kallithea Changeset - 74685a31cc43

Changeset - 74685a31cc43

Parent rev.

Child rev.

[Not reviewed]

beta

0 7 0

"Lorenzo M. Catucci" - 15 years ago 2011-04-26 19:17:06
lorenzo@sancho.ccd.uniroma2.it

Enable start_tls connection encryption.

7 files changed with 30 insertions and 14 deletions:

rhodecode/controllers/admin/ldap_settings.py

rhodecode/lib/auth.py

rhodecode/lib/auth_ldap.py

rhodecode/lib/db_manage.py

rhodecode/model/forms.py

rhodecode/model/settings.py

rhodecode/templates/admin/ldap/ldap.html

0 comments (0 inline, 0 general)

rhodecode/controllers/admin/ldap_settings.py

➞

Show inline comments

@@ @@ -38,74 +38,84 @@ from rhodecode.lib.auth import LoginRequ @@
 from rhodecode.lib.auth_ldap import LdapImportError
 from rhodecode.model.settings import SettingsModel
 from rhodecode.model.forms import LdapSettingsForm
 from sqlalchemy.exc import DatabaseError
 log = logging.getLogger(__name__)
 class LdapSettingsController(BaseController):
     search_scope_choices = [('BASE', _('BASE'),),
                             ('ONELEVEL', _('ONELEVEL'),),
                             ('SUBTREE', _('SUBTREE'),),
+                            ]
     search_scope_default = 'SUBTREE'
     tls_reqcert_choices = [('NEVER', _('NEVER'),),
                            ('ALLOW', _('ALLOW'),),
                            ('TRY', _('TRY'),),
                            ('DEMAND', _('DEMAND'),),
                            ('HARD', _('HARD'),),
+                           ]
     tls_reqcert_default = 'DEMAND'
     tls_kind_choices = [('PLAIN', _('No encryption'),),
                         ('LDAPS', _('LDAPS connection'),),
                         ('START_TLS', _('START_TLS on LDAP connection'),)
+                        ]
     tls_kind_default = 'PLAIN'
     @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     def __before__(self):
         c.admin_user = session.get('admin_user')
         c.admin_username = session.get('admin_username')
         c.search_scope_choices = self.search_scope_choices
         c.tls_reqcert_choices = self.tls_reqcert_choices
         c.tls_kind_choices = self.tls_kind_choices
         super(LdapSettingsController, self).__before__()
     def index(self):
         defaults = SettingsModel().get_ldap_settings()
         c.search_scope_cur = defaults.get('ldap_search_scope')
         c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert')
         c.tls_kind_cur = defaults.get('ldap_tls_kind')
         return htmlfill.render(
                     render('admin/ldap/ldap.html'),
                     defaults=defaults,
                     encoding="UTF-8",
                     force_defaults=True,)
     def ldap_settings(self):
         """POST ldap create and store ldap settings"""
         settings_model = SettingsModel()
         _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices],
                                  [x[0] for x in self.search_scope_choices])()
                                  [x[0] for x in self.search_scope_choices],
                                  [x[0] for x in self.tls_kind_choices])()
         try:
             form_result = _form.to_python(dict(request.POST))
             try:
                 for k, v in form_result.items():
                     if k.startswith('ldap_'):
                         setting = settings_model.get(k)
                         setting.app_settings_value = v
                         self.sa.add(setting)
                 self.sa.commit()
                 h.flash(_('Ldap settings updated successfully'),
                     category='success')
             except (DatabaseError,):
                 raise
         except LdapImportError:
             h.flash(_('Unable to activate ldap. The "python-ldap" library '
                       'is missing.'), category='warning')
         except formencode.Invalid, errors:
             c.search_scope_cur = self.search_scope_default
             c.tls_reqcert_cur = self.search_scope_default

