u/pc/rhodecode-enterprise-ce-fork-pc Commit - r2736:f1074c0b

ldap: use connection ping only in case of single server specifed.

marcink -

r2736:f1074c0b stable

parent child

rhodecode/authentication/base.py

0 +62 -5

@@ -21,7 +21,8 b''
21	"""	21	"""
22	Authentication modules	22	Authentication modules
23	"""	23	"""
24		24	import socket
		25	import string
25	import colander	26	import colander
26	import copy	27	import copy
27	import logging	28	import logging
@@ -31,14 +32,13 b' import warnings'
31	import functools	32	import functools
32		33
33	from pyramid.threadlocal import get_current_registry	34	from pyramid.threadlocal import get_current_registry
34	from zope.cachedescriptors.property import Lazy as LazyProperty
35		35
36	from rhodecode.authentication.interface import IAuthnPluginRegistry	36	from rhodecode.authentication.interface import IAuthnPluginRegistry
37	from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase	37	from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
38	from rhodecode.lib import caches	38	from rhodecode.lib import caches
39	from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt	39	from rhodecode.lib.auth import PasswordGenerator, _RhodeCodeCryptoBCrypt
40	from rhodecode.lib.utils2 import safe_int	40	from rhodecode.lib.utils2 import safe_int, safe_str
41	from rhodecode.lib.~~utils2~~ import ~~safe_st~~r	41	from rhodecode.lib.exceptions import LdapConnectionError
42	from rhodecode.model.db import User	42	from rhodecode.model.db import User
43	from rhodecode.model.meta import Session	43	from rhodecode.model.meta import Session
44	from rhodecode.model.settings import SettingsModel	44	from rhodecode.model.settings import SettingsModel
@@ -556,6 +556,63 b' class RhodeCodeExternalAuthPlugin(RhodeC'
556	return auth	556	return auth
557		557
558		558
		559	class AuthLdapBase(object):
		560
		561	@classmethod
		562	def _build_servers(cls, ldap_server_type, ldap_server, port):
		563	def host_resolver(host, port, full_resolve=True):
		564	"""
		565	Main work for this function is to prevent ldap connection issues,
		566	and detect them early using a "greenified" sockets
		567	"""
		568	host = host.strip()
		569	if not full_resolve:
		570	return '{}:{}'.format(host, port)
		571
		572	log.debug('LDAP: Resolving IP for LDAP host %s', host)
		573	try:
		574	ip = socket.gethostbyname(host)
		575	log.debug('Got LDAP server %s ip %s', host, ip)
		576	except Exception:
		577	raise LdapConnectionError(
		578	'Failed to resolve host: `{}`'.format(host))
		579
		580	log.debug('LDAP: Checking if IP %s is accessible', ip)
		581	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		582	try:
		583	s.connect((ip, int(port)))
		584	s.shutdown(socket.SHUT_RD)
		585	except Exception:
		586	raise LdapConnectionError(
		587	'Failed to connect to host: `{}:{}`'.format(host, port))
		588
		589	return '{}:{}'.format(host, port)
		590
		591	if len(ldap_server) == 1:
		592	# in case of single server use resolver to detect potential
		593	# connection issues
		594	full_resolve = True
		595	else:
		596	full_resolve = False
		597
		598	return ', '.join(
		599	["{}://{}".format(
		600	ldap_server_type,
		601	host_resolver(host, port, full_resolve=full_resolve))
		602	for host in ldap_server])
		603
		604	@classmethod
		605	def _get_server_list(cls, servers):
		606	return map(string.strip, servers.split(','))
		607
		608	@classmethod
		609	def get_uid(cls, username, server_addresses):
		610	uid = username
		611	for server_addr in server_addresses:
		612	uid = chop_at(username, "@%s" % server_addr)
		613	return uid
		614
		615
559	def loadplugin(plugin_id):	616	def loadplugin(plugin_id):
560	"""	617	"""
561	Loads and returns an instantiated authentication plugin.	618	Loads and returns an instantiated authentication plugin.
@@ -613,7 +670,7 b' def authenticate(username, password, env'
613	authn_registry = get_authn_registry(registry)	670	authn_registry = get_authn_registry(registry)
614	plugins_to_check = authn_registry.get_plugins_for_authentication()	671	plugins_to_check = authn_registry.get_plugins_for_authentication()
615	log.debug('Starting ordered authentication chain using %s plugins',	672	log.debug('Starting ordered authentication chain using %s plugins',
616	plugins_to_check)	673	[x.name for x in plugins_to_check])
617	for plugin in plugins_to_check:	674	for plugin in plugins_to_check:
618	plugin.set_auth_type(auth_type)	675	plugin.set_auth_type(auth_type)
619	plugin.set_calling_scope_repo(acl_repo_name)	676	plugin.set_calling_scope_repo(acl_repo_name)

