quay/data/users.py

import ldap
import logging

from util.validation import generate_valid_usernames
from data import model

logger = logging.getLogger(__name__)


class DatabaseUsers(object):
  def verify_user(self, username_or_email, password):
    """ Simply delegate to the model implementation. """
    return model.verify_user(username_or_email, password)

  def user_exists(self, username):
    return model.get_user(username) is not None


class LDAPConnection(object):
  def __init__(self, ldap_uri, user_dn, user_pw):
    self._ldap_uri = ldap_uri
    self._user_dn = user_dn
    self._user_pw = user_pw
    self._conn = None

  def __enter__(self):
    self._conn = ldap.initialize(self._ldap_uri)
    self._conn.simple_bind_s(self._user_dn, self._user_pw)
    return self._conn

  def __exit__(self, exc_type, value, tb):
    self._conn.unbind_s()


class LDAPUsers(object):
  def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr):
    self._ldap_conn = LDAPConnection(ldap_uri, admin_dn, admin_passwd)
    self._ldap_uri = ldap_uri
    self._base_dn = base_dn
    self._user_rdn = user_rdn
    self._uid_attr = uid_attr
    self._email_attr = email_attr

  def _ldap_user_search(self, username_or_email):
    with self._ldap_conn as conn:
      logger.debug('Incoming username or email param: %s', username_or_email.__repr__())
      user_search_dn = ','.join(self._user_rdn + self._base_dn)
      query = u'(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
                                              username_or_email)
      user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8'))

      if len(user) != 1:
        return None

      return user[0]

  def verify_user(self, username_or_email, password):
    """ Verify the credentials with LDAP and if they are valid, create or update the user
        in our database. """

    # Make sure that even if the server supports anonymous binds, we don't allow it
    if not password:
      return None

    found_user = self._ldap_user_search(username_or_email)

    if found_user is None:
      return None

    found_dn, found_response = found_user

    # First validate the password by binding as the user
    try:
      with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')):
        pass
    except ldap.INVALID_CREDENTIALS:
      return None

    # Now check if we have a federated login for this user
    username = found_response[self._uid_attr][0].decode('utf-8')
    email = found_response[self._email_attr][0]
    db_user = model.verify_federated_login('ldap', username)

    if not db_user:
      # We must create the user in our db
      valid_username = None
      for valid_username in generate_valid_usernames(username):
        if model.is_username_unique(valid_username):
          break

      if not valid_username:
        logger.error('Unable to pick a username for user: %s', username)
        return None

      db_user = model.create_federated_user(valid_username, email, 'ldap', username,
                                            set_password_notification=False)
    else:
      # Update the db attributes from ldap
      db_user.email = email
      db_user.save()

    return db_user

  def user_exists(self, username):
    found_user = self._ldap_user_search(username)
    return found_user is not None


class UserAuthentication(object):
  def __init__(self, app=None):
    self.app = app
    if app is not None:
      self.state = self.init_app(app)
    else:
      self.state = None

  def init_app(self, app):
    authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')

    if authentication_type == 'Database':
      users = DatabaseUsers()
    elif authentication_type == 'LDAP':
      ldap_uri = app.config.get('LDAP_URI', 'ldap://localhost')
      base_dn = app.config.get('LDAP_BASE_DN')
      admin_dn = app.config.get('LDAP_ADMIN_DN')
      admin_passwd = app.config.get('LDAP_ADMIN_PASSWD')
      user_rdn = app.config.get('LDAP_USER_RDN', [])
      uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')
      email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')

      users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)

    else:
      raise RuntimeError('Unknown authentication type: %s' % authentication_type)

    # register extension with app
    app.extensions = getattr(app, 'extensions', {})
    app.extensions['authentication'] = users
    return users

  def __getattr__(self, name):
    return getattr(self.state, name, None)
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`import ldap`
			`import logging`

Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`from util.validation import generate_valid_usernames`
			`from data import model`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
			`logger = logging.getLogger(__name__)`


			`class DatabaseUsers(object):`
			`def verify_user(self, username_or_email, password):`
			`""" Simply delegate to the model implementation. """`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`return model.verify_user(username_or_email, password)`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`def user_exists(self, username):`
			`return model.get_user(username) is not None`

First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
			`class LDAPConnection(object):`
			`def __init__(self, ldap_uri, user_dn, user_pw):`
			`self._ldap_uri = ldap_uri`
			`self._user_dn = user_dn`
			`self._user_pw = user_pw`
			`self._conn = None`