rhodecode/lib/auth.py

➞

Show inline comments

@@ @@ -169,49 +169,49 @@ def authenticate(username, password): @@
     else:
         log.debug('Regular authentication failed')
         user_obj = user_model.get_by_username(username, cache=False,
                                             case_insensitive=True)
         if user_obj is not None and not user_obj.ldap_dn:
             log.debug('this user already exists as non ldap')
             return False
         from rhodecode.model.settings import SettingsModel
         ldap_settings = SettingsModel().get_ldap_settings()
         #======================================================================
         # FALLBACK TO LDAP AUTH IF ENABLE
         #======================================================================
         if str2bool(ldap_settings.get('ldap_active')):
             log.debug("Authenticating user using ldap")
             kwargs = {
                   'server': ldap_settings.get('ldap_host', ''),
                   'base_dn': ldap_settings.get('ldap_base_dn', ''),
                   'port': ldap_settings.get('ldap_port'),
                   'bind_dn': ldap_settings.get('ldap_dn_user'),
                   'bind_pass': ldap_settings.get('ldap_dn_pass'),
-                  'use_ldaps': str2bool(ldap_settings.get('ldap_ldaps')),
+                  'tls_kind': ldap_settings.get('ldap_tls_kind'),
                   'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
                   'ldap_filter': ldap_settings.get('ldap_filter'),
                   'search_scope': ldap_settings.get('ldap_search_scope'),
                   'attr_login': ldap_settings.get('ldap_attr_login'),
                   'ldap_version': 3,
+                  }
             log.debug('Checking for ldap authentication')
             try:
                 aldap = AuthLdap(**kwargs)
                 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username,
                                                                 password)
                 log.debug('Got ldap DN response %s', user_dn)
                 user_attrs = {
                     'name': ldap_attrs.get(ldap_settings\
                                        .get('ldap_attr_firstname'), [''])[0],
                     'lastname': ldap_attrs.get(ldap_settings\
                                            .get('ldap_attr_lastname'),[''])[0],
                     'email': ldap_attrs.get(ldap_settings\
                                         .get('ldap_attr_email'), [''])[0],
+                    }
                 if user_model.create_ldap(username, password, user_dn,
                                           user_attrs):

rhodecode/lib/auth_ldap.py

➞

Show inline comments

@@ @@ -13,107 +13,113 @@ @@
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
+#
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 Created on Nov 17, 2010
 @author: marcink
 """
 from rhodecode.lib.exceptions import *
 import logging
 log = logging.getLogger(__name__)
 try:
     import ldap
 except ImportError:
     pass
 class AuthLdap(object):
     def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
-                 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
+                 tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                  ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
                  search_scope='SUBTREE',
                  attr_login='uid'):
         self.ldap_version = ldap_version
         if use_ldaps:
         ldap_server_type = 'ldap'
         self.TLS_KIND = tls_kind
         if self.TLS_KIND == 'LDAPS':
             port = port or 689
         self.LDAP_USE_LDAPS = use_ldaps
             ldap_server_type = ldap_server_type + 's'
         self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
         self.LDAP_SERVER_ADDRESS = server
         self.LDAP_SERVER_PORT = port
         #USE FOR READ ONLY BIND TO LDAP SERVER
         self.LDAP_BIND_DN = bind_dn
         self.LDAP_BIND_PASS = bind_pass
         ldap_server_type = 'ldap'
         if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
         self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
                                                self.LDAP_SERVER_ADDRESS,
                                                self.LDAP_SERVER_PORT)
         self.BASE_DN = base_dn
         self.LDAP_FILTER = ldap_filter
         self.SEARCH_SCOPE = ldap.__dict__['SCOPE_' + search_scope]
         self.attr_login = attr_login
     def authenticate_ldap(self, username, password):
         """Authenticate a user via LDAP and return his/her LDAP properties.
         Raises AuthenticationError if the credentials are rejected, or
         EnvironmentError if the LDAP server can't be reached.
         :param username: username
         :param password: password
         """
         from rhodecode.lib.helpers import chop_at
         uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
         if "," in username:
             raise LdapUsernameError("invalid character in username: ,")
         try:
             ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/etc/openldap/cacerts')
             ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
             ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
             ldap.set_option(ldap.OPT_TIMEOUT, 20)
             ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
             ldap.set_option(ldap.OPT_TIMELIMIT, 15)
-            if self.LDAP_USE_LDAPS:
+            if self.TLS_KIND != 'PLAIN':
                 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
             server = ldap.initialize(self.LDAP_SERVER)
             if self.ldap_version == 2:
                 server.protocol = ldap.VERSION2
             else:
                 server.protocol = ldap.VERSION3
             if self.TLS_KIND == 'START_TLS':
                 server.start_tls_s()
             if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
                 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
             filt = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login, username)
             log.debug("Authenticating %r filt %s at %s", self.BASE_DN,
                       filt, self.LDAP_SERVER)
             lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
                                            filt)
             if not lobjects:
                 raise ldap.NO_SUCH_OBJECT()
             for (dn, _attrs) in lobjects:
                 try:
                     server.simple_bind_s(dn, password)
                     attrs = server.search_ext_s(dn, ldap.SCOPE_BASE, '(objectClass=*)')[0][1]
                     break
                 except ldap.INVALID_CREDENTIALS, e:
                     log.debug("LDAP rejected password for user '%s' (%s): %s",
                               uid, username, dn)
             else:
                 log.debug("No matching LDAP objects for authentication "

