Changeset - 7ce3897bacd0
default
Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com
auth: make ldap OPT_X_TLS_CACERTDIR configurable

A location was hardcoded. The location was wrong for many systems and prevented
actual TLS from working. Also, it should not be necessary with modern Pythons.

For some reason, instead of removing it, we now decide to expose it to the
user. Choice FTW!
3 files changed with 31 insertions and 9 deletions:
docs/setup.rst
 
@@ -190,121 +190,129 @@ If your user groups are placed in an Org
 
Enable LDAP : required
 
    Whether to use LDAP for authenticating users.
 

	
 
.. _ldap_host:
 

	
 
Host : required
 
    LDAP server hostname or IP address. Can be also a comma separated
 
    list of servers to support LDAP fail-over.
 

	
 
.. _Port:
 

	
 
Port : required
 
    389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
 

	
 
.. _ldap_account:
 

	
 
Account : optional
 
    Only required if the LDAP server does not allow anonymous browsing of
 
    records.  This should be a special account for record browsing.  This
 
    will require `LDAP Password`_ below.
 

	
 
.. _LDAP Password:
 

	
 
Password : optional
 
    Only required if the LDAP server does not allow anonymous browsing of
 
    records.
 

	
 
.. _Enable LDAPS:
 

	
 
Connection Security : required
 
    Defines the connection to LDAP server
 

	
 
    No encryption
 
        Plain non encrypted connection
 

	
 
    LDAPS connection
 
        Enable LDAPS connections. It will likely require `Port`_ to be set to
 
        a different value (standard LDAPS port is 636). When LDAPS is enabled
 
        then `Certificate Checks`_ is required.
 

	
 
    START_TLS on LDAP connection
 
        START TLS connection
 

	
 
.. _Certificate Checks:
 

	
 
Certificate Checks : optional
 
    How SSL certificates verification is handled -- this is only useful when
 
    `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
 
    while the other options are susceptible to man-in-the-middle attacks.  SSL
 
    certificates can be installed to /etc/openldap/cacerts so that the
 
    DEMAND or HARD options can be used with self-signed certificates or
 
    certificates that do not have traceable certificates of authority.
 
    with mandatory certificate validation, while the other options are
 
    susceptible to man-in-the-middle attacks.
 

	
 
    NEVER
 
        A serve certificate will never be requested or checked.
 

	
 
    ALLOW
 
        A server certificate is requested.  Failure to provide a
 
        certificate or providing a bad certificate will not terminate the
 
        session.
 

	
 
    TRY
 
        A server certificate is requested.  Failure to provide a
 
        certificate does not halt the session; providing a bad certificate
 
        halts the session.
 

	
 
    DEMAND
 
        A server certificate is requested and must be provided and
 
        authenticated for the session to proceed.
 

	
 
    HARD
 
        The same as DEMAND.
 

	
 
.. _Custom CA Certificates:
 

	
 
Custom CA Certificates : optional
 
    Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
 
    Python 2.7.10 and later default to using the system certificate store, and
 
    this should thus not be necessary when using certificates signed by a CA
 
    trusted by the system.
 
    It can be set to something like `/etc/openldap/cacerts` on older systems or
 
    if using self-signed certificates.
 

	
 
.. _Base DN:
 

	
 
Base DN : required
 
    The Distinguished Name (DN) where searches for users will be performed.
 
    Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
 

	
 
.. _LDAP Filter:
 

	
 
LDAP Filter : optional
 
    A LDAP filter defined by RFC 2254.  This is more useful when `LDAP
 
    Search Scope`_ is set to SUBTREE.  The filter is useful for limiting
 
    which LDAP objects are identified as representing Users for
 
    authentication.  The filter is augmented by `Login Attribute`_ below.
 
    This can commonly be left blank.
 

	
 
.. _LDAP Search Scope:
 

	
 
LDAP Search Scope : required
 
    This limits how far LDAP will search for a matching object.
 

	
 
    BASE
 
        Only allows searching of `Base DN`_ and is usually not what you
 
        want.
 

	
 
    ONELEVEL
 
        Searches all entries under `Base DN`_, but not Base DN itself.
 

	
 
    SUBTREE
 
        Searches all entries below `Base DN`_, but not Base DN itself.
 
        When using SUBTREE `LDAP Filter`_ is useful to limit object
 
        location.
 

	
 
.. _Login Attribute:
 

	
 
Login Attribute : required
 
    The LDAP record attribute that will be matched as the USERNAME or
 
    ACCOUNT used to connect to Kallithea.  This will be added to `LDAP
 
    Filter`_ for locating the User object.  If `LDAP Filter`_ is specified as
 
    "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
 
    connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
 
    ::
 

	
 
        (&(LDAPFILTER)(uid=jsmith))
 

	
 
.. _ldap_attr_firstname:
 

	
 
First Name Attribute : required
 
    The LDAP record attribute which represents the user's first name.
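Review bot: The Certificate Checks paragraph still says the setting "is only useful when Enable LDAPS is enabled", and the new Custom CA Certificates entry does not say which connection kinds it applies to, but auth_ldap.py in this changeset sets OPT_X_TLS_REQUIRE_CERT whenever the connection kind is not PLAIN, so START_TLS is covered as well; both entries should say so. The Custom CA Certificates text could also state that the value is passed to OPT_X_TLS_CACERTDIR and that leaving it blank sets nothing, since that is what the code does. While here, "A serve certificate" under NEVER should read "A server certificate".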
kallithea/lib/auth_modules/auth_ldap.py
 
@@ -4,361 +4,374 @@
 
# the Free Software Foundation, either version 3 of the License, or
 
# (at your option) any later version.
 
#
 
# This program is distributed in the hope that it will be useful,
 
# but WITHOUT ANY WARRANTY; without even the implied warranty of
 
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 
# GNU General Public License for more details.
 
#
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
"""
 
kallithea.lib.auth_modules.auth_ldap
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Kallithea authentication plugin for LDAP
 

	
 
This file was forked by the Kallithea project in July 2014.
 
Original author and date, and relevant copyright and licensing information is below:
 
:created_on: Created on Nov 17, 2010
 
:author: marcink
 
:copyright: (c) 2013 RhodeCode GmbH, and others.
 
:license: GPLv3, see LICENSE.md for more details.
 
"""
 

	
 

	
 
import logging
 
import traceback
 

	
 
from kallithea.lib import auth_modules
 
from kallithea.lib.compat import hybrid_property
 
from kallithea.lib.utils2 import safe_unicode, safe_str
 
from kallithea.lib.exceptions import (
 
    LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
 
)
 
from kallithea.model.db import User
 

	
 
log = logging.getLogger(__name__)
 

	
 
try:
 
    import ldap
 
except ImportError:
 
    # means that python-ldap is not installed
 
    ldap = None
 

	
 

	
 
class AuthLdap(object):
 

	
 
    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
 
                 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
 
                 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
 
                 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
 
                 search_scope='SUBTREE', attr_login='uid'):
 
        if ldap is None:
 
            raise LdapImportError
 

	
 
        self.ldap_version = ldap_version
 
        ldap_server_type = 'ldap'
 

	
 
        self.TLS_KIND = tls_kind
 

	
 
        if self.TLS_KIND == 'LDAPS':
 
            port = port or 689
 
            ldap_server_type = ldap_server_type + 's'
 

	
 
        OPT_X_TLS_DEMAND = 2
 
        self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
 
                                   OPT_X_TLS_DEMAND)
 
        self.cacertdir = cacertdir
 

	
 
        # split server into list
 
        self.LDAP_SERVER_ADDRESS = server.split(',')
 
        self.LDAP_SERVER_PORT = port
 

	
 
        # USE FOR READ ONLY BIND TO LDAP SERVER
 
        self.LDAP_BIND_DN = safe_str(bind_dn)
 
        self.LDAP_BIND_PASS = safe_str(bind_pass)
 
        _LDAP_SERVERS = []
 
        for host in self.LDAP_SERVER_ADDRESS:
 
            _LDAP_SERVERS.append("%s://%s:%s" % (ldap_server_type,
 
                                                     host.replace(' ', ''),
 
                                                     self.LDAP_SERVER_PORT))
 
        self.LDAP_SERVER = str(', '.join(s for s in _LDAP_SERVERS))
 
        self.BASE_DN = safe_str(base_dn)
 
        self.LDAP_FILTER = safe_str(ldap_filter)
 
        self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
 
        self.attr_login = attr_login
 

	
 
    def authenticate_ldap(self, username, password):
 
        """
 
        Authenticate a user via LDAP and return his/her LDAP properties.
 

	
 
        Raises AuthenticationError if the credentials are rejected, or
 
        EnvironmentError if the LDAP server can't be reached.
 

	
 
        :param username: username
 
        :param password: password
 
        """
 

	
 
        from kallithea.lib.helpers import chop_at
 

	
 
        uid = chop_at(username, "@%s" % self.LDAP_SERVER_ADDRESS)
 

	
 
        if not password:
 
            log.debug("Attempt to authenticate LDAP user "
 
                      "with blank password rejected.")
 
            raise LdapPasswordError()
 
        if "," in username:
 
            raise LdapUsernameError("invalid character in username: ,")
 
        try:
 
            if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
 
                ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,
 
                                '/etc/openldap/cacerts')
 
            if self.cacertdir:
 
                if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
 
                    ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
 
                else:
 
                    log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
 
            ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
 
            ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
 
            ldap.set_option(ldap.OPT_TIMEOUT, 20)
 
            ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
 
            ldap.set_option(ldap.OPT_TIMELIMIT, 15)
 
            if self.TLS_KIND != 'PLAIN':
 
                ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
 
            server = ldap.initialize(self.LDAP_SERVER)
 
            if self.ldap_version == 2:
 
                server.protocol = ldap.VERSION2
 
            else:
 
                server.protocol = ldap.VERSION3
 

	
 
            if self.TLS_KIND == 'START_TLS':
 
                server.start_tls_s()
 

	
 
            if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
 
                log.debug('Trying simple_bind with password and given DN: %s',
 
                          self.LDAP_BIND_DN)
 
                server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 

	
 
            filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER, self.attr_login,
 
                                        username)
 
            log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
 
                      filter_, self.LDAP_SERVER)
 
            lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
 
                                           filter_)
 

	
 
            if not lobjects:
 
                raise ldap.NO_SUCH_OBJECT()
 

	
 
            for (dn, _attrs) in lobjects:
 
                if dn is None:
 
                    continue
 

	
 
                try:
 
                    log.debug('Trying simple bind with %s', dn)
 
                    server.simple_bind_s(dn, safe_str(password))
 
                    results = server.search_ext_s(dn, ldap.SCOPE_BASE,
 
                                                  '(objectClass=*)')
 
                    if len(results) == 1:
 
                        dn_, attrs = results[0]
 
                        assert dn_ == dn
 
                        return dn, attrs
 

	
 
                except ldap.INVALID_CREDENTIALS:
 
                    log.debug("LDAP rejected password for user '%s' (%s): %s",
 
                              uid, username, dn)
 
                    continue # accept authentication as another ldap user with same username
 

	
 
            log.debug("No matching LDAP objects for authentication "
 
                      "of '%s' (%s)", uid, username)
 
            raise LdapPasswordError()
 

	
 
        except ldap.NO_SUCH_OBJECT:
 
            log.debug("LDAP says no such user '%s' (%s)", uid, username)
 
            raise LdapUsernameError()
 
        except ldap.SERVER_DOWN:
 
            raise LdapConnectionError("LDAP can't access authentication server")
 
            # [0] might be {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}
 
            raise LdapConnectionError("LDAP can't connect to authentication server")
 

	
 

	
 
class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):
 
    def __init__(self):
 
        self._logger = logging.getLogger(__name__)
 
        self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]
 
        self._tls_reqcert_values = ["NEVER", "ALLOW", "TRY", "DEMAND", "HARD"]
 
        self._search_scopes = ["BASE", "ONELEVEL", "SUBTREE"]
 

	
 
    @hybrid_property
 
    def name(self):
 
        return "ldap"
 

	
 
    def settings(self):
 
        settings = [
 
            {
 
                "name": "host",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "Host of the LDAP Server",
 
                "formname": "LDAP Host"
 
            },
 
            {
 
                "name": "port",
 
                "validator": self.validators.Number(strip=True, not_empty=True),
 
                "type": "string",
 
                "description": "Port that the LDAP server is listening on",
 
                "default": 389,
 
                "formname": "Port"
 
            },
 
            {
 
                "name": "dn_user",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "User to connect to LDAP",
 
                "formname": "Account"
 
            },
 
            {
 
                "name": "dn_pass",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "password",
 
                "description": "Password to connect to LDAP",
 
                "formname": "Password"
 
            },
 
            {
 
                "name": "tls_kind",
 
                "validator": self.validators.OneOf(self._tls_kind_values),
 
                "type": "select",
 
                "values": self._tls_kind_values,
 
                "description": "TLS Type",
 
                "default": 'PLAIN',
 
                "formname": "Connection Security"
 
            },
 
            {
 
                "name": "tls_reqcert",
 
                "validator": self.validators.OneOf(self._tls_reqcert_values),
 
                "type": "select",
 
                "values": self._tls_reqcert_values,
 
                "description": "Require Cert over TLS?",
 
                "formname": "Certificate Checks"
 
            },
 
            {
 
                "name": "cacertdir",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "Optional: Custom CA certificate directory for validating LDAPS",
 
                "formname": "Custom CA Certificates"
 
            },
 
            {
 
                "name": "base_dn",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "Base DN to search (e.g., dc=mydomain,dc=com)",
 
                "formname": "Base DN"
 
            },
 
            {
 
                "name": "filter",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "Filter to narrow results (e.g., ou=Users, etc)",
 
                "formname": "LDAP Search Filter"
 
            },
 
            {
 
                "name": "search_scope",
 
                "validator": self.validators.OneOf(self._search_scopes),
 
                "type": "select",
 
                "values": self._search_scopes,
 
                "description": "How deep to search LDAP",
 
                "formname": "LDAP Search Scope"
 
            },
 
            {
 
                "name": "attr_login",
 
                "validator": self.validators.AttrLoginValidator(not_empty=True, strip=True),
 
                "type": "string",
 
                "description": "LDAP Attribute to map to user name",
 
                "formname": "Login Attribute"
 
            },
 
            {
 
                "name": "attr_firstname",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "LDAP Attribute to map to first name",
 
                "formname": "First Name Attribute"
 
            },
 
            {
 
                "name": "attr_lastname",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "LDAP Attribute to map to last name",
 
                "formname": "Last Name Attribute"
 
            },
 
            {
 
                "name": "attr_email",
 
                "validator": self.validators.UnicodeString(strip=True),
 
                "type": "string",
 
                "description": "LDAP Attribute to map to email address",
 
                "formname": "Email Attribute"
 
            }
 
        ]
 
        return settings
 

	
 
    def use_fake_password(self):
 
        return True
 

	
 
    def user_activation_state(self):
 
        def_user_perms = User.get_default_user().AuthUser.permissions['global']
 
        return 'hg.extern_activate.auto' in def_user_perms
 

	
 
    def auth(self, userobj, username, password, settings, **kwargs):
 
        """
 
        Given a user object (which may be null), username, a plaintext password,
 
        and a settings object (containing all the keys needed as listed in settings()),
 
        authenticate this user's login attempt.
 

	
 
        Return None on failure. On success, return a dictionary of the form:
 

	
 
            see: KallitheaAuthPluginBase.auth_func_attrs
 
        This is later validated for correctness
 
        """
 

	
 
        if not username or not password:
 
            log.debug('Empty username or password skipping...')
 
            return None
 

	
 
        kwargs = {
 
            'server': settings.get('host', ''),
 
            'base_dn': settings.get('base_dn', ''),
 
            'port': settings.get('port'),
 
            'bind_dn': settings.get('dn_user'),
 
            'bind_pass': settings.get('dn_pass'),
 
            'tls_kind': settings.get('tls_kind'),
 
            'tls_reqcert': settings.get('tls_reqcert'),
 
            'cacertdir': settings.get('cacertdir'),
 
            'ldap_filter': settings.get('filter'),
 
            'search_scope': settings.get('search_scope'),
 
            'attr_login': settings.get('attr_login'),
 
            'ldap_version': 3,
 
        }
 

	
 
        if kwargs['bind_dn'] and not kwargs['bind_pass']:
 
            log.debug('Using dynamic binding.')
 
            kwargs['bind_dn'] = kwargs['bind_dn'].replace('$login', username)
 
            kwargs['bind_pass'] = password
 
        log.debug('Checking for ldap authentication')
 

	
 
        try:
 
            aldap = AuthLdap(**kwargs)
 
            (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
 
            log.debug('Got ldap DN response %s', user_dn)
 

	
 
            get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]
 

	
 
            # old attrs fetched from Kallithea database
 
            admin = getattr(userobj, 'admin', False)
 
            active = getattr(userobj, 'active', self.user_activation_state())
 
            email = getattr(userobj, 'email', '')
 
            firstname = getattr(userobj, 'firstname', '')
 
            lastname = getattr(userobj, 'lastname', '')
 

	
 
            user_data = {
 
                'username': username,
 
                'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
 
                'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
 
                'groups': [],
 
                'email': get_ldap_attr('attr_email') or email,
 
                'admin': admin,
 
                'active': active,
 
                "active_from_extern": None,
 
                'extern_name': user_dn,
 
            }
 
            log.info('user %s authenticated correctly', user_data['username'])
 
            return user_data
 

	
 
        except LdapUsernameError:
 
            log.info('Error authenticating %s with LDAP: User not found', username)
 
        except LdapPasswordError:
 
            log.info('Error authenticating %s with LDAP: Password error', username)
 
        except LdapImportError:
 
            log.error('Error authenticating %s with LDAP: LDAP not available', username)
 
        return None
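Review bot: In authenticate_ldap, ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir) sets a module-level option and only runs when self.cacertdir is non-empty, so a directory set during one login stays in effect for later logins in the same process even after the setting has been cleared. Consider setting the option on the connection returned by ldap.initialize, or document that clearing the field needs a restart. When OPT_X_TLS_CACERTDIR is not available the configured directory is dropped with only a log.debug, which leaves an administrator who set it with certificate failures and no hint why; log.warning would fit better. The new comment in the SERVER_DOWN handler refers to "[0]" of an exception that is never bound: use "except ldap.SERVER_DOWN as e" and log its info so a certificate error can be told apart from an unreachable server. cacertdir is also stored without safe_str, unlike bind_dn and base_dn.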
 

	
kallithea/tests/functional/test_admin_auth_settings.py
 
from kallithea.tests.base import *
 
from kallithea.model.db import Setting
 

	
 

	
 
class TestAuthSettingsController(TestController):
 
    def _enable_plugins(self, plugins_list):
 
        test_url = url(controller='admin/auth_settings',
 
                       action='auth_settings')
 
        params={'auth_plugins': plugins_list, '_authentication_token': self.authentication_token()}
 

	
 
        for plugin in plugins_list.split(','):
 
            enable = plugin.partition('kallithea.lib.auth_modules.')[-1]
 
            params.update({'%s_enabled' % enable: True})
 
        response = self.app.post(url=test_url, params=params)
 
        return params
 
        #self.checkSessionFlash(response, 'Auth settings updated successfully')
 

	
 
    def test_index(self):
 
        self.log_user()
 
        response = self.app.get(url(controller='admin/auth_settings',
 
                                    action='index'))
 
        response.mustcontain('Authentication Plugins')
 

	
 
    @skipif(not ldap_lib_installed, reason='skipping due to missing ldap lib')
 
    def test_ldap_save_settings(self):
 
        self.log_user()
 

	
 
        params = self._enable_plugins('kallithea.lib.auth_modules.auth_internal,kallithea.lib.auth_modules.auth_ldap')
 
        params.update({'auth_ldap_host': u'dc.example.com',
 
                       'auth_ldap_port': '999',
 
                       'auth_ldap_tls_kind': 'PLAIN',
 
                       'auth_ldap_tls_reqcert': 'NEVER',
 
                       'auth_ldap_cacertdir': '',
 
                       'auth_ldap_dn_user': 'test_user',
 
                       'auth_ldap_dn_pass': 'test_pass',
 
                       'auth_ldap_base_dn': 'test_base_dn',
 
                       'auth_ldap_filter': 'test_filter',
 
                       'auth_ldap_search_scope': 'BASE',
 
                       'auth_ldap_attr_login': 'test_attr_login',
 
                       'auth_ldap_attr_firstname': 'ima',
 
                       'auth_ldap_attr_lastname': 'tester',
 
                       'auth_ldap_attr_email': 'test@example.com'})
 

	
 
        test_url = url(controller='admin/auth_settings',
 
                       action='auth_settings')
 

	
 
        response = self.app.post(url=test_url, params=params)
 
        self.checkSessionFlash(response, 'Auth settings updated successfully')
 

	
 
        new_settings = Setting.get_auth_settings()
 
        assert new_settings['auth_ldap_host'] == u'dc.example.com', 'fail db write compare'
 

	
 
    @skipif(not ldap_lib_installed, reason='skipping due to missing ldap lib')
 
    def test_ldap_error_form_wrong_port_number(self):
 
        self.log_user()
 

	
 
        params = self._enable_plugins('kallithea.lib.auth_modules.auth_internal,kallithea.lib.auth_modules.auth_ldap')
 
        params.update({'auth_ldap_host': '',
 
                       'auth_ldap_port': 'i-should-be-number',  # bad port num
 
                       'auth_ldap_tls_kind': 'PLAIN',
 
                       'auth_ldap_tls_reqcert': 'NEVER',
 
                       'auth_ldap_dn_user': '',
 
                       'auth_ldap_dn_pass': '',
 
                       'auth_ldap_base_dn': '',
 
                       'auth_ldap_filter': '',
 
                       'auth_ldap_search_scope': 'BASE',
 
                       'auth_ldap_attr_login': '',
 
                       'auth_ldap_attr_firstname': '',
 
                       'auth_ldap_attr_lastname': '',
 
                       'auth_ldap_attr_email': ''})
 
        test_url = url(controller='admin/auth_settings',
 
                       action='auth_settings')
 

	
 
        response = self.app.post(url=test_url, params=params)
 

	
 
        response.mustcontain("""<span class="error-message">"""
 
                             """Please enter a number</span>""")
 

	
 
    @skipif(not ldap_lib_installed, reason='skipping due to missing ldap lib')
 
    def test_ldap_error_form(self):
 
        self.log_user()
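Review bot: 'auth_ldap_cacertdir': '' is added only to test_ldap_save_settings, with an empty value, and the only assertion after the post is on auth_ldap_host, so nothing checks that the new setting is stored. Post a non-empty directory and assert on new_settings['auth_ldap_cacertdir']. test_ldap_error_form_wrong_port_number does not send the field at all, which is worth making consistent.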