Add LDAP group owner import and small rework

2ef3e434 · Czémán Arnold · 6f558426 · 2ef3e434 · 2ef3e434
Commit 2ef3e434 authored Feb 15, 2017 by Czémán Arnold
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 20 deletions

circle/circle/settings/base.py
+5 -3

circle/dashboard/models.py
+47 -17

No files found.
--- a/circle/circle/settings/base.py
+++ b/circle/circle/settings/base.py
@@ -651,6 +651,8 @@ if get_env_variable('LDAP_AUTH', 'FALSE') == 'TRUE':
    )

    # org_id attribute
-    if get_env_variable('LDAP_ORG_ID_ATTRIBUTE', False):
-        LDAP_ORG_ID_ATTRIBUTE = get_env_variable(
-            'LDAP_ORG_ID_ATTRIBUTE')
+    LDAP_ORG_ID_ATTRIBUTE = (
+        get_env_variable('LDAP_ORG_ID_ATTRIBUTE', "") == "TRUE")
+
+    LDAP_GROUP_OWNER_ATTRIBUTE = get_env_variable("LDAP_GROUP_OWNER_ATTRIBUTE",
+                                                  "owner")
--- a/circle/dashboard/models.py
+++ b/circle/dashboard/models.py
@@ -401,36 +401,48 @@ if hasattr(settings, 'SAML_ORG_ID_ATTRIBUTE'):
    pre_user_save.connect(saml_save_org_id)


-if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE'):
+if (hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE') and
+   settings.LDAP_ORG_ID_ATTRIBUTE):
    logger.debug("Register ldap_save_org_id to django-ldap-auth populate user")
-    from django_auth_ldap.backend import populate_user
+    from django_auth_ldap.backend import populate_user, LDAPSettings
+    import ldap
+
+    def ldap_connect(ldap_settings):
+        conn = ldap.initialize(ldap_settings.SERVER_URI)
+        for opt, value in ldap_settings.CONNECTION_OPTIONS.items():
+            conn.set_option(opt, value)
+        conn.simple_bind_s(ldap_settings.BIND_DN, ldap_settings.BIND_PASSWORD)
+        return conn
+
+    def owns(conn, ldap_settings, ownerattr, user_dn, group_name):
+        group = ldap_settings.GROUP_SEARCH.search_with_additional_term_string(
+            "(cn=%s)" % group_name).execute(conn)
+        if len(group) == 0:
+            return False
+        group = group[0]
+        owners = group[1].get(ownerattr, [])
+        return user_dn in map(unicode.upper, owners)

    def ldap_save_org_id(sender, user, ldap_user, **kwargs):
        logger.debug("ldap_save_org_id called by %s", user.username)
-        attributes = ldap_user.attrs
-        attr = settings.LDAP_ORG_ID_ATTRIBUTE
-        try:
-            value = attributes[attr][0].upper()
-        except Exception as e:
-            value = None
-            logger.info("ldap_save_org_id couldn't find attribute. %s",
-                        unicode(e))
+        user_dn = ldap_user.dn.upper()

        if user.pk is None:
            user.save()
            logger.debug("ldap_save_org_id saved user %s", unicode(user))

        profile, created = Profile.objects.get_or_create(user=user)
-        if created or profile.org_id != value:
+        if created or profile.org_id != user_dn:
            logger.info("org_id of %s added to user %s's profile",
-                        value, user.username)
-            profile.org_id = value
+                        user_dn, user.username)
+            profile.org_id = user_dn
            profile.save()
        else:
            logger.debug("org_id of %s already added to user %s's profile",
-                         value, user.username)
-        logger.error(ldap_user.group_dns)
-        for group in ldap_user.group_names:
+                         user_dn, user.username)
+
+        group_dns = map(unicode.upper, ldap_user.group_dns)
+        for group in group_dns:
            try:
                g = GroupProfile.search(group)
            except Group.DoesNotExist:
@@ -440,10 +452,28 @@ if hasattr(settings, 'LDAP_ORG_ID_ATTRIBUTE'):
                             group, unicode(g))
                g.user_set.add(user)

-        for i in FutureMember.objects.filter(org_id__iexact=value):
+        for i in FutureMember.objects.filter(org_id__iexact=user_dn):
            i.group.user_set.add(user)
            i.delete()

+        ownerattr = settings.LDAP_GROUP_OWNER_ATTRIBUTE
+        ldap_settings = LDAPSettings()
+        # connection will close, when object destroys
+        # https://www.python-ldap.org/doc/html/ldap.html#ldap-objects
+        conn = ldap_connect(ldap_settings)
+        for group in zip(group_dns, ldap_user.group_names):
+            try:
+                g = GroupProfile.search(group[0])
+            except Group.DoesNotExist:
+                logger.debug('cant find ownergroup %s', group[0])
+            else:
+                if owns(conn, ldap_settings, ownerattr, user_dn, group[1]):
+                    logger.debug('could find ownergroup %s (%s)',
+                                 group[0], unicode(g))
+                    g.profile.set_level(user, 'owner')
+                else:
+                    logger.debug('cant find ownergroup %s', group[0])
+
        return False  # User did not change

    populate_user.connect(ldap_save_org_id)