Commit
20758843
authored
Mar 08, 2017
by
Czémán Arnold
dashboard: Extend org id support in ldap authentication
parent
31419716
Showing
5 changed files
with
90 additions
and
37 deletions
+90
-37
circle/circle/settings/base.py
+10
-1
circle/dashboard/ldap_utils.py
+69
-26
circle/dashboard/models.py
+1
-1
circle/dashboard/views/group.py
+9
-8
circle/dashboard/views/util.py
+1
-1
circle/circle/settings/base.py
...
@@ -602,10 +602,13 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
...
@@ -602,10 +602,13 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
"ONELEVEL"
:
ldap
.
SCOPE_SUBTREE
,
"ONELEVEL"
:
ldap
.
SCOPE_SUBTREE
,
}
}
LDAP_GROUP_MEMBER_ATTRIBUTE
=
(
get_env_variable
(
"LDAP_GROUP_MEMBER_ATTRIBUTE"
,
"member"
))
LDAP_GROUP_MAP
=
{
LDAP_GROUP_MAP
=
{
"POSIX"
:
PosixGroupType
(),
"POSIX"
:
PosixGroupType
(),
"NIS"
:
NISGroupType
(),
"NIS"
:
NISGroupType
(),
"MEMBER_DN"
:
MemberDNGroupType
(),
"MEMBER_DN"
:
MemberDNGroupType
(
LDAP_GROUP_MEMBER_ATTRIBUTE
),
"GROUP_OF_NAMES"
:
GroupOfNamesType
(),
"GROUP_OF_NAMES"
:
GroupOfNamesType
(),
"GROUP_OF_UNIQUE_NAMES"
:
GroupOfUniqueNamesType
(),
"GROUP_OF_UNIQUE_NAMES"
:
GroupOfUniqueNamesType
(),
"AD"
:
ActiveDirectoryGroupType
(),
"AD"
:
ActiveDirectoryGroupType
(),
...
@@ -659,5 +662,11 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
...
@@ -659,5 +662,11 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
LDAP_ORG_ID_ATTRIBUTE
=
(
LDAP_ORG_ID_ATTRIBUTE
=
(
get_env_variable
(
"LDAP_ORG_ID_ATTRIBUTE"
,
""
)
==
"TRUE"
)
get_env_variable
(
"LDAP_ORG_ID_ATTRIBUTE"
,
""
)
==
"TRUE"
)
LDAP_USER_ORG_ID_ATTRIBUTE
=
(
get_env_variable
(
"LDAP_USER_ORG_ID_ATTRIBUTE"
,
"DN"
))
LDAP_GROUP_ORG_ID_ATTRIBUTE
=
(
get_env_variable
(
"LDAP_GROUP_ORG_ID_ATTRIBUTE"
,
"DN"
))
LDAP_GROUP_OWNER_ATTRIBUTE
=
get_env_variable
(
"LDAP_GROUP_OWNER_ATTRIBUTE"
,
LDAP_GROUP_OWNER_ATTRIBUTE
=
get_env_variable
(
"LDAP_GROUP_OWNER_ATTRIBUTE"
,
"owner"
)
"owner"
)
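Review bot: The new `LDAP_USER_ORG_ID_ATTRIBUTE` and `LDAP_GROUP_ORG_ID_ATTRIBUTE` settings need a comment saying what the named attribute is used for, because the value it names becomes an identity key: elsewhere in this commit it is stored in `Profile.org_id` (declared `unique=True`) and matched with `org_id__iexact` against pending `FutureMember` rows, so an attribute the directory does not keep unique, or that can be reassigned to a different person, would let one account be mapped onto another user's profile and memberships. Suggested comment above the two assignments: `# Must name an attribute the directory guarantees unique and never reassigns: it becomes Profile.org_id (unique) and is matched case-insensitively against FutureMember.org_id.` The `"DN"` default deserves a note as well, e.g. `# "DN" means the entry's distinguished name (upper-cased) is used instead of an attribute`, since the comparison is a plain `.upper()` rather than full DN normalisation. These assignments sit inside the `if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':` block that starts before the hunk.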
circle/dashboard/ldap_utils.py
...
@@ -35,64 +35,107 @@ def ldap_connect():
...
@@ -35,64 +35,107 @@ def ldap_connect():
return
conn
return
conn
def
get_group
(
conn
,
group_dn
):
group
=
LDAPSearch
(
group_dn
,
ldap
.
SCOPE_BASE
,
"cn=*"
)
.
execute
(
conn
)
if
len
(
group
)
==
0
:
return
None
return
group
[
0
][
1
]
def
get_group_org_id
(
conn
,
group_dn
):
group_org_id_attr
=
settings
.
LDAP_GROUP_ORG_ID_ATTRIBUTE
if
group_org_id_attr
==
"DN"
:
return
group_dn
.
upper
()
else
:
group
=
get_group
(
conn
,
group_dn
)
if
group
is
None
:
logger
.
error
(
"LDAP communication error, "
"while query group object."
)
return
None
group_org_id
=
group
.
get
(
group_org_id_attr
)
if
group_org_id
is
None
:
logger
.
error
(
"Group org id attribute '
%
s' does not exist!"
,
group_org_id_attr
)
return
None
return
group_org_id
[
0
]
.
upper
()
def
get_user_org_id
(
ldap_user
):
user_org_id_attr
=
settings
.
LDAP_USER_ORG_ID_ATTRIBUTE
if
user_org_id_attr
==
"DN"
:
return
ldap_user
.
dn
.
upper
()
else
:
user_org_id
=
ldap_user
.
attrs
.
get
(
user_org_id_attr
)
if
user_org_id
is
None
:
logger
.
error
(
"User org id attribute '
%
s' does not exist!"
,
user_org_id_attr
)
return
user_org_id
[
0
]
def
owns
(
conn
,
user_dn
,
group_dn
):
def
owns
(
conn
,
user_dn
,
group_dn
):
ownerattr
=
settings
.
LDAP_GROUP_OWNER_ATTRIBUTE
ownerattr
=
settings
.
LDAP_GROUP_OWNER_ATTRIBUTE
group
=
LDAPSearch
(
group_dn
.
lower
(),
ldap
.
SCOPE_BASE
,
"cn=*"
)
.
execute
(
con
n
)
group
=
get_group
(
conn
,
group_d
n
)
if
len
(
group
)
==
0
:
if
group
is
None
:
return
False
return
False
group
=
group
[
0
]
owners
=
group
.
get
(
ownerattr
,
[])
owners
=
group
[
1
]
.
get
(
ownerattr
,
[])
return
user_dn
in
owners
logger
.
error
(
owners
)
return
user_dn
in
map
(
unicode
.
upper
,
owners
)
def
ldap_save_org_id
(
sender
,
user
,
ldap_user
,
**
kwargs
):
def
ldap_save_org_id
(
sender
,
user
,
ldap_user
,
**
kwargs
):
logger
.
debug
(
"ldap_save_org_id called by
%
s"
,
user
.
username
)
logger
.
debug
(
"ldap_save_org_id called by
%
s"
,
user
.
username
)
user_dn
=
ldap_user
.
dn
.
upper
()
user_org_id
=
get_user_org_id
(
ldap_user
)
if
user_org_id
is
None
:
return
if
user
.
pk
is
None
:
if
user
.
pk
is
None
:
user
.
save
()
user
.
save
()
logger
.
debug
(
"ldap_save_org_id saved user
%
s"
,
unicode
(
user
))
logger
.
debug
(
"ldap_save_org_id saved user
%
s"
,
unicode
(
user
))
profile
,
created
=
Profile
.
objects
.
get_or_create
(
user
=
user
)
profile
,
created
=
Profile
.
objects
.
get_or_create
(
user
=
user
)
if
created
or
profile
.
org_id
!=
user_
dn
:
if
created
or
profile
.
org_id
!=
user_
org_id
:
logger
.
info
(
"org_id of
%
s added to user
%
s's profile"
,
logger
.
info
(
"org_id of
%
s added to user
%
s's profile"
,
user_
dn
,
user
.
username
)
user_
org_id
,
user
.
username
)
profile
.
org_id
=
user_
dn
profile
.
org_id
=
user_
org_id
profile
.
save
()
profile
.
save
()
else
:
else
:
logger
.
debug
(
"org_id of
%
s already added to user
%
s's profile"
,
logger
.
debug
(
"org_id of
%
s already added to user
%
s's profile"
,
user_
dn
,
user
.
username
)
user_
org_id
,
user
.
username
)
group_dns
=
map
(
unicode
.
upper
,
ldap_user
.
group_dns
)
# connection will close, when object destroys
for
group
in
group_dns
:
# https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
conn
=
ldap_connect
()
for
group_dn
in
ldap_user
.
group_dns
:
group_org_id
=
get_group_org_id
(
conn
,
group_dn
)
if
group_org_id
is
None
:
continue
try
:
try
:
g
=
GroupProfile
.
search
(
group
)
g
=
GroupProfile
.
search
(
group
_org_id
)
except
Group
.
DoesNotExist
:
except
Group
.
DoesNotExist
:
logger
.
debug
(
'cant find membergroup
%
s'
,
group
)
logger
.
debug
(
'cant find membergroup
%
s'
,
group
_org_id
)
else
:
else
:
logger
.
debug
(
'could find membergroup
%
s (
%
s)'
,
logger
.
debug
(
'could find membergroup
%
s (
%
s)'
,
group
,
unicode
(
g
))
group
_org_id
,
unicode
(
g
))
g
.
user_set
.
add
(
user
)
g
.
user_set
.
add
(
user
)
for
i
in
FutureMember
.
objects
.
filter
(
org_id__iexact
=
user_
dn
):
for
i
in
FutureMember
.
objects
.
filter
(
org_id__iexact
=
user_
org_id
):
i
.
group
.
user_set
.
add
(
user
)
i
.
group
.
user_set
.
add
(
user
)
i
.
delete
()
i
.
delete
()
# connection will close, when object destroys
for
group_dn
in
ldap_user
.
group_dns
:
# https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
group_org_id
=
get_group_org_id
(
conn
,
group_dn
)
conn
=
ldap_connect
()
if
group_org_id
is
None
:
for
group
in
group_dns
:
continue
try
:
try
:
g
=
GroupProfile
.
search
(
group
)
g
=
GroupProfile
.
search
(
group
_org_id
)
except
Group
.
DoesNotExist
:
except
Group
.
DoesNotExist
:
logger
.
debug
(
'cant find ownergroup
%
s'
,
group
)
logger
.
debug
(
'cant find ownergroup
%
s'
,
group
_org_id
)
else
:
else
:
if
owns
(
conn
,
user_dn
,
group
):
if
owns
(
conn
,
ldap_user
.
dn
,
group_dn
):
logger
.
debug
(
'could find ownergroup
%
s (
%
s)'
,
logger
.
debug
(
'could find ownergroup
%
s (
%
s)'
,
group
,
unicode
(
g
))
group
_org_id
,
unicode
(
g
))
g
.
profile
.
set_level
(
user
,
'owner'
)
g
.
profile
.
set_level
(
user
,
'owner'
)
else
:
else
:
logger
.
debug
(
'cant find ownergroup
%
s'
,
group
)
logger
.
debug
(
'cant find ownergroup
%
s'
,
group
_org_id
)
return
False
# User did not change
return
False
# User did not change
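Review bot: `get_user_org_id` does not stop after reporting a missing attribute: as rendered, the only return on its non-DN path is `return user_org_id[0]`, which raises `TypeError` when `ldap_user.attrs.get(user_org_id_attr)` returned `None`, so every login by a user lacking the configured attribute would blow up inside the signal handler instead of reaching the `if user_org_id is None: return` guard in `ldap_save_org_id`; add `return None` directly after the `logger.error(...)` call, mirroring `get_group_org_id`. Separately, `owns` now compares `user_dn in map(unicode.upper, owners)` while `ldap_save_org_id` passes the raw `ldap_user.dn`, so ownership is never granted when the user's DN contains lowercase characters; normalising inside the helper with `return user_dn.upper() in map(unicode.upper, owners)` makes both callers agree. The `logger.error(owners)` line in `owns` looks like a debugging leftover that writes every group's owner list to the error log on each login; drop it or make it `logger.debug`. A comment on `get_group_org_id`/`owns` should also state that `.upper()` is only an approximation of DN equality (attribute-type aliases and escaping differences are not handled), since the result is used as a unique key.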
circle/dashboard/models.py
...
@@ -175,7 +175,7 @@ class Profile(Model):
...
@@ -175,7 +175,7 @@ class Profile(Model):
max_length
=
32
,
max_length
=
32
,
default
=
settings
.
LANGUAGE_CODE
,
blank
=
False
)
default
=
settings
.
LANGUAGE_CODE
,
blank
=
False
)
org_id
=
CharField
(
# may be populated from eduPersonOrgId field
org_id
=
CharField
(
# may be populated from eduPersonOrgId field
unique
=
True
,
blank
=
True
,
null
=
True
,
max_length
=
64
,
unique
=
True
,
blank
=
True
,
null
=
True
,
max_length
=
255
,
help_text
=
_
(
'Unique identifier of the person, e.g. a student number.'
))
help_text
=
_
(
'Unique identifier of the person, e.g. a student number.'
))
instance_limit
=
IntegerField
(
default
=
5
)
instance_limit
=
IntegerField
(
default
=
5
)
use_gravatar
=
BooleanField
(
use_gravatar
=
BooleanField
(
...
...
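Review bot: Widening `org_id` from `max_length=64` to `255` is a schema change, but none of the five files in this commit is a migration, so unless one lands separately the database column keeps its old width; a DN-based org id longer than 64 characters would then be truncated or rejected depending on the backend, and because the column is `unique=True` truncation could even make two distinct users collide. The inline comment `# may be populated from eduPersonOrgId field` and the help text `'Unique identifier of the person, e.g. a student number.'` are now stale, since the value may be the user's full LDAP DN (upper-cased) or whatever attribute `LDAP_USER_ORG_ID_ATTRIBUTE` names; suggested comment: `# Identity key: LDAP DN / LDAP_USER_ORG_ID_ATTRIBUTE value, or eduPersonOrgId; must stay unique per person.` The enclosing `Profile` class continues outside the hunk.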
circle/dashboard/views/group.py
...
@@ -82,22 +82,23 @@ class GroupCodeMixin(object):
...
@@ -82,22 +82,23 @@ class GroupCodeMixin(object):
newgroups
.
append
(
group
)
newgroups
.
append
(
group
)
if
ldap_available
:
if
ldap_available
:
from
..ldap_utils
import
owns
,
ldap_connect
,
get_group_org_id
ldap_user
=
getattr
(
request
.
user
,
"ldap_user"
,
None
)
ldap_user
=
getattr
(
request
.
user
,
"ldap_user"
,
None
)
if
ldap_user
is
None
:
if
ldap_user
is
None
:
return
newgroups
return
newgroups
from
..ldap_utils
import
owns
,
ldap_connect
user_dn
=
ldap_user
.
dn
user_dn
=
ldap_user
.
dn
.
upper
()
group_dns
=
map
(
unicode
.
upper
,
ldap_user
.
group_dns
)
# connection will close, when object destroys
# connection will close, when object destroys
# https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
# https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
conn
=
ldap_connect
()
conn
=
ldap_connect
()
for
group
in
group_dns
:
for
group_dn
in
ldap_user
.
group_dns
:
group_org_id
=
get_group_org_id
(
conn
,
group_dn
)
if
group_org_id
is
None
:
continue
try
:
try
:
GroupProfile
.
search
(
group
)
GroupProfile
.
search
(
group
_org_id
)
except
Group
.
DoesNotExist
:
except
Group
.
DoesNotExist
:
if
owns
(
conn
,
user_dn
,
group
):
if
owns
(
conn
,
user_dn
,
group_dn
):
newgroups
.
append
(
group
)
newgroups
.
append
(
group_org_id
)
return
newgroups
return
newgroups
...
...
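Review bot: The two callers of `owns` now disagree on DN normalisation: this hunk passes `user_dn` (one of the two `user_dn = ldap_user.dn...` lines survives, and the rendered page does not show which), `ldap_save_org_id` in the same commit passes the raw `ldap_user.dn`, and `owns` itself upper-cases only the owner entries it reads from the group. Whichever form this view keeps, it should be the same one the other caller uses — `user_dn = ldap_user.dn.upper()` here, or better, normalise inside `owns` — otherwise the ownership check silently fails for DNs containing lowercase letters and the group is never offered. With a non-DN `LDAP_GROUP_ORG_ID_ATTRIBUTE` the loop now issues one LDAP search per group the user belongs to on every request that reaches this mixin, which is worth a comment such as `# one LDAP round trip per group when the org id is not the DN`. The enclosing method of `GroupCodeMixin` begins before this hunk.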
circle/dashboard/views/util.py
...
@@ -58,7 +58,7 @@ from ..forms import TransferOwnershipForm
...
@@ -58,7 +58,7 @@ from ..forms import TransferOwnershipForm
logger
=
logging
.
getLogger
(
__name__
)
logger
=
logging
.
getLogger
(
__name__
)
saml_available
=
hasattr
(
settings
,
"SAML_CONFIG"
)
saml_available
=
hasattr
(
settings
,
"SAML_CONFIG"
)
ldap_available
=
hasattr
(
settings
,
"AUTH_LDAP_SERVER_URI"
)
ldap_available
=
getattr
(
settings
,
"LDAP_ORG_ID_ATTRIBUTE"
,
False
)
def
external_auth_available
():
def
external_auth_available
():
...
...
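Review bot: `ldap_available` no longer means what its name says: it is now the value of `LDAP_ORG_ID_ATTRIBUTE`, which base.py sets to `get_env_variable("LDAP_ORG_ID_ATTRIBUTE", "") == "TRUE"` inside the `LDAP_AUTH == 'TRUE'` block, so an LDAP-authenticated deployment that has not enabled org-id mapping now reports no LDAP at all, and presumably the `if ldap_available:` guard in group.py is what this flag drives. Either rename it (`ldap_org_id_available`) or add a comment stating the intent, e.g. `# True only when LDAP org-id mapping is enabled; gates the LDAP group/owner lookups in the group views`. That comment should also mention that `getattr` returns the setting's value rather than testing presence, so any env value other than the literal `TRUE` yields False.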