# coding: utf-8 # import json from collections import defaultdict from copy import deepcopy from django.conf import settings from django.core.cache import cache from django.utils.translation import gettext_lazy as _ from ldap3 import Server, Connection, SIMPLE from ldap3.core.exceptions import ( LDAPSocketOpenError, LDAPSocketReceiveError, LDAPSessionTerminatedByServerError, LDAPUserNameIsMandatoryError, LDAPPasswordIsMandatoryError, LDAPInvalidDnError, LDAPInvalidServerError, LDAPBindError, LDAPInvalidFilterError, LDAPExceptionError, LDAPConfigurationError, LDAPAttributeError, ) from authentication.backends.ldap import LDAPAuthorizationBackend, LDAPUser, \ LDAPHAAuthorizationBackend from common.const import LDAP_AD_ACCOUNT_DISABLE from common.db.utils import close_old_connections from common.utils import timeit, get_logger from common.utils.http import is_true from orgs.utils import tmp_to_org from settings.const import ImportStatus from users.models import User, UserGroup from users.utils import construct_user_email logger = get_logger(__file__) __all__ = [ 'LDAPConfig', 'LDAPServerUtil', 'LDAPCacheUtil', 'LDAPImportUtil', 'LDAPSyncUtil', 'LDAP_USE_CACHE_FLAGS', 'LDAPTestUtil', ] LDAP_USE_CACHE_FLAGS = [1, '1', 'true', 'True', True] class LDAPConfig(object): def __init__(self, config=None, category='ldap'): self.server_uri = None self.bind_dn = None self.password = None self.use_ssl = None self.search_ou = None self.search_filter = None self.attr_map = None self.auth_ldap = None self.category = category if isinstance(config, dict): self.load_from_config(config) else: self.load_from_settings() def load_from_config(self, config): self.server_uri = config.get('server_uri') self.bind_dn = config.get('bind_dn') self.password = config.get('password') self.use_ssl = config.get('use_ssl') self.search_ou = config.get('search_ou') self.search_filter = config.get('search_filter') self.attr_map = config.get('attr_map') self.auth_ldap = config.get('auth_ldap') def load_from_settings(self): prefix = 'AUTH_LDAP' if self.category == 'ldap' else 'AUTH_LDAP_HA' self.server_uri = getattr(settings, f"{prefix}_SERVER_URI") self.bind_dn = getattr(settings, f"{prefix}_BIND_DN") self.password = getattr(settings, f"{prefix}_BIND_PASSWORD") self.use_ssl = getattr(settings, f"{prefix}_START_TLS") self.search_ou = getattr(settings, f"{prefix}_SEARCH_OU") self.search_filter = getattr(settings, f"{prefix}_SEARCH_FILTER") self.attr_map = getattr(settings, f"{prefix}_USER_ATTR_MAP") self.auth_ldap = getattr(settings, prefix) class LDAPServerUtil(object): def __init__(self, config=None, category='ldap'): if isinstance(config, dict): self.config = LDAPConfig(config=config) elif isinstance(config, LDAPConfig): self.config = config else: self.config = LDAPConfig(category=category) self._conn = None self._paged_size = self.get_paged_size() self.search_users = None self.search_value = None @property def connection(self): if self._conn: return self._conn server = Server(self.config.server_uri, use_ssl=self.config.use_ssl) conn = Connection(server, self.config.bind_dn, self.config.password) conn.bind() self._conn = conn return self._conn @staticmethod def get_paged_size(): paged_size = settings.AUTH_LDAP_SEARCH_PAGED_SIZE if isinstance(paged_size, int): return paged_size return None def paged_cookie(self): if self._paged_size is None: return None try: cookie = self.connection.result['controls']['1.2.840.113556.1.4.319']['value']['cookie'] return cookie except Exception as e: logger.debug(e, exc_info=True) return None def get_search_filter_extra(self): extra = '' if self.search_users: mapping_username = self.config.attr_map.get('username') for user in self.search_users: extra += '({}={})'.format(mapping_username, user) return '(|{})'.format(extra) if self.search_value: for attr in self.config.attr_map.values(): extra += '({}={})'.format(attr, '*{}*'.format(self.search_value)) return '(|{})'.format(extra) return extra def get_search_filter(self): search_filter = self.config.search_filter % {'user': '*'} search_filter_extra = self.get_search_filter_extra() if search_filter_extra: search_filter = '(&{}{})'.format(search_filter, search_filter_extra) return search_filter def search_user_entries_ou(self, search_ou, paged_cookie=None): search_filter = self.get_search_filter() attributes = list(self.config.attr_map.values()) self.connection.search( search_base=search_ou, search_filter=search_filter, attributes=attributes, paged_size=self._paged_size, paged_cookie=paged_cookie ) @staticmethod def distinct_user_entries(user_entries): distinct_user_entries = list() distinct_user_entries_dn = set() for user_entry in user_entries: if user_entry.entry_dn in distinct_user_entries_dn: continue distinct_user_entries_dn.add(user_entry.entry_dn) distinct_user_entries.append(user_entry) return distinct_user_entries @timeit def search_user_entries(self, search_users=None, search_value=None): logger.info("Search user entries") self.search_users = search_users self.search_value = search_value user_entries = list() search_ous = str(self.config.search_ou).split('|') for search_ou in search_ous: search_ou = search_ou.strip() logger.info("Search user entries ou: {}".format(search_ou)) self.search_user_entries_ou(search_ou) user_entries.extend(self.connection.entries) while self.paged_cookie(): self.search_user_entries_ou(search_ou, self.paged_cookie()) user_entries.extend(self.connection.entries) user_entries = self.distinct_user_entries(user_entries) return user_entries def user_entry_to_dict(self, entry): user = {} attr_map = self.config.attr_map.items() for attr, mapping in attr_map: if not hasattr(entry, mapping): continue value = getattr(entry, mapping).value or '' if attr == 'is_active': if mapping.lower() == 'useraccountcontrol' and value: value = int(value) & LDAP_AD_ACCOUNT_DISABLE != LDAP_AD_ACCOUNT_DISABLE else: value = is_true(value) if attr == 'groups' and mapping.lower() == 'memberof': # AD: {'groups': 'memberOf'} if isinstance(value, str) and value: value = [value] if not isinstance(value, list): value = [] user[attr] = value.strip() if isinstance(value, str) else value user['status'] = ImportStatus.pending return user def user_entries_to_dict(self, user_entries): users = [] for user_entry in user_entries: user = self.user_entry_to_dict(user_entry) users.append(user) return users def search_for_user_dn(self, username): user_entries = self.search_user_entries(search_users=[username]) if len(user_entries) == 1: user_entry = user_entries[0] user_dn = user_entry.entry_dn else: user_dn = None return user_dn @timeit def search(self, search_users=None, search_value=None): logger.info("Search ldap users") user_entries = self.search_user_entries( search_users=search_users, search_value=search_value ) users = self.user_entries_to_dict(user_entries) return users class LDAPCacheUtil(object): def __init__(self, category='ldap'): self.search_users = None self.search_value = None self.category = category if self.category == 'ldap': self.cache_key_users = 'CACHE_KEY_LDAP_USERS' else: self.cache_key_users = 'CACHE_KEY_LDAP_HA_USERS' def set_users(self, users): logger.info('Set ldap users to cache, count: {}'.format(len(users))) cache.set(self.cache_key_users, users, None) def get_users(self): users = cache.get(self.cache_key_users) count = users if users is None else len(users) logger.info('Get ldap users from cache, count: {}'.format(count)) return users def delete_users(self): logger.info('Delete ldap users from cache') cache.delete(self.cache_key_users) def filter_users(self, users): if users is None: return users if self.search_users: filter_users = [ user for user in users if user['username'] in self.search_users ] elif self.search_value: filter_users = [] for u in users: search_value = self.search_value.lower() user_all_attr_value = [v for v in u.values() if isinstance(v, str)] if search_value not in ','.join(user_all_attr_value).lower(): continue filter_users.append(u) else: filter_users = users return filter_users def search(self, search_users=None, search_value=None): self.search_users = search_users self.search_value = search_value users = self.get_users() users = self.filter_users(users) return users class LDAPSyncUtil(object): class LDAPSyncUtilException(Exception): pass CACHE_KEY_LDAP_USERS_SYNC_TASK_ERROR_MSG = 'CACHE_KEY_LDAP_USERS_SYNC_TASK_ERROR_MSG' CACHE_KEY_LDAP_USERS_SYNC_TASK_STATUS = 'CACHE_KEY_LDAP_USERS_SYNC_TASK_STATUS' TASK_STATUS_IS_RUNNING = 'RUNNING' TASK_STATUS_IS_OVER = 'OVER' def __init__(self, category='ldap'): self.server_util = LDAPServerUtil(category=category) self.cache_util = LDAPCacheUtil(category=category) self.task_error_msg = None self.category = category def clear_cache(self): logger.info('Clear ldap sync cache') self.delete_task_status() self.delete_task_error_msg() self.cache_util.delete_users() @property def task_no_start(self): status = self.get_task_status() return status is None @property def task_is_running(self): status = self.get_task_status() return status == self.TASK_STATUS_IS_RUNNING @property def task_is_over(self): status = self.get_task_status() return status == self.TASK_STATUS_IS_OVER def set_task_status(self, status): logger.info('Set task status: {}'.format(status)) cache.set(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_STATUS, status, None) def get_task_status(self): status = cache.get(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_STATUS) logger.info('Get task status: {}'.format(status)) return status def delete_task_status(self): logger.info('Delete task status') cache.delete(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_STATUS) def set_task_error_msg(self, error_msg): logger.info('Set task error msg') cache.set(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_ERROR_MSG, error_msg, None) def get_task_error_msg(self): logger.info('Get task error msg') error_msg = cache.get(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_ERROR_MSG, '') return error_msg def delete_task_error_msg(self): logger.info('Delete task error msg') cache.delete(self.CACHE_KEY_LDAP_USERS_SYNC_TASK_ERROR_MSG) def sync(self): users = self.server_util.search() self.cache_util.set_users(users) def perform_sync(self): logger.info('Start perform sync ldap users from server to cache') try: ok, msg = LDAPTestUtil(category=self.category).test_config() if not ok: raise self.LDAPSyncUtilException(msg) self.sync() except Exception as e: error_msg = str(e) logger.error(error_msg) self.set_task_error_msg(error_msg) finally: logger.info('End perform sync ldap users from server to cache') close_old_connections() class LDAPImportUtil(object): user_group_name_prefix = 'AD ' def __init__(self): pass @staticmethod def get_user_email(user): username = user['username'] email = user['email'] email = construct_user_email(username, email) return email def update_or_create(self, user): user['email'] = self.get_user_email(user) if user['username'] not in ['admin']: user['source'] = User.Source.ldap.value user.pop('status', None) obj, created = User.objects.update_or_create( username=user['username'], defaults=user ) return obj, created def get_user_group_names(self, groups) -> list: if not isinstance(groups, list): logger.error('Groups type not list') return [] group_names = [] for group in groups: if not group: continue if not isinstance(group, str): continue # get group name for AD, Such as: CN=Users,CN=Builtin,DC=jms,DC=com group_name = group.split(',')[0].split('=')[-1] group_name = f'{self.user_group_name_prefix}{group_name}'.strip() group_names.append(group_name) return group_names def perform_import(self, users, orgs): logger.info('Start perform import ldap users, count: {}'.format(len(users))) errors = [] objs = [] new_users = [] group_users_mapper = defaultdict(set) for user in users: groups = user.pop('groups', []) try: obj, created = self.update_or_create(user) if created: new_users.append(obj) objs.append(obj) except Exception as