authentik/passbook/sources/ldap/connector.py

"""Wrapper for ldap3 to easily manage user"""
from typing import Any, Dict, Optional

import ldap3
import ldap3.core.exceptions
from structlog import get_logger

from passbook.core.models import Group, User
from passbook.sources.ldap.models import LDAPSource

LOGGER = get_logger()


class Connector:
    """Wrapper for ldap3 to easily manage user authentication and creation"""

    _server: ldap3.Server
    _connection = ldap3.Connection
    _source: LDAPSource

    def __init__(self, source: LDAPSource):
        self._source = source
        self._server = ldap3.Server(source.server_uri) # Implement URI parsing

    def bind(self):
        """Bind using Source's Credentials"""
        self._connection = ldap3.Connection(self._server, raise_exceptions=True,
                                            user=self._source.bind_cn,
                                            password=self._source.bind_password)

        self._connection.bind()
        if self._source.start_tls:
            self._connection.start_tls()

    @staticmethod
    def encode_pass(password: str) -> bytes:
        """Encodes a plain-text password so it can be used by AD"""
        return '"{}"'.format(password).encode('utf-16-le')

    @property
    def base_dn_users(self) -> str:
        """Shortcut to get full base_dn for user lookups"""
        return ','.join([self._source.additional_user_dn, self._source.base_dn])

    @property
    def base_dn_groups(self) -> str:
        """Shortcut to get full base_dn for group lookups"""
        return ','.join([self._source.additional_group_dn, self._source.base_dn])

    def sync_groups(self):
        """Iterate over all LDAP Groups and create passbook_core.Group instances"""
        if not self._source.sync_groups:
            LOGGER.debug("Group syncing is disabled for this Source")
            return
        groups = self._connection.extend.standard.paged_search(
            search_base=self.base_dn_groups,
            search_filter=self._source.group_object_filter,
            search_scope=ldap3.SUBTREE,
            attributes=ldap3.ALL_ATTRIBUTES)
        for group in groups:
            attributes = group.get('attributes', {})
            _, created = Group.objects.update_or_create(
                attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),
                parent=self._source.sync_parent_group,
                # defaults=self._build_object_properties(attributes),
                defaults={
                    'name': attributes.get('name', ''),
                    'attributes': {
                        'ldap_uniq': attributes.get(self._source.object_uniqueness_field, ''),
                        'distinguishedName': attributes.get('distinguishedName')
                    }
                }
            )
            LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created)

    def sync_users(self):
        """Iterate over all LDAP Users and create passbook_core.User instances"""
        users = self._connection.extend.standard.paged_search(
            search_base=self.base_dn_users,
            search_filter=self._source.user_object_filter,
            search_scope=ldap3.SUBTREE,
            attributes=ldap3.ALL_ATTRIBUTES)
        for user in users:
            attributes = user.get('attributes', {})
            _, created = User.objects.update_or_create(
                attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),
                defaults=self._build_object_properties(attributes),
            )
            LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created)

    def sync_membership(self):
        """Iterate over all Users and assign Groups using memberOf Field"""
        users = self._connection.extend.standard.paged_search(
            search_base=self.base_dn_users,
            search_filter=self._source.user_object_filter,
            search_scope=ldap3.SUBTREE,
            attributes=[
                self._source.user_group_membership_field,
                self._source.object_uniqueness_field])
        group_cache: Dict[str, Group] = {}
        for user in users:
            member_of = user.get('attributes', {}).get(self._source.user_group_membership_field, [])
            uniq = user.get('attributes', {}).get(self._source.object_uniqueness_field, [])
            for group_dn in member_of:
                # Check if group_dn is within our base_dn_groups, and skip if not
                if not group_dn.endswith(self.base_dn_groups):
                    continue
                # Check if we fetched the group already, and if not cache it for later
                if group_dn not in group_cache:
                    groups = Group.objects.filter(attributes__distinguishedName=group_dn)
                    if not groups.exists():
                        LOGGER.warning("Group does not exist in our DB yet, run sync_groups first.",
                                       group=group_dn)
                        return
                    group_cache[group_dn] = groups.first()
                group = group_cache[group_dn]
                users = User.objects.filter(attributes__ldap_uniq=uniq)
                group.user_set.add(*list(users))
        # Now that all users are added, lets write everything
        for _, group in group_cache.items():
            group.save()
        LOGGER.debug("Successfully updated group membership")

    def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]:
        properties = {
            'attributes': {}
        }
        for mapping in self._source.property_mappings.all().select_subclasses():
            properties[mapping.object_field] = attributes.get(mapping.ldap_property, '')
        if self._source.object_uniqueness_field in attributes:
            properties['attributes']['ldap_uniq'] = \
                attributes.get(self._source.object_uniqueness_field)
        properties['attributes']['distinguishedName'] = attributes.get('distinguishedName')
        return properties

    def auth_user(self, password: str, **filters: Dict[str, str]) -> Optional[User]:
        """Try to bind as either user_dn or mail with password.
        Returns True on success, otherwise False"""
        users = User.objects.filter(**filters)
        if not users.exists():
            return None
        user = users.first()
        if 'distinguishedName' not in user.attributes:
            LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user)
            return None
        # Try to bind as new user
        LOGGER.debug("Attempting Binding as user", user=user)
        try:
            temp_connection = ldap3.Connection(self._server,
                                               user=user.attributes.get('distinguishedName'),
                                               password=password, raise_exceptions=True)
            temp_connection.bind()
            return user
        except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:
            LOGGER.debug("LDAPInvalidCredentialsResult", user=user)
        except ldap3.core.exceptions.LDAPException as exception:
            LOGGER.warning(exception)
        return None
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Wrapper for ldap3 to easily manage user"""`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`from typing import Any, Dict, Optional`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`import ldap3`
			`import ldap3.core.exceptions`
*(minor): stdlib logging to structlog 2019-10-01 08:24:10 +00:00			`from structlog import get_logger`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`from passbook.core.models import Group, User`
*(minor): small refactor 2019-10-07 14:33:48 +00:00			`from passbook.sources.ldap.models import LDAPSource`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
*(minor): remove __name__ param from get_logger 2019-10-04 08:08:53 +00:00			`LOGGER = get_logger()`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00

ldap(major): start rewrite 2019-10-10 15:36:09 +00:00			`class Connector:`
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00			`"""Wrapper for ldap3 to easily manage user authentication and creation"""`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
ldap(major): start rewrite 2019-10-10 15:36:09 +00:00			`_server: ldap3.Server`
			`_connection = ldap3.Connection`
			`_source: LDAPSource`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00			`def __init__(self, source: LDAPSource):`
			`self._source = source`
			`self._server = ldap3.Server(source.server_uri) # Implement URI parsing`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00
			`def bind(self):`
			`"""Bind using Source's Credentials"""`
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00			`self._connection = ldap3.Connection(self._server, raise_exceptions=True,`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`user=self._source.bind_cn,`
			`password=self._source.bind_password)`
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00
			`self._connection.bind()`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`if self._source.start_tls:`
ldap(major): start rewrite 2019-10-10 15:36:09 +00:00			`self._connection.start_tls()`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00
			`@staticmethod`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`def encode_pass(password: str) -> bytes:`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Encodes a plain-text password so it can be used by AD"""`
			`return '"{}"'.format(password).encode('utf-16-le')`

sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`@property`
			`def base_dn_users(self) -> str:`
			`"""Shortcut to get full base_dn for user lookups"""`
			`return ','.join([self._source.additional_user_dn, self._source.base_dn])`

			`@property`
			`def base_dn_groups(self) -> str:`
			`"""Shortcut to get full base_dn for group lookups"""`
			`return ','.join([self._source.additional_group_dn, self._source.base_dn])`

			`def sync_groups(self):`
			`"""Iterate over all LDAP Groups and create passbook_core.Group instances"""`
sources/ldap(major): implement membership sync, add more settings 2019-10-11 11:41:12 +00:00			`if not self._source.sync_groups:`
			`LOGGER.debug("Group syncing is disabled for this Source")`
			`return`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`groups = self._connection.extend.standard.paged_search(`
			`search_base=self.base_dn_groups,`
			`search_filter=self._source.group_object_filter,`
			`search_scope=ldap3.SUBTREE,`
			`attributes=ldap3.ALL_ATTRIBUTES)`
			`for group in groups:`
			`attributes = group.get('attributes', {})`
			`_, created = Group.objects.update_or_create(`
sources/ldap(major): implement membership sync, add more settings 2019-10-11 11:41:12 +00:00			`attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),`
			`parent=self._source.sync_parent_group,`
			`# defaults=self._build_object_properties(attributes),`
			`defaults={`
			`'name': attributes.get('name', ''),`
			`'attributes': {`
			`'ldap_uniq': attributes.get(self._source.object_uniqueness_field, ''),`
			`'distinguishedName': attributes.get('distinguishedName')`
			`}`
			`}`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`)`
			`LOGGER.debug("Synced group", group=attributes.get('name', ''), created=created)`

