def _get_or_create_ldap_user(ldap_user_dict): """Get or create a CKAN user from the data returned by the LDAP server @param ldap_user_dict: Dictionary as returned by _find_ldap_user @return: The CKAN username of an existing user """ # Look for existing user, and if found return it. ldap_user = LdapUser.by_ldap_id(ldap_user_dict['username']) if ldap_user: # TODO: Update the user detail. return ldap_user.user.name # Check whether we have a name conflict (based on the ldap name, without mapping it to allowed chars) exists = _ckan_user_exists(ldap_user_dict['username']) if exists['exists'] and not exists['is_ldap']: raise UserConflictError( _('There is a username conflict. Please inform the site administrator.' )) # If a user with the same ckan name already exists but is an LDAP user, this means (given that we didn't # find it above) that the conflict arises from having mangled another user's LDAP name. There will not # however be a conflict based on what is entered in the user prompt - so we can go ahead. The current # user's id will just be mangled to something different. # Now get a unique user name, and create the CKAN user and the LdapUser entry. user_name = _get_unique_user_name(ldap_user_dict['username']) user_dict = { 'name': user_name, 'email': ldap_user_dict['email'], 'password': str(uuid.uuid4()) } if 'fullname' in ldap_user_dict: user_dict['fullname'] = ldap_user_dict['fullname'] if 'about' in ldap_user_dict: user_dict['about'] = ldap_user_dict['about'] ckan_user = p.toolkit.get_action('user_create')(context={ 'ignore_auth': True }, data_dict=user_dict) ldap_user = LdapUser(user_id=ckan_user['id'], ldap_id=ldap_user_dict['username']) ckan.model.Session.add(ldap_user) ckan.model.Session.commit() # Add the user to it's group if needed if 'ldap.organization.id' in config: p.toolkit.get_action('member_create')( context={ 'ignore_auth': True }, data_dict={ 'id': config['ldap.organization.id'], 'object': user_name, 'object_type': 'user', 'capacity': config['ldap.organization.role'] }) return user_name
def user_update(next_auth, context, data_dict): '''Ensure LDAP users cannot be edited, and name clash with ldap users :param next_auth: the next auth function in the chain :param context: :param data_dict: ''' user_obj = None try: user_obj = auth.get_user_object(context, data_dict) except toolkit.ObjectNotFound: pass # Prevent edition of LDAP users (if so configured) if toolkit.config[ u'ckanext.ldap.prevent_edits'] and user_obj and LdapUser.by_user_id( user_obj.id): return { u'success': False, u'msg': toolkit._(u'Cannot edit LDAP users') } # Prevent name clashes! if u'name' in data_dict and user_obj and user_obj.name != data_dict[ u'name']: ldap_user_dict = find_ldap_user(data_dict[u'name']) if ldap_user_dict: if len(user_obj.ldap_user) == 0 or user_obj.ldap_user[0].ldap_id != \ ldap_user_dict[u'ldap_id']: return { u'success': False, u'msg': toolkit._(u'An LDAP user by that name already exists') } return next_auth(context, data_dict)
def _get_or_create_ldap_user(ldap_user_dict): """Get or create a CKAN user from the data returned by the LDAP server @param ldap_user_dict: Dictionary as returned by _find_ldap_user @return: The CKAN username of an existing user """ # Look for existing user, and if found return it. ldap_user = LdapUser.by_ldap_id(ldap_user_dict['username']) if ldap_user: # TODO: Update the user detail. return ldap_user.user.name # Check whether we have a name conflict (based on the ldap name, without mapping it to allowed chars) exists = _ckan_user_exists(ldap_user_dict['username']) if exists['exists'] and not exists['is_ldap']: raise UserConflictError(_('There is a username conflict. Please inform the site administrator.')) # If a user with the same ckan name already exists but is an LDAP user, this means (given that we didn't # find it above) that the conflict arises from having mangled another user's LDAP name. There will not # however be a conflict based on what is entered in the user prompt - so we can go ahead. The current # user's id will just be mangled to something different. # Now get a unique user name, and create the CKAN user and the LdapUser entry. user_name = _get_unique_user_name(ldap_user_dict['username']) user_dict = { 'name': user_name, 'email': ldap_user_dict['email'], 'password': str(uuid.uuid4()) } if 'fullname' in ldap_user_dict: user_dict['fullname'] = ldap_user_dict['fullname'] if 'about' in ldap_user_dict: user_dict['about'] = ldap_user_dict['about'] ckan_user = p.toolkit.get_action('user_create')( context={'ignore_auth': True}, data_dict=user_dict ) ldap_user = LdapUser(user_id=ckan_user['id'], ldap_id = ldap_user_dict['username']) ckan.model.Session.add(ldap_user) ckan.model.Session.commit() # Add the user to it's group if needed if 'ldap.organization.id' in config: p.toolkit.get_action('member_create')( context={'ignore_auth': True}, data_dict={ 'id': config['ldap.organization.id'], 'object': user_name, 'object_type': 'user', 'capacity': config['ldap.organization.role'] } ) return user_name
