Merge pull request #31 from buxx/feature/ldap

.travis.yml

 install:
   - "cd tracim && python setup.py develop; cd -"
   - "pip install -r install/requirements.txt; echo"
-  - "./bin/tg2env-patch 1 /home/travis/virtualenv/python3.2.5/lib/python3.2/site-packages"
-  - "pip install -r install/requirements.txt; echo"
-  - "./bin/tg2env-patch 2 /home/travis/virtualenv/python3.2.5/lib/python3.2/site-packages"
   - "pip install coveralls"
 
 before_script:

README.md

     website.title = My Company Intranet
     website.base_url = http://intranet.mycompany.com:8080
 
+#### LDAP ####
+
+To use LDAP authentication, set ``auth_type`` parameter to "ldap":
+
+    auth_type = ldap
+
+Then add LDAP parameters
+
+    # LDAP server address
+    ldap_url = ldap://localhost:389
+
+    # Base dn to make queries
+    ldap_base_dn = dc=directory,dc=fsf,dc=org
+
+    # Bind dn to identify the search
+    ldap_bind_dn = cn=admin,dc=directory,dc=fsf,dc=org
+
+    # The bind password
+    ldap_bind_pass = toor
+
+    # Attribute name of user record who contain user login (email)
+    ldap_ldap_naming_attribute = uid
+
+    # Matching between ldap attribute and ldap user field (ldap_attr1=user_field1,ldap_attr2=user_field2,...)
+    ldap_user_attributes = mail=email
+
+    # TLS usage to communicate with your LDAP server
+    ldap_tls = False
+
+    # If True, LDAP own tracim group managment (not available for now!)
+    ldap_group_enabled = False
+
+You may need an administrator account to manage Tracim. Use the following command (from ``/install/dir/of/tracim/tracim``):
+
+```
+gearbox user create -l admin-email@domain.com -g managers -g administrators
+```
+
+Keep in mind ``admin-email@domain.com`` must match with LDAP user.
+
 #### Other parameters  ####
 
 There are other parameters which may be of some interest for you. For example, you can:

install/requirements.txt

-Babel==1.3
+Babel==2.2
 Beaker==1.6.4
 CherryPy==3.6.0
 FormEncode==1.3.0a1
 tgext.admin==0.6.4
 tgext.asyncjob==0.3.1
 tgext.crud==0.7.3
-tgext.pluggable==0.5.4
+tgext.pluggable==0.5.5
 transaction==1.4.4
 tw2.core==2.2.2
 tw2.forms==2.2.2.1
 zope.sqlalchemy==0.7.6
 tgapp-resetpassword==0.1.3
 lxml
+python-ldap-test==0.2.0
+who-ldap==3.1.0

tracim/development.ini.base

 beaker.session.key = tracim
 beaker.session.secret = 3283411b-1904-4554-b0e1-883863b53080
 
+# Auth type (internal or ldap)
+auth_type = internal
+
+# If auth_type is ldap, uncomment following ldap_* parameters
+
+# LDAP server address
+# ldap_url = ldap://localhost:389
+
+# Base dn to make queries
+# ldap_base_dn = dc=directory,dc=fsf,dc=org
+
+# Bind dn to identify the search
+# ldap_bind_dn = cn=admin,dc=directory,dc=fsf,dc=org
+
+# The bind password
+# ldap_bind_pass = toor
+
+# Attribute name of user record who contain user login (email)
+# ldap_ldap_naming_attribute = uid
+
+# Matching between ldap attribute and ldap user field (ldap_attr1=user_field1,ldap_attr2=user_field2,...)
+# ldap_user_attributes = mail=email
+
+# TLS usage to communicate with your LDAP server
+# ldap_tls = False
+
+# If True, LDAP own tracim group managment (not available for now!)
+# ldap_group_enabled = False
+
 #By default session is store in cookies to avoid the overhead
 #of having to manage a session storage. On production you might
 #want to switch to a better session storage.

tracim/migration/versions/b73e57760b36_add_user_field_for_imported_profiles.py

+"""Add User field for imported profiles
+
+Revision ID: b73e57760b36
+Revises: 43a323cc661
+Create Date: 2016-02-09 11:00:22.694054
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'b73e57760b36'
+down_revision = '43a323cc661'
+
+import sqlalchemy as sa
+from alembic import op
+
+
+def upgrade():
+    op.add_column('users', sa.Column('imported_from', sa.Unicode(length=32), nullable=True))
+
+
+def downgrade():
+    op.drop_column('users', 'imported_from')

tracim/setup.py

                ]
 
 install_requires=[
-    "TurboGears2 >= 2.3.7",
+    "TurboGears2==2.3.7",
     "Genshi",
     "Mako",
     "zope.sqlalchemy >= 0.4",
     "sqlalchemy",
     "alembic",
     "repoze.who",
+    "who-ldap==3.1.0",
+    "python-ldap-test==0.2.0",
     ]
 
 setup(
         ],
         'gearbox.plugins': [
             'turbogears-devtools = tg.devtools'
+        ],
+        'gearbox.commands': [
+            'ldap_server = tracim.command.ldap_test_server:LDAPTestServerCommand',
+            'user_create = tracim.command.user:CreateUserCommand',
+            'user_update = tracim.command.user:UpdateUserCommand',
         ]
     },
     dependency_links=[
-        "http://tg.gy/230"
+        "http://tg.gy/230",
         ],
     zip_safe=False
 )

tracim/test.ini

 use = main
 skip_authentication = True
 
+[app:ldap]
+sqlalchemy.url = postgresql://postgres:dummy@127.0.0.1:5432/tracim_test?client_encoding=utf8
+auth_type = ldap
+ldap_url = ldap://localhost:3333
+ldap_base_dn = dc=directory,dc=fsf,dc=org
+ldap_bind_dn = cn=admin,dc=directory,dc=fsf,dc=org
+ldap_bind_pass = toor
+ldap_ldap_naming_attribute = uid
+ldap_user_attributes = mail=email,pubname=display_name
+ldap_tls = False
+ldap_group_enabled = False
+use = config:development.ini
+
 # Add additional test specific configuration options as necessary.

tracim/tracim/command/__init__.py

+# -*- coding: utf-8 -*-
+import argparse
+import os
+import sys
+
+import transaction
+from gearbox.command import Command
+from paste.deploy import loadapp
+from webtest import TestApp
+
+from tracim.lib.exception import CommandAbortedError
+
+
+class BaseCommand(Command):
+    """ Setup ap at take_action call """
+    auto_setup_app = True
+
+    def run(self, parsed_args):
+        try:
+            super().run(parsed_args)
+        except CommandAbortedError as exc:
+            if parsed_args.raise_error:
+                raise
+            print(exc)
+
+    def get_parser(self, prog_name):
+        parser = super().get_parser(prog_name)
+
+        parser.add_argument(
+            "--raise",
+            help='Raise CommandAbortedError errors instead print it\'s message',
+            dest='raise_error',
+            action='store_true',
+        )
+
+        return parser
+
+
+class AppContextCommand(BaseCommand):
+    """
+    Command who initialize app context at beginning of take_action method.
+    """
+
+    def __init__(self, *args, **kwargs):
+        super(AppContextCommand, self).__init__(*args, **kwargs)
+
+    @staticmethod
+    def _get_initialized_app_context(parsed_args):
+        """
+        :param parsed_args: parsed args (eg. from take_action)
+        :return: (wsgi_app, test_app)
+        """
+        config_file = parsed_args.config_file
+        config_name = 'config:%s' % config_file
+        here_dir = os.getcwd()
+
+        # Load locals and populate with objects for use in shell
+        sys.path.insert(0, here_dir)
+
+        # Load the wsgi app first so that everything is initialized right
+        wsgi_app = loadapp(config_name, relative_to=here_dir)
+        test_app = TestApp(wsgi_app)
+
+        # Make available the tg.request and other global variables
+        tresponse = test_app.get('/_test_vars')
+
+        return wsgi_app, test_app
+
+    def take_action(self, parsed_args):
+        super(AppContextCommand, self).take_action(parsed_args)
+        if self.auto_setup_app:
+            self._get_initialized_app_context(parsed_args)
+
+    def get_parser(self, prog_name):
+        parser = super(AppContextCommand, self).get_parser(prog_name)
+
+        parser.add_argument("-c", "--config",
+                            help='application config file to read (default: development.ini)',
+                            dest='config_file', default="development.ini")
+        return parser
+
+    def run(self, parsed_args):
+        super().run(parsed_args)
+        transaction.commit()
+
+
+class Extender(argparse.Action):
+    """
+    Copied class from http://stackoverflow.com/a/12461237/801924
+    """
+    def __call__(self, parser, namespace, values, option_strings=None):
+        # Need None here incase `argparse.SUPPRESS` was supplied for `dest`
+        dest = getattr(namespace, self.dest, None)
+        # print dest,self.default,values,option_strings
+        if not hasattr(dest, 'extend') or dest == self.default:
+            dest = []
+            setattr(namespace, self.dest, dest)
+            # if default isn't set to None, this method might be called
+            # with the default as `values` for other arguements which
+            # share this destination.
+            parser.set_defaults(**{self.dest: None})
+        try:
+            dest.extend(values)
+        except ValueError:
+            dest.append(values)

tracim/tracim/command/ldap_test_server.py

+from time import sleep
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from gearbox.command import Command
+from ldap_test import LdapServer
+
+
+class LDAPTestServerCommand(Command):
+
+    def get_description(self):
+        return '''Run a test LDAP server.'''
+
+    def take_action(self, parsed_args):
+        # TODO - B.S. - 20160210: paramètre argv pour preciser les fixtures
+        server = LdapServer(ldap_test_server_fixtures)
+        print("Starting LDAP server on localhost (port %d)" % ldap_test_server_fixtures.get('port'))
+        print("Press CTRL+C to stop it")
+        server.start()
+        try:
+            while True:
+                sleep(1)
+        except KeyboardInterrupt:
+            pass

