canaille-globuzma/canaille/models.py

import ldap.filter
from flask import current_app
from flask import session

from .ldap_backend.ldapobject import LDAPObject


class User(LDAPObject):
    DEFAULT_OBJECT_CLASS = "inetOrgPerson"
    DEFAULT_FILTER = "(|(uid={login})(mail={login}))"
    DEFAULT_ID_ATTRIBUTE = "cn"

    attribute_table = {
        "id": "dn",
        "user_name": "uid",
        "password": "userPassword",
        "preferred_language": "preferredLanguage",
        "family_name": "sn",
        "given_name": "givenName",
        "formatted_name": "cn",
        "display_name": "displayName",
        "email": "mail",
        "phone_number": "telephoneNumber",
        "formatted_address": "postalAddress",
        "street": "street",
        "postal_code": "postalCode",
        "locality": "l",
        "region": "st",
        "photo": "jpegPhoto",
        "profile_url": "labeledURI",
        "employee_number": "employeeNumber",
        "department": "departmentNumber",
        "title": "title",
        "organization": "o",
        "last_modified": "modifyTimestamp",
    }

    def __init__(self, *args, **kwargs):
        self.read = set()
        self.write = set()
        self.permissions = set()
        self._groups = None
        super().__init__(*args, **kwargs)

    @classmethod
    def get_from_login(cls, login=None, **kwargs):
        filter = (
            (
                current_app.config["LDAP"]
                .get("USER_FILTER", User.DEFAULT_FILTER)
                .format(login=ldap.filter.escape_filter_chars(login))
            )
            if login
            else None
        )
        return cls.get(filter=filter, **kwargs)

    @classmethod
    def get(cls, **kwargs):
        user = super().get(**kwargs)
        if user:
            user.load_permissions()
            user.load_groups()

        return user

    def load_groups(self):
        group_filter = (
            current_app.config["LDAP"]
            .get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)
            .format(user=self)
        )
        escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)
        self._groups = Group.query(filter=escaped_group_filter)

    @classmethod
    def authenticate(cls, login, password, signin=False):
        user = User.get_from_login(login)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        try:
            previous = (
                session["user_id"]
                if isinstance(session["user_id"], list)
                else [session["user_id"]]
            )
            session["user_id"] = previous + [self.id]
        except KeyError:
            session["user_id"] = [self.id]

    @classmethod
    def logout(self):
        try:
            session["user_id"].pop()
            if not session["user_id"]:
                del session["user_id"]
        except KeyError:
            pass

    def has_password(self):
        return bool(self.password)

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])

        conn.set_option(
            ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"].get("TIMEOUT")
        )

        try:
            conn.simple_bind_s(self.id, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    def set_password(self, password):
        conn = self.ldap_connection()
        conn.passwd_s(
            self.id,
            None,
            password.encode("utf-8"),
        )

    def reload(self):
        super().reload()
        self.load_permissions()
        self.load_groups()

    @property
    def groups(self):
        if self._groups is None:
            self.load_groups()
        return self._groups

    @groups.setter
    def groups(self, values):
        before = self._groups or []
        after = [v if isinstance(v, Group) else Group.get(id=v) for v in values]
        to_add = set(after) - set(before)
        to_del = set(before) - set(after)
        for group in to_add:
            group.members = group.members + [self]
            group.save()
        for group in to_del:
            group.members = [member for member in group.members if member != self]
            group.save()
        self._groups = after

    def load_permissions(self):
        conn = self.ldap_connection()

        for access_group_name, details in current_app.config["ACL"].items():
            if not details.get("FILTER") or (
                self.id
                and conn.search_s(self.id, ldap.SCOPE_SUBTREE, details["FILTER"])
            ):
                self.permissions |= set(details.get("PERMISSIONS", []))
                self.read |= set(details.get("READ", []))
                self.write |= set(details.get("WRITE", []))

    def can_read(self, field):
        return field in self.read | self.write

    @property
    def can_edit_self(self):
        return "edit_self" in self.permissions

    @property
    def can_use_oidc(self):
        return "use_oidc" in self.permissions

    @property
    def can_manage_users(self):
        return "manage_users" in self.permissions

    @property
    def can_manage_groups(self):
        return "manage_groups" in self.permissions

    @property
    def can_manage_oidc(self):
        return "manage_oidc" in self.permissions

    @property
    def can_delete_account(self):
        return "delete_account" in self.permissions

