Rename config validation source files

util/config/validator.py

@@ -28,10 +28,10 @@ from util.registry.torrent import torrent_jwt
 from util.security.signing import SIGNING_ENGINES
 from util.security.ssl import load_certificate, CertInvalidException, KeyInvalidException
 
-from util.config.validators.database import DatabaseValidator
-from util.config.validators.buildlogredis import RedisValidator
-from util.config.validators.registrystorage import StorageValidator
-from util.config.validators.email import EmailValidator
+from util.config.validators.validate_database import DatabaseValidator
+from util.config.validators.validate_redis import RedisValidator
+from util.config.validators.validate_storage import StorageValidator
+from util.config.validators.validate_email import EmailValidator
 
 logger = logging.getLogger(__name__)
 

util/config/validators/validate_ldap.py

@@ -0,0 +1,59 @@
+from app import app
+from util.config.validators import BaseValidator
+
+class LDAPValidator(BaseValidator):
+  name = "ldap"
+
+  @classmethod
+  def validate(cls, config, user, user_password):
+    """ Validates the LDAP connection. """
+    if config.get('AUTHENTICATION_TYPE', 'Database') != 'LDAP':
+      return
+
+    # If there is a custom LDAP certificate, then reinstall the certificates for the container.
+    if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
+      subprocess.check_call(['/conf/init/certs_install.sh'])
+
+    # Note: raises ldap.INVALID_CREDENTIALS on failure
+    admin_dn = config.get('LDAP_ADMIN_DN')
+    admin_passwd = config.get('LDAP_ADMIN_PASSWD')
+
+    if not admin_dn:
+      raise ConfigValidationException('Missing Admin DN for LDAP configuration')
+
+    if not admin_passwd:
+      raise ConfigValidationException('Missing Admin Password for LDAP configuration')
+
+    ldap_uri = config.get('LDAP_URI', 'ldap://localhost')
+    if not ldap_uri.startswith('ldap://') and not ldap_uri.startswith('ldaps://'):
+      raise ConfigValidationException('LDAP URI must start with ldap:// or ldaps://')
+
+    allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
+
+    try:
+      with LDAPConnection(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback):
+        pass
+    except ldap.LDAPError as ex:
+      values = ex.args[0] if ex.args else {}
+      if not isinstance(values, dict):
+        raise ConfigValidationException(str(ex.args))
+
+      raise ConfigValidationException(values.get('desc', 'Unknown error'))
+
+    # Verify that the superuser exists. If not, raise an exception.
+    base_dn = config.get('LDAP_BASE_DN')
+    user_rdn = config.get('LDAP_USER_RDN', [])
+    uid_attr = config.get('LDAP_UID_ATTR', 'uid')
+    email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
+    requires_email = config.get('FEATURE_MAILING', True)
+
+    users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
+                      allow_tls_fallback, requires_email=requires_email)
+
+    username = user_obj.username
+    (result, err_msg) = users.verify_credentials(username, password)
+    if not result:
+      msg = ('Verification of superuser %s failed: %s. \n\nThe user either does not exist ' +
+             'in the remote authentication system ' +
+             'OR LDAP auth is misconfigured.') % (username, err_msg)
+      raise ConfigValidationException(msg)