def get_group_members(self, group_info):
if not self.is_ad:
members = []
member_attrs = list(set(GROUP_MEMBER_MAP.values()))
for member_attr in member_attrs:
if member_attr in group_info:
m = group_info.get(member_attr, [])
if isinstance(m, basestring):
m = [m]
members.extend(m)
return members
else:
group_dn = group_info['distinguishedName']
group_info['dn'] = group_dn
if self._cached_groups is None:
self._cached_groups = self.get_groups(use_lookup_base=True)
child_groups = self.get_children(group_dn)
child_groups.append(group_dn)
members = []
member_attrs = list(set(GROUP_MEMBER_MAP.values()))
for grp_dn in child_groups:
grp = [g for g in self._cached_groups if g[0] == grp_dn][0]
for member_attr in member_attrs:
if member_attr in grp[1]:
m = grp[1].get(member_attr, [])
if isinstance(m, basestring):
m = [m]
members.extend(m)
return list(set(members))
def get_group_members(self, group_info):
if not self.is_ad:
members = []
member_attrs = list(set(GROUP_MEMBER_MAP.values()))
for member_attr in member_attrs:
if member_attr in group_info:
m = group_info.get(member_attr, [])
if isinstance(m, basestring):
m = [m]
members.extend(m)
return members
else:
group_dn = group_info['distinguishedName']
group_info['dn'] = group_dn
if self._cached_groups is None:
self._cached_groups = self.get_groups()
child_groups = self.get_children(group_dn)
child_groups.append(group_dn)
members = []
member_attrs = list(set(GROUP_MEMBER_MAP.values()))
for grp_dn in child_groups:
grp = [g for g in self._cached_groups if g[0] == grp_dn][0]
for member_attr in member_attrs:
if member_attr in grp[1]:
m = grp[1].get(member_attr, [])
if isinstance(m, basestring):
m = [m]
members.extend(m)
return list(set(members))
def manage_editUserRoles(self, user_dn, role_dns=[], REQUEST=None):
""" Edit the roles (groups) of a user """
all_groups = self.getGroups(attr='dn')
cur_groups = self.getGroups(dn=user_dn, attr='dn')
operations = []
luf = self.getLUF()
user = self.getUserByDN(user_dn)
if user is None:
return
for role_dn in role_dns:
if role_dn not in all_groups:
newgroup_type = 'groupOfUniqueNames'
newgroup_member = GROUP_MEMBER_MAP.get(newgroup_type)
newgroup_name = luf._delegate.explode_dn(role_dn, 1)[0]
connection = luf._connect()
attr_list = [ ('objectClass', ['top', newgroup_type])
, ('cn', newgroup_name)
, (newgroup_member, [user_dn, luf._binduid])
]
connection.add_s(role_dn, attr_list)
for group in all_groups:
if group in cur_groups and group not in role_dns:
operations.append({ 'op' : luf._delegate.DELETE
, 'target' : group
, 'type' : luf.getGroupType(group)
} )
elif group in role_dns and group not in cur_groups:
operations.append({ 'op' : luf._delegate.ADD
, 'target' : group
, 'type' : luf.getGroupType(group)
} )
if operations:
connection = luf._connect()
for to_do in operations:
mod_list = ( ( to_do['op']
, GROUP_MEMBER_MAP.get(to_do['type'])
, user_dn
), )
try:
connection.modify_s(to_do['target'], mod_list)
except Exception, e:
msg = str(e)
msg = 'Roles changed for %s' % (user_dn)
def manage_editUserRoles(self, user_dn, role_dns=[], REQUEST=None):
""" Edit the roles (groups) of a user """
all_groups = self.getGroups(attr='dn')
cur_groups = self.getGroups(dn=user_dn, attr='dn')
operations = []
luf = self.getLUF()
user = self.getUserByDN(user_dn)
if user is None:
return
for role_dn in role_dns:
if role_dn not in all_groups:
newgroup_type = 'groupOfUniqueNames'
