ldap support, dev.

install/requirements.txt

@@ -13,7 +13,7 @@ WebOb==1.6.0a0
 WebTest==1.4.2
 alembic==0.8.4
 argparse==1.2.1
-backlash==0.0.6
+backlash==0.0.7
 beautifulsoup4==4.3.2
 cliff==1.8.0
 cmd2==0.6.7
@@ -47,3 +47,5 @@ zope.interface==4.1.3
 zope.sqlalchemy==0.7.6
 tgapp-resetpassword==0.1.3
 lxml
+python-ldap-test==0.2.0
+who-ldap==3.1.0

tracim/migration/versions/b73e57760b36_add_user_field_for_imported_profiles.py

@@ -0,0 +1,22 @@
+"""Add User field for imported profiles
+
+Revision ID: b73e57760b36
+Revises: 43a323cc661
+Create Date: 2016-02-09 11:00:22.694054
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'b73e57760b36'
+down_revision = '43a323cc661'
+
+import sqlalchemy as sa
+from alembic import op
+
+
+def upgrade():
+    op.add_column('users', sa.Column('imported_from', sa.Unicode(length=32), nullable=True))
+
+
+def downgrade():
+    op.drop_column('users', 'imported_from')

tracim/s.py

@@ -0,0 +1,59 @@
+from time import sleep
+
+from ldap_test import LdapServer
+
+server = LdapServer({
+            'port': 3333,
+            'password': 'toor',
+
+            'bind_dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+            'base': {
+                'objectclass': ['dcObject', 'organization'],
+                'dn': 'dc=directory,dc=fsf,dc=org',
+                'attributes': {
+                    'o': 'Free Software Foundation',
+                    'dc': 'directory'
+                }
+            },
+
+            'entries': [
+                {
+                    'objectclass': ['organizationalRole'],
+                    'dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'cn': 'admin'
+                    }
+                },
+                {
+                    'objectclass': ['organizationalUnit'],
+                    'dn': 'ou=people,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'ou': 'people',
+                    }
+                },
+                {
+                    'objectclass': ['organizationalUnit'],
+                    'dn': 'ou=groups,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'ou': 'groups',
+                    }
+                },
+                {
+                    'objectclass': ['account', 'top'],
+                    'dn': 'cn=richard-not-real-email@fsf.org,ou=people,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'uid': 'richard-not-real-email@fsf.org',
+                        'userPassword': 'rms',
+                        'givenName': 'Richard',
+                        'sn': 'Stallman',
+                        'mail': 'richard-not-real-email@fsf.org'
+                    }
+                },
+            ]
+        })
+
+server.start()
+try:
+    sleep(999999999)
+except KeyboardInterrupt:
+    pass

tracim/setup.py

@@ -39,6 +39,8 @@ install_requires=[
     "sqlalchemy",
     "alembic",
     "repoze.who",
+    "who-ldap==3.1.0",
+    "python-ldap-test==0.2.0",
     ]
 
 setup(

tracim/test.ini

@@ -23,4 +23,13 @@ use = config:development.ini
 use = main
 skip_authentication = True
 
+[app:ldap]
+sqlalchemy.url = postgresql://postgres:dummy@127.0.0.1:5432/tracim_test?client_encoding=utf8
+auth_type = 'ldap'
+ldap_url = 'ldaps://ad.my-company.org'
+ldap_base_dn = 'ou=users,dc=ad,dc=my-company,dc=com'
+ldap_bind_dn = 'cn=bind,cn=users,dc=ad,dc=my-company,dc=com'
+ldap_bind_pass = 'toor2'
+use = config:development.ini
+
 # Add additional test specific configuration options as necessary.

tracim/tracim/config/app_cfg.py

@@ -25,6 +25,7 @@ from tg.i18n import lazy_ugettext as l_
 import tracim
 from tracim import model
 from tracim.lib import app_globals, helpers
+from tracim.lib.auth.wrapper import AuthConfigWrapper
 from tracim.lib.base import logger
 from tracim.model.data import ActionDescription
 from tracim.model.data import ContentType
@@ -72,60 +73,20 @@ base_config['flash.template'] = '''
 # YOU MUST CHANGE THIS VALUE IN PRODUCTION TO SECURE YOUR APP 
 base_config.sa_auth.cookie_secret = "3283411b-1904-4554-b0e1-883863b53080"
 
-base_config.auth_backend = 'sqlalchemy'
+base_config.auth_type = 'ldap'
 
-# what is the class you want to use to search for users in the database
-base_config.sa_auth.user_class = model.User
+# ldap_base_dn = 'ou=users,dc=ad,dc=snake-oil-company,dc=com'
+# ldap_bind_dn = 'cn=bind,cn=users,dc=ad,dc=snake-oil-company,dc=com'
 
-from tg.configuration.auth import TGAuthMetadata
+base_config.ldap_url = 'ldap://localhost:3333'
+base_config.ldap_base_dn = 'dc=directory,dc=fsf,dc=org'
+base_config.ldap_bind_dn = 'cn=admin,dc=directory,dc=fsf,dc=org'
+base_config.ldap_bind_pass = 'toor'
+base_config.ldap_ldap_naming_attribute = 'uid'
+base_config.ldap_user_attributes = 'mail=email'
+base_config.ldap_tls = False
 
-from sqlalchemy import and_
-#This tells to TurboGears how to retrieve the data for your user
-class ApplicationAuthMetadata(TGAuthMetadata):
-
-    def __init__(self, sa_auth):
-        self.sa_auth = sa_auth
-
-    def authenticate(self, environ, identity):
-        user = self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(
-            self.sa_auth.user_class.is_active==True,
-            self.sa_auth.user_class.email==identity['login']
-        )).first()
-
-        if user and user.validate_password(identity['password']):
-            return identity['login']
-    def get_user(self, identity, userid):
-        return self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(self.sa_auth.user_class.is_active==True, self.sa_auth.user_class.email==userid)).first()
-    def get_groups(self, identity, userid):
-        return [g.group_name for g in identity['user'].groups]
-    def get_permissions(self, identity, userid):
-        return [p.permission_name for p in identity['user'].permissions]
-
-base_config.sa_auth.dbsession = model.DBSession
-
-base_config.sa_auth.authmetadata = ApplicationAuthMetadata(base_config.sa_auth)
-
-# You can use a different repoze.who Authenticator if you want to
-# change the way users can login
-#base_config.sa_auth.authenticators = [('myauth', SomeAuthenticator()]
-
-# You can add more repoze.who metadata providers to fetch
-# user metadata.
-# Remember to set base_config.sa_auth.authmetadata to None
-# to disable authmetadata and use only your own metadata providers
-#base_config.sa_auth.mdproviders = [('myprovider', SomeMDProvider()]
-
-# override this if you would like to provide a different who plugin for
-# managing login and logout of your application
-base_config.sa_auth.form_plugin = None
-
-# You may optionally define a page where you want users to be redirected to
-# on login:
-base_config.sa_auth.post_login_url = '/post_login'
-
-# You may optionally define a page where you want users to be redirected to
-# on logout:
-base_config.sa_auth.post_logout_url = '/post_logout'
+AuthConfigWrapper.wrap(base_config)
 
 # INFO - This is the way to specialize the resetpassword email properties
 # plug(base_config, 'resetpassword', None, mail_subject=reset_password_email_subject)

tracim/tracim/lib/auth/__init__.py

@@ -0,0 +1 @@
+from tracim.lib.auth.base import Auth

tracim/tracim/lib/auth/base.py

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+
+
+class Auth:
+
+    name = NotImplemented
+
+    def __init__(self, config):
+        self._config = config
+
+    def wrap_config(self):
+        # override this if you would like to provide a different who plugin for
+        # managing login and logout of your application
+        self._config.sa_auth.form_plugin = None
+
+        # You may optionally define a page where you want users to be redirected to
+        # on login:
+        self._config.sa_auth.post_login_url = '/post_login'
+
+        # You may optionally define a page where you want users to be redirected to
+        # on logout:
+        self._config.sa_auth.post_logout_url = '/post_logout'

tracim/tracim/lib/auth/internal.py

@@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+from sqlalchemy import and_
+from tg.configuration.auth import TGAuthMetadata
+
+from tracim.lib.auth.base import Auth
+from tracim.model import DBSession, User
+
+
+class InternalAuth(Auth):
+
+    name = 'internal'
+
+    def wrap_config(self):
+        super().wrap_config()
+
+        self._config.sa_auth.user_class = User
+        self._config.auth_backend = 'sqlalchemy'
+        self._config.sa_auth.dbsession = DBSession
+        self._config.sa_auth.authmetadata = InternalApplicationAuthMetadata(self._config.sa_auth)
+
+
+class InternalApplicationAuthMetadata(TGAuthMetadata):
+    def __init__(self, sa_auth):
+        self.sa_auth = sa_auth
+
+    def authenticate(self, environ, identity):
+        user = self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(and_(
+            self.sa_auth.user_class.is_active == True,
+            self.sa_auth.user_class.email == identity['login']
+        )).first()
+
+        if user and user.validate_password(identity['password']):
+            return identity['login']
+
+    def get_user(self, identity, userid):
+        return self.sa_auth.dbsession.query(self.sa_auth.user_class).filter(
+            and_(self.sa_auth.user_class.is_active == True, self.sa_auth.user_class.email == userid)).first()
+
+    def get_groups(self, identity, userid):
+        return [g.group_name for g in identity['user'].groups]
+
+    def get_permissions(self, identity, userid):
+        return [p.permission_name for p in identity['user'].permissions]

tracim/tracim/lib/auth/ldap.py

@@ -0,0 +1,135 @@
+# -*- coding: utf-8 -*-
+from tg.configuration.auth import TGAuthMetadata
+from who_ldap import LDAPAttributesPlugin, LDAPGroupsPlugin
+from who_ldap import LDAPSearchAuthenticatorPlugin as BaseLDAPSearchAuthenticatorPlugin
+
+from tracim.lib.auth.base import Auth
+from tracim.lib.user import UserApi
+from tracim.model import auth, DBSession, User
+
+
+class LDAPAuth(Auth):
+    """
+    LDAP auth management.
+    TODO: Group connection
+
+    """
+    name = 'ldap'
+
+    def __init__(self, config):
+        super().__init__(config)
+        self.ldap_auth = self._get_ldap_auth()
+        self.ldap_user_provider = self._get_ldap_user_provider()
+        if self._config.get('ldap_group_enabled', False):
+            self.ldap_groups_provider = self._get_ldap_groups_provider()
+
+    def wrap_config(self):
+        super().wrap_config()
+        self._config.auth_backend = 'ldapauth'
+        self._config.sa_auth.authenticators = [('ldapauth', self.ldap_auth)]
+
+        mdproviders = [('ldapuser', self.ldap_user_provider)]
+        if self._config.get('ldap_group_enabled', False):
+            mdproviders.append(('ldapgroups', self.ldap_groups_provider))
+        self._config.sa_auth.mdproviders = mdproviders
+
+        self._config.sa_auth.authmetadata = LDAPApplicationAuthMetadata(self._config.sa_auth)
+
+    def _get_ldap_auth(self):
+        auth_plug = LDAPSearchAuthenticatorPlugin(
+            url=self._config.get('ldap_url'),
+            base_dn=self._config.get('ldap_base_dn'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            returned_id='login',
+            # the LDAP attribute that holds the user name:
+            naming_attribute=self._config.get('ldap_naming_attribute'),
+            start_tls=self._config.get('ldap_tls', False),
+        )
+        auth_plug.set_auth(self)
+        return auth_plug
+
+    def _get_ldap_user_provider(self):
+        return LDAPAttributesPlugin(
+            url=self._config.get('ldap_url'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            name='user',
+            # map from LDAP attributes to TurboGears user attributes:
+            attributes=self._config.get('ldap_user_attributes', 'mail=email'),
+            flatten=True,
+            start_tls=self._config.get('ldap_tls', False)
+        )
+
+    def _get_ldap_groups_provider(self):
+        return LDAPGroupsPlugin(
+            url=self._config.get('ldap_url'),
+            base_dn=self._config.get('ldap_base_dn'),
+            bind_dn=self._config.get('ldap_bind_dn'),
+            bind_pass=self._config.get('ldap_bind_pass'),
+            filterstr=self._config.get('ldap_group_filter', '(&(objectClass=group)(member=%(dn)s))'),
+            name='groups',
+            start_tls=self._config.get('ldap_tls', False)
+        )
+
+
+class LDAPSearchAuthenticatorPlugin(BaseLDAPSearchAuthenticatorPlugin):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth = None
+        self._user_api = UserApi(None)
+
+    def set_auth(self, auth):
+        self._auth = auth
+
+    def authenticate(self, environ, identity):
+        # Note: super().authenticate return None if already authenticated or not found
+        email = super().authenticate(environ, identity)
+        if email:
+            self._sync_ldap_user(email)
+        return email
+
+    def _sync_ldap_user(self, email):
+        if not self._user_api.user_with_email_exists(email):
+            user = User(email=email, imported_from=LDAPAuth.name)
+            DBSession.add(user)
+            import transaction
+            transaction.commit()
+
+            # TODO - B.S. - 20160208: Voir avec Damien, si je ne fait pas de transaction.commit()
+            # manuellement la donnée n'est pas en base.
+            # self._user_api.create_user(email=email, save_now=True)
+
+
+class LDAPApplicationAuthMetadata(TGAuthMetadata):
+
+    # map from LDAP group names to TurboGears group names
+    group_map = {'operators': 'managers'}
+
+    # set of permissions for all mapped groups
+    permissions_for_groups = {'managers': {'manage'}}
+
+    def __init__(self, sa_auth):
+        self.sa_auth = sa_auth
+
+    def get_user(self, identity, userid):
+        user = identity.get('user')
+        if user:
+            name = '{email}'.format(**user).strip()
+            user.update(user_name=userid, display_name=name)
+        return user
+
+    def get_groups(self, identity, userid):
+        get_group = self.group_map.get
+        return [get_group(g, g) for g in identity.get('groups', [])]
+
+    def get_permissions_for_group(self, group):
+        return self.permissions_for_groups.get(group, set())
+
+    def get_permissions(self, identity, userid):
+        permissions = set()
+        get_permissions = self.get_permissions_for_group
+        for group in self.get_groups(identity, userid):
+            permissions |= get_permissions(group)
+        return permissions

tracim/tracim/lib/auth/wrapper.py

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+from tracim.lib.auth.internal import InternalAuth
+from tracim.lib.auth.ldap import LDAPAuth
+
+
+class AuthConfigWrapper:
+
+    # TODO: Dynamic load, like plugins ?
+    AUTH_WRAPPERS = (InternalAuth, LDAPAuth)
+    EXTERNAL_AUTHS = (LDAPAuth,)
+
+    @classmethod
+    def wrap(cls, config):
+        wrapper_class = cls._get_wrapper_class(config)
+        wrapper = wrapper_class(config)
+        wrapper.wrap_config()
+        return config
+
+    @classmethod
+    def _get_wrapper_class(cls, config):
+        for wrapper_class in cls.AUTH_WRAPPERS:
+            if wrapper_class.name is NotImplemented:
+                raise Exception("\"name\" attribute of %s is required" % str(wrapper_class))
+            if config.auth_type == wrapper_class.name:
+                return wrapper_class
+        raise Exception("No auth config wrapper found for \"%s\" auth_type config" % config.auth_type)

tracim/tracim/model/auth.py

@@ -119,6 +119,7 @@ class User(DeclarativeBase):
     _password = Column('password', Unicode(128))
     created = Column(DateTime, default=datetime.now)
     is_active = Column(Boolean, default=True, nullable=False)
+    imported_from = Column(Unicode(32), nullable=True)
 
     @hybrid_property
     def email_address(self):

tracim/tracim/tests/__init__.py

@@ -3,6 +3,9 @@
 
 from os import getcwd, path
 
+import ldap3
+from ldap_test import LdapServer
+from nose.tools import ok_
 from paste.deploy import loadapp
 from webtest import TestApp
 
@@ -23,6 +26,7 @@ from sqlalchemy.schema import Sequence
 from sqlalchemy.schema import Table
 
 import transaction
+from who_ldap import make_connection
 
 from tracim.lib.base import logger
 
@@ -191,3 +195,55 @@ class TestController(object):
         """Tear down test fixture for each functional test method."""
         # model.DBSession.remove()
         teardown_db()
+
+
+class TracimTestController(TestController):
+
+    def _connect_user(self, login, password):
+        # Going to the login form voluntarily:
+        resp = self.app.get('/', status=200)
+        form = resp.form
+        # Submitting the login form:
+        form['login'] = login
+        form['password'] = password
+        return form.submit(status=302)
+
+
+class LDAPTest:
+
+    """
+    Server fixtures, see https://github.com/zoldar/python-ldap-test
+    """
+    ldap_server_data = NotImplemented
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._ldap_test_server = None
+        self._ldap_connection = None
+
+    def setUp(self):
+        super().setUp()
+        self._ldap_test_server = LdapServer(self.ldap_server_data)
+        self._ldap_test_server.start()
+        ldap3_server = ldap3.Server('localhost', port=self._ldap_test_server.config['port'])
+        self._ldap_connection = ldap3.Connection(
+            ldap3_server,
+            user=self._ldap_test_server.config['bind_dn'],
+            password=self._ldap_test_server.config['password'],
+            auto_bind=True
+        )
+
+    def tearDown(self):
+        super().tearDown()
+        self._ldap_test_server.stop()
+
+    def test_ldap_connectivity(self):
+        with make_connection(
+                'ldap://%s:%d' % ('localhost', self._ldap_test_server.config['port']),
+                self._ldap_test_server.config['bind_dn'],
+                'toor'
+        ) as conn:
+            if not conn.bind():
+                ok_(False, "Cannot establish connection with LDAP test server")
+            else:
+                ok_(True)

tracim/tracim/tests/functional/test_ldap_authentication.py

@@ -0,0 +1,80 @@
+# -*- coding: utf-8 -*-
+"""
+Integration tests for the ldap authentication sub-system.
+"""
+from nose.tools import eq_
+from tg import config
+
+from tracim.model import DBSession, User
+from tracim.tests import LDAPTest, TracimTestController
+
+
+class TestAuthentication(LDAPTest, TracimTestController):
+    application_under_test = 'ldap'
+    ldap_server_data = {
+            'port': 3333,
+            'password': 'toor',
+
+            'bind_dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+            'base': {
+                'objectclass': ['dcObject', 'organization'],
+                'dn': 'dc=directory,dc=fsf,dc=org',
+                'attributes': {
+                    'o': 'Free Software Foundation',
+                    'dc': 'directory'
+                }
+            },
+
+            'entries': [
+                {
+                    'objectclass': ['organizationalRole'],
+                    'dn': 'cn=admin,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'cn': 'admin'
+                    }
+                },
+                {
+                    'objectclass': ['organizationalUnit'],
+                    'dn': 'ou=people,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'ou': 'people',
+                    }
+                },
+                {
+                    'objectclass': ['organizationalUnit'],
+                    'dn': 'ou=groups,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'ou': 'groups',
+                    }
+                },
+                {
+                    'objectclass': ['account', 'top'],
+                    'dn': 'cn=richard-not-real-email@fsf.org,ou=people,dc=directory,dc=fsf,dc=org',
+                    'attributes': {
+                        'uid': 'richard-not-real-email@fsf.org',
+                        'userPassword': 'rms',
+                        'mail': 'richard-not-real-email@fsf.org'
+                    }
+                },
+            ]
+        }
+
+    def test_ldap_auth_fail(self):
+        # User is unknown in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'unknown-user@fsf.org').count())
+
+        self._connect_user('unknown-user@fsf.org', 'no-pass')
+
+        # User is registered in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'unknown-user@fsf.org').count())
+        DBSession.close()
+
+    def test_ldap_auth_sync(self):
+        # User is unknown in tracim database
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+
+        self._connect_user('richard-not-real-email@fsf.org', 'rms')
+
+        # User is registered in tracim database
+        eq_(1, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
+        DBSession.close()

tracim/tracim/websetup/bootstrap.py

@@ -13,35 +13,36 @@ def bootstrap(command, conf, vars):
     # <websetup.bootstrap.before.auth
     from sqlalchemy.exc import IntegrityError
     try:
-        u = model.User()
-        u.display_name = 'Global manager'
-        u.email = 'admin@admin.admin'
-        u.password = 'admin@admin.admin'
-        model.DBSession.add(u)
-
-        g1 = model.Group()
-        g1.group_id = 1
-        g1.group_name = 'users'
-        g1.display_name = 'Users'
-        g1.users.append(u)
-        model.DBSession.add(g1)
-
-        g2 = model.Group()
-        g2.group_id = 2
-        g2.group_name = 'managers'
-        g2.display_name = 'Global Managers'
-        g2.users.append(u)
-        model.DBSession.add(g2)
-
-        g3 = model.Group()
-        g3.group_id = 3
-        g3.group_name = 'administrators'
-        g3.display_name = 'Administrators'
-        g3.users.append(u)
-        model.DBSession.add(g3)
-
-        model.DBSession.flush()
-        transaction.commit()
+        # u = model.User()
+        # u.display_name = 'Global manager'
+        # u.email = 'admin@admin.admin'
+        # u.password = 'admin@admin.admin'
+        # model.DBSession.add(u)
+        #
+        # g1 = model.Group()
+        # g1.group_id = 1
+        # g1.group_name = 'users'
+        # g1.display_name = 'Users'
+        # g1.users.append(u)
+        # model.DBSession.add(g1)
+        #
+        # g2 = model.Group()
+        # g2.group_id = 2
+        # g2.group_name = 'managers'
+        # g2.display_name = 'Global Managers'
+        # g2.users.append(u)
+        # model.DBSession.add(g2)
+        #
+        # g3 = model.Group()
+        # g3.group_id = 3
+        # g3.group_name = 'administrators'
+        # g3.display_name = 'Administrators'
+        # g3.users.append(u)
+        # model.DBSession.add(g3)
+        #
+        # model.DBSession.flush()
+        # transaction.commit()
+        pass
 
     except IntegrityError:
         print('Warning, there was a problem adding your auth data, it may have already been added:')

tracim/tracim/websetup/schema.py

@@ -174,7 +174,8 @@ CREATE TABLE users (
     display_name character varying(255),
     password character varying(128),
     created timestamp without time zone,
-    is_active boolean DEFAULT true NOT NULL
+    is_active boolean DEFAULT true NOT NULL,
+    imported_from character varying(32)
 );
 
 CREATE TABLE user_group (