upstream/kallithea Commit - r705:9e9f1b91

implements , ldap configuration and authentication....

marcink -

r705:9e9f1b91 beta

parent child

rhodecode/config/routing.py

0 +2 0

                  #ADMIN PERMISSIONS REST ROUTES
                  map.resource('permission', 'permissions', controller='admin/permissions', path_prefix='/_admin')
+                 map.connect('permissions_ldap', '/_admin/permissions_ldap', controller='admin/permissions', action='ldap')
                  #ADMIN SETTINGS REST ROUTES
                  with map.submapper(path_prefix='/_admin', controller='admin/settings') as m:

rhodecode/controllers/admin/permissions.py

0 +55 -3

              from pylons.i18n.translation import _
              from rhodecode.lib import helpers as h
              from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator
+             from rhodecode.lib.auth_ldap import LdapImportError
              from rhodecode.lib.base import BaseController, render
-             from rhodecode.model.forms import UserForm, DefaultPermissionsForm
+             from rhodecode.model.forms import LdapSettingsForm, DefaultPermissionsForm
              from rhodecode.model.permission import PermissionModel
+             from rhodecode.model.settings import SettingsModel
              from rhodecode.model.user import UserModel
              import formencode
              import logging
                          form_result = _form.to_python(dict(request.POST))
                          form_result.update({'perm_user_name':id})
                          permission_model.update(form_result)
-                         h.flash(_('Default permissions updated succesfully'),
+                         h.flash(_('Default permissions updated successfully'),
                                  category='success')
                      except formencode.Invalid, errors:
                          c.perms_choices = self.perms_choices
                          c.register_choices = self.register_choices
                          c.create_choices = self.create_choices
+                         defaults = errors.value
+                         defaults.update(SettingsModel().get_ldap_settings())
                          return htmlfill.render(
                              render('admin/permissions/permissions.html'),
-                             defaults=errors.value,
+                             defaults=defaults,
                              errors=errors.error_dict or {},
                              prefix_error=False,
                              encoding="UTF-8")
                          default_user = UserModel().get_by_username('default')
                          defaults = {'_method':'put',
                                      'anonymous':default_user.active}
+                         defaults.update(SettingsModel().get_ldap_settings())
                          for p in default_user.user_perms:
                              if p.permission.permission_name.startswith('repository.'):
                                  defaults['default_perm'] = p.permission.permission_name
                                      force_defaults=True,)
                      else:
                          return redirect(url('admin_home'))
+                 def ldap(self, id_user='default'):
+                     """
+                     POST ldap create and store ldap settings
+                     """
+                     settings_model = SettingsModel()
+                     _form = LdapSettingsForm()()
+                     try:
+                         form_result = _form.to_python(dict(request.POST))
+                         try:
+                             for k, v in form_result.items():
+                                 if k.startswith('ldap_'):
+                                     setting = settings_model.get(k)
+                                     setting.app_settings_value = v
+                                     self.sa.add(setting)
+                             self.sa.commit()
+                             h.flash(_('Ldap settings updated successfully'),
+                                 category='success')
+                         except:
+                             raise
+                     except LdapImportError:
+                         h.flash(_('Unable to activate ldap. The "ldap-python" library '
+                                   'is missing.'),
+                                 category='warning')
+                     except formencode.Invalid, errors:
+                         c.perms_choices = self.perms_choices
+                         c.register_choices = self.register_choices
+                         c.create_choices = self.create_choices
+                         return htmlfill.render(
+                             render('admin/permissions/permissions.html'),
+                             defaults=errors.value,
+                             errors=errors.error_dict or {},
+                             prefix_error=False,
+                             encoding="UTF-8")
+                     except Exception:
+                         log.error(traceback.format_exc())
+                         h.flash(_('error occured during update of ldap settings'),
+                                 category='error')
+                     return redirect(url('edit_permission', id=id_user))

