Projet

Général

Profil

0001-Manage-LDAP-extra-attributes-19365.patch

Paul Marillonnet, 31 mars 2020 10:19

Télécharger (10,7 ko)

Voir les différences: 

Subject: [PATCH] Manage LDAP extra attributes (#19365)

This extra attributes are retreived by making other LDAP queries
with parameters composed by looping on an user object's attribute
values. A mapping will be apply on corresponding objects's attributes
and resulting informations are compiled in a list and serialize in
JSON (configurable, but JSON is the only format available for now)

 src/authentic2/backends/ldap_backend.py | 71 +++++++++++++++++++++
 tests/test_ldap.py                      | 83 ++++++++++++++++++++++++-
 2 files changed, 153 insertions(+), 1 deletion(-)
src/authentic2/backends/ldap_backend.py
33 33 
import random
34 34 
import base64
35 35 
import os
36 
import json
36 37 

  		




  37
  38
  
    
# code originaly copied from by now merely inspired by

  		




  38
  39
  
    
# http://www.amherst.k12.oh.us/django-ldap.html

  		




  ......




  449
  450
  
    
        'mandatory_attributes_values': {},

  		




  450
  451
  
    
        # mapping from LDAP attributes name to other names

  		




  451
  452
  
    
        'attribute_mappings': [],

  		




  
  453
  
    
        # extra attributes retrieve by making other LDAP search using user object informations

  		




  
  454
  
    
        'extra_attributes': {},

  		




  452
  455
  
    
        # realm for selecting an ldap configuration or formatting usernames

  		




  453
  456
  
    
        'realm': 'ldap',

  		




  454
  457
  
    
        # template for building username

  		




  ......




  957
  960
  
    
            from_ldap = mapping.get('from_ldap')

  		




  958
  961
  
    
            if from_ldap:

  		




  959
  962
  
    
                attributes.add(from_ldap)

  		




  
  963
  
    
        for extra_at in block.get('extra_attributes', {}):

  		




  
  964
  
    
            if 'loop_over_attribute' in block['extra_attributes'][extra_at]:

  		




  
  965
  
    
                attributes.add(block['extra_attributes'][extra_at]['loop_over_attribute'])

  		




  
  966
  
    
            at_mapping = block['extra_attributes'][extra_at].get('mapping', {})

  		




  
  967
  
    
            for key in at_mapping:

  		




  
  968
  
    
                if at_mapping[key] != 'dn':

  		




  
  969
  
    
                    attributes.add(at_mapping[key])

  		




  960
  970
  
    
        return list(set(attribute.lower() for attribute in attributes))

  		




  961
  971
  
    

  		




  962
  972
  
    
    @classmethod

  		




  ......




  988
  998
  
    
            new = set(old) | set(attribute_map[from_attribute])

  		




  989
  999
  
    
            attribute_map[to_attribute] = list(new)

  		




  990
  1000
  
    
        attribute_map['dn'] = force_text(dn)

  		




  
  1001
  
    

  		




  
  1002
  
    
        # extra attributes

  		




  
  1003
  
    
        attribute_map = cls.get_ldap_extra_attributes(block, conn, dn, attribute_map)

  		




  
  1004
  
    

  		




  
  1005
  
    
        return attribute_map

  		




  
  1006
  
    

  		




  
  1007
  
    
    @classmethod

  		




  
  1008
  
    
    def get_ldap_extra_attributes(cls, block, conn, dn, attribute_map):

  		




  
  1009
  
    
        '''Retrieve extra attributes from LDAP'''

  		




  
  1010
  
    

  		




  
  1011
  
    
        ldap_scopes = {

  		




  
  1012
  
    
            'base': ldap.SCOPE_BASE,

  		




  
  1013
  
    
            'one': ldap.SCOPE_ONELEVEL,

  		




  
  1014
  
    
            'sub': ldap.SCOPE_SUBTREE,

  		




  
  1015
  
    
        }

  		




  
  1016
  
    
        log.debug(u'Attrs before extra attributes : %s' % attribute_map)

  		




  
  1017
  
    
        for extra_attribute_name in block.get('extra_attributes', {}):

  		




  
  1018
  
    
            extra_attribute_config = block['extra_attributes'][extra_attribute_name]

