def __init__(self, config):
    """Set up the LDAP authenticator and metadata providers from *config*.

    Relies on the parent ``__init__`` to store the configuration as
    ``self._config``. The groups provider is only built when
    ``ldap_group_enabled`` is set; otherwise ``self.ldap_groups_provider``
    is never assigned, so code touching it must check that setting first.
    """
    super().__init__(config)
    # Creation order is kept: the authenticator is built first, then the
    # user provider whose local_fields are exposed as _managed_fields.
    self.ldap_auth = self._get_ldap_auth()
    self.ldap_user_provider = self._get_ldap_user_provider()
    group_support = ini_conf_to_bool(
        self._config.get('ldap_group_enabled', False))
    if group_support:
        self.ldap_groups_provider = self._get_ldap_groups_provider()
    # presumably the user attributes LDAP is authoritative for — defined by
    # the user provider, not here
    self._managed_fields = self.ldap_user_provider.local_fields
def test_internal_groups(self):
    """Groups come from the local DB, not LDAP, while ldap_group_enabled is off.

    Uses the fixture user (a member of ``managers``) and checks that the
    configured authmetadata reports exactly that group for them.
    """
    user = DBSession.query(User).filter(
        User.email == '*****@*****.**').one()
    group = DBSession.query(Group).filter(
        Group.group_name == 'managers').one()
    identity = {'user': user}
    # Fixture sanity check: the user exists exactly once and is a manager.
    self._check_db_user('*****@*****.**', 1)
    assert user in group.users
    # This test only covers the DB-backed path, so LDAP groups must be off.
    assert ini_conf_to_bool(config.get('ldap_group_enabled', False)) is False
    authmetadata = config.get('sa_auth').authmetadata
    assert authmetadata.get_groups(
        identity=identity, userid=user.email) == ['managers']
    expected_groups = ['managers']
    actual_groups = authmetadata.get_groups(
        identity=identity, userid=user.email)
    eq_(expected_groups, actual_groups,
        "Permissions should be %s, they are %s" % (expected_groups, actual_groups))
def _get_ldap_groups_provider(self):
    """Return the LDAP groups metadata provider built from the ``ldap_*`` settings."""
    settings = self._config
    # '%(dn)s' is presumably substituted by the plugin with the authenticated
    # user's DN. NOTE(review): that is only safe if the plugin escapes the DN
    # (RFC 4515) before substitution — confirm in LDAPGroupsPlugin.
    group_filter = settings.get(
        'ldap_group_filter', '(&(objectClass=group)(member=%(dn)s))')
    # NOTE(review): STARTTLS is off unless ldap_tls is set; with a plain
    # ldap:// URL the bind password then travels unencrypted.
    use_tls = ini_conf_to_bool(settings.get('ldap_tls', False))
    return LDAPGroupsPlugin(
        url=settings.get('ldap_url'),
        base_dn=settings.get('ldap_base_dn'),
        bind_dn=settings.get('ldap_bind_dn'),
        bind_pass=settings.get('ldap_bind_pass'),
        filterstr=group_filter,
        name='groups',
        start_tls=use_tls,
    )
def _get_ldap_user_provider(self):
    """Return the LDAP metadata provider that fills in user attributes.

    ``ldap_user_attributes`` maps LDAP attribute names to TurboGears user
    attributes (``'mail=email'`` when unset); ``flatten=True`` is handed to
    the plugin unchanged.
    """
    settings = self._config
    attribute_map = settings.get('ldap_user_attributes', 'mail=email')
    # NOTE(review): STARTTLS defaults to off — confirm deployments either set
    # ldap_tls or use an ldaps:// URL, otherwise the bind password is sent in
    # clear.
    use_tls = ini_conf_to_bool(settings.get('ldap_tls', False))
    return LDAPAttributesPlugin(
        url=settings.get('ldap_url'),
        bind_dn=settings.get('ldap_bind_dn'),
        bind_pass=settings.get('ldap_bind_pass'),
        name='user',
        attributes=attribute_map,
        flatten=True,
        start_tls=use_tls,
    )
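def get_permissions(self, identity, userid):
    """Return the permission names granted to the identified user.

    Args:
        identity: identity dict; ``identity['user']`` is the authenticated
            ``User`` and only its ``email`` is read here.
        userid: user id handed over by the framework; unused, the lookup
            goes by ``identity['user'].email``.

    Returns:
        list[str]: ``permission_name`` of every permission of the user.

    Raises:
        NotImplementedError: when ``ldap_group_enabled`` is set. LDAP-backed
            permissions are not implemented, so the call fails closed instead
            of silently falling back to DB permissions.
        NoResultFound / MultipleResultsFound: from SQLAlchemy's ``.one()``
            when the email does not identify exactly one user.
    """
    # Default False keeps this check in step with the other
    # ldap_group_enabled reads in this backend.
    if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
        raise NotImplementedError("LDAP-backed permissions are not implemented")
    # TODO - B.S. - 20160212: reading identity['user'].groups directly fails
    # with "Parent instance XXX is not bound to a Session", hence the user is
    # re-loaded in the current session. To be discussed with Damien.
    user = DBSession.query(User).filter(
        User.email == identity['user'].email).one()
    # (the former second return reading identity['user'].permissions was
    # unreachable and has been dropped)
    return [p.permission_name for p in user.permissions]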
def _get_ldap_groups_provider(self):
    """Return the LDAP groups metadata provider built from the ``ldap_*`` settings."""
    default_filter = '(&(objectClass=group)(member=%(dn)s))'
    plugin_options = {
        'url': self._config.get('ldap_url'),
        'base_dn': self._config.get('ldap_base_dn'),
        'bind_dn': self._config.get('ldap_bind_dn'),
        'bind_pass': self._config.get('ldap_bind_pass'),
        # '%(dn)s' is presumably filled in by the plugin with the user's DN.
        # NOTE(review): safe only if the plugin escapes the DN (RFC 4515)
        # before substitution — confirm in LDAPGroupsPlugin.
        'filterstr': self._config.get('ldap_group_filter', default_filter),
        'name': 'groups',
        # NOTE(review): STARTTLS defaults to off; with a plain ldap:// URL the
        # bind password travels unencrypted.
        'start_tls': ini_conf_to_bool(self._config.get('ldap_tls', False)),
    }
    return LDAPGroupsPlugin(**plugin_options)
def feed_config(self):
    """Wire the LDAP plugins into the ``sa_auth`` configuration.

    Sets ``auth_backend`` to ``'ldapauth'``, installs the LDAP authenticator
    and the user metadata provider, and replaces ``authmetadata`` with the
    LDAP variant. Turning on ``ldap_group_enabled`` is rejected with a
    ``ConfigurationError`` because group support is not available yet.
    """
    super().feed_config()
    self._config['auth_backend'] = 'ldapauth'
    sa_auth = self._config['sa_auth']
    sa_auth.authenticators = [('ldapauth', self.ldap_auth)]
    providers = [('ldapuser', self.ldap_user_provider)]
    if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
        # Fail closed: LDAP group metadata is not supported yet, so the
        # append below stays unreachable until this guard is lifted.
        raise ConfigurationError("ldap_group_enabled is not yet available")
        providers.append(('ldapgroups', self.ldap_groups_provider))
    sa_auth.mdproviders = providers
    sa_auth.authmetadata = LDAPApplicationAuthMetadata(sa_auth)
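def get_permissions(self, identity, userid):
    """Return the permission names granted to the identified user.

    Args:
        identity: identity dict; ``identity['user']`` is the authenticated
            ``User`` and only its ``email`` is read here.
        userid: user id handed over by the framework; unused, the lookup
            goes by ``identity['user'].email``.

    Returns:
        list[str]: ``permission_name`` of every permission of the user.

    Raises:
        NotImplementedError: when ``ldap_group_enabled`` is set. LDAP-backed
            permissions are not implemented, so the call fails closed instead
            of silently falling back to DB permissions.
        NoResultFound / MultipleResultsFound: from SQLAlchemy's ``.one()``
            when the email does not identify exactly one user.
    """
    # Default False keeps this check in step with the other
    # ldap_group_enabled reads in this backend.
    if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
        raise NotImplementedError("LDAP-backed permissions are not implemented")
    # TODO - B.S. - 20160212: reading identity['user'].groups directly fails
    # with "Parent instance XXX is not bound to a Session", hence the user is
    # re-loaded in the current session. To be discussed with Damien.
    user = DBSession.query(User).filter(
        User.email == identity['user'].email).one()
    # (the former second return reading identity['user'].permissions was
    # unreachable and has been dropped)
    return [p.permission_name for p in user.permissions]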
def _get_ldap_auth(self):
    """Return the configured ``LDAPSearchAuthenticatorPlugin``, linked to this backend."""
    settings = self._config
    plugin = LDAPSearchAuthenticatorPlugin(
        url=settings.get('ldap_url'),
        base_dn=settings.get('ldap_base_dn'),
        bind_dn=settings.get('ldap_bind_dn'),
        bind_pass=settings.get('ldap_bind_pass'),
        # what the plugin reports as the authenticated id
        returned_id='login',
        # the LDAP attribute that holds the user name
        naming_attribute=settings.get('ldap_naming_attribute'),
        # NOTE(review): off by default — with an ldap:// URL the service bind
        # and every user password then cross the wire unencrypted; confirm
        # deployments set ldap_tls or use ldaps://.
        start_tls=ini_conf_to_bool(settings.get('ldap_tls', False)),
    )
    # presumably hands this backend to the plugin for callbacks; the exact
    # behaviour lives in LDAPSearchAuthenticatorPlugin, not here
    plugin.set_auth(self)
    return plugin
def feed_config(self):
    """Wire the LDAP plugins into the ``sa_auth`` configuration.

    Sets ``auth_backend`` to ``'ldapauth'``, installs the LDAP authenticator
    and the user metadata provider, and replaces ``authmetadata`` with the
    LDAP variant. Turning on ``ldap_group_enabled`` is rejected with a
    ``ConfigurationError`` because group support is not available yet.
    """
    super().feed_config()
    self._config['auth_backend'] = 'ldapauth'
    sa_auth = self._config['sa_auth']
    sa_auth.authenticators = [('ldapauth', self.ldap_auth)]
    providers = [('ldapuser', self.ldap_user_provider)]
    group_support = ini_conf_to_bool(
        self._config.get('ldap_group_enabled', False))
    if group_support:
        # Fail closed: LDAP group metadata is not supported yet, so the
        # append below stays unreachable until this guard is lifted.
        raise ConfigurationError("ldap_group_enabled is not yet available")
        providers.append(('ldapgroups', self.ldap_groups_provider))
    sa_auth.mdproviders = providers
    sa_auth.authmetadata = LDAPApplicationAuthMetadata(sa_auth)