def do_login(cls, request, login, password, contact, entites): response = None try: headers = forget(request) # Check if user exists in LDAP connector = get_ldap_connector(request) data = connector.authenticate(login, password) if data is not None: dn = data[0] headers = remember(request, dn) if contact: contact_json = contact.format() contact_json['entites'] = entites contact_json = json.dumps(contact_json) if contact else '' response = Response( contact_json, content_type='application/json; charset=UTF-8', headers=headers) else: raise Exception('Invalid credentials') except Exception as error: raise error return response
def do_login(cls, request, login, password): # Check if user exists in LDAP try: connector = get_ldap_connector(request) except ConfigurationError as error: LOG.error('Connector is not well configured. Error is : {}'.format(error)) data = connector.authenticate(login, password) if data is not None: dn = data[0] if dn == 'null': raise Exception('Invalid credentials') resp_json = {} resp_json['role_name'] = cls.get_user_group_by_dn(request, dn) resp_json['dn'] = dn return resp_json else: raise Exception('LDAP authentication failed')
def get_user_groups_entite_by_dn(cls, request, dn): groups = [] output_json = [] try: # user = request.authenticated_userid connector = get_ldap_connector(request) result = connector.user_groups(dn) if result is not None: for r in result: if r and len(r) > 1: groups.append( cls.format_json_attributes( json.loads(json.dumps(dict(r[1]))))) # Filter to groups of type entite cn_attribute = request.registry.settings[ 'ldap_group_attribute_name'] output_json = [ x for x in groups if cn_attribute in x and x[cn_attribute].startswith( request.registry.settings['ldap_entite_groups_prefix']) ] except Exception as error: raise error return output_json
def get_connected_user(cls, request): user_id = request.authenticated_userid connector = get_ldap_connector(request) with connector.manager.connection() as conn: ret = conn.search( search_scope=request.registry.settings['ldap_login_query_scope'], attributes=request.registry.settings['ldap_login_query_attributes'].replace(', ', ',').replace(' , ', ',').replace(' ,', ',').split(','), search_base=request.registry.settings['ldap_login_query_base_dn'], search_filter=request.registry.settings['ldap_search_user_filter'] ) result, ret = conn.get_response(ret) if result is None: result = [] else: result = [r['attributes'] for r in result if 'dn' in r and r['dn'] == user_id] result = result[0] if result and len(result) > 0 else None if result is not None: result = json.loads(json.dumps(dict(result))) return cls.format_json_attributes(result) if result else {}
def _authenticate_user( self, request: Request, email: typing.Optional[str], password: typing.Optional[str], ) -> typing.Optional[User]: """ Helper to authenticate user in pyramid request from user email and password :param request: pyramid request :return: User or None """ app_config = request.registry.settings['CFG'] uapi = UserApi(None, session=request.dbsession, config=app_config) ldap_connector = None if AuthType.LDAP in app_config.AUTH_TYPES: ldap_connector = get_ldap_connector(request) try: user = uapi.authenticate( email=email, password=password, ldap_connector=ldap_connector ) return user except AuthenticationFailed: return None
def get_infolica_users(cls, request): users = [] connector = get_ldap_connector(request) with connector.manager.connection() as conn: ret = conn.search(search_scope=request.registry. settings['ldap_login_query_scope'], attributes=request.registry. settings['ldap_login_query_attributes'].replace( ', ', ',').replace(' , ', ',').replace(' ,', ',').split(','), search_base=request.registry. settings['ldap_login_query_base_dn'], search_filter=request.registry. settings['ldap_search_user_filter']) result, ret = conn.get_response(ret) if result is not None: for r in result: if 'dn' in r: user_json = cls.format_json_attributes( json.loads(json.dumps(dict(r['attributes'])))) user_json['dn'] = r['dn'] users.append(user_json) return users if users else {}