    @property
    def can_impersonate_users(self):
        return "impersonate_users" in self.permissions


class Group(LDAPObject):
    DEFAULT_OBJECT_CLASS = "groupOfNames"
    DEFAULT_ID_ATTRIBUTE = "cn"
    DEFAULT_NAME_ATTRIBUTE = "cn"
    DEFAULT_USER_FILTER = "member={user.id}"

    attribute_table = {
        "id": "dn",
        "display_name": "cn",
        "members": "member",
        "description": "description",
    }

    @property
    def display_name(self):
        attribute = current_app.config["LDAP"].get(
            "GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE
        )
        return self[attribute][0]
pre-commit tox test 2021-12-20 22:57:27 +00:00			`import ldap.filter`
			`from flask import current_app`
			`from flask import session`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`from .ldap_backend.ldapobject import LDAPObject`
draft 2020-08-14 11:18:08 +00:00

Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class User(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "inetOrgPerson"`
			`DEFAULT_FILTER = "(\|(uid={login})(mail={login}))"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`

Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`attribute_table = {`
			`"id": "dn",`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`"user_name": "uid",`
			`"password": "userPassword",`
			`"preferred_language": "preferredLanguage",`
			`"family_name": "sn",`
			`"given_name": "givenName",`
			`"formatted_name": "cn",`
			`"display_name": "displayName",`
			`"email": "mail",`
			`"phone_number": "telephoneNumber",`
			`"formatted_address": "postalAddress",`
			`"street": "street",`
			`"postal_code": "postalCode",`
			`"locality": "l",`
			`"region": "st",`
			`"photo": "jpegPhoto",`
			`"profile_url": "labeledURI",`
			`"employee_number": "employeeNumber",`
			`"department": "departmentNumber",`
			`"title": "title",`
			`"organization": "o",`
			`"last_modified": "modifyTimestamp",`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`}`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def __init__(self, args, *kwargs):`
			`self.read = set()`
			`self.write = set()`
			`self.permissions = set()`
display groups on user list page 2021-12-03 15:49:19 +00:00			`self._groups = None`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`super().__init__(args, *kwargs)`

Admin login 2020-08-19 14:20:57 +00:00			`@classmethod`
Split the User.get method 2023-04-07 19:24:09 +00:00			`def get_from_login(cls, login=None, **kwargs):`
Removed the 'filter' argument from the User model 2023-04-07 18:49:30 +00:00			`filter = (`
			`(`
Escape filters 2021-12-06 14:40:30 +00:00			`current_app.config["LDAP"]`
Documentation improvements 2021-12-03 17:37:25 +00:00			`.get("USER_FILTER", User.DEFAULT_FILTER)`
Escape filters 2021-12-06 14:40:30 +00:00			`.format(login=ldap.filter.escape_filter_chars(login))`
			`)`
Removed the 'filter' argument from the User model 2023-04-07 18:49:30 +00:00			`if login`
			`else None`
			`)`
Split the User.get method 2023-04-07 19:24:09 +00:00			`return cls.get(filter=filter, **kwargs)`
User model utility 2020-10-21 15:15:33 +00:00
Split the User.get method 2023-04-07 19:24:09 +00:00			`@classmethod`
			`def get(cls, **kwargs):`
			`user = super().get(**kwargs)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`if user:`
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`user.load_permissions()`
Avoid to explicitly call User.load_groups 2023-04-08 22:14:51 +00:00			`user.load_groups()`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`return user`

Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`def load_groups(self):`
Removed unnecessary try/except blocks 2022-12-13 17:48:40 +00:00			`group_filter = (`
			`current_app.config["LDAP"]`
			`.get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)`
			`.format(user=self)`
			`)`
			`escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)`
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`self._groups = Group.query(filter=escaped_group_filter)`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
Split the User.get method 2023-04-07 19:24:09 +00:00			`user = User.get_from_login(login)`
Alternate login filters 2020-08-20 08:45:33 +00:00			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`previous = (`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"]`
			`if isinstance(session["user_id"], list)`
			`else [session["user_id"]]`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`)`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = previous + [self.id]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except KeyError:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`session["user_id"] = [self.id]`
User refactoring 2020-08-21 08:23:39 +00:00
Session compatibility fix 2020-12-29 08:31:46 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def logout(self):`
			`try:`
avoid ldap related session variable names 2022-12-29 00:10:07 +00:00			`session["user_id"].pop()`
			`if not session["user_id"]:`
			`del session["user_id"]`
Session vars are always lists 2022-12-10 19:47:47 +00:00			`except KeyError:`
User refactoring 2020-08-21 08:23:39 +00:00			`pass`

Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`def has_password(self):`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`return bool(self.password)`
Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00
draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`conn = ldap.initialize(current_app.config["LDAP"]["URI"])`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
removed useless guards for LDAP timeout 2022-12-27 19:25:59 +00:00			`conn.set_option(`
			`ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"].get("TIMEOUT")`
			`)`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`try:`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`conn.simple_bind_s(self.id, password)`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`def set_password(self, password):`
			`conn = self.ldap_connection()`
Removed unnecessary try/except blocks 2022-12-13 17:48:40 +00:00			`conn.passwd_s(`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`self.id,`
Removed unnecessary try/except blocks 2022-12-13 17:48:40 +00:00			`None,`
			`password.encode("utf-8"),`
			`)`
Password edition in user profile 2020-10-21 08:26:31 +00:00
Use LDAPObject.reload in tests instead of LDAPObject.get 2023-04-08 19:34:09 +00:00			`def reload(self):`
			`super().reload()`
Avoid to explicitly call User.load_groups 2023-04-08 22:14:51 +00:00			`self.load_permissions()`
			`self.load_groups()`
Use LDAPObject.reload in tests instead of LDAPObject.get 2023-04-08 19:34:09 +00:00
Issue 12 groups 2021-06-03 13:00:11 +00:00			`@property`
			`def groups(self):`
display groups on user list page 2021-12-03 15:49:19 +00:00			`if self._groups is None:`
			`self.load_groups()`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`return self._groups`

Group methods refactoring 2023-04-07 22:31:22 +00:00			`@groups.setter`
			`def groups(self, values):`
Avoid to explicitly call User.load_groups 2023-04-08 22:14:51 +00:00			`before = self._groups or []`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`after = [v if isinstance(v, Group) else Group.get(id=v) for v in values]`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`to_add = set(after) - set(before)`
			`to_del = set(before) - set(after)`
			`for group in to_add:`
Group methods refactoring 2023-04-07 22:31:22 +00:00			`group.members = group.members + [self]`
Do not directly save objects in Group.all/remove_member 2023-03-09 09:50:05 +00:00			`group.save()`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`for group in to_del:`
Group methods refactoring 2023-04-07 22:31:22 +00:00			`group.members = [member for member in group.members if member != self]`
Do not directly save objects in Group.all/remove_member 2023-03-09 09:50:05 +00:00			`group.save()`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`self._groups = after`

Removed the 'conn' argument when it is not needed 2023-04-07 18:43:46 +00:00			`def load_permissions(self):`
			`conn = self.ldap_connection()`
Permissions overhaul 2021-12-02 17:23:14 +00:00
			`for access_group_name, details in current_app.config["ACL"].items():`
			`if not details.get("FILTER") or (`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`self.id`
			`and conn.search_s(self.id, ldap.SCOPE_SUBTREE, details["FILTER"])`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`):`
			`self.permissions \|= set(details.get("PERMISSIONS", []))`
			`self.read \|= set(details.get("READ", []))`
			`self.write \|= set(details.get("WRITE", []))`

jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`def can_read(self, field):`
			`return field in self.read \| self.write`

Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`@property`
			`def can_edit_self(self):`
			`return "edit_self" in self.permissions`

Option to not use OIDC 2021-12-06 23:07:32 +00:00			`@property`
			`def can_use_oidc(self):`
			`return "use_oidc" in self.permissions`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`@property`
			`def can_manage_users(self):`
			`return "manage_users" in self.permissions`

			`@property`
			`def can_manage_groups(self):`
			`return "manage_groups" in self.permissions`

			`@property`
			`def can_manage_oidc(self):`
			`return "manage_oidc" in self.permissions`

			`@property`
			`def can_delete_account(self):`
			`return "delete_account" in self.permissions`

			`@property`
			`def can_impersonate_users(self):`
			`return "impersonate_users" in self.permissions`

Issue 12 groups 2021-06-03 13:00:11 +00:00
			`class Group(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "groupOfNames"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`
			`DEFAULT_NAME_ATTRIBUTE = "cn"`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`DEFAULT_USER_FILTER = "member={user.id}"`

			`attribute_table = {`
			`"id": "dn",`
Renamed group attributes to match SCIM naming convention 2023-02-05 18:39:52 +00:00			`"display_name": "cn",`
			`"members": "member",`
			`"description": "description",`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`}`
Documentation improvements 2021-12-03 17:37:25 +00:00
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`@property`
Renamed group attributes to match SCIM naming convention 2023-02-05 18:39:52 +00:00			`def display_name(self):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`attribute = current_app.config["LDAP"].get(`
			`"GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE`
			`)`
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`return self[attribute][0]`