ldap-ui 0.10.0__py3-none-any.whl → 0.10.2__py3-none-any.whl

ldap_ui/ldap_api.py

@@ -1,15 +1,14 @@
 """
 ReST endpoints for LDAP access.
 
-Directory operations are accessible to the frontend
-through a hand-knit ReST API, responses are usually converted to JSON.
+Directory operations are exposed to the frontend
+by a hand-knit ReST API, responses are usually converted to JSON.
 
 Asynchronous LDAP operations are used as much as possible.
 """
 
 import base64
 import io
-import logging
 from enum import StrEnum
 from http import HTTPStatus
 from typing import Annotated, cast
@@ -35,35 +34,31 @@ from ldap import (
 from ldap.ldapobject import LDAPObject
 from ldap.modlist import addModlist, modifyModlist
 from ldap.schema import SubSchema
-from ldap.schema.models import AttributeType, LDAPSyntax, ObjectClass
+from ldap.schema.models import AttributeType, LDAPSyntax
 
 from . import settings
 from .entities import (
+    AttributeNames,
     Attributes,
-    ChangedAttributes,
     ChangePasswordRequest,
     Entry,
-    Meta,
     Range,
     SearchResult,
     TreeItem,
 )
 from .ldap_helpers import (
     WITH_OPERATIONAL_ATTRS,
-    BinaryAttributes,
+    LdapEntry,
     anonymous_user_search,
     empty,
     get_entry_by_dn,
     get_schema,
     ldap_connect,
-    result,
+    results,
+    unique,
 )
-from .schema import ObjectClass as OC
 from .schema import Schema, frontend_schema
 
-__all__ = ("api",)
-
-
 NO_CONTENT = Response(status_code=HTTPStatus.NO_CONTENT)
 
 # Special fields
@@ -74,17 +69,39 @@ PASSWORDS = ("userPassword",)
 OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"
 INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
 
-LOG = logging.getLogger("ldap-api")
-
 api = APIRouter(prefix="/api")
 
 
+async def get_root_dse(connection: LDAPObject):
+    "Auto-detect base DN and LDAP schema from root DSE"
+    result = await unique(
+        connection,
+        connection.search(
+            "",
+            SCOPE_BASE,
+            attrlist=WITH_OPERATIONAL_ATTRS,
+        ),
+    )
+    if not settings.BASE_DN:
+        base_dns = result.attr("namingContexts")
+        assert len(base_dns) == 1, f"No unique base DN: {base_dns}"
+        settings.BASE_DN = base_dns[0]
+
+    if not settings.SCHEMA_DN:
+        schema_dns = result.attr("subschemaSubentry")
+        assert schema_dns, "Cannot determine LDAP schema"
+        settings.SCHEMA_DN = schema_dns[0]
+
+
 async def authenticated(
     credentials: Annotated[HTTPBasicCredentials, Depends(HTTPBasic())],
     connection: Annotated[LDAPObject, Depends(ldap_connect)],
 ) -> LDAPObject:
     "Authenticate against the directory"
 
+    if not settings.BASE_DN or not settings.SCHEMA_DN:
+        await get_root_dse(connection)
+
     # Hard-wired credentials
     dn = settings.GET_BIND_DN()
     password = settings.GET_BIND_PASSWORD()
@@ -112,118 +129,96 @@ class Tag(StrEnum):
     NAVIGATION = "Navigation"
 
 
+@api.get(
+    "/tree/base",
+    tags=[Tag.NAVIGATION],
+    operation_id="get_base_entry",
+    include_in_schema=False,  # Overlaps with next endpoint
+)
+async def get_base_entry(connection: AuthenticatedConnection) -> list[TreeItem]:
+    "Get the directory base entry"
+
+    assert settings.BASE_DN, "An LDAP base DN is required!"
+    result = await unique(
+        connection,
+        connection.search(
+            settings.BASE_DN, SCOPE_BASE, attrlist=WITH_OPERATIONAL_ATTRS
+        ),
+    )
+    return [_tree_item(result, settings.BASE_DN)]
+
+
 @api.get("/tree/{basedn:path}", tags=[Tag.NAVIGATION], operation_id="get_tree")
 async def get_tree(basedn: str, connection: AuthenticatedConnection) -> list[TreeItem]:
-    "List directory entries"
-
-    base_level = len(basedn.split(","))
-    scope = SCOPE_ONELEVEL
-    if basedn == "base":
-        scope = SCOPE_BASE
-        assert settings.BASE_DN is not None
-        basedn = settings.BASE_DN
+    "List directory entries below a DN"
 
