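def has_member(self, user_identifier):
    """Return whether the user identified by *user_identifier* is in this group.

    Args:
        user_identifier: Identifier resolved through ``get_user_by_id``.

    Returns:
        bool: ``True`` if the user is a member, ``False`` if the user does not
        exist or is not a member. With ``ad_group_style`` the check goes
        through the user's ``tokenGroups`` (so membership via nested groups
        counts); otherwise only the DNs listed in the user's
        ``member_of_attr`` are considered, i.e. direct membership.
    """
    with ldap_context(self.ldap_settings):
        member_of_attr = self.ldap_settings['member_of_attr']
        user_dn, user_data = get_user_by_id(user_identifier, attributes=[member_of_attr])
        if not user_dn:
            # Unknown user: never a member.
            return False
        if self.ldap_settings['ad_group_style']:
            # The group's objectSid is matched against the SIDs in the user's
            # tokenGroups, which is what makes nested membership visible.
            _group_dn, group_data = get_group_by_id(self.name, attributes=['objectSid'])
            # A group that cannot be found, or has no objectSid, means "not a
            # member" -- iterating ``None`` here used to raise TypeError.
            group_sids = (group_data or {}).get('objectSid') or []
            if not group_sids:
                return False
            token_groups = get_token_groups_from_user_dn(user_dn)
            return any(group_sid in token_groups for group_sid in group_sids)
        # Non-AD directories: only direct membership is visible here.
        return self.dn in user_data.get(member_of_attr, [])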
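def has_member(self, user_identifier):
    """Check whether *user_identifier* resolves to a member of this group.

    Args:
        user_identifier: Identifier passed to ``get_user_by_id``.

    Returns:
        bool: ``False`` when the user is unknown or not a member. In
        ``ad_group_style`` mode membership is decided by comparing the group's
        ``objectSid`` with the user's ``tokenGroups`` (nested membership
        included); otherwise the group DN must appear in the user's
        ``member_of_attr`` values (direct membership only).
    """
    with ldap_context(self.ldap_settings):
        member_of_attr = self.ldap_settings['member_of_attr']
        user_dn, user_data = get_user_by_id(
            user_identifier, attributes=[member_of_attr])
        if not user_dn:
            return False
        if not self.ldap_settings['ad_group_style']:
            # Direct membership only; nested groups are not resolved here.
            return self.dn in user_data.get(member_of_attr, [])
        _group_dn, group_data = get_group_by_id(
            self.name, attributes=['objectSid'])
        # Guard against a missing group or a group without objectSid: the
        # answer is "not a member", not a TypeError from iterating None.
        group_sids = (group_data or {}).get('objectSid') or []
        if not group_sids:
            return False
        token_groups = get_token_groups_from_user_dn(user_dn)
        return any(sid in token_groups for sid in group_sids)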
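def test_get_token_groups_from_user_dn(mocker, user_dn, mock_data, expected):
    """Check tokenGroups extraction against a mocked LDAP connection.

    ``mock_data`` is what the mocked ``search_ext_s`` returns for *user_dn*
    and ``expected`` is the value the helper should derive from it. The real
    ``ReconnectLDAPObject`` is patched out, so no network or TLS handshake
    happens; the ``uri``/TLS settings are only passed through.
    """
    settings = {
        'uri': 'ldaps://ldap.example.com:636',
        'bind_dn': 'uid=admin,DC=example,DC=com',
        'bind_password': '******',
        'verify_cert': True,
        # No leading whitespace: the fixture path must be usable as-is should
        # these settings ever reach a real connection.
        'cert_file': '/etc/ssl/certs/ca-certificates.crt',
        'starttls': True,
        'timeout': 10,
    }
    ldap_search = MagicMock(return_value=mock_data)
    ldap_conn = MagicMock(search_ext_s=ldap_search)
    mocker.patch('flask_multipass.providers.ldap.util.ReconnectLDAPObject', return_value=ldap_conn)
    with ldap_context(settings):
        assert get_token_groups_from_user_dn(user_dn) == expected
    # Token-Groups must be retrieved from a base scope query on the user's own
    # entry, so the exact search shape is part of the helper's contract.
    ldap_search.assert_called_once_with(user_dn, SCOPE_BASE, sizelimit=1, timeout=settings['timeout'],
                                        attrlist=['tokenGroups'])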
def get_identity_groups(self, identifier):
    """Return the set of groups the identity *identifier* belongs to.

    Only ``ad_group_style`` directories are supported: the user's tokenGroups
    (which cover nested memberships) are resolved to group entries by
    ``objectSid`` and wrapped in ``self.group_class``. Any other directory
    raises ``NotImplementedError`` since there is no generic way to enumerate
    nested groups there.

    Returns:
        set: The matching group objects; empty if *identifier* does not
        resolve to a user.
    """
    with ldap_context(self.ldap_settings):
        user_dn, _user_data = get_user_by_id(identifier, self._attributes)
        if not user_dn:
            return set()
        if not self.ldap_settings['ad_group_style']:
            # OpenLDAP does not have a way to get all groups for a user including nested ones
            raise NotImplementedError('Only available for active directory')
        found = set()
        for sid in get_token_groups_from_user_dn(user_dn):
            # One exact-match search per SID from the user's tokenGroups.
            sid_filter = build_group_search_filter({'objectSid': {sid}}, exact=True)
            for group_dn, group_data in self._search_groups(sid_filter):
                name = to_unicode(group_data[self.ldap_settings['gid']][0])
                found.add(self.group_class(self, name, group_dn))
        return found
def test_get_token_groups_from_user_dn(mocker, user_dn, mock_data, expected):
    """Verify tokenGroups extraction for *user_dn* against a fake connection.

    The mocked ``search_ext_s`` answers with ``mock_data``; the helper must
    turn that into ``expected`` and must have queried the user's entry with
    base scope, as tokenGroups is only returned by such a query.
    """
    settings = {
        'uri': 'ldaps://ldap.example.com:636',
        'bind_dn': 'uid=admin,DC=example,DC=com',
        'bind_password': '******',
        'verify_cert': True,
        'starttls': True,
        'timeout': 10,
    }
    search_mock = MagicMock(return_value=mock_data)
    conn_mock = MagicMock(search_ext_s=search_mock)
    # Replace the real connection class so nothing touches the network.
    mocker.patch('flask_multipass.providers.ldap.util.ReconnectLDAPObject',
                 return_value=conn_mock)
    with ldap_context(settings):
        assert get_token_groups_from_user_dn(user_dn) == expected
    # Token-Groups must be retrieved from a base scope query
    search_mock.assert_called_once_with(
        user_dn, SCOPE_BASE, sizelimit=1, timeout=settings['timeout'], attrlist=['tokenGroups'])