2020-10-30 03:05:59 +00:00
|
|
|
"""LDAP Authentication Provider Plugin"""
|
2020-11-16 12:35:23 +00:00
|
|
|
import io
|
2020-10-15 19:58:56 +00:00
|
|
|
import ssl
|
2020-11-15 00:21:32 +00:00
|
|
|
from typing import Optional
|
2020-11-16 01:30:24 +00:00
|
|
|
from flask_ldapconn import LDAPConn
|
|
|
|
|
from flask import current_app as app
|
2020-09-03 22:55:23 +00:00
|
|
|
from ldap3.utils.hashed import hashed
|
2020-10-15 19:58:56 +00:00
|
|
|
from ldap3.core.exceptions import LDAPPasswordIsMandatoryError, LDAPBindError
|
2020-11-16 01:30:24 +00:00
|
|
|
from ldap3 import SUBTREE, MODIFY_REPLACE, MODIFY_ADD, MODIFY_DELETE, HASHED_SALTED_MD5
|
2020-11-17 02:28:04 +00:00
|
|
|
from werkzeug.exceptions import BadRequest, InternalServerError, NotFound
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-11-13 00:20:25 +00:00
|
|
|
from flaschengeist import logger
|
2020-11-17 23:39:25 +00:00
|
|
|
from flaschengeist.plugins import AuthPlugin, after_role_updated
|
2020-11-17 02:28:04 +00:00
|
|
|
from flaschengeist.models.user import User, Role, _Avatar
|
2020-10-30 02:30:46 +00:00
|
|
|
import flaschengeist.controller.userController as userController
|
2020-09-03 22:55:23 +00:00
|
|
|
|
2020-09-01 23:09:24 +00:00
|
|
|
|
2020-10-15 19:58:56 +00:00
|
|
|
class AuthLDAP(AuthPlugin):
|
2020-10-28 13:21:20 +00:00
|
|
|
def __init__(self, cfg):
|
2020-10-15 19:58:56 +00:00
|
|
|
super().__init__()
|
2020-11-13 00:20:25 +00:00
|
|
|
config = {"port": 389, "use_ssl": False}
|
2020-10-28 13:21:20 +00:00
|
|
|
config.update(cfg)
|
2020-08-23 21:58:26 +00:00
|
|
|
app.config.update(
|
2020-11-13 00:20:25 +00:00
|
|
|
LDAP_SERVER=config["host"],
|
|
|
|
|
LDAP_PORT=config["port"],
|
|
|
|
|
LDAP_BINDDN=config["bind_dn"],
|
2020-09-01 23:09:24 +00:00
|
|
|
LDAP_USE_TLS=False,
|
2020-11-13 00:20:25 +00:00
|
|
|
LDAP_USE_SSL=config["use_ssl"],
|
2020-09-01 23:09:24 +00:00
|
|
|
LDAP_TLS_VERSION=ssl.PROTOCOL_TLSv1_2,
|
|
|
|
|
LDAP_REQUIRE_CERT=ssl.CERT_NONE,
|
|
|
|
|
FORCE_ATTRIBUTE_VALUE_AS_LIST=True,
|
2020-08-23 21:58:26 +00:00
|
|
|
)
|
2021-03-07 12:29:43 +00:00
|
|
|
if "secret" in config:
|
|
|
|
|
app.config["LDAP_SECRET"] = config["secret"]
|
2020-08-25 02:36:05 +00:00
|
|
|
self.ldap = LDAPConn(app)
|
2020-11-13 00:20:25 +00:00
|
|
|
self.dn = config["base_dn"]
|
2020-11-14 12:16:30 +00:00
|
|
|
self.default_gid = config["default_gid"]
|
2020-11-16 01:30:24 +00:00
|
|
|
|
2020-10-29 01:07:40 +00:00
|
|
|
# TODO: might not be set if modify is called
|
2020-11-13 00:20:25 +00:00
|
|
|
if "admin_dn" in config:
|
|
|
|
|
self.admin_dn = config["admin_dn"]
|
|
|
|
|
self.admin_secret = config["admin_secret"]
|
|
|
|
|
else:
|
|
|
|
|
self.admin_dn = None
|
2020-08-23 21:58:26 +00:00
|
|
|
|
2020-11-17 23:39:25 +00:00
|
|
|
@after_role_updated
|
|
|
|
|
def _role_updated(role, new_name):
|
|
|
|
|
self.__modify_role(role, new_name)
|
2020-11-16 01:30:24 +00:00
|
|
|
|
2020-08-23 21:58:26 +00:00
|
|
|
def login(self, user, password):
|
|
|
|
|
if not user:
|
|
|
|
|
return False
|
2020-10-18 23:41:54 +00:00
|
|
|
return self.ldap.authenticate(user.userid, password, "uid", self.dn)
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2021-01-19 02:29:26 +00:00
|
|
|
def find_user(self, userid, mail=None):
|
|
|
|
|
attr = self.__find(userid, mail)
|
2021-03-14 14:53:14 +00:00
|
|
|
if attr is not None:
|
2021-01-19 02:29:26 +00:00
|
|
|
user = User(userid=attr["uid"][0])
|
|
|
|
|
self.__update(user, attr)
|
|
|
|
|
return user
|
|
|
|
|
|
2020-09-03 15:56:12 +00:00
|
|
|
def update_user(self, user):
|
2021-01-19 02:29:26 +00:00
|
|
|
attr = self.__find(user.userid)
|
|
|
|
|
self.__update(user, attr)
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-11-12 18:29:24 +00:00
|
|
|
def create_user(self, user, password):
|
2020-11-13 00:20:25 +00:00
|
|
|
if self.admin_dn is None:
|
|
|
|
|
logger.error("admin_dn missing in ldap config!")
