[sagenb] 34/179: some code refactoring
felix salfelder
felix-guest at moszumanska.debian.org
Tue May 6 12:05:07 UTC 2014
This is an automated email from the git hooks/post-receive script.
felix-guest pushed a commit to branch master
in repository sagenb.
commit 356103bd48804e85a9c5b2f584be40066a4f88ec
Author: Robin Martinjak <rob at rmartinjak.de>
Date: Fri Nov 2 14:02:50 2012 +0100
some code refactoring
---
sagenb/notebook/auth.py | 127 ++++++++++++++++++++++++++----------------------
1 file changed, 70 insertions(+), 57 deletions(-)
diff --git a/sagenb/notebook/auth.py b/sagenb/notebook/auth.py
index 03550c1..f6fff51 100644
--- a/sagenb/notebook/auth.py
+++ b/sagenb/notebook/auth.py
@@ -24,17 +24,17 @@ class LdapAuth(AuthMethod):
"""
Authentication via LDAP
- User authentication:
- 1a. bind to LDAP with either
+ User authentication basically works like this:
+ 1.1) bind to LDAP with either
- generic configured DN and password (simple bind)
- GSSAPI (e.g. Kerberos)
- 1b. find the ldap object matching username.
- (return None if more than 1 object is found)
- 2. if 1 succeeds, try simple bind with the supplied user DN and password
+ 1.2) find the ldap object matching username.
+
+ 2) if 1 succeeds, try simple bind with the supplied user DN and password
User lookup:
- wildcard-search all configured "user lookup attributes" for
- the given search string
+ wildcard-search all configured "user lookup attributes" for the given
+ search string
"""
def _require_ldap(retval):
@@ -67,90 +67,103 @@ class LdapAuth(AuthMethod):
import ldap
from ldap.sasl import gssapi
conn = ldap.initialize(self._conf['ldap_uri'])
+
+ if self._conf['ldap_gssapi']:
+ token = gssapi()
+ conn.sasl_interactive_bind_s('', token)
+ else:
+ conn.simple_bind_s(self._conf['ldap_binddn'], self._conf['ldap_bindpw'])
+
try:
- if self._conf['ldap_gssapi']:
- token = gssapi()
- conn.sasl_interactive_bind_s("", token)
- else:
- conn.simple_bind_s(self._conf['ldap_binddn'], self._conf['ldap_bindpw'])
-
- result = conn.search_ext_s(self._conf['ldap_basedn'],
- ldap.SCOPE_SUBTREE,
- filterstr=query,
- attrlist=attrlist,
- timeout=self._conf['ldap_timeout'],
- sizelimit=self._conf['ldap_sizelimit'])
- except ldap.INVALID_CREDENTIALS:
- raise ValueError, "invalid LDAP credentials"
- except ldap.LDAPError, e:
- raise ValueError, e
+ result = conn.search_ext_s(
+ self._conf['ldap_basedn'],
+ ldap.SCOPE_SUBTREE,
+ filterstr=query,
+ attrlist=attrlist,
+ timeout=self._conf['ldap_timeout'],
+ sizelimit=self._conf['ldap_sizelimit']
+ )
+ except LDAPError, e:
+ print 'LDAP Error: %s' % str(e)
+ return []
finally:
conn.unbind_s()
+
return result
def _get_ldapuser(self, username, attrlist=None):
+ """
+ Returns a tuple containing the DN and a dict of attributes of the given
+ username, or (None, None) if the username is not found
+ """
from ldap.filter import filter_format
- try:
- result = self._ldap_search(filter_format("(%s=%s)", [self._conf['ldap_username_attrib'], username]), attrlist)
- except ValueError, e:
- print(e)
- return None
- # return None if more than 1 object found
- return result[0] if len(result) == 1 else None
+
+ result = self._ldap_search(filter_format('(%s=%s)', [self._conf['ldap_username_attrib'], username]), attrlist)
+
+ # only allow one unique result
+ # (len(result) will probably always be 0 or 1)
+ return result[0] if len(result) == 1 else (None, None)
@_require_ldap(None)
def user_lookup(self, search):
from ldap.filter import filter_format
- from ldap import LDAPError
+
+ uname_attrib = self._conf['ldap_username_attrib']
+ lookup_attribs = self._conf['ldap_lookup_attribs']
# build ldap OR query
- q = "(|%s)" % ''.join([filter_format("(%s=*%s*)", [a, search]) for a in self._conf['ldap_lookup_attribs']])
+ query = '(|%s)' % ''.join(filter_format('(%s=*%s*)', [a, search]) for a in lookup_attribs)
+
+ result = self._ldap_search(query, attrlist=[str(uname_attrib)])
- try:
- r = self._ldap_search(q, attrlist=[str(self._conf['ldap_username_attrib'])])
- except ValueError, e:
- print(e)
- return []
- except:
- return []
# return a list of usernames
- return [x[1][self._conf['ldap_username_attrib']][0].lower() for x in r if x[1].has_key(self._conf['ldap_username_attrib'])]
+ unames = []
+ for dn, attribs in result:
+ uname_list = attribs.get(uname_attrib, None)
+ if uname_list:
+ # use only the first item of the attribute list
+ unames.append(uname_list[0])
+ return unames
@_require_ldap(False)
def check_user(self, username):
# LDAP is NOT case sensitive while sage is, so only lowercase names are allowed
if username != username.lower():
return False
- return self._get_ldapuser(username) is not None
+ dn, attribs = self._get_ldapuser(username)
+ return dn is not None
@_require_ldap(False)
def check_password(self, username, password):
import ldap
- # retrieve username's DN
- try:
- u = self._get_ldapuser(username)
- #u[0] is DN, u[1] is a dict with all other attributes
- userdn = u[0]
- except ValueError:
+
+ dn, attribs = self._get_ldapuser(username)
+ if not dn:
return False
- # try to bind with that DN
+ # try to bind with found DN
conn = ldap.initialize(uri=self._conf['ldap_uri'])
try:
- conn.simple_bind_s(userdn, password)
+ conn.simple_bind_s(dn, password)
return True
except ldap.INVALID_CREDENTIALS:
return False
+ except ldap.LDAPError, e:
+ print 'LDAP Error: %s' % str(e)
+ return False
finally:
conn.unbind_s()
@_require_ldap('')
def get_attrib(self, username, attrib):
- # translate some common attribute names to their ldap equivalents, i.e. "email" is "mail
- attrib = 'mail' if attrib == 'email' else attrib
-
- u = self._get_ldapuser(username)
- if u is not None:
- a = u[1][attrib][0] #if u[1].has_key(attrib) else ''
- return a
- return ''
+ # 'translate' attribute names used in ExtAuthUserManager to their ldap equivalents
+ # "email" is "mail"
+ if attrib == 'email'
+ attrib = 'mail'
+
+ dn, attribs = self._get_ldapuser(username, [attrib])
+ if not attribs:
+ return ''
+
+ # return the first item or '' if the attribute is missing
+ return attribs.get(attrib, [''])[0]
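Review bot: `if attrib == 'email'` in get_attrib is missing its trailing colon, so auth.py will not compile as committed; it should read `if attrib == 'email':`. In _ldap_search (its signature lies above this hunk) the handler is now `except LDAPError, e:`, yet the only imports visible in that function are `import ldap` and `from ldap.sasl import gssapi`, and this commit removes `from ldap import LDAPError` from user_lookup. Unless the name is imported at module level, which is not visible here, the handler itself raises NameError; `except ldap.LDAPError, e:` would match what check_password does. The service-account bind has also moved ahead of the `try`, so a failed bind is no longer caught, skips `conn.unbind_s()`, and propagates out of check_user, check_password and user_lookup instead of yielding an empty result. Separately, check_password hands `password` to `simple_bind_s` unchecked, and some LDAP servers accept a simple bind with a valid DN and an empty password as an unauthenticated bind, so a guard such as `if not dn or not password: return False` is worth adding before the bind.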
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-science/packages/sagenb.git