-    entries = result(
-        connection, connection.search(basedn, scope, attrlist=WITH_OPERATIONAL_ATTRS)
-    )
     return [
-        _tree_item(dn, attrs, base_level, await get_schema(connection))
-        async for dn, attrs in entries
+        _tree_item(entry, basedn)
+        async for entry in results(
+            connection,
+            connection.search(basedn, SCOPE_ONELEVEL, attrlist=WITH_OPERATIONAL_ATTRS),
+        )
     ]
 
 
-def _tree_item(
-    dn: str, attrs: BinaryAttributes, level: int, schema: SubSchema
-) -> TreeItem:
-    structuralObjectClass = next(
-        iter(
-            filter(
-                lambda oc: oc.kind == OC.Kind.structural.value,  # type: ignore
-                map(
-                    lambda o: schema.get_obj(ObjectClass, o.decode()),
-                    attrs["objectClass"],
-                ),
-            )
-        )
-    )
-
+def _tree_item(entry: LdapEntry, base_dn: str) -> TreeItem:
     return TreeItem(
-        dn=dn,
-        structuralObjectClass=structuralObjectClass.names[0],
-        hasSubordinates=attrs["hasSubordinates"][0] == b"TRUE"
-        if "hasSubordinates" in attrs
-        else bool(attrs.get("numSubordinates")),
-        level=len(dn.split(",")) - level,
+        dn=entry.dn,
+        structuralObjectClass=entry.attr("structuralObjectClass")[0],
+        hasSubordinates=entry.hasSubordinates,
+        level=_level(entry.dn) - _level(base_dn),
     )
 
 
-def _entry(res: tuple[str, BinaryAttributes], schema: SubSchema) -> Entry:
-    "Prepare an LDAP entry for transmission"
+def _level(dn: str) -> int:
+    return len(dn.split(","))
 
-    dn, attrs = res
-    ocs = set([oc.decode() for oc in attrs["objectClass"]])
-    must_attrs, _may_attrs = schema.attribute_types(ocs)
-    soc = [
-        oc.names[0]  # type: ignore
-        for oc in map(lambda o: schema.get_obj(ObjectClass, o), ocs)
-        if oc.kind == OC.Kind.structural.value  # type: ignore
-    ]
-    aux = set(
-        schema.get_obj(ObjectClass, a).names[0]  # type: ignore
-        for a in schema.get_applicable_aux_classes(soc[0])
+
+@api.get("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="get_entry")
+async def get_entry(dn: str, connection: AuthenticatedConnection) -> Entry:
+    "Retrieve a directory entry by DN"
+    return _entry(
+        await get_entry_by_dn(connection, dn),
+        await get_schema(connection),
     )
 
-    # 23 suppress userPassword
-    if "userPassword" in attrs:
-        attrs["userPassword"] = [b"*****"]
-
-    # Filter out binary attributes
-    binary = set()
-    for attr in attrs:
-        obj = schema.get_obj(AttributeType, attr)
-
-        # Octet strings are not used consistently.
-        # Try to decode as text and treat as binary on failure
-        if not obj.syntax or obj.syntax == OCTET_STRING:  # type: ignore
-            try:
-                for val in attrs[attr]:
-                    assert val.decode().isprintable()
-            except:  # noqa: E722
-                binary.add(attr)
-
-        else:  # Check human-readable flag in schema
-            syntax = schema.get_obj(LDAPSyntax, obj.syntax)  # type: ignore
-            if syntax.not_human_readable:  # type: ignore
-                binary.add(attr)
 