|
|
|
|
|
raise InternalServerError
|
|
|
|
|
|
2020-11-12 18:29:24 +00:00
|
|
|
try:
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
|
|
|
|
self.ldap.connection.search(
|
2020-11-14 12:16:30 +00:00
|
|
|
"ou=user,{}".format(self.dn),
|
|
|
|
|
"(uidNumber=*)",
|
|
|
|
|
SUBTREE,
|
|
|
|
|
attributes=["uidNumber"],
|
2020-11-12 18:29:24 +00:00
|
|
|
)
|
2020-11-17 02:28:04 +00:00
|
|
|
uid_number = (
|
|
|
|
|
sorted(self.ldap.response(), key=lambda i: i["attributes"]["uidNumber"], reverse=True,)[0][
|
|
|
|
|
"attributes"
|
|
|
|
|
]["uidNumber"]
|
|
|
|
|
+ 1
|
2020-11-14 12:16:30 +00:00
|
|
|
)
|
|
|
|
|
dn = f"cn={user.firstname} {user.lastname},ou=user,{self.dn}"
|
|
|
|
|
object_class = [
|
|
|
|
|
"inetOrgPerson",
|
|
|
|
|
"posixAccount",
|
|
|
|
|
"person",
|
|
|
|
|
"organizationalPerson",
|
|
|
|
|
]
|
2020-11-12 18:29:24 +00:00
|
|
|
attributes = {
|
2020-11-14 12:16:30 +00:00
|
|
|
"sn": user.firstname,
|
|
|
|
|
"givenName": user.lastname,
|
|
|
|
|
"gidNumber": self.default_gid,
|
|
|
|
|
"homeDirectory": f"/home/{user.userid}",
|
|
|
|
|
"loginShell": "/bin/bash",
|
|
|
|
|
"uid": user.userid,
|
|
|
|
|
"userPassword": hashed(HASHED_SALTED_MD5, password),
|
2020-11-17 02:28:04 +00:00
|
|
|
"uidNumber": uid_number,
|
2020-11-12 18:29:24 +00:00
|
|
|
}
|
2020-11-12 21:47:10 +00:00
|
|
|
ldap_conn.add(dn, object_class, attributes)
|
2020-11-13 00:20:25 +00:00
|
|
|
self._set_roles(user)
|
2020-11-12 18:29:24 +00:00
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
|
|
|
|
|
2020-11-16 01:30:24 +00:00
|
|
|
def modify_user(self, user: User, password=None, new_password=None):
|
|
|
|
|
try:
|
|
|
|
|
dn = user.get_attribute("DN")
|
|
|
|
|
if password:
|
|
|
|
|
ldap_conn = self.ldap.connect(dn, password)
|
|
|
|
|
else:
|
|
|
|
|
if self.admin_dn is None:
|
|
|
|
|
logger.error("admin_dn missing in ldap config!")
|
|
|
|
|
raise InternalServerError
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
|
|
|
|
modifier = {}
|
|
|
|
|
for name, ldap_name in [
|
|
|
|
|
("firstname", "givenName"),
|
|
|
|
|
("lastname", "sn"),
|
|
|
|
|
("mail", "mail"),
|
|
|
|
|
("display_name", "displayName"),
|
|
|
|
|
]:
|
|
|
|
|
if hasattr(user, name):
|
|
|
|
|
modifier[ldap_name] = [(MODIFY_REPLACE, [getattr(user, name)])]
|
|
|
|
|
if new_password:
|
|
|
|
|
# TODO: Use secure hash!
|
|
|
|
|
salted_password = hashed(HASHED_SALTED_MD5, new_password)
|
|
|
|
|
modifier["userPassword"] = [(MODIFY_REPLACE, [salted_password])]
|
|
|
|
|
ldap_conn.modify(dn, modifier)
|
|
|
|
|
self._set_roles(user)
|
|
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
|
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
def get_avatar(self, user):
|
2020-11-16 01:30:24 +00:00
|
|
|
self.ldap.connection.search(
|
|
|
|
|
"ou=user,{}".format(self.dn),
|
|
|
|
|
"(uid={})".format(user.userid),
|
|
|
|
|
SUBTREE,
|
2021-01-27 01:34:04 +00:00
|
|
|
attributes=["jpegPhoto"],
|
2020-11-16 01:30:24 +00:00
|
|
|
)
|
|
|
|
|
r = self.ldap.connection.response[0]["attributes"]
|
2020-11-17 02:28:04 +00:00
|
|
|
|
2021-01-27 01:34:04 +00:00
|
|
|
if "jpegPhoto" in r and len(r["jpegPhoto"]) > 0:
|
2020-11-17 02:28:04 +00:00
|
|
|
avatar = _Avatar()
|
2020-11-16 01:30:24 +00:00
|
|
|
avatar.mimetype = "image/jpeg"
|
|
|
|
|
avatar.binary.extend(r["jpegPhoto"][0])
|
2020-11-17 02:28:04 +00:00
|
|
|
return avatar
|
|
|
|
|
else:
|
|
|
|
|
raise NotFound
|
2020-11-16 01:30:24 +00:00
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
def set_avatar(self, user, avatar: _Avatar):
|
2021-01-18 17:31:13 +00:00
|
|
|
if self.admin_dn is None:
|
|
|
|
|
logger.error("admin_dn missing in ldap config!")
|
|
|
|
|
raise InternalServerError
|
|
|
|
|
|
2020-11-16 01:30:24 +00:00
|
|
|
if avatar.mimetype != "image/jpeg":
|
2020-11-16 12:35:23 +00:00
|
|
|
# Try converting using Pillow (if installed)
|
|
|
|
|
try:
|
|
|
|
|
from PIL import Image
|
2020-11-17 02:28:04 +00:00
|
|
|
|
2020-11-16 12:35:23 +00:00
|
|
|
image = Image.open(io.BytesIO(avatar.binary))
|
|
|
|
|
image_bytes = io.BytesIO()
|
|
|
|
|
image.save(image_bytes, format="JPEG")
|
|
|
|
|
avatar.binary = image_bytes.getvalue()
|
|
|
|
|
avatar.mimetype = "image/jpeg"
|
|
|
|
|
except ImportError:
|
|
|
|
|
logger.debug("Pillow not installed for image conversion")
|
|
|
|
|
raise BadRequest("Unsupported image format")
|
|
|
|
|
except IOError:
|
|
|
|
|
logger.debug(f"Could not convert avatar from '{avatar.mimetype}' to JPEG")
|
|
|
|
|
raise BadRequest("Unsupported image format")
|
|
|
|
|
|
2020-11-16 01:30:24 +00:00
|
|
|
dn = user.get_attribute("DN")
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
|
|
|
|
ldap_conn.modify(dn, {"jpegPhoto": [(MODIFY_REPLACE, [avatar.binary])]})
|
|
|
|
|
|
2021-01-19 02:29:26 +00:00
|
|
|
def __find(self, userid, mail=None):
|
|
|
|
|
"""Find attributes of an user by uid or mail in LDAP"""
|
|
|
|
|
con = self.ldap.connection
|
|
|
|
|
if not con:
|
|
|
|
|
con = self.ldap.connect(self.admin_dn, self.admin_secret)
|
|
|
|
|
con.search(
|
|
|
|
|
f"ou=user,{self.dn}",
|
|
|
|
|
f"(| (uid={userid})(mail={mail}))" if mail else f"(uid={userid})",
|
|
|
|
|
SUBTREE,
|
|
|
|
|
attributes=["uid", "givenName", "sn", "mail"],
|
|
|
|
|
)
|
2021-03-14 14:53:14 +00:00
|
|
|
return con.response[0]["attributes"] if len(con.response) > 0 else None
|
2021-01-19 02:29:26 +00:00
|
|
|
|
|
|
|
|
def __update(self, user, attr):
|
|
|
|
|
"""Update an User object with LDAP attributes"""
|
|
|
|
|
if attr["uid"][0] == user.userid:
|
|
|
|
|
user.set_attribute("DN", self.ldap.connection.response[0]["dn"])
|
|
|
|
|
user.firstname = attr["givenName"][0]
|
|
|
|
|
user.lastname = attr["sn"][0]
|
|
|
|
|
if attr["mail"]:
|
|
|
|
|
user.mail = attr["mail"][0]
|
|
|
|
|
if "displayName" in attr:
|
|
|
|
|
user.display_name = attr["displayName"][0]
|
|
|
|
|
userController.set_roles(user, self._get_groups(user.userid), create=True)
|
|
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
def __modify_role(
|
|
|
|
|
self,
|
2020-11-17 23:39:25 +00:00
|
|
|
role: Role,
|
|
|
|
|
new_name: Optional[str],
|
2020-11-17 02:28:04 +00:00
|
|
|
):
|
|
|
|
|
if self.admin_dn is None:
|
|
|
|
|
logger.error("admin_dn missing in ldap config!")
