wip

2020-08-16 20:16:57 +02:00 · 2020-08-16 20:16:57 +02:00 · 5efec79e21
commit 5efec79e21
parent 9f16c8c208
2 changed files with 43 additions and 197 deletions
--- a/test.py
+++ b/test.py
@ -1,179 +0,0 @@
-import ldap
-from pprint import pprint
-
-
-l = ldap.initialize("ldap://ldap")
-l.simple_bind_s("cn=admin,dc=mydomain,dc=tld", "admin")
-
-
-class LDAPObjectHelper:
-    _object_class_by_name = None
-    may = None
-    must = None
-
-    def __init__(self, dn=None, **kwargs):
-        self.dn = dn
-        self.attrs = {}
-        for k, v in kwargs.items():
-            self.attrs[k] = [v] if not isinstance(v, list) else v
-        self.attrs.setdefault("objectClass", self.objectClass)
-
-        by_name = self.ocs_by_name()
-        ocs = [by_name[name] for name in self.objectClass]
-        self.may = []
-        self.must = []
-        for oc in ocs:
-            self.may.extend(oc.may)
-            self.must.extend(oc.must)
-
-    @classmethod
-    def ocs_by_name(cls):
-        if cls._object_class_by_name:
-            return cls._object_class_by_name
-
-        res = l.search_s("cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"])
-        subschema_entry = res[0]
-        subschema_subentry = ldap.cidict.cidict(subschema_entry[1])
-        subschema = ldap.schema.SubSchema(subschema_subentry)
-        object_class_oids = subschema.listall(ldap.schema.models.ObjectClass)
-        cls._object_class_by_name = {}
-        for oid in object_class_oids:
-            oc = subschema.get_obj(ldap.schema.models.ObjectClass, oid)
-            for name in oc.names:
-                cls._object_class_by_name[name] = oc
-
-        return cls._object_class_by_name
-
-    def save(self):
-        try:
-            match = bool(l.search_s(self.dn, ldap.SCOPE_SUBTREE))
-        except ldap.NO_SUCH_OBJECT:
-            match = False
-
-        if match:
-            attributes = [
-                (ldap.MOD_REPLACE, k, [elt.encode("utf-8") for elt in v])
-                for k, v in self.attrs.items()
-            ]
-            l.modify_s(self.dn, attributes)
-
-        else:
-            attributes = [
-                (k, [elt.encode("utf-8") for elt in v]) for k, v in self.attrs.items()
-            ]
-            l.add_s(self.dn, attributes)
-
-    @classmethod
-    def get(cls, dn):
-        result = l.search_s(dn, ldap.SCOPE_SUBTREE)
-
-        if not result:
-            return None
-
-        o = cls(
-            dn=dn,
-            **{k: [elt.decode("utf-8") for elt in v] for k, v in result[0][1].items()},
-        )
-
-        return o
-
-    @classmethod
-    def filter(cls, base=None, **kwargs):
-        class_filter = "".join([f"(objectClass={oc})" for oc in cls.objectClass])
-        arg_filter = "".join(f"({k}={v})" for k, v in kwargs.items())
-        filter = f"(&{class_filter}{arg_filter})"
-        result = l.search_s(base or cls.base, ldap.SCOPE_SUBTREE, filter)
-
-        return [
-            cls(
-                dn=dn,
-                **{k: [elt.decode("utf-8") for elt in v] for k, v in args.items()},
-            )
-            for dn, args in result
-        ]
-
-    def __getattr__(self, name):
-        if (self.may and name in self.may) or (self.must and name in self.must):
-            return self.attrs.get(name, [])
-        return super().__getattr__(name)
-
-    def __setattr__(self, name, value):
-        super().__setattr__(name, value)
-        if not isinstance(value, list):
-            value = [value]
-        if (self.may and name in self.may) or (self.must and name in self.must):
-            self.attrs[name] = value
-
-
-class Client(LDAPObjectHelper):
-    objectClass = ["oauthClientIdentity", "oauthClientMetadataAux"]
-    base = "ou=clients,dc=mydomain,dc=tld"
-
-    def get_client_id(self):
-        return self.oauthClientID[0]
-
-    def get_default_redirect_uri(self):
-        return self.oauthRedirectURI[0]
-
-    def get_allowed_scope(self, scope):
-        return self.oauthScopeValue[0]
-
-    def check_redirect_uri(self, redirect_uri):
-        return redirect_uri in self.oauthRedirectURI
-
-    def has_client_secret(self):
-        return self.oauthClientSecret and self.oauthClientSecret[0]
-
-    def check_client_secret(self, client_secret):
-        return client_secret == self.oauthClientSecret[0]
-
-    def check_token_endpoint_auth_method(self, method):
-        return method == self.oauthTokenEndpointAuthMethod[0]
-
-    def check_response_type(self, response_type):
-        return response_type in self.oauthResponseType
-
-    def check_grant_type(self, grant_type):
-        return grant_type in self.oauthGrantType
-
-
-class User(LDAPObjectHelper):
-    objectClass = ["person"]
-    base = "ou=users,dc=mydomain,dc=tld"
-
-
-class Authorization(LDAPObjectHelper):
-    objectClass = ["oauth2Authz"]
-    base = "ou=authorizations,dc=mydomain,dc=tld"
-
-    def get_redirect_uri(self):
-        return Client.get(self.authzClientID[0]).oauthRedirectURI[0]
-
-    def get_scope(self):
-        return self.oauth2ScopeValue[0]
-
-
-class Token(LDAPObjectHelper):
-    objectClass = ["oauth2IdAccessToken"]
-    base = "ou=tokens,dc=mydomain,dc=tld"
-
-    def get_client_id(self):
-        return self.authzClientID[0]
-
-    def get_scope(self):
-        return self.authzScopeValue[0]
-
-    def get_expires_in(self):
-        return self.authzAccessTokenLifetime[0]
-
-    def get_expires_at(self):
-        return self.authzAccessTokenIssueDate[0] + self.authzAccessTokenLifetime[0]
-
-
-# u = User.get("cn=John Doe,ou=users,dc=mydomain,dc=tld")
-# print(u.attrs)
-# u = User.get("cn=Jane Doe,ou=users,dc=mydomain,dc=tld")
-# print(u.attrs)
-
-users = Client.filter()
-pprint([u.attrs for u in users])
--- a/website/models.py
+++ b/website/models.py
@ -17,8 +17,6 @@ class LDAPObjectHelper:
    base = None
    id = None