+def _entry(entry: LdapEntry, schema: SubSchema) -> Entry:
+    "Decode an LDAP entry for transmission"
+
+    binary = sorted(
+        set(attr for attr in entry.attrs if _is_binary(entry, attr, schema))
+    )
     return Entry(
         attrs={
-            k: [
-                base64.b64encode(val).decode() if k in binary else val.decode()
-                for val in values
-            ]
-            for k, values in attrs.items()
+            k: ["*****"]  # 23 suppress userPassword
+            if k == "userPassword"
+            else [base64.b64encode(val).decode() for val in entry.attrs[k]]
+            if k in binary
+            else entry.attr(k)
+            for k in sorted(entry.attrs)
         },
-        meta=Meta(
-            dn=dn,
-            required=[
-                schema.get_obj(AttributeType, a).names[0]  # type: ignore
-                for a in must_attrs
-            ],
-            aux=sorted(aux - ocs),
-            binary=sorted(binary),
-            autoFilled=[],
-        ),
+        dn=entry.dn,
+        binary=binary,
+        autoFilled=[],
+        changed=[],
     )
 
 
-@api.get("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="get_entry")
-async def get_entry(dn: str, connection: AuthenticatedConnection) -> Entry:
-    "Retrieve a directory entry by DN"
-    return _entry(
-        await get_entry_by_dn(connection, dn),
-        await get_schema(connection),
-    )
+def _is_binary(entry: LdapEntry, attr: str, schema: SubSchema) -> bool:
+    "Guess whether an attribute has binary content"
+
+    # Octet strings are not used consistently in schemata.
+    # Try to decode as text and treat as binary on failure
+    attr_type = schema.get_obj(AttributeType, attr)
+    if not attr_type.syntax or attr_type.syntax == OCTET_STRING:  # type: ignore
+        try:
+            return any(not val.isprintable() for val in entry.attr(attr))
+        except UnicodeDecodeError:
+            return True
+
+    # Check human-readable flag
+    return schema.get_obj(LDAPSyntax, attr_type.syntax).not_human_readable  # type: ignore
 
 
 @api.delete(
@@ -235,8 +230,8 @@ async def get_entry(dn: str, connection: AuthenticatedConnection) -> Entry:
 async def delete_entry(dn: str, connection: AuthenticatedConnection) -> None:
     for entry_dn in sorted(
         [
-            dn
-            async for dn, _attrs in result(
+            entry.dn
+            async for entry in results(
                 connection,
                 connection.search(dn, SCOPE_SUBTREE),
             )
@@ -250,37 +245,47 @@ async def delete_entry(dn: str, connection: AuthenticatedConnection) -> None:
 @api.post("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="post_entry")
 async def post_entry(
     dn: str, attributes: Attributes, connection: AuthenticatedConnection
-) -> ChangedAttributes:
-    req = {
-        k: [s.encode() for s in filter(None, v)]  # Omit empty byte strings
-        for k, v in attributes.items()
-        if k not in PHOTOS and k not in PASSWORDS
-    }
-
-    # Get previous values from directory
+) -> AttributeNames:
     entry = await get_entry_by_dn(connection, dn)
-    mods = {k: v for k, v in entry[1].items() if k in req}
-    modlist = modifyModlist(mods, req)
+    schema = await get_schema(connection)
 
+    expected = {
+        attr: _nonempty_byte_strings(attributes, attr)
+        for attr in attributes
+        if attr not in PASSWORDS
+        and (
+            attr not in entry.attrs
+            or not _is_binary(
+                entry, attr, schema
+            )  # FIXME Handle binary attributes properly
+        )
+    }
+
+    actual = {attr: v for attr, v in entry.attrs.items() if attr in expected}
+    modlist = modifyModlist(actual, expected)
     if modlist:  # Apply changes and send changed keys back
         await empty(connection, connection.modify(dn, modlist))
-    return ChangedAttributes(changed=list(sorted(set(m[1] for m in modlist))))
+    return list(sorted(set(m[1] for m in modlist)))
+
+
+def _nonempty_byte_strings(attributes: Attributes, attr: str) -> list[bytes]:
+    return [s.encode() for s in filter(None, attributes[attr])]
 
 
 @api.put("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="put_entry")
 async def put_entry(
     dn: str, attributes: Attributes, connection: AuthenticatedConnection
-) -> ChangedAttributes:
+) -> AttributeNames:
     modlist = addModlist(
         {
-            k: [s.encode() for s in filter(None, v)]  # Omit empty byte strings
-            for k, v in attributes.items()
-            if k not in PHOTOS
+            attr: _nonempty_byte_strings(attributes, attr)
+            for attr in attributes
+            if attr not in PHOTOS
         }
     )
     if modlist:
         await empty(connection, connection.add(dn, modlist))
-    return ChangedAttributes(changed=["dn"])  # Dummy
+    return ["dn"]  # Dummy
 
