def __init__(self, group_manager, settings):
OAuth2PGCBasedUserManager.logger.info(
"Initializing OAuth2PGCBasedUserManager")
self._group_manager = group_manager
self._settings = settings
FilebasedUserManager.__init__(self, group_manager, None, settings)
def __init__(self, plugin, ldap, **kwargs):
DependentOnSettingsPlugin.__init__(self, plugin)
DependentOnLDAPConnection.__init__(self, ldap)
FilebasedUserManager.__init__(self,
group_manager=LDAPGroupManager(
plugin=plugin, ldap=ldap),
**kwargs)
def login_user(self, user):
"""
This method logs in the user into OctoPrint using authorization OAuth2.
After that, user is added into users.yaml config file.
"""
self._cleanup_sessions()
if user is None or user.is_anonymous:
return
if isinstance(user, LocalProxy):
user = user._get_current_object()
return user
if not isinstance(user, User):
return None
# -- Overridden parts -----------------------------------------------
if isinstance(user, OAuth2PGCUser):
username = user.get_id()
user = FilebasedUserManager.find_user(self, username)
if user is None:
FilebasedUserManager.add_user(self, username, '', active=True)
user = FilebasedUserManager.find_user(self, username)
# -- Overridden parts -----------------------------------------------
if not isinstance(user, SessionUser):
user = SessionUser(user)
self._session_users_by_session[user.session] = user
user_id = user.get_id()
if user_id not in self._sessionids_by_userid:
self._sessionids_by_userid[user_id] = set()
self._sessionids_by_userid[user_id].add(user.session)
for listener in self._login_status_listeners:
try:
listener.on_user_logged_in(user)
except Exception:
self._logger.exception(
"Error in on_user_logged_in on {!r}".format(listener),
extra=dict(callback=fqcn(listener)))
self._logger.info("Logged in user: {}".format(user.get_id()))
return user
def user(ctx):
"""
User management.
Note that this currently only supports managing user accounts stored in the configured user manager, not any
user managers added through plugins and the "octoprint.users.factory" hook.
"""
try:
logging.basicConfig(
level=logging.DEBUG
if get_ctx_obj_option(ctx, "verbosity", 0) > 0 else logging.WARN)
settings = init_settings(get_ctx_obj_option(ctx, "basedir", None),
get_ctx_obj_option(ctx, "configfile", None))
group_manager_name = settings.get(["accessControl", "groupManager"])
try:
clazz = get_class(group_manager_name)
group_manager = clazz()
except AttributeError:
click.echo("Could not instantiate group manager {}, "
"falling back to FilebasedGroupManager!".format(
group_manager_name),
err=True)
group_manager = FilebasedGroupManager()
ctx.obj.group_manager = group_manager
name = settings.get(["accessControl", "userManager"])
try:
clazz = get_class(name)
user_manager = clazz(group_manager=group_manager,
settings=settings)
except Exception:
click.echo(
"Could not instantiate user manager {}, falling back to FilebasedUserManager!"
.format(name),
err=True)
user_manager = FilebasedUserManager(group_manager,
settings=settings)
finally:
user_manager.enabled = settings.getBoolean(
["accessControl", "enabled"])
ctx.obj.user_manager = user_manager
except Exception:
click.echo("Could not instantiate user manager", err=True)
return
def check_password(self, username, password):
user = self.find_user(userid=username)
if isinstance(user, LDAPUser):
# in case group settings changed either in auth_ldap settings OR on LDAP directory
if user.is_active and (self.settings.get([OU]) is None or len(
self.refresh_ldap_group_memberships_for(user)) > 0):
self.logger.debug("Checking %s password via LDAP" %
user.get_id())
client = self.ldap.get_client(user.distinguished_name,
password)
authenticated = client is not None
self.logger.debug(
"%s was %sauthenticated" %
(user.get_name(), "" if authenticated else "not "))
return authenticated
else:
self.logger.debug(
"%s is inactive or no longer a member of required groups" %
user.get_id())
else:
self.logger.debug("Checking %s password via users.yaml" %
user.get_name())
return FilebasedUserManager.check_password(self, user.get_name(),
password)
return False
def find_user(self, userid=None, apikey=None, session=None):
self.logger.debug("Search for userid=%s, apiKey=%s, session=%s" %
(userid, apikey, session))
user = FilebasedUserManager.find_user(self,
userid=userid,
apikey=apikey,
session=session)
user, userid = self._find_user_with_transformation(
apikey, session, user, userid)
if not user and userid:
user = self._find_user_via_ldap(user, userid)
return user
def add_user(self,
username,
password=None,
active=False,
permissions=None,
groups=None,
apikey=None,
overwrite=False,
dn=None):
if dn is None:
FilebasedUserManager.add_user(self,
username=username,
password=password,
active=active,
permissions=permissions,
groups=groups,
apikey=apikey,
overwrite=overwrite)
else:
if username in self._users.keys() and not overwrite:
raise UserAlreadyExists(username)
if not permissions:
permissions = []
permissions = self._to_permissions(*permissions)
if not groups:
groups = self._group_manager.default_groups
groups = self._to_groups(*groups)
self._users[username] = LDAPUser(username=username,
active=active,
permissions=permissions,
groups=groups,
dn=dn,
apikey=apikey)
self._dirty = True
self._save()
def _find_user_with_transformation(self, apikey, session, user, userid):
transformation = self.settings.get([SEARCH_TERM_TRANSFORM])
if not user and userid and transformation:
self.logger.debug("Transforming %s using %s" %
(userid, transformation))
transformed = getattr(str, transformation)(str(userid))
self.logger.debug("Search for user userid=%s" % transformed)
if transformed != userid:
userid = transformed
user = FilebasedUserManager.find_user(self,
userid=userid,
apikey=apikey,
session=session)
return user, userid
def find_user(self, userid=None, apikey=None, session=None):
self._logger.debug("Search for userid=%s, apiKey=%s, session=%s" % (userid, apikey, session))
user = FilebasedUserManager.find_user(self, userid=userid, apikey=apikey, session=session)
transformation = self.plugin_settings().get(["search_term_transform"])
if not user and userid and transformation:
self._logger.debug("Transforming %s using %s" % (userid, transformation))
transformed = getattr(str, transformation)(str(userid))
self._logger.debug("Search for user userid=%s" % transformed)
if transformed != userid:
userid = transformed
user = FilebasedUserManager.find_user(self, userid=userid, apikey=apikey, session=session)
if not user and userid:
self._logger.debug("User %s not found locally, treating as LDAP" % userid)
search_filter = self.plugin_settings().get(["search_filter"])
"""
operating on the wildly unsafe assumption that the admin who configures this plugin will have their head
screwed on right and NOT escaping their search strings... only escaping unsafe user-entered text that is
passed directly to search filters
"""
ldap_user = self.ldap_search(filter_format(search_filter, (userid,)))
if ldap_user is not None:
self._logger.debug("User %s found as dn=%s" % (userid, ldap_user["dn"]))
groups = self.group_filter(ldap_user["dn"])
if isinstance(groups, list):
self._logger.debug("Creating new LDAPUser %s" % userid)
# TODO: make username configurable or make dn configurable (e.g. could be userPrincipalName?)
if self.plugin_settings().get(["local_cache"]):
self.add_user(username=userid, dn=ldap_user["dn"], groups=groups, active=True)
user = self._users[userid]
else:
user = LDAPUser(username=userid, dn=ldap_user["dn"], groups=groups, active=True, )
return user
def check_password(self, username, password):
user = self.find_user(userid=username)
self._logger.debug("%s is a %s" % (username, type(user)))
if isinstance(user, LDAPUser):
# in case group settings changed either in auth_ldap settings OR on LDAP directory
groups = self.group_filter(user.get_distinguished_name())
if user.is_active() and isinstance(groups, list):
self.changeUserGroups(user.get_name(), groups)
self._logger.debug("Checking %s password via LDAP" % user.get_name())
client = self.get_ldap_client(user.get_distinguished_name(), password)
return client is not None
else:
self._logger.debug("%s is inactive or no longer a member of required groups" % user.get_name())
else:
self._logger.debug("Checking %s password via users.yaml" % user.get_name())
return FilebasedUserManager.check_password(self, user.get_name(), password)
return False
def __init__(self, plugin, **kwargs):
self._plugin = plugin
# noinspection PyArgumentList
ldapgroups = LDAPGroupManager(self)
FilebasedUserManager.__init__(self, ldapgroups, **kwargs)