tracim/tracim/command/user.py

+# -*- coding: utf-8 -*-
+import transaction
+from sqlalchemy.exc import IntegrityError
+from tg import config
+
+from tracim.command import AppContextCommand, Extender
+from tracim.lib.auth.ldap import LDAPAuth
+from tracim.lib.exception import AlreadyExistError, CommandAbortedError
+from tracim.lib.group import GroupApi
+from tracim.lib.user import UserApi
+from tracim.model import DBSession, User
+
+
+class UserCommand(AppContextCommand):
+
+    ACTION_CREATE = 'create'
+    ACTION_UPDATE = 'update'
+
+    action = NotImplemented
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._session = DBSession
+        self._transaction = transaction
+        self._user_api = UserApi(None)
+        self._group_api = GroupApi(None)
+
+    def get_description(self):
+        return '''Create or update user.'''
+
+    def get_parser(self, prog_name):
+        parser = super().get_parser(prog_name)
+
+        parser.add_argument(
+            "-l",
+            "--login",
+            help='User login (email)',
+            dest='login',
+            required=True
+        )
+
+        parser.add_argument(
+            "-p",
+            "--password",
+            help='User password',
+            dest='password',
+            required=False,
+            default=None
+        )
+
+        parser.add_argument(
+            "-g",
+            "--add-to-group",
+            help='Add user to group',
+            dest='add_to_group',
+            nargs='*',
+            action=Extender,
+            default=[],
+        )
+
+        parser.add_argument(
+            "-rmg",
+            "--remove-from-group",
+            help='Remove user from group',
+            dest='remove_from_group',
+            nargs='*',
+            action=Extender,
+            default=[],
+        )
+
+        return parser
+
+    def _user_exist(self, login):
+        return self._user_api.user_with_email_exists(login)
+
+    def _get_group(self, name):
+        return self._group_api.get_one_with_name(name)
+
+    def _add_user_to_named_group(self, user, group_name):
+        group = self._get_group(group_name)
+        if user not in group.users:
+            group.users.append(user)
+        self._session.flush()
+
+    def _remove_user_from_named_group(self, user, group_name):
+        group = self._get_group(group_name)
+        if user in group.users:
+            group.users.remove(user)
+        self._session.flush()
+
+    def _create_user(self, login, password, **kwargs):
+        if not password:
+            if self._password_required():
+                raise CommandAbortedError("You must provide -p/--password parameter")
+            password = ''
+
+        try:
+            user = User(email=login, password=password, **kwargs)
+            self._session.add(user)
+            self._session.flush()
+        except IntegrityError:
+            self._session.rollback()
+            raise AlreadyExistError()
+
+        return user
+
+    def _update_password_for_login(self, login, password):
+        user = self._user_api.get_one_by_email(login)
+        user.password = password
+        self._session.flush()
+        transaction.commit()
+
+    def take_action(self, parsed_args):
+        super().take_action(parsed_args)
+
+        user = self._proceed_user(parsed_args)
+        self._proceed_groups(user, parsed_args)
+
+        print("User created/updated")
+
+    def _proceed_user(self, parsed_args):
+        self._check_context(parsed_args)
+
+        if self.action == self.ACTION_CREATE:
+            try:
+                user = self._create_user(login=parsed_args.login, password=parsed_args.password)
+            except AlreadyExistError:
+                raise CommandAbortedError("Error: User already exist (use `user update` command instead)")
+        else:
+            if parsed_args.password:
+                self._update_password_for_login(login=parsed_args.login, password=parsed_args.password)
+            user = self._user_api.get_one_by_email(parsed_args.login)
+
+        return user
+
+    def _proceed_groups(self, user, parsed_args):
+        # User always in "users" group
+        self._add_user_to_named_group(user, 'users')
+
+        for group_name in parsed_args.add_to_group:
+            self._add_user_to_named_group(user, group_name)
+
+        for group_name in parsed_args.remove_from_group:
+            self._remove_user_from_named_group(user, group_name)
+
+    def _password_required(self):
+        if config.get('auth_type') == LDAPAuth.name:
+            return False
+        return True
+
+    def _check_context(self, parsed_args):
+        if config.get('auth_type') == LDAPAuth.name:
+            auth_instance = config.get('auth_instance')
+            if not auth_instance.ldap_auth.user_exist(parsed_args.login):
+                raise LDAPUserUnknown(
+                    "LDAP is enabled and user with login/email \"%s\" not found in LDAP" % parsed_args.login
+                )
+
+
+class CreateUserCommand(UserCommand):
+    action = UserCommand.ACTION_CREATE
+
+
+class UpdateUserCommand(UserCommand):
+    action = UserCommand.ACTION_UPDATE
+
+
+class LDAPUserUnknown(CommandAbortedError):
+    pass

tracim/tracim/config/__init__.py

 # -*- coding: utf-8 -*-
+from tg import AppConfig
 
+from tracim.lib.auth.wrapper import AuthConfigWrapper
+
+
+class TracimAppConfig(AppConfig):
+    """
+    Tracim specific config processes.
+    """
+
+    def after_init_config(self, conf):
+        AuthConfigWrapper.wrap(conf)
+        #  Fix tg2 problem: https://groups.google.com/forum/#!topic/turbogears/oL_04O6eCQQ
+        self.auth_backend = conf.get('auth_backend')
+        self.sa_auth = conf.get('sa_auth')

tracim/tracim/config/app_cfg.py

 import tg
 from paste.deploy.converters import asbool
 
-from tg.configuration import AppConfig
 from tgext.pluggable import plug
 from tgext.pluggable import replace_template
 
 
 import tracim
 from tracim import model
+from tracim.config import TracimAppConfig
 from tracim.lib import app_globals, helpers
+from tracim.lib.auth.wrapper import AuthConfigWrapper
 from tracim.lib.base import logger
 from tracim.model.data import ActionDescription
 from tracim.model.data import ContentType
 
-base_config = AppConfig()
+base_config = TracimAppConfig()
 base_config.renderers = []
 base_config.use_toscawidgets = False
 base_config.use_toscawidgets2 = True
 base_config.model = tracim.model
 base_config.DBSession = tracim.model.DBSession
 
+# This value can be modified by tracim.lib.auth.wrapper.AuthConfigWrapper but have to be specified before
+base_config.auth_backend = 'sqlalchemy'
 
 # base_config.flash.cookie_name
 # base_config.flash.default_status -> Default message status if not specified (ok by default)
 # YOU MUST CHANGE THIS VALUE IN PRODUCTION TO SECURE YOUR APP 
 base_config.sa_auth.cookie_secret = "3283411b-1904-4554-b0e1-883863b53080"
 
-base_config.auth_backend = 'sqlalchemy'
-
-# what is the class you want to use to search for users in the database
-base_config.sa_auth.user_class = model.User
-
-from tg.configuration.auth import TGAuthMetadata
-
-from sqlalchemy import and_
-#This tells to TurboGears how to retrieve the data for your user
-class ApplicationAuthMetadata(TGAuthMetadata):
-
-    def __init__(self, sa_auth):
-        self.sa_auth = sa_auth
-
-    def authenticate(self, environ, identity):
-        user = self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(
-            self.sa_auth.user_class.is_active==True,
-            self.sa_auth.user_class.email==identity['login']
-        )).first()
-
-        if user and user.validate_password(identity['password']):
-            return identity['login']
-    def get_user(self, identity, userid):
-        return self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(self.sa_auth.user_class.is_active==True, self.sa_auth.user_class.email==userid)).first()
-    def get_groups(self, identity, userid):
-        return [g.group_name for g in identity['user'].groups]
-    def get_permissions(self, identity, userid):
-        return [p.permission_name for p in identity['user'].permissions]
-
-base_config.sa_auth.dbsession = model.DBSession
-
-base_config.sa_auth.authmetadata = ApplicationAuthMetadata(base_config.sa_auth)
-
-# You can use a different repoze.who Authenticator if you want to
-# change the way users can login
-#base_config.sa_auth.authenticators = [('myauth', SomeAuthenticator()]
-
-# You can add more repoze.who metadata providers to fetch
-# user metadata.
-# Remember to set base_config.sa_auth.authmetadata to None
-# to disable authmetadata and use only your own metadata providers
-#base_config.sa_auth.mdproviders = [('myprovider', SomeMDProvider()]
-
-# override this if you would like to provide a different who plugin for
-# managing login and logout of your application
-base_config.sa_auth.form_plugin = None
-
-# You may optionally define a page where you want users to be redirected to
-# on login:
-base_config.sa_auth.post_login_url = '/post_login'
-
-# You may optionally define a page where you want users to be redirected to
-# on logout:
-base_config.sa_auth.post_logout_url = '/post_logout'
-
 # INFO - This is the way to specialize the resetpassword email properties
 # plug(base_config, 'resetpassword', None, mail_subject=reset_password_email_subject)
 plug(base_config, 'resetpassword', 'reset_password')

tracim/tracim/config/deployment.ini_tmpl

 beaker.session.secret = ${app_instance_secret}
 app_instance_uuid = ${app_instance_uuid}
 
+# Auth type (internal or ldap)
+auth_type = internal
+
 # If you'd like to fine-tune the individual locations of the cache data dirs
 # for the Cache data, or the Session saves, un-comment the desired settings
 # here:

tracim/tracim/controllers/__init__.py

         :param kw:
         :return:
         """
+        super()._before(*args, **kw)
         TIMRestPathContextSetup.current_user()
 
 
         :param kw:
         :return:
         """
+        super()._before(*args, **kw)
         TIMRestPathContextSetup.current_user()
 
     @classmethod

tracim/tracim/controllers/error.py

     @expose('tracim.templates.error')
     def document(self, *args, **kwargs):
         """Render the error document"""
-        resp = request.environ.get('pylons.original_response')
+        resp = request.environ.get('tg.original_response')
         default_message = ('<p>We\'re sorry but we weren\'t able to process '
                            ' this request.</p>')
 

tracim/tracim/controllers/user.py

 # -*- coding: utf-8 -*-
+from webob.exc import HTTPForbidden
 
 from tracim import model  as pm
 
 
     @tg.expose('tracim.templates.user_password_edit_me')
     def edit(self):
+        if not tg.config.get('auth_is_internal'):
+            raise HTTPForbidden()
+
         dictified_user = Context(CTX.USER).toDict(tmpl_context.current_user, 'user')
         return DictLikeClass(result = dictified_user)
 
     @tg.expose()
     def put(self, current_password, new_password1, new_password2):
+        if not tg.config.get('auth_is_internal'):
+            raise HTTPForbidden()
+
         # FIXME - Allow only self password or operation for managers
         current_user = tmpl_context.current_user
 
         current_user = tmpl_context.current_user
         assert user_id==current_user.user_id
 
