def check_credentials(email, password, app=None):
"""
Check if given password and email match an user in database.
Password hash comparison is based on BCrypt.
"""
try:
person = persons_service.get_person_by_email(email)
except PersonNotFoundException:
try:
person = persons_service.get_person_by_desktop_login(email)
except PersonNotFoundException:
if app is not None:
app.logger.error("Person not found: %s" % (email))
raise WrongPasswordException()
try:
password_hash = person["password"] or u''
if bcrypt.check_password_hash(password_hash, password):
return person
else:
if app is not None:
app.logger.error("Wrong password for person: %s" % person)
raise WrongPasswordException()
except ValueError:
if app is not None:
app.logger.error("Wrong password for: %s" % person)
raise WrongPasswordException()
def update_person_list_with_ldap_users(users):
for user in users:
first_name = user["first_name"]
last_name = user["last_name"]
desktop_login = user["desktop_login"]
email = user["email"]
active = user.get("active", True)
if "thumbnail" in user and len(user["thumbnail"]) > 0:
thumbnail = user["thumbnail"][0]
else:
thumbnail = ""
person = None
try:
person = persons_service.get_person_by_desktop_login(
desktop_login)
except PersonNotFoundException:
try:
person = persons_service.get_person_by_email(email)
except PersonNotFoundException:
pass
if len(email) == 0 or email == "[]" or type(email) != str:
email = "%s@%s" % (desktop_login, EMAIL_DOMAIN)
if person is None and active is True:
try:
person = persons_service.create_person(
email,
"default".encode("utf-8"),
first_name,
last_name,
desktop_login=desktop_login,
)
print("User %s created." % desktop_login)
except:
print("User %s creation failed (email duplicated?)." %
(desktop_login))
elif person is not None:
try:
active = True
persons_service.update_person(
person["id"],
{
"email": email,
"first_name": first_name,
"last_name": last_name,
"active": active,
},
)
print("User %s updated." % desktop_login)
except:
print("User %s update failed (email duplicated?)." %
(desktop_login))
if person is not None and len(thumbnail) > 0:
save_thumbnail(person, thumbnail)
def ldap_auth_strategy(email, password, app):
"""
Connect to an active directory server to know if given user can be
authenticated.
"""
person = None
try:
person = persons_service.get_person_by_email(email)
except PersonNotFoundException:
person = persons_service.get_person_by_desktop_login(email)
try:
SSL = app.config["LDAP_SSL"]
if app.config["LDAP_IS_AD_SIMPLE"]:
user = "******" % (
person["full_name"],
app.config["LDAP_BASE_DN"],
)
SSL = True
authentication = SIMPLE
elif app.config["LDAP_IS_AD"]:
user = "******" % (
app.config["LDAP_DOMAIN"],
person["desktop_login"],
)
authentication = NTLM
else:
user = "******" % (
person["desktop_login"],
app.config["LDAP_BASE_DN"],
)
authentication = SIMPLE
ldap_server = "%s:%s" % (
app.config["LDAP_HOST"],
app.config["LDAP_PORT"],
)
server = Server(ldap_server, get_info=ALL, use_ssl=SSL)
conn = Connection(
server,
user=user,
password=password,
authentication=authentication,
raise_exceptions=True,
)
conn.bind()
return person
except LDAPSocketOpenError:
app.logger.error("Cannot connect to LDAP/Active directory server %s " %
(ldap_server))
return ldap_auth_strategy_fallback(email, password, app, person)
except LDAPInvalidCredentialsResult:
app.logger.error("LDAP cannot authenticate user: %s" % email)
return ldap_auth_strategy_fallback(email, password, app, person)
def no_password_auth_strategy(email):
"""
If no password auth strategy is configured, it just checks that given email
matches an user in the database.
"""
try:
person = persons_service.get_person_by_email(email)
except PersonNotFoundException:
try:
person = persons_service.get_person_by_desktop_login(email)
except PersonNotFoundException:
return None
return person
def test_get_person_by_desktop_login(self):
self.assertRaises(PersonNotFoundException,
persons_service.get_person_by_desktop_login,
"wrong-login")
person = persons_service.get_person_by_desktop_login(
self.person_desktop_login)
person = persons_service.get_person_by_email(person["email"])
self.assertEqual(self.person_id, person["id"])
persons_service.delete_person(person["id"])
self.assertRaises(PersonNotFoundException,
persons_service.get_person_by_desktop_login,
self.person_desktop_login)
