scooter 0.0.0 → 3.2.19

data/lib/scooter/httpdispatchers/rbac.rb

@@ -0,0 +1,231 @@
+%w( v1 ).each do |lib|
+  require "scooter/httpdispatchers/rbac/v1/#{lib}"
+end
+
+module Scooter
+  module HttpDispatchers
+    # Methods added here are not representative of endpoints, but are more
+    # generalized to be helper methods to to acquire data, such as getting
+    # the id of a user based on their login name. Be cautious about using
+    # these methods if you are utilizing a dispatcher with credentials;
+    # the user is not guaranteed to have privileges for all the methods
+    # defined here, or the user may not be signed in. If you have a method
+    # defined here that is using the connection object directly, you should
+    # probably be using a method defined in the version module instead.
+    module Rbac
+
+      include Scooter::HttpDispatchers::Rbac::V1
+      include Scooter::Utilities
+
+      def set_rbac_path(connection=self.connection)
+        set_url_prefix
+        connection.url_prefix.path = '/rbac-api'
+      end
+
+      def generate_local_user(options = {})
+        email        = options['email'] || "#{RandomString.generate(8)}@example.com"
+        display_name = options['display_name'] || RandomString.generate(8)
+        login        = options['login'] || RandomString.generate(16)
+        role_ids     = options['role_ids'] || []
+        password     = options['password'] || 'Puppet11'
+
+        user_hash = { 'email'        => email,
+                      'display_name' => display_name,
+                      'login'        => login,
+                      'role_ids'     => role_ids,
+                      'password'     => password }
+
+        response = create_local_user(user_hash)
+        return response if response.env.status != 200
+        Scooter::HttpDispatchers::ConsoleDispatcher.new(@host,
+                                                        login:    login,
+                                                        password: password)
+      end
+
+      def generate_role(options = {})
+        permissions  = options['permissions'] || []
+        user_ids     = options['user_ids'] || []
+        group_ids    = options['group_ids'] || []
+        display_name = options['display_name'] || RandomString.generate
+        description  = options['description'] || RandomString.generate
+
+        role_hash = { 'permissions'  => permissions,
+                      'user_ids'     => user_ids,
+                      'group_ids'    => group_ids,
+                      'display_name' => display_name,
+                      'description'  => description }
+
+        response = create_role(role_hash)
+        return response if response.env.status != 200
+        response.env.body
+      end
+
+      def delete_role_by_name(role_name)
+        role_id = get_role_id(role_name)
+        delete_role(role_id)
+      end
+
+      def add_user_to_role(console_dispatcher, role)
+        user_id = get_user_id_of_console_dispatcher(console_dispatcher)
+        role['user_ids'].push(user_id)
+        replace_role(role)
+      end
+
+      def remove_user_from_role(console_dispatcher, role)
+        user_id = get_user_id_of_console_dispatcher(console_dispatcher)
+        role['user_ids'].delete(user_id)
+        replace_role(role)
+      end
+
+      def get_user_id_of_console_dispatcher(console_dispatcher)
+        return get_user_id_by_login_name('api_user') if console_dispatcher.credentials == nil
+        get_user_id_by_login_name(console_dispatcher.credentials.login)
+      end
+
+      def get_current_user_id
+        get_current_user_data['id']
+      end
+
+      def get_console_dispatcher_data(console_dispatcher)
+        users = get_list_of_users
+        users.each do |user|
+          return user if user['login'] == console_dispatcher.credentials.login
+        end
+        nil #return nil if the console dispatcher is not found
+      end
+
+      def update_console_dispatcher(update_hash, console_dispatcher)
+        user = get_console_dispatcher_data(console_dispatcher)
+        user.merge!(update_hash)
+        update_local_user(user)
+      end
+
+      def revoke_console_dispatcher(console_dispatcher)
+        update_console_dispatcher({ 'is_revoked' => true }, console_dispatcher)
+      end
+
+      def get_user_id_by_login_name(name)
+        users = get_list_of_users
+        users.each do |user|
+          return user['id'] if user['login'] == name
+        end