  		




  
  1019
  
    
            extra_attribute_values = []

  		




  
  1020
  
    
            if 'loop_over_attribute' in extra_attribute_config:

  		




  
  1021
  
    
                extra_attribute_config['loop_over_attribute'] = extra_attribute_config['loop_over_attribute'].lower()

  		




  
  1022
  
    
                if extra_attribute_config['loop_over_attribute'] not in attribute_map:

  		




  
  1023
  
    
                    log.debug('loop_over_attribute %s not present (or empty) in user object attributes retreived. Pass.' % extra_attribute_config['loop_over_attribute'])

  		




  
  1024
  
    
                    continue

  		




  
  1025
  
    
                if 'filter' not in extra_attribute_config and 'basedn' not in extra_attribute_config:

  		




  
  1026
  
    
                    log.warning('Extra attribute %s not correctly configured : you need to defined at least one of filter or basedn parameters' % extra_attribute_name)

  		




  
  1027
  
    
                for item in attribute_map[extra_attribute_config['loop_over_attribute']]:

  		




  
  1028
  
    
                    ldap_filter = force_text(extra_attribute_config.get('filter', 'objectClass=*')).format(item=item, **attribute_map)

  		




  
  1029
  
    
                    ldap_basedn = force_text(extra_attribute_config.get('basedn', block.get('basedn'))).format(item=item, **attribute_map)

  		




  
  1030
  
    
                    ldap_scope = ldap_scopes.get(extra_attribute_config.get('scope', 'sub'), ldap.SCOPE_SUBTREE)

  		




  
  1031
  
    
                    ldap_attributes_mapping = extra_attribute_config.get('mapping', {})

  		




  
  1032
  
    
                    ldap_attributes_names = filter(lambda a: a != 'dn', ldap_attributes_mapping.values())

  		




  
  1033
  
    
                    try:

  		




  
  1034
  
    
                        results = conn.search_s(ldap_basedn, ldap_scope, ldap_filter, list(ldap_attributes_names))

  		




  
  1035
  
    
                    except ldap.LDAPError:

  		




  
  1036
  
    
                        log.exception('unable to retrieve extra attribute %s for item %s' % (extra_attribute_name, item))

  		




  
  1037
  
    
                        continue

  		




  
  1038
  
    
                    item_value = {}

  		




  
  1039
  
    
                    for obj in results:

  		




  
  1040
  
    
                        log.debug(u'Object retrieved for extra attr %s with item %s : %s' % (extra_attribute_name, item, obj))

  		




  
  1041
  
    
                        obj_attributes = cls.normalize_ldap_results(obj[1])

  		




  
  1042
  
    
                        obj_attributes[dn] = obj[0]

  		




  
  1043
  
    
                        log.debug(u'Object attributes normalized for extra attr %s with item %s : %s' % (extra_attribute_name, item, obj_attributes))

  		




  
  1044
  
    
                        for key in ldap_attributes_mapping:

  		




  
  1045
  
    
                            item_value[key] = obj_attributes.get(ldap_attributes_mapping[key].lower())

  		




  
  1046
  
    
                            log.debug(u'Object attribute %s value retrieved for extra attr %s with item %s : %s' % (ldap_attributes_mapping[key], extra_attribute_name, item, item_value[key]))

  		




  
  1047
  
    
                            if not item_value[key]:

  		




  
  1048
  
    
                                del item_value[key]

  		




  
  1049
  
    
                            elif len(item_value[key]) == 1:

  		




  
  1050
  
    
                                item_value[key] = item_value[key][0]

  		




  
  1051
  
    
                    extra_attribute_values.append(item_value)

  		




  
  1052
  
    
            else:

  		




  
  1053
  
    
                log.warning('loop_over_attribute not defined for extra attribute %s' % extra_attribute_name)

  		




  
  1054
  
    
            extra_attribute_serialization = extra_attribute_config.get('serialization', None)

  		




  
  1055
  
    
            if extra_attribute_serialization is None:

  		




  
  1056
  
    
                attribute_map[extra_attribute_name] = extra_attribute_values

  		




  
  1057
  
    
            elif extra_attribute_serialization == 'json':

  		




  
  1058
  
    
                attribute_map[extra_attribute_name] = json.dumps(extra_attribute_values)

  		




  
  1059
  
    
            else:

  		




  
  1060
  
    
                log.warning('Invalid serialization type "%s" for extra attribute %s' % (extra_attribute_serialization, extra_attribute_name))

  		




  991
  1061
  
    
        return attribute_map

  		




  992
  1062
  
    

  		




  993
  1063
  
    
    @classmethod

  		




  ......




