new release: 0.6.6-beta

LDAP rewrite

See merge request BeryJu.org/passbook!28

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 0.6.4-beta
+current_version = 0.6.6-beta
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.gitlab-ci.yml

@@ -27,7 +27,7 @@ create-base-image:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/base.Dockerfile --destination docker.beryju.org/passbook/base:latest --destination docker.beryju.org/passbook/base:0.6.4-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/base.Dockerfile --destination docker.beryju.org/passbook/base:latest
   stage: build-base-image
   only:
     refs:
@@ -41,7 +41,7 @@ build-dev-image:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/dev.Dockerfile --destination docker.beryju.org/passbook/dev:latest --destination docker.beryju.org/passbook/dev:0.6.4-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/dev.Dockerfile --destination docker.beryju.org/passbook/dev:latest
   stage: build-dev-image
   only:
     refs:
@@ -70,13 +70,13 @@ migrations:
 #   services:
 #   - postgres:latest
 #   - redis:latest
-# pylint:
+pylint:
-#   script:
+  script:
-#     - pylint passbook
+    - pylint passbook
-#   stage: test
+  stage: test
-#   services:
+  services:
-#   - postgres:latest
+  - postgres:latest
-#   - redis:latest
+  - redis:latest
 coverage:
   script:
     - coverage run manage.py test
@@ -95,7 +95,7 @@ build-passbook-server:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.6.4-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination docker.beryju.org/passbook/server:latest --destination docker.beryju.org/passbook/server:0.6.6-beta
   only:
     - tags
     - /^version/.*$/
@@ -107,7 +107,7 @@ build-passbook-static:
   before_script:
     - echo "{\"auths\":{\"docker.beryju.org\":{\"auth\":\"$DOCKER_AUTH\"}}}" > /kaniko/.docker/config.json
   script:
-    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/static.Dockerfile --destination docker.beryju.org/passbook/static:latest --destination docker.beryju.org/passbook/static:0.6.4-beta
+    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/static.Dockerfile --destination docker.beryju.org/passbook/static:latest --destination docker.beryju.org/passbook/static:0.6.6-beta
   only:
     - tags
     - /^version/.*$/

Dockerfile

@@ -1,6 +1,6 @@
 FROM docker.beryju.org/passbook/base:latest
 
-COPY --chown=passbook:passbook ./passbook/ /app/passbook
+COPY ./passbook/ /app/passbook
 COPY ./manage.py /app/
 COPY ./docker/uwsgi.ini /app/
 

Pipfile

@@ -35,17 +35,17 @@ service_identity = "*"
 signxml = "*"
 urllib3 = {extras = ["secure"],version = "*"}
 structlog = "*"
+pyuwsgi = "*"
 
 [requires]
 python_version = "3.7"
 
 [dev-packages]
-astroid = "==2.2.5"
 coverage = "*"
 isort = "*"
 pylint = "==2.3.1"
-pylint-django = "==2.0.10"
+pylint-django = "*"
-prospector = "==1.1.7"
+prospector = "*"
 django-debug-toolbar = "*"
 bumpversion = "*"
 unittest-xml-reporting = "*"

Pipfile.lock

@@ -1,7 +1,7 @@
 {
     "_meta": {
         "hash": {
-            "sha256": "53d7190ea62f504dc1a36eae952a273e0b2d9f313f23031099d039c3146235b7"
+            "sha256": "94b3d5140f0c31dac1fc77af75a0df30ae4fb0571bf6b7fcd722487c63dc1872"
         },
         "pipfile-spec": 6,
         "requires": {
@@ -101,10 +101,10 @@
         },
         "cheroot": {
             "hashes": [
-                "sha256:6168371ab9aaf574ac5f75675f244bbfebf990202bf75048065e9d675b9ae719",
+                "sha256:3ff64073efa35b39d5e107410f5c79664dc8c6c5990651e970740c80ab8878a8",
-                "sha256:8cc7c28961db2e13d0cac6b234a589a314c1844f7bbf54e67888ac9a2e25ac59"
+                "sha256:d523a1525258730026aa35b86c8c47c8d0e3892fb89f0f39157d4b32a50edf05"
             ],
-            "version": "==7.0.0"
+            "version": "==8.1.0"
         },
         "cherrypy": {
             "hashes": [
@@ -459,10 +459,10 @@
         },
         "pyasn1-modules": {
             "hashes": [
-                "sha256:43c17a83c155229839cc5c6b868e8d0c6041dba149789b6d6e28801c64821722",
+                "sha256:0c35a52e00b672f832e5846826f1fb7507907f7d52fba6faa9e3c4cbe874fe4b",
-                "sha256:e30199a9d221f1b26c885ff3d87fd08694dbbe18ed0e8e405a2a7126d30ce4c0"
+                "sha256:b6ada4f840fe51abf5a6bd545b45bf537bea62221fa0dde2e8a553ed9f06a4e3"
             ],
-            "version": "==0.2.6"
+            "version": "==0.2.7"
         },
         "pycparser": {
             "hashes": [
@@ -564,6 +564,36 @@
             ],
             "version": "==2019.3"
         },
+        "pyuwsgi": {
+            "hashes": [
+                "sha256:15a4626740753b0d0dfeeac7d367f9b2e89ab6af16c195927e60f75359fc1bbc",
+                "sha256:24c40c3b889eb9f283d43feffbc0f7c7fc024e914451425156ddb68af3df1e71",
+                "sha256:393737bd43a7e38f0a4a1601a37a69c4bf893635b37665ff958170fdb604fdb7",
+                "sha256:5a08308f87e639573c1efaa5966a6d04410cd45a73c4586a932fe3ee4b56369d",
+                "sha256:5f4b36c0dbb9931c4da8008aa423158be596e3b4a23cec95a958631603a94e45",
+                "sha256:7c31794f71bbd0ccf542cab6bddf38aa69e84e31ae0f9657a2e18ebdc150c01a",
+                "sha256:802ec6dad4b6707b934370926ec1866603abe31ba03c472f56149001b3533ba1",
+                "sha256:814d73d4569add69a6c19bb4a27cd5adb72b196e5e080caed17dbda740402072",
+                "sha256:829299cd117cf8abe837796bf587e61ce6bfe18423a3a1c510c21e9825789c2c",
+                "sha256:85f2210ceae5f48b7d8fad2240d831f4b890cac85cd98ca82683ac6aa481dfc8",
+                "sha256:861c94442b28cd64af033e88e0f63c66dbd5609f67952dc18694098b47a43f3a",
+                "sha256:957bc6316ffc8463795d56d9953d58e7f32aa5aad1c5ac80bc45c69f3299961e",
+                "sha256:9760c3f56fb5f15852d163429096600906478e9ed2c189a52f2bb21d8a2a986c",
+                "sha256:a4b24703ea818196d0be1dc64b3b57b79c67e8dee0cfa207a4216220912035a7",
+                "sha256:ad7f4968c1ddbf139a306d9b075360d959cc554d994ba5e1f512af9a40e62357",
+                "sha256:b1127d34b90f74faf1707718c57a4193ac028b9f4aec0238638983132297d456",
+                "sha256:bcb04d6ec644b3e08d03c64851e06edd7110489261e50627a4bcadf66ff6920e",
+                "sha256:bebfebb9ee83d7cf37668bf54275b677b7ae283e84a944f9f3ac6a4b66f95d4b",
+                "sha256:c29892dafc65a8b6eb95823fa4bac7754ca3fd1c28ab8d2a973289531b340a27",
+                "sha256:cb296b50b51ba022b0090b28d032ff1dd395a6db03672b65a39e83532edad527",
+                "sha256:ce777ebdf49ce736fc04abf555b5c41ab3f130127543a689dcf8d4871cd18fe4",
+                "sha256:d8b4bf930b6a19bc9ee982b9163d948c87501ad91b71516924e8ed25fe85d2ee",
+                "sha256:e2a420f2c4d35f3ec0b7e752a80d7bd385e2c5a64f67c05f2d2d74230e3114b6",
+                "sha256:fed899ce96f4f2b4d1b9f338dd145a4040ee1d8a5152213af0dd8d4a4d36e9fe"
+            ],
+            "index": "pypi",
+            "version": "==2.0.18.post0"
+        },
         "pyyaml": {
             "hashes": [
                 "sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9",
@@ -737,7 +767,6 @@
                 "sha256:6560e1e1749f68c64a4b5dee4e091fce798d2f0d84ebe638cf0e0585a343acf4",
                 "sha256:b65db1bbaac9f9f4d190199bb8680af6f6f84fd3769a5ea883df8a91fe68b4c4"
             ],
-            "index": "pypi",
             "version": "==2.2.5"
         },
         "autopep8": {