e: errors.append({user['username']: str(e)}) logger.error(e) continue try: group_names = self.get_user_group_names(groups) for group_name in group_names: group_users_mapper[group_name].add(obj) except Exception as e: errors.append({user['username']: str(e)}) logger.error(e) continue for org in orgs: self.bind_org(org, objs, group_users_mapper) logger.info('End perform import ldap users') return new_users, errors def exit_user_group(self, user_groups_mapper): # 通过对比查询本次导入用户需要移除的用户组 group_remove_users_mapper = defaultdict(set) for user, current_groups in user_groups_mapper.items(): old_groups = set(user.groups.filter(name__startswith=self.user_group_name_prefix)) exit_groups = old_groups - current_groups logger.debug(f'Ldap user {user} exits user groups {exit_groups}') for g in exit_groups: group_remove_users_mapper[g].add(user) # 根据用户组统一移除用户 for g, rm_users in group_remove_users_mapper.items(): g.users.remove(*rm_users) def bind_org(self, org, users, group_users_mapper): if not org: return if org.is_root(): return # add user to org for user in users: org.add_member(user) # add user to group with tmp_to_org(org): user_groups_mapper = defaultdict(set) for group_name, users in group_users_mapper.items(): group, created = UserGroup.objects.get_or_create( name=group_name, defaults={'name': group_name} ) for user in users: user_groups_mapper[user].add(group) group.users.add(*users) self.exit_user_group(user_groups_mapper) class LDAPTestUtil(object): class LDAPInvalidSearchOuOrFilterError(LDAPExceptionError): pass class LDAPInvalidAttributeMapError(LDAPExceptionError): pass class LDAPNotEnabledAuthError(LDAPExceptionError): pass class LDAPBeforeLoginCheckError(LDAPExceptionError): pass def __init__(self, config=None, category='ldap'): self.config = LDAPConfig(config, category) self.user_entries = [] if category == 'ldap': self.backend = LDAPAuthorizationBackend() else: self.backend = LDAPHAAuthorizationBackend() def _test_connection_bind(self, authentication=None, user=None, password=None): server = Server(self.config.server_uri) connection = Connection( server, user=user, password=password, authentication=authentication ) ret = connection.bind() return ret # test server uri def _check_server_uri(self): if not any([self.config.server_uri.startswith('ldap://') or self.config.server_uri.startswith('ldaps://')]): err = _('ldap:// or ldaps:// protocol is used.') raise LDAPInvalidServerError(err) def _test_server_uri(self): self._test_connection_bind() def test_server_uri(self): try: self._check_server_uri() self._test_server_uri() except LDAPSocketOpenError as e: error = _("Host or port is disconnected: {}").format(e) except LDAPSessionTerminatedByServerError as e: error = _('The port is not the port of the LDAP service: {}').format(e) except LDAPSocketReceiveError as e: error = _('Please add certificate: {}').format(e) except LDAPInvalidServerError as e: error = str(e) except Exception as e: error = _('Unknown error: {}').format(e) else: return raise LDAPInvalidServerError(error) # test bind dn def _test_bind_dn(self): user = self.config.bind_dn password = self.config.password ret = self._test_connection_bind( authentication=SIMPLE, user=user, password=password ) if not ret: msg = _('Bind DN or Password incorrect') raise LDAPInvalidDnError(msg) def test_bind_dn(self): try: self._test_bind_dn() except LDAPUserNameIsMandatoryError as e: error = _('Please enter Bind DN: {}').format(e) except LDAPPasswordIsMandatoryError as e: error = _('Please enter Password: {}').format(e) except LDAPInvalidDnError as e: error = _('Please enter correct Bind DN and Password: {}').format(e) except Exception as e: error = _('Unknown error: {}').format(e) else: return raise LDAPBindError(error) # test search ou def _test_search_ou_and_filter(self): config = deepcopy(self.config) util = LDAPServerUtil(config=config) search_ous = str(self.config.search_ou).split('|') for search_ou in search_ous: util.config.search_ou = search_ou user_entries = util.search_user_entries() logger.debug('Search ou: {}, count user: {}'.format(search_ou, len(user_entries))) if len(user_entries) == 0: error = _('Invalid User OU or User search filter: {}').format(search_ou) raise self.LDAPInvalidSearchOuOrFilterError(error) def test_search_ou_and_filter(self): try: self._test_search_ou_and_filter() except LDAPInvalidFilterError as e: error = e except self.LDAPInvalidSearchOuOrFilterError as e: error = e except LDAPAttributeError as e: error = e raise self.LDAPInvalidAttributeMapError(error) except Exception as e: error = _('Unknown error: {}').format(e) else: return raise self.LDAPInvalidSearchOuOrFilterError(error) # test attr map def _test_attr_map(self): attr_map = self.config.attr_map if not isinstance(attr_map, dict): attr_map = json.loads(attr_map) self.config.attr_map = attr_map should_contain_attr = {'username', 'name', 'email'} actually_contain_attr = set(attr_map.keys()) result = should_contain_attr - actually_contain_attr if len(result) != 0: error = _('LDAP User attr map not include: {}').format(result) raise self.LDAPInvalidAttributeMapError(error) def test_attr_map(self): try: self._test_attr_map() except json.JSONDecodeError: error = _('LDAP User attr map is not dict') except self.LDAPInvalidAttributeMapError as e: error = e except Exception as e: error = _('Unknown error: {}').format(e) else: return raise self.LDAPInvalidAttributeMapError(error) # test search def test_search(self): util = LDAPServerUtil(config=self.config) self.user_entries = util.search_user_entries() # test auth ldap enabled def test_enabled_auth_ldap(self): if not self.config.auth_ldap: error = _('LDAP authentication is not enabled') raise self.LDAPNotEnabledAuthError(error) # test config def _test_config(self): self.test_server_uri() self.test_bind_dn() self.test_attr_map() self.test_search_ou_and_filter() self.test_search() self.test_enabled_auth_ldap() def test_config(self): status = False try: self._test_config() except LDAPInvalidServerError as e: msg = _('Error (Invalid LDAP server): {}').format(e) except LDAPBindError as e: msg = _('Error (Invalid Bind DN): {}').format(e) except self.LDAPInvalidAttributeMapError as e: msg = _('Error (Invalid LDAP User attr map): {}').format(e) except self.LDAPInvalidSearchOuOrFilterError as e: msg = _('Error (Invalid User OU or User search filter): {}').format(e) except self.LDAPNotEnabledAuthError as e: msg = _('Error (Not enabled LDAP authentication): {}').format(e) except Exception as e: msg = _('Error (Unknown): {}').format(e) else: status = True msg = _('Succeed: Match {} users').format(len(self.user_entries)) if not status: logger.error(msg, exc_info=True) return status, msg # test login def _test_before_login_check(self, username, password): from settings.ws import CACHE_KEY_LDAP_TEST_CONFIG_TASK_STATUS, TASK_STATUS_IS_OVER if not cache.get(CACHE_KEY_LDAP_TEST_CONFIG_TASK_STATUS): self.test_config() ok, msg = self.backend.pre_check(username, password) if not ok: raise self.LDAPBeforeLoginCheckError(msg) def _test_login_auth(self, username, password): ldap_user = LDAPUser(self.backend, username=username.strip()) ldap_user._authenticate_user_dn(password) def _test_login(self, username, password): self._test_before_login_check(username, password) self._test_login_auth(username, password) def test_login(self, username, password): status = False try: self._test_login(username, password) except LDAPConfigurationError as e: msg = _('Authentication failed (configuration incorrect): {}').format(e) except self.LDAPBeforeLoginCheckError as e: msg = _('Authentication failed (before login check failed): {}').format(e) except LDAPUser.AuthenticationFailed as e: msg = _('Authentication failed (username or password incorrect): {}').format(e) except Exception as e: msg = _("Authentication failed (Unknown): {}").format(e) else: status = True msg = _("Authentication success: {}").format(username) if not status: logger.error(msg, exc_info=True) return status, msg