def get_users_belonging_to_group_entites(cls, request): users = [] try: connector = get_ldap_connector(request) with connector.manager.connection() as conn: ret = conn.search( search_scope=request.registry. settings['ldap_login_query_scope'], attributes=request. registry.settings['ldap_login_query_attributes'].replace( ', ', ',').replace(' , ', ',').replace(' ,', ',').split(','), search_base=request.registry. settings['ldap_login_query_base_dn'], search_filter=request.registry. settings['ldap_search_user_filter']) result, ret = conn.get_response(ret) if result is not None: for r in result: if 'dn' in r and len( cls.get_user_groups_entite_by_dn(request, r['dn'])) > 0: user_json = cls.format_json_attributes( json.loads(json.dumps(dict(r['attributes'])))) user_json['dn'] = r['dn'] users.append(user_json) except Exception as error: raise error return users if users else {}
def auth_ldap(request, login, password): from pyramid_ldap3 import ( get_ldap_connector, groupfinder) connector = get_ldap_connector(request) data = connector.authenticate(login, password) if data is not None: dn = data[0] headers = remember(request, dn) return HTTPFound(location=request.route_url('home'), headers=headers) else: return HTTPForbidden()
def get_user_group_by_dn(cls, request, dn): connector = get_ldap_connector(request) result = connector.user_groups(dn) if result is not None: groups = [cls.format_json_attributes(json.loads(json.dumps(dict(r[1])))) for r in result if r and len(r) > 1] if groups and len(groups) > 0: cn_attribute = request.registry.settings['ldap_group_attribute_id'] for group in groups: if group[cn_attribute].startswith(request.registry.settings['infolica_groups_prefix']): return group[cn_attribute] return None
def login(self, context, request: TracimRequest, hapic_data=None): """ Logs the user into the system. In case of success, the JSON returned is the user profile. In that case, a cookie is created with a session_key and an expiration date. Eg. : `session_key=932d2ad68f3a094c2d4da563ccb921e6479729f5b5f707eba91d4194979df20831be48a0; expires=Mon, 22-Oct-2018 19:37:02 GMT; Path=/; SameSite=Lax` """ login = hapic_data.body app_config = request.registry.settings["CFG"] # type: CFG uapi = UserApi(None, session=request.dbsession, config=app_config) ldap_connector = None if AuthType.LDAP in app_config.AUTH_TYPES: ldap_connector = get_ldap_connector(request) user = uapi.authenticate(login.email, login.password, ldap_connector) remember(request, user.user_id) return uapi.get_user_with_context(user)
def get_user_groups_by_dn(cls, request, dn): groups = [] try: connector = get_ldap_connector(request) result = connector.user_groups(dn) if result is not None: for r in result: if r and len(r) > 1: groups.append( cls.format_json_attributes( json.loads(json.dumps(dict(r[1]))))) except Exception as error: raise error return groups
def login(request): url = request.current_route_url() login = '' password = '' error = '' if 'form.submitted' in request.POST: login = request.POST['login'] password = request.POST['password'] connector = get_ldap_connector(request) data = connector.authenticate(login, password) if data is not None: dn = data[0] headers = remember(request, dn) return HTTPFound('/', headers=headers) error = 'Invalid credentials' return dict(login_url=url, login=login, password=password, error=error)
def _authenticate_user( self, request: Request, login: typing.Optional[str], password: typing.Optional[str], ) -> typing.Optional[User]: """ Helper to authenticate user in pyramid request from user email or username and password :param request: pyramid request :return: User or None """ app_config = request.registry.settings["CFG"] # type: CFG uapi = UserApi(None, session=request.dbsession, config=app_config) ldap_connector = None if AuthType.LDAP in app_config.AUTH_TYPES: ldap_connector = get_ldap_connector(request) try: user = uapi.authenticate(login=login, password=password, ldap_connector=ldap_connector,) return user except AuthenticationFailed: return None
def ldap_user_validator(request, username, password): connector = get_ldap_connector(request) cm = connector.manager data = None with cm.connection() as conn: try: ldap_settings = request.registry.settings['ldap'] base_dn = ldap_settings['base_dn'] filter_tmpl = ldap_settings['filter_tmpl'].replace('%(login)s', username) message_id = conn.search( base_dn, filter_tmpl, ldap.SUBTREE, ldap.DEREF_ALWAYS) result = conn.get_response(message_id)[0] if len(result) > 0: data = result[0]['dn'] conn.unbind() except Exception as e: log.exception(e) conn.unbind() conn = None try: conn = cm.connection(data, password) conn.unbind() except Exception as e: log.exception(e) if conn is not None: conn.unbind() data = None connection = Connections() connection.login = username connection.application = request.host if data is not None: connection.action = "CONNECT" DBSession.add(connection) return username else: connection.action = "CONNECT ERROR" DBSession.add(connection) return None
