habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

*(minor): small refactor

Browse Source
This commit is contained in:
Langhammer, Jens
2019-10-07 16:33:48 +02:00
parent d21ec6c9a5
commit f2acc154cd
300 changed files with 1420 additions and 1788 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
passbook/sources/ldap/__init__.py Normal file
View File

5
passbook/sources/ldap/admin.py Normal file
View File

@ -0,0 +1,5 @@
"""Passbook LDAP Admin"""
from passbook.lib.admin import admin_autoregister
admin_autoregister('passbook_sources_ldap')

11
passbook/sources/ldap/apps.py Normal file
View File

@ -0,0 +1,11 @@
"""Passbook ldap app config"""
from django.apps import AppConfig
class PassbookSourceLDAPConfig(AppConfig):
"""Passbook ldap app config"""
name = 'passbook.sources.ldap'
label = 'passbook_sources_ldap'
verbose_name = 'passbook Sources.LDAP'

23
passbook/sources/ldap/auth.py Normal file
View File

@ -0,0 +1,23 @@
"""passbook LDAP Authentication Backend"""
from django.contrib.auth.backends import ModelBackend
from structlog import get_logger
from passbook.sources.ldap.ldap_connector import LDAPConnector
from passbook.sources.ldap.models import LDAPSource
LOGGER = get_logger()
class LDAPBackend(ModelBackend):
"""Authenticate users against LDAP Server"""
def authenticate(self, **kwargs):
"""Try to authenticate a user via ldap"""
if 'password' not in kwargs:
return None
for source in LDAPSource.objects.filter(enabled=True):
_ldap = LDAPConnector(source)
user = _ldap.auth_user(**kwargs)
if user:
return user
return None

50
passbook/sources/ldap/forms.py Normal file
View File

@ -0,0 +1,50 @@
"""passbook LDAP Forms"""
from django import forms
from django.contrib.admin.widgets import FilteredSelectMultiple
from django.utils.translation import gettext_lazy as _
from passbook.admin.forms.source import SOURCE_FORM_FIELDS
from passbook.core.forms.policies import GENERAL_FIELDS
from passbook.sources.ldap.models import LDAPGroupMembershipPolicy, LDAPSource
class LDAPSourceForm(forms.ModelForm):
"""LDAPSource Form"""
class Meta:
model = LDAPSource
fields = SOURCE_FORM_FIELDS + ['server_uri', 'bind_cn', 'bind_password',
'type', 'domain', 'base_dn', 'create_user',
'reset_password']
widgets = {
'name': forms.TextInput(),
'server_uri': forms.TextInput(),
'bind_cn': forms.TextInput(),
'bind_password': forms.TextInput(),
'domain': forms.TextInput(),
'base_dn': forms.TextInput(),
'policies': FilteredSelectMultiple(_('policies'), False)
}
labels = {
'server_uri': _('Server URI'),
'bind_cn': _('Bind CN'),
'base_dn': _('Base DN'),
}
class LDAPGroupMembershipPolicyForm(forms.ModelForm):
"""LDAPGroupMembershipPolicy Form"""
class Meta:
model = LDAPGroupMembershipPolicy
fields = GENERAL_FIELDS + ['dn', ]
widgets = {
'name': forms.TextInput(),
'dn': forms.TextInput(),
}
labels = {
'dn': _('DN')
}

293
passbook/sources/ldap/ldap_connector.py Normal file
View File

@ -0,0 +1,293 @@
"""Wrapper for ldap3 to easily manage user"""
from time import time
import ldap3
import ldap3.core.exceptions
from structlog import get_logger
from passbook.core.models import User
from passbook.lib.config import CONFIG
from passbook.sources.ldap.models import LDAPSource
LOGGER = get_logger()
USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName')
LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName')
class LDAPConnector:
"""Wrapper for ldap3 to easily manage user authentication and creation"""
_server = None
_connection = None
_source = None
def __init__(self, source: LDAPSource):
self._source = source
if not self._source.enabled:
LOGGER.debug("LDAP not Enabled")
# if not con_args:
# con_args = {}
# if not server_args:
# server_args = {}
# Either use mock argument or test is in argv
# if mock or any('test' in arg for arg in sys.argv):
# self.mock = True
# self.create_users_enabled = True
# con_args['client_strategy'] = ldap3.MOCK_SYNC
# server_args['get_info'] = ldap3.OFFLINE_AD_2012_R2
# if self.mock:
# json_path = os.path.join(os.path.dirname(__file__), 'tests', 'ldap_mock.json')
# self._connection.strategy.entries_from_json(json_path)
self._server = ldap3.Server(source.server_uri) # Implement URI parsing
self._connection = ldap3.Connection(self._server, raise_exceptions=True,
user=source.bind_cn,
password=source.bind_password)
self._connection.bind()
# if CONFIG.y('ldap.server.use_tls'):
# self._connection.start_tls()
# @staticmethod
# def cleanup_mock():
# """Cleanup mock files which are not this PID's"""
# pid = os.getpid()
# json_path = os.path.join(os.path.dirname(__file__), 'test', 'ldap_mock_%d.json' % pid)
# os.unlink(json_path)
# LOGGER.debug("Cleaned up LDAP Mock from PID %d", pid)
# def apply_db(self):
# """Check if any unapplied LDAPModification's are left"""
# to_apply = LDAPModification.objects.filter(_purgeable=False)
# for obj in to_apply:
# try:
# if obj.action == LDAPModification.ACTION_ADD:
# self._connection.add(obj.dn, obj.data)
# elif obj.action == LDAPModification.ACTION_MODIFY:
# self._connection.modify(obj.dn, obj.data)
# # Object has been successfully applied to LDAP
# obj.delete()
# except ldap3.core.exceptions.LDAPException as exc:
# LOGGER.error(exc)
# LOGGER.debug("Recovered %d Modifications from DB.", len(to_apply))
# @staticmethod
# def handle_ldap_error(object_dn, action, data):
# """Custom Handler for LDAP methods to write LDIF to DB"""
# LDAPModification.objects.create(
# dn=object_dn,
# action=action,
# data=data)
# @property
# def enabled(self):
# """Returns whether LDAP is enabled or not"""
# return CONFIG.y('ldap.enabled')
@staticmethod
def encode_pass(password):
"""Encodes a plain-text password so it can be used by AD"""
return '"{}"'.format(password).encode('utf-16-le')
def generate_filter(self, **fields):
"""Generate LDAP filter from **fields."""
filters = []
for item, value in fields.items():
filters.append("(%s=%s)" % (item, value))
ldap_filter = "(&%s)" % "".join(filters)
LOGGER.debug("Constructed filter: '%s'", ldap_filter)
return ldap_filter
def lookup(self, ldap_filter: str):
"""Search email in LDAP and return the DN.
Returns False if nothing was found."""
try:
self._connection.search(self._source.search_base, ldap_filter)
results = self._connection.response
if len(results) >= 1:
if 'dn' in results[0]:
return str(results[0]['dn'])
except ldap3.core.exceptions.LDAPNoSuchObjectResult as exc:
LOGGER.warning(exc)
return False
except ldap3.core.exceptions.LDAPInvalidDnError as exc:
LOGGER.warning(exc)
return False
return False
def _get_or_create_user(self, user_data):
"""Returns a Django user for the given LDAP user data.
If the user does not exist, then it will be created."""
attributes = user_data.get("attributes")
if attributes is None:
LOGGER.warning("LDAP user attributes empty")
return None
# Create the user data.
field_map = {
'username': '%(' + USERNAME_FIELD + ')s',
'name': '%(givenName)s %(sn)s',
'email': '%(mail)s',
}
user_fields = {}
for dj_field, ldap_field in field_map.items():
user_fields[dj_field] = ldap_field % attributes
# Update or create the user.
user, created = User.objects.update_or_create(
defaults=user_fields,
username=user_fields.pop('username', "")
)
# Update groups
# if 'memberOf' in attributes:
# applicable_groups = LDAPGroupMapping.objects.f
# ilter(ldap_dn__in=attributes['memberOf'])
# for group in applicable_groups:
# if group.group not in user.groups.all():
# user.groups.add(group.group)
# user.save()
# If the user was created, set them an unusable password.
if created:
user.set_unusable_password()
user.save()
# All done!
LOGGER.debug("LDAP user lookup succeeded")
return user
def auth_user(self, password, **filters):
