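 def has_member(self, user_identifier):
     """Return True if the user identified by *user_identifier* belongs to this group.

     Two strategies, selected by ``ldap_settings['ad_group_style']``:

     * Active Directory: resolve this group's ``objectSid`` and test whether it
       appears in the user's ``tokenGroups`` (the server computes that list,
       so nested membership is covered on this path).
     * Otherwise: test whether this group's DN is listed in the user's
       ``member_of_attr`` attribute.

     Every failure to resolve something (unknown user, unresolvable group,
     group without an ``objectSid``) yields ``False`` — the check fails
     closed instead of raising on a missing lookup result.
     """
     with ldap_context(self.ldap_settings):
         member_of_attr = self.ldap_settings['member_of_attr']
         user_dn, user_data = get_user_by_id(user_identifier, attributes=[member_of_attr])
         if not user_dn:
             # Unknown user: deny.
             return False
         if self.ldap_settings['ad_group_style']:
             group_dn, group_data = get_group_by_id(self.name, attributes=['objectSid'])
             if not group_dn:
                 # Group does not exist (or is not visible to the bind DN): deny
                 # rather than dereference an empty lookup result.
                 return False
             # A group without objectSid can never match a tokenGroups entry.
             group_sids = group_data.get('objectSid') or []
             token_groups = get_token_groups_from_user_dn(user_dn)
             return any(sid in token_groups for sid in group_sids)
         # NOTE(review): plain string comparison. LDAP DNs are case-insensitive, so
         # a casing/whitespace mismatch between self.dn and the stored value gives
         # False (a deny, never a grant) — confirm both sides are normalized alike.
         return self.dn in user_data.get(member_of_attr, [])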
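 def has_member(self, user_identifier):
     """Return True if the user identified by *user_identifier* belongs to this group.

     ``ldap_settings['ad_group_style']`` selects the strategy:

     * Active Directory: the group's ``objectSid`` is looked up and matched
       against the user's server-computed ``tokenGroups``.
     * Otherwise: the group's DN must appear in the user's ``member_of_attr``.

     Unknown users, unresolvable groups and groups without an ``objectSid``
     all return ``False`` (fail closed) instead of raising.
     """
     with ldap_context(self.ldap_settings):
         member_of_attr = self.ldap_settings['member_of_attr']
         user_dn, user_data = get_user_by_id(
             user_identifier,
             attributes=[member_of_attr])
         if not user_dn:
             # Unknown user: deny.
             return False
         if self.ldap_settings['ad_group_style']:
             group_dn, group_data = get_group_by_id(
                 self.name, attributes=['objectSid'])
             if not group_dn:
                 # Group not found (or not visible to the bind DN): deny rather
                 # than dereference an empty lookup result.
                 return False
             # No objectSid means nothing can match a tokenGroups entry.
             group_sids = group_data.get('objectSid') or []
             token_groups = get_token_groups_from_user_dn(user_dn)
             return any(sid in token_groups
                        for sid in group_sids)
         # NOTE(review): exact string comparison of DNs. LDAP DNs are
         # case-insensitive, so a casing mismatch yields False (a deny, never
         # a grant) — confirm self.dn and the stored values share one form.
         return self.dn in user_data.get(member_of_attr, [])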
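def test_get_token_groups_from_user_dn(mocker, user_dn, mock_data, expected):
    """Check ``get_token_groups_from_user_dn`` against a mocked LDAP connection.

    ``ReconnectLDAPObject`` is patched so that ``search_ext_s`` returns
    *mock_data* without touching the network. The test asserts that the
    helper returns *expected* and that it issued exactly one base-scope read
    of *user_dn* for ``tokenGroups`` with ``sizelimit=1`` and the configured
    timeout.
    """
    settings = {
        'uri': 'ldaps://ldap.example.com:636',
        'bind_dn': 'uid=admin,DC=example,DC=com',
        'bind_password': '******',
        'verify_cert': True,
        # Fixed: the path previously carried a leading space, which would be
        # an invalid CA file if these settings were ever used unmocked.
        'cert_file': '/etc/ssl/certs/ca-certificates.crt',
        # NOTE(review): 'starttls' together with an ldaps:// URI is
        # contradictory (StartTLS upgrades a plain ldap:// session). Harmless
        # here because the connection is mocked, but do not copy into real
        # configuration.
        'starttls': True,
        'timeout': 10
    }

    ldap_search = MagicMock(return_value=mock_data)
    ldap_conn = MagicMock(search_ext_s=ldap_search)
    mocker.patch('flask_multipass.providers.ldap.util.ReconnectLDAPObject', return_value=ldap_conn)
    with ldap_context(settings):
        assert get_token_groups_from_user_dn(user_dn) == expected
        # tokenGroups is a constructed attribute: it is only returned by a
        # base-scope read of the user object itself, never by a subtree search.
        ldap_search.assert_called_once_with(user_dn, SCOPE_BASE, sizelimit=1, timeout=settings['timeout'],
                                            attrlist=['tokenGroups'])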
 def get_identity_groups(self, identifier):
     """Return the set of group objects the user identified by *identifier* belongs to.

     Only implemented for Active Directory (``ldap_settings['ad_group_style']``):
     each SID in the user's server-computed ``tokenGroups`` is resolved to a
     group via an exact ``objectSid`` search, and a ``group_class`` instance is
     built from the group's ``gid`` attribute and DN. An unknown user yields an
     empty set.

     Raises:
         NotImplementedError: when not configured for Active Directory.
     """
     found = set()
     with ldap_context(self.ldap_settings):
         user_dn, _user_data = get_user_by_id(identifier, self._attributes)
         if not user_dn:
             return set()
         if not self.ldap_settings['ad_group_style']:
             # OpenLDAP has no server-side equivalent of tokenGroups, so a
             # complete (nested) group list cannot be obtained in one query.
             raise NotImplementedError(
                 'Only available for active directory')
         for sid in get_token_groups_from_user_dn(user_dn):
             # exact=True: the SID is a directory-supplied value used as a
             # filter operand; the builder is relied on to escape it.
             sid_filter = build_group_search_filter(
                 {'objectSid': {sid}}, exact=True)
             for group_dn, group_data in self._search_groups(sid_filter):
                 raw_name = group_data[self.ldap_settings['gid']][0]
                 found.add(self.group_class(self, to_unicode(raw_name),
                                            group_dn))
     return found
def test_get_token_groups_from_user_dn(mocker, user_dn, mock_data, expected):
    """Verify ``get_token_groups_from_user_dn`` on a mocked LDAP connection.

    ``ReconnectLDAPObject`` is replaced by a ``MagicMock`` whose
    ``search_ext_s`` returns *mock_data*. The helper must return *expected*
    and must have performed exactly one base-scope read of *user_dn* asking
    for ``tokenGroups`` with ``sizelimit=1`` and the configured timeout.
    """
    settings = {
        'uri': 'ldaps://ldap.example.com:636',
        'bind_dn': 'uid=admin,DC=example,DC=com',
        'bind_password': '******',
        'verify_cert': True,
        # NOTE(review): 'starttls' with an ldaps:// URI is contradictory
        # (StartTLS upgrades a plain ldap:// session); irrelevant here because
        # the connection is mocked, but not a configuration to copy.
        'starttls': True,
        'timeout': 10
    }

    search_mock = MagicMock(return_value=mock_data)
    conn_mock = MagicMock()
    conn_mock.search_ext_s = search_mock
    mocker.patch('flask_multipass.providers.ldap.util.ReconnectLDAPObject',
                 return_value=conn_mock)
    with ldap_context(settings):
        result = get_token_groups_from_user_dn(user_dn)
        assert result == expected
        # tokenGroups is a constructed attribute and is only returned by a
        # base-scope read of the user entry itself.
        search_mock.assert_called_once_with(user_dn,
                                            SCOPE_BASE,
                                            sizelimit=1,
                                            timeout=settings['timeout'],
                                            attrlist=['tokenGroups'])