canaille-globuzma/canaille/configuration.py

import ldap
import os
import smtplib
import socket
import uuid

from cryptography.hazmat.primitives import serialization as crypto_serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend as crypto_default_backend

ROOT = os.path.dirname(os.path.abspath(__file__))


class ConfigurationException(Exception):
    pass


def validate(config, validate_remote=False):
    validate_keypair(config)
    validate_theme(config)

    if not validate_remote:
        return

    validate_ldap_configuration(config)
    validate_smtp_configuration(config)


def validate_keypair(config):
    if not os.path.exists(config["JWT"]["PUBLIC_KEY"]):
        raise ConfigurationException(
            f'Public key does not exist {config["JWT"]["PUBLIC_KEY"]}'
        )

    if not os.path.exists(config["JWT"]["PRIVATE_KEY"]):
        raise ConfigurationException(
            f'Private key does not exist {config["JWT"]["PRIVATE_KEY"]}'
        )


def validate_ldap_configuration(config):
    from canaille.models import User, Group

    try:
        conn = ldap.initialize(config["LDAP"]["URI"])
        if config["LDAP"].get("TIMEOUT"):
            conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])
        conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])

    except ldap.SERVER_DOWN as exc:
        raise ConfigurationException(
            f'Could not connect to the LDAP server \'{config["LDAP"]["URI"]}\''
        ) from exc

    except ldap.INVALID_CREDENTIALS as exc:
        raise ConfigurationException(
            f'LDAP authentication failed with user \'{config["LDAP"]["BIND_DN"]}\''
        ) from exc

    try:
        User.ocs_by_name(conn)
        user = User(
            objectClass=["inetOrgPerson"],
            cn=f"canaille_{uuid.uuid4()}",
            sn=f"canaille_{uuid.uuid4()}",
            uid=f"canaille_{uuid.uuid4()}",
            mail=f"canaille_{uuid.uuid4()}@mydomain.tld",
            userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",
        )
        user.save(conn)
        user.delete(conn)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise ConfigurationException(
            f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '
            f'users at \'{config["LDAP"]["USER_BASE"]}\''
        ) from exc

    try:
        Group.ocs_by_name(conn)

        user = User(
            objectClass=["inetOrgPerson"],
            cn=f"canaille_{uuid.uuid4()}",
            sn=f"canaille_{uuid.uuid4()}",
            uid=f"canaille_{uuid.uuid4()}",
            mail=f"canaille_{uuid.uuid4()}@mydomain.tld",
            userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",
        )
        user.save(conn)

        group = Group(
            objectClass=["groupOfNames"],
            cn=f"canaille_{uuid.uuid4()}",
            member=[user.dn],
        )
        group.save(conn)
        group.delete(conn)

    except ldap.INSUFFICIENT_ACCESS as exc:
        raise ConfigurationException(
            f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '
            f'groups at \'{config["LDAP"]["GROUP_BASE"]}\''
        ) from exc

    finally:
        user.delete(conn)

    conn.unbind_s()


def validate_smtp_configuration(config):
    try:
        with smtplib.SMTP(
            host=config["SMTP"]["HOST"],
            port=config["SMTP"]["PORT"],
        ) as smtp:
            if config["SMTP"].get("TLS"):
                smtp.starttls()

            if config["SMTP"].get("LOGIN"):
                smtp.login(
                    user=config["SMTP"]["LOGIN"],
                    password=config["SMTP"].get("PASSWORD"),
                )
    except (socket.gaierror, ConnectionRefusedError) as exc:
        raise ConfigurationException(
            f'Could not connect to the SMTP server \'{config["SMTP"]["HOST"]}\''
        ) from exc

    except smtplib.SMTPAuthenticationError as exc:
        raise ConfigurationException(
            f'SMTP authentication failed with user \'{config["SMTP"]["LOGIN"]}\''
        ) from exc


def validate_theme(config):
    if not config.get("THEME"):
        return

    if not os.path.exists(config["THEME"]) and not os.path.exists(
        os.path.join(ROOT, "themes", config["THEME"])
    ):
        raise ConfigurationException(f'Cannot find theme \'{config["THEME"]}\'')


def setup_dev_keypair(config):
    if os.path.exists(config["JWT"]["PUBLIC_KEY"]) or os.path.exists(
        config["JWT"]["PRIVATE_KEY"]
    ):
        return

    key = rsa.generate_private_key(
        backend=crypto_default_backend(), public_exponent=65537, key_size=2048
    )
    private_key = key.private_bytes(
        crypto_serialization.Encoding.PEM,
        crypto_serialization.PrivateFormat.PKCS8,
        crypto_serialization.NoEncryption(),
    )
    public_key = key.public_key().public_bytes(
        crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH
    )

    with open(config["JWT"]["PUBLIC_KEY"], "wb") as fd:
        fd.write(public_key)

    with open(config["JWT"]["PRIVATE_KEY"], "wb") as fd:
        fd.write(private_key)
implemented a function that checks some parts of the configuration 2021-10-12 18:36:31 +00:00			`import ldap`
flask app refactoring 2021-10-12 16:24:51 +00:00			`import os`
check command 2021-10-13 08:12:44 +00:00			`import smtplib`
			`import socket`
'check' command check ldap permissions 2021-10-26 20:49:36 +00:00			`import uuid`
flask app refactoring 2021-10-12 16:24:51 +00:00
			`from cryptography.hazmat.primitives import serialization as crypto_serialization`
			`from cryptography.hazmat.primitives.asymmetric import rsa`
			`from cryptography.hazmat.backends import default_backend as crypto_default_backend`

use flask-themer to allow theme customization 2021-10-28 13:24:34 +00:00			`ROOT = os.path.dirname(os.path.abspath(__file__))`

flask app refactoring 2021-10-12 16:24:51 +00:00
check command 2021-10-13 08:12:44 +00:00			`class ConfigurationException(Exception):`
			`pass`


flask app refactoring 2021-10-12 16:24:51 +00:00			`def validate(config, validate_remote=False):`
use flask-themer to allow theme customization 2021-10-28 13:24:34 +00:00			`validate_keypair(config)`
			`validate_theme(config)`

			`if not validate_remote:`
			`return`

			`validate_ldap_configuration(config)`
			`validate_smtp_configuration(config)`


			`def validate_keypair(config):`
flask app refactoring 2021-10-12 16:24:51 +00:00			`if not os.path.exists(config["JWT"]["PUBLIC_KEY"]):`
check command 2021-10-13 08:12:44 +00:00			`raise ConfigurationException(`
			`f'Public key does not exist {config["JWT"]["PUBLIC_KEY"]}'`
			`)`
flask app refactoring 2021-10-12 16:24:51 +00:00
			`if not os.path.exists(config["JWT"]["PRIVATE_KEY"]):`
check command 2021-10-13 08:12:44 +00:00			`raise ConfigurationException(`
			`f'Private key does not exist {config["JWT"]["PRIVATE_KEY"]}'`
			`)`
flask app refactoring 2021-10-12 16:24:51 +00:00
check command 2021-10-13 08:12:44 +00:00
			`def validate_ldap_configuration(config):`
'check' command check ldap permissions 2021-10-26 20:49:36 +00:00			`from canaille.models import User, Group`

check command 2021-10-13 08:12:44 +00:00			`try:`
			`conn = ldap.initialize(config["LDAP"]["URI"])`
			`if config["LDAP"].get("TIMEOUT"):`
			`conn.set_option(ldap.OPT_NETWORK_TIMEOUT, config["LDAP"]["TIMEOUT"])`
			`conn.simple_bind_s(config["LDAP"]["BIND_DN"], config["LDAP"]["BIND_PW"])`

			`except ldap.SERVER_DOWN as exc:`
			`raise ConfigurationException(`
			`f'Could not connect to the LDAP server \'{config["LDAP"]["URI"]}\''`
			`) from exc`

			`except ldap.INVALID_CREDENTIALS as exc:`
			`raise ConfigurationException(`
			`f'LDAP authentication failed with user \'{config["LDAP"]["BIND_DN"]}\''`
			`) from exc`

'check' command check ldap permissions 2021-10-26 20:49:36 +00:00			`try:`
			`User.ocs_by_name(conn)`
			`user = User(`
			`objectClass=["inetOrgPerson"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`sn=f"canaille_{uuid.uuid4()}",`
			`uid=f"canaille_{uuid.uuid4()}",`
			`mail=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",`
			`)`
			`user.save(conn)`
			`user.delete(conn)`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
Fixed double spaces 2021-10-26 20:54:34 +00:00			`f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '`
'check' command check ldap permissions 2021-10-26 20:49:36 +00:00			`f'users at \'{config["LDAP"]["USER_BASE"]}\''`
			`) from exc`

			`try:`
			`Group.ocs_by_name(conn)`

			`user = User(`
			`objectClass=["inetOrgPerson"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`sn=f"canaille_{uuid.uuid4()}",`
			`uid=f"canaille_{uuid.uuid4()}",`
			`mail=f"canaille_{uuid.uuid4()}@mydomain.tld",`
			`userPassword="{SSHA}fw9DYeF/gHTHuVMepsQzVYAkffGcU8Fz",`
			`)`
			`user.save(conn)`

			`group = Group(`
			`objectClass=["groupOfNames"],`
			`cn=f"canaille_{uuid.uuid4()}",`
			`member=[user.dn],`
			`)`
			`group.save(conn)`
			`group.delete(conn)`

			`except ldap.INSUFFICIENT_ACCESS as exc:`
			`raise ConfigurationException(`
Fixed double spaces 2021-10-26 20:54:34 +00:00			`f'LDAP user \'{config["LDAP"]["BIND_DN"]}\' cannot create '`
'check' command check ldap permissions 2021-10-26 20:49:36 +00:00			`f'groups at \'{config["LDAP"]["GROUP_BASE"]}\''`
			`) from exc`

			`finally:`
			`user.delete(conn)`

			`conn.unbind_s()`

check command 2021-10-13 08:12:44 +00:00
			`def validate_smtp_configuration(config):`
			`try:`
			`with smtplib.SMTP(`
			`host=config["SMTP"]["HOST"],`
			`port=config["SMTP"]["PORT"],`
			`) as smtp:`
			`if config["SMTP"].get("TLS"):`
			`smtp.starttls()`

			`if config["SMTP"].get("LOGIN"):`
			`smtp.login(`
			`user=config["SMTP"]["LOGIN"],`
			`password=config["SMTP"].get("PASSWORD"),`
			`)`
			`except (socket.gaierror, ConnectionRefusedError) as exc:`
			`raise ConfigurationException(`
			`f'Could not connect to the SMTP server \'{config["SMTP"]["HOST"]}\''`
			`) from exc`

			`except smtplib.SMTPAuthenticationError as exc:`
			`raise ConfigurationException(`
			`f'SMTP authentication failed with user \'{config["SMTP"]["LOGIN"]}\''`
			`) from exc`
implemented a function that checks some parts of the configuration 2021-10-12 18:36:31 +00:00
flask app refactoring 2021-10-12 16:24:51 +00:00
use flask-themer to allow theme customization 2021-10-28 13:24:34 +00:00			`def validate_theme(config):`
			`if not config.get("THEME"):`
			`return`

			`if not os.path.exists(config["THEME"]) and not os.path.exists(`
			`os.path.join(ROOT, "themes", config["THEME"])`
			`):`
			`raise ConfigurationException(f'Cannot find theme \'{config["THEME"]}\'')`


flask app refactoring 2021-10-12 16:24:51 +00:00			`def setup_dev_keypair(config):`
			`if os.path.exists(config["JWT"]["PUBLIC_KEY"]) or os.path.exists(`
			`config["JWT"]["PRIVATE_KEY"]`
			`):`
			`return`

			`key = rsa.generate_private_key(`
			`backend=crypto_default_backend(), public_exponent=65537, key_size=2048`
			`)`
			`private_key = key.private_bytes(`
			`crypto_serialization.Encoding.PEM,`
			`crypto_serialization.PrivateFormat.PKCS8,`
			`crypto_serialization.NoEncryption(),`
			`)`
			`public_key = key.public_key().public_bytes(`
			`crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH`
			`)`

			`with open(config["JWT"]["PUBLIC_KEY"], "wb") as fd:`
			`fd.write(public_key)`

			`with open(config["JWT"]["PRIVATE_KEY"], "wb") as fd:`
			`fd.write(private_key)`