authorB. Stack <bgstack15@gmail.com>2021-06-25 11:16:43 -0400
committerB. Stack <bgstack15@gmail.com>2021-06-25 11:18:19 -0400
commit8c6a9cbcf966c8d6d38f65cd3dc8095543ad9270 (patch)
tree16b5a08975939ef3abfd4aaf67b8dd85f9251183 /session_app.py.publish
parentenable ldap user resolution and display shortnames (diff)
now store user groups in session, for display
Diffstat (limited to 'session_app.py.publish')
-rwxr-xr-xsession_app.py.publish64
1 files changed, 46 insertions, 18 deletions
diff --git a/session_app.py.publish b/session_app.py.publish
index ac37e17..18bf5f1 100755
--- a/session_app.py.publish
+++ b/session_app.py.publish
@@ -97,16 +97,34 @@ def requires_authn_kerberos(function):
# if ldap config options are set, then do kerberos -> short username resolution
user = ctx.kerberos_user
if 'LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB' in app.config:
- user = session_ldap.get_ldap_attrib_from_krbPrincipalName(
+ conn = session_ldap.get_ldap_connection(
server_uri=get_next_ldap_server(app),
bind_dn=app.config['LDAP_BIND_DN'],
bind_pw=app.config['LDAP_BIND_PASSWORD'],
+ )
+ this_user = session_ldap.get_ldap_attrib_from_krbPrincipalName(
+ connection = conn,
search_base=app.config['LDAP_USER_BASE'],
- user_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB'],
+ user_attrib="dn",
user_krbPrincipalName=user,
krbPrincipalName_attrib=app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB']
)
- response = function(user, *args, **kwargs)
+ #print(f"DEBUG: krb user {user} is ldap dn {this_user}")
+ shortuser = session_ldap.get_ldap_username_attrib_from_dn(
+ authenticated_user=conn,
+ user_dn=this_user,
+ user_match_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB']
+ )
+ #print(f"DEBUG: shortuser {shortuser}")
+ groups = session_ldap.get_ldap_user_groups(
+ connection=conn,
+ user_dn=this_user,
+ user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
+ group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_base=app.config['LDAP_GROUP_BASE']
+ )
+ #print(f"DEBUG: groups {groups}")
+ response = function(shortuser, groups, *args, **kwargs)
response = make_response(response)
if ctx.kerberos_token is not None:
response.headers['WWW-Authenticate'] = ' '.join(['negotiate', ctx.kerberos_token])
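Review bot: When `LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB` is not in `app.config`, the new call `response = function(shortuser, groups, *args, **kwargs)` raises NameError, because `shortuser` and `groups` are only assigned inside the `if` block and the old call used `user`, which was always bound; initialise them before the branch with `shortuser = user` and `groups = []`. The LDAP path later in this file refuses the request when the directory lookup does not return exactly one user, but here `this_user` is fed straight into the dn-based shortname and group lookups with no check that a dn was found, so a principal with no LDAP entry should be sent to the unauthorized handler instead of continuing with an empty `this_user`. The connection obtained from `get_ldap_connection` is also never unbound on this path, so each request leaks a bound connection; wrapping the three lookups in `try/finally` and unbinding `conn` would fix that. requires_authn_kerberos starts before this hunk and its body continues after it.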
@@ -131,7 +149,7 @@ def requires_authn_ldap(function):
# formdata is in session if we are coming from login_basic()
form = session.get('formdata', None)
if form:
- print(f"DEBUG: requires_authn_ldap form={form}")
+ #print(f"DEBUG: requires_authn_ldap form={form}")
session.pop('formdata')
if 'username' in form:
username = form['username']
@@ -156,7 +174,7 @@ def requires_authn_ldap(function):
)
# list_matching_users always returns list, so if it contains <> 1 we are in trouble
if len(this_user) != 1:
- print(f"WARNING: cannot determine unique user for {app.config['LDAP_USER_MATCH_ATTRIB']}={username} which returned {tihs_user}")
+ print(f"WARNING: cannot determine unique user for {app.config['LDAP_USER_MATCH_ATTRIB']}={username} which returned {this_user}")
return _unauthorized_ldap()
this_user = this_user[0]
print(f"DEBUG: requires_authn_ldap: found in ldap the username {this_user}")
@@ -166,7 +184,15 @@ def requires_authn_ldap(function):
authenticated_user=ll,
user_match_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB']
)
- return function(shortuser,*args, **kwargs)
+ groups = session_ldap.get_ldap_user_groups(
+ connection=ll,
+ user_dn=this_user,
+ user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
+ group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_base=app.config['LDAP_GROUP_BASE']
+ )
+ print(f"DEBUG: user {shortuser} has groups {groups}")
+ return function(shortuser, groups ,*args, **kwargs)
else:
return _unauthorized_ldap()
return decorated
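Review bot: The added `print(f"DEBUG: user {shortuser} has groups {groups}")` writes every authenticated user's group membership to stdout on each login, whereas the parallel kerberos branch in this same commit leaves its equivalent prints commented out; comment it out as well, or route it through `logging.debug` so it can be silenced in production. Group membership is directory data that should not land in request logs by default. Minor style point: `function(shortuser, groups ,*args, **kwargs)` has a stray space before the comma. requires_authn_ldap starts before this hunk.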
@@ -193,9 +219,10 @@ def protected_page():
def protected_page_real():
s_user = session['user']
c_user = request.cookies.get('user')
+ groups = session['groups']
cookie=request.cookies
print(cookie)
- return render_template('view.html', c_user = c_user, s_user=s_user, cookie=cookie)
+ return render_template('view.html', c_user = c_user, s_user=s_user, cookie=cookie, groups=groups)
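Review bot: `groups = session['groups']` raises KeyError for any session established before this change, or by any login path that does not go through the updated `login_generic`, since the key is only written from this commit on; read it defensively as `groups = session.get('groups', [])`, matching the `.get` already used for the cookie lookup on the line above. The `print(cookie)` two lines below is pre-existing, but it dumps the full request cookie jar, including the session cookie, to stdout on every view of the protected page; it looks like leftover debugging and is worth removing along with the other prints this commit comments out. The route decorators for protected_page_real are above this hunk.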
@app.route("/login/new")
@app.route("/login/new/")
@@ -257,11 +284,20 @@ def ldap_login(username,password):
@app.route("/login/kerberos")
@app.route("/login/kerberos/")
@requires_authn_kerberos
-def login_kerberos(user):
+def login_kerberos(user,groups=[]):
resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with kerberos')
#resp.headers['login'] = "from-kerberos"
resp.set_cookie('type',"kerberos")
- resp = login_generic(session,resp,user,None)
+ resp = login_generic(session,resp,user,groups)
+ return resp
+
+@app.route("/login/ldap", methods=['POST','GET'])
+@app.route("/login/ldap/", methods=['POST','GET'])
+@requires_authn_ldap
+def login_ldap(user,groups=[]):
+ resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with ldap')
+ resp.set_cookie('type',"ldap")
+ resp = login_generic(session,resp,user,groups)
return resp
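Review bot: `def login_kerberos(user,groups=[]):` and `def login_ldap(user,groups=[]):` use a mutable list as a default argument; the single shared list object would be handed to `login_generic` and stored in the session by every call that omits the argument. The decorators always pass `groups` positionally, so the default is currently unreachable, but `groups=None` with `groups = groups or []` in the body is the safe form and removes the hazard if either view is ever called directly. Both views are fully inside this hunk; `login_generic`'s body continues below it.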
def login_generic(session,resp,user,groups=[]):
@@ -272,15 +308,7 @@ def login_generic(session,resp,user,groups=[]):
session.permanent = True
session['user']=user
session['end_time'] = end_time_str
- return resp
-
-@app.route("/login/ldap", methods=['POST','GET'])
-@app.route("/login/ldap/", methods=['POST','GET'])
-@requires_authn_ldap
-def login_ldap(user,groups=[]):
- resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with ldap')
- resp.set_cookie('type',"ldap")
- resp = login_generic(session,resp,user,groups)
+ session['groups'] = groups
return resp
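Review bot: `session['groups'] = groups` stores whatever object the caller passed, so a caller that hits the `groups=[]` default in `login_generic`'s signature (visible in the hunk header) places the shared default list itself in the session; normalise with `session['groups'] = list(groups or [])`. The group list is snapshotted at login and the commit message says it is for display only; if it is ever consulted for authorization, be aware it will not reflect directory changes until the session's `end_time` expires and the user re-authenticates, and that with Flask's default cookie-backed session the user can read (though not alter) the signed payload. login_generic starts before this hunk.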
@app.route("/login/form", methods=['POST','GET'])