canaille-globuzma/canaille/core/models.py

import ldap.filter
from canaille.backends.ldap.ldapobject import LDAPObject
from flask import current_app
from flask import session


class User(LDAPObject):
    DEFAULT_OBJECT_CLASS = "inetOrgPerson"
    DEFAULT_FILTER = "(|(uid={login})(mail={login}))"
    DEFAULT_ID_ATTRIBUTE = "cn"

    attribute_table = {
        "id": "dn",
        "user_name": "uid",
        "password": "userPassword",
        "preferred_language": "preferredLanguage",
        "family_name": "sn",
        "given_name": "givenName",
        "formatted_name": "cn",
        "display_name": "displayName",
        "email": "mail",
        "phone_number": "telephoneNumber",
        "formatted_address": "postalAddress",
        "street": "street",
        "postal_code": "postalCode",
        "locality": "l",
        "region": "st",
        "photo": "jpegPhoto",
        "profile_url": "labeledURI",
        "employee_number": "employeeNumber",
        "department": "departmentNumber",
        "title": "title",
        "organization": "o",
        "last_modified": "modifyTimestamp",
        "groups": "memberOf",
    }

    def __init__(self, *args, **kwargs):
        self.read = set()
        self.write = set()
        self.permissions = set()
        super().__init__(*args, **kwargs)

    @classmethod
    def get_from_login(cls, login=None, **kwargs):
        filter = (
            (
                current_app.config["BACKENDS"]["LDAP"]
                .get("USER_FILTER", User.DEFAULT_FILTER)
                .format(login=ldap.filter.escape_filter_chars(login))
            )
            if login
            else None
        )
        return cls.get(filter=filter, **kwargs)

    @classmethod
    def get(cls, **kwargs):
        user = super().get(**kwargs)
        if user:
            user.load_permissions()

        return user

    @classmethod
    def acl_filter_to_ldap_filter(cls, filter_):
        if isinstance(filter_, dict):
            base = "".join(
                f"({cls.attribute_table.get(key, key)}={value})"
                for key, value in filter_.items()
            )
            return f"(&{base})" if len(filter_) > 1 else base

        if isinstance(filter_, list):
            return (
                "(|"
                + "".join(cls.acl_filter_to_ldap_filter(mapping) for mapping in filter_)
                + ")"
            )

        return filter_

    @classmethod
    def authenticate(cls, login, password, signin=False):
        user = User.get_from_login(login)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        try:
            previous = (
                session["user_id"]
                if isinstance(session["user_id"], list)
                else [session["user_id"]]
            )
            session["user_id"] = previous + [self.id]
        except KeyError:
            session["user_id"] = [self.id]

    @classmethod
    def logout(self):
        try:
            session["user_id"].pop()
            if not session["user_id"]:
                del session["user_id"]
        except (IndexError, KeyError):
            pass

    def has_password(self):
        return bool(self.password)

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["BACKENDS"]["LDAP"]["URI"])

        conn.set_option(
            ldap.OPT_NETWORK_TIMEOUT,
            current_app.config["BACKENDS"]["LDAP"].get("TIMEOUT"),
        )

        try:
            conn.simple_bind_s(self.id, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    def set_password(self, password):
        conn = self.ldap_connection()
        conn.passwd_s(
            self.id,
            None,
            password.encode("utf-8"),
        )

    def reload(self):
        super().reload()
        self.load_permissions()

    def save(self, *args, **kwargs):
        group_attr = self.attribute_table.get("groups", "groups")
        new_groups = self.changes.get(group_attr)
        if not new_groups:
            return super().save(*args, **kwargs)

        old_groups = self.attrs.get(group_attr) or []
        new_groups = [
            v if isinstance(v, Group) else Group.get(id=v) for v in new_groups
        ]
        to_add = set(new_groups) - set(old_groups)
        to_del = set(old_groups) - set(new_groups)

