Add default and configurable LDAP timeouts
Fixes https://www.pivotaltracker.com/story/show/135885019
This commit is contained in:
		
							parent
							
								
									e58e04b0e9
								
							
						
					
					
						commit
						e2efb6c458
					
				
					 3 changed files with 39 additions and 6 deletions
				
			
		|  | @ -45,11 +45,14 @@ def get_users_handler(config, _, override_config_dir): | ||||||
|     uid_attr = config.get('LDAP_UID_ATTR', 'uid') |     uid_attr = config.get('LDAP_UID_ATTR', 'uid') | ||||||
|     email_attr = config.get('LDAP_EMAIL_ATTR', 'mail') |     email_attr = config.get('LDAP_EMAIL_ATTR', 'mail') | ||||||
|     secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', []) |     secondary_user_rdns = config.get('LDAP_SECONDARY_USER_RDNS', []) | ||||||
|  |     timeout = config.get('LDAP_TIMEOUT') | ||||||
|  |     network_timeout = config.get('LDAP_NETWORK_TIMEOUT') | ||||||
| 
 | 
 | ||||||
|     allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False) |     allow_tls_fallback = config.get('LDAP_ALLOW_INSECURE_FALLBACK', False) | ||||||
|     return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, |     return LDAPUsers(ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, | ||||||
|                      allow_tls_fallback, secondary_user_rdns=secondary_user_rdns, |                      allow_tls_fallback, secondary_user_rdns=secondary_user_rdns, | ||||||
|                      requires_email=features.MAILING) |                      requires_email=features.MAILING, timeout=timeout, | ||||||
|  |                      network_timeout=network_timeout) | ||||||
| 
 | 
 | ||||||
|   if authentication_type == 'JWT': |   if authentication_type == 'JWT': | ||||||
|     verify_url = config.get('JWT_VERIFY_ENDPOINT') |     verify_url = config.get('JWT_VERIFY_ENDPOINT') | ||||||
|  |  | ||||||
|  | @ -8,24 +8,34 @@ from data.users.federated import FederatedUsers, UserInformation | ||||||
| 
 | 
 | ||||||
| logger = logging.getLogger(__name__) | logger = logging.getLogger(__name__) | ||||||
| 
 | 
 | ||||||
|  | _DEFAULT_NETWORK_TIMEOUT = 10.0 # seconds | ||||||
|  | _DEFAULT_TIMEOUT = 10.0 # seconds | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| class LDAPConnectionBuilder(object): | class LDAPConnectionBuilder(object): | ||||||
|   def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False): |   def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False, | ||||||
|  |                timeout=None, network_timeout=None): | ||||||
|     self._ldap_uri = ldap_uri |     self._ldap_uri = ldap_uri | ||||||
|     self._user_dn = user_dn |     self._user_dn = user_dn | ||||||
|     self._user_pw = user_pw |     self._user_pw = user_pw | ||||||
|     self._allow_tls_fallback = allow_tls_fallback |     self._allow_tls_fallback = allow_tls_fallback | ||||||
|  |     self._timeout = timeout | ||||||
|  |     self._network_timeout = network_timeout | ||||||
| 
 | 
 | ||||||
|   def get_connection(self): |   def get_connection(self): | ||||||
|     return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback) |     return LDAPConnection(self._ldap_uri, self._user_dn, self._user_pw, self._allow_tls_fallback, | ||||||
|  |                           self._timeout, self._network_timeout) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| class LDAPConnection(object): | class LDAPConnection(object): | ||||||
|   def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False): |   def __init__(self, ldap_uri, user_dn, user_pw, allow_tls_fallback=False, | ||||||
|  |                timeout=None, network_timeout=None): | ||||||
|     self._ldap_uri = ldap_uri |     self._ldap_uri = ldap_uri | ||||||
|     self._user_dn = user_dn |     self._user_dn = user_dn | ||||||
|     self._user_pw = user_pw |     self._user_pw = user_pw | ||||||
|     self._allow_tls_fallback = allow_tls_fallback |     self._allow_tls_fallback = allow_tls_fallback | ||||||
|  |     self._timeout = timeout | ||||||
|  |     self._network_timeout = network_timeout | ||||||
|     self._conn = None |     self._conn = None | ||||||
| 
 | 
 | ||||||
|   def __enter__(self): |   def __enter__(self): | ||||||
|  | @ -33,6 +43,9 @@ class LDAPConnection(object): | ||||||
| 
 | 
 | ||||||
|     self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level) |     self._conn = ldap.initialize(self._ldap_uri, trace_level=trace_level) | ||||||
|     self._conn.set_option(ldap.OPT_REFERRALS, 1) |     self._conn.set_option(ldap.OPT_REFERRALS, 1) | ||||||
|  |     self._conn.set_option(ldap.OPT_NETWORK_TIMEOUT, | ||||||
|  |                           self._network_timeout or _DEFAULT_NETWORK_TIMEOUT) | ||||||
|  |     self._conn.set_option(ldap.OPT_TIMEOUT, self._timeout or _DEFAULT_TIMEOUT) | ||||||
| 
 | 
 | ||||||
|     if self._allow_tls_fallback: |     if self._allow_tls_fallback: | ||||||
|       logger.debug('TLS Fallback enabled in LDAP') |       logger.debug('TLS Fallback enabled in LDAP') | ||||||
|  | @ -53,9 +66,12 @@ class LDAPUsers(FederatedUsers): | ||||||
|   _LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs']) |   _LDAPResult = namedtuple('LDAPResult', ['dn', 'attrs']) | ||||||
| 
 | 
 | ||||||
|   def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, |   def __init__(self, ldap_uri, base_dn, admin_dn, admin_passwd, user_rdn, uid_attr, email_attr, | ||||||
|                allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True): |                allow_tls_fallback=False, secondary_user_rdns=None, requires_email=True, | ||||||
|  |                timeout=None, network_timeout=None): | ||||||
|     super(LDAPUsers, self).__init__('ldap', requires_email) |     super(LDAPUsers, self).__init__('ldap', requires_email) | ||||||
|     self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback) | 
 | ||||||
|  |     self._ldap = LDAPConnectionBuilder(ldap_uri, admin_dn, admin_passwd, allow_tls_fallback, | ||||||
|  |                                        timeout, network_timeout) | ||||||
|     self._ldap_uri = ldap_uri |     self._ldap_uri = ldap_uri | ||||||
|     self._uid_attr = uid_attr |     self._uid_attr = uid_attr | ||||||
|     self._email_attr = email_attr |     self._email_attr = email_attr | ||||||
|  |  | ||||||
|  | @ -275,6 +275,20 @@ class TestLDAP(unittest.TestCase): | ||||||
|       self.assertEquals(0, len(response)) |       self.assertEquals(0, len(response)) | ||||||
|       self.assertEquals('ldap', federated_id) |       self.assertEquals('ldap', federated_id) | ||||||
| 
 | 
 | ||||||
|  |   def test_timeout(self): | ||||||
|  |     base_dn = ['dc=quay', 'dc=io'] | ||||||
|  |     admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io' | ||||||
|  |     admin_passwd = 'password' | ||||||
|  |     user_rdn = ['ou=employees'] | ||||||
|  |     uid_attr = 'uid' | ||||||
|  |     email_attr = 'mail' | ||||||
|  |     secondary_user_rdns = ['ou=otheremployees'] | ||||||
|  | 
 | ||||||
|  |     with self.assertRaisesRegexp(Exception, "Can't contact LDAP server"): | ||||||
|  |       ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn, | ||||||
|  |                        uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns, | ||||||
|  |                        requires_email=False, timeout=5) | ||||||
|  |       ldap.query_users('cool') | ||||||
| 
 | 
 | ||||||
| if __name__ == '__main__': | if __name__ == '__main__': | ||||||
|   unittest.main() |   unittest.main() | ||||||
|  |  | ||||||
		Reference in a new issue