def _validate_security_rules(self) -> None:
"""Checks if the security rules defined in the plugin configuration are valid boolean expressions or raises
a ConfigurationError exception otherwise."""
def _get_error_msg_for(rule_name: str) -> str:
return f"Invalid boolean expression for '{rule_name}' in {self.label} file source plugin configuration."
if self.requires_roles and not BooleanExpressionEvaluator.is_valid_expression(self.requires_roles):
raise ConfigurationError(_get_error_msg_for("requires_roles"))
if self.requires_groups and not BooleanExpressionEvaluator.is_valid_expression(self.requires_groups):
raise ConfigurationError(_get_error_msg_for("requires_groups"))
def check_config(self, username, email, options):
ok = True
failure_mode = False # reject but continue
if options.get('continue-on-failure', 'False') == 'False':
failure_mode = None # reject and do not continue
if string_as_bool(options.get('login-use-username', False)):
if not username:
log.debug(
'LDAP authenticate: username must be used to login, cannot be None'
)
return ok, failure_mode
else:
if not email:
log.debug(
'LDAP authenticate: email must be used to login, cannot be None'
)
return ok, failure_mode
auto_create_roles = string_as_bool(
options.get('auto-create-roles', False))
auto_create_groups = string_as_bool(
options.get('auto-create-groups', False))
self.auto_create_roles_or_groups = auto_create_roles or auto_create_groups
auto_assign_roles_to_groups_only = string_as_bool(
options.get('auto-assign-roles-to-groups-only', False))
if auto_assign_roles_to_groups_only and not (auto_create_roles
and auto_create_groups):
raise ConfigurationError(
"If 'auto-assign-roles-to-groups-only' is True, auto-create-roles and "
"auto-create-groups have to be True as well.")
self.role_search_attribute = options.get(self.role_search_option, None)
return ok, failure_mode
def make_manager(db_url, database):
if db_url.startswith('postgres'):
return PosgresDatabaseManager(db_url, database)
elif db_url.startswith('sqlite'):
return SqliteDatabaseManager(db_url, database)
elif db_url.startswith('mysql'):
return MySQLDatabaseManager(db_url, database)
else:
raise ConfigurationError(f'Invalid database URL: {db_url}')
def check(self):
# Check that required directories exist; attempt to create otherwise
paths_to_check = [
self.file_path,
self.hgweb_config_dir,
self.template_path,
self.tool_data_path,
self.template_cache_path,
os.path.join(self.tool_data_path, 'shared', 'jars'),
]
for path in paths_to_check:
self._ensure_directory(path)
# Check that required files exist.
if not os.path.isfile(self.datatypes_config):
raise ConfigurationError('File not found: %s' % self.datatypes_config)
def _get_subs(d, k, params):
if k not in d or not d[k]:
raise ConfigurationError("Missing '%s' parameter in LDAP options" % k)
return str(d[k]).format(**params)
def ldap_search(self, email, username, options):
config_ok, failure_mode = self.check_config(username, email, options)
if ldap is None:
raise RuntimeError("Failed to load LDAP module: %s",
str(ldap_import_exc))
if not config_ok:
return failure_mode, None
if self.auto_create_roles_or_groups and self.role_search_attribute is None:
raise ConfigurationError(
"If 'auto-create-roles' or 'auto-create-groups' is True, a '%s' attribute has to"
" be provided." % self.role_search_option)
params = {'email': email, 'username': username}
try:
ldap_options_raw = _get_subs(options, 'ldap-options', params)
except ConfigurationError:
ldap_options = ()
else:
ldap_options = _parse_ldap_options(ldap_options_raw)
try:
# setup connection
ldap.set_option(ldap.OPT_REFERRALS, 0)
for opt in ldap_options:
ldap.set_option(*opt)
except Exception:
log.exception('LDAP authenticate: set_option exception')
return (failure_mode, None)
if 'search-fields' in options:
try:
l = ldap.initialize(_get_subs(options, 'server', params))
l.protocol_version = 3
if 'search-user' in options:
l.simple_bind_s(
_get_subs(options, 'search-user', params),
_get_subs(options, 'search-password', params))
else:
l.simple_bind_s()
# setup search
attributes = [
_.strip().format(**params)
for _ in options['search-fields'].split(',')
]
if 'search-memberof-filter' in options:
attributes.append('memberOf')
suser = l.search_ext_s(_get_subs(options, 'search-base',
params),
ldap.SCOPE_SUBTREE,
_get_subs(options, 'search-filter',
params),
attributes,
timeout=60,
sizelimit=1)
# parse results
if suser is None or len(suser) == 0:
log.warning(
'LDAP authenticate: search returned no results')
return (failure_mode, None)
dn, attrs = suser[0]
log.debug("LDAP authenticate: dn is %s", dn)
log.debug("LDAP authenticate: search attributes are %s", attrs)
if hasattr(attrs, 'has_key'):
for attr in attributes:
if self.role_search_attribute and attr == self.role_search_attribute[
1:-1]: # strip brackets
# keep role names as list
params[self.role_search_option] = attrs[attr]
elif attr == 'memberOf':
params[attr] = attrs[attr]
elif attr in attrs:
params[attr] = str(attrs[attr][0])
else:
params[attr] = ""
if self.auto_create_roles_or_groups and self.role_search_option not in params:
raise ConfigurationError(
"Missing or mismatching LDAP parameters for %s. Make sure the %s is "
"included in the 'search-fields'." %
(self.role_search_option, self.role_search_attribute))
params['dn'] = dn
except Exception:
log.exception('LDAP authenticate: search exception')
return (failure_mode, None)
return failure_mode, params
def raise_error(message):
log.error(message)
raise ConfigurationError(message)