+        nil #return nil if name is not found
+      end
+
+      def delete_local_console_dispatcher(console_dispatcher)
+        uuid = get_user_id_of_console_dispatcher(console_dispatcher)
+        delete_local_user(uuid)
+      end
+
+      def get_group_data_by_name(name)
+        groups = get_list_of_groups
+        groups.each do |group|
+          return group if name == group['login']
+        end
+        nil #return nil if name is not found
+      end
+
+      def get_group_id(group_name)
+        groups = get_list_of_groups
+        groups.each do |group|
+          return group['id'] if group_name == group['display_name']
+        end
+        nil #return nil if group_name not found
+      end
+
+      def get_role_by_name(role_name)
+        roles = get_list_of_roles
+        roles.each do |role|
+          return role if role['display_name'] == role_name
+        end
+        nil # return nil if role_name not found
+      end
+
+      def get_role_id(role_name)
+        roles = get_list_of_roles
+        roles.each do |role|
+          return role['id'] if role['display_name'] == role_name
+        end
+        nil #return nil if role_name not found
+      end
+
+      def reset_console_dispatcher_password(console_dispatcher, password)
+        token = get_password_reset_token_for_console_dispatcher(console_dispatcher)
+        reset_local_user_password(token, password)
+        console_dispatcher.credentials.password = password
+      end
+
+      def reset_console_dispatcher_password_to_default(console_dispatcher)
+        token = get_password_reset_token_for_console_dispatcher(console_dispatcher)
+        reset_local_user_password(token, 'Puppet11')
+        console_dispatcher.credentials.password = 'Puppet11'
+      end
+
+      def get_password_reset_token_for_console_dispatcher(console_dispatcher)
+        uuid = get_user_id_of_console_dispatcher(console_dispatcher)
+        create_password_reset_token(uuid)
+      end
+
+      def acquire_token_with_credentials(lifetime=nil)
+        @token = acquire_token(credentials.login, credentials.password, lifetime)
+      end
+
+      def rbac_database_matches_self?(host_name)
+        original_host_name = self.host
+        begin
+          self.host = host_name.to_s
+          initialize_connection
+          other_users  = get_list_of_users
+          other_groups = get_list_of_groups
+          other_roles  = get_list_of_roles
+        ensure
+          self.host = original_host_name
+          initialize_connection
+        end
+
+        self_users  = get_list_of_users
+        self_groups = get_list_of_groups
+        self_roles  = get_list_of_roles
+
+        errors = ''
+        errors << "Users do not match\r\n" unless users_match?(self_users, other_users)
+        errors << "Groups do not match\r\n" unless groups_match?(self_groups, other_groups)
+        errors << "Roles do not match\r\n" unless roles_match?(self_roles, other_roles)
+
+        @faraday_logger.warn(errors.chomp) unless errors.empty?
+        errors.empty?
+      end
+
+      private
+
+      def users_match?(other_users, self_users)
+        other_users == self_users
+      end
+
+      def groups_match?(other_groups, self_groups)
+        other_groups == self_groups
+      end
+
+      def roles_match?(other_roles, self_roles)
+        return false unless other_roles.size == self_roles.size
+        other_roles.each_index { |idx| return false unless role_matches?(other_roles[idx], self_roles[idx]) }
+        true
+      end
+
+      def role_matches?(role1, role2)
+        keys_with_expected_diffs = ['permissions']
+        same_num_fields          = (role1.size == role2.size)
+        same_byte_length         = (role1.to_s.size == role2.to_s.size)
+        same_num_fields && same_byte_length && same_role_contents?(role1, role2, keys_with_expected_diffs)
+      end
+
+      def same_role_contents?(role1, role2, keys_to_ignore)
+        role1.keys.each do |key|
+          next if keys_to_ignore.include?(key)
+          return false unless role1[key] == role2[key]
+        end
+        true
+      end
+    end
+  end
+end

data/lib/scooter/httpdispatchers/rbac/v1/directory_service.rb

@@ -0,0 +1,68 @@
+module Scooter
+  module HttpDispatchers
+    module Rbac
+      module V1
+        # Methods defined here are broken out from the rest of the RBAC
+        # endpoints because they use a ldapdispatcher object to determine
+        # various settings for the ds endpoint.
+        module DirectoryService
+
+          def ds_default_settings(ldapdispatcher)
+            base_dn_to_chomp = ',' + ldapdispatcher.base
+            user_rdn = ldapdispatcher.users_dn.chomp(base_dn_to_chomp)
+            group_rdn = ldapdispatcher.groups_dn.chomp(base_dn_to_chomp)
+            settings                      = {
+                "id"                     => 1,
+                "display_name"           => 'test_ds',
+                "help_link"              => 'https://example.com',
+                "hostname"               => ldapdispatcher.host,
+                "port"                   => ldapdispatcher.port,
+                "login"                  => ldapdispatcher.admin_dn,
+                "password"               => ldapdispatcher.return_default_password,
+                "connect_timeout"        => 20,
+                "ssl"                    => true,
+                "base_dn"                => ldapdispatcher.base,
+                "user_lookup_attr"       => 'cn',
+                "user_email_attr"        => 'mail',
+                "user_display_name_attr" => 'displayName',
+                "group_object_class"     => '*',
+                "group_name_attr"        => 'name',
+                "group_member_attr"      => 'uniqueMember',
+                "group_lookup_attr"      => 'cn',
+                "user_rdn"               => user_rdn,
+                "group_rdn"              => group_rdn
+              }
+
+              # Change the group_member_attr to just member if windows is the
+              # directory service, because AD doesn't support the attribute
+              # uniqueMember
+              settings['group_member_attr'] = 'member' if ldapdispatcher.is_windows_ad?
+              settings
+          end
+
+          def attach_ds_to_rbac(ldapdispatcher=nil, options={})
+            settings = ldapdispatcher ? ds_default_settings(ldapdispatcher) : {}
+            settings.merge!(options)
+
+            set_rbac_path
+            @connection.put('v1/ds') do |req|
+              req.body = settings
+            end
+          end
+
+          def test_attach_ds_to_rbac(ldapdispatcher=nil, options={})
+            settings = ldapdispatcher ? ds_default_settings(ldapdispatcher) : {}
+            settings.merge!(options)
+
+            set_rbac_path
+            @connection.put('v1/ds/test') do |req|
+              req.body = settings
+            end
+          end
+
+        end
+      end
+    end
+  end
+end
+

data/lib/scooter/httpdispatchers/rbac/v1/v1.rb

@@ -0,0 +1,116 @@
+%w( directory_service ).each do |lib|
+  require "scooter/httpdispatchers/rbac/v1/#{lib}"
+end
+module Scooter
+  module HttpDispatchers
+    module Rbac
+      # Methods here are generally representative of endpoints, and depending
+      # on the method, return either a Faraday response object or some sort of
+      # instance of the object created/modified.
+      module V1
+
+        include Scooter::HttpDispatchers::Rbac::V1::DirectoryService
+
+        def create_local_user(options)
+          set_rbac_path
+          @connection.post 'v1/users' do |request|
+            request.body = options
+          end
+        end
+
+        def update_local_user(update_hash)
+          set_rbac_path
+          @connection.put "v1/users/#{update_hash['id']}" do |request|
+            request.body = update_hash
+          end
+        end
+
+        def delete_local_user(user_id)
+          set_rbac_path
+          @connection.delete "v1/users/#{user_id}"
+        end
+
+        def get_single_user_data(uuid)
+          set_rbac_path
+          @connection.get("v1/users/#{uuid}").env.body
+        end
+
+        def get_current_user_data
+          set_rbac_path
+          @connection.get('v1/users/current').env.body
+        end
+
+        # The ParseJson middleware throws an exception because this returns
+        # json headers while simply returning a token. In order to avoid this
+        # middleware throwing an error, we catch the exception and parse the
+        # ParsingError object for a token in the error message.