newgroup_member = GROUP_MEMBER_MAP.get(newgroup_type)
newgroup_name = luf._delegate.explode_dn(role_dn, 1)[0]
connection = luf._connect()
attr_list = [('objectClass', ['top', newgroup_type]),
('cn', newgroup_name),
(newgroup_member, [user_dn, luf._binduid])]
connection.add_s(role_dn, attr_list)
for group in all_groups:
if group in cur_groups and group not in role_dns:
operations.append({
'op': luf._delegate.DELETE,
'target': group,
'type': luf.getGroupType(group)
})
elif group in role_dns and group not in cur_groups:
operations.append({
'op': luf._delegate.ADD,
'target': group,
'type': luf.getGroupType(group)
})
if operations:
connection = luf._connect()
for to_do in operations:
mod_list = ((to_do['op'], GROUP_MEMBER_MAP.get(to_do['type']),
user_dn), )
try:
connection.modify_s(to_do['target'], mod_list)
except Exception, e:
msg = str(e)
msg = 'Roles changed for %s' % (user_dn)
def getGroupedUsers(self, groups=None):
""" Retrieve all users that in the groups i know about """
all_dns = {}
users = []
luf = self.getLUF()
possible_members = list(Set(GROUP_MEMBER_MAP.values()))
if groups is None:
groups = self.getGroups()
for group_id, group_dn in groups:
group_details = self.getGroupDetails(group_id)
for attribute_name, dn_list in group_details:
if attribute_name in possible_members:
for dn in dn_list:
all_dns[dn] = 1
for dn in all_dns.keys():
user = luf.getUserByDN(dn)
if user is not None:
users.append(user.__of__(self))
return tuple(users)
def get_groups(self, use_lookup_base=False):
"""Return all LDAP groups below the adapted LDAPUserFolder's
`groups_base` (or the `lookup_groups_base` if `use_lookup_base` is True).
If defined, the `group_filter` property on the adapted LDAPUserFolder
is used to further filter the results.
"""
# Build a filter expression that matches objectClasses for all
# possible group objectClasseses encountered in the wild
possible_classes = ''
for oc in GROUP_MEMBER_MAP.keys():
# concatenate (objectClass=foo) pairs
possible_classes += filter_format('(%s=%s)', ('objectClass', oc))
# Build the final OR expression:
# (|(objectClass=aaa)(objectClass=bbb)(objectClass=ccc))
search_filter = '(|%s)' % possible_classes
custom_filter = self.get_group_filter()
search_filter = self._combine_filters(custom_filter, search_filter)
if use_lookup_base:
base_dn = getattr(
self.context, 'lookup_groups_base', self.context.groups_base)
else:
base_dn = self.context.groups_base
results = self.search(base_dn=base_dn, search_filter=search_filter)
mapped_results = []
for result in results:
mapped_results.append(self.apply_schema_map(result))
return mapped_results
def getGroupedUsers(self, groups=None):
""" Retrieve all users that in the groups i know about """
all_dns = {}
users = []
luf = self.getLUF()
possible_members = list(Set(GROUP_MEMBER_MAP.values()))
if groups is None:
groups = self.getGroups()
for group_id, group_dn in groups:
group_details = self.getGroupDetails(group_id)
for attribute_name, dn_list in group_details:
if attribute_name in possible_members:
for dn in dn_list:
all_dns[dn] = 1
for dn in all_dns.keys():
user = luf.getUserByDN(dn)
if user is not None:
users.append(user.__of__(self))
return tuple(users)
def get_groups(self):
"""Return all LDAP groups below the adapted LDAPUserFolder's
groups_base.
If defined, the `group_filter` property on the adapted LDAPUserFolder
is used to further filter the results.
"""
# Build a filter expression that matches objectClasses for all
# possible group objectClasseses encountered in the wild
possible_classes = ''
for oc in GROUP_MEMBER_MAP.keys():
# concatenate (objectClass=foo) pairs
possible_classes += filter_format('(%s=%s)', ('objectClass', oc))
# Build the final OR expression:
# (|(objectClass=aaa)(objectClass=bbb)(objectClass=ccc))
search_filter = '(|%s)' % possible_classes
custom_filter = self.get_group_filter()
if custom_filter not in [None, '']:
search_filter = self._combine_filters(custom_filter, search_filter)
results = self.search(base_dn=self.context.groups_base,
filter=search_filter)
mapped_results = []
for result in results:
mapped_results.append(self.apply_schema_map(result))
return mapped_results
def getGroups(self, dn='*', attr=None):
""" return group records i know about """
group_list = []
if self.groups_base:
no_show = ('Anonymous', 'Authenticated', 'Shared')
if dn == '*':
group_classes = GROUP_MEMBER_MAP.keys()
filt_list = [
filter_format('(%s=%s)', ('objectClass', g))
for g in group_classes
]
group_filter = '(|%s)' % ''.join(filt_list)
else:
member_attrs = list(Set(GROUP_MEMBER_MAP.values()))
filt_list = [
filter_format('(%s=%s)', (m_attr, dn))
for m_attr in member_attrs
]
group_filter = '(|%s)' % ''.join(filt_list)
luf = self.getLUF()
res = luf._delegate.search(self.groups_base,
self.groups_scope,
group_filter,
attrs=['dn', 'cn'])
if res['size'] > 0:
resultset = res['results']
for i in range(res['size']):
dn = resultset[i].get('dn')
try:
cn = resultset[i].get('cn')[0]
except KeyError: # NDS oddity
cn = luf._delegate.explode_dn(dn, 1)[0]
if attr is None:
group_list.append((cn, dn))
elif attr == 'cn':
group_list.append(cn)
elif attr == 'dn':
group_list.append(dn)
return group_list
def getGroups(self, dn='*', attr=None):
""" return group records i know about """
group_list = []
if self.groups_base:
no_show = ('Anonymous', 'Authenticated', 'Shared')
if dn == '*':
group_classes = GROUP_MEMBER_MAP.keys()
filt_list = [ filter_format('(%s=%s)', ('objectClass', g))
for g in group_classes ]
group_filter = '(|%s)' % ''.join(filt_list)
else:
member_attrs = list(Set(GROUP_MEMBER_MAP.values()))
filt_list = [ filter_format('(%s=%s)', (m_attr, dn))
for m_attr in member_attrs ]
group_filter = '(|%s)' % ''.join(filt_list)
luf = self.getLUF()
res = luf._delegate.search( self.groups_base
, self.groups_scope
, group_filter
, attrs=['dn', 'cn']
)
if res['size'] > 0:
resultset = res['results']
for i in range(res['size']):
dn = resultset[i].get('dn')
try:
cn = resultset[i].get('cn')[0]
except KeyError: # NDS oddity
cn = luf._delegate.explode_dn(dn, 1)[0]
if attr is None:
group_list.append((cn, dn))
elif attr == 'cn':
group_list.append(cn)
elif attr == 'dn':
group_list.append(dn)
return group_list
def manage_editGroupRoles(self, user_dn, role_dns=[], REQUEST=None):
""" Edit the roles (groups) of a group """
from Products.LDAPUserFolder.utils import GROUP_MEMBER_MAP
try:
from Products.LDAPUserFolder.LDAPDelegate import ADD, DELETE
except ImportError:
# Support for LDAPUserFolder >= 2.6
ADD = self._delegate.ADD
DELETE = self._delegate.DELETE
msg = ""
## Log(LOG_DEBUG, "assigning", role_dns, "to", user_dn)
all_groups = self.getGroups(attr='dn')
cur_groups = self.getGroups(dn=user_dn, attr='dn')
group_dns = []
for group in role_dns:
if group.find('=') == -1:
group_dns.append('cn=%s,%s' % (group, self.groups_base))
else:
group_dns.append(group)
if self._local_groups:
if len(role_dns) == 0:
del self._groups_store[user_dn]
else:
self._groups_store[user_dn] = role_dns
else:
for group in all_groups:
member_attr = GROUP_MEMBER_MAP.get(self.getGroupType(group))
if group in cur_groups and group not in group_dns:
action = DELETE
elif group in group_dns and group not in cur_groups:
action = ADD
else:
action = None
if action is not None:
msg = self._delegate.modify(
group
, action
, {member_attr : [user_dn]}
)
## Log(LOG_DEBUG, "group", group, "subgroup", user_dn, "result", msg)
if msg:
raise RuntimeError, msg
def manage_editGroupRoles(self, user_dn, role_dns=[], REQUEST=None):
""" Edit the roles (groups) of a group """
from Products.LDAPUserFolder.utils import GROUP_MEMBER_MAP
try:
from Products.LDAPUserFolder.LDAPDelegate import ADD, DELETE
except ImportError:
# Support for LDAPUserFolder >= 2.6
ADD = self._delegate.ADD
DELETE = self._delegate.DELETE
msg = ""
## Log(LOG_DEBUG, "assigning", role_dns, "to", user_dn)
all_groups = self.getGroups(attr='dn')
cur_groups = self.getGroups(dn=user_dn, attr='dn')
group_dns = []
for group in role_dns:
if group.find('=') == -1:
group_dns.append('cn=%s,%s' % (group, self.groups_base))
else:
group_dns.append(group)
if self._local_groups:
if len(role_dns) == 0:
del self._groups_store[user_dn]
else:
self._groups_store[user_dn] = role_dns
else:
for group in all_groups:
member_attr = GROUP_MEMBER_MAP.get(self.getGroupType(group))
if group in cur_groups and group not in group_dns:
action = DELETE
elif group in group_dns and group not in cur_groups:
action = ADD
else:
action = None
if action is not None:
msg = self._delegate.modify(group, action,
{member_attr: [user_dn]})
## Log(LOG_DEBUG, "group", group, "subgroup", user_dn, "result", msg)
if msg:
raise RuntimeError, msg
def getGroupDetails(self, encoded_cn):
""" Return all group details """
result = []
cn = urllib.unquote(encoded_cn)
luf = self.getLUF()
res = luf._delegate.search(self.groups_base, self.groups_scope,
'(cn=%s)' % cn,
list(Set(GROUP_MEMBER_MAP.values())))
if res['exception']:
result = (('Exception', res['exception']), )
elif res['size'] > 0:
result = res['results'][0].items()
result.sort()
return tuple(result)
def getUsersByRole(self, acl_folder, groups=None):
""" Return all those users that are in a group """
all_dns = {}
res = []
res_append = res.append
member_attrs = GROUP_MEMBER_MAP.values()
if groups is None: return ()
for group_id, group_dn in groups:
dn = self.getRootDN(acl_folder)
scope = self.getGroupScope(acl_folder)
result = self.delegate.search(dn, scope, filter_format('(cn=%s)', (group_id,)), ['uniqueMember', 'member'])
for val in result['results']:
for dn in val['uniqueMember']:
info = self.delegate.search(base=dn, scope=ldap.SCOPE_BASE)
[ res_append(i) for i in info['results'] ]
return res
def getUsersByRole(self, acl_folder, groups=None):
""" Return all those users that are in a group """
all_dns = {}
res = []
res_append = res.append
member_attrs = GROUP_MEMBER_MAP.values()
if groups is None: return ()
for group_id, group_dn in groups:
dn = self.getRootDN(acl_folder)
scope = self.getGroupScope(acl_folder)
result = self.delegate.search(dn, scope, filter_format('(cn=%s)', (group_id,)), ['uniqueMember', 'member'])
for val in result['results']:
for dn in val['uniqueMember']:
info = self.delegate.search(base=dn, scope=ldap.SCOPE_BASE)
[ res_append(i) for i in info['results'] ]
return res
def getGroupDetails(self, encoded_cn):
""" Return all group details """
result = []
cn = urllib.unquote(encoded_cn)
luf = self.getLUF()
res = luf._delegate.search( self.groups_base
, self.groups_scope
, '(cn=%s)' % cn
, list(Set(GROUP_MEMBER_MAP.values()))
)
if res['exception']:
result = (('Exception', res['exception']),)
elif res['size'] > 0:
result = res['results'][0].items()
result.sort()
return tuple(result)
def get_groups(self, use_lookup_base=False):
"""Return all LDAP groups below the adapted LDAPUserFolder's
`groups_base` (or the `lookup_groups_base` if `use_lookup_base` is True).
If defined, the `group_filter` property on the adapted LDAPUserFolder
is used to further filter the results.
"""
# Build a filter expression that matches objectClasses for all
# possible group objectClasseses encountered in the wild
possible_classes = ''
for oc in GROUP_MEMBER_MAP.keys():
# concatenate (objectClass=foo) pairs
possible_classes += filter_format('(%s=%s)', ('objectClass', oc))
# Build the final OR expression:
# (|(objectClass=aaa)(objectClass=bbb)(objectClass=ccc))
search_filter = '(|%s)' % possible_classes
custom_filter = self.get_group_filter()
search_filter = self._combine_filters(custom_filter, search_filter)
if use_lookup_base:
base_dn = getattr(
self.context, 'lookup_groups_base', self.context.groups_base)
else:
base_dn = self.context.groups_base
results = self.search(base_dn=base_dn, filter=search_filter)
mapped_results = []
for result in results:
dn, entry = result
if dn is None:
# This is likely a referral to be hunted down by
# client-chasing. We don't support those.
logger.info('Skipping referral: %r' % (result, ))
continue
mapped_results.append(self.apply_schema_map(result))
return mapped_results
def getUsersByRole(self, acl_folder, groups=None):
""" Return all those users that are in a group """
all_dns = {}
res = []
res_append = res.append
member_attrs = GROUP_MEMBER_MAP.values()
if groups is None:
return ()
for group_id, group_dn in groups:
dn = self.getRootDN(acl_folder)
scope = self.getGroupScope(acl_folder)
delegate = self.get_ldap_delegate()
result = delegate.search(dn, scope, filter_format("(cn=%s)", (group_id,)), ["uniqueMember", "member"])
for val in result["results"]:
for dn in val["uniqueMember"]:
p_username = self._user_id_from_dn(dn)
info = self.get_source_user_info(p_username)
res_append(info)
return res
def getUsersByRole(self, acl_folder, groups=None):
""" Return all those users that are in a group """
all_dns = {}
res = []
res_append = res.append
member_attrs = GROUP_MEMBER_MAP.values()
if groups is None: return ()
for group_id, group_dn in groups:
dn = self.getRootDN(acl_folder)
scope = self.getGroupScope(acl_folder)
delegate = self.get_ldap_delegate()
result = delegate.search(dn, scope,
filter_format('(cn=%s)', (group_id, )),
['uniqueMember', 'member'])
for val in result['results']:
for dn in val['uniqueMember']:
p_username = self._user_id_from_dn(dn)
info = self.get_source_user_info(p_username)
res_append(info)
return res
def getAdditionalRoles(self, user, already_added=()):
""" extend the user roles """
my_path = self.absolute_url(1)
add_role_dict = {}
if user is None:
return []
if self.recurse == 1:
self_path = self.getPhysicalPath()
other_satellites = self.superValues('LDAPUserSatellite')
other_satellites.reverse()
for sat in other_satellites:
if sat.getPhysicalPath() != self_path:
add_role_list = sat.getAdditionalRoles(user, already_added)
newly_added = {}
for add_role in add_role_list:
newly_added[add_role] = 1
for add_role in already_added:
newly_added[add_role] = 1
already_added = tuple(newly_added.keys())
luf = self.getLUF()
user_id = user.getId()
user_expiration = user._created + luf.getCacheTimeout('authenticated')
if ( self._cache('users').has_key(user_id) and
self._cache('expiration').get(user_id, 0) >= user_expiration ):
logger.debug('Used cached user "%s"' % user_id)
return self._cache('users').get(user_id)
if self.groups_base: # We were given a search base, so search there
user_dn = user.getUserDN()
member_attrs = list(Set(GROUP_MEMBER_MAP.values()))
filt_list = [ filter_format('(%s=%s)', (m_attr, user_dn))
for m_attr in member_attrs ]
group_filter = '(|%s)' % ''.join(filt_list)
res = luf._delegate.search( self.groups_base
, self.groups_scope
, group_filter
, attrs = ['dn', 'cn']
)
if res['size'] > 0:
resultset = res['results']
for i in range(res['size']):
dn = resultset[i].get('dn')
try:
cn = resultset[i].get('cn')[0]
except KeyError: # NDS oddity
cn = luf._delegate.explode_dn(dn, 1)[0]
add_role_dict[cn] = 1
for add_role in already_added:
add_role_dict[add_role] = 1
already_added = ()
if self.groups_map: # We have a group mapping, so map away
user_roles = list(user.getRoles())
roles = user_roles[:]
roles.extend(add_role_dict.keys())
roles.extend(list(user._getLDAPGroups()))
for role in roles:
mapped_roles = self.groups_map.get(role, [])
for mapped_role in mapped_roles:
if mapped_role and mapped_role not in user_roles:
add_role_dict[mapped_role] = 1
added_roles = add_role_dict.keys()
if added_roles:
add_roles = ', '.join(added_roles)
logger.debug('Added roles "%s" to user "%s"' % (add_roles, user_id))
self._cacheRoles(user_id, added_roles, user_expiration)
return added_roles
def getAdditionalRoles(self, user, already_added=()):
""" extend the user roles """
my_path = self.absolute_url(1)
add_role_dict = {}
if user is None:
return []
if self.recurse == 1:
self_path = self.getPhysicalPath()
other_satellites = self.superValues('LDAPUserSatellite')
other_satellites.reverse()
for sat in other_satellites:
if sat.getPhysicalPath() != self_path:
add_role_list = sat.getAdditionalRoles(user, already_added)
newly_added = {}
for add_role in add_role_list:
newly_added[add_role] = 1
for add_role in already_added:
newly_added[add_role] = 1
already_added = tuple(newly_added.keys())
luf = self.getLUF()
user_id = user.getId()
user_expiration = user._created + luf.getCacheTimeout('authenticated')
if (self._cache('users').has_key(user_id) and
self._cache('expiration').get(user_id, 0) >= user_expiration):
logger.debug('Used cached user "%s"' % user_id)
return self._cache('users').get(user_id)
if self.groups_base: # We were given a search base, so search there
user_dn = user.getUserDN()
member_attrs = list(Set(GROUP_MEMBER_MAP.values()))
filt_list = [
filter_format('(%s=%s)', (m_attr, user_dn))
for m_attr in member_attrs
]
group_filter = '(|%s)' % ''.join(filt_list)
res = luf._delegate.search(self.groups_base,
self.groups_scope,
group_filter,
attrs=['dn', 'cn'])
if res['size'] > 0:
resultset = res['results']
for i in range(res['size']):
dn = resultset[i].get('dn')
try:
cn = resultset[i].get('cn')[0]
except KeyError: # NDS oddity
cn = luf._delegate.explode_dn(dn, 1)[0]
add_role_dict[cn] = 1
for add_role in already_added:
add_role_dict[add_role] = 1
already_added = ()
if self.groups_map: # We have a group mapping, so map away
user_roles = list(user.getRoles())
roles = user_roles[:]
roles.extend(add_role_dict.keys())
roles.extend(list(user._getLDAPGroups()))
for role in roles:
mapped_roles = self.groups_map.get(role, [])
for mapped_role in mapped_roles:
if mapped_role and mapped_role not in user_roles:
add_role_dict[mapped_role] = 1
added_roles = add_role_dict.keys()
if added_roles:
add_roles = ', '.join(added_roles)
logger.debug('Added roles "%s" to user "%s"' %
(add_roles, user_id))
self._cacheRoles(user_id, added_roles, user_expiration)
return added_roles
