canaille-globuzma/canaille/models.py

import ldap.filter
from flask import current_app
from flask import session

from .ldap_backend.ldapobject import LDAPObject


class User(LDAPObject):
    DEFAULT_OBJECT_CLASS = "inetOrgPerson"
    DEFAULT_FILTER = "(|(uid={login})(mail={login}))"
    DEFAULT_ID_ATTRIBUTE = "cn"

    def __init__(self, *args, **kwargs):
        self.read = set()
        self.write = set()
        self.permissions = set()
        self._groups = None
        super().__init__(*args, **kwargs)

    @classmethod
    def get(cls, login=None, dn=None, filter=None, conn=None):
        conn = conn or cls.ldap()

        if login:
            filter = (
                current_app.config["LDAP"]
                .get("USER_FILTER", User.DEFAULT_FILTER)
                .format(login=ldap.filter.escape_filter_chars(login))
            )

        user = super().get(dn, filter, conn)
        if user:
            user.load_permissions(conn)

        return user

    def load_groups(self, conn=None):
        try:
            group_filter = (
                current_app.config["LDAP"]
                .get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)
                .format(user=self)
            )
            escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)
            self._groups = Group.filter(filter=escaped_group_filter, conn=conn)
        except KeyError:
            pass

    @classmethod
    def authenticate(cls, login, password, signin=False):
        user = User.get(login)
        if not user or not user.check_password(password):
            return None

        if signin:
            user.login()

        return user

    def login(self):
        try:
            previous = (
                session["user_dn"]
                if isinstance(session["user_dn"], list)
                else [session["user_dn"]]
            )
            session["user_dn"] = previous + [self.dn]
        except KeyError:
            session["user_dn"] = [self.dn]

    @classmethod
    def logout(self):
        try:
            if isinstance(session["user_dn"], list):
                session["user_dn"].pop()
            else:
                del session["user_dn"]
        except (IndexError, KeyError):
            pass

    def has_password(self):
        return bool(self.userPassword)

    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])

        if current_app.config["LDAP"].get("TIMEOUT"):
            conn.set_option(
                ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"]["TIMEOUT"]
            )

        try:
            conn.simple_bind_s(self.dn, password)
            return True
        except ldap.INVALID_CREDENTIALS:
            return False
        finally:
            conn.unbind_s()

    def set_password(self, password, conn=None):
        conn = conn or self.ldap()

        try:
            conn.passwd_s(
                self.dn,
                None,
                password.encode("utf-8"),
            )

        except ldap.LDAPError:
            return False

        return True

    @property
    def name(self):
        return self.cn[0]

    @property
    def groups(self):
        if self._groups is None:
            self.load_groups()
        return self._groups

    def set_groups(self, values):
        before = self._groups
        after = [v if isinstance(v, Group) else Group.get(dn=v) for v in values]
        to_add = set(after) - set(before)
        to_del = set(before) - set(after)
        for group in to_add:
            group.add_member(self)
        for group in to_del:
            group.remove_member(self)
        self._groups = after

    def load_permissions(self, conn=None):
        conn = conn or self.ldap()

        for access_group_name, details in current_app.config["ACL"].items():
            if not details.get("FILTER") or (
                self.dn
                and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, details["FILTER"])
            ):
                self.permissions |= set(details.get("PERMISSIONS", []))
                self.read |= set(details.get("READ", []))
                self.write |= set(details.get("WRITE", []))

    def can_read(self, field):
        return field in self.read | self.write

    def can_write(self, field):
        return field in self.write

    @property
    def can_edit_self(self):
        return "edit_self" in self.permissions

    @property
    def can_use_oidc(self):
        return "use_oidc" in self.permissions

    @property
    def can_manage_users(self):
        return "manage_users" in self.permissions

    @property
    def can_manage_groups(self):
        return "manage_groups" in self.permissions

    @property
    def can_manage_oidc(self):
        return "manage_oidc" in self.permissions

    @property
    def can_delete_account(self):
        return "delete_account" in self.permissions

    @property
    def can_impersonate_users(self):
        return "impersonate_users" in self.permissions


class Group(LDAPObject):
    DEFAULT_OBJECT_CLASS = "groupOfNames"
    DEFAULT_ID_ATTRIBUTE = "cn"
    DEFAULT_NAME_ATTRIBUTE = "cn"
    DEFAULT_USER_FILTER = "member={user.dn}"

