def _ldap_user_search(self, username_or_email, limit=20, suffix=""):
if not username_or_email:
return (None, "Empty username/email")
# Verify the admin connection works first. We do this here to avoid wrapping
# the entire block in the INVALID CREDENTIALS check.
try:
with self._ldap.get_connection():
pass
except ldap.INVALID_CREDENTIALS:
return (None, "LDAP Admin dn or password is invalid")
with self._ldap.get_connection() as conn:
logger.debug("Incoming username or email param: %s", username_or_email.__repr__())
for user_search_dn in self._user_dns:
(pairs, err_msg) = self._ldap_user_search_with_rdn(
conn, username_or_email, user_search_dn, suffix=suffix
)
if pairs is not None and len(pairs) > 0:
break
if err_msg is not None:
return (None, err_msg)
logger.debug("Found matching pairs: %s", pairs)
results = [LDAPUsers._LDAPResult(*pair) for pair in take(limit, pairs)]
# Filter out pairs without DNs. Some LDAP impls will return such pairs.
with_dns = [result for result in results if result.dn]
return (with_dns, None)
def get_filtered_matching_repositories(lookup_value,
filter_username=None,
repo_kind="image",
offset=0,
limit=25,
search_fields=None):
"""
Returns an iterator of all repositories matching the given lookup value, with optional filtering
to a specific user.
If the user is unspecified, only public repositories will be returned.
"""
if search_fields is None:
search_fields = set(
[SEARCH_FIELDS.description.name, SEARCH_FIELDS.name.name])
# Build the unfiltered search query.
unfiltered_query = _get_sorted_matching_repositories(
lookup_value,
repo_kind=repo_kind,
search_fields=search_fields,
include_private=filter_username is not None,
ids_only=filter_username is not None,
)
# Add a filter to the iterator, if necessary.
if filter_username is not None:
filter_user = _get_namespace_user(filter_username)
if filter_user is None:
return []
# NOTE: We add the offset to the limit here to ensure we have enough results
# for the take's we conduct below.
iterator = _filter_repositories_visible_to_user(
unfiltered_query, filter_user.id, offset + limit, repo_kind)
if offset > 0:
take(offset, iterator)
# Return the results.
return list(take(limit, iterator))
return list(unfiltered_query.offset(offset).limit(limit))
def query_users(self, query, limit=20):
if len(query) < 3:
return ([], self.federated_service, None)
try:
admin_client, _ = self._get_client(self.admin_username,
self.admin_password,
self.admin_tenant)
found_users = list(take(limit,
admin_client.users.list(name=query)))
logger.debug("For Keystone query %s found users: %s", query,
found_users)
if not found_users:
return ([], self.federated_service, None)
return ([self._user_info(user)
for user in found_users], self.federated_service, None)
except KeystoneAuthorizationFailure as kaf:
logger.exception(
"Keystone auth failure for admin user for query %s", query)
return (
None,
self.federated_service,
str(kaf) or "Invalid admin username or password",
)
except KeystoneUnauthorized as kut:
logger.exception(
"Keystone unauthorized for admin user for query %s", query)
return (
None,
self.federated_service,
str(kut) or "Invalid admin username or password",
)
except ClientException as cle:
logger.exception(
"Keystone unauthorized for admin user for query %s", query)
return (
None,
self.federated_service,
str(cle) or "Invalid admin username or password",
)