+        # Only keep allowed field update
+        updated_fields = self._clean_update_fields({
+            'name': name,
+            'email': email
+        })
+
         api = UserApi(tmpl_context.current_user)
-        api.update(current_user, name, email, True)
+        api.update(current_user, do_save=True, **updated_fields)
         tg.flash(_('profile updated.'))
         if next_url:
             tg.redirect(tg.url(next_url))
         tg.redirect(self.url())
+
+    def _clean_update_fields(self, fields: dict):
+        """
+        Remove field key who are not allowed to be updated
+        :param fields: dict with field name key to be cleaned
+        :rtype fields: dict
+        :return:
+        """
+        auth_instance = tg.config.get('auth_instance')
+        if not auth_instance.is_internal:
+            externalized_fields_names = auth_instance.managed_fields
+            for externalized_field_name in externalized_fields_names:
+                if externalized_field_name in fields:
+                    fields.pop(externalized_field_name)
+        return fields

tracim/tracim/fixtures/__init__.py

+import transaction
+
+from tracim.model import DBSession
+
+
+class Fixture(object):
+
+    """ Fixture classes (list) required for this fixtures"""
+    require = NotImplemented
+
+    def __init__(self, session):
+        self._session = session
+
+    def insert(self):
+        raise NotImplementedError()
+
+
+class FixturesLoader(object):
+    """
+    Fixtures loader. Load each fixture once.
+    """
+
+    def __init__(self, loaded=None):
+        loaded = [] if loaded is None else loaded
+        self._loaded = loaded
+
+    def loads(self, fixtures_classes):
+        for fixture_class in fixtures_classes:
+            for required_fixture_class in fixture_class.require:
+                self._load(required_fixture_class)
+            self._load(fixture_class)
+
+    def _load(self, fixture_class):
+        if fixture_class not in self._loaded:
+            fixture = fixture_class(DBSession)
+            fixture.insert()
+            self._loaded.append(fixture_class)
+            DBSession.flush()
+            transaction.commit()

tracim/tracim/fixtures/ldap.py

+ldap_test_server_fixtures = {
+    'port': 3333,
+    'password': 'toor',
+
+    'bind_dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+    'base': {
+        'objectclass': ['dcObject', 'organization'],
+        'dn': 'dc=directory,dc=fsf,dc=org',
+        'attributes': {
+            'o': 'Free Software Foundation',
+            'dc': 'directory'
+        }
+    },
+
+    'entries': [
+        {
+            'objectclass': ['organizationalRole'],
+            'dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+            'attributes': {
+                'cn': 'admin'
+            }
+        },
+        {
+            'objectclass': ['organizationalUnit'],
+            'dn': 'ou=people,dc=directory,dc=fsf,dc=org',
+            'attributes': {
+                'ou': 'people',
+            }
+        },
+        {
+            'objectclass': ['organizationalUnit'],
+            'dn': 'ou=groups,dc=directory,dc=fsf,dc=org',
+            'attributes': {
+                'ou': 'groups',
+            }
+        },
+        {
+            'objectclass': ['account', 'top'],
+            'dn': 'cn=richard-not-real-email@fsf.org,ou=people,dc=directory,dc=fsf,dc=org',
+            'attributes': {
+                'uid': 'richard-not-real-email@fsf.org',
+                'userPassword': 'rms',
+                'mail': 'richard-not-real-email@fsf.org',
+                'pubname': 'Richard Stallman',
+            }
+        },
+        {
+            'objectclass': ['account', 'top'],
+            'dn': 'cn=lawrence-not-real-email@fsf.org,ou=people,dc=directory,dc=fsf,dc=org',
+            'attributes': {
+                'uid': 'lawrence-not-real-email@fsf.org',
+                'userPassword': 'foobarbaz',
+                'mail': 'lawrence-not-real-email@fsf.org',
+                'pubname': 'Lawrence Lessig',
+            }
+        },
+    ]
+}

tracim/tracim/fixtures/users_and_groups.py

+# -*- coding: utf-8 -*-
+from tracim import model
+from tracim.fixtures import Fixture
+
+
+class Base(Fixture):
+    require = []
+
+    def insert(self):
+        u = model.User()
+        u.display_name = 'Global manager'
+        u.email = 'admin@admin.admin'
+        u.password = 'admin@admin.admin'
+        self._session.add(u)
+
+        g1 = model.Group()
+        g1.group_id = 1
+        g1.group_name = 'users'
+        g1.display_name = 'Users'
+        g1.users.append(u)
+        self._session.add(g1)
+
+        g2 = model.Group()
+        g2.group_id = 2
+        g2.group_name = 'managers'
+        g2.display_name = 'Global Managers'
+        g2.users.append(u)
+        self._session.add(g2)
+
+        g3 = model.Group()
+        g3.group_id = 3
+        g3.group_name = 'administrators'
+        g3.display_name = 'Administrators'
+        g3.users.append(u)
+        self._session.add(g3)
+
+
+class Test(Fixture):
+    require = [Base, ]
+
+    def insert(self):
+        g2 = self._session.query(model.Group).filter(model.Group.group_name == 'managers').one()
+
+        lawrence = model.User()
+        lawrence.display_name = 'Lawrence L.'
+        lawrence.email = 'lawrence-not-real-email@fsf.org'
+        lawrence.password = 'foobarbaz'
+        self._session.add(lawrence)
+        g2.users.append(lawrence)

tracim/tracim/i18n/fr/LC_MESSAGES/tracim.po

-# French (France) translations for pod.
-# Copyright (C) 2014 ORGANIZATION
-# This file is distributed under the same license as the pod project.
-# FIRST AUTHOR <EMAIL@ADDRESS>, 2014.
+# French translations for tracim.
+# Copyright (C) 2016 ORGANIZATION
+# This file is distributed under the same license as the tracim project.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2016.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: pod 0.1\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2015-09-08 17:43+0200\n"
+"POT-Creation-Date: 2016-02-18 14:37+0100\n"
 "PO-Revision-Date: 2015-09-08 15:27+0100\n"
 "Last-Translator: Damien Accorsi <damien.accorsi@free.fr>\n"
+"Language: fr\n"
 "Language-Team: fr_FR <LL@li.org>\n"
 "Plural-Forms: nplurals=2; plural=(n > 1)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 1.3\n"
+"Generated-By: Babel 2.2.0\n"
 
-#: tracim/config/app_cfg.py:137
+#: tracim/config/app_cfg.py:86
 msgid "Password reset request"
 msgstr "Réinitialisation du mot de passe"
 
-#: tracim/config/app_cfg.py:138 tracim/config/app_cfg.py:167
+#: tracim/config/app_cfg.py:87 tracim/config/app_cfg.py:116
 #, python-format
 msgid ""
 "\n"
 " à l'originie de cette requête, merci d'ignorer et/ou supprimer cet "
 "e-mail.\n"
 
-#: tracim/config/app_cfg.py:154 tracim/templates/widgets/forms.mak:15
+#: tracim/config/app_cfg.py:103 tracim/templates/widgets/forms.mak:15
 #: tracim/templates/widgets/forms.mak:16 tracim/templates/widgets/forms.mak:39
 #: tracim/templates/widgets/forms.mak:40
 msgid "New password"
 msgstr "Nouveau mot de passe"
 
-#: tracim/config/app_cfg.py:155
+#: tracim/config/app_cfg.py:104
 msgid "Confirm new password"
 msgstr "Confirmer le nouveau mot de passe"
 
-#: tracim/config/app_cfg.py:156
+#: tracim/config/app_cfg.py:105
 msgid "Save new password"
 msgstr "Enregistrer le nouveau mot de passe"
 
-#: tracim/config/app_cfg.py:157 tracim/templates/admin/user_getall.mak:48
+#: tracim/config/app_cfg.py:106 tracim/templates/admin/user_getall.mak:48
 msgid "Email address"
 msgstr "Adresse email"
 
-#: tracim/config/app_cfg.py:158
+#: tracim/config/app_cfg.py:107
 msgid "Send Request"
 msgstr "Valider"
 
-#: tracim/config/app_cfg.py:161
+#: tracim/config/app_cfg.py:110
 msgid "Password reset request sent"
 msgstr "Requête de réinitialisation du mot de passe envoyée"
 
-#: tracim/config/app_cfg.py:162 tracim/config/app_cfg.py:164
+#: tracim/config/app_cfg.py:111 tracim/config/app_cfg.py:113
 msgid "Invalid password reset request"
 msgstr "Requête de réinitialisation du mot de passe invalide"
 
-#: tracim/config/app_cfg.py:163
+#: tracim/config/app_cfg.py:112
 msgid "Password reset request timed out"
 msgstr "Echec de la requête de réinitialisation du mot de passe"
 
-#: tracim/config/app_cfg.py:165
+#: tracim/config/app_cfg.py:114
 msgid "Password changed successfully"
 msgstr "Mot de passe changé"
 
-#: tracim/controllers/__init__.py:272 tracim/controllers/content.py:313
+#: tracim/controllers/__init__.py:273 tracim/controllers/content.py:313
 #: tracim/controllers/content.py:426
 msgid "{} updated"
 msgstr "{} mis(e) à jour"
 
-#: tracim/controllers/__init__.py:277 tracim/controllers/content.py:431
+#: tracim/controllers/__init__.py:278 tracim/controllers/content.py:431
 msgid "{} not updated: the content did not change"
 msgstr "{} non mis à jour : le contenu n'a pas changé"
 
-#: tracim/controllers/__init__.py:282 tracim/controllers/content.py:318
+#: tracim/controllers/__init__.py:283 tracim/controllers/content.py:318
 #: tracim/controllers/content.py:436
 msgid "{} not updated - error: {}"
 msgstr "{} pas mis(e) à jour - erreur : {}"
 
-#: tracim/controllers/__init__.py:296
+#: tracim/controllers/__init__.py:297
 msgid "{} status updated"
 msgstr "Statut de {} mis(e) à jour"
 
-#: tracim/controllers/__init__.py:300
+#: tracim/controllers/__init__.py:301
 msgid "{} status not updated: {}"
 msgstr "Statut de {} non mis(e) à jour : {}"
 