|
|
|
|
|
raise InternalServerError
|
|
|
|
|
try:
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
2020-11-17 23:39:25 +00:00
|
|
|
ldap_conn.search(f"ou=group,{self.dn}", f"(cn={role.name})", SUBTREE, attributes=["cn"])
|
|
|
|
|
if len(ldap_conn.response) > 0:
|
2020-11-17 02:28:04 +00:00
|
|
|
dn = ldap_conn.response[0]["dn"]
|
2020-11-17 23:39:25 +00:00
|
|
|
if new_name:
|
|
|
|
|
ldap_conn.modify_dn(dn, f"cn={new_name}")
|
2020-11-17 02:28:04 +00:00
|
|
|
else:
|
|
|
|
|
ldap_conn.delete(dn)
|
|
|
|
|
|
|
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
|
|
|
|
|
2020-09-02 11:07:21 +00:00
|
|
|
def _get_groups(self, uid):
|
2020-09-03 22:55:23 +00:00
|
|
|
groups = []
|
|
|
|
|
self.ldap.connection.search(
|
2020-11-14 12:16:30 +00:00
|
|
|
"ou=group,{}".format(self.dn),
|
|
|
|
|
"(memberUID={})".format(uid),
|
|
|
|
|
SUBTREE,
|
|
|
|
|
attributes=["cn"],
|
2020-09-03 22:55:23 +00:00
|
|
|
)
|
|
|
|
|
groups_data = self.ldap.connection.response
|
|
|
|
|
for data in groups_data:
|
|
|
|
|
groups.append(data["attributes"]["cn"][0])
|
|
|
|
|
return groups
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
def _get_all_roles(self):
|
2020-11-14 12:16:30 +00:00
|
|
|
self.ldap.connection.search(
|
|
|
|
|
f"ou=group,{self.dn}",
|
|
|
|
|
"(cn=*)",
|
|
|
|
|
SUBTREE,
|
|
|
|
|
attributes=["cn", "gidNumber", "memberUid"],
|
|
|
|
|
)
|
|
|
|
|
return self.ldap.response()
|
|
|
|
|
|
2020-11-13 00:20:25 +00:00
|
|
|
def _set_roles(self, user: User):
|
2020-11-12 21:47:10 +00:00
|
|
|
try:
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
2020-11-12 22:42:03 +00:00
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
ldap_roles = self._get_all_roles()
|
2020-11-14 12:16:30 +00:00
|
|
|
|
2020-11-15 18:44:49 +00:00
|
|
|
gid_numbers = sorted(ldap_roles, key=lambda i: i["attributes"]["gidNumber"], reverse=True)
|
2020-11-14 12:16:30 +00:00
|
|
|
gid_number = gid_numbers[0]["attributes"]["gidNumber"] + 1
|
2020-11-12 22:42:03 +00:00
|
|
|
|
|
|
|
|
for user_role in user.roles:
|
2020-11-15 18:44:49 +00:00
|
|
|
if user_role not in [role["attributes"]["cn"][0] for role in ldap_roles]:
|
2020-11-14 12:16:30 +00:00
|
|
|
ldap_conn.add(
|
|
|
|
|
f"cn={user_role},ou=group,{self.dn}",
|
|
|
|
|
["posixGroup"],
|
|
|
|
|
attributes={"gidNumber": gid_number},
|
|
|
|
|
)
|
2020-11-12 22:42:03 +00:00
|
|
|
|
2020-11-17 02:28:04 +00:00
|
|
|
ldap_roles = self._get_all_roles()
|
2020-11-12 22:42:03 +00:00
|
|
|
|
2020-11-12 21:47:10 +00:00
|
|
|
for ldap_role in ldap_roles:
|
|
|
|
|
if ldap_role["attributes"]["cn"][0] in user.roles:
|
2020-11-14 12:16:30 +00:00
|
|
|
modify = {"memberUid": [(MODIFY_ADD, [user.userid])]}
|
2020-11-12 21:47:10 +00:00
|
|
|
else:
|
2020-11-14 12:16:30 +00:00
|
|
|
modify = {"memberUid": [(MODIFY_DELETE, [user.userid])]}
|
2020-11-12 22:42:03 +00:00
|
|
|
ldap_conn.modify(ldap_role["dn"], modify)
|
2020-11-12 21:47:10 +00:00
|
|
|
|
2020-11-15 00:21:32 +00:00
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