base.Dockerfile

@@ -1,18 +1,20 @@
-FROM python:3.7-slim-stretch
+FROM python:3.7-slim-buster as locker
 
 COPY ./Pipfile /app/
 COPY ./Pipfile.lock /app/
 
 WORKDIR /app/
 
-RUN apt-get update && \
+RUN pip install pipenv && \
-    apt-get install -y --no-install-recommends build-essential && \
+    pipenv lock -r > requirements.txt && \
-    pip install pipenv uwsgi --no-cache-dir && \
+    pipenv lock -rd > requirements-dev.txt
-    apt-get remove -y --purge build-essential && \
-    apt-get autoremove -y --purge && \
-    rm -rf /var/lib/apt/lists/*
 
-RUN pipenv lock -r > requirements.txt && \
+FROM python:3.7-slim-buster
-    pipenv --rm && \
+
-    pip install -r requirements.txt  --no-cache-dir && \
+COPY --from=locker /app/requirements.txt /app/
+COPY --from=locker /app/requirements-dev.txt /app/
+
+WORKDIR /app/
+
+RUN pip install -r requirements.txt  --no-cache-dir && \
     adduser --system --no-create-home --uid 1000 --group --home /app passbook

dev.Dockerfile

@@ -1,5 +1,3 @@
 FROM docker.beryju.org/passbook/base:latest
 
-RUN pipenv lock --dev -r > requirements-dev.txt && \
+RUN pip install -r /app/requirements-dev.txt  --no-cache-dir
-    pipenv --rm && \
-    pip install -r /app/requirements-dev.txt  --no-cache-dir

docker-compose.yml

@@ -49,6 +49,7 @@ services:
       - -E
       - -B
       - -A=passbook.root.celery
+      - -s=/tmp/celerybeat-schedule
     networks:
       - internal
     labels:

docker/nginx.conf

@@ -39,7 +39,7 @@ http {
         gzip on;
         gzip_types application/javascript image/* text/css;
         gunzip on;
-        add_header X-passbook-Version 0.6.4-beta;
+        add_header X-passbook-Version 0.6.6-beta;
         add_header Vary X-passbook-Version;
         root /data/;
 

helm/passbook/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "0.6.4-beta"
+appVersion: "0.6.6-beta"
 description: A Helm chart for passbook.
 name: passbook
-version: "0.6.4-beta"
+version: "0.6.6-beta"
 icon: https://git.beryju.org/uploads/-/system/project/avatar/108/logo.png

helm/passbook/templates/worker-deployment.yaml

@@ -36,6 +36,7 @@ spec:
             - -E
             - -B
             - -A=passbook.root.celery
+            - -s=/tmp/celerybeat-schedule
           volumeMounts:
             - mountPath: /etc/passbook
               name: config-volume

helm/passbook/values.yaml

@@ -2,7 +2,7 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 image:
-  tag: 0.6.4-beta
+  tag: 0.6.6-beta
 
 nameOverride: ""
 

passbook/__init__.py

@@ -1,2 +1,2 @@
 """passbook"""
-__version__ = '0.6.4-beta'
+__version__ = '0.6.6-beta'

passbook/admin/forms/users.py

@@ -11,7 +11,7 @@ class UserForm(forms.ModelForm):
     class Meta:
 
         model = User
-        fields = ['username', 'name', 'email', 'is_staff', 'is_active']
+        fields = ['username', 'name', 'email', 'is_staff', 'is_active', 'attributes']
         widgets = {
             'name': forms.TextInput
         }

passbook/audit/models.py

@@ -60,7 +60,8 @@ class AuditEntry(UUIDModel):
             # User 255.255.255.255 as fallback if IP cannot be determined
             request_ip=client_ip or '255.255.255.255',
             context=kwargs)
-        LOGGER.debug("Logged %s from %s (%s)", action, user, client_ip)
+        LOGGER.debug("Created Audit entry", action=action,
+                     user=user, from_ip=client_ip, context=kwargs)
         return entry
 
     def save(self, *args, **kwargs):

passbook/core/forms/groups.py

@@ -26,7 +26,7 @@ class GroupForm(forms.ModelForm):
     class Meta:
 
         model = Group
-        fields = ['name', 'parent', 'members', 'tags']
+        fields = ['name', 'parent', 'members', 'attributes']
         widgets = {
             'name': forms.TextInput(),
         }

passbook/core/migrations/0003_auto_20191011_0914.py

@@ -0,0 +1,29 @@
+# Generated by Django 2.2.6 on 2019-10-11 09:14
+
+import django.contrib.postgres.fields.jsonb
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_core', '0002_nonce_description'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='group',
+            old_name='tags',
+            new_name='attributes',
+        ),
+        migrations.AddField(
+            model_name='source',
+            name='property_mappings',
+            field=models.ManyToManyField(blank=True, default=None, to='passbook_core.PropertyMapping'),
+        ),
+        migrations.AddField(
+            model_name='user',
+            name='attributes',
+            field=django.contrib.postgres.fields.jsonb.JSONField(blank=True, default=dict),
+        ),
+    ]

passbook/core/models.py

@@ -32,7 +32,7 @@ class Group(UUIDModel):
     name = models.CharField(_('name'), max_length=80)
     parent = models.ForeignKey('Group', blank=True, null=True,
                                on_delete=models.SET_NULL, related_name='children')
-    tags = JSONField(default=dict, blank=True)
+    attributes = JSONField(default=dict, blank=True)
 
     def __str__(self):
         return f"Group {self.name}"
@@ -51,6 +51,8 @@ class User(AbstractUser):
     groups = models.ManyToManyField('Group')
     password_change_date = models.DateTimeField(auto_now_add=True)
 
+    attributes = JSONField(default=dict, blank=True)
+
     def set_password(self, password):
         if self.pk:
             password_changed.send(sender=self, user=self, password=password)
@@ -143,6 +145,7 @@ class Source(PolicyModel):
     name = models.TextField()
     slug = models.SlugField()
     enabled = models.BooleanField(default=True)
+    property_mappings = models.ManyToManyField('PropertyMapping', default=None, blank=True)
 
     form = '' # ModelForm-based class ued to create/edit instance
 

passbook/core/static/css/passbook.css

@@ -1,3 +1,7 @@
+.navbar-brand-name {
+    height: 35px;
+}
+
 .dynamic-array-widget .array-item {
   display: flex;
   align-items: center;
@@ -23,7 +27,6 @@
 }
 