+        def create_password_reset_token(uuid)
+          set_rbac_path
+          begin
+            token = @connection.post("v1/users/#{uuid}/password/reset").env.body
+          rescue Faraday::ParsingError => error
+            # Use a regex to parse the token from the ParsingError object
+            regex = /\'(.+)\'/
+            token = regex.match(error.message)[1]
+          end
+          token
+        end
+
+        def get_list_of_users
+          set_rbac_path
+          @connection.get('v1/users').env.body
+        end
+
+        def get_list_of_groups
+          set_rbac_path
+          @connection.get('v1/groups').env.body
+        end
+
+        def import_ldap_group(group_name, role_ids=[])
+          set_rbac_path
+          @connection.post('v1/groups') do |request|
+            request.body = {'login' => group_name,
+                            'role_ids' => role_ids}
+          end
+        end
+
+        def get_list_of_roles
+          set_rbac_path
+          @connection.get('v1/roles').env.body
+        end
+
+        def create_role(options)
+          set_rbac_path
+          @connection.post('v1/roles') do |request|
+            request.body = options
+          end
+        end
+
+        def replace_role(role)
+          set_rbac_path
+          @connection.put("v1/roles/#{role['id']}") do |request|
+            request.body = role
+          end
+        end
+
+        def delete_role(role_id)
+          set_rbac_path
+          @connection.delete("v1/roles/#{role_id}")
+        end
+
+        def acquire_token(login, password, lifetime=nil)
+          set_rbac_path
+          response = @connection.post "v1/auth/token" do |request|
+            creds= {}
+            creds[:login] = login
+            creds[:password] = password
+            creds[:lifetime] = lifetime if lifetime
+            request.body = creds
+          end
+          response.env.body['token']
+        end
+
+      end
+    end
+  end
+end

data/lib/scooter/ldap.rb

@@ -0,0 +1,349 @@
+%w( ldap_fixtures ).each do |lib|
+  require "scooter/ldap/#{lib}"
+end
+module Scooter
+  module LDAP
+
+    DEFAULT_DS_PORT = 636
+    DEFAULT_USER_PASSWORD = 'Puppet11'
+
+    # == Quick-start guide for the impatient
+    # === Quick example creating an LDAPDispatcher object with a beaker config:
+    #
+    #  #Example beaker configuration
+    #  #
+    #  #HOSTS:
+    #  #  win_2008_r2_x64:
+    #  #    roles:
+    #  #      - directory_service
+    #  #    platform: windows-2008r2-x86_64
+    #
+    #  require 'scooter'
+    #  ldapdispatcher = Scooter::LDAP::LDAPDispatcher.new(directory_service)
+    #  # If you are not using the default static fixtures, you probably want
+    #  # to change the credentials for your LDAP instance
+    #  ldapdispatcher.auth(user_dn, password)
+    #  # This is the normal method you would use to set up a standard test
+    #  # environment, with groups of writers(poets, lyricists, novelists)
+    #  # to populate your directory_service
+    #  ldapdispatcher.create_default_test_groups_and_users
+    class LDAPDispatcher < Net::LDAP
+
+
+      attr_accessor :test_uid
+      attr_reader :ds_type, :users_dn, :groups_dn, :ds_users
+
+      # Instantiating an object of type Scooter::LDAP::LDAPDispatcher extends
+      # the Net::LDAP class to include helper methods to make test setup and
+      # cleanup more consistent and reliable for beaker tests involving the
+      # Puppet RBAC Service. LDAPDispatcher objects require either a Unix::Host
+      # or Windows::Host object passed in as a parameter, which will dictate how
+      # helper methods construct a test environment of groups and users.
+      #
+      # Unlike the Net::LDAP, LDAPDispatcher <i>does</i> test the network
+      # connection during initialization and raises a warning if it fails.
+      # @param host [Unix::Host, Windows::Host] the DS host object defined in
+      #   your Beaker config
+      # @param options [hash] any params you would like to override; you are
+      #   likely to want to do this if you are not using the static Puppet LDAP
+      #   fixtures
+      def initialize(host, options={})
+        
+        # All initialized LDAPDispatcher objects will have test_uids to ensure
+        # no collisions when creating entries in the directory services.
+        @test_uid = Scooter::Utilities::RandomString.generate(4)
+        if host.is_a? Windows::Host
+          @ds_type = :ad
+        elsif host.is_a? Unix::Host
+          @ds_type = :openldap
+        else
+          raise "host must be Unix::Host or Windows::Host, not #{host.class}"
+        end
+
+        generated_args = {}
+        generated_args[:host] = host.reachable_name
+        generated_args[:port] = DEFAULT_DS_PORT
+        generated_args[:encryption] = {:method => :simple_tls}
+        generated_args[:base] = return_default_base
+
+        generated_args.merge!(options)
+        super(generated_args)
+
+        # If we didn't pass in an :auth hash, generate the default settings
+        # using the auth method of Net::LDAP
+        if !options[:auth]
+          self.auth admin_dn, return_default_password
+        end
+
+        if !bind
+          warn "Problem binding to #{host}, #{get_operation_result}\n
+                username: #{admin_dn}, pw: #{return_default_password}"
+        end
+      end
+
+      def return_default_password
+        "Puppet11"
+      end
+
+      def return_default_base
+        'dc=delivery,dc=puppetlabs,dc=net'
+      end
+
+      def is_openldap?
