Add default and configurable LDAP timeouts
Fixes https://www.pivotaltracker.com/story/show/135885019
This commit is contained in:
parent
e58e04b0e9
commit
e2efb6c458
3 changed files with 39 additions and 6 deletions
|
@ -45,11 +45,14 @@ def get_users_handler(config, _, override_config_dir):
|
||||||
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
|
uid_attr = config.get('LDAP_UID_ATTR', 'uid')
|
||||||
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
|
email_attr = config.get('LDAP_EMAIL_ATTR', 'mail')
|
||||||
secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', [])
|
secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', [])
|
||||||
|
timeout = config.get('LDAP_TIMEOUT')
|
||||||
|
network_timeout = config.get('LDAP_NETWORK_TIMEOUT')
|
||||||
|
|
||||||
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
|
allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False)
|
||||||
return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||||
allow_tls_fallback, secondary_user_rdns=secondary_user_rdns,
|
allow_tls_fallback, secondary_user_rdns=secondary_user_rdns,
|
||||||
requires_email=features.MAILING)
|
requires_email=features.MAILING, timeout=timeout,
|
||||||
|
network_timeout=network_timeout)
|
||||||
|
|
||||||
if authentication_type == 'JWT':
|
if authentication_type == 'JWT':
|
||||||
verify_url = config.get('JWT_VERIFY_ENDPOINT')
|
verify_url = config.get('JWT_VERIFY_ENDPOINT')
|
||||||
|
|
|
@ -8,24 +8,34 @@ from data.users.federated import FederatedUsers, UserInformation
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
_DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds
|
||||||
|
_DEFAULT_TIMEOUT = 10.0 # seconds
|
||||||
|
|
||||||
|
|
||||||
class LDAPConnectionBuilder(object):
|
class LDAPConnectionBuilder(object):
|
||||||
def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False):
|
def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False,
|
||||||
|
timeout=None, network_timeout=None):
|
||||||
self._ldap_uri = ldap_uri
|
self._ldap_uri = ldap_uri
|
||||||
self._user_dn = user_dn
|
self._user_dn = user_dn
|
||||||
self._user_pw = user_pw
|
self._user_pw = user_pw
|
||||||
self._allow_tls_fallback = allow_tls_fallback
|
self._allow_tls_fallback = allow_tls_fallback
|
||||||
|
self._timeout = timeout
|
||||||
|
self._network_timeout = network_timeout
|
||||||
|
|
||||||
def get_connection(self):
|
def get_connection(self):
|
||||||
return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback)
|
return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback,
|
||||||
|
self._timeout, self._network_timeout)
|
||||||
|
|
||||||
|
|
||||||
class LDAPConnection(object):
|
class LDAPConnection(object):
|
||||||
def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False):
|
def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False,
|
||||||
|
timeout=None, network_timeout=None):
|
||||||
self._ldap_uri = ldap_uri
|
self._ldap_uri = ldap_uri
|
||||||
self._user_dn = user_dn
|
self._user_dn = user_dn
|
||||||
self._user_pw = user_pw
|
self._user_pw = user_pw
|
||||||
self._allow_tls_fallback = allow_tls_fallback
|
self._allow_tls_fallback = allow_tls_fallback
|
||||||
|
self._timeout = timeout
|
||||||
|
self._network_timeout = network_timeout
|
||||||
self._conn = None
|
self._conn = None
|
||||||
|
|
||||||
def __enter__(self):
|
def __enter__(self):
|
||||||
|
@ -33,6 +43,9 @@ class LDAPConnection(object):
|
||||||
|
|
||||||
self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
|
self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level)
|
||||||
self._conn.set_option(ldap.OPT_REFERRALS, 1)
|
self._conn.set_option(ldap.OPT_REFERRALS, 1)
|
||||||
|
self._conn.set_option(ldap.OPT_NETWORK_TIMEOUT,
|
||||||
|
self._network_timeout or _DEFAULT_NETWORK_TIMEOUT)
|
||||||
|
self._conn.set_option(ldap.OPT_TIMEOUT, self._timeout or _DEFAULT_TIMEOUT)
|
||||||
|
|
||||||
if self._allow_tls_fallback:
|
if self._allow_tls_fallback:
|
||||||
logger.debug('TLS Fallback enabled in LDAP')
|
logger.debug('TLS Fallback enabled in LDAP')
|
||||||
|
@ -53,9 +66,12 @@ class LDAPUsers(FederatedUsers):
|
||||||
_LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs'])
|
_LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs'])
|
||||||
|
|
||||||
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr,
|
||||||
allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True):
|
allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True,
|
||||||
|
timeout=None, network_timeout=None):
|
||||||
super(LDAPUsers, self).__init__('ldap', requires_email)
|
super(LDAPUsers, self).__init__('ldap', requires_email)
|
||||||
self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback)
|
|
||||||
|
self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback,
|
||||||
|
timeout, network_timeout)
|
||||||
self._ldap_uri = ldap_uri
|
self._ldap_uri = ldap_uri
|
||||||
self._uid_attr = uid_attr
|
self._uid_attr = uid_attr
|
||||||
self._email_attr = email_attr
|
self._email_attr = email_attr
|
||||||
|
|
|
@ -275,6 +275,20 @@ class TestLDAP(unittest.TestCase):
|
||||||
self.assertEquals(0, len(response))
|
self.assertEquals(0, len(response))
|
||||||
self.assertEquals('ldap', federated_id)
|
self.assertEquals('ldap', federated_id)
|
||||||
|
|
||||||
|
def test_timeout(self):
|
||||||
|
base_dn = ['dc=quay', 'dc=io']
|
||||||
|
admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
|
||||||
|
admin_passwd = 'password'
|
||||||
|
user_rdn = ['ou=employees']
|
||||||
|
uid_attr = 'uid'
|
||||||
|
email_attr = 'mail'
|
||||||
|
secondary_user_rdns = ['ou=otheremployees']
|
||||||
|
|
||||||
|
with self.assertRaisesRegexp(Exception, "Can't contact LDAP server"):
|
||||||
|
ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
|
||||||
|
uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns,
|
||||||
|
requires_email=False, timeout=5)
|
||||||
|
ldap.query_users('cool')
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
unittest.main()
|
unittest.main()
|
||||||
|
|
Reference in a new issue