"""Try to bind as either user_dn or mail with password.
Returns True on success, otherwise False"""
filters.pop('request')
if not self._source.enabled:
return None
# FIXME: Adapt user_uid
# email = filters.pop(CONFIG.y('passport').get('ldap').get, '')
email = filters.pop('email')
user_dn = self.lookup(self.generate_filter(**{LOGIN_FIELD: email}))
if not user_dn:
return None
# Try to bind as new user
LOGGER.debug("Binding as '%s'", user_dn)
try:
temp_connection = ldap3.Connection(self._server, user=user_dn,
password=password, raise_exceptions=True)
temp_connection.bind()
if self._connection.search(
search_base=self._source.search_base,
search_filter=self.generate_filter(**{LOGIN_FIELD: email}),
search_scope=ldap3.SUBTREE,
attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES],
get_operational_attributes=True,
size_limit=1,
):
response = self._connection.response[0]
# If user has no email set in AD, use UPN
if 'mail' not in response.get('attributes'):
response['attributes']['mail'] = response['attributes']['userPrincipalName']
return self._get_or_create_user(response)
LOGGER.warning("LDAP user lookup failed")
return None
except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
LOGGER.debug("User '%s' failed to login (Wrong credentials)", user_dn)
except ldap3.core.exceptions.LDAPException as exception:
LOGGER.warning(exception)
return None
def is_email_used(self, mail):
"""Checks whether an email address is already registered in LDAP"""
if self._source.create_user:
return self.lookup(self.generate_filter(mail=mail))
return False
def create_ldap_user(self, user, raw_password):
"""Creates a new LDAP User from a django user and raw_password.
Returns True on success, otherwise False"""
if self._source.create_user:
LOGGER.debug("User creation not enabled")
return False
# The dn of our new entry/object
username = user.pk.hex # UUID without dashes
# sAMAccountName is limited to 20 chars
# https://msdn.microsoft.com/en-us/library/ms679635.aspx
username_trunk = username[:20] if len(username) > 20 else username
# AD doesn't like sAMAccountName's with . at the end
username_trunk = username_trunk[:-1] if username_trunk[-1] == '.' else username_trunk
user_dn = 'cn=' + username + ',' + self._source.search_base
LOGGER.debug('New DN: %s', user_dn)
attrs = {
'distinguishedName': str(user_dn),
'cn': str(username),
'description': 't=' + str(time()),
'sAMAccountName': str(username_trunk),
'givenName': str(user.name),
'displayName': str(user.username),
'name': str(user.name),
'mail': str(user.email),
'userPrincipalName': str(username + '@' + self._source.domain),
'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
}
try:
self._connection.add(user_dn, attributes=attrs)
except ldap3.core.exceptions.LDAPException as exception:
LOGGER.warning("Failed to create user ('%s'), saved to DB", exception)
# LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_ADD, attrs)
LOGGER.debug("Signed up user %s", user.email)
return self.change_password(raw_password, mail=user.email)
def _do_modify(self, diff, **fields):
"""Do the LDAP modification itself"""
user_dn = self.lookup(self.generate_filter(**fields))
try:
self._connection.modify(user_dn, diff)
except ldap3.core.exceptions.LDAPException as exception:
LOGGER.warning("Failed to modify %s ('%s'), saved to DB", user_dn, exception)
# LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff)
LOGGER.debug("modified account '%s' [%s]", user_dn, ','.join(diff.keys()))
return 'result' in self._connection.result and self._connection.result['result'] == 0
def disable_user(self, **fields):
"""Disables LDAP user based on mail or user_dn.
Returns True on success, otherwise False"""
diff = {
'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66050)])],
}
return self._do_modify(diff, **fields)
def enable_user(self, **fields):
"""Enables LDAP user based on mail or user_dn.
Returns True on success, otherwise False"""
diff = {
'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66048)])],
}
return self._do_modify(diff, **fields)
def change_password(self, new_password, **fields):
"""Changes LDAP user's password based on mail or user_dn.
Returns True on success, otherwise False"""
diff = {
'unicodePwd': [(ldap3.MODIFY_REPLACE, [LDAPConnector.encode_pass(new_password)])],
}
return self._do_modify(diff, **fields)
def add_to_group(self, group_dn, **fields):
"""Adds mail or user_dn to group_dn
Returns True on success, otherwise False"""
user_dn = self.lookup(**fields)
diff = {
'member': [(ldap3.MODIFY_ADD), [user_dn]]
}
return self._do_modify(diff, user_dn=group_dn)
def remove_from_group(self, group_dn, **fields):
"""Removes mail or user_dn from group_dn
Returns True on success, otherwise False"""
user_dn = self.lookup(**fields)
diff = {
'member': [(ldap3.MODIFY_DELETE), [user_dn]]
}
return self._do_modify(diff, user_dn=group_dn)

48
passbook/sources/ldap/migrations/0001_initial.py Normal file
View File

@ -0,0 +1,48 @@
# Generated by Django 2.2.6 on 2019-10-07 14:07
import django.db.models.deletion
from django.db import migrations, models
class Migration(migrations.Migration):
initial = True
dependencies = [
('passbook_core', '0001_initial'),
]
operations = [
migrations.CreateModel(
name='LDAPSource',
fields=[
('source_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Source')),
('server_uri', models.TextField()),
('bind_cn', models.TextField()),
('bind_password', models.TextField()),
('type', models.CharField(choices=[('ad', 'Active Directory'), ('generic', 'Generic')], max_length=20)),
('domain', models.TextField()),
('base_dn', models.TextField()),
('create_user', models.BooleanField(default=False)),
('reset_password', models.BooleanField(default=True)),
],
options={
'verbose_name': 'LDAP Source',
'verbose_name_plural': 'LDAP Sources',
},
bases=('passbook_core.source',),
),
migrations.CreateModel(
name='LDAPGroupMembershipPolicy',
fields=[
('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
('dn', models.TextField()),
('source', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='passbook_sources_ldap.LDAPSource')),
],
options={
'verbose_name': 'LDAP Group Membership Policy',
'verbose_name_plural': 'LDAP Group Membership Policys',
},
bases=('passbook_core.policy',),
),
]

0
passbook/sources/ldap/migrations/__init__.py Normal file
View File

55
passbook/sources/ldap/models.py Normal file
View File

@ -0,0 +1,55 @@
"""passbook LDAP Models"""
from django.db import models
from django.utils.translation import gettext as _
from passbook.core.models import Policy, Source, User
class LDAPSource(Source):
"""LDAP Authentication source"""
TYPE_ACTIVE_DIRECTORY = 'ad'
TYPE_GENERIC = 'generic'
TYPES = (
(TYPE_ACTIVE_DIRECTORY, _('Active Directory')),
(TYPE_GENERIC, _('Generic')),
)
server_uri = models.TextField()
bind_cn = models.TextField()
bind_password = models.TextField()
type = models.CharField(max_length=20, choices=TYPES)
domain = models.TextField()
base_dn = models.TextField()
create_user = models.BooleanField(default=False)
reset_password = models.BooleanField(default=True)
form = 'passbook.sources.ldap.forms.LDAPSourceForm'
@property
def get_login_button(self):
raise NotImplementedError()
class Meta:
verbose_name = _('LDAP Source')
verbose_name_plural = _('LDAP Sources')
class LDAPGroupMembershipPolicy(Policy):
"""Policy to check if a user is in a certain LDAP Group"""
dn = models.TextField()
source = models.ForeignKey('LDAPSource', on_delete=models.CASCADE)
form = 'passbook.sources.ldap.forms.LDAPGroupMembershipPolicyForm'
def passes(self, user: User):
"""Check if user instance passes this policy"""
raise NotImplementedError()
class Meta:
verbose_name = _('LDAP Group Membership Policy')
verbose_name_plural = _('LDAP Group Membership Policys')