def _ckan_user_exists(user_name): """Check if a CKAN user name exists, and if that user is an LDAP user. @param user_name: User name to check @return: Dictionary defining 'exists' and 'ldap'. """ try: user = p.toolkit.get_action('user_show')(data_dict = {'id': user_name}) except p.toolkit.ObjectNotFound: return {'exists': False, 'is_ldap': False} ldap_user = LdapUser.by_user_id(user['id']) if ldap_user: return {'exists': True, 'is_ldap': True} else: return {'exists': True, 'is_ldap': False}
def ckan_user_exists(user_name): '''Check if a CKAN user name exists, and if that user is an LDAP user. :param user_name: User name to check :returns: Dictionary defining 'exists' and 'ldap'. ''' try: user = get_user_dict(user_name) except toolkit.ObjectNotFound: return {u'exists': False, u'is_ldap': False} ldap_user = LdapUser.by_user_id(user[u'id']) if ldap_user: return {u'exists': True, u'is_ldap': True} else: return {u'exists': True, u'is_ldap': False}
def user_update(context, data_dict): """Ensure LDAP users cannot be edited, and name clash with ldap users""" user_obj = None try: user_obj = ckan.logic.auth.get_user_object(context, data_dict) except ckan.logic.NotFound: pass # Prevent edition of LDAP users (if so configured) if config['ldap.prevent_edits'] and user_obj and LdapUser.by_user_id(user_obj.id): return {'success': False, 'msg': _('Cannot edit LDAP users')} # Prevent name clashes! if 'name' in data_dict and user_obj and user_obj.name != data_dict['name']: ldap_user_dict = _find_ldap_user(data_dict['name']) if ldap_user_dict: if len(user_obj.ldap_user) == 0 or user_obj.ldap_user[0].ldap_id != ldap_user_dict['ldap_id']: return {'success': False, 'msg': _('An LDAP user by that name already exists')} return ckan_user_update(context, data_dict)
def get_or_create_ldap_user(ldap_user_dict): '''Get or create a CKAN user from the data returned by the LDAP server :param ldap_user_dict: Dictionary as returned by _find_ldap_user :returns: The CKAN username of an existing user ''' # Look for existing user, and if found return it. ldap_user = LdapUser.by_ldap_id(ldap_user_dict[u'username']) if ldap_user: # TODO: Update the user detail. return ldap_user.user.name user_dict = {} update = False # Check whether we have a name conflict (based on the ldap name, without mapping # it to allowed chars) exists = ckan_user_exists(ldap_user_dict[u'username']) if exists[u'exists'] and not exists[u'is_ldap']: # If ckanext.ldap.migrate is set, update exsting user_dict. if not toolkit.config[u'ckanext.ldap.migrate']: raise UserConflictError( toolkit. _(u'There is a username conflict. Please inform the site administrator.' )) else: user_dict = get_user_dict(ldap_user_dict[u'username']) update = True # If a user with the same ckan name already exists but is an LDAP user, this means # (given that we didn't find it above) that the conflict arises from having mangled # another user's LDAP name. There will not however be a conflict based on what is # entered in the user prompt - so we can go ahead. The current user's id will just # be mangled to something different. # Now get a unique user name (if not "migrating"), and create the CKAN user and # the LdapUser entry. user_name = user_dict[u'name'] if update else get_unique_user_name( ldap_user_dict[u'username']) user_dict.update({ u'name': user_name, u'email': ldap_user_dict[u'email'], u'password': str(uuid.uuid4()) }) if u'fullname' in ldap_user_dict: user_dict[u'fullname'] = ldap_user_dict[u'fullname'] if u'about' in ldap_user_dict: user_dict[u'about'] = ldap_user_dict[u'about'] if update: ckan_user = toolkit.get_action(u'user_update')(context={ u'ignore_auth': True }, data_dict=user_dict) else: ckan_user = toolkit.get_action(u'user_create')(context={ u'ignore_auth': True }, data_dict=user_dict) ldap_user = LdapUser(user_id=ckan_user[u'id'], ldap_id=ldap_user_dict[u'username']) Session.add(ldap_user) Session.commit() # Add the user to it's group if needed if u'ckanext.ldap.organization.id' in toolkit.config: toolkit.get_action(u'member_create')( context={ u'ignore_auth': True }, data_dict={ u'id': toolkit.config[u'ckanext.ldap.organization.id'], u'object': user_name, u'object_type': u'user', u'capacity': toolkit.config[u'ckanext.ldap.organization.role'] }) return user_name