			`def __enter__(self):`
			`self._conn = ldap.initialize(self._ldap_uri)`
			`self._conn.simple_bind_s(self._user_dn, self._user_pw)`
			`return self._conn`

			`def __exit__(self, exc_type, value, tb):`
			`self._conn.unbind_s()`


			`class LDAPUsers(object):`
Remove the passwd attr ldap config. 2014-05-13 19:52:20 +00:00			`def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr):`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`self._ldap_conn = LDAPConnection(ldap_uri, admin_dn, admin_passwd)`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`self._ldap_uri = ldap_uri`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`self._base_dn = base_dn`
			`self._user_rdn = user_rdn`
			`self._uid_attr = uid_attr`
			`self._email_attr = email_attr`

Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`def _ldap_user_search(self, username_or_email):`
			`with self._ldap_conn as conn:`
			`logger.debug('Incoming username or email param: %s', username_or_email.__repr__())`
			`user_search_dn = ','.join(self._user_rdn + self._base_dn)`
			`query = u'(\|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,`
			`username_or_email)`
			`user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8'))`

			`if len(user) != 1:`
			`return None`

			`return user[0]`

First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`def verify_user(self, username_or_email, password):`
			`""" Verify the credentials with LDAP and if they are valid, create or update the user`
			`in our database. """`

Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`# Make sure that even if the server supports anonymous binds, we don't allow it`
			`if not password:`
			`return None`

Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`found_user = self._ldap_user_search(username_or_email)`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`if found_user is None:`
			`return None`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`found_dn, found_response = found_user`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`# First validate the password by binding as the user`
			`try:`
			`with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')):`
			`pass`
			`except ldap.INVALID_CREDENTIALS:`
			`return None`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`# Now check if we have a federated login for this user`
			`username = found_response[self._uid_attr][0].decode('utf-8')`
			`email = found_response[self._email_attr][0]`
			`db_user = model.verify_federated_login('ldap', username)`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`if not db_user:`
			`# We must create the user in our db`
			`valid_username = None`
			`for valid_username in generate_valid_usernames(username):`
			`if model.is_username_unique(valid_username):`
			`break`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`if not valid_username:`
			`logger.error('Unable to pick a username for user: %s', username)`
			`return None`

Eliminate a lot of the if cases in create_user by separating them out. Add a limit to the number of users which can be created based on the license. Add support for creating and loading licenses. 2014-05-28 17:51:52 +00:00			`db_user = model.create_federated_user(valid_username, email, 'ldap', username,`
			`set_password_notification=False)`
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`else:`
			`# Update the db attributes from ldap`
			`db_user.email = email`
Eliminate a lot of the if cases in create_user by separating them out. Add a limit to the number of users which can be created based on the license. Add support for creating and loading licenses. 2014-05-28 17:51:52 +00:00			`db_user.save()`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`return db_user`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
Fix the registry to work with unicode usernames in LDAP. 2014-05-13 19:22:31 +00:00			`def user_exists(self, username):`
			`found_user = self._ldap_user_search(username)`
			`return found_user is not None`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00

			`class UserAuthentication(object):`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`def __init__(self, app=None):`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`self.app = app`
			`if app is not None:`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`self.state = self.init_app(app)`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`else:`
			`self.state = None`

Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`def init_app(self, app):`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')`

			`if authentication_type == 'Database':`
Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call. 2014-05-13 16:17:26 +00:00			`users = DatabaseUsers()`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00			`elif authentication_type == 'LDAP':`
			`ldap_uri = app.config.get('LDAP_URI', 'ldap://localhost')`
			`base_dn = app.config.get('LDAP_BASE_DN')`
			`admin_dn = app.config.get('LDAP_ADMIN_DN')`
			`admin_passwd = app.config.get('LDAP_ADMIN_PASSWD')`
			`user_rdn = app.config.get('LDAP_USER_RDN', [])`
			`uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')`
			`email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')`

Remove the passwd attr ldap config. 2014-05-13 19:52:20 +00:00			`users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)`
First stab at LDAP integration. 2014-05-09 21:39:43 +00:00
			`else:`
			`raise RuntimeError('Unknown authentication type: %s' % authentication_type)`

			`# register extension with app`
			`app.extensions = getattr(app, 'extensions', {})`
			`app.extensions['authentication'] = users`
			`return users`

			`def __getattr__(self, name):`
			`return getattr(self.state, name, None)`