Add an alembic migration for the full initial database with the data. Switch LDAP to using bind and creating a federated login entry. Add LDAP support to the registry and index endpoints. Add a username transliteration and suggestion mechanism. Switch the database and model to require a manual initialization call.
This commit is contained in:
Jake Moshenko
parent
08ccad7fe4
commit
5fdccfe3e6
12 changed files with 739 additions and 75 deletions
|
|
@ -1,17 +1,16 @@
|
|||
import ldap
|
||||
import logging
|
||||
|
||||
from util.validation import generate_valid_usernames
|
||||
from data import model
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class DatabaseUsers(object):
|
||||
def __init__(self, app_db):
|
||||
self._app_db = app_db
|
||||
|
||||
def verify_user(self, username_or_email, password):
|
||||
""" Simply delegate to the model implementation. """
|
||||
return self._app_db.verify_user(username_or_email, password)
|
||||
return model.verify_user(username_or_email, password)
|
||||
|
||||
|
||||
class LDAPConnection(object):
|
||||
|
|
@ -31,10 +30,10 @@ class LDAPConnection(object):
|
|||
|
||||
|
||||
class LDAPUsers(object):
|
||||
def __init__(self, app_db, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr,
|
||||
email_attr, passwd_attr):
|
||||
self._app_db = app_db
|
||||
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
passwd_attr):
|
||||
self._ldap_conn = LDAPConnection(ldap_uri, admin_dn, admin_passwd)
|
||||
self._ldap_uri = ldap_uri
|
||||
self._base_dn = base_dn
|
||||
self._user_rdn = user_rdn
|
||||
self._uid_attr = uid_attr
|
||||
|
|
@ -45,36 +44,47 @@ class LDAPUsers(object):
|
|||
""" Verify the credentials with LDAP and if they are valid, create or update the user
|
||||
in our database. """
|
||||
|
||||
# Make sure that even if the server supports anonymous binds, we don't allow it
|
||||
if not password:
|
||||
return None
|
||||
|
||||
with self._ldap_conn as conn:
|
||||
user_search_dn = ','.join(self._user_rdn + self._base_dn)
|
||||
query = '(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
|
||||
username_or_email)
|
||||
user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query)
|
||||
query = u'(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
|
||||
username_or_email)
|
||||
user = conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8'))
|
||||
|
||||
if len(user) != 1:
|
||||
return None
|
||||
|
||||
found_dn, found_response = user[0]
|
||||
|
||||
# First validate the password
|
||||
valid_passwd = conn.compare_s(found_dn, self._passwd_attr, password) == 1
|
||||
if not valid_passwd:
|
||||
# First validate the password by binding as the user
|
||||
try:
|
||||
with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8')):
|
||||
pass
|
||||
except ldap.INVALID_CREDENTIALS:
|
||||
return None
|
||||
|
||||
logger.debug('LDAP Response: %s', found_response)
|
||||
|
||||
# Now check if we have the same username in our DB
|
||||
username = found_response[self._uid_attr][0]
|
||||
# Now check if we have a federated login for this user
|
||||
username = unicode(found_response[self._uid_attr][0].decode('utf-8'))
|
||||
email = found_response[self._email_attr][0]
|
||||
password = found_response[self._passwd_attr][0]
|
||||
db_user = self._app_db.get_user(username)
|
||||
|
||||
logger.debug('Email: %s', email)
|
||||
db_user = model.verify_federated_login('ldap', username)
|
||||
|
||||
if not db_user:
|
||||
# We must create the user in our db
|
||||
db_user = self._app_db.create_user(username, 'password_from_ldap', email)
|
||||
valid_username = None
|
||||
for valid_username in generate_valid_usernames(username):
|
||||
if model.is_username_unique(valid_username):
|
||||
break
|
||||
|
||||
if not valid_username:
|
||||
logger.error('Unable to pick a username for user: %s', username)
|
||||
return None
|
||||
|
||||
db_user = model.create_user(valid_username, None, email, add_change_pw_notification=False)
|
||||
db_user.verified = True
|
||||
model.attach_federated_login(db_user, 'ldap', username)
|
||||
else:
|
||||
# Update the db attributes from ldap
|
||||
db_user.email = email
|
||||
|
|
@ -85,18 +95,18 @@ class LDAPUsers(object):
|
|||
|
||||
|
||||
class UserAuthentication(object):
|
||||
def __init__(self, app=None, model=None):
|
||||
def __init__(self, app=None):
|
||||
self.app = app
|
||||
if app is not None:
|
||||
self.state = self.init_app(app, model)
|
||||
self.state = self.init_app(app)
|
||||
else:
|
||||
self.state = None
|
||||
|
||||
def init_app(self, app, model):
|
||||
def init_app(self, app):
|
||||
authentication_type = app.config.get('AUTHENTICATION_TYPE', 'Database')
|
||||
|
||||
if authentication_type == 'Database':
|
||||
users = DatabaseUsers(model)
|
||||
users = DatabaseUsers()
|
||||
elif authentication_type == 'LDAP':
|
||||
ldap_uri = app.config.get('LDAP_URI', 'ldap://localhost')
|
||||
base_dn = app.config.get('LDAP_BASE_DN')
|
||||
|
|
@ -107,8 +117,8 @@ class UserAuthentication(object):
|
|||
email_attr = app.config.get('LDAP_EMAIL_ATTR', 'mail')
|
||||
passwd_attr = app.config.get('LDAP_PASSWD_ATTR', 'userPassword')
|
||||
|
||||
users = LDAPUsers(model, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr,
|
||||
email_attr, passwd_attr)
|
||||
users = LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||
passwd_attr)
|
||||
|
||||
else:
|
||||
raise RuntimeError('Unknown authentication type: %s' % authentication_type)
|
||||
|
|
|
|||
Reference in a new issue