def do_login(cls, request, login, password, contact, entites):
response = None
try:
headers = forget(request)
# Check if user exists in LDAP
connector = get_ldap_connector(request)
data = connector.authenticate(login, password)
if data is not None:
dn = data[0]
headers = remember(request, dn)
if contact:
contact_json = contact.format()
contact_json['entites'] = entites
contact_json = json.dumps(contact_json) if contact else ''
response = Response(
contact_json,
content_type='application/json; charset=UTF-8',
headers=headers)
else:
raise Exception('Invalid credentials')
except Exception as error:
raise error
return response
def do_login(cls, request, login, password):
# Check if user exists in LDAP
try:
connector = get_ldap_connector(request)
except ConfigurationError as error:
LOG.error('Connector is not well configured. Error is : {}'.format(error))
data = connector.authenticate(login, password)
if data is not None:
dn = data[0]
if dn == 'null':
raise Exception('Invalid credentials')
resp_json = {}
resp_json['role_name'] = cls.get_user_group_by_dn(request, dn)
resp_json['dn'] = dn
return resp_json
else:
raise Exception('LDAP authentication failed')
def get_user_groups_entite_by_dn(cls, request, dn):
groups = []
output_json = []
try:
# user = request.authenticated_userid
connector = get_ldap_connector(request)
result = connector.user_groups(dn)
if result is not None:
for r in result:
if r and len(r) > 1:
groups.append(
cls.format_json_attributes(
json.loads(json.dumps(dict(r[1])))))
# Filter to groups of type entite
cn_attribute = request.registry.settings[
'ldap_group_attribute_name']
output_json = [
x for x in groups
if cn_attribute in x and x[cn_attribute].startswith(
request.registry.settings['ldap_entite_groups_prefix'])
]
except Exception as error:
raise error
return output_json
def get_connected_user(cls, request):
user_id = request.authenticated_userid
connector = get_ldap_connector(request)
with connector.manager.connection() as conn:
ret = conn.search(
search_scope=request.registry.settings['ldap_login_query_scope'],
attributes=request.registry.settings['ldap_login_query_attributes'].replace(', ', ',').replace(' , ', ',').replace(' ,', ',').split(','),
search_base=request.registry.settings['ldap_login_query_base_dn'],
search_filter=request.registry.settings['ldap_search_user_filter']
)
result, ret = conn.get_response(ret)
if result is None:
result = []
else:
result = [r['attributes'] for r in result
if 'dn' in r and r['dn'] == user_id]
result = result[0] if result and len(result) > 0 else None
if result is not None:
result = json.loads(json.dumps(dict(result)))
return cls.format_json_attributes(result) if result else {}
def _authenticate_user(
self,
request: Request,
email: typing.Optional[str],
password: typing.Optional[str],
) -> typing.Optional[User]:
"""
Helper to authenticate user in pyramid request
from user email and password
:param request: pyramid request
:return: User or None
"""
app_config = request.registry.settings['CFG']
uapi = UserApi(None, session=request.dbsession, config=app_config)
ldap_connector = None
if AuthType.LDAP in app_config.AUTH_TYPES:
ldap_connector = get_ldap_connector(request)
try:
user = uapi.authenticate(
email=email,
password=password,
ldap_connector=ldap_connector
)
return user
except AuthenticationFailed:
return None
def get_infolica_users(cls, request):
users = []
connector = get_ldap_connector(request)
with connector.manager.connection() as conn:
ret = conn.search(search_scope=request.registry.
settings['ldap_login_query_scope'],
attributes=request.registry.
settings['ldap_login_query_attributes'].replace(
', ',
',').replace(' , ',
',').replace(' ,',
',').split(','),
search_base=request.registry.
settings['ldap_login_query_base_dn'],
search_filter=request.registry.
settings['ldap_search_user_filter'])
result, ret = conn.get_response(ret)
if result is not None:
for r in result:
if 'dn' in r:
user_json = cls.format_json_attributes(
json.loads(json.dumps(dict(r['attributes']))))
user_json['dn'] = r['dn']
users.append(user_json)
return users if users else {}
def get_users_belonging_to_group_entites(cls, request):
users = []
try:
connector = get_ldap_connector(request)
with connector.manager.connection() as conn:
ret = conn.search(
search_scope=request.registry.
settings['ldap_login_query_scope'],
attributes=request.
registry.settings['ldap_login_query_attributes'].replace(
', ', ',').replace(' , ', ',').replace(' ,',
',').split(','),
search_base=request.registry.
