)) {
90	#
91	# There is someting strange about the RT api - something has changed in RT4
92	# Need to look into it ref https://rt.uio.no/Ticket/Display.html?id=954612
93
94	if ($user->Id) {
95	my $msg = "Adding user '$username' as member to group $rtgroupname";
96	$RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
97	add_rtgroupmember($rtgroupname, $user);
98	}
99	}
100	}
101
102	# Remove privilege rights from privileged users without any user group
103	# membership. Do this at night, to reduce the chance of conflict with
104	# manual group updates.
105
106	# - Loop over all privileged users, check if they are member of at
107	# least one group
108
109	if ($opts{'p'}) {
110	my $users = get_users_in_rtgroup("privileged");
111	while (my $user = $users->Next) {
112	my $username = $user->Name;
113	next if ($system_users{$username});
114	if (! is_member_of_any_group($user)) {
115	del_rtgroupmember("privileged", $user);
116	my ($status, $statusmsg) = del_rtgroupmember("privileged", $user);
117	if (0 != $status) {
118	my $msg = "Made user '$username' non-privileged";
119	$RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
120	} else {
121	my $msg = "Failed to make user '$username' non-privileged";
122	$RT::Logger->info("$msg"); print "$msg\n" if $opts{'d'};
123	}
124	}
125	}
126	}
127
128	#
129	# Locate all groups with "(netgroupsync: <group>)" as part of the
130	# group description, return a hash with netgroupname => rtgroupname.
131	#
132	sub get_synced_groups {
133	my %groupmap;
134
135	my $Groups = new RT::Groups($RT::SystemUser);
136	$Groups->LimitToUserDefinedGroups();
137	$Groups->LimitToEnabled();
138
139	while ( my $Group = $Groups->Next) {
140	next unless ($Group->Description =~ m/\(netgroupsync: *(\S+)\)/);
141	my $netgroupname = $1;
142	$groupmap{$Group->Name} = $netgroupname;
143	}
144	return %groupmap;
145	}
146
147
148
149	sub netgroup_users {
150	my $group = shift;
151	my $ldap = LdapConnect();
152	my @users;
153	my %groups;
154	my $mesg = $ldap->search(
155	base => $LdapNGBase,
156	scope => "one",
157	filter => "cn=$group",
158	attributes => ["nisNetgroupTriple","memberNisNetgroup"],
159	);
160	if ( ($mesg->code != LDAP_SUCCESS) and
161	($mesg->code != LDAP_PARTIAL_RESULTS) ) {
162	$RT::Logger->critical("rt-group-sync: Search failed: ",
163	"retval=", $mesg->code, " ",
164	ldap_error_name($mesg->code));
165	LdapDisconnect($ldap);
166	return undef;
167	}
168
169	if (1 != $mesg->count) {
170	LdapDisconnect($ldap);
171	return undef;
172	}
173
174	while (my $entry = $mesg->shift_entry){
175	for ($entry->get_value("memberNisNetgroup")) {
176	$groups{$_} = 0 unless $groups{$_};
177	}
178	for ($entry->get_value("nisNetgroupTriple")) {
179	m/\(,(.*?),\)/;
180	push (@users, $1);
181	}
182	}
183	for (keys %groups) {
184	push (@users, netgroup_users ($_)) unless $groups{$_};
185	$groups{$_}=1;
186	}
187	LdapDisconnect($ldap);
188	chomp @users;
189	return keys %{{ map { $_ => 1 } @users }};
190	}
191
192
193	sub get_users_in_rtgroup {
194	my $rtgroupname = shift;
195	my $users;
196	if ("privileged" eq $rtgroupname) {
197	$users = new RT::Users($RT::SystemUser);
198	$users->LimitToPrivileged();
199	} else {
200	my $group = RT::Group->new($RT::SystemUser);
201	$group->LoadUserDefinedGroup($rtgroupname);
202	$users = $group->UserMembersObj()
203	}
204	return $users;
205	}
206
207	sub is_rtgroupmember {
208	my ($rtgroupname, $user) = @_;
209	return undef unless ($user->Id);
210	if ("privileged" eq $rtgroupname) {
211	return $user->Privileged;
212	} else {
213	my $group = RT::Group->new($RT::SystemUser);
214	$group->LoadUserDefinedGroup($rtgroupname);
215	return 1 if ($group->HasMember($user->PrincipalObj));
216	}
217	return undef;
218	}
219
220	sub add_rtgroupmember {
221	my ($rtgroupname, $user) = @_;
222	if ("privileged" eq $rtgroupname) {
223	$user->SetPrivileged(1);
224	} else {
225	# Make sure user is privileged, to make it possible to add it
226	# to a group.
227	$user->SetPrivileged(1);
228	my $group = RT::Group->new($RT::SystemUser);
229	$group->LoadUserDefinedGroup($rtgroupname);
230	$group->AddMember($user->id);
231	}
232	}
233
234	sub del_rtgroupmember {
235	my ($rtgroupname, $user) = @_;
236	if ("privileged" eq $rtgroupname) {
237	return $user->SetPrivileged(0);
238	} else {
239	my $group = RT::Group->new($RT::SystemUser);
240	$group->LoadUserDefinedGroup($rtgroupname);
241	return $group->DeleteMember($user->id);
242	}
243	}
244
245	sub is_member_of_any_group {
246	my $user = shift;
247	my $groups = RT::Groups->new($RT::SystemUser);
248	$groups->LimitToUserDefinedGroups();
249	$groups->WithMember(PrincipalId => $user->id, Recursively => 1);
250	return ($groups->Count > 0)
251	};
252
253
254
255	sub LdapConnect {
256
257	my $mesg;
258	my $ldap = Net::LDAP->new($LdapServer,
259	version => 3);
260
261	unless ($ldap) {
262	$RT::Logger->critical("rt-group-sync: Cannot connect to",
263	"LDAP server ", $LdapServer);
264	return undef;
265	}
266	$mesg = $ldap->bind;
267	if ($mesg->code != LDAP_SUCCESS) {
268	$RT::Logger->critical("rt-group-sync: Cannot bind to LDAP: ",
269	"retval=", $mesg->code, " ",
270	ldap_error_name($mesg->code));
271	return undef;
272	}
273	return $ldap;
274	}
275
276	sub LdapDisconnect {
277	my $ldap = shift;
278	my $mesg = $ldap->unbind();
279	if ($mesg->code != LDAP_SUCCESS) {
280	$RT::Logger->critical("LdapDisconnect: unbind failed: ",
281	"retval=", $mesg->code, " ",
282	ldap_error_name($mesg->code));
283	}
284	}
285