			`def sync_users(self):`
			`"""Iterate over all LDAP Users and create passbook_core.User instances"""`
			`users = self._connection.extend.standard.paged_search(`
			`search_base=self.base_dn_users,`
			`search_filter=self._source.user_object_filter,`
			`search_scope=ldap3.SUBTREE,`
			`attributes=ldap3.ALL_ATTRIBUTES)`
			`for user in users:`
			`attributes = user.get('attributes', {})`
			`_, created = User.objects.update_or_create(`
sources/ldap(major): implement membership sync, add more settings 2019-10-11 11:41:12 +00:00			`attributes__ldap_uniq=attributes.get(self._source.object_uniqueness_field, ''),`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`defaults=self._build_object_properties(attributes),`
			`)`
			`LOGGER.debug("Synced User", user=attributes.get('name', ''), created=created)`

			`def sync_membership(self):`
			`"""Iterate over all Users and assign Groups using memberOf Field"""`
sources/ldap(major): implement membership sync, add more settings 2019-10-11 11:41:12 +00:00			`users = self._connection.extend.standard.paged_search(`
			`search_base=self.base_dn_users,`
			`search_filter=self._source.user_object_filter,`
			`search_scope=ldap3.SUBTREE,`
			`attributes=[`
			`self._source.user_group_membership_field,`
			`self._source.object_uniqueness_field])`
			`group_cache: Dict[str, Group] = {}`
			`for user in users:`
			`member_of = user.get('attributes', {}).get(self._source.user_group_membership_field, [])`
			`uniq = user.get('attributes', {}).get(self._source.object_uniqueness_field, [])`
			`for group_dn in member_of:`
			`# Check if group_dn is within our base_dn_groups, and skip if not`
			`if not group_dn.endswith(self.base_dn_groups):`
			`continue`
			`# Check if we fetched the group already, and if not cache it for later`
			`if group_dn not in group_cache:`
			`groups = Group.objects.filter(attributes__distinguishedName=group_dn)`
			`if not groups.exists():`
			`LOGGER.warning("Group does not exist in our DB yet, run sync_groups first.",`
			`group=group_dn)`
			`return`
			`group_cache[group_dn] = groups.first()`
			`group = group_cache[group_dn]`
			`users = User.objects.filter(attributes__ldap_uniq=uniq)`
			`group.user_set.add(*list(users))`
			`# Now that all users are added, lets write everything`
			`for _, group in group_cache.items():`
			`group.save()`
			`LOGGER.debug("Successfully updated group membership")`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00
			`def _build_object_properties(self, attributes: Dict[str, Any]) -> Dict[str, Dict[Any, Any]]:`
			`properties = {`
			`'attributes': {}`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`}`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`for mapping in self._source.property_mappings.all().select_subclasses():`
			`properties[mapping.object_field] = attributes.get(mapping.ldap_property, '')`
sources/ldap(major): implement membership sync, add more settings 2019-10-11 11:41:12 +00:00			`if self._source.object_uniqueness_field in attributes:`
			`properties['attributes']['ldap_uniq'] = \`
			`attributes.get(self._source.object_uniqueness_field)`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`properties['attributes']['distinguishedName'] = attributes.get('distinguishedName')`
			`return properties`

			`def auth_user(self, password: str, **filters: Dict[str, str]) -> Optional[User]:`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`"""Try to bind as either user_dn or mail with password.`
			`Returns True on success, otherwise False"""`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`users = User.objects.filter(**filters)`
			`if not users.exists():`
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00			`return None`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`user = users.first()`
			`if 'distinguishedName' not in user.attributes:`
			`LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`return None`
			`# Try to bind as new user`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`LOGGER.debug("Attempting Binding as user", user=user)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`try:`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`temp_connection = ldap3.Connection(self._server,`
			`user=user.attributes.get('distinguishedName'),`
ldap: rewrite Connector to use Source DB Entries 2018-11-26 17:12:04 +00:00			`password=password, raise_exceptions=True)`
			`temp_connection.bind()`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`return user`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`except ldap3.core.exceptions.LDAPInvalidCredentialsResult as exception:`
sources/ldap(major): add sync_users and sync_groups, rewrite auth_user method 2019-10-11 10:53:48 +00:00			`LOGGER.debug("LDAPInvalidCredentialsResult", user=user)`
add working oauth and ldap client 2018-11-11 12:41:48 +00:00			`except ldap3.core.exceptions.LDAPException as exception:`
			`LOGGER.warning(exception)`
			`return None`