rhodecode/authentication/plugins/__init__.py

0 +19 0

@@ -0,0 +1,19 b''
	1	# -- coding: utf-8 --
	2
	3	# Copyright (C) 2012-2018 RhodeCode GmbH
	4	#
	5	# This program is free software: you can redistribute it and/or modify
	6	# it under the terms of the GNU Affero General Public License, version 3
	7	# (only), as published by the Free Software Foundation.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU Affero General Public License
	15	# along with this program. If not, see <http://www.gnu.org/licenses/>.
	16	#
	17	# This program is dual-licensed. If you wish to learn more about the
	18	# RhodeCode Enterprise Edition, including its added features, Support services,
	19	# and proprietary license terms, please see https://rhodecode.com/licenses/

rhodecode/authentication/plugins/auth_ldap.py

0 +15 -52

             RhodeCode authentication plugin for LDAP
             """
-            import socket
-            import re
-            import colander
             import logging
             import traceback
-            import string
+            import colander
             from rhodecode.translation import _
             from rhodecode.authentication.base import (
-                RhodeCodeExternalAuthPlugin, chop_at, hybrid_property)
+                RhodeCodeExternalAuthPlugin, AuthLdapBase, hybrid_property)
             from rhodecode.authentication.schema import AuthnPluginSettingsSchemaBase
             from rhodecode.authentication.routes import AuthnPluginResourceBase
             from rhodecode.lib.colander_utils import strip_whitespace
                     widget='string')
-            class AuthLdap(object):
+            class AuthLdap(AuthLdapBase):
-                def _build_servers(self):
-                    def host_resolver(host, port):
-                        """
-                        Main work for this function is to prevent ldap connection issues,
-                        and detect them early using a "greenified" sockets
-                        """
-                        host = host.strip()
-                        log.info('Resolving LDAP host %s', host)
-                        try:
-                            ip = socket.gethostbyname(host)
-                            log.info('Got LDAP server %s ip %s', host, ip)
-                        except Exception:
-                            raise LdapConnectionError(
-                                'Failed to resolve host: `{}`'.format(host))
-                        log.info('Checking LDAP IP access %s', ip)
-                        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-                        try:
-                            s.connect((ip, int(port)))
-                            s.shutdown(socket.SHUT_RD)
-                        except Exception:
-                            raise LdapConnectionError(
-                                'Failed to connect to host: `{}:{}`'.format(host, port))
-                        return '{}:{}'.format(host, port)
-                    port = self.LDAP_SERVER_PORT
-                    return ', '.join(
-                        ["{}://{}".format(
-                            self.ldap_server_type, host_resolver(host, port))
-                         for host in self.SERVER_ADDRESSES])
                 def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                              tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                     OPT_X_TLS_DEMAND = 2
                     self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
                                                OPT_X_TLS_DEMAND)
+                    self.LDAP_SERVER = server
                     # split server into list
-                    self.SERVER_ADDRESSES = server.split(',')
+                    self.SERVER_ADDRESSES = self._get_server_list(server)
                     self.LDAP_SERVER_PORT = port
                     # USE FOR READ ONLY BIND TO LDAP SERVER
                     self.LDAP_BIND_DN = safe_str(bind_dn)
                     self.LDAP_BIND_PASS = safe_str(bind_pass)
-                    self.LDAP_SERVER = self._build_servers()
                     self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
                     self.BASE_DN = safe_str(base_dn)
                     self.LDAP_FILTER = safe_str(ldap_filter)
                 def _get_ldap_conn(self):
-                    log.debug('initializing LDAP connection to:%s', self.LDAP_SERVER)
                     if self.debug:
                         ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
                     ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
                     # init connection now
-                    ldap_conn = ldap.initialize(self.LDAP_SERVER)
+                    ldap_servers = self._build_servers(
+                        self.ldap_server_type,  self.SERVER_ADDRESSES, self.LDAP_SERVER_PORT)
+                    log.debug('initializing LDAP connection to:%s', ldap_servers)
+                    ldap_conn = ldap.initialize(ldap_servers)
                     ldap_conn.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
                     ldap_conn.set_option(ldap.OPT_TIMEOUT, self.timeout)
                     ldap_conn.timeout = self.timeout
                     return ldap_conn
-                def get_uid(self, username):
-                    uid = username
-                    for server_addr in self.SERVER_ADDRESSES:
-                        uid = chop_at(username, "@%s" % server_addr)
-                    return uid
                 def fetch_attrs_from_simple_bind(self, server, dn, username, password):
                     try:
                         log.debug('Trying simple bind with %s', dn)
                     :param password: password
                     """
-                    uid = self.get_uid(username)
+                    uid = self.get_uid(username, self.SERVER_ADDRESSES)
+                    user_attrs = {}
+                    dn = ''
                     if not password:
                         msg = "Authenticating user %s with blank password not allowed"
                         ldap_conn = self._get_ldap_conn()
                         filter_ = '(&%s(%s=%s))' % (
                             self.LDAP_FILTER, self.attr_login, username)
-                        log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
+                        log.debug(
-                                  filter_, self.LDAP_SERVER)
+                            "Authenticating %r filter %s", self.BASE_DN, filter_)
                         lobjects = ldap_conn.search_ext_s(
                             self.BASE_DN, self.SEARCH_SCOPE, filter_)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages