First stab at LDAP integration.

data/users.py

@@ -0,0 +1,122 @@
+import ldap
+import logging
+
+
+logger = logging.getLogger(__name__)
+
+
+class DatabaseUsers(object):
+  def __init__(self, app_db):
+    self._app_db = app_db
+
+  def verify_user(self, username_or_email, password):
+    """ Simply delegate to the model implementation. """
+    return self._app_db.verify_user(username_or_email, password)
+
+
+class LDAPConnection(object):
+  def __init__(self, ldap_uri, user_dn, user_pw):
+    self._ldap_uri = ldap_uri
+    self._user_dn = user_dn
+    self._user_pw = user_pw
+    self._conn = None
+
+  def __enter__(self):
+    self._conn = ldap.initialize(self._ldap_uri)
+    self._conn.simple_bind_s(self._user_dn, self._user_pw)
+    return self._conn
+
+  def __exit__(self, exc_type, value, tb):
+    self._conn.unbind_s()
+
+
+class LDAPUsers(object):
+  def __init__(self, app_db, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr,
+               email_attr, passwd_attr):
+    self._app_db = app_db
+    self._ldap_conn = LDAPConnection(ldap_uri, admin_dn, admin_passwd)
+    self._base_dn = base_dn
+    self._user_rdn = user_rdn
+    self._uid_attr = uid_attr
+    self._email_attr = email_attr
+    self._passwd_attr = passwd_attr
+
+  def verify_user(self, username_or_email, password):
+    """ Verify the credentials with LDAP and if they are valid, create or update the user
+        in our database. """
+
+    with self._ldap_conn as conn:
+      user_search_dn = ','.join(self._user_rdn + self._base_dn)
+      query = '(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
+                                             username_or_email)
+      user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query)
+
+      if len(user) != 1:
+        return None
+
+      found_dn, found_response = user[0]
+
+      # First validate the password
+      valid_passwd = conn.compare_s(found_dn, self._passwd_attr, password) == 1
+      if not valid_passwd:
+        return None
+
+      logger.debug('LDAP Response: %s', found_response)
+
+      # Now check if we have the same username in our DB
+      username = found_response[self._uid_attr][0]
+      email = found_response[self._email_attr][0]
+      password = found_response[self._passwd_attr][0]
+      db_user = self._app_db.get_user(username)
+
+      logger.debug('Email: %s', email)
+
+      if not db_user:
+        # We must create the user in our db
+        db_user = self._app_db.create_user(username, 'password_from_ldap', email)
+        db_user.verified = True
+      else:
+        # Update the db attributes from ldap
+        db_user.email = email
+
+      db_user.save()
+
+      return db_user
+
+
+class UserAuthentication(object):
+  def __init__(self, app=None, model=None):
+    self.app = app
+    if app is not None:
+      self.state = self.init_app(app, model)
+    else:
+      self.state = None
+
+  def init_app(self, app, model):
+    authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')
+
+    if authentication_type == 'Database':
+      users = DatabaseUsers(model)
+    elif authentication_type == 'LDAP':
+      ldap_uri = app.config.get('LDAP_URI', 'ldap://localhost')
+      base_dn = app.config.get('LDAP_BASE_DN')
+      admin_dn = app.config.get('LDAP_ADMIN_DN')
+      admin_passwd = app.config.get('LDAP_ADMIN_PASSWD')
+      user_rdn = app.config.get('LDAP_USER_RDN', [])
+      uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')
+      email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')
+      passwd_attr = app.config.get('LDAP_PASSWD_ATTR', 'userPassword')
+
+      users = LDAPUsers(model, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr,
+                        email_attr, passwd_attr)
+
+    else:
+      raise RuntimeError('Unknown authentication type: %s' % authentication_type)
+
+    # register extension with app
+    app.extensions = getattr(app, 'extensions', {})
+    app.extensions['authentication'] = users
+    return users
+
+  def __getattr__(self, name):
+    return getattr(self.state, name, None)