+        true if @ds_type == :openldap
+      end
+
+      def is_windows_ad?
+        true if @ds_type == :ad
+      end
+
+      def admin_dn
+        if is_windows_ad?
+          "cn=Administrator,cn=Users,#{return_default_base}"
+        else
+          "cn=admin,#{return_default_base}"
+        end
+      end
+
+      def create_temp_ou(base_string='test_')
+        ou = base_string + @test_uid
+        dn = "ou=#{ou},#{self.base}"
+        attr = {:objectClass => ['top', 'organizationalUnit'],
+                :ou => ou}
+        add(:dn => dn, :attributes => attr)
+
+        if get_operation_result.code != 0
+          raise "OU creation failed: #{get_operation_result}, #{dn}"
+        end
+
+        dn
+      end
+
+      # This method should execute after a test's completion; the group's ou
+      # and users's ou will be deleted, as will any entity with those
+      # respective ou's in their distinguished name.
+      # === Example beaker teardown
+      #
+      #  Example beaker teardown
+      #
+      #  teardown do
+      #    ldapdispatcher.delete_users_and_groups_organizational_units
+      #  end
+      def delete_users_and_groups_organizational_units
+        delete_all_dn_entries(@groups_dn)
+        delete_all_dn_entries(@users_dn)
+      end
+
+      def delete_all_dn_entries(dn)
+        entries = search(:base => dn, :attributes => ['dn'])
+        entries.each do |entry|
+          delete :dn => entry.dn
+        end
+
+        #This needs to be repeated because it may have failed deleting a group
+        #that still had users associated.
+        entries.each do |entry|
+          delete :dn => entry.dn
+        end
+
+        #This request should return nil; all entities with the dn provided
+        #should now be deleted.
+        entries = search(:base => dn, :attributes => ['dn'])
+        if entries != nil
+          raise "Problem deleting all entries for this dn: #{dn}"
+        end
+      end
+
+      def create_ds_user(attributes, users_dn=self.users_dn)
+        default_attributes = {:objectClass => ['top',
+                                               'person',
+                                               'organizationalPerson',
+                                               'inetOrgPerson']}
+
+        if is_windows_ad?
+          default_attributes[:userAccountControl] = ['544']
+        end
+
+        default_attributes.merge!(attributes)
+
+        add(:dn => "cn=#{default_attributes[:cn]},#{users_dn}",
+            :attributes => default_attributes)
+
+        if get_operation_result.code != 0
+          raise "Creating user failed: #{get_operation_result}\n
+                #{default_attributes}"
+        end
+      end
+
+      def create_ds_group(attributes, groups_dn=self.groups_dn)
+
+        #When Openldap, you must specify :member entries in the attributes
+        default_attributes = {:objectClass => ["top", "groupOfUniqueNames"]}
+
+        if is_windows_ad?
+          default_attributes[:objectClass] = ["top", "group"]
+        end
+
+        default_attributes.merge!(attributes)
+
+        add(:dn => "cn=#{default_attributes[:cn]},#{groups_dn}",
+            :attributes => default_attributes)
+
+        if get_operation_result.code != 0
+          raise "Creating group failed: #{get_operation_result},\n
+                #{default_attributes}"
+        end
+      end
+
+      def create_ou_for_users_and_groups
+        @users_dn = create_temp_ou('users')
+        @groups_dn = create_temp_ou('groups')
+      end
+
+      # This is the primary method most tests will use. It creates two
+      # organizational units, or ou's, to base all your testing around. There is
+      # one ou for groups and one for users. Most testing can be covered by
+      # simply running the method <tt>create_default_test_groups_and_users</tt>.
+      def create_default_test_groups_and_users
+
+        create_ou_for_users_and_groups
+
+        create_default_users
+
+        if is_windows_ad?