def login(self, context, request: TracimRequest, hapic_data=None): """ Logs the user into the system. In case of success, the JSON returned is the user profile. In that case, a cookie is created with a session_key and an expiration date. Eg. : `session_key=932d2ad68f3a094c2d4da563ccb921e6479729f5b5f707eba91d4194979df20831be48a0; expires=Mon, 22-Oct-2018 19:37:02 GMT; Path=/; SameSite=Lax` """ login = hapic_data.body app_config = request.registry.settings['CFG'] # type: CFG uapi = UserApi( None, session=request.dbsession, config=app_config, ) ldap_connector = None if AuthType.LDAP in app_config.AUTH_TYPES: ldap_connector = get_ldap_connector(request) user = uapi.authenticate(login.email, login.password, ldap_connector) remember(request, user.user_id) return uapi.get_user_with_context(user)
def login(request): url = request.current_route_url() login = '' password = '' error = '' if 'form.submitted' in request.POST: login = request.POST['login'] password = request.POST['password'] connector = get_ldap_connector(request) data = connector.authenticate(login, password) if data is not None: dn = data[0] headers = remember(request, dn) return HTTPFound('/', headers=headers) error = 'Invalid credentials' return dict( login_url=url, login=login, password=password, error=error)
def _callFUT(self, request): from pyramid_ldap3 import get_ldap_connector return get_ldap_connector(request)
def get_user_from_request(request): from c2cgeoportal_commons.models import DBSession from c2cgeoportal_commons.models.main import Role class O(object): pass username = unauthenticated_userid(request) if username is not None: default_mymaps_role = int(request.registry.settings['default_mymaps_role']) user = O() user.id = 0 user.username = username user.email = None user.is_mymaps_admin = False user.mymaps_role = default_mymaps_role user.ogc_role = -1 user.sn = None user.is_password_changed = None user.role_name = None connector = get_ldap_connector(request) cm = connector.manager # 0 means 'Tous publics' roletheme = 0 with cm.connection() as conn: ldap_settings = request.registry.settings['ldap'] base_dn = ldap_settings['base_dn'] filter_tmpl = ldap_settings['filter_tmpl'].replace('%(login)s', username) message_id = conn.search( base_dn, filter_tmpl, ldap.SUBTREE, ldap.DEREF_ALWAYS, ldap.ALL_ATTRIBUTES) result = conn.get_response(message_id)[0] if len(result) == 1: obj = result[0]['raw_attributes'] if 'roleTheme' in obj: # This is the plain c2cgeoportal role used for authentication. # Notably in the admin interface. # The role with name role_admin has id 645. roletheme = obj['roleTheme'][0].decode() if 'mail' in obj: user.mail = obj['mail'][0].decode() if 'sn' in obj: user.sn = obj['sn'][0].decode() else: user.sn = user.mail if 'isMymapsAdmin' in obj: user.is_mymaps_admin = "TRUE" == obj['isMymapsAdmin'][0].upper().decode() if 'roleMymaps' in obj: # This role is used for myMaps. user.mymaps_role = int(obj['roleMymaps'][0]) if 'roleOGC' in obj: # This role is used by the print proxy and internal WMS proxy. user.ogc_role = int(obj['roleOGC'][0]) conn.unbind() try: # Loading the plain c2cgeoportal role used for authentication. user.role = DBSession.query(Role).filter_by(id=roletheme).one() except Exception as e: # Fallback to the "Tous publics" role user.role = DBSession.query(Role).filter_by(id=0).one() log.exception(e) user.role_name = user.role.name user.functionalities = [] return user
def _call_fut(self, request, realm=None): from pyramid_ldap3 import get_ldap_connector return get_ldap_connector(request, realm)
def _callFUT(self, request): from pyramid_ldap3 import get_ldap_connector return get_ldap_connector(request)
def groupfinder(dn, request): connector = get_ldap_connector(request) group_list = connector.user_groups(dn) if group_list is None: return None return [dn for dn, attrs in group_list]