 /* Selector */
-
 .selector {
     display: flex;
     width: 100%;

passbook/core/tasks.py

@@ -1,6 +1,5 @@
 """passbook core tasks"""
-from datetime import datetime
+from django.utils.timezone import now
-
 from structlog import get_logger
 
 from passbook.core.models import Nonce
@@ -11,5 +10,5 @@ LOGGER = get_logger()
 @CELERY_APP.task()
 def clean_nonces():
     """Remove expired nonces"""
-    amount, _ = Nonce.objects.filter(expires__lt=datetime.now(), expiring=True).delete()
+    amount, _ = Nonce.objects.filter(expires__lt=now(), expiring=True).delete()
     LOGGER.debug("Deleted expired nonces", amount=amount)

passbook/factors/email/factor.py

@@ -23,11 +23,11 @@ class EmailFactorView(AuthenticationFactor):
 
     def get(self, request, *args, **kwargs):
         nonce = Nonce.objects.create(user=self.pending_user)
-        LOGGER.debug("DEBUG %s", str(nonce.uuid))
         # Send mail to user
         message = TemplateEmailMessage(
             subject=_('Forgotten password'),
             template_name='email/account_password_reset.html',
+            to=[self.pending_user.email],
             template_context={
                 'url': self.request.build_absolute_uri(
                     reverse('passbook_core:auth-password-reset',

passbook/factors/email/migrations/0002_auto_20191011_1224.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.6 on 2019-10-11 12:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_factors_email', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='emailfactor',
+            name='timeout',
+            field=models.IntegerField(default=10),
+        ),
+    ]

passbook/factors/email/models.py

@@ -15,7 +15,7 @@ class EmailFactor(Factor):
     password = models.TextField(default='', blank=True)
     use_tls = models.BooleanField(default=False)
     use_ssl = models.BooleanField(default=False)
-    timeout = models.IntegerField(default=0)
+    timeout = models.IntegerField(default=10)
 
     ssl_keyfile = models.TextField(default=None, blank=True, null=True)
     ssl_certfile = models.TextField(default=None, blank=True, null=True)

passbook/factors/email/tasks.py

@@ -4,10 +4,13 @@ from typing import Any, Dict, List
 
 from celery import group
 from django.core.mail import EmailMessage
+from structlog import get_logger
 
 from passbook.factors.email.models import EmailFactor
 from passbook.root.celery import CELERY_APP
 
+LOGGER = get_logger()
+
 
 def send_mails(factor: EmailFactor, *messages: List[EmailMessage]):
     """Wrapper to convert EmailMessage to dict and send it from worker"""
@@ -31,6 +34,7 @@ def _send_mail_task(self, email_factor_pk: int, message: Dict[Any, Any]):
     for key, value in message.items():
         setattr(message_object, key, value)
     message_object.from_email = factor.from_address
+    LOGGER.debug("Sending mail", to=message_object.to)
     try:
         num_sent = factor.backend.send_messages([message_object])
     except SMTPException as exc:

passbook/factors/password/factor.py

@@ -30,7 +30,7 @@ def authenticate(request, backends, **credentials) -> Optional[User]:
             signature = Signature.from_callable(backend.authenticate)
             signature.bind(request, **credentials)
         except TypeError:
-            LOGGER.debug("Backend doesn't accept our arguments", backend=backend)
+            LOGGER.warning("Backend doesn't accept our arguments", backend=backend)
             # This backend doesn't accept these credentials as arguments. Try the next one.
             continue
         LOGGER.debug('Attempting authentication...', backend=backend)

passbook/factors/view.py

@@ -134,7 +134,7 @@ class AuthenticationView(UserPassesTestMixin, View):
             LOGGER.debug("Rendering Factor", next_factor=next_factor)
             return _redirect_with_qs('passbook_core:auth-process', self.request.GET)
         # User passed all factors
-        LOGGER.debug("User passed all factors, logging in")
+        LOGGER.debug("User passed all factors, logging in", user=self.pending_user)
         return self._user_passed()
 
     def user_invalid(self):

passbook/root/celery.py

@@ -2,7 +2,9 @@
 import os
 from logging.config import dictConfig
 
-from celery import Celery, signals
+from celery import Celery
+from celery.signals import (after_task_publish, setup_logging, task_postrun,
+                            task_prerun)
 from django.conf import settings
 from structlog import get_logger
 
@@ -10,39 +12,39 @@ from structlog import get_logger
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "passbook.root.settings")
 
 LOGGER = get_logger()
-
-
 CELERY_APP = Celery('passbook')
 
 
 # pylint: disable=unused-argument
-@signals.setup_logging.connect
+@setup_logging.connect
 def config_loggers(*args, **kwags):
     """Apply logging settings from settings.py to celery"""
     dictConfig(settings.LOGGING)
 
 
 # pylint: disable=unused-argument
-@signals.after_task_publish.connect
+@after_task_publish.connect
 def after_task_publish(sender=None, headers=None, body=None, **kwargs):
     """Log task_id after it was published"""
     info = headers if 'task' in headers else body
-    LOGGER.debug('%-40s published (name=%s)', info.get('id'), info.get('task'))
+    LOGGER.debug('Task published', task_id=info.get('id', ''), task_name=info.get('task', ''))
 
 
 # pylint: disable=unused-argument
-@signals.task_prerun.connect
+@task_prerun.connect
 def task_prerun(task_id, task, *args, **kwargs):
     """Log task_id on worker"""
-    LOGGER.debug('%-40s started (name=%s)', task_id, task.__name__)
+    LOGGER.debug('Task started', task_id=task_id, task_name=task.__name__)
 
 
 # pylint: disable=unused-argument
-@signals.task_postrun.connect
+@task_postrun.connect
 def task_postrun(task_id, task, *args, retval=None, state=None, **kwargs):
     """Log task_id on worker"""
-    LOGGER.debug('%-40s finished (name=%s, state=%s)',
+    LOGGER.debug('Task finished',
-                 task_id, task.__name__, state)
+                 task_id=task_id,
+                 task_name=task.__name__,
+                 state=state)
 
 
 # Using a string here means the worker doesn't have to serialize

passbook/root/settings.py

@@ -307,7 +307,12 @@ if any('test' in arg for arg in sys.argv):
     CELERY_TASK_ALWAYS_EAGER = True
 
 
-_DISALLOWED_ITEMS = ['INSTALLED_APPS', 'MIDDLEWARE', 'AUTHENTICATION_BACKENDS']
+_DISALLOWED_ITEMS = [
+    'INSTALLED_APPS',
+    'MIDDLEWARE',
+    'AUTHENTICATION_BACKENDS',
+    'CELERY_BEAT_SCHEDULE'
+]
 # Load subapps's INSTALLED_APPS
 for _app in INSTALLED_APPS:
     if _app.startswith('passbook'):
@@ -318,6 +323,7 @@ for _app in INSTALLED_APPS:
             INSTALLED_APPS.extend(getattr(app_settings, 'INSTALLED_APPS', []))
             MIDDLEWARE.extend(getattr(app_settings, 'MIDDLEWARE', []))
             AUTHENTICATION_BACKENDS.extend(getattr(app_settings, 'AUTHENTICATION_BACKENDS', []))
+            CELERY_BEAT_SCHEDULE.update(getattr(app_settings, 'CELERY_BEAT_SCHEDULE', {}))
             for _attr in dir(app_settings):
                 if not _attr.startswith('__') and _attr not in _DISALLOWED_ITEMS:
                     globals()[_attr] = getattr(app_settings, _attr)

passbook/sources/ldap/auth.py

@@ -1,8 +1,9 @@
 """passbook LDAP Authentication Backend"""
 from django.contrib.auth.backends import ModelBackend
+from django.http import HttpRequest
 from structlog import get_logger
 
