ldapcherry/ldapcherry/backend/backendLdap.py

# -*- coding: utf-8 -*-
# vim:set expandtab tabstop=4 shiftwidth=4:
#
# The MIT License (MIT)
# LdapCherry
# Copyright (c) 2014 Carpentier Pierre-Francois

import cherrypy
import ldap
import ldap.modlist as modlist
import logging
import ldapcherry.backend
import re

class DelUserDontExists(Exception):
    def __init__(self, user):
        self.user = user
        self.log = "cannot remove user, user <%(user)s> does not exist" % { 'user' : user}


class Backend(ldapcherry.backend.Backend):

    def __init__(self, config, logger, name, attrslist):
        self.config = config
        self._logger = logger
        self.backend_name = name
        self.binddn = self.get_param('binddn')
        self.bindpassword = self.get_param('password')
        self.ca = self.get_param('ca', False)
        self.checkcert = self.get_param('checkcert', 'on')
        self.starttls = self.get_param('starttls', 'off')
        self.uri = self.get_param('uri')
        self.timeout = self.get_param('timeout', 1)
        self.userdn = self.get_param('userdn')
        self.groupdn = self.get_param('groupdn')
        self.user_filter_tmpl = self.get_param('user_filter_tmpl')
        self.group_filter_tmpl = self.get_param('group_filter_tmpl')
        self.search_filter_tmpl = self.get_param('search_filter_tmpl')
        self.dn_user_attr = self.get_param('dn_user_attr')
        self.objectclasses = []
        for o in re.split('\W+', self.get_param('objectclasses')):
            self.objectclasses.append(self._str(o))

        self.attrlist = []
        for a in attrslist:
            self.attrlist.append(self._str(a))

    def _str(self, s):
            try:
                return str(s)
            except UnicodeEncodeError:
                return unicode(s).encode('unicode_escape')

    def auth(self, username, password):

        binddn = self._get_user(username, False)
        if not binddn is None:
            ldap_client = self._connect()
            try:
                ldap_client.simple_bind_s(binddn, password)
            except ldap.INVALID_CREDENTIALS:
                ldap_client.unbind_s()
                return False
            ldap_client.unbind_s()
            return True
        else:
            return False

    def add_to_group(self):
        pass

    def set_attrs(self, attrs):
        pass

    def rm_from_group(self,username):
        pass

    def add_user(self, attrs):
        ldap_client = self._bind()
        attrs_str = {}
        for a in attrs:
            attrs_str[self._str(a)] = self._str(attrs[a])
        attrs_str['objectClass'] = self.objectclasses
        dn = self.dn_user_attr + '=' + attrs[self.dn_user_attr] + ',' + self.userdn
        ldif = modlist.addModlist(attrs_str)
        try:
            ldap_client.add_s(dn,ldif)
        except ldap.OBJECT_CLASS_VIOLATION as e:
            info = e[0]['info']
            desc = e[0]['desc']
            self._logger(
                    logging.ERROR,
                    "Configuration error, " + desc + ", " + info,
                )
            raise e
        except ldap.INSUFFICIENT_ACCESS as e:
            info = e[0]['info']
            desc = e[0]['desc']
            self._logger(
                    logging.ERROR,
                    "Access error, " + desc + ", " + info,
                )
            raise e
        except ldap.ALREADY_EXISTS as e:
            desc = e[0]['desc']
            self._logger(
                    logging.ERROR,
                    "adding user failed, " + desc,
                )
            raise e

    def del_user(self, username):
        ldap_client = self._bind()
        dn = self._get_user(username, False)
        if not dn is None:
            ldap_client.delete_s(dn)
        else:
            raise DelUserDontExists(username)

    def _bind(self):
        ldap_client = self._connect()
        try:
            ldap_client.simple_bind_s(self.binddn, self.bindpassword)
        except ldap.INVALID_CREDENTIALS as e:
            self._logger(
                    logging.ERROR,
                    "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
                )
            ldap_client.unbind_s()
            raise e
        except ldap.SERVER_DOWN as e:
            self._logger(
                    logging.ERROR,
                    "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
                )
            ldap_client.unbind_s()
            raise e 
        return ldap_client


    def _search(self, searchfilter, attrs):
        ldap_client = self._bind()
        try:
            r = ldap_client.search_s(self.userdn,
                    ldap.SCOPE_SUBTREE,
                    searchfilter,
                    attrlist=attrs
            )
        except ldap.FILTER_ERROR as e:
            self._logger(
                    logging.ERROR,
                    "Bad search filter, check '" + self.backend_name + ".*_filter_tmpl' params",
                )
            ldap_client.unbind_s()
            raise e

        ldap_client.unbind_s()
        return r


    def search(self, searchstring):

        searchfilter = self.search_filter_tmpl % {
            'searchstring': searchstring
        }

        return self._search(searchfilter, None)

    def get_user(self, username):
        ret = {}
        attrs_tmp = self._get_user(username)[1]
        for attr in attrs_tmp: 
            value_tmp = attrs_tmp[attr]
            if len(value_tmp) == 1:
                ret[attr] = value_tmp[0]
            else:
                ret[attr] = value_tmp
        return ret 