  1137
  1207
  
    
        for block in cls.get_config():

  		




  1138
  1208
  
    
            names.update(cls.get_ldap_attributes_names(block))

  		




  1139
  1209
  
    
            names.update(map_text(block['mandatory_attributes_values']).keys())

  		




  
  1210
  
    
            names.update(map_text(block.get('extra_attributes', {})).keys())

  		




  1140
  1211
  
    
        return [(a, '%s (LDAP)' % a) for a in sorted(names)]

  		




  1141
  1212
  
    

  		




  1142
  1213
  
    
    @classmethod

  		












  

    
      tests/test_ldap.py
    
  





  41
  41
  
    
from authentic2 import crypto, models

  		




  42
  42
  
    

  		




  43
  43
  
    
import utils

  		




  
  44
  
    
import json

  		




  44
  45
  
    

  		




  45
  46
  
    
User = get_user_model()

  		




  46
  47
  
    

  		




  ......




  53
  54
  
    
PASS = 'passé'

  		




  54
  55
  
    
UPASS = u'passé'

  		




  55
  56
  
    
EMAIL = 'etienne.michu@example.net'

  		




  
  57
  
    
CARLICENSE = '123445ABC'

  		




  
  58
  
    

  		




  
  59
  
    
EO_O = "EO"

  		




  
  60
  
    
EO_STREET = "169 rue du Chateau"

  		




  
  61
  
    
EO_POSTALCODE = "75014"

  		




  
  62
  
    
EO_CITY = "PARIS"

  		




  
  63
  
    

  		




  
  64
  
    
EE_O = "EE"

  		




  
  65
  
    
EE_STREET = "44 rue de l'Ouest"

  		




  
  66
  
    
EE_POSTALCODE = "75014"

  		




  
  67
  
    
EE_CITY = "PARIS"

  		




  56
  68
  
    

  		




  57
  69
  
    
base_dir = os.path.dirname(__file__)

  		




  58
  70
  
    
key_file = os.path.join(base_dir, 'key.pem')

  		




  ......




  89
  101
  
    
l: Paris

  		




  90
  102
  
    
mail: etienne.michu@example.net

  		




  91
  103
  
    
jpegPhoto:: ACOE

  		




  
  104
  
    
carLicense: {cl}

  		




  
  105
  
    
o: EO

  		




  
  106
  
    
o: EE

  		




  92
  107
  
    

  		




  93
  108
  
    
dn: cn=group1,o=ôrga

  		




  94
  109
  
    
objectClass: groupOfNames

  		




  95
  110
  
    
member: {dn}

  		




  96
  111
  
    

  		




  97
  
  
    
'''.format(dn=DN, uid=UID, password=PASS))

  		




  
  112
  
    
dn: o={eo_o},o=orga

  		




  
  113
  
    
objectClass: organization

  		




  
  114
  
    
o: {eo_o}

  		




  
  115
  
    
postalAddress: {eo_street}

  		




  
  116
  
    
postalCode: {eo_postalcode}

  		




  
  117
  
    
l: {eo_city}

  		




  
  118
  
    

  		




  
  119
  
    
dn: o={ee_o},o=orga

  		




  
  120
  
    
objectClass: organization

  		




  
  121
  
    
o: {ee_o}

  		




  
  122
  
    
postalAddress: {ee_street}

  		




  
  123
  
    
postalCode: {ee_postalcode}

  		




  
  124
  
    
l: {ee_city}

  		




  
  125
  
    

  		




  
  126
  
    
'''.format(dn=DN, uid=UID, password=PASS, cl=CARLICENSE,

  		




  
  127
  
    
           eo_o=EO_O, eo_street=EO_STREET, eo_postalcode=EO_POSTALCODE, eo_city=EO_CITY,

  		




  
  128
  
    
           ee_o=EE_O, ee_street=EE_STREET, ee_postalcode=EE_POSTALCODE, ee_city=EE_CITY

  		




  
  129
  
    
          )

  		




  
  130
  
    
    )

  		




  98
  131
  
    
    for i in range(5):

  		




  99
  132
  
    
        slapd.add_ldif('''dn: uid=mïchu{i},o=ôrga

  		




  100
  133
  
    
objectClass: inetOrgPerson

  		




  ......