-#: tracim/controllers/__init__.py:332 tracim/controllers/content.py:839
+#: tracim/controllers/__init__.py:333 tracim/controllers/content.py:839
 msgid "{} archived. <a class=\"alert-link\" href=\"{}\">Cancel action</a>"
 msgstr "{} archivé(e). <a class=\"alert-link\" href=\"{}\">Annuler l'opération</a>"
 
-#: tracim/controllers/__init__.py:341 tracim/controllers/content.py:848
+#: tracim/controllers/__init__.py:342 tracim/controllers/content.py:848
 msgid "{} not archived: {}"
 msgstr "{} non archivé(e) : {}"
 
-#: tracim/controllers/__init__.py:354 tracim/controllers/content.py:862
+#: tracim/controllers/__init__.py:355 tracim/controllers/content.py:862
 msgid "{} unarchived."
 msgstr "{} désarchivé(e)"
 
-#: tracim/controllers/__init__.py:362 tracim/controllers/content.py:870
+#: tracim/controllers/__init__.py:363 tracim/controllers/content.py:870
 msgid "{} not un-archived: {}"
 msgstr "{} non désarchivé(e) : {}"
 
-#: tracim/controllers/__init__.py:380 tracim/controllers/content.py:90
+#: tracim/controllers/__init__.py:381 tracim/controllers/content.py:90
 #: tracim/controllers/content.py:887
 msgid "{} deleted. <a class=\"alert-link\" href=\"{}\">Cancel action</a>"
 msgstr ""
 "{} supprimé(e). <a class=\"alert-link\" href=\"{}\">Annuler "
 "l'opération</a>"
 
-#: tracim/controllers/__init__.py:389 tracim/controllers/content.py:101
+#: tracim/controllers/__init__.py:390 tracim/controllers/content.py:101
 #: tracim/controllers/content.py:896
 msgid "{} not deleted: {}"
 msgstr "{} non supprimé(e) : {}"
 
-#: tracim/controllers/__init__.py:404 tracim/controllers/content.py:118
+#: tracim/controllers/__init__.py:405 tracim/controllers/content.py:118
 #: tracim/controllers/content.py:911
 msgid "{} undeleted."
 msgstr "{} restauré(e)."
 
-#: tracim/controllers/__init__.py:414 tracim/controllers/content.py:130
+#: tracim/controllers/__init__.py:415 tracim/controllers/content.py:130
 #: tracim/controllers/content.py:921
 msgid "{} not un-deleted: {}"
 msgstr "{} non restauré(e) : {}"
 
-#: tracim/controllers/__init__.py:428
+#: tracim/controllers/__init__.py:429
 msgid "{} marked as read."
 msgstr "{} marqué \"lu\"."
 
-#: tracim/controllers/__init__.py:436
+#: tracim/controllers/__init__.py:437
 msgid "{} not marked as read: {}"
 msgstr "{} non marqué \"lu\" : {}"
 
-#: tracim/controllers/__init__.py:450
+#: tracim/controllers/__init__.py:451
 msgid "{} marked unread."
 msgstr "{} marqué \"non lu\"."
 
-#: tracim/controllers/__init__.py:458
+#: tracim/controllers/__init__.py:459
 msgid "{} not marked unread: {}"
 msgstr "{} non marqué \"non lu\" : {}"
 
 msgid "Successfully logged out. We hope to see you soon!"
 msgstr "Déconnexion réussie. Nous espérons vous revoir bientôt !"
 
-#: tracim/controllers/user.py:54
+#: tracim/controllers/user.py:55
 msgid "Notification enabled for workspace {}"
 msgstr "Notifications activées pour l'espace de travail {}"
 
-#: tracim/controllers/user.py:67
+#: tracim/controllers/user.py:68
 msgid "Notification disabled for workspace {}"
 msgstr "Notifications désactivées pour l'espace de travail {}"
 
-#: tracim/controllers/user.py:107 tracim/controllers/admin/user.py:203
+#: tracim/controllers/user.py:114 tracim/controllers/admin/user.py:203
 msgid "Empty password is not allowed."
 msgstr "Le mot de passe ne doit pas être vide"
 
-#: tracim/controllers/user.py:111
+#: tracim/controllers/user.py:118
 msgid "The current password you typed is wrong"
-msgstr "Le mot de passe que vous avez tapé est erroné"
+msgstr "Le mot de passe saisi est erroné"
 
-#: tracim/controllers/user.py:115 tracim/controllers/admin/user.py:207
+#: tracim/controllers/user.py:122 tracim/controllers/admin/user.py:207
 msgid "New passwords do not match."
 msgstr "Les mots de passe ne concordent pas"
 
-#: tracim/controllers/user.py:121
+#: tracim/controllers/user.py:128
 msgid "Your password has been changed"
 msgstr "Votre mot de passe a été changé"
 
-#: tracim/controllers/user.py:179
+#: tracim/controllers/user.py:192
 msgid "profile updated."
 msgstr "Profil mis à jour"
 
 msgid "The content did not changed"
 msgstr "Le contenu est inchangé"
 
-#: tracim/lib/helpers.py:34
+#: tracim/lib/helpers.py:33
 msgid "{date} at {time}"
 msgstr "{date} à {time}"
 
-#: tracim/lib/notifications.py:285
+#: tracim/lib/notifications.py:289
 msgid "<span id=\"content-intro-username\">{}</span> added a comment:"
 msgstr "<span id=\"content-intro-username\">{}</span> a ajouté un commentaire :"
 
-#: tracim/lib/notifications.py:287 tracim/lib/notifications.py:296
+#: tracim/lib/notifications.py:291 tracim/lib/notifications.py:300
 msgid "Answer"
 msgstr "Répondre"
 
-#: tracim/lib/notifications.py:293 tracim/lib/notifications.py:317
-#: tracim/lib/notifications.py:350
+#: tracim/lib/notifications.py:297 tracim/lib/notifications.py:321
+#: tracim/lib/notifications.py:354
 msgid "View online"
 msgstr "Voir en ligne"
 
-#: tracim/lib/notifications.py:297
+#: tracim/lib/notifications.py:301
 msgid "<span id=\"content-intro-username\">{}</span> started a thread entitled:"
 msgstr ""
 "<span id=\"content-intro-username\">{}</span> a lancé une discussion "
 "intitulée :"
 
-#: tracim/lib/notifications.py:302
+#: tracim/lib/notifications.py:306
 msgid "<span id=\"content-intro-username\">{}</span> added a file entitled:"
 msgstr ""
 "<span id=\"content-intro-username\">{}</span> a ajouté un fichier "
 "intitulé :"
 
-#: tracim/lib/notifications.py:312
+#: tracim/lib/notifications.py:316
 msgid "<span id=\"content-intro-username\">{}</span> added a page entitled:"
 msgstr ""
 "<span id=\"content-intro-username\">{}</span> a ajouté une page intitulée"
 " :"
 
-#: tracim/lib/notifications.py:320
+#: tracim/lib/notifications.py:324
 msgid "<span id=\"content-intro-username\">{}</span> uploaded a new revision."
 msgstr ""
 "<span id=\"content-intro-username\">{}</span> a téléchargé une nouvelle "
 "version."
 
-#: tracim/lib/notifications.py:324
+#: tracim/lib/notifications.py:328
 msgid "<span id=\"content-intro-username\">{}</span> updated this page."
 msgstr "<span id=\"content-intro-username\">{}</span> a mis à jour cette page."
 
-#: tracim/lib/notifications.py:329 tracim/lib/notifications.py:339
+#: tracim/lib/notifications.py:333 tracim/lib/notifications.py:343
 msgid "<p id=\"content-body-intro\">Here is an overview of the changes:</p>"
 msgstr "<p id=\"content-body-intro\">Voici un aperçu des modifications :</p>"
 
-#: tracim/lib/notifications.py:334
+#: tracim/lib/notifications.py:338
 msgid ""
 "<span id=\"content-intro-username\">{}</span> updated the thread "
 "description."
 "<span id=\"content-intro-username\">{}</span> a mis à jour la description"
 " de la discussion."
 
-#: tracim/lib/notifications.py:353
+#: tracim/lib/notifications.py:357
 msgid ""
 "<span id=\"content-intro-username\">{}</span> updated the file "
 "description."
 msgid "Welcome to your home, {username}."
 msgstr "Bienvenue, {username}."
 
-#: tracim/templates/home.mak:50 tracim/templates/user_toolbars.mak:55
+#: tracim/templates/home.mak:50 tracim/templates/user_toolbars.mak:63
 msgid "Not Read"
 msgstr "Non lus"
 
 msgid "Last activity: {datetime}"
 msgstr "Dernière activité : {datetime}"
 
-#: tracim/templates/home.mak:88 tracim/templates/user_toolbars.mak:56
+#: tracim/templates/home.mak:88 tracim/templates/user_toolbars.mak:64
 msgid "Recent Activity"
 msgstr "Activité récente"
 
 msgid "Edit user"
 msgstr "Modifier l'utilisateur"
 
-#: tracim/templates/user_toolbars.mak:18 tracim/templates/user_toolbars.mak:43
+#: tracim/templates/user_toolbars.mak:20 tracim/templates/user_toolbars.mak:49
 #: tracim/templates/widgets/forms.mak:7 tracim/templates/widgets/forms.mak:35
 msgid "Change password"
 msgstr "Changer le mot de passe"
 
-#: tracim/templates/user_toolbars.mak:18 tracim/templates/user_toolbars.mak:43
+#: tracim/templates/user_toolbars.mak:20 tracim/templates/user_toolbars.mak:49
 #: tracim/templates/admin/user_getall.mak:51
 msgid "Password"
 msgstr "Mot de passe"
 
-#: tracim/templates/user_toolbars.mak:24
+#: tracim/templates/user_toolbars.mak:28
 msgid "Disable user"
 msgstr "Désactiver l'utilisateur"
 
-#: tracim/templates/user_toolbars.mak:24
+#: tracim/templates/user_toolbars.mak:28
 msgid "Disable"
 msgstr "Désactiver"
 
-#: tracim/templates/user_toolbars.mak:26
+#: tracim/templates/user_toolbars.mak:30
 msgid "Enable user"
 msgstr "Activer l'utilisateur"
 
-#: tracim/templates/user_toolbars.mak:26
+#: tracim/templates/user_toolbars.mak:30
 msgid "Enable"
 msgstr "Activer"
 
-#: tracim/templates/user_toolbars.mak:42
+#: tracim/templates/user_toolbars.mak:46
 msgid "Edit my profile"
 msgstr "Mon profil"
 
-#: tracim/templates/user_toolbars.mak:47
+#: tracim/templates/user_toolbars.mak:55
 msgid "Go to..."
 msgstr "Voir..."
 
