2014-05-09 21:39:43 +00:00
|
|
|
import ldap
|
|
|
|
import logging
|
|
|
|
|
2014-05-13 16:17:26 +00:00
|
|
|
from util.validation import generate_valid_usernames
|
|
|
|
from data import model
|
2014-05-09 21:39:43 +00:00
|
|
|
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
|
|
|
|
|
|
class DatabaseUsers(object):
|
|
|
|
def verify_user(self, username_or_email, password):
|
|
|
|
""" Simply delegate to the model implementation. """
|
2014-05-13 16:17:26 +00:00
|
|
|
return model.verify_user(username_or_email, password)
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
def user_exists(self, username):
|
|
|
|
return model.get_user(username) is not None
|
|
|
|
|
2014-05-09 21:39:43 +00:00
|
|
|
|
|
|
|
class LDAPConnection(object):
|
|
|
|
def __init__(self, ldap_uri, user_dn, user_pw):
|
|
|
|
self._ldap_uri = ldap_uri
|
|
|
|
self._user_dn = user_dn
|
|
|
|
self._user_pw = user_pw
|
|
|
|
self._conn = None
|
|
|
|
|
|
|
|
def __enter__(self):
|
2015-02-27 22:01:46 +00:00
|
|
|
self._conn = ldap.initialize(self._ldap_uri, trace_level=1)
|
2014-05-09 21:39:43 +00:00
|
|
|
self._conn.simple_bind_s(self._user_dn, self._user_pw)
|
|
|
|
return self._conn
|
|
|
|
|
|
|
|
def __exit__(self, exc_type, value, tb):
|
|
|
|
self._conn.unbind_s()
|
|
|
|
|
|
|
|
|
|
|
|
class LDAPUsers(object):
|
2014-05-13 19:52:20 +00:00
|
|
|
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr):
|
2014-05-09 21:39:43 +00:00
|
|
|
self._ldap_conn = LDAPConnection(ldap_uri, admin_dn, admin_passwd)
|
2014-05-13 16:17:26 +00:00
|
|
|
self._ldap_uri = ldap_uri
|
2014-05-09 21:39:43 +00:00
|
|
|
self._base_dn = base_dn
|
|
|
|
self._user_rdn = user_rdn
|
|
|
|
self._uid_attr = uid_attr
|
|
|
|
self._email_attr = email_attr
|
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
def _ldap_user_search(self, username_or_email):
|
|
|
|
with self._ldap_conn as conn:
|
|
|
|
logger.debug('Incoming username or email param: %s', username_or_email.__repr__())
|
|
|
|
user_search_dn = ','.join(self._user_rdn + self._base_dn)
|
|
|
|
query = u'(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
|
|
|
|
username_or_email)
|
|
|
|
user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8'))
|
|
|
|
|
|
|
|
if len(user) != 1:
|
|
|
|
return None
|
|
|
|
|
|
|
|
return user[0]
|
|
|
|
|
2014-05-09 21:39:43 +00:00
|
|
|
def verify_user(self, username_or_email, password):
|
|
|
|
""" Verify the credentials with LDAP and if they are valid, create or update the user
|
|
|
|
in our database. """
|
|
|
|
|
2014-05-13 16:17:26 +00:00
|
|
|
# Make sure that even if the server supports anonymous binds, we don't allow it
|
|
|
|
if not password:
|
|
|
|
return None
|
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
found_user = self._ldap_user_search(username_or_email)
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
if found_user is None:
|
|
|
|
return None
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
found_dn, found_response = found_user
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
# First validate the password by binding as the user
|
|
|
|
try:
|
|
|
|
with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')):
|
|
|
|
pass
|
|
|
|
except ldap.INVALID_CREDENTIALS:
|
|
|
|
return None
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
# Now check if we have a federated login for this user
|
|
|
|
username = found_response[self._uid_attr][0].decode('utf-8')
|
|
|
|
email = found_response[self._email_attr][0]
|
|
|
|
db_user = model.verify_federated_login('ldap', username)
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
if not db_user:
|
|
|
|
# We must create the user in our db
|
|
|
|
valid_username = None
|
|
|
|
for valid_username in generate_valid_usernames(username):
|
|
|
|
if model.is_username_unique(valid_username):
|
|
|
|
break
|
2014-05-13 16:17:26 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
if not valid_username:
|
|
|
|
logger.error('Unable to pick a username for user: %s', username)
|
|
|
|
return None
|
|
|
|
|
2014-05-28 17:51:52 +00:00
|
|
|
db_user = model.create_federated_user(valid_username, email, 'ldap', username,
|
|
|
|
set_password_notification=False)
|
2014-05-13 19:22:31 +00:00
|
|
|
else:
|
|
|
|
# Update the db attributes from ldap
|
|
|
|
db_user.email = email
|
2014-05-28 17:51:52 +00:00
|
|
|
db_user.save()
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
return db_user
|
2014-05-09 21:39:43 +00:00
|
|
|
|
2014-05-13 19:22:31 +00:00
|
|
|
def user_exists(self, username):
|
|
|
|
found_user = self._ldap_user_search(username)
|
|
|
|
return found_user is not None
|
2014-05-09 21:39:43 +00:00
|
|
|
|
|
|
|
|
|
|
|
class UserAuthentication(object):
|
2014-05-13 16:17:26 +00:00
|
|
|
def __init__(self, app=None):
|
2014-05-09 21:39:43 +00:00
|
|
|
self.app = app
|
|
|
|
if app is not None:
|
2014-05-13 16:17:26 +00:00
|
|
|
self.state = self.init_app(app)
|
2014-05-09 21:39:43 +00:00
|
|
|
else:
|
|
|
|
self.state = None
|
|
|
|
|
2014-05-13 16:17:26 +00:00
|
|
|
def init_app(self, app):
|
2014-05-09 21:39:43 +00:00
|
|
|
authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')
|
|
|
|
|
|
|
|
if authentication_type == 'Database':
|
2014-05-13 16:17:26 +00:00
|
|
|
users = DatabaseUsers()
|
2014-05-09 21:39:43 +00:00
|
|
|
elif authentication_type == 'LDAP':
|
|
|
|
ldap_uri = app.config.get('LDAP_URI', 'ldap://localhost')
|
|
|
|
base_dn = app.config.get('LDAP_BASE_DN')
|
|
|
|
admin_dn = app.config.get('LDAP_ADMIN_DN')
|
|
|
|
admin_passwd = app.config.get('LDAP_ADMIN_PASSWD')
|
|
|
|
user_rdn = app.config.get('LDAP_USER_RDN', [])
|
|
|
|
uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')
|
|
|
|
email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')
|
|
|
|
|
2014-05-13 19:52:20 +00:00
|
|
|
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)
|
2014-05-09 21:39:43 +00:00
|
|
|
|
|
|
|
else:
|
|
|
|
raise RuntimeError('Unknown authentication type: %s' % authentication_type)
|
|
|
|
|
|
|
|
# register extension with app
|
|
|
|
app.extensions = getattr(app, 'extensions', {})
|
|
|
|
app.extensions['authentication'] = users
|
|
|
|
return users
|
|
|
|
|
|
|
|
def __getattr__(self, name):
|
|
|
|
return getattr(self.state, name, None)
|