author | B. Stack <bgstack15@gmail.com> | 2021-06-25 11:16:43 -0400 |
---|---|---|
committer | B. Stack <bgstack15@gmail.com> | 2021-06-25 11:18:19 -0400 |
commit | 8c6a9cbcf966c8d6d38f65cd3dc8095543ad9270 (patch) | |
tree | 16b5a08975939ef3abfd4aaf67b8dd85f9251183 /session_app.py.publish | |
parent | enable ldap user resolution and display shortnames (diff) | |
now store user groups in session, for display
Diffstat (limited to 'session_app.py.publish')
-rwxr-xr-x | session_app.py.publish | 64 |
1 files changed, 46 insertions, 18 deletions
diff --git a/session_app.py.publish b/session_app.py.publish
index ac37e17..18bf5f1 100755
--- a/session_app.py.publish
+++ b/session_app.py.publish
@@ -97,16 +97,34 @@ def requires_authn_kerberos(function):
 # if ldap config options are set, then do kerberos -> short username resolution
 user = ctx.kerberos_user
 if 'LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB' in app.config:
- user = session_ldap.get_ldap_attrib_from_krbPrincipalName(
+ conn = session_ldap.get_ldap_connection(
 server_uri=get_next_ldap_server(app),
 bind_dn=app.config['LDAP_BIND_DN'],
 bind_pw=app.config['LDAP_BIND_PASSWORD'],
+ )
+ this_user = session_ldap.get_ldap_attrib_from_krbPrincipalName(
+ connection = conn,
 search_base=app.config['LDAP_USER_BASE'],
- user_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB'],
+ user_attrib="dn",
 user_krbPrincipalName=user,
 krbPrincipalName_attrib=app.config['LDAP_USER_KERBEROS_PRINCIPAL_ATTRIB']
 )
- response = function(user, *args, **kwargs)
+ #print(f"DEBUG: krb user {user} is ldap dn {this_user}")
+ shortuser = session_ldap.get_ldap_username_attrib_from_dn(
+ authenticated_user=conn,
+ user_dn=this_user,
+ user_match_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB']
+ )
+ #print(f"DEBUG: shortuser {shortuser}")
+ groups = session_ldap.get_ldap_user_groups(
+ connection=conn,
+ user_dn=this_user,
+ user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
+ group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_base=app.config['LDAP_GROUP_BASE']
+ )
+ #print(f"DEBUG: groups {groups}")
+ response = function(shortuser, groups, *args, **kwargs)
 response = make_response(response)
 if ctx.kerberos_token is not None:
 response.headers['WWW-Authenticate'] = ' '.join(['negotiate', ctx.kerberos_token])
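Review bot: `this_user`, the DN returned by `get_ldap_attrib_from_krbPrincipalName`, is passed straight into the shortuser and group lookups and then into `function(shortuser, groups, ...)` with no check that the principal actually resolved, while `requires_authn_ldap` rejects anything but exactly one match; add `if not this_user:` right after that call and return the decorator's unauthorized response (defined outside this hunk) so an unresolvable principal cannot proceed with an empty user and group list. What the helper returns on no match (None, empty list) is not visible here, so confirm the guard against its contract. `conn` from `get_ldap_connection` is not released anywhere in the hunk; if it is a bound connection, unbind it in a `finally` before the response is returned. The three `#print(...)` lines are commented-out code that still name the user DN and group list; remove them or switch to `app.logger.debug`, and the same applies to the live `print(f"DEBUG: user {shortuser} has groups {groups}")` in the -166 hunk. The decorated function begins before this hunk and continues after it.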
@@ -131,7 +149,7 @@ def requires_authn_ldap(function):
 # formdata is in session if we are coming from login_basic()
 form = session.get('formdata', None)
 if form:
- print(f"DEBUG: requires_authn_ldap form={form}")
+ #print(f"DEBUG: requires_authn_ldap form={form}")
 session.pop('formdata')
 if 'username' in form:
 username = form['username']
@@ -156,7 +174,7 @@ def requires_authn_ldap(function):
 )
 # list_matching_users always returns list, so if it contains <> 1 we are in trouble
 if len(this_user) != 1:
- print(f"WARNING: cannot determine unique user for {app.config['LDAP_USER_MATCH_ATTRIB']}={username} which returned {tihs_user}")
+ print(f"WARNING: cannot determine unique user for {app.config['LDAP_USER_MATCH_ATTRIB']}={username} which returned {this_user}")
 return _unauthorized_ldap()
 this_user = this_user[0]
 print(f"DEBUG: requires_authn_ldap: found in ldap the username {this_user}")
@@ -166,7 +184,15 @@ def requires_authn_ldap(function):
 authenticated_user=ll,
 user_match_attrib=app.config['LDAP_USER_DISPLAY_ATTRIB']
 )
- return function(shortuser,*args, **kwargs)
+ groups = session_ldap.get_ldap_user_groups(
+ connection=ll,
+ user_dn=this_user,
+ user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
+ group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
+ group_base=app.config['LDAP_GROUP_BASE']
+ )
+ print(f"DEBUG: user {shortuser} has groups {groups}")
+ return function(shortuser, groups ,*args, **kwargs)
 else:
 return _unauthorized_ldap()
 return decorated
@@ -193,9 +219,10 @@ def protected_page():
 def protected_page_real():
 s_user = session['user']
 c_user = request.cookies.get('user')
+ groups = session['groups']
 cookie=request.cookies
 print(cookie)
- return render_template('view.html', c_user = c_user, s_user=s_user, cookie=cookie)
+ return render_template('view.html', c_user = c_user, s_user=s_user, cookie=cookie, groups=groups)
 @app.route("/login/new")
 @app.route("/login/new/")
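Review bot: The group-resolution call added before `return function(shortuser, groups ,*args, **kwargs)` in the -166 hunk is a verbatim copy of the one in the -97 hunk, differing only in the connection variable, so the five config keys are now maintained in two places; extract it into one helper both decorators call, as sketched below. Both decorators now pass `groups` as a second positional argument, so every view wrapped by `@requires_authn_ldap` or `@requires_authn_kerberos` must accept it — only `login_kerberos` and `login_ldap` are updated in this commit, and any other decorated view outside the diff would fail with a TypeError at request time. The `print(f"DEBUG: user {shortuser} has groups {groups}")` line writes a user's full group list to stdout on every request; prefer `app.logger.debug("user %s has groups %s", shortuser, groups)` so it can be switched off. The decorated function begins before this hunk.
```python
def _ldap_user_groups(connection, user_dn):
    """Resolve the group names for user_dn with the configured memberOf/group attributes."""
    return session_ldap.get_ldap_user_groups(
        connection=connection,
        user_dn=user_dn,
        user_attrib_memberof=app.config['LDAP_USER_ATTRIB_MEMBEROF'],
        group_name_attrib=app.config['LDAP_GROUP_NAME_ATTRIB'],
        group_base=app.config['LDAP_GROUP_BASE']
    )

# … unchanged: requires_authn_ldap body up to and including the shortuser lookup …
            groups = _ldap_user_groups(ll, this_user)
            app.logger.debug("user %s has groups %s", shortuser, groups)
            return function(shortuser, groups, *args, **kwargs)
```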
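Review bot: `groups = session['groups']` in `protected_page_real` (the -193 hunk) raises KeyError — and therefore a 500 — for any session issued before this change or by a login path that never sets the key; use `groups = session.get('groups', [])`, mirroring the tolerant `request.cookies.get('user')` on the line above. On the context line just below, the pre-existing `print(cookie)` writes the request's cookies, including the signed session cookie, to stdout on every hit of this page and is worth removing while the function is being touched. `protected_page_real` appears to be nested inside `protected_page`, whose definition lies outside the hunk.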
@@ -257,11 +284,20 @@ def ldap_login(username,password):
 @app.route("/login/kerberos")
 @app.route("/login/kerberos/")
 @requires_authn_kerberos
-def login_kerberos(user):
+def login_kerberos(user,groups=[]):
 resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with kerberos')
 #resp.headers['login'] = "from-kerberos"
 resp.set_cookie('type',"kerberos")
- resp = login_generic(session,resp,user,None)
+ resp = login_generic(session,resp,user,groups)
+ return resp
+
+@app.route("/login/ldap", methods=['POST','GET'])
+@app.route("/login/ldap/", methods=['POST','GET'])
+@requires_authn_ldap
+def login_ldap(user,groups=[]):
+ resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with ldap')
+ resp.set_cookie('type',"ldap")
+ resp = login_generic(session,resp,user,groups)
 return resp
 def login_generic(session,resp,user,groups=[]):
@@ -272,15 +308,7 @@ def login_generic(session,resp,user,groups=[]):
 session.permanent = True
 session['user']=user
 session['end_time'] = end_time_str
- return resp
-
-@app.route("/login/ldap", methods=['POST','GET'])
-@app.route("/login/ldap/", methods=['POST','GET'])
-@requires_authn_ldap
-def login_ldap(user,groups=[]):
- resp = Response(f'<meta http-equiv="Refresh" content="1; url={url_for("protected_page")}">success with ldap')
- resp.set_cookie('type',"ldap")
- resp = login_generic(session,resp,user,groups)
+ session['groups'] = groups
 return resp
 @app.route("/login/form", methods=['POST','GET']) |
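Review bot: `def login_kerberos(user,groups=[])` and `def login_ldap(user,groups=[])` in the -257 hunk introduce mutable default arguments (already present on the `login_generic` context line), so one list object is shared by every call that omits `groups` and any later in-place change would leak between requests. Use `groups=None` on all three and normalise once in `login_generic`, e.g. `groups = [] if groups is None else groups`, before it is stored. The decorators always supply `groups`, so the defaults are only reached by direct calls, which makes the bug latent rather than absent.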
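Review bot: `session['groups'] = groups` in the -272 hunk snapshots LDAP group membership for the life of a permanent session (`session.permanent = True` three lines up), so a user removed from a group keeps it until the session expires; if these groups ever drive authorization rather than display, re-resolve them from LDAP on the protected route or bound their age the way `end_time` bounds the login. If this app uses Flask's default client-side session, the list also lives in the signed cookie, where the client can read it and it enlarges every request; a server-side session store avoids both. Add a comment on the new line such as `# login-time snapshot for display; refresh from LDAP before using for authorization`.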