-#: tracim/templates/user_toolbars.mak:55
+#: tracim/templates/user_toolbars.mak:63
 msgid "Not read"
 msgstr "Non lus"
 
-#: tracim/templates/user_toolbars.mak:56
+#: tracim/templates/user_toolbars.mak:64
 msgid "Activity"
 msgstr "Activité"
 
-#: tracim/templates/user_toolbars.mak:57
+#: tracim/templates/user_toolbars.mak:65
 msgid "My Workspaces"
 msgstr "Mes espaces de travail"
 
-#: tracim/templates/user_toolbars.mak:57
+#: tracim/templates/user_toolbars.mak:65
 msgid "Spaces"
 msgstr "Espaces"
 
 #: tracim/templates/user_workspace_forms.mak:14
 #: tracim/templates/user_workspace_forms.mak:15
 #: tracim/templates/user_workspace_forms.mak:100
-#: tracim/templates/user_workspace_forms.mak:101
-#: tracim/templates/user_workspace_forms.mak:105
+#: tracim/templates/user_workspace_forms.mak:104
+#: tracim/templates/user_workspace_forms.mak:111
 #: tracim/templates/admin/user_getall.mak:43
 #: tracim/templates/admin/user_getall.mak:44
 #: tracim/templates/admin/workspace_getall.mak:41
 #: tracim/templates/user_workspace_forms.mak:39
 #: tracim/templates/user_workspace_forms.mak:58
 #: tracim/templates/user_workspace_forms.mak:81
-#: tracim/templates/user_workspace_forms.mak:110
+#: tracim/templates/user_workspace_forms.mak:116
 #: tracim/templates/admin/user_getall.mak:66
 #: tracim/templates/admin/workspace_getall.mak:53
 #: tracim/templates/admin/workspace_getone.mak:93
 msgid "Edit User"
 msgstr "Modifier l'utilisateur"
 
-#: tracim/templates/user_workspace_forms.mak:104
+#: tracim/templates/user_workspace_forms.mak:102
+#: tracim/templates/user_workspace_forms.mak:109
+msgid "This information is managed by an external application"
+msgstr "Cette information est gérée par une application externe"
+
+#: tracim/templates/user_workspace_forms.mak:107
 #: tracim/templates/admin/user_getall.mak:47
 #: tracim/templates/admin/user_getall.mak:106
 msgid "Email"

tracim/tracim/lib/auth/__init__.py

+from tracim.lib.auth.base import Auth

tracim/tracim/lib/auth/base.py

+# -*- coding: utf-8 -*-
+from tg.util import Bunch
+
+""" Backup of config.sa_auth """
+_original_sa_auth = None
+
+
+def _get_clean_sa_auth(config):
+    """
+    Return the original sa_auth parameter. Consider Original as it's content before first fill in configuration.
+    :param config: tg2 app config
+    :return: original sa_auth parameter
+    """
+    global _original_sa_auth
+
+    if _original_sa_auth is None:
+        _original_sa_auth = dict(config.get('sa_auth'))
+
+    sa_auth = Bunch()
+    sa_auth.update(_original_sa_auth)
+    return sa_auth
+
+
+class Auth(object):
+    """
+    Auth strategy base class
+    """
+
+    """ Auth strategy must be named: .ini config will use this name in auth_type parameter """
+    name = NotImplemented
+
+    """ When Auth is not internal, user account management are disabled (forgotten password, etc.) """
+    _internal = NotImplemented
+
+    def __init__(self, config):
+        self._config = config
+        self._managed_fields = []
+
+    @property
+    def is_internal(self):
+        return bool(self._internal)
+
+    @property
+    def managed_fields(self):
+        return self._managed_fields
+
+    def feed_config(self):
+        """
+        Fill config with auth needed. You must overload with whild implementation.
+        :return:
+        """
+        self._config['sa_auth'] = _get_clean_sa_auth(self._config)
+
+        self._config['auth_is_internal'] = self.is_internal
+
+        # override this if you would like to provide a different who plugin for
+        # managing login and logout of your application
+        self._config['sa_auth'].form_plugin = None
+
+        # You may optionally define a page where you want users to be redirected to
+        # on login:
+        self._config['sa_auth'].post_login_url = '/post_login'
+
+        # You may optionally define a page where you want users to be redirected to
+        # on logout:
+        self._config['sa_auth'].post_logout_url = '/post_logout'

tracim/tracim/lib/auth/internal.py

+# -*- coding: utf-8 -*-
+from sqlalchemy import and_
+from tg.configuration.auth import TGAuthMetadata
+
+from tracim.lib.auth.base import Auth
+from tracim.model import DBSession, User
+
+
+class InternalAuth(Auth):
+
+    name = 'internal'
+    _internal = True
+
+    def feed_config(self):
+        """
+        Fill config with internal (database) auth information.
+        :return:
+        """
+        super().feed_config()
+        self._config['sa_auth'].user_class = User
+        self._config['auth_backend'] = 'sqlalchemy'
+        self._config['sa_auth'].dbsession = DBSession
+        self._config['sa_auth'].authmetadata = InternalApplicationAuthMetadata(self._config.get('sa_auth'))
+
+
+class InternalApplicationAuthMetadata(TGAuthMetadata):
+    def __init__(self, sa_auth):
+        self.sa_auth = sa_auth
+
+    def authenticate(self, environ, identity):
+        user = self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(
+            self.sa_auth.user_class.is_active == True,
+            self.sa_auth.user_class.email == identity['login']
+        )).first()
+
+        if user and user.validate_password(identity['password']):
+            return identity['login']
+
+    def get_user(self, identity, userid):
+        return self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(
+            and_(self.sa_auth.user_class.is_active == True, self.sa_auth.user_class.email == userid)).first()
+
+    def get_groups(self, identity, userid):
+        return [g.group_name for g in identity['user'].groups]
+
+    def get_permissions(self, identity, userid):
+        return [p.permission_name for p in identity['user'].permissions]

tracim/tracim/lib/auth/ldap.py

+# -*- coding: utf-8 -*-
+import transaction
+from tg.configuration.auth import TGAuthMetadata
+from who_ldap import LDAPAttributesPlugin as BaseLDAPAttributesPlugin, make_connection
+from who_ldap import LDAPGroupsPlugin as BaseLDAPGroupsPlugin
+from who_ldap import LDAPSearchAuthenticatorPlugin as BaseLDAPSearchAuthenticatorPlugin
+
+from tracim.lib.auth.base import Auth
+from tracim.lib.exception import ConfigurationError
+from tracim.lib.helpers import ini_conf_to_bool
+from tracim.lib.user import UserApi
+from tracim.model import DBSession, User
+
+
+class LDAPAuth(Auth):
+    """
+    LDAP auth management.
+
+    """
+    name = 'ldap'
+    _internal = False
+
+    def __init__(self, config):
+        super().__init__(config)
+        self.ldap_auth = self._get_ldap_auth()
+        self.ldap_user_provider = self._get_ldap_user_provider()
+        if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
+            self.ldap_groups_provider = self._get_ldap_groups_provider()
+        self._managed_fields = self.ldap_user_provider.local_fields
+
+    def feed_config(self):
+        super().feed_config()
+        self._config['auth_backend'] = 'ldapauth'
+        self._config['sa_auth'].authenticators = [('ldapauth', self.ldap_auth)]
+
+        mdproviders = [('ldapuser', self.ldap_user_provider)]
+        if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
+            raise ConfigurationError("ldap_group_enabled is not yet available")
+            mdproviders.append(('ldapgroups', self.ldap_groups_provider))
+        self._config['sa_auth'].mdproviders = mdproviders
+
+        self._config['sa_auth'].authmetadata = LDAPApplicationAuthMetadata(self._config.get('sa_auth'))
+
+    def _get_ldap_auth(self):
+        auth_plug = LDAPSearchAuthenticatorPlugin(
+            url=self._config.get('ldap_url'),
+            base_dn=self._config.get('ldap_base_dn'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            returned_id='login',
+            # the LDAP attribute that holds the user name:
+            naming_attribute=self._config.get('ldap_naming_attribute'),
+            start_tls=ini_conf_to_bool(self._config.get('ldap_tls', False)),
+        )
+        auth_plug.set_auth(self)
+        return auth_plug
+
+    def _get_ldap_user_provider(self):
+        return LDAPAttributesPlugin(
+            url=self._config.get('ldap_url'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            name='user',
+            # map from LDAP attributes to TurboGears user attributes:
+            attributes=self._config.get('ldap_user_attributes', 'mail=email'),
+            flatten=True,
+            start_tls=ini_conf_to_bool(self._config.get('ldap_tls', False)),
+        )
+
+    def _get_ldap_groups_provider(self):
+        return LDAPGroupsPlugin(
+            url=self._config.get('ldap_url'),
+            base_dn=self._config.get('ldap_base_dn'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            filterstr=self._config.get('ldap_group_filter', '(&(objectClass=group)(member=%(dn)s))'),
+            name='groups',
+            start_tls=ini_conf_to_bool(self._config.get('ldap_tls', False)),
+        )
+
+
+class LDAPSearchAuthenticatorPlugin(BaseLDAPSearchAuthenticatorPlugin):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth = None
+        self._user_api = UserApi(None)
+
+    def set_auth(self, auth):
+        self._auth = auth
+
+    def authenticate(self, environ, identity):
+        # Note: super().authenticate return None if already authenticated or not found
+        email = super().authenticate(environ, identity)
+        if email:
+            self._sync_ldap_user(email, environ, identity)
+        return email
+
+    def _sync_ldap_user(self, email, environ, identity):
+        # Create or get user for connected email
+        if not self._user_api.user_with_email_exists(email):
+            user = User(email=email, imported_from=LDAPAuth.name)
+            DBSession.add(user)
+        else:
+            user = self._user_api.get_one_by_email(email)
+
+        # Retrieve ldap user attributes
+        self._auth.ldap_user_provider.add_metadata_for_auth(environ, identity)
+
+        # Update user with ldap attributes
+        user_ldap_values = identity.get('user').copy()
+        for field_name in user_ldap_values:
+            setattr(user, field_name, user_ldap_values[field_name])
+
+        DBSession.flush()
+        transaction.commit()
+
+    def user_exist(self, email):
+        with make_connection(self.url, self.bind_dn, self.bind_pass) as conn:
+            if self.start_tls:
+                conn.start_tls()
+
+            if not conn.bind():
+                return False
+
+            search = self.search_pattern % email
+            conn.search(self.base_dn, search, self.search_scope)
+
+            if len(conn.response) > 0:
+                return True
+
+            return False
+
+
+class LDAPApplicationAuthMetadata(TGAuthMetadata):
+
+    def __init__(self, config):
+        self.sa_auth = config.get('sa_auth')
+        self._config = config
+
+    def get_user(self, identity, userid):
+        return identity.get('user')
+
+    def get_groups(self, identity, userid):
+        if not ini_conf_to_bool(self._config.get('ldap_group_enabled')):
+
+            # TODO - B.S. - 20160212: récupérer identity['user'].groups directement produit
+            # Parent instance XXX is not bound to a Session. Voir avec Damien.
+            user = DBSession.query(User).filter(User.email == identity['user'].email).one()
+            return [g.group_name for g in user.groups]
+
+            return [g.group_name for g in identity['user'].groups]
+        else:
+            raise NotImplementedError()
+
+    def get_permissions(self, identity, userid):
+        if not ini_conf_to_bool(self._config.get('ldap_group_enabled')):
+
+            # TODO - B.S. - 20160212: récupérer identity['user'].groups directement produit
+            # Parent instance XXX is not bound to a Session. Voir avec Damien.
+            user = DBSession.query(User).filter(User.email == identity['user'].email).one()
+            return [p.permission_name for p in user.permissions]
+
+            return [p.permission_name for p in identity['user'].permissions]
+        else:
+            raise NotImplementedError()
+
+
+class LDAPGroupsPlugin(BaseLDAPGroupsPlugin):
+
+    def add_metadata(self, environ, identity):
+        super().add_metadata(environ, identity)
+        groups_names = identity[self.name]
+        raise NotImplementedError()  # Should sync groups etc ...
+
+
+class LDAPAttributesPlugin(BaseLDAPAttributesPlugin):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._user_api = UserApi(None)
+
+    def add_metadata(self, environ, identity):
+        # We disable metadata recuperation, we do it at connection in LDAPSearchAuthenticatorPlugin._sync_ldap_user
+        return
+
+    def add_metadata_for_auth(self, environ, identity):
+        super().add_metadata(environ, identity)
+
+    @property
+    def local_fields(self):
+        """
+        :return: list of ldap side managed field names
+        """
+        return list(self._attributes_map.values())

