2020-10-30 03:05:59 +00:00
|
|
|
"""LDAP Authentication Provider Plugin"""
|
|
|
|
|
|
2020-10-15 19:58:56 +00:00
|
|
|
import ssl
|
2020-09-03 22:55:23 +00:00
|
|
|
from ldap3.utils.hashed import hashed
|
2020-10-29 01:07:40 +00:00
|
|
|
from ldap3 import SUBTREE, MODIFY_REPLACE, HASHED_SALTED_MD5
|
2020-10-15 19:58:56 +00:00
|
|
|
from ldap3.core.exceptions import LDAPPasswordIsMandatoryError, LDAPBindError
|
2020-08-23 21:58:26 +00:00
|
|
|
from flask import current_app as app
|
2020-08-25 02:36:05 +00:00
|
|
|
from flask_ldapconn import LDAPConn
|
2020-10-15 19:58:56 +00:00
|
|
|
from werkzeug.exceptions import BadRequest
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-10-30 02:30:46 +00:00
|
|
|
from flaschengeist.plugins import AuthPlugin
|
|
|
|
|
from flaschengeist.models.user import User
|
|
|
|
|
import flaschengeist.controller.userController as userController
|
2020-09-03 22:55:23 +00:00
|
|
|
|
2020-09-01 23:09:24 +00:00
|
|
|
|
2020-10-15 19:58:56 +00:00
|
|
|
class AuthLDAP(AuthPlugin):
|
2020-10-28 13:21:20 +00:00
|
|
|
def __init__(self, cfg):
|
2020-10-15 19:58:56 +00:00
|
|
|
super().__init__()
|
2020-08-23 21:58:26 +00:00
|
|
|
|
2020-10-28 13:21:20 +00:00
|
|
|
config = {"PORT": 389, "USE_SSL": False}
|
|
|
|
|
config.update(cfg)
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-08-23 21:58:26 +00:00
|
|
|
app.config.update(
|
2020-09-01 23:09:24 +00:00
|
|
|
LDAP_SERVER=config["URL"],
|
2020-10-28 13:21:20 +00:00
|
|
|
LDAP_PORT=config["PORT"],
|
2020-09-01 23:09:24 +00:00
|
|
|
LDAP_BINDDN=config["BINDDN"],
|
|
|
|
|
LDAP_USE_TLS=False,
|
2020-10-28 13:21:20 +00:00
|
|
|
LDAP_USE_SSL=config["USE_SSL"],
|
2020-09-01 23:09:24 +00:00
|
|
|
LDAP_TLS_VERSION=ssl.PROTOCOL_TLSv1_2,
|
|
|
|
|
LDAP_REQUIRE_CERT=ssl.CERT_NONE,
|
|
|
|
|
FORCE_ATTRIBUTE_VALUE_AS_LIST=True,
|
2020-08-23 21:58:26 +00:00
|
|
|
)
|
2020-08-25 02:36:05 +00:00
|
|
|
if "SECRET" in config:
|
|
|
|
|
app.config["LDAP_SECRET"] = (config["SECRET"],)
|
|
|
|
|
self.ldap = LDAPConn(app)
|
|
|
|
|
self.dn = config["BASEDN"]
|
2020-10-29 01:07:40 +00:00
|
|
|
# TODO: might not be set if modify is called
|
2020-10-28 13:21:20 +00:00
|
|
|
if "ADMIN_DN" in config:
|
|
|
|
|
self.admin_dn = config["ADMIN_DN"]
|
|
|
|
|
self.admin_secret = config["ADMIN_SECRET"]
|
2020-08-23 21:58:26 +00:00
|
|
|
|
|
|
|
|
def login(self, user, password):
|
|
|
|
|
if not user:
|
|
|
|
|
return False
|
2020-10-18 23:41:54 +00:00
|
|
|
return self.ldap.authenticate(user.userid, password, "uid", self.dn)
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-09-03 15:56:12 +00:00
|
|
|
def update_user(self, user):
|
2020-09-01 23:09:24 +00:00
|
|
|
self.ldap.connection.search(
|
|
|
|
|
"ou=user,{}".format(self.dn),
|
2020-10-18 23:41:54 +00:00
|
|
|
"(uid={})".format(user.userid),
|
2020-09-01 23:09:24 +00:00
|
|
|
SUBTREE,
|
|
|
|
|
attributes=["uid", "givenName", "sn", "mail"],
|
|
|
|
|
)
|
2020-08-25 02:36:05 +00:00
|
|
|
r = self.ldap.connection.response[0]["attributes"]
|
2020-10-18 23:41:54 +00:00
|
|
|
if r["uid"][0] == user.userid:
|
2020-09-02 11:07:21 +00:00
|
|
|
user.set_attribute("DN", self.ldap.connection.response[0]["dn"])
|
2020-08-25 02:36:05 +00:00
|
|
|
user.firstname = r["givenName"][0]
|
|
|
|
|
user.lastname = r["sn"][0]
|
|
|
|
|
if r["mail"]:
|
|
|
|
|
user.mail = r["mail"][0]
|
|
|
|
|
if "displayName" in r:
|
2020-09-02 11:07:21 +00:00
|
|
|
user.display_name = r["displayName"][0]
|
2020-11-12 15:58:40 +00:00
|
|
|
userController.set_roles(user, self._get_groups(user.userid), create=True)
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-11-12 18:29:24 +00:00
|
|
|
