kallithea Changeset - 7ce3897bacd0

Changeset - 7ce3897bacd0

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Mads Kiilerich - 9 years ago 2016-11-15 22:53:41
madski@unity3d.com

auth: make ldap OPT_X_TLS_CACERTDIR configurable

A location was hardcoded. The location was wrong for many systems and prevented
actual TLS from working. Also, it should not be necessary with modern Pythons.

For some reason, instead of removing it, we now decide to expose it to the
user. Choice FTW!

3 files changed with 31 insertions and 9 deletions:

docs/setup.rst

kallithea/lib/auth_modules/auth_ldap.py

kallithea/tests/functional/test_admin_auth_settings.py

0 comments (0 inline, 0 general)

docs/setup.rst

➞

Show inline comments

@@ @@ -232,16 +232,14 @@ Connection Security : required @@
 .. _Certificate Checks:
 Certificate Checks : optional
     How SSL certificates verification is handled -- this is only useful when
     `Enable LDAPS`_ is enabled.  Only DEMAND or HARD offer full SSL security
     while the other options are susceptible to man-in-the-middle attacks.  SSL
     certificates can be installed to /etc/openldap/cacerts so that the
     DEMAND or HARD options can be used with self-signed certificates or
     certificates that do not have traceable certificates of authority.
     with mandatory certificate validation, while the other options are
     susceptible to man-in-the-middle attacks.
     NEVER
         A serve certificate will never be requested or checked.
     ALLOW
         A server certificate is requested.  Failure to provide a
@@ @@ -257,12 +255,22 @@ Certificate Checks : optional @@
         A server certificate is requested and must be provided and
         authenticated for the session to proceed.
     HARD
         The same as DEMAND.
 .. _Custom CA Certificates:
 Custom CA Certificates : optional
     Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
     Python 2.7.10 and later default to using the system certificate store, and
     this should thus not be necessary when using certificates signed by a CA
     trusted by the system.
     It can be set to something like `/etc/openldap/cacerts` on older systems or
     if using self-signed certificates.
 .. _Base DN:
 Base DN : required
     The Distinguished Name (DN) where searches for users will be performed.
     Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

kallithea/lib/auth_modules/auth_ldap.py

➞

Show inline comments

@@ @@ -46,13 +46,13 @@ except ImportError: @@
     ldap = None
 class AuthLdap(object):
     def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                  tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
+                 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
                  ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
                  search_scope='SUBTREE', attr_login='uid'):
         if ldap is None:
             raise LdapImportError
         self.ldap_version = ldap_version
@@ @@ -64,12 +64,14 @@ class AuthLdap(object): @@
             port = port or 689
             ldap_server_type = ldap_server_type + 's'
         OPT_X_TLS_DEMAND = 2
         self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
                                    OPT_X_TLS_DEMAND)
         self.cacertdir = cacertdir
         # split server into list
         self.LDAP_SERVER_ADDRESS = server.split(',')
         self.LDAP_SERVER_PORT = port
         # USE FOR READ ONLY BIND TO LDAP SERVER
         self.LDAP_BIND_DN = safe_str(bind_dn)
@@ @@ -104,15 +106,17 @@ class AuthLdap(object): @@
             log.debug("Attempt to authenticate LDAP user "
                       "with blank password rejected.")
             raise LdapPasswordError()
         if "," in username:
             raise LdapUsernameError("invalid character in username: ,")
         try:
             if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
                 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR,
                                 '/etc/openldap/cacerts')
             if self.cacertdir:
                 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
                     ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
                 else:
                     log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
             ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
             ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
             ldap.set_option(ldap.OPT_TIMEOUT, 20)
             ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
             ldap.set_option(ldap.OPT_TIMELIMIT, 15)
             if self.TLS_KIND != 'PLAIN':
@@ @@ -165,13 +169,14 @@ class AuthLdap(object): @@
             raise LdapPasswordError()
         except ldap.NO_SUCH_OBJECT:
             log.debug("LDAP says no such user '%s' (%s)", uid, username)
             raise LdapUsernameError()
         except ldap.SERVER_DOWN:
             raise LdapConnectionError("LDAP can't access authentication server")
             # [0] might be {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}
             raise LdapConnectionError("LDAP can't connect to authentication server")
 class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):
     def __init__(self):
         self._logger = logging.getLogger(__name__)
         self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]
@@ @@ -228,12 +233,19 @@ class KallitheaAuthPlugin(auth_modules.K @@
                 "type": "select",
                 "values": self._tls_reqcert_values,
                 "description": "Require Cert over TLS?",
                 "formname": "Certificate Checks"
             },
+            {
                 "name": "cacertdir",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "string",
                 "description": "Optional: Custom CA certificate directory for validating LDAPS",
                 "formname": "Custom CA Certificates"
             },
+            {
                 "name": "base_dn",
                 "validator": self.validators.UnicodeString(strip=True),
                 "type": "string",
                 "description": "Base DN to search (e.g., dc=mydomain,dc=com)",
                 "formname": "Base DN"
             },
@@ @@ -311,12 +323,13 @@ class KallitheaAuthPlugin(auth_modules.K @@
             'base_dn': settings.get('base_dn', ''),
             'port': settings.get('port'),
             'bind_dn': settings.get('dn_user'),
             'bind_pass': settings.get('dn_pass'),
             'tls_kind': settings.get('tls_kind'),
             'tls_reqcert': settings.get('tls_reqcert'),
             'cacertdir': settings.get('cacertdir'),
             'ldap_filter': settings.get('filter'),
             'search_scope': settings.get('search_scope'),
             'attr_login': settings.get('attr_login'),
             'ldap_version': 3,
+        }

kallithea/tests/functional/test_admin_auth_settings.py

➞

Show inline comments

@@ @@ -27,12 +27,13 @@ class TestAuthSettingsController(TestCon @@
         params = self._enable_plugins('kallithea.lib.auth_modules.auth_internal,kallithea.lib.auth_modules.auth_ldap')
         params.update({'auth_ldap_host': u'dc.example.com',
                        'auth_ldap_port': '999',
                        'auth_ldap_tls_kind': 'PLAIN',
                        'auth_ldap_tls_reqcert': 'NEVER',
                        'auth_ldap_cacertdir': '',
                        'auth_ldap_dn_user': 'test_user',
                        'auth_ldap_dn_pass': 'test_pass',
                        'auth_ldap_base_dn': 'test_base_dn',
                        'auth_ldap_filter': 'test_filter',
                        'auth_ldap_search_scope': 'BASE',
                        'auth_ldap_attr_login': 'test_attr_login',

0 comments (0 inline, 0 general)