tracim/tracim/lib/auth/wrapper.py

+# -*- coding: utf-8 -*-
+from tracim.lib.auth.internal import InternalAuth
+from tracim.lib.auth.ldap import LDAPAuth
+
+
+class AuthConfigWrapper(object):
+
+    # TODO: Dynamic load, like plugins ?
+    AUTH_CLASSES = (InternalAuth, LDAPAuth)
+
+    @classmethod
+    def wrap(cls, config):
+        auth_class = cls._get_auth_class(config)
+        config['auth_instance'] = auth_class(config)
+        config['auth_instance'].feed_config()
+
+    @classmethod
+    def _get_auth_class(cls, config):
+        for auth_class in cls.AUTH_CLASSES:
+            if auth_class.name is NotImplemented:
+                raise Exception("\"name\" attribute of %s is required" % str(auth_class))
+            if config.get('auth_type') == auth_class.name:
+                return auth_class
+        raise Exception("No auth config wrapper found for \"%s\" auth_type config" % config.get('auth_type'))

tracim/tracim/lib/base.py

         tmpl_context.identity = request.identity
         return TGController.__call__(self, environ, context)
 
+    def _before(self, *args, **kwargs):
+        tmpl_context.auth_is_internal = tg.config.get('auth_is_internal', True)
+        tmpl_context.auth_instance = tg.config.get('auth_instance')
+
     @property
     def parent_controller(self):
         possible_parent = None

tracim/tracim/lib/exception.py

+# -*- coding: utf-8 -*-
+
+
+class TracimError(Exception):
+    pass
+
+
+class ConfigurationError(TracimError):
+    pass
+
+
+class AlreadyExistError(TracimError):
+    pass
+
+
+class CommandError(TracimError):
+    pass
+
+
+class CommandAbortedError(CommandError):
+    pass

tracim/tracim/lib/group.py

 
     def get_one(self, group_id) -> Group:
         return self._base_query().filter(Group.group_id==group_id).one()
+
+    def get_one_with_name(self, group_name) -> Group:
+        return self._base_query().filter(Group.group_name==group_name).one()

tracim/tracim/lib/helpers.py

             result += '…'
 
     return result
+
+
+def ini_conf_to_bool(value):
+    """
+    Depending INI file interpreter, False values are simple parsed as string,
+    so use this function to consider them as boolean
+    :param value: value of ini parameter
+    :return: bollean value
+    """
+    if value in ('False', 'false', '0', 'off', 'no'):
+        return False
+    return bool(value)
+
+
+def is_user_externalized_field(field_name):
+    if not tg.config.get('auth_instance').is_internal:
+        return field_name in tg.config.get('auth_instance').managed_fields
+    return False

tracim/tracim/lib/user.py

     def get_one_by_email(self, email: str):
         return self._base_query().filter(User.email==email).one()
 
-    def update(self, user: User, name: str, email: str, do_save):
-        user.display_name = name
-        user.email = email
+    def update(self, user: User, name: str=None, email: str=None, do_save=True):
+        if name is not None:
+            user.display_name = name
+
+        if email is not None:
+            user.email = email
+
         if do_save:
             self.save(user)
 

tracim/tracim/model/auth.py

     _password = Column('password', Unicode(128))
     created = Column(DateTime, default=datetime.now)
     is_active = Column(Boolean, default=True, nullable=False)
+    imported_from = Column(Unicode(32), nullable=True)
 
     @hybrid_property
     def email_address(self):

tracim/tracim/public/assets/css/dashboard.css

 
 .panel-heading > h3 { font-size: 1.5em;}
 
-hr.t-toolbar-btn-group-separator { border-color: #CCC; border-style: dotted; }
+hr.t-toolbar-btn-group-separator { border-color: #CCC; border-style: dotted; }
+
+span.info.readonly {
+    font-size: 0.8em;
+    opacity: 0.7;
+}

tracim/tracim/templates/index.mak

                                 <button type="submit" class="btn btn-small btn-success text-right">
                                     <i class="fa fa-check"></i> ${_('Login')}
                                 </button>
-                                % if CFG.EMAIL_NOTIFICATION_ACTIVATED:
+                                % if CFG.EMAIL_NOTIFICATION_ACTIVATED and tmpl_context.auth_is_internal:
                                     <div class="pull-left">
                                         <a class="btn btn-link" href="${tg.url('/reset_password')}"><i class="fa fa-magic"></i> ${_('Forgot password?')}</a>
                                     </div>

tracim/tracim/templates/user_toolbars.mak

                 endif
             %>
         <a title="${_('Edit current user')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-modal-dialog" data-remote="${user_edit_url}" >${ICON.FA('fa-edit t-less-visible')} ${_('Edit user')}</a>
-            <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+
+            % if tmpl_context.auth_is_internal:
+                <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+            % endif
+
         </div>
         <p></p>
         % if current_user.profile.id>2 and current_user.id!=user.id:
                 user_edit_url = tg.url('/user/{}/edit'.format(current_user.id), {'next_url': '/home'})
                 user_password_edit_url = tg.url('/user/{}/password/edit'.format(current_user.id))
             %>
-            <a title="${_('Edit my profile')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-modal-dialog" data-remote="${user_edit_url}" >${ICON.FA('fa-edit t-less-visible')} ${_('Edit my profile')}</a>
-            <a title="${_('Change password')}" class="btn btn-default" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+            <a title="${_('Edit my profile')}" class="btn btn-default edit-profile-btn" data-toggle="modal" data-target="#user-edit-modal-dialog" data-remote="${user_edit_url}" >${ICON.FA('fa-edit t-less-visible')} ${_('Edit my profile')}</a>
+
+            % if tmpl_context.auth_is_internal:
+                <a title="${_('Change password')}" class="btn btn-default change-password-btn" data-toggle="modal" data-target="#user-edit-password-modal-dialog" data-remote="${user_password_edit_url}" >${ICON.FA('fa-key t-less-visible')} ${_('Password')}</a>
+            % endif
+
         </div>
         <p></p>
         <h3 class="t-spacer-above" style="margin-top: 1em;">

tracim/tracim/templates/user_workspace_forms.mak

         <div class="modal-body">
             <div class="form-group">
                 <label for="name">${_('Name')}</label>
-                <input name="name" type="text" class="form-control" id="name" placeholder="${_('Name')}" value="${user.name}">
+                % if h.is_user_externalized_field('name'):
+                    <span class="info readonly">${_('This information is managed by an external application')}</span>
+                % endif
+                <input name="name" type="text" class="form-control" id="name" placeholder="${_('Name')}" value="${user.name}" ${'readonly="readonly"' if h.is_user_externalized_field('name') else '' | n}>
             </div>
             <div class="form-group">
                 <label for="email">${_('Email')}</label>
-                <input name="email" type="text" class="form-control" id="email" placeholder="${_('Name')}" value="${user.email}">
+                % if h.is_user_externalized_field('email'):
+                    <span class="info readonly">${_('This information is managed by an external application')}</span>
+                % endif
+                <input name="email" type="text" class="form-control" id="email" placeholder="${_('Name')}" value="${user.email}" ${'readonly="readonly"' if h.is_user_externalized_field('email') else '' | n}>
             </div>
         </div>
         <div class="modal-footer">

tracim/tracim/tests/__init__.py

 # -*- coding: utf-8 -*-
 """Unit and functional test suite for tracim."""
+import argparse
+import os
+from os import getcwd
 