def create_user(self, user, password):
|
|
|
|
|
try:
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
|
|
|
|
self.ldap.connection.search(
|
|
|
|
|
"ou=user,{}".format(self.dn), "(uidNumber=*)", SUBTREE, attributes=["uidNumber"]
|
|
|
|
|
)
|
|
|
|
|
uidNumbers = sorted(self.ldap.response(), key = lambda i: i['attributes']['uidNumber'], reverse=True)
|
|
|
|
|
uidNumber = uidNumbers[0]['attributes']['uidNumber'] + 1
|
|
|
|
|
dn = f'cn={user.firstname} {user.lastname},ou=user,{self.dn}'
|
|
|
|
|
object_class = ['inetOrgPerson', 'posixAccount', 'person', 'organizationalPerson']
|
|
|
|
|
attributes = {
|
|
|
|
|
'sn': user.firstname,
|
|
|
|
|
'givenName': user.lastname,
|
|
|
|
|
'gidNumber': 15000,
|
|
|
|
|
'homeDirectory': f'/home/{user.userid}',
|
|
|
|
|
'loginShell': '/bin/bash',
|
|
|
|
|
'uid': user.userid,
|
|
|
|
|
'userPassword': hashed(HASHED_SALTED_MD5, password),
|
|
|
|
|
'uidNumber': uidNumber
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
test = ldap_conn.add(dn, object_class, attributes)
|
|
|
|
|
print(test)
|
|
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
|
|
|
|
except Exception as e:
|
|
|
|
|
pass
|
|
|
|
|
|
2020-09-02 11:07:21 +00:00
|
|
|
def _get_groups(self, uid):
|
2020-09-03 22:55:23 +00:00
|
|
|
groups = []
|
|
|
|
|
|
|
|
|
|
self.ldap.connection.search(
|
|
|
|
|
"ou=user,{}".format(self.dn), "(uid={})".format(uid), SUBTREE, attributes=["gidNumber"]
|
|
|
|
|
)
|
2020-11-12 18:29:24 +00:00
|
|
|
|
|
|
|
|
# Maingroup ist uninteressant
|
|
|
|
|
|
|
|
|
|
#main_group_number = self.ldap.connection.response[0]["attributes"]["gidNumber"]
|
|
|
|
|
#if main_group_number:
|
|
|
|
|
# if type(main_group_number) is list:
|
|
|
|
|
# main_group_number = main_group_number[0]
|
|
|
|
|
# self.ldap.connection.search(
|
|
|
|
|
# "ou=group,{}".format(self.dn), "(gidNumber={})".format(main_group_number), attributes=["cn"]
|
|
|
|
|
# )
|
|
|
|
|
# groups.append(self.ldap.connection.response[0]["attributes"]["cn"][0])
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-09-03 22:55:23 +00:00
|
|
|
self.ldap.connection.search(
|
|
|
|
|
"ou=group,{}".format(self.dn), "(memberUID={})".format(uid), SUBTREE, attributes=["cn"]
|
|
|
|
|
)
|
|
|
|
|
groups_data = self.ldap.connection.response
|
|
|
|
|
for data in groups_data:
|
|
|
|
|
groups.append(data["attributes"]["cn"][0])
|
|
|
|
|
return groups
|
2020-08-25 02:36:05 +00:00
|
|
|
|
2020-09-03 22:55:23 +00:00
|
|
|
def modify_user(self, user: User, password, new_password=None):
|
|
|
|
|
try:
|
2020-10-27 12:36:23 +00:00
|
|
|
dn = user.get_attribute("DN")
|
2020-10-24 18:09:45 +00:00
|
|
|
if password:
|
|
|
|
|
ldap_conn = self.ldap.connect(dn, password)
|
|
|
|
|
else:
|
|
|
|
|
ldap_conn = self.ldap.connect(self.admin_dn, self.admin_secret)
|
2020-09-03 23:01:00 +00:00
|
|
|
modifier = {}
|
|
|
|
|
for name, ldap_name in [
|
|
|
|
|
("firstname", "givenName"),
|
|
|
|
|
("lastname", "sn"),
|
|
|
|
|
("mail", "mail"),
|
|
|
|
|
("display_name", "displayName"),
|
|
|
|
|
]:
|
2020-10-24 18:09:45 +00:00
|
|
|
if hasattr(user, name):
|
2020-09-03 23:01:00 +00:00
|
|
|
modifier[ldap_name] = [(MODIFY_REPLACE, [getattr(user, name)])]
|
2020-09-03 22:55:23 +00:00
|
|
|
if new_password:
|
2020-10-28 19:30:21 +00:00
|
|
|
# TODO: Use secure hash!
|
|
|
|
|
salted_password = hashed(HASHED_SALTED_MD5, new_password)
|
2020-09-03 22:55:23 +00:00
|
|
|
modifier["userPassword"] = [(MODIFY_REPLACE, [salted_password])]
|
2020-09-03 23:01:00 +00:00
|
|
|
ldap_conn.modify(dn, modifier)
|
2020-09-03 22:55:23 +00:00
|
|
|
except (LDAPPasswordIsMandatoryError, LDAPBindError):
|
|
|
|
|
raise BadRequest
|