-from passbook.sources.ldap.ldap_connector import LDAPConnector
+from passbook.sources.ldap.connector import Connector
 from passbook.sources.ldap.models import LDAPSource
 
 LOGGER = get_logger()
@@ -11,12 +12,13 @@ LOGGER = get_logger()
 class LDAPBackend(ModelBackend):
     """Authenticate users against LDAP Server"""
 
-    def authenticate(self, **kwargs):
+    def authenticate(self, request: HttpRequest, **kwargs):
         """Try to authenticate a user via ldap"""
         if 'password' not in kwargs:
             return None
         for source in LDAPSource.objects.filter(enabled=True):
-            _ldap = LDAPConnector(source)
+            LOGGER.debug("LDAP Auth attempt", source=source)
+            _ldap = Connector(source)
             user = _ldap.auth_user(**kwargs)
             if user:
                 return user

passbook/sources/ldap/connector.py

@@ -0,0 +1,158 @@
+"""Wrapper for ldap3 to easily manage user"""
+from typing import Any, Dict, Optional
+
+import ldap3
+import ldap3.core.exceptions
+from structlog import get_logger
+
+from passbook.core.models import Group, User
+from passbook.sources.ldap.models import LDAPSource
+
+LOGGER = get_logger()
+
+
+class Connector:
+    """Wrapper for ldap3 to easily manage user authentication and creation"""
+
+    _server: ldap3.Server
+    _connection = ldap3.Connection
+    _source: LDAPSource
+
+    def __init__(self, source: LDAPSource):
+        self._source = source
+        self._server = ldap3.Server(source.server_uri) # Implement URI parsing
+
+    def bind(self):
+        """Bind using Source's Credentials"""
+        self._connection = ldap3.Connection(self._server, raise_exceptions=True,
+                                            user=self._source.bind_cn,
+                                            password=self._source.bind_password)
+
+        self._connection.bind()
+        if self._source.start_tls:
+            self._connection.start_tls()
+
+    @staticmethod
+    def encode_pass(password: str) -> bytes:
+        """Encodes a plain-text password so it can be used by AD"""
+        return '"{}"'.format(password).encode('utf-16-le')
+
+    @property
+    def base_dn_users(self) -> str:
+        """Shortcut to get full base_dn for user lookups"""
+        return ','.join([self._source.additional_user_dn, self._source.base_dn])
+
+    @property
+    def base_dn_groups(self) -> str:
+        """Shortcut to get full base_dn for group lookups"""
+        return ','.join([self._source.additional_group_dn, self._source.base_dn])
+
+    def sync_groups(self):
+        """Iterate over all LDAP Groups and create passbook_core.Group instances"""
+        if not self._source.sync_groups:
+            LOGGER.debug("Group syncing is disabled for this Source")
+            return
+        groups = self._connection.extend.standard.paged_search(
+            search_base=self.base_dn_groups,
+            search_filter=self._source.group_object_filter,
+            search_scope=ldap3.SUBTREE,
+            attributes=ldap3.ALL_ATTRIBUTES)
+        for group in groups:
+            attributes = group.get('attributes', {})
+            _, created = Group.objects.update_or_create(
+                attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),
+                parent=self._source.sync_parent_group,
+                # defaults=self._build_object_properties(attributes),
+                defaults={
+                    'name': attributes.get('name', ''),
+                    'attributes': {
+                        'ldap_uniq': attributes.get(self._source.object_uniqueness_field, ''),
+                        'distinguishedName': attributes.get('distinguishedName')
+                    }
+                }
+            )
+            LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created)
+
+    def sync_users(self):
+        """Iterate over all LDAP Users and create passbook_core.User instances"""
+        users = self._connection.extend.standard.paged_search(
+            search_base=self.base_dn_users,
+            search_filter=self._source.user_object_filter,
+            search_scope=ldap3.SUBTREE,
+            attributes=ldap3.ALL_ATTRIBUTES)
+        for user in users:
+            attributes = user.get('attributes', {})
+            _, created = User.objects.update_or_create(
+                attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),
+                defaults=self._build_object_properties(attributes),
+            )
+            LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created)
+
+    def sync_membership(self):
+        """Iterate over all Users and assign Groups using memberOf Field"""
+        users = self._connection.extend.standard.paged_search(
+            search_base=self.base_dn_users,
+            search_filter=self._source.user_object_filter,
+            search_scope=ldap3.SUBTREE,
+            attributes=[
+                self._source.user_group_membership_field,
+                self._source.object_uniqueness_field])
+        group_cache: Dict[str, Group] = {}
+        for user in users:
+            member_of = user.get('attributes', {}).get(self._source.user_group_membership_field, [])
+            uniq = user.get('attributes', {}).get(self._source.object_uniqueness_field, [])
+            for group_dn in member_of:
+                # Check if group_dn is within our base_dn_groups, and skip if not
+                if not group_dn.endswith(self.base_dn_groups):
+                    continue
+                # Check if we fetched the group already, and if not cache it for later
+                if group_dn not in group_cache:
+                    groups = Group.objects.filter(attributes__distinguishedName=group_dn)
+                    if not groups.exists():
+                        LOGGER.warning("Group does not exist in our DB yet, run sync_groups first.",
+                                       group=group_dn)
+                        return
+                    group_cache[group_dn] = groups.first()
+                group = group_cache[group_dn]
+                users = User.objects.filter(attributes__ldap_uniq=uniq)
+                group.user_set.add(*list(users))
+        # Now that all users are added, lets write everything
+        for _, group in group_cache.items():
+            group.save()
+        LOGGER.debug("Successfully updated group membership")
+
+    def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]:
+        properties = {
+            'attributes': {}
+        }
+        for mapping in self._source.property_mappings.all().select_subclasses():
+            properties[mapping.object_field] = attributes.get(mapping.ldap_property, '')
+        if self._source.object_uniqueness_field in attributes:
+            properties['attributes']['ldap_uniq'] = \
+                attributes.get(self._source.object_uniqueness_field)
+        properties['attributes']['distinguishedName'] = attributes.get('distinguishedName')
+        return properties
+
+    def auth_user(self, password: str, **filters: Dict[str, str]) -> Optional[User]:
+        """Try to bind as either user_dn or mail with password.
+        Returns True on success, otherwise False"""
+        users = User.objects.filter(**filters)
+        if not users.exists():
+            return None
+        user = users.first()
+        if 'distinguishedName' not in user.attributes:
+            LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user)
+            return None
+        # Try to bind as new user
+        LOGGER.debug("Attempting Binding as user", user=user)
+        try:
+            temp_connection = ldap3.Connection(self._server,
+                                               user=user.attributes.get('distinguishedName'),
+                                               password=password, raise_exceptions=True)
+            temp_connection.bind()
+            return user
+        except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
+            LOGGER.debug("LDAPInvalidCredentialsResult", user=user)
+        except ldap3.core.exceptions.LDAPException as exception:
+            LOGGER.warning(exception)
+        return None