        del self.changes[group_attr]
        super().save(*args, **kwargs)

        for group in to_add:
            group.members = group.members + [self]
            group.save()

        for group in to_del:
            group.members = [member for member in group.members if member != self]
            group.save()

        self.attrs[group_attr] = new_groups

    def load_permissions(self):
        conn = self.ldap_connection()

        for access_group_name, details in current_app.config["ACL"].items():
            filter_ = self.acl_filter_to_ldap_filter(details.get("FILTER"))
            if not filter_ or (
                self.id and conn.search_s(self.id, ldap.SCOPE_SUBTREE, filter_)
            ):
                self.permissions |= set(details.get("PERMISSIONS", []))
                self.read |= set(details.get("READ", []))
                self.write |= set(details.get("WRITE", []))

    def can_read(self, field):
        return field in self.read | self.write

    @property
    def can_edit_self(self):
        return "edit_self" in self.permissions

    @property
    def can_use_oidc(self):
        return "use_oidc" in self.permissions

    @property
    def can_manage_users(self):
        return "manage_users" in self.permissions

    @property
    def can_manage_groups(self):
        return "manage_groups" in self.permissions

    @property
    def can_manage_oidc(self):
        return "manage_oidc" in self.permissions

    @property
    def can_delete_account(self):
        return "delete_account" in self.permissions

    @property
    def can_impersonate_users(self):
        return "impersonate_users" in self.permissions


class Group(LDAPObject):
    DEFAULT_OBJECT_CLASS = "groupOfNames"
    DEFAULT_ID_ATTRIBUTE = "cn"
    DEFAULT_NAME_ATTRIBUTE = "cn"

    attribute_table = {
        "id": "dn",
        "display_name": "cn",
        "members": "member",
        "description": "description",
    }

    @property
    def display_name(self):
        attribute = current_app.config["BACKENDS"]["LDAP"].get(
            "GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE
        )
        return self[attribute][0]
pre-commit tox test 2021-12-20 22:57:27 +00:00			`import ldap.filter`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from canaille.backends.ldap.ldapobject import LDAPObject`
pre-commit tox test 2021-12-20 22:57:27 +00:00			`from flask import current_app`
			`from flask import session`

draft 2020-08-14 11:18:08 +00:00
Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class User(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "inetOrgPerson"`
			`DEFAULT_FILTER = "(\|(uid={login})(mail={login}))"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`

Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`attribute_table = {`
			`"id": "dn",`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`"user_name": "uid",`
			`"password": "userPassword",`
			`"preferred_language": "preferredLanguage",`
			`"family_name": "sn",`
			`"given_name": "givenName",`
			`"formatted_name": "cn",`
			`"display_name": "displayName",`
			`"email": "mail",`
			`"phone_number": "telephoneNumber",`
			`"formatted_address": "postalAddress",`
			`"street": "street",`
			`"postal_code": "postalCode",`
			`"locality": "l",`
			`"region": "st",`
			`"photo": "jpegPhoto",`
			`"profile_url": "labeledURI",`
			`"employee_number": "employeeNumber",`
			`"department": "departmentNumber",`
			`"title": "title",`
			`"organization": "o",`
			`"last_modified": "modifyTimestamp",`
Update User group when `save` is called 2023-04-17 16:09:52 +00:00			`"groups": "memberOf",`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`}`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def __init__(self, args, *kwargs):`
			`self.read = set()`
			`self.write = set()`
			`self.permissions = set()`
			`super().__init__(args, *kwargs)`