 
 @api.post(
@@ -307,15 +312,15 @@ async def get_blob(
 ) -> Response:
     "Retrieve a binary attribute"
 
-    _dn, attrs = await get_entry_by_dn(connection, dn)
+    entry = await get_entry_by_dn(connection, dn)
 
-    if attr not in attrs or len(attrs[attr]) <= index:
+    if attr not in entry.attrs or len(entry.attrs[attr]) <= index:
         raise HTTPException(
-            HTTPStatus.NOT_FOUND.value, f"Attribute {attr} not found for DN {dn}"
+            HTTPStatus.NOT_FOUND, f"Attribute {attr} not found for DN {dn}"
         )
 
     return Response(
-        attrs[attr][index],
+        entry.attrs[attr][index],
         media_type="application/octet-stream",
         headers={"Content-Disposition": f'attachment; filename="{attr}-{index:d}.bin"'},
     )
@@ -335,12 +340,14 @@ async def put_blob(
     connection: AuthenticatedConnection,
 ) -> None:
     "Upload a binary attribute"
-    _dn, attrs = await get_entry_by_dn(connection, dn)
+    entry = await get_entry_by_dn(connection, dn)
     data = await blob.read(cast(int, blob.size))
-    if attr in attrs:
+    if attr in entry.attrs:
         await empty(
             connection,
-            connection.modify(dn, [(1, attr, None), (0, attr, attrs[attr] + [data])]),
+            connection.modify(
+                dn, [(1, attr, None), (0, attr, entry.attrs[attr] + [data])]
+            ),
         )
     else:
         await empty(connection, connection.modify(dn, [(0, attr, [data])]))
@@ -356,13 +363,13 @@ async def delete_blob(
     attr: str, index: int, dn: str, connection: AuthenticatedConnection
 ) -> None:
     "Remove a binary attribute"
-    _dn, attrs = await get_entry_by_dn(connection, dn)
-    if attr not in attrs or len(attrs[attr]) <= index:
+    entry = await get_entry_by_dn(connection, dn)
+    if attr not in entry.attrs or len(entry.attrs[attr]) <= index:
         raise HTTPException(
-            HTTPStatus.NOT_FOUND.value, f"Attribute {attr} not found for DN {dn}"
+            HTTPStatus.NOT_FOUND, f"Attribute {attr} not found for DN {dn}"
         )
     await empty(connection, connection.modify(dn, [(1, attr, None)]))
-    data = attrs[attr][:index] + attrs[attr][index + 1 :]
+    data = entry.attrs[attr][:index] + entry.attrs[attr][index + 1 :]
     if data:
         await empty(connection, connection.modify(dn, [(0, attr, data)]))
 
@@ -386,29 +393,21 @@ async def check_password(
     "/change-password/{dn:path}",
     tags=[Tag.EDITING],
     operation_id="post_change_password",
+    status_code=HTTPStatus.NO_CONTENT,
 )
 async def change_password(
     dn: str, args: ChangePasswordRequest, connection: AuthenticatedConnection
-) -> str | None:
+) -> None:
     "Update passwords"
     if args.new1:
         await empty(
             connection,
             connection.passwd(dn, args.old or None, args.new1),
         )
-        _dn, attrs = await get_entry_by_dn(connection, dn)
-        attrs["userPassword"][0].decode()
-
     else:
         await empty(connection, connection.modify(dn, [(1, "userPassword", None)]))
 
 
-def _cn(entry: dict) -> str | None:
-    "Try to extract a CN"
-    if "cn" in entry and entry["cn"]:
-        return entry["cn"][0].decode()
-
-
 @api.get(
     "/ldif/{dn:path}",
     include_in_schema=False,  # Used as a link target, no API call
@@ -419,8 +418,8 @@ async def export_ldif(dn: str, connection: AuthenticatedConnection) -> Response:
     out = io.StringIO()
     writer = ldif.LDIFWriter(out)
 
-    async for dn, attrs in result(connection, connection.search(dn, SCOPE_SUBTREE)):
-        writer.unparse(dn, attrs)
+    async for entry in results(connection, connection.search(dn, SCOPE_SUBTREE)):
+        writer.unparse(dn, entry.attrs)
 
     file_name = dn.split(",")[0].split("=")[1]
     return PlainTextResponse(
@@ -440,18 +439,22 @@ class LDIFReader(ldif.LDIFParser):
         self.count += 1
 
 
-@api.post("/ldif", tags=[Tag.EDITING], operation_id="post_ldif")
+@api.post(
+    "/ldif",
+    tags=[Tag.EDITING],
+    operation_id="post_ldif",
+    status_code=HTTPStatus.NO_CONTENT,
+)
 async def upload_ldif(
     ldif: Annotated[str, Body()], connection: AuthenticatedConnection
-) -> Response:
+) -> None:
     "Import LDIF"
 
     reader = LDIFReader(ldif.encode(), connection)
     try:
         reader.parse()
-        return NO_CONTENT
     except ValueError as e:
-        return Response(e.args[0], HTTPStatus.UNPROCESSABLE_ENTITY)
+        raise HTTPException(HTTPStatus.UNPROCESSABLE_ENTITY, e.args[0])
 
 
 @api.get("/search/{query:path}", tags=[Tag.NAVIGATION], operation_id="search")
@@ -469,10 +472,15 @@ async def search(query: str, connection: AuthenticatedConnection) -> list[Search
 
     # Collect results
     res = []
-    async for dn, attrs in result(
+    async for entry in results(
         connection, connection.search(settings.BASE_DN, SCOPE_SUBTREE, query)
     ):
-        res.append(SearchResult(dn=dn, name=_cn(attrs) or dn))
+        res.append(
+            SearchResult(
+                dn=entry.dn,
+                name=entry.attr("cn")[0] if "cn" in entry.attrs else entry.dn,
+            )
+        )
         if len(res) >= settings.SEARCH_MAX:
             break
     return res
@@ -490,15 +498,16 @@ async def list_subtree(
 ) -> list[TreeItem]:
     "List the subtree below a DN"
 
-    start = len(root_dn.split(","))
     return sorted(
         [
-            _tree_item(dn, attrs, start, await get_schema(connection))
-            async for dn, attrs in result(
+            _tree_item(entry, root_dn)
+            async for entry in results(
                 connection,
-                connection.search(root_dn, SCOPE_SUBTREE),
+                connection.search(
+                    root_dn, SCOPE_SUBTREE, attrlist=WITH_OPERATIONAL_ATTRS
+                ),
             )
-            if root_dn != dn
+            if root_dn != entry.dn
         ],
         key=lambda item: tuple(reversed(item.dn.lower().split(","))),
     )
@@ -513,8 +522,8 @@ async def attribute_range(attribute: str, connection: AuthenticatedConnection) -
 
     values = set(
         [
-            int(attrs[attribute][0])
-            async for dn, attrs in result(
+            int(entry.attrs[attribute][0])
+            async for entry in results(
                 connection,
                 connection.search(
                     settings.BASE_DN,
@@ -529,7 +538,7 @@ async def attribute_range(attribute: str, connection: AuthenticatedConnection) -
 
     if not values:
         raise HTTPException(
-            HTTPStatus.NOT_FOUND.value, f"No values found for attribute {attribute}"
+            HTTPStatus.NOT_FOUND, f"No values found for attribute {attribute}"
         )
 
     minimum, maximum = min(values), max(values)
@@ -549,4 +558,5 @@ async def attribute_range(attribute: str, connection: AuthenticatedConnection) -
 )
 async def ldap_schema(connection: AuthenticatedConnection) -> Schema:
     "Dump the LDAP schema as JSON"
+    assert settings.SCHEMA_DN, "An LDAP schema DN is required!"
     return frontend_schema(await get_schema(connection))

ldap_ui/ldap_helpers.py

@@ -10,6 +10,7 @@ like retrieving a unique result or waiting for an
 operation to complete without results.
 """
 
+from dataclasses import dataclass
 from http import HTTPStatus
 from typing import AsyncGenerator, Generator
 
@@ -32,7 +33,23 @@ from . import settings
 # Constant to add technical attributes in LDAP search results
 WITH_OPERATIONAL_ATTRS = ("*", "+")
 