passbook/sources/ldap/forms.py

@@ -5,8 +5,7 @@ from django.contrib.admin.widgets import FilteredSelectMultiple
 from django.utils.translation import gettext_lazy as _
 
 from passbook.admin.forms.source import SOURCE_FORM_FIELDS
-from passbook.core.forms.policies import GENERAL_FIELDS
+from passbook.sources.ldap.models import LDAPPropertyMapping, LDAPSource
-from passbook.sources.ldap.models import LDAPGroupMembershipPolicy, LDAPSource
 
 
 class LDAPSourceForm(forms.ModelForm):
@@ -15,36 +14,56 @@ class LDAPSourceForm(forms.ModelForm):
     class Meta:
 
         model = LDAPSource
-        fields = SOURCE_FORM_FIELDS + ['server_uri', 'bind_cn', 'bind_password',
+        fields = SOURCE_FORM_FIELDS + [
-                                       'type', 'domain', 'base_dn', 'create_user',
+            'server_uri',
-                                       'reset_password']
+            'bind_cn',
+            'bind_password',
+            'start_tls',
+            'base_dn',
+            'additional_user_dn',
+            'additional_group_dn',
+            'user_object_filter',
+            'group_object_filter',
+            'user_group_membership_field',
+            'object_uniqueness_field',
+            'sync_groups',
+            'sync_parent_group',
+            'property_mappings',
+        ]
         widgets = {
             'name': forms.TextInput(),
             'server_uri': forms.TextInput(),
             'bind_cn': forms.TextInput(),
             'bind_password': forms.TextInput(),
-            'domain': forms.TextInput(),
             'base_dn': forms.TextInput(),
-            'policies': FilteredSelectMultiple(_('policies'), False)
+            'additional_user_dn': forms.TextInput(),
+            'additional_group_dn': forms.TextInput(),
+            'user_object_filter': forms.TextInput(),
+            'group_object_filter': forms.TextInput(),
+            'user_group_membership_field': forms.TextInput(),
+            'object_uniqueness_field': forms.TextInput(),
+            'policies': FilteredSelectMultiple(_('policies'), False),
+            'property_mappings': FilteredSelectMultiple(_('Property Mappings'), False)
         }
         labels = {
             'server_uri': _('Server URI'),
             'bind_cn': _('Bind CN'),
+            'start_tls': _('Enable Start TLS'),
             'base_dn': _('Base DN'),
+            'additional_user_dn': _('Addition User DN'),
+            'additional_group_dn': _('Addition Group DN'),
         }
 
 
-class LDAPGroupMembershipPolicyForm(forms.ModelForm):
+class LDAPPropertyMappingForm(forms.ModelForm):
-    """LDAPGroupMembershipPolicy Form"""
+    """LDAP Property Mapping form"""
 
     class Meta:
 
-        model = LDAPGroupMembershipPolicy
+        model = LDAPPropertyMapping
-        fields = GENERAL_FIELDS + ['dn', ]
+        fields = ['name', 'ldap_property', 'object_field']
         widgets = {
             'name': forms.TextInput(),
-            'dn': forms.TextInput(),
+            'ldap_property': forms.TextInput(),
-        }
+            'object_field': forms.TextInput(),
-        labels = {
-            'dn': _('DN')
         }