rhodecode/controllers/admin/settings.py

0 +6 -11

              from rhodecode.lib.auth import LoginRequired, HasPermissionAllDecorator, \
                  HasPermissionAnyDecorator
              from rhodecode.lib.base import BaseController, render
+             from rhodecode.lib.celerylib import tasks, run_task
              from rhodecode.lib.utils import repo2db_mapper, invalidate_cache, \
                  set_rhodecode_config, get_hg_settings, get_hg_ui_settings
-             from rhodecode.model.db import RhodeCodeSettings, RhodeCodeUi, Repository
+             from rhodecode.model.db import RhodeCodeUi, Repository
              from rhodecode.model.forms import UserForm, ApplicationSettingsForm, \
                  ApplicationUiSettingsForm
              from rhodecode.model.scm import ScmModel
+             from rhodecode.model.settings import SettingsModel
              from rhodecode.model.user import UserModel
-             from rhodecode.lib.celerylib import tasks, run_task
              from sqlalchemy import func
              import formencode
              import logging
                          application_form = ApplicationSettingsForm()()
                          try:
                              form_result = application_form.to_python(dict(request.POST))
+                             settings_model = SettingsModel()
                              try:
-                                 hgsettings1 = self.sa.query(RhodeCodeSettings)\
-                                     .filter(RhodeCodeSettings.app_settings_name \
-                                             == 'title').one()
+                                 hgsettings1 = settings_model.get('title')
                                  hgsettings1.app_settings_value = form_result['rhodecode_title']
-                                 hgsettings2 = self.sa.query(RhodeCodeSettings)\
-                                     .filter(RhodeCodeSettings.app_settings_name \
-                                             == 'realm').one()
+                                 hgsettings2 = settings_model('realm')
                                  hgsettings2.app_settings_value = form_result['rhodecode_realm']

rhodecode/lib/auth.py

0 +42 -5

              from pylons import config, session, url, request
              from pylons.controllers.util import abort, redirect
              from rhodecode.lib.utils import get_repo_slug
+             from rhodecode.lib.auth_ldap import AuthLdap, UsernameError, PasswordError
              from rhodecode.model import meta
              from rhodecode.model.user import UserModel
              from rhodecode.model.caching_query import FromCache
              from decorator import decorator
              import logging
              import random
+             import traceback
              log = logging.getLogger(__name__)
              def authfunc(environ, username, password):
                  """
-                 Authentication function used in Mercurial/Git/ and access controll,
+                 Authentication function used in Mercurial/Git/ and access control,
                  firstly checks for db authentication then if ldap is enabled for ldap
-                 authentication
+                 authentication, also creates ldap user if not in database
                  :param environ: needed only for using in Basic auth, can be None
                  :param username: username
                  :param password: password
                  """
+                 user_model = UserModel()
+                 user = user_model.get_by_username(username, cache=False)
-                 user = UserModel().get_by_username(username, cache=False)
-                 if user:
+                 if user is not None and user.is_ldap is False:
                      if user.active:
                          if user.username == 'default' and user.active:
                      else:
                          log.error('user %s is disabled', username)
+                 else:
+                     from rhodecode.model.settings import SettingsModel
+                     ldap_settings = SettingsModel().get_ldap_settings()
+                     #======================================================================
+                     # FALLBACK TO LDAP AUTH IN ENABLE
+                     #======================================================================
+                     if ldap_settings.get('ldap_active', False):
+                         kwargs = {
+                               'server':ldap_settings.get('ldap_host', ''),
+                               'base_dn':ldap_settings.get('ldap_base_dn', ''),
+                               'port':ldap_settings.get('ldap_port'),
+                               'bind_dn':ldap_settings.get('ldap_dn_user'),
+                               'bind_pass':ldap_settings.get('ldap_dn_pass'),
+                               'use_ldaps':ldap_settings.get('ldap_ldaps'),
+                               'ldap_version':3,
+                               }
+                         log.debug('Checking for ldap authentication')
+                         try:
+                             aldap = AuthLdap(**kwargs)
+                             res = aldap.authenticate_ldap(username, password)
+                             authenticated = res[1]['uid'][0] == username
+                             if authenticated and user_model.create_ldap(username, password):
+                                 log.info('created new ldap user')
+                             return authenticated
+                         except (UsernameError, PasswordError):
+                             return False
+                         except:
+                             log.error(traceback.format_exc())
+                             return False
                  return False
              class  AuthUser(object):

