Switch to install custom LDAP cert by name

data/users/__init__.py

@@ -46,13 +46,8 @@ def get_users_handler(config, config_provider, override_config_dir):
     email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
 
     allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
-    tls_cert_path = None
-    if config_provider.volume_file_exists(LDAP_CERT_FILENAME):
-      with config_provider.get_volume_file(LDAP_CERT_FILENAME) as f:
-        tls_cert_path = f.name
-
     return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
-                     tls_cert_path, allow_tls_fallback)
+                     allow_tls_fallback)
 
   if authentication_type == 'JWT':
     verify_url = config.get('JWT_VERIFY_ENDPOINT')

data/users/externalldap.py

@@ -3,31 +3,27 @@ import logging
 import os
 
 from collections import namedtuple
-from datetime import datetime
 from data.users.federated import FederatedUsers, VerifiedCredentials
 
 logger = logging.getLogger(__name__)
 
 
 class LDAPConnectionBuilder(object):
-  def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False):
+  def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False):
     self._ldap_uri = ldap_uri
     self._user_dn = user_dn
     self._user_pw = user_pw
-    self._tls_cert_path = tls_cert_path
     self._allow_tls_fallback = allow_tls_fallback
 
   def get_connection(self):
-    return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw,
-                          self._tls_cert_path, self._allow_tls_fallback )
+    return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback)
 
 
 class LDAPConnection(object):
-  def __init__(self, ldap_uri, user_dn, user_pw, tls_cert_path=None, allow_tls_fallback=False):
+  def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False):
     self._ldap_uri = ldap_uri
     self._user_dn = user_dn
     self._user_pw = user_pw
-    self._tls_cert_path = tls_cert_path
     self._allow_tls_fallback = allow_tls_fallback
 
     self._conn = None
@@ -37,10 +33,6 @@ class LDAPConnection(object):
     self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
     self._conn.set_option(ldap.OPT_REFERRALS, 1)
 
-    if self._tls_cert_path is not None:
-      logger.debug('LDAP using custom TLS certificate path %s', self._tls_cert_path)
-      self._conn.set_option(ldap.OPT_X_TLS_CERTFILE, self._tls_cert_path)
-
     if self._allow_tls_fallback:
       logger.debug('TLS Fallback enabled in LDAP')
       self._conn.set_option(ldap.OPT_X_TLS_TRY, 1)
@@ -56,18 +48,15 @@ class LDAPUsers(FederatedUsers):
   _LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs'])
 
   def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
-               tls_cert_path=None, allow_tls_fallback=False):
+               allow_tls_fallback=False):
 
     super(LDAPUsers, self).__init__('ldap')
-    self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, tls_cert_path,
-                                       allow_tls_fallback)
-
+    self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback)
     self._ldap_uri = ldap_uri
     self._base_dn = base_dn
     self._user_rdn = user_rdn
     self._uid_attr = uid_attr
     self._email_attr = email_attr
-    self._tls_cert_path = tls_cert_path
     self._allow_tls_fallback = allow_tls_fallback
 
   def _get_ldap_referral_dn(self, referral_exception):
@@ -159,7 +148,7 @@ class LDAPUsers(FederatedUsers):
     # First validate the password by binding as the user
     try:
       with LDAPConnection(self._ldap_uri, found_dn, password.encode('utf-8'),
-                          self._tls_cert_path, self._allow_tls_fallback):
+                          self._allow_tls_fallback):
         pass
     except ldap.REFERRAL as re:
       referral_dn = self._get_ldap_referral_dn(re)
@@ -168,7 +157,7 @@ class LDAPUsers(FederatedUsers):
 
       try:
         with LDAPConnection(self._ldap_uri, referral_dn, password.encode('utf-8'),
-                            self._tls_cert_path, self._allow_tls_fallback):
+                            self._allow_tls_fallback):
           pass
       except ldap.INVALID_CREDENTIALS:
         logger.exception('Invalid LDAP credentials')