Admin login 2020-08-19 14:20:57 +00:00			`@classmethod`
Split the User.get method 2023-04-07 19:24:09 +00:00			`def get_from_login(cls, login=None, **kwargs):`
Removed the 'filter' argument from the User model 2023-04-07 18:49:30 +00:00			`filter = (`
			`(`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`current_app.config["BACKENDS"]["LDAP"]`
Documentation improvements 2021-12-03 17:37:25 +00:00			`.get("USER_FILTER", User.DEFAULT_FILTER)`
Escape filters 2021-12-06 14:40:30 +00:00			`.format(login=ldap.filter.escape_filter_chars(login))`
			`)`
Removed the 'filter' argument from the User model 2023-04-07 18:49:30 +00:00			`if login`
			`else None`
			`)`
Split the User.get method 2023-04-07 19:24:09 +00:00			`return cls.get(filter=filter, **kwargs)`
User model utility 2020-10-21 15:15:33 +00:00
Split the User.get method 2023-04-07 19:24:09 +00:00			`@classmethod`
			`def get(cls, **kwargs):`
			`user = super().get(**kwargs)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`if user:`
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`user.load_permissions()`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`return user`

ACL filters are no more LDAP filters but user attribute mappings. 2023-04-14 16:46:42 +00:00			`@classmethod`
			`def acl_filter_to_ldap_filter(cls, filter_):`
			`if isinstance(filter_, dict):`
Update User group when `save` is called 2023-04-17 16:09:52 +00:00			`base = "".join(`
			`f"({cls.attribute_table.get(key, key)}={value})"`
			`for key, value in filter_.items()`
ACL filters are no more LDAP filters but user attribute mappings. 2023-04-14 16:46:42 +00:00			`)`
Update User group when `save` is called 2023-04-17 16:09:52 +00:00			`return f"(&{base})" if len(filter_) > 1 else base`
ACL filters are no more LDAP filters but user attribute mappings. 2023-04-14 16:46:42 +00:00
			`if isinstance(filter_, list):`
			`return (`
			`"(\|"`
			`+ "".join(cls.acl_filter_to_ldap_filter(mapping) for mapping in filter_)`
			`+ ")"`
			`)`

			`return filter_`

Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
Split the User.get method 2023-04-07 19:24:09 +00:00			`user = User.get_from_login(login)`
Alternate login filters 2020-08-20 08:45:33 +00:00			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`previous = (`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"]`
			`if isinstance(session["user_id"], list)`
			`else [session["user_id"]]`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`)`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = previous + [self.id]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except KeyError:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = [self.id]`
User refactoring 2020-08-21 08:23:39 +00:00
Session compatibility fix 2020-12-29 08:31:46 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def logout(self):`
			`try:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"].pop()`
			`if not session["user_id"]:`
			`del session["user_id"]`
User.logout excepts IndexError in case of invalid sessions 2023-04-18 18:36:48 +00:00			`except (IndexError, KeyError):`
User refactoring 2020-08-21 08:23:39 +00:00			`pass`

Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`def has_password(self):`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`return bool(self.password)`
Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00
draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`conn = ldap.initialize(current_app.config["BACKENDS"]["LDAP"]["URI"])`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
removed useless guards for LDAP timeout 2022-12-27 19:25:59 +00:00			`conn.set_option(`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`ldap.OPT_NETWORK_TIMEOUT,`
			`current_app.config["BACKENDS"]["LDAP"].get("TIMEOUT"),`
removed useless guards for LDAP timeout 2022-12-27 19:25:59 +00:00			`)`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`try:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`conn.simple_bind_s(self.id, password)`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`def set_password(self, password):`
			`conn = self.ldap_connection()`
Removed unnecessary try/except blocks 2022-12-13 17:48:40 +00:00			`conn.passwd_s(`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`self.id,`
Removed unnecessary try/except blocks 2022-12-13 17:48:40 +00:00			`None,`
			`password.encode("utf-8"),`
			`)`
Password edition in user profile 2020-10-21 08:26:31 +00:00
Use LDAPObject.reload in tests instead of LDAPObject.get 2023-04-08 19:34:09 +00:00			`def reload(self):`
			`super().reload()`
Avoid to explicitly call User.load_groups 2023-04-08 22:14:51 +00:00			`self.load_permissions()`
Use LDAPObject.reload in tests instead of LDAPObject.get 2023-04-08 19:34:09 +00:00
Update User group when `save` is called 2023-04-17 16:09:52 +00:00			`def save(self, args, *kwargs):`
			`group_attr = self.attribute_table.get("groups", "groups")`
			`new_groups = self.changes.get(group_attr)`
			`if not new_groups:`
			`return super().save(args, *kwargs)`

