diff --git a/app.py b/app.py index 1a7375000..683151607 100644 --- a/app.py +++ b/app.py @@ -167,7 +167,7 @@ analytics = Analytics(app) billing = Billing(app) sentry = Sentry(app) build_logs = BuildLogs(app) -authentication = UserAuthentication(app, OVERRIDE_CONFIG_DIRECTORY) +authentication = UserAuthentication(app, config_provider, OVERRIDE_CONFIG_DIRECTORY) userevents = UserEventsBuilderModule(app) superusers = SuperUserManager(app) signer = Signer(app, OVERRIDE_CONFIG_DIRECTORY) diff --git a/data/users/__init__.py b/data/users/__init__.py index 220c0b6f8..bcdd81912 100644 --- a/data/users/__init__.py +++ b/data/users/__init__.py @@ -27,16 +27,18 @@ def get_federated_service_name(authentication_type): raise Exception('Unknown auth type: %s' % authentication_type) +LDAP_CERT_FILENAME = 'ldap.crt' + class UserAuthentication(object): - def __init__(self, app=None, override_config_dir=None): + def __init__(self, app=None, config_provider=None, override_config_dir=None): self.app_secret_key = None self.app = app if app is not None: - self.state = self.init_app(app, override_config_dir) + self.state = self.init_app(app, config_provider, override_config_dir) else: self.state = None - def init_app(self, app, override_config_dir): + def init_app(self, app, config_provider, override_config_dir): self.app_secret_key = app.config['SECRET_KEY'] authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database') @@ -52,7 +54,15 @@ class UserAuthentication(object): uid_attr = app.config.get('LDAP_UID_ATTR', 'uid') email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail') - users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr) + allow_tls_fallback = app.config.get('LDAP_ALLOW_INSECURE_FALLBACK', False) + tls_cert_path = None + if config_provider.volume_file_exists(LDAP_CERT_FILENAME): + with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f: + tls_cert_path = f.name + + users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, + tls_cert_path, allow_tls_fallback) + elif authentication_type == 'JWT': verify_url = app.config.get('JWT_VERIFY_ENDPOINT') issuer = app.config.get('JWT_AUTH_ISSUER') diff --git a/data/users/externalldap.py b/data/users/externalldap.py index 1fef02396..aba863b5d 100644 --- a/data/users/externalldap.py +++ b/data/users/externalldap.py @@ -10,26 +10,41 @@ logger = logging.getLogger(__name__) class LDAPConnectionBuilder(object): - def __init__(self, ldap_uri, user_dn, user_pw): + def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False): self._ldap_uri = ldap_uri self._user_dn = user_dn self._user_pw = user_pw + self._tls_cert_path = tls_cert_path + self._allow_tls_fallback = allow_tls_fallback def get_connection(self): - return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw) + return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, + self._tls_cert_path, self._allow_tls_fallback ) class LDAPConnection(object): - def __init__(self, ldap_uri, user_dn, user_pw): + def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False): self._ldap_uri = ldap_uri self._user_dn = user_dn self._user_pw = user_pw + self._tls_cert_path = tls_cert_path + self._allow_tls_fallback = allow_tls_fallback + self._conn = None def __enter__(self): trace_level = 2 if os.environ.get('USERS_DEBUG') == '1' else 0 self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level) self._conn.set_option(ldap.OPT_REFERRALS, 1) + + if self._tls_cert_path is not None: + logger.debug('LDAP using custom TLS certificate path %s', self._tls_cert_path) + self._conn.set_option(ldap.OPT_X_TLS_CERTFILE, self._tls_cert_path) + + if self._allow_tls_fallback: + logger.debug('TLS Fallback enabled in LDAP') + self._conn.set_option(ldap.OPT_X_TLS_TRY, 1) + self._conn.simple_bind_s(self._user_dn, self._user_pw) return self._conn @@ -40,14 +55,20 @@ class LDAPConnection(object): class LDAPUsers(FederatedUsers): _LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs']) - def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr): + def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, + tls_cert_path=None, allow_tls_fallback=False): + super(LDAPUsers, self).