upstream/kallithea Files · rhodecode/lib/auth_ldap.py

optimized summary page for disabled stats

marcink - - Load All Authors

File last commit:

r1690:6944b124 beta


                r1719:4a28aff3

beta

Download file

             auth_ldap.py
        
                    153 lines
            
             | 5.6 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / rhodecode / lib / auth_ldap.py
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
      # -*- coding: utf-8 -*-

      """

          rhodecode.controllers.changelog

          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          RhodeCode authentication library for LDAP

          :created_on: Created on Nov 17, 2010

          :author: marcink

          :copyright: (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>

          :license: GPLv3, see COPYING for more details.

      """

        marcink
    
fixed license  issue #149

              r1206
            
      # This program is free software: you can redistribute it and/or modify

      # it under the terms of the GNU General Public License as published by

      # the Free Software Foundation, either version 3 of the License, or

      # (at your option) any later version.

        marcink
    
source code cleanup: remove trailing white space, normalize file endings

              r1203
            
      #

        marcink
    
fixed #72 show warning on removal when user still is owner of existing repositories...

              r713
            
      # This program is distributed in the hope that it will be useful,

      # but WITHOUT ANY WARRANTY; without even the implied warranty of

      # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

      # GNU General Public License for more details.

        marcink
    
source code cleanup: remove trailing white space, normalize file endings

              r1203
            
      #

        marcink
    
fixed #72 show warning on removal when user still is owner of existing repositories...

              r713
            
      # You should have received a copy of the GNU General Public License

        marcink
    
fixed license  issue #149

              r1206
            
      # along with this program.  If not, see <http://www.gnu.org/licenses/>.

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
      import logging

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
      from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \

          LdapPasswordError

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
      log = logging.getLogger(__name__)

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
      try:

          import ldap

      except ImportError:

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
          # means that python-ldap is not installed

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
          pass

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
      class AuthLdap(object):

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
          def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
                       tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                       ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',

        marcink
    
fixed issues with not unique emails when using ldap or container auth.

              r1690
            
                       search_scope = 'SUBTREE', attr_login = 'uid'):

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              self.ldap_version = ldap_version

        "Lorenzo M. Catucci"
    
Enable start_tls connection encryption.

              r1290
            
              ldap_server_type = 'ldap'

              self.TLS_KIND = tls_kind

              if self.TLS_KIND == 'LDAPS':

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
                  port = port or 689

        "Lorenzo M. Catucci"
    
Enable start_tls connection encryption.

              r1290
            
                  ldap_server_type = ldap_server_type + 's'

        marcink
    
fix for issue #277,...

              r1579
            
              OPT_X_TLS_DEMAND = 2

              self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert, 

                                         OPT_X_TLS_DEMAND)

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              self.LDAP_SERVER_ADDRESS = server

              self.LDAP_SERVER_PORT = port

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
fixed issues with not unique emails when using ldap or container auth.

              r1690
            
              # USE FOR READ ONLY BIND TO LDAP SERVER

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              self.LDAP_BIND_DN = bind_dn

              self.LDAP_BIND_PASS = bind_pass

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,

        marcink
    
fix for issue #277,...

              r1579
            
                                                 self.LDAP_SERVER_ADDRESS,

                                                 self.LDAP_SERVER_PORT)

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              self.BASE_DN = base_dn

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
              self.LDAP_FILTER = ldap_filter

        marcink
    
fix for issue #277,...

              r1579
            
              self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
              self.attr_login = attr_login

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
          def authenticate_ldap(self, username, password):

              """Authenticate a user via LDAP and return his/her LDAP properties.

        marcink
    
source code cleanup: remove trailing white space, normalize file endings

              r1203
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              Raises AuthenticationError if the credentials are rejected, or

              EnvironmentError if the LDAP server can't be reached.

        marcink
    
source code cleanup: remove trailing white space, normalize file endings

              r1203
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              :param username: username

              :param password: password

              """

              from rhodecode.lib.helpers import chop_at

              uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)

        marcink
    
fixes #77 and adds extendable base Dn with custom uid specification

              r775
            
        Shawn K. O'Shea
    
Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.

