File: res.py

package info (click to toggle)
tryton-modules-ldap-authentication 3.4.0-1
links: PTS, VCS
area: main
in suites: jessie, jessie-kfreebsd
size: 272 kB
ctags: 57
sloc: python: 330; makefile: 6
file content (175 lines) | stat: -rw-r--r-- 6,279 bytes
#This file is part of Tryton.  The COPYRIGHT file at the top level of
#this repository contains the full copyright notices and license terms.
import logging
import urlparse

import ldap
from trytond.transaction import Transaction
from trytond.pool import Pool, PoolMeta
from trytond.config import config, parse_uri

__all__ = ['User']
__metaclass__ = PoolMeta

logger = logging.getLogger(__name__)
section = 'ldap_authentication'


def parse_ldap_url(uri):
    unquote = urlparse.unquote
    uri = parse_uri(uri)
    dn = unquote(uri.path)[1:]
    attributes, scope, filter_, extensions = (
        uri.query.split('?') + [''] * 4)[:4]
    if not scope:
        scope = 'base'
    extensions = urlparse.parse_qs(extensions)
    return (uri, dn, unquote(attributes), unquote(scope), unquote(filter_),
        extensions)


def ldap_connection():
    uri = config.get(section, 'uri')
    if not uri:
        return
    uri, _, _, _, _, extensions = parse_ldap_url(uri)
    if uri.scheme.startswith('ldaps'):
        scheme, port = 'ldaps', 636
    else:
        scheme, port = 'ldap', 389
    conn = ldap.initialize('%s://%s:%s/' % (
            scheme, uri.hostname, uri.port or port))
    if config.getboolean(section, 'active_directory', 'False'):
        conn.set_option(ldap.OPT_REFERRALS, 0)
    if 'tls' in uri.scheme:
        conn.start_tls_s()

    bindname = extensions.get('bindname')
    if not bindname:
        bindname = extensions.get('!bindname')
    if bindname:
        # XXX find better way to get the password
        conn.simple_bind_s(bindname, config.get(section, 'bind_pass'))
    return conn


class User:
    __name__ = 'res.user'

    @classmethod
    def __setup__(cls):
        super(User, cls).__setup__()
        cls._error_messages.update({
                'set_passwd_ldap_user': (
                    'You can not set the password of ldap user "%s".'),
                })

    @staticmethod
    def ldap_search_user(login, con, attrs=None):
        '''
        Return the result of a ldap search for the login using the ldap
        connection con based on connection.
        The attributes values defined in attrs will be return.
        '''
        _, dn, _, scope, filter_, _ = parse_ldap_url(
            config.get(section, 'uri'))
        scope = {
            'base': ldap.SCOPE_BASE,
            'onelevel': ldap.SCOPE_ONELEVEL,
            'subtree': ldap.SCOPE_SUBTREE,
            }.get(scope)
        uid = config.get(section, 'uid', 'uid')
        if filter_:
            filter_ = '(&(%s=%s)%s)' % (uid, login, filter_)
        else:
            filter_ = '(%s=%s)' % (uid, login)

        result = con.search_s(dn, scope, filter_, attrs)
        if config.get(section, 'active_directory'):
            result = [x for x in result if x[0]]
        if result and len(result) > 1:
            logger.info('ldap_search_user found more than 1 user')
        return result

    @classmethod
    def _check_passwd_ldap_user(cls, logins):
        find = False
        try:
            con = ldap_connection()
            if not con:
                return
            for login in logins:
                if cls.ldap_search_user(login, con, attrs=[]):
                    find = True
                    break
        except ldap.LDAPError, e:
            logger.error('LDAPError: %s' % str(e))
        if find:
            cls.raise_user_error('set_passwd_ldap_user', (login.rec_name,))

    @classmethod
    def create(cls, vlist):
        tocheck = []
        for values in vlist:
            if values.get('password') and 'login' in values:
                tocheck.append(values['login'])
        if tocheck:
            with Transaction().set_context(_check_access=False):
                cls._check_passwd_ldap_user(tocheck)
        return super(User, cls).create(vlist)

    @classmethod
    def write(cls, *args):
        actions = iter(args)
        for users, values in zip(actions, actions):
            if values.get('password'):
                logins = [x.login for x in users]
                cls._check_passwd_ldap_user(logins)
        super(User, cls).write(*args)

    @classmethod
    def set_preferences(cls, values, old_password=False):
        if 'password' in values:
            try:
                con = ldap_connection()
                if con:
                    user = cls(Transaction().user)
                    uid = config.get(section, 'uid', 'uid')
                    users = cls.ldap_search_user(user.login, con, attrs=[uid])
                    if users and len(users) == 1:
                        [(dn, attrs)] = users
                        if con.simple_bind_s(dn, old_password):
                            con.passwd_s(dn, old_password, values['password'])
                            values = values.copy()
                            del values['password']
                        else:
                            cls.raise_user_error('wrong_password')
            except ldap.LDAPError, e:
                logger.error('LDAPError: %s' % str(e))
        super(User, cls).set_preferences(values, old_password=old_password)

    @classmethod
    def get_login(cls, login, password):
        pool = Pool()
        LoginAttempt = pool.get('res.user.login.attempt')
        try:
            con = ldap_connection()
            if con:
                uid = config.get(section, 'uid', 'uid')
                users = cls.ldap_search_user(login, con, attrs=[uid])
                if users and len(users) == 1:
                    [(dn, attrs)] = users
                    if password and con.simple_bind_s(dn, password):
                        user_id, _ = cls._get_login(login)
                        if user_id:
                            LoginAttempt.remove(login)
                            return user_id
                        elif config.getboolean(section, 'create_user'):
                            user, = cls.create([{
                                        'name': attrs.get(uid, [login])[0],
                                        'login': login,
                                        }])
                            return user.id
        except ldap.LDAPError, e:
            logger.error('LDAPError: %s' % str(e))
        return super(User, cls).get_login(login, password)