canaille-globuzma/canaille/backends/ldap/backend.py

import logging
import os
import uuid
from contextlib import contextmanager

import ldap.modlist
import ldif
from flask import current_app

from canaille.app import models
from canaille.app.configuration import ConfigurationException
from canaille.app.i18n import gettext as _
from canaille.backends import BaseBackend

from .utils import listify


@contextmanager
def ldap_connection(config):
    conn = ldap.initialize(config["BACKENDS"]["LDAP"]["URI"])
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["BACKENDS"]["LDAP"].get("TIMEOUT"))
    conn.simple_bind_s(
        config["BACKENDS"]["LDAP"]["BIND_DN"], config["BACKENDS"]["LDAP"]["BIND_PW"]
    )

    try:
        yield conn
    finally:
        conn.unbind_s()


def install_schema(config, schema_path):
    from canaille.app.installation import InstallationException

    with open(schema_path) as fd:
        parser = ldif.LDIFRecordList(fd)
        parser.parse()

    try:
        with ldap_connection(config) as conn:
            for dn, entry in parser.all_records:
                add_modlist = ldap.modlist.addModlist(entry)
                conn.add_s(dn, add_modlist)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise InstallationException(
            f"The user '{config['BACKENDS']['LDAP']['BIND_DN']}' has insufficient permissions to install LDAP schemas."
        ) from exc


class Backend(BaseBackend):
    def __init__(self, config):
        super().__init__(config)
        self._connection = None
        setup_ldap_models(config)

    @classmethod
    def install(cls, config):
        cls.setup_schemas(config)
        with cls(config).session():
            models.Token.install()
            models.AuthorizationCode.install()
            models.Client.install()
            models.Consent.install()

    @classmethod
    def setup_schemas(cls, config):
        from .ldapobject import LDAPObject

        with cls(config).session():
            if "oauthClient" not in LDAPObject.ldap_object_classes(force=True):
                install_schema(
                    config,
                    os.path.dirname(__file__) + "/schemas/oauth2-openldap.ldif",
                )

    @property
    def connection(self):
        if self._connection:
            return self._connection

        try:
            self._connection = ldap.initialize(self.config["BACKENDS"]["LDAP"]["URI"])
            self._connection.set_option(
                ldap.OPT_NETWORK_TIMEOUT,
                self.config["BACKENDS"]["LDAP"].get("TIMEOUT"),
            )
            self._connection.simple_bind_s(
                self.config["BACKENDS"]["LDAP"]["BIND_DN"],
                self.config["BACKENDS"]["LDAP"]["BIND_PW"],
            )

        except ldap.SERVER_DOWN as exc:
            message = _("Could not connect to the LDAP server '{uri}'").format(
                uri=self.config["BACKENDS"]["LDAP"]["URI"]
            )
            logging.error(message)
            raise ConfigurationException(message) from exc

        except ldap.INVALID_CREDENTIALS as exc:
            message = _("LDAP authentication failed with user '{user}'").format(
                user=self.config["BACKENDS"]["LDAP"]["BIND_DN"]
            )
            logging.error(message)
            raise ConfigurationException(message) from exc

        return self._connection

    def teardown(self):
        if self._connection:  # pragma: no branch
            self._connection.unbind_s()
            self._connection = None

    @classmethod
    def validate(cls, config):
        from canaille.app import models

        with cls(config).session():
            try:
                user = models.User(
                    formatted_name=f"canaille_{uuid.uuid4()}",
                    family_name=f"canaille_{uuid.uuid4()}",
                    user_name=f"canaille_{uuid.uuid4()}",
                    emails=f"canaille_{uuid.uuid4()}@mydomain.tld",
                    password="correct horse battery staple",
                )
                user.save()
                user.delete()

            except ldap.INSUFFICIENT_ACCESS as exc:
                raise ConfigurationException(
                    f'LDAP user \'{config["BACKENDS"]["LDAP"]["BIND_DN"]}\' cannot create '
                    f'users at \'{config["BACKENDS"]["LDAP"]["USER_BASE"]}\''
                ) from exc

            try:
                models.Group.ldap_object_classes()

                user = models.User(
                    cn=f"canaille_{uuid.uuid4()}",
                    family_name=f"canaille_{uuid.uuid4()}",
                    user_name=f"canaille_{uuid.uuid4()}",
                    emails=f"canaille_{uuid.uuid4()}@mydomain.tld",
                    password="correct horse battery staple",
                )
                user.save()

                group = models.Group(
                    display_name=f"canaille_{uuid.uuid4()}",
                    members=[user],
                )
                group.save()
                group.delete()

            except ldap.INSUFFICIENT_ACCESS as exc:
                raise ConfigurationException(
                    f'LDAP user \'{config["BACKENDS"]["LDAP"]["BIND_DN"]}\' cannot create '
                    f'groups at \'{config["BACKENDS"]["LDAP"]["GROUP_BASE"]}\''
                ) from exc

            finally:
                user.delete()

    @classmethod
    def login_placeholder(cls):
        user_filter = current_app.config["BACKENDS"]["LDAP"].get(
            "USER_FILTER", models.User.DEFAULT_FILTER
        )
        placeholders = []

        if "cn={{login" in user_filter.replace(" ", ""):
            placeholders.append(_("John Doe"))

        if "uid={{login" in user_filter.replace(" ", ""):
            placeholders.append(_("jdoe"))

        if "mail={{login" in user_filter.replace(" ", "") or not placeholders:
            placeholders.append(_("john@doe.com"))

        return _(" or ").join(placeholders)

    def has_account_lockability(self):
        from .ldapobject import LDAPObject

        try:
            return "pwdEndTime" in LDAPObject.ldap_object_attributes()
        except ldap.SERVER_DOWN:  # pragma: no cover
            return False


def setup_ldap_models(config):
    from canaille.app import models

    from .ldapobject import LDAPObject

    LDAPObject.root_dn = config["BACKENDS"]["LDAP"]["ROOT_DN"]

    user_base = config["BACKENDS"]["LDAP"]["USER_BASE"].replace(
        f',{config["BACKENDS"]["LDAP"]["ROOT_DN"]}', ""
    )
    models.User.base = user_base
    models.User.rdn_attribute = config["BACKENDS"]["LDAP"].get(
        "USER_RDN", models.User.DEFAULT_RDN
    )
    object_class = config["BACKENDS"]["LDAP"].get(
        "USER_CLASS", models.User.DEFAULT_OBJECT_CLASS
    )
    models.User.ldap_object_class = listify(object_class)

    group_base = (
        config["BACKENDS"]["LDAP"]
        .get("GROUP_BASE", "")
        .replace(f',{config["BACKENDS"]["LDAP"]["ROOT_DN"]}', "")
    )
    models.Group.base = group_base or None
    models.Group.rdn_attribute = config["BACKENDS"]["LDAP"].get(
        "GROUP_RDN", models.Group.DEFAULT_RDN
    )
    object_class = config["BACKENDS"]["LDAP"].get(
        "GROUP_CLASS", models.Group.DEFAULT_OBJECT_CLASS
    )
    models.Group.ldap_object_class = listify(object_class)
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`import logging`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`import os`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`import uuid`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`from contextlib import contextmanager`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`import ldap.modlist`
			`import ldif`
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from flask import current_app`

Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`from canaille.app import models`
			`from canaille.app.configuration import ConfigurationException`
feat: flask-babel and pytz are now part of the front extras 2023-09-01 08:46:56 +00:00			`from canaille.app.i18n import gettext as _`
Renamed Backend in BaseBackend 2023-06-05 16:10:37 +00:00			`from canaille.backends import BaseBackend`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
listify utility 2023-06-22 11:09:44 +00:00			`from .utils import listify`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`@contextmanager`
			`def ldap_connection(config):`
			`conn = ldap.initialize(config["BACKENDS"]["LDAP"]["URI"])`
			`conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["BACKENDS"]["LDAP"].get("TIMEOUT"))`
			`conn.simple_bind_s(`
			`config["BACKENDS"]["LDAP"]["BIND_DN"], config["BACKENDS"]["LDAP"]["BIND_PW"]`
			`)`

			`try:`
			`yield conn`
			`finally:`
			`conn.unbind_s()`


			`def install_schema(config, schema_path):`
			`from canaille.app.installation import InstallationException`

			`with open(schema_path) as fd:`
			`parser = ldif.LDIFRecordList(fd)`
			`parser.parse()`

			`try:`
			`with ldap_connection(config) as conn:`
			`for dn, entry in parser.all_records:`
			`add_modlist = ldap.modlist.addModlist(entry)`
Do not event attempt to add oauth schema if present 2023-05-24 14:59:36 +00:00			`conn.add_s(dn, add_modlist)`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00
			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise InstallationException(`
			`f"The user '{config['BACKENDS']['LDAP']['BIND_DN']}' has insufficient permissions to install LDAP schemas."`
			`) from exc`