              r1659
            
              if not password:

                  log.debug("Attempt to authenticate LDAP user with blank password rejected.")

                  raise LdapPasswordError()

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              if "," in username:

        marcink
    
fixed #72 show warning on removal when user still is owner of existing repositories...

              r713
            
                  raise LdapUsernameError("invalid character in username: ,")

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              try:

        marcink
    
fix for issue #277,...

              r1579
            
                  if hasattr(ldap,'OPT_X_TLS_CACERTDIR'):

                      ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, 

                                      '/etc/openldap/cacerts')

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                  ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)

                  ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)

                  ldap.set_option(ldap.OPT_TIMEOUT, 20)

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
                  ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                  ldap.set_option(ldap.OPT_TIMELIMIT, 15)

        "Lorenzo M. Catucci"
    
Enable start_tls connection encryption.

              r1290
            
                  if self.TLS_KIND != 'PLAIN':

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                      ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
                  server = ldap.initialize(self.LDAP_SERVER)

                  if self.ldap_version == 2:

                      server.protocol = ldap.VERSION2

                  else:

                      server.protocol = ldap.VERSION3

        marcink
    
added basic ldap auth lib

              r700
            
        "Lorenzo M. Catucci"
    
Enable start_tls connection encryption.

              r1290
            
                  if self.TLS_KIND == 'START_TLS':

                      server.start_tls_s()

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
                  if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:

        marcink
    
fixes a bug with two-pass ldap auth (thanks for TK Soh for that)

              r794
            
                      server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)

        marcink
    
added basic ldap auth lib

              r700
            
        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
                  filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,

                                           username)

        marcink
    
pep8

              r1170
            
                  log.debug("Authenticating %r filt %s at %s", self.BASE_DN,

                            filt, self.LDAP_SERVER)

                  lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,

                                                 filt)

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                  if not lobjects:

                      raise ldap.NO_SUCH_OBJECT()

        marcink
    
fixes #77 and adds extendable base Dn with custom uid specification

              r775
            
        "Lorenzo M. Catucci"
    
Fetch entry after successful bind for being able to read its attributes.

              r1287
            
                  for (dn, _attrs) in lobjects:

        marcink
    
AD fix when search could return empty dn

              r1444
            
                      if dn is None:

                          continue

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                      try:

                          server.simple_bind_s(dn, password)

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
                          attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,

                                                      '(objectClass=*)')[0][1]

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
                          break

                      except ldap.INVALID_CREDENTIALS, e:

        marcink
    
pep8

              r1170
            
                          log.debug("LDAP rejected password for user '%s' (%s): %s",

                                    uid, username, dn)

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
        marcink
    
applied patch from issue #138

              r1185
            
                  else:

                      log.debug("No matching LDAP objects for authentication "

                                "of '%s' (%s)", uid, username)

                      raise LdapPasswordError()

        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              except ldap.NO_SUCH_OBJECT, e:

                  log.debug("LDAP says no such user '%s' (%s)", uid, username)

        marcink
    
fixed #72 show warning on removal when user still is owner of existing repositories...

              r713
            
                  raise LdapUsernameError()

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
              except ldap.SERVER_DOWN, e:

        marcink
    
added some fixes to LDAP form re-submition, new simples ldap-settings getter....

              r1292
            
                  raise LdapConnectionError("LDAP can't access "

                                            "authentication server")

        marcink
    
implements #60, ldap configuration and authentication....

              r705
            
        Thayne Harbaugh
    
Improve LDAP authentication...

              r991
            
              return (dn, attrs)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	# -- coding: utf-8 --
		"""
		rhodecode.controllers.changelog
		~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