-from os import getcwd, path
-
-from paste.deploy import loadapp
-from webtest import TestApp
-
-from gearbox.commands.setup_app import SetupAppCommand
-
+import ldap3
 import tg
-from tg import config
-from tg.util import Bunch
-
+import time
+import transaction
+from gearbox.commands.setup_app import SetupAppCommand
+from ldap_test import LdapServer
+from nose.tools import ok_
+from paste.deploy import loadapp
 from sqlalchemy.engine import reflection
-
 from sqlalchemy.schema import DropConstraint
 from sqlalchemy.schema import DropSequence
 from sqlalchemy.schema import DropTable
 from sqlalchemy.schema import MetaData
 from sqlalchemy.schema import Sequence
 from sqlalchemy.schema import Table
+from tg import config
+from tg.util import Bunch
+from webtest import TestApp as BaseTestApp, AppError
+from who_ldap import make_connection
 
-import transaction
-
+from tracim.fixtures import FixturesLoader
+from tracim.fixtures.users_and_groups import Base as BaseFixture
 from tracim.lib.base import logger
+from tracim.model import DBSession
 
 __all__ = ['setup_app', 'setup_db', 'teardown_db', 'TestController']
 
 application_name = 'main_without_authn'
 
 
+class TestApp(BaseTestApp):
+    def _check_status(self, status, res):
+        """ Simple override to print html content when error"""
+        try:
+            super()._check_status(status, res)
+        except AppError as exc:
+            dump_file_path = "/tmp/debug_%d_%s.html" % (time.time() * 1000, res.request.path_qs[1:])
+            if os.path.exists("/tmp"):
+                with open(dump_file_path, 'w') as dump_file:
+                    print(res.ubody, file=dump_file)
+                # Update exception message with info about this dumped file
+                exc.args = ('%s html error file dump in %s' % (exc.args[0], dump_file_path), ) + exc.args[1:]
+            raise exc
+
+
 def load_app(name=application_name):
     """Load the test application."""
     return TestApp(loadapp('config:test.ini#%s' % name, relative_to=getcwd()))
 class TestStandard(object):
 
     application_under_test = application_name
+    fixtures = [BaseFixture, ]
 
     def setUp(self):
         self.app = load_app(self.application_under_test)
         setup_db()
         logger.debug(self, 'Start Database Setup... -> done')
 
+        logger.debug(self, 'Load extra fixtures...')
+        fixtures_loader = FixturesLoader([BaseFixture])  # BaseFixture is already loaded in bootstrap
+        fixtures_loader.loads(self.fixtures)
+        logger.debug(self, 'Load extra fixtures... -> done')
+
         self.app.get('/_test_vars')  # Allow to create fake context
         tg.i18n.set_lang('en')  # Set a default lang
 
     def tearDown(self):
         transaction.commit()
 
+
+class TestCommand(TestStandard):
+    def _execute_command(self, command_class, command_name, sub_argv):
+        parser = argparse.ArgumentParser()
+        command = command_class(self.app, parser)
+        command.auto_setup_app = False
+        cmd_parser = command.get_parser(command_name)
+        parsed_args = cmd_parser.parse_args(sub_argv)
+        return command.run(parsed_args)
+
+    def setUp(self):
+        super().setUp()
+        # Ensure app config is loaded
+        self.app.get('/_test_vars')
+
+
 class TestController(object):
     """Base functional test case for the controllers.
 
     """
 
     application_under_test = application_name
+    fixtures = [BaseFixture, ]
 
     def setUp(self):
         """Setup test fixture for each functional test method."""
         setup_app(section_name=self.application_under_test)
         setup_db()
 
+        fixtures_loader = FixturesLoader([BaseFixture])  # BaseFixture is already loaded in bootstrap
+        fixtures_loader.loads(self.fixtures)
+
 
     def tearDown(self):
         """Tear down test fixture for each functional test method."""
-        # model.DBSession.remove()
+        DBSession.close()
         teardown_db()
+
+
+class TracimTestController(TestController):
+
+    def _connect_user(self, login, password):
+        # Going to the login form voluntarily:
+        resp = self.app.get('/', status=200)
+        form = resp.form
+        # Submitting the login form:
+        form['login'] = login
+        form['password'] = password
+        return form.submit(status=302)
+
+
+class LDAPTest(object):
+
+    """
+    Server fixtures, see https://github.com/zoldar/python-ldap-test
+    """
+    ldap_server_data = NotImplemented
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._ldap_test_server = None
+        self._ldap_connection = None
+
+    def setUp(self):
+        super().setUp()
+        self._ldap_test_server = LdapServer(self.ldap_server_data)
+        self._ldap_test_server.start()
+        ldap3_server = ldap3.Server('localhost', port=self._ldap_test_server.config['port'])
+        self._ldap_connection = ldap3.Connection(
+            ldap3_server,
+            user=self._ldap_test_server.config['bind_dn'],
+            password=self._ldap_test_server.config['password'],
+            auto_bind=True
+        )
+
+    def tearDown(self):
+        super().tearDown()
+        self._ldap_test_server.stop()
+
+    def test_ldap_connectivity(self):
+        with make_connection(
+                'ldap://%s:%d' % ('localhost', self._ldap_test_server.config['port']),
+                self._ldap_test_server.config['bind_dn'],
+                'toor'
+        ) as conn:
+            if not conn.bind():
+                ok_(False, "Cannot establish connection with LDAP test server")
+            else:
+                ok_(True)
+
+
+class ArgumentParser(argparse.ArgumentParser):
+    def exit(self, status=0, message=None):
+        raise Exception(message)

tracim/tracim/tests/command/commands.py

+# -*- coding: utf-8 -*-
+import os
+import subprocess
+
+from nose.tools import ok_
+
+import tracim
+
+
+class TestCommands(object):
+    def test_commands(self):
+        """
+        Test listing of gearbox command: Tracim commands must be listed
+        :return:
+        """
+        os.chdir(os.path.dirname(tracim.__file__) + '/../')
+
+        output = subprocess.check_output(["gearbox", "-h"])
+        output = output.decode('utf-8')
+
+        ok_(output.find('not a command') == -1)
+
+        ok_(output.find('serve') > 0)
+
+        ok_(output.find('ldap server') > 0)
+        ok_(output.find('user create') > 0)
+        ok_(output.find('user update') > 0)

tracim/tracim/tests/command/user.py

+from nose.tools import eq_
+from nose.tools import ok_
+
+from tracim.command.user import CreateUserCommand, UpdateUserCommand
+from tracim.model import DBSession, Group
+from tracim.model.auth import User
+from tracim.tests import TestCommand
+
+
+class TestUserCommand(TestCommand):
+
+    def test_create(self):
+        self._create_user('new-user@algoo.fr', 'toor')
+
+    def test_update_password(self):
+        self._create_user('new-user@algoo.fr', 'toor')
+        self._execute_command(
+            CreateUserCommand,
+            'gearbox user update',
+            ['-l', 'new-user@algoo.fr', '-p', 'new_password']
+        )
+        user = DBSession.query(User).filter(User.email == 'new-user@algoo.fr').one()
+        user.validate_password('new_password')
+
+    def test_create_with_group(self):
+        more_args = ['--add-to-group', 'managers', '--add-to-group', 'administrators']
+        self._create_user('new-user@algoo.fr', 'toor', more_args=more_args)
+        user = DBSession.query(User).filter(User.email == 'new-user@algoo.fr').one()
+        group_managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        group_administrators = DBSession.query(Group).filter(Group.group_name == 'administrators').one()
+
+        ok_(user in group_managers.users)
+        ok_(user in group_administrators.users)
+
+    def test_change_groups(self):
+        # create an user in managers group
+        more_args = ['--add-to-group', 'managers']
+        self._create_user('new-user@algoo.fr', 'toor', more_args=more_args)
+        user = DBSession.query(User).filter(User.email == 'new-user@algoo.fr').one()
+        group_managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        group_administrators = DBSession.query(Group).filter(Group.group_name == 'administrators').one()
+
+        ok_(user in group_managers.users)
+        ok_(user not in group_administrators.users)
+
+        # Update him and add to administrators group
+        add_to_admins_argvs = ['-l', 'new-user@algoo.fr', '--add-to-group', 'administrators']
+        self._execute_command(UpdateUserCommand, 'gearbox user update', add_to_admins_argvs)
+        user = DBSession.query(User).filter(User.email == 'new-user@algoo.fr').one()
+        group_managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        group_administrators = DBSession.query(Group).filter(Group.group_name == 'administrators').one()
+
+        ok_(user in group_managers.users)
+        ok_(user in group_administrators.users)
+
+        # remove him from administrators group
+        remove_from_admins_argvs = ['-l', 'new-user@algoo.fr', '--remove-from-group', 'administrators']
+        self._execute_command(UpdateUserCommand, 'gearbox user update', remove_from_admins_argvs)
+        user = DBSession.query(User).filter(User.email == 'new-user@algoo.fr').one()
+        group_managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        group_administrators = DBSession.query(Group).filter(Group.group_name == 'administrators').one()
+
+        ok_(user in group_managers.users)
+        ok_(user not in group_administrators.users)
+
+    def _create_user(self, email, password, more_args=[]):
+        args = ['-l', email, '-p', password]
+        args.extend(more_args)
+
+        self._check_user_exist(email, exist=False)
+        self._execute_command(CreateUserCommand, 'gearbox user create', args)
+        self._check_user_exist(email, exist=True)
+
+        user = DBSession.query(User).filter(User.email == email).one()
+        user.validate_password(password)
+
+    @staticmethod
+    def _check_user_exist(email, exist=True):
+        eq_(exist, bool(DBSession.query(User).filter(User.email == email).count()))
+

