refactor

hsadmin/cmd.py

@@ -16,12 +16,13 @@ import string
 import shutil
 import logging
 
-from ldap3 import Server, Connection, LEVEL
+from ldap3 import Server, Connection, LEVEL, MODIFY_REPLACE
 from ldap3.utils.conv import escape_filter_chars
 from ldap3.utils.dn import escape_rdn
 
 import subprocess
 
+from contextlib import contextmanager
 import smtplib
 from jinja2 import Template
 from email.message import EmailMessage
@@ -79,47 +80,68 @@ def main():
             user = input("User: ")
         p = k.get_principal(user)
 
+        with HsLdap.connect(args.admin, admin_pass) as ldap:
 
-        password = generage_password()
-        if args.email_address is not FROM_LDAP:
-            address = args.email_address
-        else:
-            address = get_email_address(args.admin, admin_pass, user)
+            password = generage_password()
+            if args.email_address is not FROM_LDAP:
+                address = args.email_address
+            else:
+                address = ldap.get_email_address(user)
 
-        if args.show_password:
-            print(f'password: "{password}"')
+            if args.show_password:
+                print(f'password: "{password}"')
 
-        action = 'reset' if p is not None else 'create'
-        i = input(
-            f"Type yes to {action} {user}'s password and send email to {address!r}\n"
-        ).strip()
-        if i != "yes":
-            print("Aborted")
-            return
+            action = 'reset' if p is not None else 'create'
+            i = input(
+                f"Type yes to {action} {user}'s password and send email to {address!r}\n"
+            ).strip()
+            if i != "yes":
+                print("Aborted")
+                return
 
-        if p is None:
-            k.add_principal(user, password)
-            print("password created")
-        else:
-            p.change_password(password)
-            print("password changed")
+            if p is None:
+                k.add_principal(user, password)
+                print("password created")
+            else:
+                p.change_password(password)
+                print("password changed")
 
-        send_mail(args.admin, admin_pass, password, user, address)
-        print("email sent")
+            send_mail(args.admin, admin_pass, password, user, address)
+            print("email sent")
+
+            ldap.force_sasl(user)
+            print('LDAP password scheme set to SASL')
     else:
         parser.print_help()
 
+class HsLdap:
+    def __init__(self, connection):
+        self._c = connection
 
-def get_email_address(admin, admin_pass, uid):
-    logging.debug("fetching email address from LDAP")
-    s = Server("ldap.hackerspace.pl", use_ssl=True)
-    with Connection(
-        s,
-        user=f"uid={escape_rdn(admin)},ou=People,dc=hackerspace,dc=pl",
-        password=admin_pass,
-        raise_exceptions=True,
-    ) as c:
-        logging.debug("connected to LDAP server")
+    @classmethod
+    @contextmanager
+    def connect(cls, admin, admin_pass):
+        s = Server("ldap.hackerspace.pl", use_ssl=True)
+        with Connection(
+            s,
+            user=f"uid={escape_rdn(admin)},ou=People,dc=hackerspace,dc=pl",
+            password=admin_pass,
+            raise_exceptions=True,
+        ) as c:
+            logging.debug("connected to LDAP server")
+            yield cls(c)
+
+    def force_sasl(self, uid: str):
+        logging.debug("setting LDAP password scheme to SASL")
+        c = self._c
+        c.modify(
+            f'cn={escape_rdn(uid)},ou=People,dc=hackerspace,dc=pl',
+            {'userPassword': [(MODIFY_REPLACE, ['{crypt}x', f'{uid}@HACKERSPACE.PL'])]}
+        )
+
+    def get_email_address(self, uid):
+        logging.debug("fetching email address from LDAP")
+        c = self._c
         c.search(
             search_base="ou=People,dc=hackerspace,dc=pl",
             search_filter=f"(uid={escape_filter_chars(uid)})",