passbook/sources/ldap/ldap_connector.py

@@ -1,293 +0,0 @@
-"""Wrapper for ldap3 to easily manage user"""
-from time import time
-
-import ldap3
-import ldap3.core.exceptions
-from structlog import get_logger
-
-from passbook.core.models import User
-from passbook.lib.config import CONFIG
-from passbook.sources.ldap.models import LDAPSource
-
-LOGGER = get_logger()
-
-USERNAME_FIELD = CONFIG.y('ldap.username_field', 'sAMAccountName')
-LOGIN_FIELD = CONFIG.y('ldap.login_field', 'userPrincipalName')
-
-
-class LDAPConnector:
-    """Wrapper for ldap3 to easily manage user authentication and creation"""
-
-    _server = None
-    _connection = None
-    _source = None
-
-    def __init__(self, source: LDAPSource):
-        self._source = source
-
-        if not self._source.enabled:
-            LOGGER.debug("LDAP not Enabled")
-
-        # if not con_args:
-        #     con_args = {}
-        # if not server_args:
-        #     server_args = {}
-        # Either use mock argument or test is in argv
-        # if mock or any('test' in arg for arg in sys.argv):
-        #     self.mock = True
-        #     self.create_users_enabled = True
-        #     con_args['client_strategy'] = ldap3.MOCK_SYNC
-        #     server_args['get_info'] = ldap3.OFFLINE_AD_2012_R2
-        # if self.mock:
-        #     json_path = os.path.join(os.path.dirname(__file__), 'tests', 'ldap_mock.json')
-        #     self._connection.strategy.entries_from_json(json_path)
-
-        self._server = ldap3.Server(source.server_uri) # Implement URI parsing
-        self._connection = ldap3.Connection(self._server, raise_exceptions=True,
-                                            user=source.bind_cn,
-                                            password=source.bind_password)
-
-        self._connection.bind()
-        # if CONFIG.y('ldap.server.use_tls'):
-        #     self._connection.start_tls()
-
-    # @staticmethod
-    # def cleanup_mock():
-    #     """Cleanup mock files which are not this PID's"""
-    #     pid = os.getpid()
-    #     json_path = os.path.join(os.path.dirname(__file__), 'test', 'ldap_mock_%d.json' % pid)
-    #     os.unlink(json_path)
-    #     LOGGER.debug("Cleaned up LDAP Mock from PID %d", pid)
-
-    # def apply_db(self):
-    #     """Check if any unapplied LDAPModification's are left"""
-    #     to_apply = LDAPModification.objects.filter(_purgeable=False)
-    #     for obj in to_apply:
-    #         try:
-    #             if obj.action == LDAPModification.ACTION_ADD:
-    #                 self._connection.add(obj.dn, obj.data)
-    #             elif obj.action == LDAPModification.ACTION_MODIFY:
-    #                 self._connection.modify(obj.dn, obj.data)
-
-    #             # Object has been successfully applied to LDAP
-    #             obj.delete()
-    #         except ldap3.core.exceptions.LDAPException as exc:
-    #             LOGGER.error(exc)
-    #     LOGGER.debug("Recovered %d Modifications from DB.", len(to_apply))
-
-    # @staticmethod
-    # def handle_ldap_error(object_dn, action, data):
-    #     """Custom Handler for LDAP methods to write LDIF to DB"""
-    #     LDAPModification.objects.create(
-    #         dn=object_dn,
-    #         action=action,
-    #         data=data)
-
-    # @property
-    # def enabled(self):
-    #     """Returns whether LDAP is enabled or not"""
-    #     return CONFIG.y('ldap.enabled')
-
-    @staticmethod
-    def encode_pass(password):
-        """Encodes a plain-text password so it can be used by AD"""
-        return '"{}"'.format(password).encode('utf-16-le')
-
-    def generate_filter(self, **fields):
-        """Generate LDAP filter from **fields."""
-        filters = []
-        for item, value in fields.items():
-            filters.append("(%s=%s)" % (item, value))
-        ldap_filter = "(&%s)" % "".join(filters)
-        LOGGER.debug("Constructed filter: '%s'", ldap_filter)
-        return ldap_filter
-
-    def lookup(self, ldap_filter: str):
-        """Search email in LDAP and return the DN.
-        Returns False if nothing was found."""
-        try:
-            self._connection.search(self._source.search_base, ldap_filter)
-            results = self._connection.response
-            if len(results) >= 1:
-                if 'dn' in results[0]:
-                    return str(results[0]['dn'])
-        except ldap3.core.exceptions.LDAPNoSuchObjectResult as exc:
-            LOGGER.warning(exc)
-            return False
-        except ldap3.core.exceptions.LDAPInvalidDnError as exc:
-            LOGGER.warning(exc)
-            return False
-        return False
-
-    def _get_or_create_user(self, user_data):
-        """Returns a Django user for the given LDAP user data.
-        If the user does not exist, then it will be created."""
-        attributes = user_data.get("attributes")
-        if attributes is None:
-            LOGGER.warning("LDAP user attributes empty")
-            return None
-        # Create the user data.
-        field_map = {
-            'username': '%(' + USERNAME_FIELD + ')s',
-            'name': '%(givenName)s %(sn)s',
-            'email': '%(mail)s',
-        }
-        user_fields = {}
-        for dj_field, ldap_field in field_map.items():
-            user_fields[dj_field] = ldap_field % attributes
-
-        # Update or create the user.
-        user, created = User.objects.update_or_create(
-            defaults=user_fields,
-            username=user_fields.pop('username', "")
-        )
-
-        # Update groups
-        # if 'memberOf' in attributes:
-        #     applicable_groups = LDAPGroupMapping.objects.f
-        # ilter(ldap_dn__in=attributes['memberOf'])
-        #     for group in applicable_groups:
-        #         if group.group not in user.groups.all():
-        #             user.groups.add(group.group)
-        #             user.save()
-
-        # If the user was created, set them an unusable password.
-        if created:
-            user.set_unusable_password()
-            user.save()
-        # All done!
-        LOGGER.debug("LDAP user lookup succeeded")
-        return user
-
-    def auth_user(self, password, **filters):
-        """Try to bind as either user_dn or mail with password.
-        Returns True on success, otherwise False"""
-        filters.pop('request')
-        if not self._source.enabled:
-            return None
-        # FIXME: Adapt user_uid
-        # email = filters.pop(CONFIG.y('passport').get('ldap').get, '')
-        email = filters.pop('email')
-        user_dn = self.lookup(self.generate_filter(**{LOGIN_FIELD: email}))
-        if not user_dn:
-            return None
-        # Try to bind as new user
-        LOGGER.debug("Binding as '%s'", user_dn)
-        try:
-            temp_connection = ldap3.Connection(self._server, user=user_dn,
-                                               password=password, raise_exceptions=True)
-            temp_connection.bind()
-            if self._connection.search(
-                    search_base=self._source.search_base,
-                    search_filter=self.generate_filter(**{LOGIN_FIELD: email}),
-                    search_scope=ldap3.SUBTREE,
-                    attributes=[ldap3.ALL_ATTRIBUTES, ldap3.ALL_OPERATIONAL_ATTRIBUTES],
-                    get_operational_attributes=True,
-                    size_limit=1,
-            ):
-                response = self._connection.response[0]
-                # If user has no email set in AD, use UPN
-                if 'mail' not in response.get('attributes'):
-                    response['attributes']['mail'] = response['attributes']['userPrincipalName']
-                return self._get_or_create_user(response)
-            LOGGER.warning("LDAP user lookup failed")
-            return None
-        except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
-            LOGGER.debug("User '%s' failed to login (Wrong credentials)", user_dn)
-        except ldap3.core.exceptions.LDAPException as exception:
-            LOGGER.warning(exception)
-        return None
-
-    def is_email_used(self, mail):
-        """Checks whether an email address is already registered in LDAP"""
-        if self._source.create_user:
-            return self.lookup(self.generate_filter(mail=mail))
-        return False
-
-    def create_ldap_user(self, user, raw_password):
-        """Creates a new LDAP User from a django user and raw_password.
-        Returns True on success, otherwise False"""
-        if self._source.create_user:
-            LOGGER.debug("User creation not enabled")
-            return False
-        # The dn of our new entry/object
-        username = user.pk.hex # UUID without dashes
-        # sAMAccountName is limited to 20 chars
-        # https://msdn.microsoft.com/en-us/library/ms679635.aspx
-        username_trunk = username[:20] if len(username) > 20 else username
-        # AD doesn't like sAMAccountName's with . at the end
-        username_trunk = username_trunk[:-1] if username_trunk[-1] == '.' else username_trunk
-        user_dn = 'cn=' + username + ',' + self._source.search_base
-        LOGGER.debug('New DN: %s', user_dn)
-        attrs = {
-            'distinguishedName': str(user_dn),
-            'cn': str(username),
-            'description': 't=' + str(time()),
-            'sAMAccountName': str(username_trunk),
-            'givenName': str(user.name),
-            'displayName': str(user.username),
-            'name': str(user.name),
-            'mail': str(user.email),
-            'userPrincipalName': str(username + '@' + self._source.domain),
-            'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
-        }
-        try:
-            self._connection.add(user_dn, attributes=attrs)
-        except ldap3.core.exceptions.LDAPException as exception:
-            LOGGER.warning("Failed to create user ('%s'), saved to DB", exception)
-            # LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_ADD, attrs)
-        LOGGER.debug("Signed up user %s", user.email)
-        return self.change_password(raw_password, mail=user.email)
-
-    def _do_modify(self, diff, **fields):
-        """Do the LDAP modification itself"""
-        user_dn = self.lookup(self.generate_filter(**fields))
-        try:
-            self._connection.modify(user_dn, diff)
-        except ldap3.core.exceptions.LDAPException as exception:
-            LOGGER.warning("Failed to modify %s ('%s'), saved to DB", user_dn, exception)
-            # LDAPConnector.handle_ldap_error(user_dn, LDAPModification.ACTION_MODIFY, diff)
-        LOGGER.debug("modified account '%s' [%s]", user_dn, ','.join(diff.keys()))
-        return 'result' in self._connection.result and self._connection.result['result'] == 0
-
-    def disable_user(self, **fields):
-        """Disables LDAP user based on mail or user_dn.
-        Returns True on success, otherwise False"""
-        diff = {
-            'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66050)])],
-        }
-        return self._do_modify(diff, **fields)
-
-    def enable_user(self, **fields):
-        """Enables LDAP user based on mail or user_dn.
-        Returns True on success, otherwise False"""
-        diff = {
-            'userAccountControl': [(ldap3.MODIFY_REPLACE, [str(66048)])],
-        }
-        return self._do_modify(diff, **fields)
-
-    def change_password(self, new_password, **fields):
-        """Changes LDAP user's password based on mail or user_dn.
-        Returns True on success, otherwise False"""
-        diff = {
-            'unicodePwd': [(ldap3.MODIFY_REPLACE, [LDAPConnector.encode_pass(new_password)])],
-        }
-        return self._do_modify(diff, **fields)
-
-    def add_to_group(self, group_dn, **fields):
-        """Adds mail or user_dn to group_dn
-        Returns True on success, otherwise False"""
-        user_dn = self.lookup(**fields)
-        diff = {
-            'member': [(ldap3.MODIFY_ADD), [user_dn]]
-        }
-        return self._do_modify(diff, user_dn=group_dn)
-
-    def remove_from_group(self, group_dn, **fields):
-        """Removes mail or user_dn from group_dn
-        Returns True on success, otherwise False"""
-        user_dn = self.lookup(**fields)
-        diff = {
-            'member': [(ldap3.MODIFY_DELETE), [user_dn]]
-        }
-        return self._do_modify(diff, user_dn=group_dn)

passbook/sources/ldap/migrations/0001_initial.py

@@ -1,5 +1,6 @@
-# Generated by Django 2.2.6 on 2019-10-07 14:07
+# Generated by Django 2.2.6 on 2019-10-08 20:43
 