    def _get_user(self, username, attrs=True):
        if attrs:
            a = self.attrlist
        else:
            a = None

        user_filter = self.user_filter_tmpl % {
            'username': username
        }

        r = self._search(user_filter, a)

        if len(r) == 0:
            return None

        if attrs:
            dn_entry = r[0]
        else:
            dn_entry = r[0][0]
        return dn_entry

    def _connect(self):
        ldap_client = ldap.initialize(self.uri)
        ldap_client.set_option(ldap.OPT_REFERRALS, 0)
        ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)
        if self.starttls == 'on':
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
        else:
            ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
        if self.ca and self.checkcert == 'on':
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
        #else:
        #    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
        if self.checkcert == 'off':
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
        else:
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
        if self.starttls == 'on': 
            try:
                ldap_client.start_tls_s()
            except ldap.OPERATIONS_ERROR as e:
                self._logger(
                    logging.ERROR,
                    "cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",
                )
                raise e
                #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
        return ldap_client
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`# -- coding: utf-8 --`
			`# vim:set expandtab tabstop=4 shiftwidth=4:`
			`#`
			`# The MIT License (MIT)`
			`# LdapCherry`
			`# Copyright (c) 2014 Carpentier Pierre-Francois`

begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`import cherrypy`
			`import ldap`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`import ldap.modlist as modlist`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`import logging`
implementing loading backends * fix conf file * add exceptions * fix modules skeletons 2015-05-20 14:21:43 +02:00			`import ldapcherry.backend`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`import re`

			`class DelUserDontExists(Exception):`
			`def __init__(self, user):`
			`self.user = user`
			`self.log = "cannot remove user, user <%(user)s> does not exist" % { 'user' : user}`

implementing loading backends * fix conf file * add exceptions * fix modules skeletons 2015-05-20 14:21:43 +02:00
adding skeleton for most files 2015-04-15 21:13:14 +02:00			`class Backend(ldapcherry.backend.Backend):`

add passing attributes list to backend 2015-05-22 10:27:46 +02:00			`def __init__(self, config, logger, name, attrslist):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self.config = config`
fix backend name (collision with libraries name) 2015-05-21 08:52:06 +02:00			`self._logger = logger`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`self.backend_name = name`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.binddn = self.get_param('binddn')`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.bindpassword = self.get_param('password')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.ca = self.get_param('ca', False)`
			`self.checkcert = self.get_param('checkcert', 'on')`
			`self.starttls = self.get_param('starttls', 'off')`
			`self.uri = self.get_param('uri')`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`self.timeout = self.get_param('timeout', 1)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`self.userdn = self.get_param('userdn')`
			`self.groupdn = self.get_param('groupdn')`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`self.user_filter_tmpl = self.get_param('user_filter_tmpl')`
adding search template 2015-05-25 18:52:14 +02:00			`self.group_filter_tmpl = self.get_param('group_filter_tmpl')`
			`self.search_filter_tmpl = self.get_param('search_filter_tmpl')`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`self.dn_user_attr = self.get_param('dn_user_attr')`
			`self.objectclasses = []`
			`for o in re.split('\W+', self.get_param('objectclasses')):`
			`self.objectclasses.append(self._str(o))`

multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`self.attrlist = []`
			`for a in attrslist:`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`self.attrlist.append(self._str(a))`

			`def _str(self, s):`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`try:`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`return str(s)`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`except UnicodeEncodeError:`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`return unicode(s).encode('unicode_escape')`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def auth(self, username, password):`

reimplement get_user in ldap backend 2015-05-26 22:50:42 +02:00			`binddn = self._get_user(username, False)`
more logical return for get_user 2015-05-24 15:11:49 +02:00			`if not binddn is None:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(binddn, password)`
			`except ldap.INVALID_CREDENTIALS:`
			`ldap_client.unbind_s()`
			`return False`
			`ldap_client.unbind_s()`
			`return True`
			`else:`
			`return False`

			`def add_to_group(self):`
			`pass`

			`def set_attrs(self, attrs):`
			`pass`

fix method arguments 2015-05-24 15:20:17 +02:00			`def rm_from_group(self,username):`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`pass`

adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`def add_user(self, attrs):`
			`ldap_client = self._bind()`
			`attrs_str = {}`
			`for a in attrs:`
			`attrs_str[self._str(a)] = self._str(attrs[a])`
			`attrs_str['objectClass'] = self.objectclasses`
			`dn = self.dn_user_attr + '=' + attrs[self.dn_user_attr] + ',' + self.userdn`
			`ldif = modlist.addModlist(attrs_str)`
			`try:`
			`ldap_client.add_s(dn,ldif)`
			`except ldap.OBJECT_CLASS_VIOLATION as e:`
			`info = e[0]['info']`
			`desc = e[0]['desc']`
			`self._logger(`
			`logging.ERROR,`
			`"Configuration error, " + desc + ", " + info,`
			`)`
			`raise e`
			`except ldap.INSUFFICIENT_ACCESS as e:`
			`info = e[0]['info']`
			`desc = e[0]['desc']`
			`self._logger(`
			`logging.ERROR,`
			`"Access error, " + desc + ", " + info,`
			`)`
			`raise e`
			`except ldap.ALREADY_EXISTS as e:`
			`desc = e[0]['desc']`
			`self._logger(`
			`logging.ERROR,`
			`"adding user failed, " + desc,`
			`)`
			`raise e`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
			`def del_user(self, username):`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`ldap_client = self._bind()`
reimplement get_user in ldap backend 2015-05-26 22:50:42 +02:00			`dn = self._get_user(username, False)`
adding methods add_user and del_user * adding add_user * adding del_user * adding unit tests * adding configuration parameters for adding users 2015-05-26 00:33:36 +02:00			`if not dn is None:`
			`ldap_client.delete_s(dn)`
			`else:`
			`raise DelUserDontExists(username)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`def _bind(self):`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`ldap_client = self._connect()`
			`try:`
			`ldap_client.simple_bind_s(self.binddn, self.bindpassword)`
			`except ldap.INVALID_CREDENTIALS as e:`
			`self._logger(`
			`logging.ERROR,`
			`"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",`
			`)`
code factoring 2015-05-25 19:52:54 +02:00			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
			`except ldap.SERVER_DOWN as e:`
			`self._logger(`
			`logging.ERROR,`
			`"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",`
			`)`
code factoring 2015-05-25 19:52:54 +02:00			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`return ldap_client`

implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00
factoring binding to the ldap 2015-05-25 22:17:17 +02:00			`def _search(self, searchfilter, attrs):`
			`ldap_client = self._bind()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`try:`
			`r = ldap_client.search_s(self.userdn,`
			`ldap.SCOPE_SUBTREE,`
code factoring 2015-05-25 19:52:54 +02:00			`searchfilter,`
			`attrlist=attrs`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`)`
			`except ldap.FILTER_ERROR as e:`
code factoring 2015-05-25 19:52:54 +02:00			`self._logger(`
			`logging.ERROR,`
			`"Bad search filter, check '" + self.backend_name + ".*_filter_tmpl' params",`
			`)`
			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`raise e`
code factoring 2015-05-25 19:52:54 +02:00
			`ldap_client.unbind_s()`
implementing search users * adding search * adding unit tests 2015-05-25 19:30:41 +02:00			`return r`
adding skeleton of method search user 2015-05-24 17:32:03 +02:00
code factoring 2015-05-25 19:52:54 +02:00
			`def search(self, searchstring):`

			`searchfilter = self.search_filter_tmpl % {`
			`'searchstring': searchstring`
			`}`

			`return self._search(searchfilter, None)`

reimplement get_user in ldap backend 2015-05-26 22:50:42 +02:00			`def get_user(self, username):`
			`ret = {}`
			`attrs_tmp = self._get_user(username)[1]`
			`for attr in attrs_tmp:`
			`value_tmp = attrs_tmp[attr]`
			`if len(value_tmp) == 1:`
			`ret[attr] = value_tmp[0]`
			`else:`
			`ret[attr] = value_tmp`
			`return ret`

			`def _get_user(self, username, attrs=True):`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`if attrs:`
			`a = self.attrlist`
			`else:`
			`a = None`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`user_filter = self.user_filter_tmpl % {`
			`'username': username`
			`}`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
code factoring 2015-05-25 19:52:54 +02:00			`r = self._search(user_filter, a)`

begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`if len(r) == 0:`
more logical return for get_user 2015-05-24 15:11:49 +02:00			`return None`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`if attrs:`
			`dn_entry = r[0]`
			`else:`
			`dn_entry = r[0][0]`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`return dn_entry`

			`def _connect(self):`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap_client = ldap.initialize(self.uri)`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap_client.set_option(ldap.OPT_REFERRALS, 0)`
multiple changes * implemeting recover user attributes * adding a unit test for unavailable ldap * adding a parameter timeout to set the ldap timeout connexion 2015-05-22 20:05:24 +02:00			`ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)`
			`if self.ca and self.checkcert == 'on':`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)`
many fixes in unit tests + fix in params + fix in constant Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined) 2015-05-22 01:16:53 +02:00			`#else:`
			`# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`if self.checkcert == 'off':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)`
			`else:`
			`ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)`
multiple changes * change parameters name for Backend Ldap * fix default value handling in backends get_param * correct exception in backends get_param * fix syntaxe error * add backend name in test_BackendLdap.py 2015-05-21 21:40:13 +02:00			`if self.starttls == 'on':`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`try:`
			`ldap_client.start_tls_s()`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`except ldap.OPERATIONS_ERROR as e:`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`self._logger(`
			`logging.ERROR,`
correct the way variables are recovered by ldap backend 2015-05-21 19:55:11 +02:00			`"cannot use starttls with ldaps:// uri (uri: " + self.uri + ")",`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`)`
adding close connexion and exception handling 2015-05-22 01:48:27 +02:00			`raise e`
			`#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")`
begin ldap backend implementation 2015-05-20 17:13:18 +02:00			`return ldap_client`