    @property
    def name(self):
        attribute = current_app.config["LDAP"].get(
            "GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE
        )
        return self[attribute][0]

    def get_members(self, conn=None):
        return [
            User.get(dn=user_dn, conn=conn)
            for user_dn in self.member
            if User.get(dn=user_dn, conn=conn)
        ]

    def add_member(self, user):
        self.member = self.member + [user.dn]
        self.save()

    def remove_member(self, user):
        self.member = [m for m in self.member if m != user.dn]
        self.save()
pre-commit tox test 2021-12-20 22:57:27 +00:00			`import ldap.filter`
			`from flask import current_app`
			`from flask import session`

LdapObject an have attribute name different than the schema 2022-01-11 16:57:58 +00:00			`from .ldap_backend.ldapobject import LDAPObject`
draft 2020-08-14 11:18:08 +00:00

Renamed LDAPObjectHelper into LDAPObject 2020-09-24 13:16:25 +00:00			`class User(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "inetOrgPerson"`
			`DEFAULT_FILTER = "(\|(uid={login})(mail={login}))"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def __init__(self, args, *kwargs):`
			`self.read = set()`
			`self.write = set()`
			`self.permissions = set()`
display groups on user list page 2021-12-03 15:49:19 +00:00			`self._groups = None`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`super().__init__(args, *kwargs)`

Admin login 2020-08-19 14:20:57 +00:00			`@classmethod`
User model utility 2020-10-21 15:15:33 +00:00			`def get(cls, login=None, dn=None, filter=None, conn=None):`
Admin login 2020-08-19 14:20:57 +00:00			`conn = conn or cls.ldap()`

User model utility 2020-10-21 15:15:33 +00:00			`if login:`
Escape filters 2021-12-06 14:40:30 +00:00			`filter = (`
			`current_app.config["LDAP"]`
Documentation improvements 2021-12-03 17:37:25 +00:00			`.get("USER_FILTER", User.DEFAULT_FILTER)`
Escape filters 2021-12-06 14:40:30 +00:00			`.format(login=ldap.filter.escape_filter_chars(login))`
			`)`
User model utility 2020-10-21 15:15:33 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`user = super().get(dn, filter, conn)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`if user:`
Permissions overhaul 2021-12-02 17:23:14 +00:00			`user.load_permissions(conn)`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Admin login 2020-08-19 14:20:57 +00:00			`return user`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`def load_groups(self, conn=None):`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`try:`
Documentation improvements 2021-12-03 17:37:25 +00:00			`group_filter = (`
			`current_app.config["LDAP"]`
			`.get("GROUP_USER_FILTER", Group.DEFAULT_USER_FILTER)`
			`.format(user=self)`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`)`
Escape filters 2021-12-06 14:40:30 +00:00			`escaped_group_filter = ldap.filter.escape_filter_chars(group_filter)`
			`self._groups = Group.filter(filter=escaped_group_filter, conn=conn)`
Hide group entry if there is no group available 2021-07-01 09:36:35 +00:00			`except KeyError:`
			`pass`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Alternate login filters 2020-08-20 08:45:33 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def authenticate(cls, login, password, signin=False):`
User model utility 2020-10-21 15:15:33 +00:00			`user = User.get(login)`
Alternate login filters 2020-08-20 08:45:33 +00:00			`if not user or not user.check_password(password):`
			`return None`
Admin login 2020-08-19 14:20:57 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if signin:`
			`user.login()`

Alternate login filters 2020-08-20 08:45:33 +00:00			`return user`
draft 2020-08-14 11:18:08 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`def login(self):`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`previous = (`
			`session["user_dn"]`
			`if isinstance(session["user_dn"], list)`
			`else [session["user_dn"]]`
			`)`
			`session["user_dn"] = previous + [self.dn]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except KeyError:`
			`session["user_dn"] = [self.dn]`
User refactoring 2020-08-21 08:23:39 +00:00
Session compatibility fix 2020-12-29 08:31:46 +00:00			`@classmethod`
User refactoring 2020-08-21 08:23:39 +00:00			`def logout(self):`
			`try:`
Session compatibility fix 2020-12-29 08:31:46 +00:00			`if isinstance(session["user_dn"], list):`
			`session["user_dn"].pop()`
			`else:`
			`del session["user_dn"]`
Admins can impersonate users. Fixes #39 2020-12-11 10:52:37 +00:00			`except (IndexError, KeyError):`
User refactoring 2020-08-21 08:23:39 +00:00			`pass`

Password setup for new users. Fixes #37 2020-11-16 14:39:58 +00:00			`def has_password(self):`
			`return bool(self.userPassword)`

draft 2020-08-14 11:18:08 +00:00			`def check_password(self, password):`
Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`conn = ldap.initialize(current_app.config["LDAP"]["URI"])`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00
			`if current_app.config["LDAP"].get("TIMEOUT"):`
			`conn.set_option(`
			`ldap.OPT_NETWORK_TIMEOUT, current_app.config["LDAP"]["TIMEOUT"]`
			`)`

