Faidon Liambotis has uploaded a new change for review. https://gerrit.wikimedia.org/r/298976
Change subject: admin: add an NDA audit helper script ...................................................................... admin: add an NDA audit helper script Hacky Python code currently being used to perform user access and NDA audits with the WMF's Legal department. Change-Id: I5a846618854613b2a04d619e308fb58da3bccfe9 --- A modules/admin/data/nda_audit.py 1 file changed, 105 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/76/298976/1
diff --git a/modules/admin/data/nda_audit.py b/modules/admin/data/nda_audit.py
new file mode 100644
index 0000000..75b82ed
--- /dev/null
+++ b/modules/admin/data/nda_audit.py
@@ -0,0 +1,105 @@
+#!/usr/bin/env python
+#
+# Copyright (c) 2016 Wikimedia Foundation, Inc.
+#
+# This script parses our data.yaml file for all users and enriches the
+# information using information gathered from the production/Labs LDAP tree. It
+# finally outputs the information with non-technical labels into a CSV.
+#
+# It's currently being used to perform user access and NDA audits with the
+# WMF's Legal department.
+
+import sys
+import yaml
+import ldap
+import csv
+
+
+def extract_from_yaml():
+    data = open('data.yaml', 'r')
+    admins = yaml.safe_load(data)
+
+    users = {}
+
+    for username, userdata in admins['users'].items():
+        if userdata['ensure'] == 'absent':
+            continue
+
+        groups = []
+        for group, groupdata in admins['groups'].items():
+            if username in groupdata['members']:
+                groups.append(group)
+
+        users[username] = {
+            'realname': userdata['realname'],
+            'uid': userdata['uid'],
+            'prod_groups': groups,
+            'has_server_access': (len(userdata['ssh_keys']) > 0),
+        }
+
+    return users
+
+
+def enrich_from_ldap(users):
+    # needs some configuration
+    ldap_conn = ldap.initialize('ldap://%s:389' % 'localhost')
+    ldap_conn.protocol_version = ldap.VERSION3
+
+    base_dn = "dc=wikimedia,dc=org"
+    people_dn = "ou=people," + base_dn
+    groups_dn = "ou=groups," + base_dn
+
+    for username in users.keys():
+        ldapdata = ldap_conn.search_s(
+            people_dn,
+            ldap.SCOPE_SUBTREE,
+            "(&(objectclass=inetOrgPerson)(uid=" + username + "))",
+            attrlist=['*', '+']
+        )
+        attrs = ldapdata[0][1]
+        user_dn = ldapdata[0][0]
+
+        ldapdata = ldap_conn.search_s(
+            groups_dn,
+            ldap.SCOPE_SUBTREE,
+            "(&(objectclass=groupOfNames)(member=" + user_dn + "))",
+            attrlist=['cn'],
+        )
+        groups = [l[1]['cn'][0] for l in ldapdata]
+
+        users[username]['email'] = ','.join(attrs['mail'])
+        users[username]['has_nda_group'] = ('nda' in groups)
+        users[username]['has_wmf_group'] = ('wmf' in groups)
+        users[username]['ldap_groups'] = groups
+
+    return users
+
+
+def main():
+    users = extract_from_yaml()
+    users = enrich_from_ldap(users)
+
+    userwriter = csv.writer(sys.stdout, delimiter=';')
+    userwriter.writerow([
+        'Username',
+        'Full name',
+        'email',
+        'Has server access',
+        'Has LDAP NDA access',
+        'Has LDAP Staff access',
+    ])
+
+    for username in sorted(users.keys()):
+        userdata = users[username]
+        userwriter.writerow([
+            username,
+            userdata['realname'],
+            userdata['email'],
+            ('yes' if userdata['has_server_access'] else 'no'),
+            ('yes' if userdata['has_nda_group'] else 'no'),
+            ('yes' if userdata['has_wmf_group'] else 'no'),
+        ])
+
+
+if __name__ == '__main__':
+    main()
-- To view, visit https://gerrit.wikimedia.org/r/298976 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I5a846618854613b2a04d619e308fb58da3bccfe9 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
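Review bot: Both search_s filters in enrich_from_ldap are built by string concatenation, `"(uid=" + username + "))"` and `"(member=" + user_dn + "))"`, so a uid or DN containing `*`, `(`, `)` or `\` rewrites the query instead of matching one entry; even though data.yaml is operator-controlled, both values should go through `ldap.filter.escape_filter_chars()` (which needs an explicit `import ldap.filter`). The loop then indexes `ldapdata[0]` unconditionally, so a data.yaml user with no matching LDAP entry — exactly the discrepancy an access audit exists to surface — raises IndexError and aborts the whole report, and `attrs['mail']` fails the same way for an entry without a mail attribute. The connection is also plain `ldap://` with no bind and no TLS, as the `# needs some configuration` comment concedes; since the run pulls names and addresses out of the directory, the configured version should use `ldaps://` or `start_tls_s()` with certificate verification before it is pointed at anything other than a loopback replica. The file opened in extract_from_yaml is never closed either; `with open('data.yaml', 'r') as data:` fixes that.
```python
    for username in users.keys():
        ldapdata = ldap_conn.search_s(
            people_dn,
            ldap.SCOPE_SUBTREE,
            "(&(objectclass=inetOrgPerson)(uid=" +
            ldap.filter.escape_filter_chars(username) + "))",
            attrlist=['*', '+']
        )
        if not ldapdata:
            # In data.yaml but not in LDAP: report it, don't abort the audit.
            users[username]['email'] = ''
            users[username]['has_nda_group'] = False
            users[username]['has_wmf_group'] = False
            users[username]['ldap_groups'] = []
            continue
        user_dn, attrs = ldapdata[0]

        ldapdata = ldap_conn.search_s(
            groups_dn,
            ldap.SCOPE_SUBTREE,
            "(&(objectclass=groupOfNames)(member=" +
            ldap.filter.escape_filter_chars(user_dn) + "))",
            attrlist=['cn'],
        )
        groups = [l[1]['cn'][0] for l in ldapdata]

        users[username]['email'] = ','.join(attrs.get('mail', []))
        # ... unchanged: has_nda_group / has_wmf_group / ldap_groups ...
```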