__init__('ldap') - self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd) + self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, tls_cert_path, + allow_tls_fallback) + self._ldap_uri = ldap_uri self._base_dn = base_dn self._user_rdn = user_rdn self._uid_attr = uid_attr self._email_attr = email_attr + self._tls_cert_path = tls_cert_path + self._allow_tls_fallback = allow_tls_fallback def _get_ldap_referral_dn(self, referral_exception): logger.debug('Got referral: %s', referral_exception.args[0]) @@ -137,7 +158,8 @@ class LDAPUsers(FederatedUsers): # First validate the password by binding as the user try: - with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')): + with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8'), + self._tls_cert_path, self._allow_tls_fallback): pass except ldap.REFERRAL as re: referral_dn = self._get_ldap_referral_dn(re) @@ -145,7 +167,8 @@ class LDAPUsers(FederatedUsers): return (None, 'Invalid username') try: - with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8')): + with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8'), + self._tls_cert_path, self._allow_tls_fallback): pass except ldap.INVALID_CREDENTIALS: logger.exception('Invalid LDAP credentials') diff --git a/static/directives/config/config-setup-tool.html b/static/directives/config/config-setup-tool.html index b7386782e..b9768020b 100644 --- a/static/directives/config/config-setup-tool.html +++ b/static/directives/config/config-setup-tool.html @@ -625,6 +625,27 @@ + + Custom TLS Certificate: + + +
+ If specified, the certificate (in PEM format) for the LDAP TLS connection. +
+ + + Allow insecure: + +
+ + +
+
+ If enabled, LDAP will fallback to insecure non-TLS connections if TLS does not succeed. +
+ + diff --git a/util/config/validator.py b/util/config/validator.py index 4f8853cb5..f15fcdd6d 100644 --- a/util/config/validator.py +++ b/util/config/validator.py @@ -1,6 +1,4 @@ import redis -import os -import json import ldap import peewee import OpenSSL @@ -8,13 +6,14 @@ import logging from StringIO import StringIO from fnmatch import fnmatch +from data.users import LDAP_CERT_FILENAME from data.users.keystone import KeystoneUsers from data.users.externaljwt import ExternalJWTAuthN from data.users.externalldap import LDAPConnection, LDAPUsers from flask import Flask from flask.ext.mail import Mail, Message -from data.database import validate_database_url, User +from data.database import validate_database_url from storage import get_storage_driver from auth.auth_context import get_authenticated_user from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig @@ -30,8 +29,10 @@ SSL_FILENAMES = ['ssl.cert', 'ssl.key'] DB_SSL_FILENAMES = ['database.pem'] JWT_FILENAMES = ['jwt-authn.cert'] ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg'] +LDAP_FILENAMES = [LDAP_CERT_FILENAME] +CONFIG_FILENAMES = (SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES + + LDAP_FILENAMES) -CONFIG_FILENAMES = SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES def get_storage_providers(config): storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG', {}) @@ -323,8 +324,15 @@ def _validate_ldap(config, password): if not ldap_uri.startswith('ldap://') and not ldap_uri.startswith('ldaps://'): raise Exception('LDAP URI must start with ldap:// or ldaps://') + tls_cert_path = None + if config_provider.volume_file_exists(LDAP_CERT_FILENAME): + with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f: + tls_cert_path = f.name + + allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False) + try: - with LDAPConnection(ldap_uri, admin_dn, admin_passwd): + with LDAPConnection(ldap_uri, admin_dn, admin_passwd, tls_cert_path, allow_tls_fallback): pass except ldap.LDAPError as ex: values = ex.args[0] if ex.args else {} @@ -339,7 +347,8 @@ def _validate_ldap(config, password): uid_attr = config.get('LDAP_UID_ATTR', 'uid') email_attr = config.get('LDAP_EMAIL_ATTR', 'mail') - users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr) + users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, + tls_cert_path, allow_tls_fallback) username = get_authenticated_user().username (result, err_msg) = users.verify_credentials(username, password)