  383
  416
  
    
    assert not response.context['user'].is_superuser

  		




  384
  417
  
    

  		




  385
  418
  
    

  		




  
  419
  
    
def test_get_mapped_attributes(slapd, settings, db, client):

  		




  
  420
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  
  421
  
    
        'url': [slapd.ldap_url],

  		




  
  422
  
    
        'basedn': 'o=ôrga',

  		




  
  423
  
    
        'use_tls': False,

  		




  
  424
  
    
        'groupstaff': ['cn=group1,o=orga'],

  		




  
  425
  
    
        'attributes': ['uid', 'carLicense'],

  		




  
  426
  
    
    }]

  		




  
  427
  
    
    user = authenticate(username='etienne.michu', password=UPASS)

  		




  
  428
  
    
    fetched_attrs = user.get_attributes(object(), {})

  		




  
  429
  
    
    assert UID in fetched_attrs.get('uid')

  		




  
  430
  
    
    assert CARLICENSE in fetched_attrs.get('carlicense')

  		




  
  431
  
    

  		




  
  432
  
    

  		




  
  433
  
    
def test_get_extra_mapped_attributes(slapd, settings, db, client):

  		




  
  434
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  
  435
  
    
        'url': [slapd.ldap_url],

  		




  
  436
  
    
        'basedn': 'o=ôrga',

  		




  
  437
  
    
        'use_tls': False,

  		




  
  438
  
    
        'groupstaff': ['cn=group1,o=orga'],

  		




  
  439
  
    
        'attributes': ['uid'],

  		




  
  440
  
    
        'extra_attributes': {

  		




  
  441
  
    
            'orga': {

  		




  
  442
  
    
                'loop_over_attribute': 'o',

  		




  
  443
  
    
                'filter': '(&(objectclass=organization)(o={item}))',

  		




  
  444
  
    
                'basedn': 'o=orga',

  		




  
  445
  
    
                'scope': 'sub',

  		




  
  446
  
    
                'mapping': {

  		




  
  447
  
    
                    'id': 'o',

  		




  
  448
  
    
                    'street': 'postalAddress',

  		




  
  449
  
    
                    'city': 'l',

  		




  
  450
  
    
                    'postal_code': 'postalCode',

  		




  
  451
  
    
                },

  		




  
  452
  
    
                'serialization': 'json'

  		




  
  453
  
    
            }

  		




  
  454
  
    
        },

  		




  
  455
  
    
    }]

  		




  
  456
  
    
    user = authenticate(username='etienne.michu', password=UPASS)

  		




  
  457
  
    
    fetched_attrs = user.get_attributes(object(), {})

  		




  
  458
  
    
    assert UID in fetched_attrs.get('uid')

  		




  
  459
  
    
    assert 'orga' in fetched_attrs

  		




  
  460
  
    
    orgas = json.loads(fetched_attrs.get('orga'))

  		




  
  461
  
    
    assert isinstance(orgas, list)

  		




  
  462
  
    
    assert len(orgas) == 2

  		




  
  463
  
    
    assert {'id': EO_O, 'street': EO_STREET, 'city': EO_CITY, 'postal_code': EO_POSTALCODE} in orgas

  		




  
  464
  
    
    assert {'id': EE_O, 'street': EE_STREET, 'city': EE_CITY, 'postal_code': EE_POSTALCODE} in orgas

  		




  
  465
  
    

  		




  
  466
  
    

  		




  386
  467
  
    
def test_get_users(slapd, settings, db, monkeypatch):

  		




  387
  468
  
    
    import django.db.models.base

  		




  388
  469
  
    
    from types import MethodType

  		




  389
  
  
    
-