Renamed Backend in BaseBackend 2023-06-05 16:10:37 +00:00			`class Backend(BaseBackend):`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def __init__(self, config):`
Backend singleton logic moved to backend.Backend 2023-05-20 16:39:49 +00:00			`super().__init__(config)`
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`self._connection = None`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`setup_ldap_models(config)`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00
			`@classmethod`
refactor: LDAP backend initialization 2023-12-27 09:57:22 +00:00			`def install(cls, config):`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00			`cls.setup_schemas(config)`
refactor: no more explicit conn argument in the LDAP backend 2023-12-25 13:03:47 +00:00			`with cls(config).session():`
			`models.Token.install()`
			`models.AuthorizationCode.install()`
			`models.Client.install()`
			`models.Consent.install()`
Moved LDAP schema installation in the ldap backend module 2023-04-10 09:44:30 +00:00
			`@classmethod`
			`def setup_schemas(cls, config):`
Do not event attempt to add oauth schema if present 2023-05-24 14:59:36 +00:00			`from .ldapobject import LDAPObject`

refactor: no more explicit conn argument in the LDAP backend 2023-12-25 13:03:47 +00:00			`with cls(config).session():`
			`if "oauthClient" not in LDAPObject.ldap_object_classes(force=True):`
Do not event attempt to add oauth schema if present 2023-05-24 14:59:36 +00:00			`install_schema(`
			`config,`
			`os.path.dirname(__file__) + "/schemas/oauth2-openldap.ldif",`
			`)`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`@property`
			`def connection(self):`
			`if self._connection:`
			`return self._connection`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
			`try:`
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`self._connection = ldap.initialize(self.config["BACKENDS"]["LDAP"]["URI"])`
			`self._connection.set_option(`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`ldap.OPT_NETWORK_TIMEOUT,`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`self.config["BACKENDS"]["LDAP"].get("TIMEOUT"),`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`)`
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`self._connection.simple_bind_s(`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`self.config["BACKENDS"]["LDAP"]["BIND_DN"],`
			`self.config["BACKENDS"]["LDAP"]["BIND_PW"],`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`)`

fix: LDAP backend connection error display 2023-12-25 12:55:33 +00:00			`except ldap.SERVER_DOWN as exc:`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`message = _("Could not connect to the LDAP server '{uri}'").format(`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`uri=self.config["BACKENDS"]["LDAP"]["URI"]`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`)`
			`logging.error(message)`
fix: LDAP backend connection error display 2023-12-25 12:55:33 +00:00			`raise ConfigurationException(message) from exc`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
fix: LDAP backend connection error display 2023-12-25 12:55:33 +00:00			`except ldap.INVALID_CREDENTIALS as exc:`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`message = _("LDAP authentication failed with user '{user}'").format(`
Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`user=self.config["BACKENDS"]["LDAP"]["BIND_DN"]`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00			`)`
			`logging.error(message)`
fix: LDAP backend connection error display 2023-12-25 12:55:33 +00:00			`raise ConfigurationException(message) from exc`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`return self._connection`
compatibility bugfix for flask 2.3 2023-06-03 11:42:23 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`def teardown(self):`
			`if self._connection: # pragma: no branch`
			`self._connection.unbind_s()`
			`self._connection = None`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
			`@classmethod`
			`def validate(cls, config):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`with cls(config).session():`
			`try:`
			`user = models.User(`
			`formatted_name=f"canaille_{uuid.uuid4()}",`
			`family_name=f"canaille_{uuid.uuid4()}",`
			`user_name=f"canaille_{uuid.uuid4()}",`
			`emails=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`password="correct horse battery staple",`
			`)`
			`user.save()`
			`user.delete()`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
			`f'LDAP user \'{config["BACKENDS"]["LDAP"]["BIND_DN"]}\' cannot create '`
			`f'users at \'{config["BACKENDS"]["LDAP"]["USER_BASE"]}\''`
			`) from exc`

			`try:`
			`models.Group.ldap_object_classes()`

			`user = models.User(`
			`cn=f"canaille_{uuid.uuid4()}",`
			`family_name=f"canaille_{uuid.uuid4()}",`
			`user_name=f"canaille_{uuid.uuid4()}",`
			`emails=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`password="correct horse battery staple",`
			`)`
			`user.save()`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`group = models.Group(`
			`display_name=f"canaille_{uuid.uuid4()}",`
			`members=[user],`
			`)`
			`group.save()`
			`group.delete()`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
			`f'LDAP user \'{config["BACKENDS"]["LDAP"]["BIND_DN"]}\' cannot create '`
			`f'groups at \'{config["BACKENDS"]["LDAP"]["GROUP_BASE"]}\''`
			`) from exc`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
feat: ldap connection is lazilly opened 2023-12-25 13:21:09 +00:00			`finally:`
			`user.delete()`
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`@classmethod`
			`def login_placeholder(cls):`
			`user_filter = current_app.config["BACKENDS"]["LDAP"].get(`
			`"USER_FILTER", models.User.DEFAULT_FILTER`
			`)`
			`placeholders = []`

USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`if "cn={{login" in user_filter.replace(" ", ""):`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholders.append(_("John Doe"))`

USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`if "uid={{login" in user_filter.replace(" ", ""):`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholders.append(_("jdoe"))`

USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`if "mail={{login" in user_filter.replace(" ", "") or not placeholders:`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholders.append(_("john@doe.com"))`

			`return _(" or ").join(placeholders)`

Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00			`def has_account_lockability(self):`
			`from .ldapobject import LDAPObject`

fix: when LDAP servers are down, rendering error pages would raise an exception 2023-10-02 12:06:06 +00:00			`try:`
			`return "pwdEndTime" in LDAPObject.ldap_object_attributes()`
tests: back to 100% coverage 2023-11-16 17:06:23 +00:00			`except ldap.SERVER_DOWN: # pragma: no cover`
fix: when LDAP servers are down, rendering error pages would raise an exception 2023-10-02 12:06:06 +00:00			`return False`
Implemented LDAP ppolicy support. 2022-11-01 11:25:21 +00:00
The LDAP Backend is now a class 2023-04-08 18:42:38 +00:00
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00			`def setup_ldap_models(config):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
chore: use isort instead of reoder-python-imports 2024-03-15 18:58:06 +00:00			`from .ldapobject import LDAPObject`

Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`LDAPObject.root_dn = config["BACKENDS"]["LDAP"]["ROOT_DN"]`
LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`user_base = config["BACKENDS"]["LDAP"]["USER_BASE"].replace(`
			`f',{config["BACKENDS"]["LDAP"]["ROOT_DN"]}', ""`
			`)`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`models.User.base = user_base`
			`models.User.rdn_attribute = config["BACKENDS"]["LDAP"].get(`
Renamed configuration entries - USER_ID_ATTRIBUTE is now USER_RDN - GROUP_ID_ATTRIBUTE is now GROUP_RDN 2023-06-27 16:47:59 +00:00			`"USER_RDN", models.User.DEFAULT_RDN`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`)`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`object_class = config["BACKENDS"]["LDAP"].get(`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`"USER_CLASS", models.User.DEFAULT_OBJECT_CLASS`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`)`
listify utility 2023-06-22 11:09:44 +00:00			`models.User.ldap_object_class = listify(object_class)`
setup_ldap_models takes a config parameter instead of an app parameter 2022-05-18 11:44:54 +00:00
ldap_backend: improved coverage 2022-12-13 18:04:33 +00:00			`group_base = (`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`config["BACKENDS"]["LDAP"]`
Add nonce to the claims_supported server metadata list 2022-12-15 10:59:00 +00:00			`.get("GROUP_BASE", "")`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`.replace(f',{config["BACKENDS"]["LDAP"]["ROOT_DN"]}', "")`
ldap_backend: improved coverage 2022-12-13 18:04:33 +00:00			`)`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`models.Group.base = group_base or None`
			`models.Group.rdn_attribute = config["BACKENDS"]["LDAP"].get(`
Renamed configuration entries - USER_ID_ATTRIBUTE is now USER_RDN - GROUP_ID_ATTRIBUTE is now GROUP_RDN 2023-06-27 16:47:59 +00:00			`"GROUP_RDN", models.Group.DEFAULT_RDN`
Renamed LDAPObject.rdn in LDAPObject.rdn_attribute 2023-03-08 15:25:50 +00:00			`)`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`object_class = config["BACKENDS"]["LDAP"].get(`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`"GROUP_CLASS", models.Group.DEFAULT_OBJECT_CLASS`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`)`
listify utility 2023-06-22 11:09:44 +00:00			`models.Group.ldap_object_class = listify(object_class)`