		RhodeCode authentication library for LDAP

		:created_on: Created on Nov 17, 2010
		:author: marcink
		:copyright: (C) 2009-2011 Marcin Kuzminski <marcin@python-works.com>
		:license: GPLv3, see COPYING for more details.
		"""
marcink fixed license issue #149	r1206	# This program is free software: you can redistribute it and/or modify
		# it under the terms of the GNU General Public License as published by
		# the Free Software Foundation, either version 3 of the License, or
		# (at your option) any later version.
marcink source code cleanup: remove trailing white space, normalize file endings	r1203	#
marcink fixed #72 show warning on removal when user still is owner of existing repositories...	r713	# This program is distributed in the hope that it will be useful,
		# but WITHOUT ANY WARRANTY; without even the implied warranty of
		# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		# GNU General Public License for more details.
marcink source code cleanup: remove trailing white space, normalize file endings	r1203	#
marcink fixed #72 show warning on removal when user still is owner of existing repositories...	r713	# You should have received a copy of the GNU General Public License
marcink fixed license issue #149	r1206	# along with this program. If not, see <http://www.gnu.org/licenses/>.
marcink added basic ldap auth lib	r700
marcink implements #60, ldap configuration and authentication....	r705	import logging

marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	from rhodecode.lib.exceptions import LdapConnectionError, LdapUsernameError, \
		LdapPasswordError

marcink implements #60, ldap configuration and authentication....	r705	log = logging.getLogger(__name__)
marcink added basic ldap auth lib	r700
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292
marcink implements #60, ldap configuration and authentication....	r705	try:
		import ldap
		except ImportError:
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	# means that python-ldap is not installed
marcink implements #60, ldap configuration and authentication....	r705	pass
marcink added basic ldap auth lib	r700
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292
marcink implements #60, ldap configuration and authentication....	r705	class AuthLdap(object):
marcink added basic ldap auth lib	r700
marcink implements #60, ldap configuration and authentication....	r705	def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
Thayne Harbaugh Improve LDAP authentication...	r991	ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
marcink fixed issues with not unique emails when using ldap or container auth.	r1690	search_scope = 'SUBTREE', attr_login = 'uid'):
marcink implements #60, ldap configuration and authentication....	r705	self.ldap_version = ldap_version
"Lorenzo M. Catucci" Enable start_tls connection encryption.	r1290	ldap_server_type = 'ldap'

		self.TLS_KIND = tls_kind

		if self.TLS_KIND == 'LDAPS':
marcink implements #60, ldap configuration and authentication....	r705	port = port or 689
"Lorenzo M. Catucci" Enable start_tls connection encryption.	r1290	ldap_server_type = ldap_server_type + 's'
marcink fix for issue #277,...	r1579
		OPT_X_TLS_DEMAND = 2
		self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
		OPT_X_TLS_DEMAND)
marcink implements #60, ldap configuration and authentication....	r705	self.LDAP_SERVER_ADDRESS = server
		self.LDAP_SERVER_PORT = port
marcink added basic ldap auth lib	r700
marcink fixed issues with not unique emails when using ldap or container auth.	r1690	# USE FOR READ ONLY BIND TO LDAP SERVER
marcink implements #60, ldap configuration and authentication....	r705	self.LDAP_BIND_DN = bind_dn
		self.LDAP_BIND_PASS = bind_pass
marcink added basic ldap auth lib	r700
marcink implements #60, ldap configuration and authentication....	r705	self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
marcink fix for issue #277,...	r1579	self.LDAP_SERVER_ADDRESS,
		self.LDAP_SERVER_PORT)
marcink implements #60, ldap configuration and authentication....	r705
		self.BASE_DN = base_dn
Thayne Harbaugh Improve LDAP authentication...	r991	self.LDAP_FILTER = ldap_filter
marcink fix for issue #277,...	r1579	self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
Thayne Harbaugh Improve LDAP authentication...	r991	self.attr_login = attr_login

marcink implements #60, ldap configuration and authentication....	r705	def authenticate_ldap(self, username, password):
		"""Authenticate a user via LDAP and return his/her LDAP properties.
marcink source code cleanup: remove trailing white space, normalize file endings	r1203
marcink implements #60, ldap configuration and authentication....	r705	Raises AuthenticationError if the credentials are rejected, or
		EnvironmentError if the LDAP server can't be reached.
marcink source code cleanup: remove trailing white space, normalize file endings	r1203
marcink implements #60, ldap configuration and authentication....	r705	:param username: username
		:param password: password
		"""