+import django.core.validators
 import django.db.models.deletion
 from django.db import migrations, models
 
@@ -13,18 +14,33 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.CreateModel(
+            name='LDAPPropertyMapping',
+            fields=[
+                ('propertymapping_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.PropertyMapping')),
+                ('ldap_property', models.TextField()),
+                ('object_field', models.TextField()),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('passbook_core.propertymapping',),
+        ),
         migrations.CreateModel(
             name='LDAPSource',
             fields=[
                 ('source_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Source')),
-                ('server_uri', models.TextField()),
+                ('server_uri', models.URLField(validators=[django.core.validators.URLValidator(schemes=['ldap', 'ldaps'])])),
                 ('bind_cn', models.TextField()),
                 ('bind_password', models.TextField()),
-                ('type', models.CharField(choices=[('ad', 'Active Directory'), ('generic', 'Generic')], max_length=20)),
+                ('start_tls', models.BooleanField(default=False)),
-                ('domain', models.TextField()),
                 ('base_dn', models.TextField()),
-                ('create_user', models.BooleanField(default=False)),
+                ('additional_user_dn', models.TextField(help_text='Prepended to Base DN for User-queries.')),
-                ('reset_password', models.BooleanField(default=True)),
+                ('additional_group_dn', models.TextField(help_text='Prepended to Base DN for Group-queries.')),
+                ('user_object_filter', models.TextField()),
+                ('group_object_filter', models.TextField()),
+                ('sync_groups', models.BooleanField(default=True)),
+                ('sync_parent_group', models.ForeignKey(blank=True, default=None, on_delete=django.db.models.deletion.SET_DEFAULT, to='passbook_core.Group')),
             ],
             options={
                 'verbose_name': 'LDAP Source',
@@ -32,17 +48,4 @@ class Migration(migrations.Migration):
             },
             bases=('passbook_core.source',),
         ),
-        migrations.CreateModel(
-            name='LDAPGroupMembershipPolicy',
-            fields=[
-                ('policy_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='passbook_core.Policy')),
-                ('dn', models.TextField()),
-                ('source', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='passbook_sources_ldap.LDAPSource')),
-            ],
-            options={
-                'verbose_name': 'LDAP Group Membership Policy',
-                'verbose_name_plural': 'LDAP Group Membership Policys',
-            },
-            bases=('passbook_core.policy',),
-        ),
     ]

passbook/sources/ldap/migrations/0002_auto_20191011_0825.py

@@ -0,0 +1,17 @@
+# Generated by Django 2.2.6 on 2019-10-11 08:25
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_sources_ldap', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='ldappropertymapping',
+            options={'verbose_name': 'LDAP Property Mapping', 'verbose_name_plural': 'LDAP Property Mappings'},
+        ),
+    ]

passbook/sources/ldap/migrations/0003_auto_20191011_0825.py

@@ -0,0 +1,32 @@
+# Generated by Django 2.2.6 on 2019-10-11 08:25
+
+from django.apps.registry import Apps
+from django.db import migrations
+
+
+def create_default_ad_property_mappings(apps: Apps, schema_editor):
+    LDAPPropertyMapping = apps.get_model('passbook_sources_ldap', 'LDAPPropertyMapping')
+    mapping = {
+        'name': 'name',
+        'givenName': 'first_name',
+        'sn': 'last_name',
+        'sAMAccountName': 'username',
+        'mail': 'email'
+    }
+    for ldap_property, object_field in mapping.items():
+        LDAPPropertyMapping.objects.get_or_create(
+            ldap_property=ldap_property,
+            object_field=object_field,
+            defaults={
+                'name': f"Autogenerated LDAP Mapping: {ldap_property} -> {object_field}"
+            })
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_sources_ldap', '0002_auto_20191011_0825'),
+    ]
+
+    operations = [
+        migrations.RunPython(create_default_ad_property_mappings)
+    ]

passbook/sources/ldap/migrations/0004_auto_20191011_0839.py

@@ -0,0 +1,25 @@
+# Generated by Django 2.2.6 on 2019-10-11 08:39
+
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_sources_ldap', '0003_auto_20191011_0825'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='ldapsource',
+            name='server_uri',
+            field=models.TextField(validators=[django.core.validators.URLValidator(schemes=['ldap', 'ldaps'])]),
+        ),
+        migrations.AlterField(
+            model_name='ldapsource',
+            name='sync_parent_group',
+            field=models.ForeignKey(blank=True, default=None, null=True, on_delete=django.db.models.deletion.SET_DEFAULT, to='passbook_core.Group'),
+        ),
+    ]

passbook/sources/ldap/migrations/0005_auto_20191011_1059.py

@@ -0,0 +1,33 @@
+# Generated by Django 2.2.6 on 2019-10-11 10:59
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('passbook_sources_ldap', '0004_auto_20191011_0839'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='ldapsource',
+            name='object_uniqueness_field',
+            field=models.TextField(default='objectSid', help_text='Field which contains a unique Identifier.'),
+        ),
+        migrations.AddField(
+            model_name='ldapsource',
+            name='user_group_membership_field',
+            field=models.TextField(default='memberOf', help_text='Field which contains Groups of user.'),
+        ),
+        migrations.AlterField(
+            model_name='ldapsource',
+            name='group_object_filter',
+            field=models.TextField(default='(objectCategory=Group)', help_text='Consider Objects matching this filter to be Groups.'),
+        ),
+        migrations.AlterField(
+            model_name='ldapsource',
+            name='user_object_filter',
+            field=models.TextField(default='(objectCategory=Person)', help_text='Consider Objects matching this filter to be Users.'),
+        ),
+    ]

passbook/sources/ldap/models.py

@@ -1,30 +1,36 @@
 """passbook LDAP Models"""
 
+from django.core.validators import URLValidator
 from django.db import models
 from django.utils.translation import gettext as _
 
-from passbook.core.models import Policy, Source, User
+from passbook.core.models import Group, PropertyMapping, Source
 
 
 class LDAPSource(Source):
     """LDAP Authentication source"""
 
-    TYPE_ACTIVE_DIRECTORY = 'ad'
+    server_uri = models.TextField(validators=[URLValidator(schemes=['ldap', 'ldaps'])])
-    TYPE_GENERIC = 'generic'
-    TYPES = (
-        (TYPE_ACTIVE_DIRECTORY, _('Active Directory')),
-        (TYPE_GENERIC, _('Generic')),
-    )
-
-    server_uri = models.TextField()
     bind_cn = models.TextField()
     bind_password = models.TextField()
-    type = models.CharField(max_length=20, choices=TYPES)
+    start_tls = models.BooleanField(default=False)
 