5
passbook/sources/ldap/settings.py Normal file
View File

@ -0,0 +1,5 @@
"""LDAP Settings"""
AUTHENTICATION_BACKENDS = [
'passbook.sources.ldap.auth.LDAPBackend',
]

33
passbook/sources/ldap/templates/ldap/settings.html Normal file
View File

@ -0,0 +1,33 @@
{% extends "_admin/module_default.html" %}
{% load i18n %}
{% load utils %}
{% block title %}
{% title "Settings" %}
{% endblock %}
{% block module_content %}
<h2><clr-icon shape="application" size="32"></clr-icon>{% trans 'LDAP connection' %}</h2>
<div class="row">
<div class="col-md-12">
<div class="card">
<form role="form" method="POST">
<div class="card-block">
<h3><clr-icon shape="cog" size="32"></clr-icon>{% trans 'General settings' %}</h3>
{% include 'partials/form.html' with form=general %}
<h3><clr-icon shape="connect" size="32"></clr-icon>{% trans 'Connection settings' %}</h3>
{% include 'partials/form.html' with form=connection %}
<h3><clr-icon shape="certificate" size="32"></clr-icon>{% trans 'Authentication backend ' %}</h3>
{% include 'partials/form.html' with form=authentication %}
<h3><clr-icon shape="users" size="32"></clr-icon>{% trans 'Create users settings' %}</h3>
{% include 'partials/form.html' with form=create_users %}
</div>
<div class="card-footer">
<button type="submit" value="general" class="btn btn-sm btn-primary">{% trans 'Update' %}</button>
</div>
</form>
</div>
</div>
</div>
{% endblock %}

9
passbook/sources/ldap/urls.py Normal file
View File

@ -0,0 +1,9 @@
# """passbook LDAP Urls"""
# from django.conf.urls import url
# from passbook.mod.auth.ldap import views
# urlpatterns = [
# url(r'^settings/$', views.admin_settings, name='admin_settings'),
# ]

38
passbook/sources/ldap/views.py Normal file
View File

@ -0,0 +1,38 @@
# """passbook LDAP Views"""
# from django.contrib import messages
# from django.contrib.auth.decorators import login_required, user_passes_test
# from django.http import HttpRequest, HttpResponse
# from django.shortcuts import redirect, render
# from django.urls import reverse
# from django.utils.translation import ugettext as _
# from passbook.sources.ldap.forms import (AuthenticationBackendSettings,
# ConnectionSettings,
# CreateUsersSettings,
# GeneralSettingsForm)
# @login_required
# @user_passes_test(lambda u: u.is_superuser)
# def admin_settings(request: HttpRequest) -> HttpResponse:
# """Default view for modules without admin view"""
# form_classes = {
# 'general': GeneralSettingsForm,
# 'connection': ConnectionSettings,
# 'authentication': AuthenticationBackendSettings,
# 'create_users': CreateUsersSettings,
# }
# render_data = {}
# for form_key, form_class in form_classes.items():
# render_data[form_key] = form_class(request.POST if request.method == 'POST' else None)
# if request.method == 'POST':
# update_count = 0
# for form_key, form_class in form_classes.items():
# form = form_class(request.POST)
# if form.is_valid():
# update_count += form.save()
# messages.success(request, _('Successfully updated %d settings.' % update_count))
# return redirect(reverse('passbook_ldap:admin_settings'))
# return render(request, 'ldap/settings.html', render_data)