Telos4/DoorAdmin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fixed formatting

Browse Source
This commit is contained in:
Simon Pirkelmann 2022-09-12 22:20:40 +02:00
parent 5fb652c1d2
commit 3a6ea5926b
1 changed files with 43 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
imaginaerraum_door_admin/auth.py
View File

@ -38,7 +38,10 @@ class ExtendedLoginForm(LoginForm):
authorized = super(ExtendedLoginForm, self).validate() authorized = super(ExtendedLoginForm, self).validate()
if authorized: if authorized:
current_app.logger.info(f"User with credentials '{self.email.data}' authorized through local database") current_app.logger.info(
f"User with credentials '{self.email.data}' authorized "
f"through local database"
)
else: else:
# run LDAP authorization # run LDAP authorization
# if the authorization succeeds we also get the new_user_data # if the authorization succeeds we also get the new_user_data
@ -71,32 +74,41 @@ class ExtendedLoginForm(LoginForm):
if authorized: if authorized:
# if there was no user in the database before we create a new # if there was no user in the database before we create a new
# user # user
self.user = security.datastore.create_user(username=new_user_data['username'], email=new_user_data['email'], self.user = security.datastore.create_user(
password=new_user_data['password'], roles=new_user_data['roles']) username=new_user_data['username'],
email=new_user_data['email'],
password=new_user_data['password'],
roles=new_user_data['roles']
)
security.datastore.commit() security.datastore.commit()
current_app.logger.info(f"New admin user '{new_user_data['username']} <{new_user_data['email']}>' created after" current_app.logger.info(
" successful LDAP authorization") f"New admin user '{new_user_data['username']} "
f"<{new_user_data['email']}>' created after successful "
f"LDAP authorization"
)
# if any of the authorization methods is successful we authorize the user # if any of the authorization methods is successful we authorize
# the user
return authorized return authorized
def validate_ldap(self): def validate_ldap(self):
"""Validate the user and password through an LDAP server. """Validate the user and password through an LDAP server.
If the connection completes successfully the given user and password is authorized. If the connection completes successfully the given user and password
Then the permissions and additional information of the user are obtained through an LDAP search. is authorized. Then the permissions and additional information of the
The data is stored in a dict which will be used later to create/update the entry for the user in the local user are obtained through an LDAP search.
database. The data is stored in a dict which will be used later to create/update
the entry for the user in the local database.
Parameters Parameters
---------- ----------
Returns Returns
------- -------
bool : result of the authorization process (True = success, False = failure) bool : result of the authorization process (True = success,
dict : dictionary with information about an authorized user (contains username, email, hashed password, False = failure)
roles) dict : dictionary with information about an authorized user
(contains username, email, hashed password, roles)
""" """
ldap_server = ldap3.Server(current_app.config['LDAP_URL']) ldap_server = ldap3.Server(current_app.config['LDAP_URL'])
ldap_user_group = current_app.config['LDAP_USER_GROUP'] ldap_user_group = current_app.config['LDAP_USER_GROUP']
@ -107,15 +119,20 @@ class ExtendedLoginForm(LoginForm):
password = self.password.data password = self.password.data
try: try:
user = f"uid={username},ou={ldap_user_group},dc={ldap_domain},dc={ldap_domain_ext}" user = f"uid={username},ou={ldap_user_group},dc={ldap_domain}," \
con = ldap3.Connection(ldap_server, f"dc={ldap_domain_ext}"
con = ldap3.Connection(
ldap_server,
user=user, user=user,
password=password, auto_bind=True) password=password,
auto_bind=True
)
except ldap3.core.exceptions.LDAPBindError as e: except ldap3.core.exceptions.LDAPBindError as e:
# server reachable but user unauthorized -> fail # server reachable but user unauthorized -> fail
return False, None return False, None
except LDAPSocketOpenError as e: except LDAPSocketOpenError as e:
# server not reachable -> fail (but will try authorization from local database later) # server not reachable -> fail (but will try authorization from
# local database later)
return False, None return False, None
except Exception as e: except Exception as e:
# for other Exceptions we just fail # for other Exceptions we just fail
@ -127,15 +144,18 @@ class ExtendedLoginForm(LoginForm):
new_user_data['password'] = hash_password(password) new_user_data['password'] = hash_password(password)
new_user_data['roles'] = [] new_user_data['roles'] = []
search_base = f"ou={ldap_user_group},dc={ldap_domain},dc={ldap_domain_ext}" search_base = f"ou={ldap_user_group},dc={ldap_domain},dc={ldap_domain_ext}"
search_filter = f"(&(uid={username})(memberof=cn=Keyholders,ou=Groups,dc={ldap_domain},dc={ldap_domain_ext}))" search_filter = f"(&(uid={username})(memberof=cn=Keyholders," \
lock_permission = con.search(search_base, search_filter, f"ou=Groups,dc={ldap_domain},dc={ldap_domain_ext}))"
attributes=ldap3.ALL_ATTRIBUTES) lock_permission = con.search(
search_base, search_filter, attributes=ldap3.ALL_ATTRIBUTES
)
if lock_permission: if lock_permission:
new_user_data['email'] = con.entries[0].mail.value new_user_data['email'] = con.entries[0].mail.value
else: else:
return False, None return False, None
search_filter = f'(&(uid={username})(memberof=cn=Vorstand,ou=Groups,dc={ldap_domain},dc={ldap_domain_ext}))' search_filter = f'(&(uid={username})(memberof=cn=Vorstand,ou=Groups,' \
f'dc={ldap_domain},dc={ldap_domain_ext}))'
token_granting_permission = con.search(search_base, search_filter) token_granting_permission = con.search(search_base, search_filter)
if token_granting_permission: if token_granting_permission:
new_user_data['roles'].append('admin') new_user_data['roles'].append('admin')