Actually authentify against LDAP password 2020-08-19 11:49:38 +00:00			`try:`
			`conn.simple_bind_s(self.dn, password)`
			`return True`
			`except ldap.INVALID_CREDENTIALS:`
			`return False`
			`finally:`
			`conn.unbind_s()`
draft 2020-08-14 11:18:08 +00:00
Password edition in user profile 2020-10-21 08:26:31 +00:00			`def set_password(self, password, conn=None):`
			`conn = conn or self.ldap()`

			`try:`
			`conn.passwd_s(`
fixed forgotten ldap connection timeout options 2021-10-13 14:04:08 +00:00			`self.dn,`
			`None,`
			`password.encode("utf-8"),`
Password edition in user profile 2020-10-21 08:26:31 +00:00			`)`

			`except ldap.LDAPError:`
			`return False`

			`return True`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`@property`
			`def name(self):`
			`return self.cn[0]`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`@property`
			`def groups(self):`
display groups on user list page 2021-12-03 15:49:19 +00:00			`if self._groups is None:`
			`self.load_groups()`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`return self._groups`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`def set_groups(self, values):`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`before = self._groups`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`after = [v if isinstance(v, Group) else Group.get(dn=v) for v in values]`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`to_add = set(after) - set(before)`
			`to_del = set(before) - set(after)`
			`for group in to_add:`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`group.add_member(self)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`for group in to_del:`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`group.remove_member(self)`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`self._groups = after`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`def load_permissions(self, conn=None):`
			`conn = conn or self.ldap()`

			`for access_group_name, details in current_app.config["ACL"].items():`
			`if not details.get("FILTER") or (`
			`self.dn`
			`and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, details["FILTER"])`
			`):`
			`self.permissions \|= set(details.get("PERMISSIONS", []))`
			`self.read \|= set(details.get("READ", []))`
			`self.write \|= set(details.get("WRITE", []))`

jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`def can_read(self, field):`
			`return field in self.read \| self.write`

Fixed a typo 2022-11-01 17:15:17 +00:00			`def can_write(self, field):`
jpegPhoto profile form 2021-12-08 17:06:50 +00:00			`return field in self.write`

Added an option to disable self edition 2022-04-05 15:16:09 +00:00			`@property`
			`def can_edit_self(self):`
			`return "edit_self" in self.permissions`

Option to not use OIDC 2021-12-06 23:07:32 +00:00			`@property`
			`def can_use_oidc(self):`
			`return "use_oidc" in self.permissions`

Permissions overhaul 2021-12-02 17:23:14 +00:00			`@property`
			`def can_manage_users(self):`
			`return "manage_users" in self.permissions`

			`@property`
			`def can_manage_groups(self):`
			`return "manage_groups" in self.permissions`

			`@property`
			`def can_manage_oidc(self):`
			`return "manage_oidc" in self.permissions`

			`@property`
			`def can_delete_account(self):`
			`return "delete_account" in self.permissions`

			`@property`
			`def can_impersonate_users(self):`
			`return "impersonate_users" in self.permissions`

Issue 12 groups 2021-06-03 13:00:11 +00:00
			`class Group(LDAPObject):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`DEFAULT_OBJECT_CLASS = "groupOfNames"`
			`DEFAULT_ID_ATTRIBUTE = "cn"`
			`DEFAULT_NAME_ATTRIBUTE = "cn"`
			`DEFAULT_USER_FILTER = "member={user.dn}"`

Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`@property`
			`def name(self):`
Documentation improvements 2021-12-03 17:37:25 +00:00			`attribute = current_app.config["LDAP"].get(`
			`"GROUP_NAME_ATTRIBUTE", Group.DEFAULT_NAME_ATTRIBUTE`
			`)`
Show groups and enable group creation 2021-07-01 16:21:20 +00:00			`return self[attribute][0]`

Issue 12 groups 2021-06-03 13:00:11 +00:00			`def get_members(self, conn=None):`
Fix bug on groups with non-existent members 2021-10-29 12:19:46 +00:00			`return [`
			`User.get(dn=user_dn, conn=conn)`
			`for user_dn in self.member`
			`if User.get(dn=user_dn, conn=conn)`
			`]`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`def add_member(self, user):`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`self.member = self.member + [user.dn]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`self.save()`
Issue 12 groups 2021-06-03 13:00:11 +00:00
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`def remove_member(self, user):`
Issue 12 groups 2021-06-03 13:00:11 +00:00			`self.member = [m for m in self.member if m != user.dn]`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`self.save()`