-BinaryAttributes = dict[str, list[bytes]]
+
+@dataclass(frozen=True)
+class LdapEntry:
+    dn: str
+    attrs: dict[str, list[bytes]]
+
+    def attr(self, name: str) -> list[str]:
+        return [v.decode() for v in self.attrs[name]]
+
+    @property
+    def hasSubordinates(self):
+        return (
+            self.attr("hasSubordinates") == ["TRUE"]
+            if "hasSubordinates" in self.attrs
+            else bool(self.attrs.get("numSubordinates"))
+        )
+
 
 sub_schema: SubSchema | None = None
 
@@ -58,24 +75,24 @@ def ldap_connect() -> Generator[LDAPObject, None, None]:
 
 async def anonymous_user_search(connection: LDAPObject, username: str) -> str | None:
     try:
-        # No BIND_PATTERN, try anonymous search
-        dn, _attrs = await unique(
-            connection,
-            connection.search(
-                settings.BASE_DN,
-                SCOPE_SUBTREE,
-                settings.GET_BIND_DN_FILTER(username),
-            ),
-        )
-        return dn
+        return (
+            await unique(
+                connection,
+                connection.search(
+                    settings.BASE_DN,
+                    SCOPE_SUBTREE,
+                    settings.GET_BIND_DN_FILTER(username),
+                ),
+            )
+        ).dn
 
     except HTTPException:
         pass  # No unique result
 
 
-async def result(
+async def results(
     connection: LDAPObject, msgid: int
-) -> AsyncGenerator[tuple[str, BinaryAttributes], None]:
+) -> AsyncGenerator[LdapEntry, None]:
     "Stream LDAP result entries without blocking other tasks"
 
     while True:
@@ -85,27 +102,27 @@ async def result(
         elif r_data == []:  # Operation completed
             break
         else:
-            yield r_data[0]  # type: ignore
+            yield LdapEntry(*r_data[0])  # type: ignore
 
 
 async def unique(
     connection: LDAPObject,
     msgid: int,
-) -> tuple[str, BinaryAttributes]:
+) -> LdapEntry:
     "Asynchronously collect a unique result"
 
     res = None
-    async for r in result(connection, msgid):
+    async for r in results(connection, msgid):
         if res is None:
             res = r
         else:
             connection.abandon(msgid)
             raise HTTPException(
-                HTTPStatus.INTERNAL_SERVER_ERROR.value,
+                HTTPStatus.INTERNAL_SERVER_ERROR,
                 "Non-unique result",
             )
     if res is None:
-        raise HTTPException(HTTPStatus.NOT_FOUND.value, "Empty search result")
+        raise HTTPException(HTTPStatus.NOT_FOUND, "Empty search result")
     return res
 
 
@@ -115,15 +132,15 @@ async def empty(
 ) -> None:
     "Asynchronously wait for an empty result"
 
-    async for r in result(connection, msgid):
+    async for r in results(connection, msgid):
         connection.abandon(msgid)
-        raise HTTPException(HTTPStatus.INTERNAL_SERVER_ERROR.value, "Unexpected result")
+        raise HTTPException(HTTPStatus.INTERNAL_SERVER_ERROR, "Unexpected result")
 
 
 async def get_entry_by_dn(
     connection: LDAPObject,
     dn: str,
-) -> tuple[str, BinaryAttributes]:
+) -> LdapEntry:
     "Asynchronously retrieve an LDAP entry by its DN"
 
     return await unique(connection, connection.search(dn, SCOPE_BASE))
@@ -133,7 +150,7 @@ async def get_schema(connection: LDAPObject) -> SubSchema:
     global sub_schema
     # See: https://hub.packtpub.com/python-ldap-applications-part-4-ldap-schema/
     if sub_schema is None:
-        _dn, schema = await unique(
+        result = await unique(
             connection,
             connection.search(
                 settings.SCHEMA_DN,
@@ -141,5 +158,5 @@ async def get_schema(connection: LDAPObject) -> SubSchema:
                 attrlist=WITH_OPERATIONAL_ATTRS,
             ),
         )
-        sub_schema = SubSchema(schema, check_uniqueness=2)
+        sub_schema = SubSchema(result.attrs, check_uniqueness=2)
     return sub_schema