From 54d85916a4bb33fd7b529fde0ceb65380aaf007b Mon Sep 17 00:00:00 2001
From: Jim Madge
Date: Wed, 17 Apr 2024 10:41:34 +0100
Subject: [PATCH] Revert some changes of ef7eda247

---
 .../infrastructure/stacks/declarative_sre.py | 71 +++++++++----------
 pyproject.toml | 2 -
 2 files changed, 33 insertions(+), 40 deletions(-)

diff --git a/data_safe_haven/infrastructure/stacks/declarative_sre.py b/data_safe_haven/infrastructure/stacks/declarative_sre.py
index fd7a42dd20..ea4f937dc9 100644
--- a/data_safe_haven/infrastructure/stacks/declarative_sre.py
+++ b/data_safe_haven/infrastructure/stacks/declarative_sre.py
@@ -1,7 +1,6 @@
 """Pulumi declarative program"""
 
 import pulumi
-from ldap_filter import Filter
 
 from data_safe_haven.config import Config
 from data_safe_haven.infrastructure.common import get_subscription_id_from_rg
@@ -76,45 +75,41 @@ def run(self) -> None:
             "user_group_name": f"{ldap_group_name_prefix} Users",
         }
         ldap_username_attribute = "uid"
-
-        # Construct an LDAP filter for users of this SRE
-        ldap_user_filter = Filter.AND(
-            (
-                # Users must be a posixAccount
-                Filter.attribute("objectClass").equal_to("posixAccount"),
-                # ... that belongs to one of the LDAP groups for this SRE
-                Filter.OR(
-                    [
-                        Filter.attribute("memberOf").equal_to(
-                            f"CN={group_name},{ldap_group_search_base}"
-                        )
-                        for group_name in ldap_group_names.values()
-                    ]
+        # LDAP filter syntax: https://ldap.com/ldap-filters/
+        # LDAP filter for users of this SRE
+        ldap_user_filter = "".join(
+            [
+                "(&",
+                # Users are a posixAccount and
+                "(objectClass=posixAccount)",
+                # belong to any of these groups
+                "(|",
+                *(
+                    f"(memberOf=CN={group_name},{ldap_group_search_base})"
+                    for group_name in ldap_group_names.values()
                 ),
-            )
-        ).to_string()
-
-        # Construct an LDAP filter for groups in this SRE
-        ldap_group_filter = Filter.AND(
-            (
-                # Groups must be a posixGroup
-                Filter.attribute("objectClass").equal_to("posixGroup"),
-                Filter.OR(
-                    # ... that is one of the LDAP groups for this SRE
-                    [
-                        Filter.attribute("CN").equal_to(group_name)
-                        for group_name in ldap_group_names.values()
-                    ]
-                    # ... or is the primary user group for a member of one of those groups
-                    + [
-                        Filter.attribute("memberOf").equal_to(
-                            f"CN=Primary user groups for {group_name},{ldap_group_search_base}"
-                        )
-                        for group_name in ldap_group_names.values()
-                    ]
+                ")",
+                ")",
+            ]
+        )
+        # LDAP filter for groups in this SRE
+        ldap_group_filter = "".join(
+            [
+                "(&",
+                # Groups are a posixGroup
+                "(objectClass=posixGroup)",
+                "(|",
+                # which is either one of the LDAP groups
+                *(f"(CN={group_name})" for group_name in ldap_group_names.values()),
+                # or is the primary user group for a member of one of those groups
+                *(
+                    f"(memberOf=CN=Primary user groups for {group_name},{ldap_group_search_base})"
+                    for group_name in ldap_group_names.values()
                 ),
-            )
-        ).to_string()
+                ")",
+                ")",
+            ]
+        )
 
         # Deploy SRE DNS server
         dns = SREDnsServerComponent(
diff --git a/pyproject.toml b/pyproject.toml
index fdd17d9bd5..9deec940bb 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -36,7 +36,6 @@ dependencies = [
   "cryptography~=42.0",
   "dnspython~=2.3",
   "fqdn~=1.5",
-  "ldap-filter~=0.2",
   "msal~=1.21",
   "psycopg~=3.1",
   "pulumi~=3.80",
@@ -170,7 +169,6 @@ module = [
   "chili.*",
   "cryptography.*",
   "dns.*",
-  "ldap_filter.*",
   "msal.*",
   "numpy.*",
   "pandas.*",
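Review bot: The hand-built filters interpolate `group_name` and `ldap_group_search_base` into assertion values without the escaping RFC 4515 requires, so a value containing `*`, `(`, `)`, `\` or NUL yields either an invalid filter or one that matches more entries than intended; the `Filter.attribute(...).equal_to(...)` calls being removed presumably handled this, and nothing in the new `"".join(...)` construction does. The `ldap_group_names` values are built from `ldap_group_name_prefix`, whose origin is outside this hunk, so how much this matters depends on whether that prefix comes from operator-editable configuration. A small escaping helper applied at the three interpolation points (`memberOf=CN=` in `ldap_user_filter`, and `CN=` plus `memberOf=CN=Primary user groups for` in `ldap_group_filter`) keeps the string-building approach while closing the gap. The enclosing `run` method starts before and continues after this hunk.
```python
        ldap_username_attribute = "uid"

        def _ldap_escape(value: str) -> str:
            """Escape the characters RFC 4515 reserves inside a filter assertion value."""
            # Backslash is replaced first so the escapes introduced below are not re-escaped
            for char, code in (("\\", "5c"), ("*", "2a"), ("(", "28"), (")", "29"), ("\0", "00")):
                value = value.replace(char, f"\\{code}")
            return value

        # … unchanged: ldap_user_filter "(&", "(objectClass=posixAccount)", "(|" entries …
                *(
                    f"(memberOf=CN={_ldap_escape(group_name)},{_ldap_escape(ldap_group_search_base)})"
                    for group_name in ldap_group_names.values()
                ),
        # … unchanged: closing ")" entries and ldap_group_filter up to "(|" …
                *(f"(CN={_ldap_escape(group_name)})" for group_name in ldap_group_names.values()),
                # or is the primary user group for a member of one of those groups
                *(
                    f"(memberOf=CN=Primary user groups for {_ldap_escape(group_name)},{_ldap_escape(ldap_group_search_base)})"
                    for group_name in ldap_group_names.values()
                ),
        # … unchanged: closing ")" entries …
```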