rhodecode/lib/db_manage.py

➞

Show inline comments

@@ @@ -291,49 +291,49 @@ class DbManage(object): @@
         hooks4.ui_value = 'python:rhodecode.lib.hooks.log_pull_action'
         #For mercurial 1.7 set backward comapatibility with format
         dotencode_disable = RhodeCodeUi()
         dotencode_disable.ui_section = 'format'
         dotencode_disable.ui_key = 'dotencode'
         dotencode_disable.ui_value = 'false'
         try:
             self.sa.add(hooks1)
             self.sa.add(hooks2)
             self.sa.add(hooks3)
             self.sa.add(hooks4)
             self.sa.add(dotencode_disable)
             self.sa.commit()
         except:
             self.sa.rollback()
             raise
     def create_ldap_options(self):
         """Creates ldap settings"""
         try:
             for k, v in [('ldap_active', 'false'), ('ldap_host', ''),
-                        ('ldap_port', '389'), ('ldap_ldaps', 'false'),
+                        ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'),
                         ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''),
                         ('ldap_dn_pass', ''), ('ldap_base_dn', ''),
                         ('ldap_filter', ''), ('ldap_search_scope', ''),
                         ('ldap_attr_login', ''), ('ldap_attr_firstname', ''),
                         ('ldap_attr_lastname', ''), ('ldap_attr_email', '')]:
                 setting = RhodeCodeSettings(k, v)
                 self.sa.add(setting)
             self.sa.commit()
         except:
             self.sa.rollback()
             raise
     def config_prompt(self, test_repo_path='', retries=3):
         if retries == 3:
             log.info('Setting up repositories config')
         if not self.tests and not test_repo_path:
             path = raw_input('Specify valid full path to your repositories'
                         ' you can change this later in application settings:')
         else:
             path = test_repo_path
         path_ok = True

rhodecode/model/forms.py

➞

Show inline comments

@@ @@ -535,45 +535,45 @@ def ApplicationUiSettingsForm(): @@
         allow_extra_fields = True
         filter_extra_fields = False
         web_push_ssl = OneOf(['true', 'false'], if_missing='false')
         paths_root_path = All(ValidPath(), UnicodeString(strip=True, min=1, not_empty=True))
         hooks_changegroup_update = OneOf(['True', 'False'], if_missing=False)
         hooks_changegroup_repo_size = OneOf(['True', 'False'], if_missing=False)
         hooks_pretxnchangegroup_push_logger = OneOf(['True', 'False'], if_missing=False)
         hooks_preoutgoing_pull_logger = OneOf(['True', 'False'], if_missing=False)
     return _ApplicationUiSettingsForm
 def DefaultPermissionsForm(perms_choices, register_choices, create_choices):
     class _DefaultPermissionsForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         overwrite_default = StringBoolean(if_missing=False)
         anonymous = OneOf(['True', 'False'], if_missing=False)
         default_perm = OneOf(perms_choices)
         default_register = OneOf(register_choices)
         default_create = OneOf(create_choices)
     return _DefaultPermissionsForm
 def LdapSettingsForm(tls_reqcert_choices, search_scope_choices):
+def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices):
     class _LdapSettingsForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
         pre_validators = [LdapLibValidator]
         ldap_active = StringBoolean(if_missing=False)
         ldap_host = UnicodeString(strip=True,)
         ldap_port = Number(strip=True,)
-        ldap_ldaps = StringBoolean(if_missing=False)
+        ldap_tls_kind = OneOf(tls_kind_choices)
         ldap_tls_reqcert = OneOf(tls_reqcert_choices)
         ldap_dn_user = UnicodeString(strip=True,)
         ldap_dn_pass = UnicodeString(strip=True,)
         ldap_base_dn = UnicodeString(strip=True,)
         ldap_filter = UnicodeString(strip=True,)
         ldap_search_scope = OneOf(search_scope_choices)
         ldap_attr_login = All(AttrLoginValidator, UnicodeString(strip=True,))
         ldap_attr_firstname = UnicodeString(strip=True,)
         ldap_attr_lastname = UnicodeString(strip=True,)
         ldap_attr_email = UnicodeString(strip=True,)
     return _LdapSettingsForm

rhodecode/model/settings.py

➞

Show inline comments

@@ @@ -49,49 +49,49 @@ class SettingsModel(BaseModel): @@
         'rhodecode_' prefix, than global pylons config is updated with such
         keys
         """
         ret = self.sa.query(RhodeCodeSettings)
         if cache:
             ret = ret.options(FromCache("sql_cache_short", "get_hg_settings"))
         if not ret:
             raise Exception('Could not get application settings !')
         settings = {}
         for each in ret:
             settings['rhodecode_' + each.app_settings_name] = each.app_settings_value
         return settings
     def get_ldap_settings(self):
         """
         Returns ldap settings from database
         :returns:
         ldap_active
         ldap_host
         ldap_port
-        ldap_ldaps
+        ldap_tls_kind
         ldap_tls_reqcert
         ldap_dn_user
         ldap_dn_pass
         ldap_base_dn
         ldap_filter
         ldap_search_scope
         ldap_attr_login
         ldap_attr_firstname
         ldap_attr_lastname
         ldap_attr_email
         """
         # ldap_search_scope
         r = self.sa.query(RhodeCodeSettings)\
                 .filter(RhodeCodeSettings.app_settings_name\
                         .startswith('ldap_'))\
                 .all()
         fd = {}
         for row in r:
             v = row.app_settings_value
             if v in ['true', 'yes', 'on', 'y', 't', '1']:
                 v = True

rhodecode/templates/admin/ldap/ldap.html

➞

Show inline comments

@@ @@ -26,50 +26,50 @@ @@
         <div class="fields">
 	  <h3>${_('Connection settings')}</h3>
             <div class="field">
                 <div class="label label-checkbox"><label for="ldap_active">${_('Enable LDAP')}</label></div>
                 <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_active',True,class_='small')}</div></div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_host">${_('Host')}</label></div>
                 <div class="input">${h.text('ldap_host',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_port">${_('Port')}</label></div>
                 <div class="input">${h.text('ldap_port',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_dn_user">${_('Account')}</label></div>
                 <div class="input">${h.text('ldap_dn_user',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_dn_pass">${_('Password')}</label></div>
                 <div class="input">${h.password('ldap_dn_pass',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label label-checkbox"><label for="ldap_ldaps">${_('Enable LDAPS')}</label></div>
                 <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_ldaps',True,class_='small')}</div></div>
                 <div class="label"><label for="ldap_tls_kind">${_('Connection security')}</label></div>
                 <div class="select">${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div>
                 <div class="select">${h.select('ldap_tls_reqcert',c.tls_reqcert_cur,c.tls_reqcert_choices,class_='small')}</div>
             </div>
 	  <h3>${_('Search settings')}</h3>
             <div class="field">
                 <div class="label"><label for="ldap_base_dn">${_('Base DN')}</label></div>
                 <div class="input">${h.text('ldap_base_dn',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_filter">${_('LDAP Filter')}</label></div>
                 <div class="input">${h.text('ldap_filter',class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_search_scope">${_('LDAP Search Scope')}</label></div>
                 <div class="select">${h.select('ldap_search_scope',c.search_scope_cur,c.search_scope_choices,class_='small')}</div>
             </div>
 	  <h3>${_('Attribute mappings')}</h3>
             <div class="field">
                 <div class="label"><label for="ldap_attr_login">${_('Login Attribute')}</label></div>
                 <div class="input">${h.text('ldap_attr_login',class_='small')}</div>
             </div>
             <div class="field">

0 comments (0 inline, 0 general)