-    # TODO If ldap attribute is SINGLE-VALUE, do not bother with lists
-
    def __init__(self, dn=None, **kwargs):
        self.attrs = {}
        for k, v in kwargs.items():
@ -59,6 +57,26 @@ class LDAPObjectHelper:

        return cls._object_class_by_name

+    @classmethod
+    def attr_type_by_name(cls):
+        if cls._attribute_type_by_name:
+            return cls._attribute_type_by_name
+
+        res = g.ldap.search_s(
+            "cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"]
+        )
+        subschema_entry = res[0]
+        subschema_subentry = ldap.cidict.cidict(subschema_entry[1])
+        subschema = ldap.schema.SubSchema(subschema_subentry)
+        attribute_type_oids = subschema.listall(ldap.schema.models.AttributeType)
+        cls._attribute_type_by_name = {}
+        for oid in attribute_type_oids:
+            oc = subschema.get_obj(ldap.schema.models.AttributeType, oid)
+            for name in oc.names:
+                cls._attribute_type_by_name[name] = oc
+
+        return cls._attribute_type_by_name
+
    def save(self):
        try:
            match = bool(g.ldap.search_s(self.dn, ldap.SCOPE_SUBTREE))
@ -106,15 +124,22 @@ class LDAPObjectHelper:
        ]

    def __getattr__(self, name):
-        if (self.may and name in self.may) or (self.must and name in self.must):
-            return self.attrs.get(name, [])
+        if (not self.may or name not in self.may) and (not self.must or name not in self.must):
            return super().__getattribute__(name)

+        if not self._attribute_type_by_name[name].single_value:
+            return self.attrs.get(name, [])
+
+        return self.attrs.get(name, [None])[0]
+
    def __setattr__(self, name, value):
        super().__setattr__(name, value)
        if not isinstance(value, list):
            value = [value]
        if (self.may and name in self.may) or (self.must and name in self.must):
+            if self._attribute_type_by_name[name].single_value:
+                self.attrs[name] = [value]
+            else:
                self.attrs[name] = value


@ -124,7 +149,7 @@ class User(LDAPObjectHelper):
    id = "cn"

    def __repr__(self):
-        return self.cn[0]
+        return self.cn

    def check_password(self, password):
        return password == "valid"
@ -136,25 +161,25 @@ class Client(LDAPObjectHelper, ClientMixin):
    id = "oauthClientID"

    def get_client_id(self):
-        return self.oauthClientID[0]
+        return self.oauthClientID

    def get_default_redirect_uri(self):
-        return self.oauthRedirectURI[0]
+        return self.oauthRedirectURI

    def get_allowed_scope(self, scope):
-        return self.oauthScope[0]
+        return self.oauthScope

    def check_redirect_uri(self, redirect_uri):
        return redirect_uri in self.oauthRedirectURI

    def has_client_secret(self):
-        return self.oauthClientSecret and self.oauthClientSecret[0]
+        return self.oauthClientSecret and self.oauthClientSecret

    def check_client_secret(self, client_secret):
-        return client_secret == self.oauthClientSecret[0]
+        return client_secret == self.oauthClientSecret

    def check_token_endpoint_auth_method(self, method):
-        return method == self.oauthTokenEndpointAuthMethod[0]
+        return method == self.oauthTokenEndpointAuthMethod

    def check_response_type(self, response_type):
        return response_type in self.oauthResponseType
@ -201,10 +226,10 @@ class AuthorizationCode(LDAPObjectHelper, AuthorizationCodeMixin):
    id = "oauthCode"

    def get_redirect_uri(self):
-        return Client.get(self.authzClientID[0]).oauthRedirectURI[0]
+        return Client.get(self.authzClientID).oauthRedirectURI

    def get_scope(self):
-        return self.oauth2ScopeValue[0]
+        return self.oauth2ScopeValue

    def is_refresh_token_active(self):
        if self.revoked:
@ -228,18 +253,18 @@ class Token(LDAPObjectHelper, TokenMixin):
    id = "oauthAccessToken"

    def get_client_id(self):
-        return self.authzClientID[0]
+        return self.authzClientID

    def get_scope(self):
        return " ".join(self.oauthScope)

    def get_expires_in(self):
-        return int(self.oauthTokenLifetime[0])
+        return int(self.oauthTokenLifetime)

    def get_expires_at(self):
-        issue_date = datetime.datetime.strptime(self.oauthIssueDate[0], "%Y%m%d%H%M%SZ")
+        issue_date = datetime.datetime.strptime(self.oauthIssueDate, "%Y%m%d%H%M%SZ")
        issue_timestamp = (issue_date - datetime.datetime(1970, 1, 1)).total_seconds()
-        return issue_timestamp + int(self.oauthTokenLifetime[0])
+        return issue_timestamp + int(self.oauthTokenLifetime)

    def is_refresh_token_active(self):
        if self.revoked: