示例#1
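    def _validate_set_ldap_request(self):
        """Validate the body of a "set LDAP configuration" request.

        The request is refused unless the manager holds only system reserved
        users and the premium edition is enabled. The JSON parameters are
        then verified and the optional ones normalised.

        Returns:
            The verified ``ldap_config`` dict. ``ldap_username`` and
            ``ldap_password`` default to ``''`` when absent, and
            ``ldap_is_active_directory`` is the result of
            ``rest_utils.verify_and_convert_bool``.

        Raises:
            MethodNotAllowedError: the manager is not clean, or the premium
                edition is not enabled.
            BadParametersError: ``ldap_server`` has neither an ``ldap://``
                nor an ``ldaps://`` prefix, the CA certificate does not fit
                the chosen scheme, or only one of username/password is set.
        """
        if not self._only_system_reserved_users_in_manager():
            raise MethodNotAllowedError('LDAP Configuration may be set only on'
                                        ' a clean manager.')
        if not premium_enabled:
            raise MethodNotAllowedError('LDAP is only supported in the '
                                        'Cloudify premium edition.')
        ldap_config = rest_utils.get_json_and_verify_params({
            'ldap_server': {},
            'ldap_username': {
                'optional': True
            },
            'ldap_password': {
                'optional': True
            },
            'ldap_domain': {},
            'ldap_is_active_directory': {
                'optional': True
            },
            'ldap_dn_extra': {},
            'ldap_ca_cert': {
                'optional': True
            },
        })
        # Missing credentials default to '' so that the both-or-neither check
        # below treats "absent" and "empty" the same way.
        ldap_config['ldap_username'] = ldap_config.get('ldap_username', '')
        ldap_config['ldap_password'] = ldap_config.get('ldap_password', '')
        ldap_config['ldap_is_active_directory'] = \
            rest_utils.verify_and_convert_bool(
                'ldap_is_active_directory',
                ldap_config.get('ldap_is_active_directory') or False
            )

        if ldap_config['ldap_server'].startswith('ldaps://'):
            # Test the value, not just the key: a request carrying
            # "ldap_ca_cert": "" or null has the key present, and a bare
            # membership test would accept ldaps with no usable trust anchor.
            if not ldap_config.get('ldap_ca_cert'):
                raise BadParametersError(
                    'A CA certificate must be provided to use ldaps.')
        elif ldap_config['ldap_server'].startswith('ldap://'):
            # Membership test kept as-is: any supplied ldap_ca_cert key,
            # even an empty one, is rejected for a non-TLS URL.
            # NOTE(review): with ldap:// no certificate is configured here,
            # so the bind password presumably travels without TLS unless
            # the LDAP client negotiates StartTLS. Confirm downstream.
            if 'ldap_ca_cert' in ldap_config:
                raise BadParametersError(
                    'CA certificate cannot be provided when not using ldaps.')
        else:
            # The prefix match is case-sensitive; any other scheme (or none)
            # is refused rather than guessed.
            raise BadParametersError(
                'ldap_server must specify protocol and should specify port, '
                'e.g. ldap://192.0.2.1:389 or ldaps://192.0.2.45:636')

        if ((ldap_config['ldap_username'] and not ldap_config['ldap_password'])
                or (ldap_config['ldap_password']
                    and not ldap_config['ldap_username'])):
            raise BadParametersError(
                'Must supply either both username and password or neither. '
                'Note that an empty username or password is invalid')

        return ldap_config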
示例#2
 def _validate_set_ldap_request(self):
     """Check the preconditions for setting LDAP and return the request body.

     Raises MethodNotAllowedError when ``self._only_admin_in_manager()`` is
     falsy or when ``current_app.premium_enabled`` is falsy. Otherwise
     returns whatever ``rest_utils.get_json_and_verify_params`` yields for
     the six LDAP parameter names.
     """
     manager_is_clean = self._only_admin_in_manager()
     if not manager_is_clean:
         raise MethodNotAllowedError('LDAP Configuration may be set only on'
                                     ' a clean manager.')

     premium = current_app.premium_enabled
     if not premium:
         raise MethodNotAllowedError('LDAP is only supported in the '
                                     'Cloudify premium edition.')

     # Parameter names handed to the verifier as a set (no per-key options).
     expected_params = {
         'ldap_server',
         'ldap_username',
         'ldap_password',
         'ldap_domain',
         'ldap_is_active_directory',
         'ldap_dn_extra',
     }
     return rest_utils.get_json_and_verify_params(expected_params)
示例#3
    def _validate_set_ldap_request(self):
        """Validate a "set LDAP configuration" request and return its body.

        Raises MethodNotAllowedError when ``self._only_admin_in_manager()``
        is falsy or the premium edition is not enabled, and
        BadParametersError when exactly one of username/password is set.
        The returned dict has ``ldap_username`` and ``ldap_password``
        defaulted to ``''`` when absent, and ``ldap_is_active_directory``
        replaced by the result of ``rest_utils.verify_and_convert_bool``.
        """
        if not self._only_admin_in_manager():
            raise MethodNotAllowedError('LDAP Configuration may be set only on'
                                        ' a clean manager.')
        if not premium_enabled:
            raise MethodNotAllowedError('LDAP is only supported in the '
                                        'Cloudify premium edition.')

        param_spec = {
            'ldap_server': {},
            'ldap_username': {'optional': True},
            'ldap_password': {'optional': True},
            'ldap_domain': {},
            'ldap_is_active_directory': {'optional': True},
            'ldap_dn_extra': {},
        }
        ldap_config = rest_utils.get_json_and_verify_params(param_spec)

        # Absent credentials become '' so the pairing check below sees
        # "missing" and "empty" identically.
        for credential in ('ldap_username', 'ldap_password'):
            ldap_config[credential] = ldap_config.get(credential, '')

        is_ad_raw = ldap_config.get('ldap_is_active_directory') or False
        ldap_config['ldap_is_active_directory'] = \
            rest_utils.verify_and_convert_bool(
                'ldap_is_active_directory', is_ad_raw)

        # Exactly one of the two being set is the only invalid combination.
        has_username = bool(ldap_config['ldap_username'])
        has_password = bool(ldap_config['ldap_password'])
        if has_username != has_password:
            raise BadParametersError(
                'Must supply either both username and password or neither. '
                'Note that an empty username or password is invalid')

        return ldap_config
示例#4
 def put(self, multi_tenancy):
     """
     Add a user to a group.

     Refused with MethodNotAllowedError when ``current_app.ldap`` is truthy.
     Otherwise ``username`` and ``group_name`` are read from the JSON body,
     passed through ``rest_utils.validate_inputs``, and handed to
     ``multi_tenancy.add_user_to_group``, whose result is returned.
     """
     ldap_in_use = current_app.ldap
     if ldap_in_use:
         raise MethodNotAllowedError(
             'Explicit group to user association is not permitted when '
             'using LDAP. Group association to users is done automatically'
             ' according to the groups associated with the user in LDAP.')

     expected_params = {'username', 'group_name'}
     request_dict = rest_utils.get_json_and_verify_params(expected_params)
     rest_utils.validate_inputs(request_dict)

     username = request_dict['username']
     group_name = request_dict['group_name']
     return multi_tenancy.add_user_to_group(username, group_name)
示例#5
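    def _validate_set_ldap_request(self):
        """Validate the body of a "set LDAP configuration" request.

        The request is refused unless the premium edition is enabled. The
        JSON parameters are then verified and normalised:
        ``ldap_nested_levels`` defaults to 1 or is passed through
        ``rest_utils.convert_to_int``, every ``None`` value becomes ``''``,
        and ``ldap_is_active_directory`` is the result of
        ``rest_utils.verify_and_convert_bool``.

        Returns:
            The verified and normalised ``ldap_config`` dict.

        Raises:
            MethodNotAllowedError: the premium edition is not enabled.
            BadParametersError: ``ldap_server`` has neither an ``ldap://``
                nor an ``ldaps://`` prefix, the CA certificate does not fit
                the chosen scheme, or only one of username/password is set.
        """
        if not premium_enabled:
            raise MethodNotAllowedError('LDAP is only supported in the '
                                        'Cloudify premium edition.')
        base_substitutions = ['base_dn', 'domain_dn', 'group_dn']
        ldap_config = rest_utils.get_json_and_verify_params({
            'ldap_server': {},
            'ldap_domain': {},
            'ldap_username': {'optional': True},
            'ldap_password': {'optional': True},
            'ldap_is_active_directory': {'optional': True},
            'ldap_dn_extra': {'optional': True},
            'ldap_ca_cert': {'optional': True},
            'ldap_nested_levels': {'optional': True},
            'ldap_bind_format': {
                'optional': True,
                'allowed_substitutions': [
                    'username', 'domain'] + base_substitutions,
            },
            'ldap_group_dn': {
                'optional': True,
                'allowed_substitutions': ['base_dn', 'domain_dn'],
            },
            'ldap_base_dn': {'optional': True},
            'ldap_group_member_filter': {
                'optional': True,
                'allowed_substitutions': ['object_dn']
            },
            'ldap_user_filter': {
                'optional': True,
                'allowed_substitutions': ['username'] + base_substitutions,
            },
            'ldap_attribute_email': {'optional': True},
            'ldap_attribute_first_name': {'optional': True},
            'ldap_attribute_last_name': {'optional': True},
            'ldap_attribute_uid': {'optional': True},
            'ldap_attribute_group_membership': {'optional': True},
        })

        # NOTE(review): no range check is applied to ldap_nested_levels in
        # this method; confirm that convert_to_int or the consumer bounds it.
        if ldap_config.get('ldap_nested_levels') is None:
            ldap_config['ldap_nested_levels'] = 1
        else:
            ldap_config['ldap_nested_levels'] = rest_utils.convert_to_int(
                ldap_config['ldap_nested_levels'])

        for attr in ldap_config:
            if ldap_config[attr] is None:
                # Otherwise we try to set None on the config entry, which is
                # not a string.
                ldap_config[attr] = ''

        ldap_config['ldap_is_active_directory'] = \
            rest_utils.verify_and_convert_bool(
                'ldap_is_active_directory',
                ldap_config.get('ldap_is_active_directory') or False
            )

        if ldap_config['ldap_server'].startswith('ldaps://'):
            # Test the value, not just the key: the loop above turns an
            # explicit null into '', which leaves the key present. A bare
            # membership test would accept ldaps with no usable trust anchor.
            if not ldap_config.get('ldap_ca_cert'):
                raise BadParametersError(
                    'A CA certificate must be provided to use ldaps.'
                )
        elif ldap_config['ldap_server'].startswith('ldap://'):
            # Membership test kept as-is: any supplied ldap_ca_cert key,
            # even an empty one, is rejected for a non-TLS URL.
            # NOTE(review): with ldap:// no certificate is configured here,
            # so the bind password presumably travels without TLS unless
            # the LDAP client negotiates StartTLS. Confirm downstream.
            if 'ldap_ca_cert' in ldap_config:
                raise BadParametersError(
                    'CA certificate cannot be provided when not using ldaps.'
                )
        else:
            # The prefix match is case-sensitive; any other scheme (or none)
            # is refused rather than guessed.
            raise BadParametersError(
                'ldap_server must specify protocol and should specify port, '
                'e.g. ldap://192.0.2.1:389 or ldaps://192.0.2.45:636'
            )

        # Bind credentials are all-or-nothing: exactly one being set is the
        # only invalid combination.
        user = ldap_config.get('ldap_username')
        password = ldap_config.get('ldap_password')
        if (user or password) and not (user and password):
            raise BadParametersError(
                'Must supply either both username and password or neither. '
                'Note that an empty username or password is invalid')

        return ldap_config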