		from rhodecode.lib.helpers import chop_at

		uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
marcink fixes #77 and adds extendable base Dn with custom uid specification	r775
Shawn K. O'Shea Reject LDAP authentication requests with blank password. Per RFC4513 these should be treated as anonymous binds. See the Security Considerations (Section 6.3.1) for more details on this issue.	r1659	if not password:
		log.debug("Attempt to authenticate LDAP user with blank password rejected.")
		raise LdapPasswordError()
marcink implements #60, ldap configuration and authentication....	r705	if "," in username:
marcink fixed #72 show warning on removal when user still is owner of existing repositories...	r713	raise LdapUsernameError("invalid character in username: ,")
marcink implements #60, ldap configuration and authentication....	r705	try:
marcink fix for issue #277,...	r1579	if hasattr(ldap,'OPT_X_TLS_CACERTDIR'):
		ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,
		'/etc/openldap/cacerts')
Thayne Harbaugh Improve LDAP authentication...	r991	ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
		ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
		ldap.set_option(ldap.OPT_TIMEOUT, 20)
marcink implements #60, ldap configuration and authentication....	r705	ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
Thayne Harbaugh Improve LDAP authentication...	r991	ldap.set_option(ldap.OPT_TIMELIMIT, 15)
"Lorenzo M. Catucci" Enable start_tls connection encryption.	r1290	if self.TLS_KIND != 'PLAIN':
Thayne Harbaugh Improve LDAP authentication...	r991	ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
marcink implements #60, ldap configuration and authentication....	r705	server = ldap.initialize(self.LDAP_SERVER)
		if self.ldap_version == 2:
		server.protocol = ldap.VERSION2
		else:
		server.protocol = ldap.VERSION3
marcink added basic ldap auth lib	r700
"Lorenzo M. Catucci" Enable start_tls connection encryption.	r1290	if self.TLS_KIND == 'START_TLS':
		server.start_tls_s()

marcink implements #60, ldap configuration and authentication....	r705	if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
marcink fixes a bug with two-pass ldap auth (thanks for TK Soh for that)	r794	server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
marcink added basic ldap auth lib	r700
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
		username)
marcink pep8	r1170	log.debug("Authenticating %r filt %s at %s", self.BASE_DN,
		filt, self.LDAP_SERVER)
		lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
		filt)
Thayne Harbaugh Improve LDAP authentication...	r991
		if not lobjects:
		raise ldap.NO_SUCH_OBJECT()
marcink fixes #77 and adds extendable base Dn with custom uid specification	r775
"Lorenzo M. Catucci" Fetch entry after successful bind for being able to read its attributes.	r1287	for (dn, _attrs) in lobjects:
marcink AD fix when search could return empty dn	r1444	if dn is None:
		continue

Thayne Harbaugh Improve LDAP authentication...	r991	try:
		server.simple_bind_s(dn, password)
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,
		'(objectClass=*)')[0][1]
Thayne Harbaugh Improve LDAP authentication...	r991	break

		except ldap.INVALID_CREDENTIALS, e:
marcink pep8	r1170	log.debug("LDAP rejected password for user '%s' (%s): %s",
		uid, username, dn)
Thayne Harbaugh Improve LDAP authentication...	r991
marcink applied patch from issue #138	r1185	else:
		log.debug("No matching LDAP objects for authentication "
		"of '%s' (%s)", uid, username)
		raise LdapPasswordError()
Thayne Harbaugh Improve LDAP authentication...	r991
marcink implements #60, ldap configuration and authentication....	r705	except ldap.NO_SUCH_OBJECT, e:
		log.debug("LDAP says no such user '%s' (%s)", uid, username)
marcink fixed #72 show warning on removal when user still is owner of existing repositories...	r713	raise LdapUsernameError()
marcink implements #60, ldap configuration and authentication....	r705	except ldap.SERVER_DOWN, e:
marcink added some fixes to LDAP form re-submition, new simples ldap-settings getter....	r1292	raise LdapConnectionError("LDAP can't access "
		"authentication server")
marcink implements #60, ldap configuration and authentication....	r705
Thayne Harbaugh Improve LDAP authentication...	r991	return (dn, attrs)