def add_ckan_user(context,data_dict): # Lookup Ldap if config.get('ckanext.ldap.uri'): cnx = ldap.initialize(config['ckanext.ldap.uri']) else: raise ValidationError({ 'ckan.ldap.uri': 'not speciifed in development/production.ini'}) try: check_name = data_dict['name'] except: raise ValidationError({ 'name': 'missing; use -d option'}) if check_name == None or check_name == "": raise ValidationError({ 'name': ' is missing; use -d option'}) if config.get('ckanext.ldap.auth.dn'): try: cnx.bind_s(config['ckanext.ldap.auth.dn'], config['ckanext.ldap.auth.password']) except ldap.SERVER_DOWN: log.error('LDAP server is not reachable') raise EnvironmentError({ 'LDAP server': 'is not reachable'}) except ldap.INVALID_CREDENTIALS: log.error('LDAP server credentials (ckanext.ldap.auth.dn and ckanext.ldap.auth.password) invalid') raise EnvironmentError({ 'LDAP server': 'credentials (ckanext.ldap.auth.dn and ckanext.ldap.auth.password) invalid'}) #print "Hello" filter_str = config['ckanext.ldap.search.filter'].format(login=ldap.filter.escape_filter_chars(data_dict['name'])) attributes = [config['ckanext.ldap.username']] if 'ckanext.ldap.fullname' in config: attributes.append(config['ckanext.ldap.fullname']) if 'ckanext.ldap.email' in config: attributes.append(config['ckanext.ldap.email']) try: ret = _ldap_search(cnx, filter_str, attributes, non_unique='log') if ret is None and 'ckanext.ldap.search.alt' in config: filter_str = config['ckanext.ldap.search.alt'].format(login=ldap.filter.escape_filter_chars(data_dict['name'])) ret = _ldap_search(cnx, filter_str, attributes, non_unique='raise') finally: cnx.unbind() ldap_user_dict = ret #print ldap_user_dict if not ldap_user_dict: raise ValidationError({ data_dict['name']: 'user not found in ldap'}) # check if we already have an entry in the ldap table #print ldap_user_dict entry_exits = LdapUser.by_ldap_id(ldap_user_dict['username']) if entry_exits: raise ValidationError({ ldap_user_dict['username']: '******'}) # Now get a unique user name, and create the CKAN user user_name = _get_unique_user_name(data_dict['name']) if 'email' in ldap_user_dict: user_mail = ldap_user_dict['email'] else: user_mail = "" user_dict = { 'name': user_name, 'email': user_mail, 'password': str(uuid.uuid4()) } if 'fullname' in ldap_user_dict: user_dict['fullname'] = ldap_user_dict['fullname'] if 'about' in ldap_user_dict: user_dict['about'] = ldap_user_dict['about'] ckan_user = plugins.toolkit.get_action('user_create')( context={'ignore_auth': False}, data_dict=user_dict ) #print "Hello2" # Add the user to it's group if needed - JUST ONE LDAP SPECIFC ORGANIZATION - not for us; Anja 21.6.17 if 'ckanext.ldap.organization.id' in config: plugins.toolkit.get_action('member_create')( context={'ignore_auth': False}, data_dict={ 'id': config['ckanext.ldap.organization.id'], 'object': user_name, 'object_type': 'user', 'capacity': config['ckanext.ldap.organization.role'] } ) # Check the users email address and add it to the appropiate organization as Editor #print ldap_user_dict['email'] user_org = _check_mail_org(ldap_user_dict['email']) if not user_org: # check ccca-extern if 'ckanext.iauth.special_org' in config: user_org = config.get( 'ckanext.iauth.special_org') #print "************ 2" #print user_org # check if org exists try: check_org = tk.get_action('organization_show')(context, {'id':user_org}) except: user_org = None pass #print user_name if user_org: plugins.toolkit.get_action('member_create')( context={'ignore_auth': False}, data_dict={ 'id': user_org, 'object': user_name, 'object_type': 'user', 'capacity': 'editor' } ) #' TODO': check oben if already an entry for ldap_id!!!!! # Add LdapUser entry = Database entry with match ckan_id - ldap_id ldap_user = LdapUser(user_id=ckan_user['id'], ldap_id = ldap_user_dict['username']) ckan.model.Session.add(ldap_user) ckan.model.Session.commit() if user_org: return "Hooray! User " + user_name + " successfully created in CKAN and added as an Editor to the Organization " + user_org.encode('ascii','ignore') else: return "Hooray! User " + user_name + " successfully created in CKAN (no Organization was applicable)"