Joseph Schorr
parent
f0af2ca9c3
commit
42515ed9ec
5 changed files with 81 additions and 18 deletions
|
|
@ -27,16 +27,18 @@ def get_federated_service_name(authentication_type):
|
|||
raise Exception('Unknown auth type: %s' % authentication_type)
|
||||
|
||||
|
||||
LDAP_CERT_FILENAME = 'ldap.crt'
|
||||
|
||||
class UserAuthentication(object):
|
||||
def __init__(self, app=None, override_config_dir=None):
|
||||
def __init__(self, app=None, config_provider=None, override_config_dir=None):
|
||||
self.app_secret_key = None
|
||||
self.app = app
|
||||
if app is not None:
|
||||
self.state = self.init_app(app, override_config_dir)
|
||||
self.state = self.init_app(app, config_provider, override_config_dir)
|
||||
else:
|
||||
self.state = None
|
||||
|
||||
def init_app(self, app, override_config_dir):
|
||||
def init_app(self, app, config_provider, override_config_dir):
|
||||
self.app_secret_key = app.config['SECRET_KEY']
|
||||
|
||||
authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')
|
||||
|
|
@ -52,7 +54,15 @@ class UserAuthentication(object):
|
|||
uid_attr = app.config.get('LDAP_UID_ATTR', 'uid')
|
||||
email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')
|
||||
|
||||
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr)
|
||||
allow_tls_fallback = app.config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
|
||||
tls_cert_path = None
|
||||
if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
|
||||
with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f:
|
||||
tls_cert_path = f.name
|
||||
|
||||
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
tls_cert_path, allow_tls_fallback)
|
||||
|
||||
elif authentication_type == 'JWT':
|
||||
verify_url = app.config.get('JWT_VERIFY_ENDPOINT')
|
||||
issuer = app.config.get('JWT_AUTH_ISSUER')
|
||||
|
|
|
|||
|
|
@ -10,26 +10,41 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
|
||||
class LDAPConnectionBuilder(object):
|
||||
def __init__(self, ldap_uri, user_dn, user_pw):
|
||||
def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False):
|
||||
self._ldap_uri = ldap_uri
|
||||
self._user_dn = user_dn
|
||||
self._user_pw = user_pw
|
||||
self._tls_cert_path = tls_cert_path
|
||||
self._allow_tls_fallback = allow_tls_fallback
|
||||
|
||||
def get_connection(self):
|
||||
return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw)
|
||||
return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw,
|
||||
self._tls_cert_path, self._allow_tls_fallback )
|
||||
|
||||
|
||||
class LDAPConnection(object):
|
||||
def __init__(self, ldap_uri, user_dn, user_pw):
|
||||
def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False):
|
||||
self._ldap_uri = ldap_uri
|
||||
self._user_dn = user_dn
|
||||
self._user_pw = user_pw
|
||||
self._tls_cert_path = tls_cert_path
|
||||
self._allow_tls_fallback = allow_tls_fallback
|
||||
|
||||
self._conn = None
|
||||
|
||||
def __enter__(self):
|
||||
trace_level = 2 if os.environ.get('USERS_DEBUG') == '1' else 0
|
||||
self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
|
||||
self._conn.set_option(ldap.OPT_REFERRALS, 1)
|
||||
|
||||
if self._tls_cert_path is not None:
|
||||
logger.debug('LDAP using custom TLS certificate path %s', self._tls_cert_path)
|
||||
self._conn.set_option(ldap.OPT_X_TLS_CERTFILE, self._tls_cert_path)
|
||||
|
||||
if self._allow_tls_fallback:
|
||||
logger.debug('TLS Fallback enabled in LDAP')
|
||||
self._conn.set_option(ldap.OPT_X_TLS_TRY, 1)
|
||||
|
||||
self._conn.simple_bind_s(self._user_dn, self._user_pw)
|
||||
return self._conn
|
||||
|
||||
|
|
@ -40,14 +55,20 @@ class LDAPConnection(object):
|
|||
class LDAPUsers(FederatedUsers):
|
||||
_LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs'])
|
||||
|
||||
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr):
|
||||
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
tls_cert_path=None, allow_tls_fallback=False):
|
||||
|
||||
super(LDAPUsers, self).__init__('ldap')
|
||||
self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd)
|
||||
self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, tls_cert_path,
|
||||
allow_tls_fallback)
|
||||
|
||||
self._ldap_uri = ldap_uri
|
||||
self._base_dn = base_dn
|
||||
self._user_rdn = user_rdn
|
||||
self._uid_attr = uid_attr
|
||||
self._email_attr = email_attr
|
||||
self._tls_cert_path = tls_cert_path
|
||||
self._allow_tls_fallback = allow_tls_fallback
|
||||
|
||||
def _get_ldap_referral_dn(self, referral_exception):
|
||||
logger.debug('Got referral: %s', referral_exception.args[0])
|
||||
|
|
@ -137,7 +158,8 @@ class LDAPUsers(FederatedUsers):
|
|||
|
||||
# First validate the password by binding as the user
|
||||
try:
|
||||
with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')):
|
||||
with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8'),
|
||||
self._tls_cert_path, self._allow_tls_fallback):
|
||||
pass
|
||||
except ldap.REFERRAL as re:
|
||||
referral_dn = self._get_ldap_referral_dn(re)
|
||||
|
|
@ -145,7 +167,8 @@ class LDAPUsers(FederatedUsers):
|
|||
return (None, 'Invalid username')
|
||||
|
||||
try:
|
||||
with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8')):
|
||||
with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8'),
|
||||
self._tls_cert_path, self._allow_tls_fallback):
|
||||
pass
|
||||
except ldap.INVALID_CREDENTIALS:
|
||||
logger.exception('Invalid LDAP credentials')
|
||||
|
|
|
|||
Reference in a new issue