-    domain = models.TextField()
     base_dn = models.TextField()
-    create_user = models.BooleanField(default=False)
+    additional_user_dn = models.TextField(help_text=_('Prepended to Base DN for User-queries.'))
-    reset_password = models.BooleanField(default=True)
+    additional_group_dn = models.TextField(help_text=_('Prepended to Base DN for Group-queries.'))
+
+    user_object_filter = models.TextField(default="(objectCategory=Person)", help_text=_(
+        'Consider Objects matching this filter to be Users.'))
+    user_group_membership_field = models.TextField(default="memberOf", help_text=_(
+        "Field which contains Groups of user."))
+    group_object_filter = models.TextField(default="(objectCategory=Group)", help_text=_(
+        'Consider Objects matching this filter to be Groups.'))
+    object_uniqueness_field = models.TextField(default="objectSid", help_text=_(
+        'Field which contains a unique Identifier.'))
+
+    sync_groups = models.BooleanField(default=True)
+    sync_parent_group = models.ForeignKey(Group, blank=True, null=True,
+                                          default=None, on_delete=models.SET_DEFAULT)
 
     form = 'passbook.sources.ldap.forms.LDAPSourceForm'
 
@@ -37,19 +43,19 @@ class LDAPSource(Source):
         verbose_name = _('LDAP Source')
         verbose_name_plural = _('LDAP Sources')
 
-class LDAPGroupMembershipPolicy(Policy):
-    """Policy to check if a user is in a certain LDAP Group"""
 
-    dn = models.TextField()
+class LDAPPropertyMapping(PropertyMapping):
-    source = models.ForeignKey('LDAPSource', on_delete=models.CASCADE)
+    """Map LDAP Property to User or Group object"""
 
-    form = 'passbook.sources.ldap.forms.LDAPGroupMembershipPolicyForm'
+    ldap_property = models.TextField()
+    object_field = models.TextField()
 
-    def passes(self, user: User):
+    form = 'passbook.sources.ldap.forms.LDAPPropertyMappingForm'
-        """Check if user instance passes this policy"""
+
-        raise NotImplementedError()
+    def __str__(self):
+        return f"LDAP Property Mapping {self.ldap_property} -> {self.object_field}"
 
     class Meta:
 
-        verbose_name = _('LDAP Group Membership Policy')
+        verbose_name = _('LDAP Property Mapping')
-        verbose_name_plural = _('LDAP Group Membership Policys')
+        verbose_name_plural = _('LDAP Property Mappings')

passbook/sources/ldap/settings.py

@@ -1,5 +1,13 @@
 """LDAP Settings"""
+from celery.schedules import crontab
 
 AUTHENTICATION_BACKENDS = [
     'passbook.sources.ldap.auth.LDAPBackend',
 ]
+
+CELERY_BEAT_SCHEDULE = {
+    'sync': {
+        'task': 'passbook.sources.ldap.tasks.sync',
+        'schedule': crontab(minute=0)  # Run every hour
+    }
+}

passbook/sources/ldap/tasks.py

@@ -0,0 +1,31 @@
+"""LDAP Sync tasks"""
+from passbook.root.celery import CELERY_APP
+from passbook.sources.ldap.connector import Connector
+from passbook.sources.ldap.models import LDAPSource
+
+
+@CELERY_APP.task()
+def sync_groups(source_pk: int):
+    """Sync LDAP Groups on background worker"""
+    source = LDAPSource.objects.get(pk=source_pk)
+    connector = Connector(source)
+    connector.bind()
+    connector.sync_groups()
+
+@CELERY_APP.task()
+def sync_users(source_pk: int):
+    """Sync LDAP Users on background worker"""
+    source = LDAPSource.objects.get(pk=source_pk)
+    connector = Connector(source)
+    connector.bind()
+    connector.sync_users()
+
+@CELERY_APP.task()
+def sync():
+    """Sync all sources"""
+    for source in LDAPSource.objects.filter(enabled=True):
+        connector = Connector(source)
+        connector.bind()
+        connector.sync_users()
+        connector.sync_groups()
+        connector.sync_membership()

passbook/sources/ldap/templates/ldap/settings.html

@@ -1,33 +0,0 @@
-{% extends "_admin/module_default.html" %}
-
-{% load i18n %}
-{% load utils %}
-
-{% block title %}
-{% title "Settings" %}
-{% endblock %}
-
-{% block module_content %}
-<h2><clr-icon shape="application" size="32"></clr-icon>{% trans 'LDAP connection' %}</h2>
-<div class="row">
-  <div class="col-md-12">
-    <div class="card">
-      <form role="form" method="POST">
-        <div class="card-block">
-          <h3><clr-icon shape="cog" size="32"></clr-icon>{% trans 'General settings' %}</h3>
-          {% include 'partials/form.html' with form=general %}
-          <h3><clr-icon shape="connect" size="32"></clr-icon>{% trans 'Connection settings' %}</h3>
-          {% include 'partials/form.html' with form=connection %}
-          <h3><clr-icon shape="certificate" size="32"></clr-icon>{% trans 'Authentication backend ' %}</h3>
-          {% include 'partials/form.html' with form=authentication %}
-          <h3><clr-icon shape="users" size="32"></clr-icon>{% trans 'Create users settings' %}</h3>
-          {% include 'partials/form.html' with form=create_users %}
-        </div>
-        <div class="card-footer">
-          <button type="submit" value="general" class="btn btn-sm btn-primary">{% trans 'Update' %}</button>
-        </div>
-      </form>
-    </div>
-  </div>
-</div>
-{% endblock %}

passbook/sources/ldap/urls.py

@@ -1,9 +0,0 @@
-# """passbook LDAP Urls"""
-
-# from django.conf.urls import url
-
-# from passbook.mod.auth.ldap import views
-
-# urlpatterns = [
-#     url(r'^settings/$', views.admin_settings, name='admin_settings'),
-# ]

passbook/sources/ldap/views.py

@@ -1,38 +0,0 @@
-# """passbook LDAP Views"""
-
-
-# from django.contrib import messages
-# from django.contrib.auth.decorators import login_required, user_passes_test
-# from django.http import HttpRequest, HttpResponse
-# from django.shortcuts import redirect, render
-# from django.urls import reverse
-# from django.utils.translation import ugettext as _
-
-# from passbook.sources.ldap.forms import (AuthenticationBackendSettings,
-#                                            ConnectionSettings,
-#                                            CreateUsersSettings,
-#                                            GeneralSettingsForm)
-
-
-# @login_required
-# @user_passes_test(lambda u: u.is_superuser)
-# def admin_settings(request: HttpRequest) -> HttpResponse:
-#     """Default view for modules without admin view"""
-#     form_classes = {
-#         'general': GeneralSettingsForm,
-#         'connection': ConnectionSettings,
-#         'authentication': AuthenticationBackendSettings,
-#         'create_users': CreateUsersSettings,
-#     }
-#     render_data = {}
-#     for form_key, form_class in form_classes.items():
-#         render_data[form_key] = form_class(request.POST if request.method == 'POST' else None)
-#     if request.method == 'POST':
-#         update_count = 0
-#         for form_key, form_class in form_classes.items():
-#             form = form_class(request.POST)
-#             if form.is_valid():
-#                 update_count += form.save()
-#         messages.success(request, _('Successfully updated %d settings.' % update_count))
-#         return redirect(reverse('passbook_ldap:admin_settings'))
-#     return render(request, 'ldap/settings.html', render_data)