rhodecode/lib/auth_ldap.py

0 +73 -66

		@@ -1,7 +1,3 b''
1		import logging
2		logging.basicConfig(level=logging.DEBUG)
3		log = logging.getLogger('ldap')
4
5	1	#==============================================================================
6	2	# LDAP
7	3	#Name = Just a description for the auth modes page
		@@ -11,76 +7,87 b" log = logging.getLogger('ldap')"
11	7	#Account = DepartmentName\UserName (or UserName@MyDomain depending on AD server)
12	8	#Password = <password>
13	9	#Base DN = DC=DepartmentName,DC=OrganizationName,DC=local
14		#
15		#On-the-fly user creation = yes
16		#Attributes
17		# Login = sAMAccountName
18		# Firstname = givenName
19		# Lastname = sN
20		# Email = mail
21	10
22	11	#==============================================================================
23		class UsernameError(Exception):pass
24		class PasswordError(Exception):pass
	12
	13	from rhodecode.lib.exceptions import LdapImportError, UsernameError, \
	14	PasswordError, ConnectionError
	15	import logging
	16
	17	log = logging.getLogger(__name__)
25	18
26		LDAP_USE_LDAPS = False
27		ldap_server_type = 'ldap'
28		LDAP_SERVER_ADDRESS = 'myldap.com'
29		LDAP_SERVER_PORT = '389'
	19	try:
	20	import ldap
	21	except ImportError:
	22	pass
30	23
31		#USE FOR READ ONLY BIND TO LDAP SERVER
32		LDAP_BIND_DN = ''
33		LDAP_BIND_PASS = ''
	24	class AuthLdap(object):
34	25
35		if LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
36		LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
37		LDAP_SERVER_ADDRESS,
38		LDAP_SERVER_PORT)
39
40		BASE_DN = "ou=people,dc=server,dc=com"
41		AUTH_DN = "uid=%s,%s"
	26	def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
	27	use_ldaps=False, ldap_version=3):
	28	self.ldap_version = ldap_version
	29	if use_ldaps:
	30	port = port or 689
	31	self.LDAP_USE_LDAPS = use_ldaps
	32	self.LDAP_SERVER_ADDRESS = server
	33	self.LDAP_SERVER_PORT = port
42	34
43		def authenticate_ldap(username, password):
44		"""Authenticate a user via LDAP and return his/her LDAP properties.
	35	#USE FOR READ ONLY BIND TO LDAP SERVER
	36	self.LDAP_BIND_DN = bind_dn
	37	self.LDAP_BIND_PASS = bind_pass
45	38
46		Raises AuthenticationError if the credentials are rejected, or
47		EnvironmentError if the LDAP server can't be reached.
48		"""
49		try:
50		import ldap
51		except ImportError:
52		raise Exception('Could not import ldap make sure You install python-ldap')
	39	ldap_server_type = 'ldap'
	40	if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
	41	self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
	42	self.LDAP_SERVER_ADDRESS,
	43	self.LDAP_SERVER_PORT)
	44
	45	self.BASE_DN = base_dn
	46	self.AUTH_DN = "uid=%s,%s"
53	47
54		from rhodecode.lib.helpers import chop_at
55
56		uid = chop_at(username, "@%s" % LDAP_SERVER_ADDRESS)
57		dn = AUTH_DN % (uid, BASE_DN)
58		log.debug("Authenticating %r at %s", dn, LDAP_SERVER)
59		if "," in username:
60		raise UsernameError("invalid character in username: ,")
61		try:
62		#ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts')
63		server = ldap.initialize(LDAP_SERVER)
64		server.protocol = ldap.VERSION3
65
66		if LDAP_BIND_DN and LDAP_BIND_PASS:
67		server.simple_bind_s(AUTH_DN % (LDAP_BIND_DN,
68		LDAP_BIND_PASS),
69		password)
	48	def authenticate_ldap(self, username, password):
	49	"""Authenticate a user via LDAP and return his/her LDAP properties.
	50
	51	Raises AuthenticationError if the credentials are rejected, or
	52	EnvironmentError if the LDAP server can't be reached.
70	53
71		server.simple_bind_s(dn, password)
72		properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
73		if not properties:
74		raise ldap.NO_SUCH_OBJECT()
75		except ldap.NO_SUCH_OBJECT, e:
76		log.debug("LDAP says no such user '%s' (%s)", uid, username)
77		raise UsernameError()
78		except ldap.INVALID_CREDENTIALS, e:
79		log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
80		raise PasswordError()
81		except ldap.SERVER_DOWN, e:
82		raise EnvironmentError("can't access authentication server")
83		return properties
	54	:param username: username
	55	:param password: password
	56	"""
	57
	58	from rhodecode.lib.helpers import chop_at
	59
	60	uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
	61	dn = self.AUTH_DN % (uid, self.BASE_DN)
	62	log.debug("Authenticating %r at %s", dn, self.LDAP_SERVER)
	63	if "," in username:
	64	raise UsernameError("invalid character in username: ,")
	65	try:
	66	ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/openldap/cacerts')
	67	ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
	68	server = ldap.initialize(self.LDAP_SERVER)
	69	if self.ldap_version == 2:
	70	server.protocol = ldap.VERSION2
	71	else:
	72	server.protocol = ldap.VERSION3
84	73
	74	if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
	75	server.simple_bind_s(self.AUTH_DN % (self.LDAP_BIND_DN,
	76	self.BASE_DN),
	77	self.LDAP_BIND_PASS)
85	78
86		print authenticate_ldap('test', 'test')
	79	server.simple_bind_s(dn, password)
	80	properties = server.search_s(dn, ldap.SCOPE_SUBTREE)
	81	if not properties:
	82	raise ldap.NO_SUCH_OBJECT()
	83	except ldap.NO_SUCH_OBJECT, e:
	84	log.debug("LDAP says no such user '%s' (%s)", uid, username)
	85	raise UsernameError()
	86	except ldap.INVALID_CREDENTIALS, e:
	87	log.debug("LDAP rejected password for user '%s' (%s)", uid, username)
	88	raise PasswordError()
	89	except ldap.SERVER_DOWN, e:
	90	raise ConnectionError("LDAP can't access authentication server")
	91
	92	return properties[0]
	93

