canaille-globuzma/canaille/ldap_backend/backend.py

import logging
import uuid

import ldap
from canaille.configuration import ConfigurationException
from flask import g
from flask import render_template
from flask import request
from flask_babel import gettext as _


def setup_ldap_models(config):
    from .ldapobject import LDAPObject
    from ..models import Group
    from ..models import User

    LDAPObject.root_dn = config["LDAP"]["ROOT_DN"]

    user_base = config["LDAP"]["USER_BASE"]
    if user_base.endswith(config["LDAP"]["ROOT_DN"]):
        user_base = user_base[: -len(config["LDAP"]["ROOT_DN"]) - 1]
    User.base = user_base
    User.id = config["LDAP"].get("USER_ID_ATTRIBUTE", User.DEFAULT_ID_ATTRIBUTE)
    User.object_class = [config["LDAP"].get("USER_CLASS", User.DEFAULT_OBJECT_CLASS)]

    group_base = config["LDAP"].get("GROUP_BASE")
    if group_base.endswith(config["LDAP"]["ROOT_DN"]):
        group_base = group_base[: -len(config["LDAP"]["ROOT_DN"]) - 1]
    Group.base = group_base
    Group.id = config["LDAP"].get("GROUP_ID_ATTRIBUTE", Group.DEFAULT_ID_ATTRIBUTE)
    Group.object_class = [config["LDAP"].get("GROUP_CLASS", Group.DEFAULT_OBJECT_CLASS)]


def setup_backend(app):
    try:  # pragma: no-cover
        if request.endpoint == "static":
            return
    except RuntimeError:
        pass

    try:
        g.ldap = ldap.initialize(app.config["LDAP"]["URI"])
        if app.config["LDAP"].get("TIMEOUT"):
            g.ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, app.config["LDAP"]["TIMEOUT"])
        g.ldap.simple_bind_s(
            app.config["LDAP"]["BIND_DN"], app.config["LDAP"]["BIND_PW"]
        )

    except ldap.SERVER_DOWN:
        message = _("Could not connect to the LDAP server '{uri}'").format(
            uri=app.config["LDAP"]["URI"]
        )
        logging.error(message)
        return (
            render_template(
                "error.html",
                error=500,
                icon="database",
                debug=app.config.get("DEBUG", False),
                description=message,
            ),
            500,
        )

    except ldap.INVALID_CREDENTIALS:
        message = _("LDAP authentication failed with user '{user}'").format(
            user=app.config["LDAP"]["BIND_DN"]
        )
        logging.error(message)
        return (
            render_template(
                "error.html",
                error=500,
                icon="key",
                debug=app.config.get("DEBUG", False),
                description=message,
            ),
            500,
        )


def teardown_backend(app):
    if g.get("ldap"):
        g.ldap.unbind_s()
        g.ldap = None


def init_backend(app):
    setup_ldap_models(app.config)

    @app.before_request
    def before_request():
        if not app.config["TESTING"]:
            return setup_backend(app)

    @app.after_request
    def after_request(response):
        if not app.config["TESTING"]:
            teardown_backend(app)
        return response


def validate_configuration(config):
    from canaille.models import User, Group

    try:
        conn = ldap.initialize(config["LDAP"]["URI"])
        if config["LDAP"].get("TIMEOUT"):
            conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])
        conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])

    except ldap.SERVER_DOWN as exc:
        raise ConfigurationException(
            f'Could not connect to the LDAP server \'{config["LDAP"]["URI"]}\''
        ) from exc

    except ldap.INVALID_CREDENTIALS as exc:
        raise ConfigurationException(
            f'LDAP authentication failed with user \'{config["LDAP"]["BIND_DN"]}\''
        ) from exc

    try:
        User.ldap_object_classes(conn)
        user = User(
            objectClass=["inetOrgPerson"],
            cn=f"canaille_{uuid.uuid4()}",
            sn=f"canaille_{uuid.uuid4()}",
            uid=f"canaille_{uuid.uuid4()}",
            mail=f"canaille_{uuid.uuid4()}@mydomain.tld",
            userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",
        )
        user.save(conn)
        user.delete(conn)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise ConfigurationException(
            f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '
            f'users at \'{config["LDAP"]["USER_BASE"]}\''
        ) from exc

    try:
        Group.ldap_object_classes(conn)

        user = User(
            objectClass=["inetOrgPerson"],
            cn=f"canaille_{uuid.uuid4()}",
            sn=f"canaille_{uuid.uuid4()}",
            uid=f"canaille_{uuid.uuid4()}",
            mail=f"canaille_{uuid.uuid4()}@mydomain.tld",
            userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",
        )
        user.save(conn)

        group = Group(
            objectClass=["groupOfNames"],
            cn=f"canaille_{uuid.uuid4()}",
            member=[user.dn],
        )
        group.save(conn)
        group.delete(conn)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise ConfigurationException(
            f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '
            f'groups at \'{config["LDAP"]["GROUP_BASE"]}\''
        ) from exc

    finally:
        user.delete(conn)

    conn.unbind_s()
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`import logging`
			`import uuid`

			`import ldap`
			`from canaille.configuration import ConfigurationException`
			`from flask import g`
			`from flask import render_template`
			`from flask import request`
			`from flask_babel import gettext as _`


setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`def setup_ldap_models(config):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`from .ldapobject import LDAPObject`
			`from ..models import Group`
			`from ..models import User`

setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`LDAPObject.root_dn = config["LDAP"]["ROOT_DN"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`user_base = config["LDAP"]["USER_BASE"]`
			`if user_base.endswith(config["LDAP"]["ROOT_DN"]):`
			`user_base = user_base[: -len(config["LDAP"]["ROOT_DN"]) - 1]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`User.base = user_base`
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`User.id = config["LDAP"].get("USER_ID_ATTRIBUTE", User.DEFAULT_ID_ATTRIBUTE)`
			`User.object_class = [config["LDAP"].get("USER_CLASS", User.DEFAULT_OBJECT_CLASS)]`

			`group_base = config["LDAP"].get("GROUP_BASE")`
			`if group_base.endswith(config["LDAP"]["ROOT_DN"]):`
			`group_base = group_base[: -len(config["LDAP"]["ROOT_DN"]) - 1]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`Group.base = group_base`
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`Group.id = config["LDAP"].get("GROUP_ID_ATTRIBUTE", Group.DEFAULT_ID_ATTRIBUTE)`
			`Group.object_class = [config["LDAP"].get("GROUP_CLASS", Group.DEFAULT_OBJECT_CLASS)]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00

			`def setup_backend(app):`
			`try: # pragma: no-cover`
			`if request.endpoint == "static":`
			`return`
			`except RuntimeError:`
			`pass`

			`try:`
			`g.ldap = ldap.initialize(app.config["LDAP"]["URI"])`
			`if app.config["LDAP"].get("TIMEOUT"):`
			`g.ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, app.config["LDAP"]["TIMEOUT"])`
			`g.ldap.simple_bind_s(`
			`app.config["LDAP"]["BIND_DN"], app.config["LDAP"]["BIND_PW"]`
			`)`

			`except ldap.SERVER_DOWN:`
			`message = _("Could not connect to the LDAP server '{uri}'").format(`
			`uri=app.config["LDAP"]["URI"]`
			`)`
			`logging.error(message)`
			`return (`
			`render_template(`
			`"error.html",`
			`error=500,`
			`icon="database",`
			`debug=app.config.get("DEBUG", False),`
			`description=message,`
			`),`
			`500,`
			`)`

			`except ldap.INVALID_CREDENTIALS:`
			`message = _("LDAP authentication failed with user '{user}'").format(`
			`user=app.config["LDAP"]["BIND_DN"]`
			`)`
			`logging.error(message)`
			`return (`
			`render_template(`
			`"error.html",`
			`error=500,`
			`icon="key",`
			`debug=app.config.get("DEBUG", False),`
			`description=message,`
			`),`
			`500,`
			`)`


			`def teardown_backend(app):`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`if g.get("ldap"):`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`g.ldap.unbind_s()`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`g.ldap = None`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00

			`def init_backend(app):`
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`setup_ldap_models(app.config)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
			`@app.before_request`
			`def before_request():`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`if not app.config["TESTING"]:`
			`return setup_backend(app)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
			`@app.after_request`
			`def after_request(response):`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`if not app.config["TESTING"]:`
			`teardown_backend(app)`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`return response`


			`def validate_configuration(config):`
			`from canaille.models import User, Group`

			`try:`
			`conn = ldap.initialize(config["LDAP"]["URI"])`
			`if config["LDAP"].get("TIMEOUT"):`
			`conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])`
			`conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])`

			`except ldap.SERVER_DOWN as exc:`
			`raise ConfigurationException(`
			`f'Could not connect to the LDAP server \'{config["LDAP"]["URI"]}\''`
			`) from exc`

			`except ldap.INVALID_CREDENTIALS as exc:`
			`raise ConfigurationException(`
			`f'LDAP authentication failed with user \'{config["LDAP"]["BIND_DN"]}\''`
			`) from exc`

			`try:`
			`User.ldap_object_classes(conn)`
			`user = User(`
			`objectClass=["inetOrgPerson"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`sn=f"canaille_{uuid.uuid4()}",`
			`uid=f"canaille_{uuid.uuid4()}",`
			`mail=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",`
			`)`
			`user.save(conn)`
			`user.delete(conn)`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
			`f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '`
			`f'users at \'{config["LDAP"]["USER_BASE"]}\''`
			`) from exc`

			`try:`
			`Group.ldap_object_classes(conn)`

			`user = User(`
			`objectClass=["inetOrgPerson"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`sn=f"canaille_{uuid.uuid4()}",`
			`uid=f"canaille_{uuid.uuid4()}",`
			`mail=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",`
			`)`
			`user.save(conn)`

			`group = Group(`
			`objectClass=["groupOfNames"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`member=[user.dn],`
			`)`
			`group.save(conn)`
			`group.delete(conn)`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
			`f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '`
			`f'groups at \'{config["LDAP"]["GROUP_BASE"]}\''`
			`) from exc`

			`finally:`
			`user.delete(conn)`

			`conn.unbind_s()`