			`old_groups = self.attrs.get(group_attr) or []`
			`new_groups = [`
			`v if isinstance(v, Group) else Group.get(id=v) for v in new_groups`
			`]`
			`to_add = set(new_groups) - set(old_groups)`
			`to_del = set(old_groups) - set(new_groups)`

			`del self.changes[group_attr]`
			`super().save(args, *kwargs)`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`for group in to_add:`
Group methods refactoring 2023-04-07 22:31:22 +00:00			`group.members = group.members + [self]`
Do not directly save objects in Group.all/remove_member 2023-03-09 09:50:05 +00:00			`group.save()`
Update User group when `save` is called 2023-04-17 16:09:52 +00:00
Issue 12 groups 2021-06-03 13:00:11 +00:00			`for group in to_del:`
Group methods refactoring 2023-04-07 22:31:22 +00:00			`group.members = [member for member in group.members if member != self]`
Do not directly save objects in Group.all/remove_member 2023-03-09 09:50:05 +00:00			`group.save()`
Update User group when `save` is called 2023-04-17 16:09:52 +00:00
			`self.attrs[group_attr] = new_groups`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`def load_permissions(self):`
			`conn = self.ldap_connection()`
Permissions overhaul 2021-12-02 17:23:14 +00:00
			`for access_group_name, details in current_app.config["ACL"].items():`
ACL filters are no more LDAP filters but user attribute mappings. 2023-04-14 16:46:42 +00:00			`filter_ = self.acl_filter_to_ldap_filter(details.get("FILTER"))`
			`if not filter_ or (`
			`self.id and conn.search_s(self.id, ldap.SCOPE_SUBTREE, filter_)`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`):`
			`self.permissions \|= set(details.get("PERMISSIONS", []))`
			`self.read \|= set(details.get("READ", []))`
			`self.write \|= set(details.get("WRITE", []))`

jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`def can_read(self, field):`
			`return field in self.read \| self.write`

Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`@property`
			`def can_edit_self(self):`
			`return "edit_self" in self.permissions`

Option to not use OIDC 2021-12-06 23:07:32 +00:00			`@property`
			`def can_use_oidc(self):`
			`return "use_oidc" in self.permissions`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`@property`
			`def can_manage_users(self):`
			`return "manage_users" in self.permissions`

			`@property`
			`def can_manage_groups(self):`
			`return "manage_groups" in self.permissions`

			`@property`
			`def can_manage_oidc(self):`
			`return "manage_oidc" in self.permissions`

			`@property`
			`def can_delete_account(self):`
			`return "delete_account" in self.permissions`

			`@property`
			`def can_impersonate_users(self):`
			`return "impersonate_users" in self.permissions`

Issue 12 groups 2021-06-03 13:00:11 +00:00
			`class Group(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "groupOfNames"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`
			`DEFAULT_NAME_ATTRIBUTE = "cn"`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00
			`attribute_table = {`
			`"id": "dn",`
Renamed group attributes to match SCIM naming convention 2023-02-05 18:39:52 +00:00			`"display_name": "cn",`
			`"members": "member",`
			`"description": "description",`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`}`
Documentation improvements 2021-12-03 17:37:25 +00:00
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`@property`
Renamed group attributes to match SCIM naming convention 2023-02-05 18:39:52 +00:00			`def display_name(self):`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`attribute = current_app.config["BACKENDS"]["LDAP"].get(`
Documentation improvements 2021-12-03 17:37:25 +00:00			`"GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE`
			`)`
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`return self[attribute][0]`