rhodecode/model/forms.py

0 +29 -2

              from pylons import session
              from pylons.i18n.translation import _
              from rhodecode.lib.auth import authfunc, get_crypt_password
+             from rhodecode.lib.exceptions import LdapImportError
              from rhodecode.model import meta
              from rhodecode.model.user import UserModel
              from rhodecode.model.repo import RepoModel
                  messages = {
                          'invalid_password':_('invalid password'),
                          'invalid_login':_('invalid user name'),
-                         'disabled_account':_('Your acccount is disabled')
+                         'disabled_account':_('Your account is disabled')
                          }
                  #error mapping
                      return value
+             class LdapLibValidator(formencode.validators.FancyValidator):
+                 def to_python(self, value, state):
+                     try:
+                         import ldap
+                     except ImportError:
+                         raise LdapImportError
+                     return value
              #===============================================================================
              # FORMS
              #===============================================================================
                  class _DefaultPermissionsForm(formencode.Schema):
                      allow_extra_fields = True
                      filter_extra_fields = True
-                     overwrite_default = OneOf(['true', 'false'], if_missing='false')
+                     overwrite_default = StringBoolean(if_missing=False)
                      anonymous = OneOf(['True', 'False'], if_missing=False)
                      default_perm = OneOf(perms_choices)
                      default_register = OneOf(register_choices)
                      default_create = OneOf(create_choices)
                  return _DefaultPermissionsForm
+             def LdapSettingsForm():
+                 class _LdapSettingsForm(formencode.Schema):
+                     allow_extra_fields = True
+                     filter_extra_fields = True
+                     pre_validators = [LdapLibValidator]
+                     ldap_active = StringBoolean(if_missing=False)
+                     ldap_host = UnicodeString(strip=True,)
+                     ldap_port = Number(strip=True,)
+                     ldap_ldaps = StringBoolean(if_missing=False)
+                     ldap_dn_user = UnicodeString(strip=True,)
+                     ldap_dn_pass = UnicodeString(strip=True,)
+                     ldap_base_dn = UnicodeString(strip=True,)
+                 return _LdapSettingsForm

rhodecode/model/permission.py

0 0 -5

                          log.error(traceback.format_exc())
                          self.sa.rollback()
                          raise

rhodecode/model/settings.py

0 +11 0

                  def get_ldap_settings(self):
+                     """
+                     Returns ldap settings from database
+                     :returns:
+                     ldap_active
+                     ldap_host
+                     ldap_port
+                     ldap_ldaps
+                     ldap_dn_user
+                     ldap_dn_pass
+                     ldap_base_dn
+                     """
                      r = self.sa.query(RhodeCodeSettings)\
                              .filter(RhodeCodeSettings.app_settings_name\

rhodecode/model/user.py

0 +30 0

		@@ -68,6 +68,36 b' class UserModel(object):'
68	68	self.sa.rollback()
69	69	raise
70	70
	71	def create_ldap(self, username, password):
	72	"""
	73	Checks if user is in database, if not creates this user marked
	74	as ldap user
	75	:param username:
	76	:param password:
	77	"""
	78
	79	if self.get_by_username(username) is None:
	80	try:
	81	new_user = User()
	82	new_user.username = username
	83	new_user.password = password
	84	new_user.email = '%s@ldap.server' % username
	85	new_user.active = True
	86	new_user.is_ldap = True
	87	new_user.name = '%s@ldap' % username
	88	new_user.lastname = ''
	89
	90
	91	self.sa.add(new_user)
	92	self.sa.commit()
	93	return True
	94	except:
	95	log.error(traceback.format_exc())
	96	self.sa.rollback()
	97	raise
	98
	99	return False
	100
71	101	def create_registration(self, form_data):
72	102	from rhodecode.lib.celerylib import tasks, run_task
73	103	try:

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages