LDAP: Groups and permission managment (for groups in local db)

tracim/test.ini

@@ -33,6 +33,7 @@ ldap_bind_pass = toor
 ldap_ldap_naming_attribute = uid
 ldap_user_attributes = mail=email
 ldap_tls = False
+ldap_group_enabled = False
 use = config:development.ini
 
 # Add additional test specific configuration options as necessary.

tracim/tracim/lib/auth/ldap.py

@@ -1,12 +1,13 @@
 # -*- coding: utf-8 -*-
 from tg.configuration.auth import TGAuthMetadata
-from who_ldap import LDAPAttributesPlugin, LDAPGroupsPlugin
+from who_ldap import LDAPAttributesPlugin as BaseLDAPAttributesPlugin
+from who_ldap import LDAPGroupsPlugin as BaseLDAPGroupsPlugin
 from who_ldap import LDAPSearchAuthenticatorPlugin as BaseLDAPSearchAuthenticatorPlugin
 
 from tracim.lib.auth.base import Auth
 from tracim.lib.helpers import ini_conf_to_bool
 from tracim.lib.user import UserApi
-from tracim.model import auth, DBSession, User
+from tracim.model import DBSession, User
 
 
 class LDAPAuth(Auth):
@@ -21,7 +22,7 @@ class LDAPAuth(Auth):
         super().__init__(config)
         self.ldap_auth = self._get_ldap_auth()
         self.ldap_user_provider = self._get_ldap_user_provider()
-        if self._config.get('ldap_group_enabled', False):
+        if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
             self.ldap_groups_provider = self._get_ldap_groups_provider()
 
     def wrap_config(self):
@@ -30,7 +31,7 @@ class LDAPAuth(Auth):
         self._config['sa_auth'].authenticators = [('ldapauth', self.ldap_auth)]
 
         mdproviders = [('ldapuser', self.ldap_user_provider)]
-        if self._config.get('ldap_group_enabled', False):
+        if ini_conf_to_bool(self._config.get('ldap_group_enabled', False)):
             mdproviders.append(('ldapgroups', self.ldap_groups_provider))
         self._config['sa_auth'].mdproviders = mdproviders
 
@@ -105,32 +106,53 @@ class LDAPSearchAuthenticatorPlugin(BaseLDAPSearchAuthenticatorPlugin):
 
 class LDAPApplicationAuthMetadata(TGAuthMetadata):
 
-    # map from LDAP group names to TurboGears group names
-    group_map = {'operators': 'managers'}
-
-    # set of permissions for all mapped groups
-    permissions_for_groups = {'managers': {'manage'}}
-
-    def __init__(self, sa_auth):
-        self.sa_auth = sa_auth
+    def __init__(self, config):
+        self.sa_auth = config.get('sa_auth')
+        self._config = config
 
     def get_user(self, identity, userid):
-        user = identity.get('user')
-        if user:
-            name = '{email}'.format(**user).strip()
-            user.update(user_name=userid, display_name=name)
-        return user
+        return identity.get('user')
 
     def get_groups(self, identity, userid):
-        get_group = self.group_map.get
-        return [get_group(g, g) for g in identity.get('groups', [])]
+        if not ini_conf_to_bool(self._config.get('ldap_group_enabled')):
+
+            # TODO - B.S. - 20160212: récupérer identity['user'].groups directement produit
+            # Parent instance XXX is not bound to a Session. Voir avec Damien.
+            user = DBSession.query(User).filter(User.email == identity['user'].email).one()
+            return [g.group_name for g in user.groups]
 
-    def get_permissions_for_group(self, group):
-        return self.permissions_for_groups.get(group, set())
+            return [g.group_name for g in identity['user'].groups]
+        else:
+            raise NotImplementedError()
 
     def get_permissions(self, identity, userid):
-        permissions = set()
-        get_permissions = self.get_permissions_for_group
-        for group in self.get_groups(identity, userid):
-            permissions |= get_permissions(group)
-        return permissions
+        if not ini_conf_to_bool(self._config.get('ldap_group_enabled')):
+
+            # TODO - B.S. - 20160212: récupérer identity['user'].groups directement produit
+            # Parent instance XXX is not bound to a Session. Voir avec Damien.
+            user = DBSession.query(User).filter(User.email == identity['user'].email).one()
+            return [p.permission_name for p in user.permissions]
+
+            return [p.permission_name for p in identity['user'].permissions]
+        else:
+            raise NotImplementedError()
+
+
+class LDAPGroupsPlugin(BaseLDAPGroupsPlugin):
+
+    def add_metadata(self, environ, identity):
+        super().add_metadata(environ, identity)
+        groups_names = identity[self.name]
+        raise NotImplementedError()  # Should sync groups etc ...
+
+
+class LDAPAttributesPlugin(BaseLDAPAttributesPlugin):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._user_api = UserApi(None)
+
+    def add_metadata(self, environ, identity):
+        super().add_metadata(environ, identity)
+        # TODO - B.S. - 20160212: identity contains now som information from LDAP what we can save in local database
+        identity[self.name] = self._user_api.get_one_by_email(identity.get('repoze.who.userid'))

tracim/tracim/tests/functional/test_ldap_authentication.py

@@ -24,12 +24,12 @@ class TestAuthentication(LDAPTest, TracimTestController):
 
     def test_ldap_auth_fail_wrong_pass(self):
         # User is unknown in tracim database
-        eq_(0, DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').count())
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
 
-        self._connect_user('lawrence-not-real-email@fsf.org', 'wrong-pass')
+        self._connect_user('richard-not-real-email@fsf.org', 'wrong-pass')
 
         # User is registered in tracim database
-        eq_(0, DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').count())
+        eq_(0, DBSession.query(User).filter(User.email == 'richard-not-real-email@fsf.org').count())
 
     def test_ldap_auth_sync(self):
         # User is unknown in tracim database

tracim/tracim/tests/library/test_ldap_without_ldap_groups.py

@@ -0,0 +1,113 @@
+# -*- coding: utf-8 -*-
+from nose.tools import eq_
+from tg import config
+
+from tracim.fixtures.ldap import ldap_test_server_fixtures
+from tracim.lib.auth.ldap import LDAPAuth
+from tracim.lib.helpers import ini_conf_to_bool
+from tracim.model import DBSession, User, Group
+from tracim.tests import LDAPTest, TestStandard
+
+
+class TestContentApi(LDAPTest, TestStandard):
+    """
+    This test load test.ini app:ldap config. LDAP groups management must be disabled in this config.
+    """
+    application_under_test = 'ldap'
+    ldap_server_data = ldap_test_server_fixtures
+
+    def _check_db_user(self, email, count=1):
+        eq_(count, DBSession.query(User).filter(User.email == email).count())
+
+    def test_authenticate_success(self):
+        """
+        LDAP Auth success
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'richard-not-real-email@fsf.org', 'password': 'rms'}
+
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id == 'richard-not-real-email@fsf.org'
+        self._check_db_user('richard-not-real-email@fsf.org', 1)
+
+    def test_authenticate_fail_wrong_pass(self):
+        """
+        LDAP Auth fail: wrong password
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'richard-not-real-email@fsf.org', 'password': 'wrong pass'}
+
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id is None
+        self._check_db_user('richard-not-real-email@fsf.org', 0)
+
+    def test_authenticate_fail_wrong_login(self):
+        """
+        LDAP Auth fail: wrong email
+        :return:
+        """
+        ldap_auth = LDAPAuth(config)
+        richard_identity = {'login': 'wrong-email@fsf.org', 'password': 'rms'}
+
+        self._check_db_user('wrong-email@fsf.org', 0)
+        auth_id = ldap_auth.ldap_auth.authenticate(environ={}, identity=richard_identity)
+
+        assert auth_id is None
+        self._check_db_user('wrong-email@fsf.org', 0)
+
+    def test_internal_groups(self):
+        """
+        LDAP don't manage groups here: We must retrieve internal groups of tested user
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        lawrence_identity = {'user': lawrence}
+
+        # Lawrence is in fixtures: he is in managers group
+        self._check_db_user('lawrence-not-real-email@fsf.org', 1)
+        assert lawrence in managers.users
+        assert False is ini_conf_to_bool(config.get('ldap_group_enabled', False))
+        assert ['managers'] == config.get('sa_auth').authmetadata.get_groups(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+
+        should_groups = ['managers']
+        are_groups = config.get('sa_auth').authmetadata.get_groups(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+        eq_(should_groups,
+            are_groups,
+            "Permissions should be %s, they are %s" % (should_groups, are_groups))
+
+    def test_internal_permissions(self):
+        """
+        LDAP don't manage groups here: We must retrieve internal groups permission of tested user
+        :return:
+        """
+        lawrence = DBSession.query(User).filter(User.email == 'lawrence-not-real-email@fsf.org').one()
+        managers = DBSession.query(Group).filter(Group.group_name == 'managers').one()
+        lawrence_identity = {'user': lawrence}
+
+        # Lawrence is in fixtures: he is in managers group
+        self._check_db_user('lawrence-not-real-email@fsf.org', 1)
+        assert lawrence in managers.users
+        assert False is ini_conf_to_bool(config.get('ldap_group_enabled', False))
+
+        should_permissions = []  # Actually there is no permission
+        are_permissions = config.get('sa_auth').authmetadata.get_permissions(
+            identity=lawrence_identity,
+            userid=lawrence.email
+        )
+        eq_(should_permissions,
+            are_permissions,
+            "Permissions should be %s, they are %s" % (should_permissions, are_permissions))
+

tracim/tracim/websetup/bootstrap.py

@@ -40,6 +40,15 @@ def bootstrap(command, conf, vars):
         g3.users.append(u)
         model.DBSession.add(g3)
 
+        # TODO: - B.S. - 20160212: Following fixture is LDAP tests specific, should make an little fixture management
+        # for tests
+        lawrence = model.User()
+        lawrence.display_name = 'Lawrence Lessig'
+        lawrence.email = 'lawrence-not-real-email@fsf.org'
+        lawrence.password = 'foobarbaz'
+        model.DBSession.add(lawrence)
+        g2.users.append(lawrence)
+
         model.DBSession.flush()
         transaction.commit()
         pass