canaille-globuzma/canaille/installation.py

import os
from contextlib import contextmanager

import ldap.modlist
import ldif
from cryptography.hazmat.backends import default_backend as crypto_default_backend
from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa

from .oidc.models import AuthorizationCode
from .oidc.models import Client
from .oidc.models import Consent
from .oidc.models import Token


class InstallationException(Exception):
    pass


def install(config):
    setup_ldap_tree(config)
    setup_keypair(config)
    setup_schemas(config)


@contextmanager
def ldap_connection(config):
    conn = ldap.initialize(config["LDAP"]["URI"])
    if config["LDAP"].get("TIMEOUT"):
        conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])

    conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])

    try:
        yield conn
    finally:
        conn.unbind_s()


def setup_ldap_tree(config):
    with ldap_connection(config) as conn:
        Token.initialize(conn)
        AuthorizationCode.initialize(conn)
        Client.initialize(conn)
        Consent.initialize(conn)


def setup_keypair(config):
    if os.path.exists(config["JWT"]["PUBLIC_KEY"]) or os.path.exists(
        config["JWT"]["PRIVATE_KEY"]
    ):
        return

    key = rsa.generate_private_key(
        backend=crypto_default_backend(), public_exponent=65537, key_size=2048
    )
    private_key = key.private_bytes(
        crypto_serialization.Encoding.PEM,
        crypto_serialization.PrivateFormat.PKCS8,
        crypto_serialization.NoEncryption(),
    )
    public_key = key.public_key().public_bytes(
        crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH
    )

    with open(config["JWT"]["PUBLIC_KEY"], "wb") as fd:
        fd.write(public_key)

    with open(config["JWT"]["PRIVATE_KEY"], "wb") as fd:
        fd.write(private_key)


def setup_schemas(config):
    with open("canaille/ldap_backend/schemas/oauth2-openldap.ldif") as fd:
        parser = ldif.LDIFRecordList(fd)
        parser.parse()

    try:
        with ldap_connection(config) as conn:
            for dn, entry in parser.all_records:
                add_modlist = ldap.modlist.addModlist(entry)
                conn.add_s(dn, add_modlist)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise InstallationException(
            f"The user '{config['LDAP']['BIND_DN']}' has insufficient permissions to install LDAP schemas."
        ) from exc
install command creates jwt keypair 2021-11-13 18:11:56 +00:00			`import os`
Installation command 2021-11-14 17:58:26 +00:00			`from contextlib import contextmanager`
pre-commit tox test 2021-12-20 22:57:27 +00:00
			`import ldap.modlist`
			`import ldif`
			`from cryptography.hazmat.backends import default_backend as crypto_default_backend`
install command creates jwt keypair 2021-11-13 18:11:56 +00:00			`from cryptography.hazmat.primitives import serialization as crypto_serialization`
			`from cryptography.hazmat.primitives.asymmetric import rsa`
pre-commit tox test 2021-12-20 22:57:27 +00:00
split oidc code from the rest 2022-01-11 18:49:06 +00:00			`from .oidc.models import AuthorizationCode`
			`from .oidc.models import Client`
			`from .oidc.models import Consent`
			`from .oidc.models import Token`
basic installation command 2021-11-08 17:09:05 +00:00

Installation command 2021-11-14 17:58:26 +00:00			`class InstallationException(Exception):`
			`pass`


basic installation command 2021-11-08 17:09:05 +00:00			`def install(config):`
			`setup_ldap_tree(config)`
install command creates jwt keypair 2021-11-13 18:11:56 +00:00			`setup_keypair(config)`
Installation command 2021-11-14 17:58:26 +00:00			`setup_schemas(config)`
basic installation command 2021-11-08 17:09:05 +00:00

Installation command 2021-11-14 17:58:26 +00:00			`@contextmanager`
			`def ldap_connection(config):`
basic installation command 2021-11-08 17:09:05 +00:00			`conn = ldap.initialize(config["LDAP"]["URI"])`
			`if config["LDAP"].get("TIMEOUT"):`
			`conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])`

			`conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])`
Installation command 2021-11-14 17:58:26 +00:00
			`try:`
			`yield conn`
			`finally:`
			`conn.unbind_s()`


			`def setup_ldap_tree(config):`
			`with ldap_connection(config) as conn:`
			`Token.initialize(conn)`
			`AuthorizationCode.initialize(conn)`
			`Client.initialize(conn)`
			`Consent.initialize(conn)`
install command creates jwt keypair 2021-11-13 18:11:56 +00:00

			`def setup_keypair(config):`
			`if os.path.exists(config["JWT"]["PUBLIC_KEY"]) or os.path.exists(`
			`config["JWT"]["PRIVATE_KEY"]`
			`):`
			`return`

			`key = rsa.generate_private_key(`
			`backend=crypto_default_backend(), public_exponent=65537, key_size=2048`
			`)`
			`private_key = key.private_bytes(`
			`crypto_serialization.Encoding.PEM,`
			`crypto_serialization.PrivateFormat.PKCS8,`
			`crypto_serialization.NoEncryption(),`
			`)`
			`public_key = key.public_key().public_bytes(`
			`crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH`
			`)`

			`with open(config["JWT"]["PUBLIC_KEY"], "wb") as fd:`
			`fd.write(public_key)`

			`with open(config["JWT"]["PRIVATE_KEY"], "wb") as fd:`
			`fd.write(private_key)`
Installation command 2021-11-14 17:58:26 +00:00

			`def setup_schemas(config):`
Fixed some packaging issues 2022-03-08 18:22:52 +00:00			`with open("canaille/ldap_backend/schemas/oauth2-openldap.ldif") as fd:`
Installation command 2021-11-14 17:58:26 +00:00			`parser = ldif.LDIFRecordList(fd)`
			`parser.parse()`

			`try:`
			`with ldap_connection(config) as conn:`
			`for dn, entry in parser.all_records:`
			`add_modlist = ldap.modlist.addModlist(entry)`
			`conn.add_s(dn, add_modlist)`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise InstallationException(`
			`f"The user '{config['LDAP']['BIND_DN']}' has insufficient permissions to install LDAP schemas."`
			`) from exc`