settings['ldap_login_query_base_dn'],
search_filter=request.registry.
settings['ldap_search_user_filter'])
result, ret = conn.get_response(ret)
if result is not None:
for r in result:
if 'dn' in r and len(
cls.get_user_groups_entite_by_dn(request,
r['dn'])) > 0:
user_json = cls.format_json_attributes(
json.loads(json.dumps(dict(r['attributes']))))
user_json['dn'] = r['dn']
users.append(user_json)
except Exception as error:
raise error
return users if users else {}
def auth_ldap(request, login, password):
from pyramid_ldap3 import (
get_ldap_connector,
groupfinder)
connector = get_ldap_connector(request)
data = connector.authenticate(login, password)
if data is not None:
dn = data[0]
headers = remember(request, dn)
return HTTPFound(location=request.route_url('home'), headers=headers)
else:
return HTTPForbidden()
def get_user_group_by_dn(cls, request, dn):
connector = get_ldap_connector(request)
result = connector.user_groups(dn)
if result is not None:
groups = [cls.format_json_attributes(json.loads(json.dumps(dict(r[1])))) for r in result if r and len(r) > 1]
if groups and len(groups) > 0:
cn_attribute = request.registry.settings['ldap_group_attribute_id']
for group in groups:
if group[cn_attribute].startswith(request.registry.settings['infolica_groups_prefix']):
return group[cn_attribute]
return None
def login(self, context, request: TracimRequest, hapic_data=None):
"""
Logs the user into the system.
In case of success, the JSON returned is the user profile.
In that case, a cookie is created with a session_key and an expiration date.
Eg. : `session_key=932d2ad68f3a094c2d4da563ccb921e6479729f5b5f707eba91d4194979df20831be48a0; expires=Mon, 22-Oct-2018 19:37:02 GMT; Path=/; SameSite=Lax`
"""
login = hapic_data.body
app_config = request.registry.settings["CFG"] # type: CFG
uapi = UserApi(None, session=request.dbsession, config=app_config)
ldap_connector = None
if AuthType.LDAP in app_config.AUTH_TYPES:
ldap_connector = get_ldap_connector(request)
user = uapi.authenticate(login.email, login.password, ldap_connector)
remember(request, user.user_id)
return uapi.get_user_with_context(user)
def get_user_groups_by_dn(cls, request, dn):
groups = []
try:
connector = get_ldap_connector(request)
result = connector.user_groups(dn)
if result is not None:
for r in result:
if r and len(r) > 1:
groups.append(
cls.format_json_attributes(
json.loads(json.dumps(dict(r[1])))))
except Exception as error:
raise error
return groups
def login(request):
url = request.current_route_url()
login = ''
password = ''
error = ''
if 'form.submitted' in request.POST:
login = request.POST['login']
password = request.POST['password']
connector = get_ldap_connector(request)
data = connector.authenticate(login, password)
if data is not None:
dn = data[0]
headers = remember(request, dn)
return HTTPFound('/', headers=headers)
error = 'Invalid credentials'
return dict(login_url=url, login=login, password=password, error=error)
def _authenticate_user(
self, request: Request, login: typing.Optional[str], password: typing.Optional[str],
) -> typing.Optional[User]:
"""
Helper to authenticate user in pyramid request
from user email or username and password
:param request: pyramid request
:return: User or None
"""
app_config = request.registry.settings["CFG"] # type: CFG
uapi = UserApi(None, session=request.dbsession, config=app_config)
ldap_connector = None
if AuthType.LDAP in app_config.AUTH_TYPES:
ldap_connector = get_ldap_connector(request)
try:
user = uapi.authenticate(login=login, password=password, ldap_connector=ldap_connector,)
return user
except AuthenticationFailed:
return None
def ldap_user_validator(request, username, password):
connector = get_ldap_connector(request)
cm = connector.manager
data = None
with cm.connection() as conn:
try:
ldap_settings = request.registry.settings['ldap']
base_dn = ldap_settings['base_dn']
filter_tmpl = ldap_settings['filter_tmpl'].replace('%(login)s', username)
message_id = conn.search(
base_dn, filter_tmpl, ldap.SUBTREE,
ldap.DEREF_ALWAYS)
result = conn.get_response(message_id)[0]
if len(result) > 0:
data = result[0]['dn']
conn.unbind()
except Exception as e:
log.exception(e)
conn.unbind()
conn = None
try:
conn = cm.connection(data, password)
conn.unbind()
except Exception as e:
log.exception(e)
if conn is not None:
conn.unbind()
data = None
connection = Connections()
connection.login = username
connection.application = request.host
if data is not None:
connection.action = "CONNECT"
DBSession.add(connection)
return username
else:
connection.action = "CONNECT ERROR"
DBSession.add(connection)
return None
def login(self, context, request: TracimRequest, hapic_data=None):
"""
Logs the user into the system.
In case of success, the JSON returned is the user profile.
In that case, a cookie is created with a session_key and an expiration date.
Eg. : `session_key=932d2ad68f3a094c2d4da563ccb921e6479729f5b5f707eba91d4194979df20831be48a0; expires=Mon, 22-Oct-2018 19:37:02 GMT; Path=/; SameSite=Lax`
"""
login = hapic_data.body
app_config = request.registry.settings['CFG'] # type: CFG
uapi = UserApi(
None,
session=request.dbsession,
config=app_config,
)
ldap_connector = None
if AuthType.LDAP in app_config.AUTH_TYPES:
ldap_connector = get_ldap_connector(request)
user = uapi.authenticate(login.email, login.password, ldap_connector)
remember(request, user.user_id)
return uapi.get_user_with_context(user)
def login(request):
url = request.current_route_url()
login = ''
password = ''
error = ''
if 'form.submitted' in request.POST:
login = request.POST['login']
password = request.POST['password']
connector = get_ldap_connector(request)
data = connector.authenticate(login, password)
if data is not None:
dn = data[0]
headers = remember(request, dn)
return HTTPFound('/', headers=headers)
error = 'Invalid credentials'
return dict(
login_url=url,
login=login,
password=password,
error=error)
def _callFUT(self, request):
from pyramid_ldap3 import get_ldap_connector
return get_ldap_connector(request)
def get_user_from_request(request):
from c2cgeoportal_commons.models import DBSession
from c2cgeoportal_commons.models.main import Role
class O(object):
pass
username = unauthenticated_userid(request)
if username is not None:
default_mymaps_role = int(request.registry.settings['default_mymaps_role'])
user = O()
user.id = 0
user.username = username
user.email = None
user.is_mymaps_admin = False
user.mymaps_role = default_mymaps_role
user.ogc_role = -1
user.sn = None
user.is_password_changed = None
user.role_name = None
connector = get_ldap_connector(request)
cm = connector.manager
# 0 means 'Tous publics'
roletheme = 0
with cm.connection() as conn:
ldap_settings = request.registry.settings['ldap']
base_dn = ldap_settings['base_dn']
filter_tmpl = ldap_settings['filter_tmpl'].replace('%(login)s', username)
message_id = conn.search(
base_dn, filter_tmpl, ldap.SUBTREE,
ldap.DEREF_ALWAYS, ldap.ALL_ATTRIBUTES)
result = conn.get_response(message_id)[0]
if len(result) == 1:
obj = result[0]['raw_attributes']
if 'roleTheme' in obj:
# This is the plain c2cgeoportal role used for authentication.
# Notably in the admin interface.
# The role with name role_admin has id 645.
roletheme = obj['roleTheme'][0].decode()
if 'mail' in obj:
user.mail = obj['mail'][0].decode()
if 'sn' in obj:
user.sn = obj['sn'][0].decode()
else:
user.sn = user.mail
if 'isMymapsAdmin' in obj:
user.is_mymaps_admin = "TRUE" == obj['isMymapsAdmin'][0].upper().decode()
if 'roleMymaps' in obj:
# This role is used for myMaps.
user.mymaps_role = int(obj['roleMymaps'][0])
if 'roleOGC' in obj:
# This role is used by the print proxy and internal WMS proxy.
user.ogc_role = int(obj['roleOGC'][0])
conn.unbind()
try:
# Loading the plain c2cgeoportal role used for authentication.
user.role = DBSession.query(Role).filter_by(id=roletheme).one()
except Exception as e:
# Fallback to the "Tous publics" role
user.role = DBSession.query(Role).filter_by(id=0).one()
log.exception(e)
user.role_name = user.role.name
user.functionalities = []
return user
def _call_fut(self, request, realm=None):
from pyramid_ldap3 import get_ldap_connector
return get_ldap_connector(request, realm)
def _callFUT(self, request):
from pyramid_ldap3 import get_ldap_connector
return get_ldap_connector(request)
def groupfinder(dn, request):
connector = get_ldap_connector(request)
group_list = connector.user_groups(dn)
if group_list is None:
return None
return [dn for dn, attrs in group_list]