tracim/tracim/tests/command/user_ldap.py

+from nose.tools import eq_, raises
+from nose.tools import ok_
+
+from tracim.command.user import CreateUserCommand, LDAPUserUnknown
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from tracim.lib.exception import CommandAbortedError
+from tracim.tests import TestCommand, LDAPTest
+
+
+class TestLDAPUserCommand(LDAPTest, TestCommand):
+    """
+    Test LDAP user verification when execute command
+    """
+    application_under_test = 'ldap'
+    ldap_server_data = ldap_test_server_fixtures
+
+    @raises(LDAPUserUnknown)
+    def test_user_not_in_ldap(self):
+        self._execute_command(
+            CreateUserCommand,
+            'gearbox user create',
+            ['-l', 'unknown-user@fsf.org', '-p', 'foo', '--raise']
+        )
+
+    def test_user_in_ldap(self):
+        try:
+            self._execute_command(
+                CreateUserCommand,
+                'gearbox user create',
+                ['-l', 'richard-not-real-email@fsf.org', '-p', 'foo', '--raise']
+            )
+        except LDAPUserUnknown:
+            ok_(False, "Command should not raise LDAPUserUnknown exception")

tracim/tracim/tests/functional/test_ldap_authentication.py

+# -*- coding: utf-8 -*-
+"""
+Integration tests for the ldap authentication sub-system.
+"""
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from nose.tools import eq_, ok_
+
+from tracim.fixtures.users_and_groups import Test as TestFixture
+from tracim.model import DBSession, User
+from tracim.tests import LDAPTest, TracimTestController
+
+
+class TestAuthentication(LDAPTest, TracimTestController):
+    application_under_test = 'ldap'
+    ldap_server_data = ldap_test_server_fixtures
+    fixtures = [TestFixture, ]
+
+    def test_ldap_auth_fail_no_account(self):
+        # User is unknown in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'unknown-user@fsf.org').count())
+
+        self._connect_user('unknown-user@fsf.org', 'no-pass')
+
+        # User is registered in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'unknown-user@fsf.org').count())
+
+    def test_ldap_auth_fail_wrong_pass(self):
+        # User is unknown in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+
+        self._connect_user('richard-not-real-email@fsf.org', 'wrong-pass')
+
+        # User is registered in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+
+    def test_ldap_auth_sync(self):
+        # User is unknown in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+
+        self._connect_user('richard-not-real-email@fsf.org', 'rms')
+
+        # User is registered in tracim database
+        eq_(1, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+
+    def test_ldap_attributes_sync(self):
+        # User is already know in database
+        eq_(1, DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').count())
+
+        # His display name is Lawrence L.
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        eq_('Lawrence L.', lawrence.display_name)
+
+        # After connexion with LDAP, his display_name is updated (see ldap fixtures)
+        self._connect_user('lawrence-not-real-email@fsf.org', 'foobarbaz')
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        eq_('Lawrence Lessig', lawrence.display_name)

tracim/tracim/tests/functional/test_ldap_restrictions.py

+# -*- coding: utf-8 -*-
+from collections import OrderedDict
+
+from bs4 import BeautifulSoup
+from nose.tools import eq_, ok_
+
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from tracim.fixtures.users_and_groups import Test as TestFixture
+from tracim.lib.base import current_user
+from tracim.model import DBSession, User
+from tracim.tests import LDAPTest, TracimTestController
+
+
+class TestAuthentication(LDAPTest, TracimTestController):
+    application_under_test = 'ldap'
+    ldap_server_data = ldap_test_server_fixtures
+    fixtures = [TestFixture, ]
+
+    def test_password_disabled(self):
+        """
+        Password change is disabled
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        self._connect_user('lawrence-not-real-email@fsf.org', 'foobarbaz')
+        home = self.app.get('/home/',)
+
+        # HTML button is not here
+        eq_(None, BeautifulSoup(home.body).find(attrs={'class': 'change-password-btn'}))
+
+        # If we force passwd update, we got 403
+        try_post_passwd = self.app.post(
+            '/user/%d/password?_method=PUT' % lawrence.user_id,
+            OrderedDict([
+                ('current_password', 'fooobarbaz'),
+                ('new_password1', 'foobar'),
+                ('new_password2', 'foobar'),
+            ]),
+            expect_errors=403
+        )
+        eq_(try_post_passwd.status_code, 403, "Code should be 403, but is %d" % try_post_passwd.status_code)
+
+    def test_fields_disabled(self):
+        """
+        Some fields (email) are not editable on user interface: they are managed by LDAP
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        self._connect_user('lawrence-not-real-email@fsf.org', 'foobarbaz')
+
+        edit = self.app.get('/user/5/edit')
+
+        # email input field is disabled
+        email_input = BeautifulSoup(edit.body).find(attrs={'id': 'email'})
+        ok_('readonly' in email_input.attrs)
+        eq_(email_input.attrs['readonly'], "readonly")
+
+        # Name is not (see attributes configuration of LDAP fixtures)
+        name_input = BeautifulSoup(edit.body).find(attrs={'id': 'name'})
+        ok_('readonly' not in name_input.attrs)
+
+        # If we force edit of user, "email" field will be not updated
+        eq_(lawrence.email, 'lawrence-not-real-email@fsf.org')
+        eq_(lawrence.display_name, 'Lawrence L.')
+
+        try_post_user = self.app.post(
+            '/user/%d?_method=PUT' % lawrence.user_id,
+            OrderedDict([
+                ('name', 'Lawrence Lessig YEAH'),
+                ('email', 'An-other-email@fsf.org'),
+            ])
+        )
+
+        eq_(try_post_user.status_code, 302, "Code should be 302, but is %d" % try_post_user.status_code)
+
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        eq_(lawrence.email, 'lawrence-not-real-email@fsf.org', "email should be unmodified")
+        eq_(lawrence.display_name, 'Lawrence Lessig YEAH', "Name should be updated")

tracim/tracim/tests/library/test_ldap_without_ldap_groups.py

+# -*- coding: utf-8 -*-
+from nose.tools import eq_
+from tg import config
+
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from tracim.fixtures.users_and_groups import Test as TestFixtures
+from tracim.lib.auth.ldap import LDAPAuth
+from tracim.lib.helpers import ini_conf_to_bool
+from tracim.model import DBSession, User, Group
+from tracim.tests import LDAPTest, TestStandard
+
+
+class TestContentApi(LDAPTest, TestStandard):
+    """
+    This test load test.ini app:ldap config. LDAP groups management must be disabled in this config.
+    """
+    application_under_test = 'ldap'
+    ldap_server_data = ldap_test_server_fixtures
+    fixtures = [TestFixtures]
+
+    def _check_db_user(self, email, count=1):
+        eq_(count, DBSession.query(User).filter(User.email == email).count())
+
+    def test_authenticate_success(self):
+        """
+        LDAP Auth success
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'richard-not-real-email@fsf.org', 'password': 'rms'}
+
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id == 'richard-not-real-email@fsf.org'
+        self._check_db_user('richard-not-real-email@fsf.org', 1)
+
+    def test_authenticate_fail_wrong_pass(self):
+        """
+        LDAP Auth fail: wrong password
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'richard-not-real-email@fsf.org', 'password': 'wrong pass'}
+
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id is None
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+
+    def test_authenticate_fail_wrong_login(self):
+        """
+        LDAP Auth fail: wrong email
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'wrong-email@fsf.org', 'password': 'rms'}
+
+        self._check_db_user('wrong-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id is None
+        self._check_db_user('wrong-email@fsf.org', 0)
+
+    def test_internal_groups(self):
+        """
+        LDAP don't manage groups here: We must retrieve internal groups of tested user
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        lawrence_identity = {'user': lawrence}
+
+        # Lawrence is in fixtures: he is in managers group
+        self._check_db_user('lawrence-not-real-email@fsf.org', 1)
+        assert lawrence in managers.users
+        assert False is ini_conf_to_bool(config.get('ldap_group_enabled', False))
+        assert ['managers'] == config.get('sa_auth').authmetadata.get_groups(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+
+        should_groups = ['managers']
+        are_groups = config.get('sa_auth').authmetadata.get_groups(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+        eq_(should_groups,
+            are_groups,
+            "Permissions should be %s, they are %s" % (should_groups, are_groups))
+
+    def test_internal_permissions(self):
+        """
+        LDAP don't manage groups here: We must retrieve internal groups permission of tested user
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        lawrence_identity = {'user': lawrence}
+
+        # Lawrence is in fixtures: he is in managers group
+        self._check_db_user('lawrence-not-real-email@fsf.org', 1)
+        assert lawrence in managers.users
+        assert False is ini_conf_to_bool(config.get('ldap_group_enabled', False))
+
+        should_permissions = []  # Actually there is no permission
+        are_permissions = config.get('sa_auth').authmetadata.get_permissions(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+        eq_(should_permissions,
+            are_permissions,
+            "Permissions should be %s, they are %s" % (should_permissions, are_permissions))
+

tracim/tracim/websetup/bootstrap.py

 """Setup the tracim application"""
 from __future__ import print_function
 
-import logging
-from tg import config
-from tracim import model
 import transaction
 
+from tracim.fixtures import FixturesLoader
+from tracim.fixtures.users_and_groups import Base as BaseFixture
+
+
 def bootstrap(command, conf, vars):
     """Place any commands to setup tracim here"""
 
     # <websetup.bootstrap.before.auth
     from sqlalchemy.exc import IntegrityError
     try:
-        u = model.User()
-        u.display_name = 'Global manager'
-        u.email = 'admin@admin.admin'
-        u.password = 'admin@admin.admin'
-        model.DBSession.add(u)
-
-        g1 = model.Group()
-        g1.group_id = 1
-        g1.group_name = 'users'
-        g1.display_name = 'Users'
-        g1.users.append(u)
-        model.DBSession.add(g1)
-
-        g2 = model.Group()
-        g2.group_id = 2
-        g2.group_name = 'managers'
-        g2.display_name = 'Global Managers'
-        g2.users.append(u)
-        model.DBSession.add(g2)
-
-        g3 = model.Group()
-        g3.group_id = 3
-        g3.group_name = 'administrators'
-        g3.display_name = 'Administrators'
-        g3.users.append(u)
-        model.DBSession.add(g3)
-
-        model.DBSession.flush()
-        transaction.commit()
-
+        fixtures_loader = FixturesLoader()
+        fixtures_loader.loads([BaseFixture])
     except IntegrityError:
         print('Warning, there was a problem adding your auth data, it may have already been added:')
         import traceback

tracim/tracim/websetup/schema.py

     display_name character varying(255),
     password character varying(128),
     created timestamp without time zone,
-    is_active boolean DEFAULT true NOT NULL
+    is_active boolean DEFAULT true NOT NULL,
+    imported_from character varying(32)
 );
 
 CREATE TABLE user_group (