+          create_windows_ad_default_users_and_test_groups
+        elsif is_openldap?
+          create_openldap_default_users_and_test_groups
+        end
+
+      end
+
+      def create_default_users
+        users = Scooter::LDAP::LDAPFixtures.users(@test_uid)
+
+        users.each do |name, hash|
+          create_ds_user(hash)
+          update_user_password("CN=#{hash[:cn]},#{users_dn}", DEFAULT_USER_PASSWORD)
+          hash[:password] = DEFAULT_USER_PASSWORD
+        end
+        @ds_users = users
+      end
+
+      #This is used to encode passwords for Windows AD
+      #See URL: http://msdn.microsoft.com/en-us/library/cc223248.aspx
+      def str_to_unicode_pwd(str) #:nodoc:
+        ('"' + str + '"').encode("utf-16le").force_encoding("utf-8")
+      end
+
+      def update_user_password(user_dn, password) #:nodoc:
+        if is_windows_ad?
+          password = str_to_unicode_pwd(password)
+          ops = [[:replace, :unicodePwd, password]]
+        else
+          ops = [[:replace, :userPassword, password]]
+        end
+
+        modify :dn => user_dn, :operations => ops
+
+        if get_operation_result.code != 0
+          raise "Updating password failed: #{get_operation_result}\n
+                #{ops}"
+        end
+      end
+
+      private
+      def create_openldap_default_users_and_test_groups #:nodoc:
+
+        #add novelists
+        novelists =["cn=#{ds_users['arthur'][:cn]},#{users_dn}",
+                    "cn=#{ds_users['howard'][:cn]},#{users_dn}",
+                    "cn=#{ds_users['oscar'][:cn]},#{users_dn}"]
+
+        create_ds_group({ :cn           => "novelists#{@test_uid}",
+                          :uniqueMember => novelists })
+
+        #add poets
+        poets = ["cn=#{ds_users['sylvia'][:cn]},#{users_dn}",
+                 "cn=#{ds_users['jorge'][:cn]},#{users_dn}",
+                 "cn=#{ds_users['oscar'][:cn]},#{users_dn}"]
+
+        create_ds_group({ :cn           => "poets#{@test_uid}",
+                          :uniqueMember => poets })
+
+        #add lyricists
+        lyricists = ["cn=#{ds_users['stephen'][:cn]},#{users_dn}"]
+
+        create_ds_group({ :cn           => "lyricists#{@test_uid}",
+                          :uniqueMember => lyricists })
+
+        #add writers
+        writers = ["cn=#{ds_users['guillermo'][:cn]},#{users_dn}",
+                   "cn=novelists#{test_uid},#{groups_dn}",
+                   "cn=poets#{test_uid},#{groups_dn}",
+                   "cn=lyricists#{test_uid},#{groups_dn}"]
+
+        create_ds_group({ :cn           => "writers#{@test_uid}",
+                          :uniqueMember => writers })
+
+      end
+
+      def create_windows_ad_default_users_and_test_groups #:nodoc:
+
+        writers_cn = "writers#{@test_uid}"
+        poets_cn = "poets#{@test_uid}"
+        novelists_cn = "novelists#{@test_uid}"
+        lyricists_cn = "lyricists#{@test_uid}"
+
+        create_ds_group(:cn => lyricists_cn)
+        create_ds_group(:cn => novelists_cn)
+        create_ds_group(:cn => poets_cn)
+        create_ds_group(:cn => writers_cn)
+
+        add_attribute("cn=#{writers_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{lyricists_cn},#{groups_dn}")
+
+        add_attribute("cn=#{writers_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{poets_cn},#{groups_dn}")
+
+        add_attribute("cn=#{writers_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{novelists_cn},#{groups_dn}")
+
+        add_attribute("cn=#{novelists_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['howard'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{novelists_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['arthur'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{novelists_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['oscar'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{poets_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['sylvia'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{poets_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['jorge'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{poets_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['oscar'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{writers_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['guillermo'][:cn]},#{users_dn}")
+
+        add_attribute("cn=#{lyricists_cn},#{groups_dn}",
+                      :member,
+                      "cn=#{ds_users['stephen'][:cn]},#{users_dn}")
+
+      end
+    end
+  end
+end