# Copyright 2012 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
from __future__ import absolute_import
import uuid
import ldap.filter
from oslo_log import log
from oslo_log import versionutils
import six
from keystone.common import driver_hints
import keystone.conf
from keystone import exception
from keystone.i18n import _, _LW
from keystone.identity.backends import base
from keystone.identity.backends.ldap import common as common_ldap
from keystone.identity.backends.ldap import models
CONF = keystone.conf.CONF
LOG = log.getLogger(__name__)
_DEPRECATION_MSG = _('%s for the LDAP identity backend has been deprecated in '
'the Mitaka release in favor of read-only identity LDAP '
'access. It will be removed in the "O" release.')
READ_ONLY_LDAP_ERROR_MESSAGE = _("LDAP does not support write operations")
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
[docs]class Identity(base.IdentityDriverBase):
def __init__(self, conf=None):
super(Identity, self).__init__()
if conf is None:
self.conf = CONF
else:
self.conf = conf
self.user = UserApi(self.conf)
self.group = GroupApi(self.conf)
[docs] def is_domain_aware(self):
return False
[docs] def generates_uuids(self):
return False
# Identity interface
[docs] def authenticate(self, user_id, password):
try:
user_ref = self._get_user(user_id)
except exception.UserNotFound:
raise AssertionError(_('Invalid user / password'))
if not user_id or not password:
raise AssertionError(_('Invalid user / password'))
conn = None
try:
conn = self.user.get_connection(user_ref['dn'],
password, end_user_auth=True)
if not conn:
raise AssertionError(_('Invalid user / password'))
except Exception:
raise AssertionError(_('Invalid user / password'))
finally:
if conn:
conn.unbind_s()
return self.user.filter_attributes(user_ref)
def _get_user(self, user_id):
return self.user.get(user_id)
[docs] def get_user(self, user_id):
return self.user.get_filtered(user_id)
[docs] def list_users(self, hints):
return self.user.get_all_filtered(hints)
[docs] def get_user_by_name(self, user_name, domain_id):
# domain_id will already have been handled in the Manager layer,
# parameter left in so this matches the Driver specification
return self.user.filter_attributes(self.user.get_by_name(user_name))
[docs] def get_group(self, group_id):
return self.group.get_filtered(group_id)
[docs] def get_group_by_name(self, group_name, domain_id):
# domain_id will already have been handled in the Manager layer,
# parameter left in so this matches the Driver specification
return self.group.get_filtered_by_name(group_name)
[docs] def list_groups_for_user(self, user_id, hints):
user_ref = self._get_user(user_id)
if self.conf.ldap.group_members_are_ids:
user_dn = user_ref['id']
else:
user_dn = user_ref['dn']
return self.group.list_user_groups_filtered(user_dn, hints)
[docs] def list_groups(self, hints):
return self.group.get_all_filtered(hints)
[docs] def list_users_in_group(self, group_id, hints):
users = []
for user_key in self.group.list_group_users(group_id):
if self.conf.ldap.group_members_are_ids:
user_id = user_key
else:
user_id = self.user._dn_to_id(user_key)
try:
users.append(self.user.get_filtered(user_id))
except exception.UserNotFound:
msg = ('Group member `%(user_key)s` not found in'
' `%(group_id)s`. The user should be removed'
' from the group. The user will be ignored.')
LOG.debug(msg, dict(user_key=user_key, group_id=group_id))
return users
[docs] def check_user_in_group(self, user_id, group_id):
user_refs = self.list_users_in_group(group_id, driver_hints.Hints())
for x in user_refs:
if x['id'] == user_id:
break
else:
# Try to fetch the user to see if it even exists. This
# will raise a more accurate exception.
self.get_user(user_id)
raise exception.NotFound(_("User '%(user_id)s' not found in"
" group '%(group_id)s'") %
{'user_id': user_id,
'group_id': group_id})
# Unsupported methods
def _disallow_write(self):
if not common_ldap.WRITABLE:
raise exception.Forbidden(READ_ONLY_LDAP_ERROR_MESSAGE)
[docs] def create_user(self, user_id, user):
self._disallow_write()
return self._create_user(user_id, user)
[docs] def update_user(self, user_id, user):
self._disallow_write()
return self._update_user(user_id, user)
[docs] def delete_user(self, user_id):
self._disallow_write()
self._delete_user(user_id)
[docs] def change_password(self, user_id, new_password):
raise exception.Forbidden(READ_ONLY_LDAP_ERROR_MESSAGE)
[docs] def add_user_to_group(self, user_id, group_id):
self._disallow_write()
self._add_user_to_group(user_id, group_id)
[docs] def remove_user_from_group(self, user_id, group_id):
self._disallow_write()
self._remove_user_from_group(user_id, group_id)
[docs] def create_group(self, group_id, group):
self._disallow_write()
return self._create_group(group_id, group)
[docs] def update_group(self, group_id, group):
self._disallow_write()
return self._update_group(group_id, group)
[docs] def delete_group(self, group_id):
self._disallow_write()
return self._delete_group(group_id)
# Test implementations
def _create_user(self, user_id, user):
msg = _DEPRECATION_MSG % "create_user"
versionutils.report_deprecated_feature(LOG, msg)
user_ref = self.user.create(user)
return self.user.filter_attributes(user_ref)
def _update_user(self, user_id, user):
msg = _DEPRECATION_MSG % "update_user"
versionutils.report_deprecated_feature(LOG, msg)
old_obj = self.user.get(user_id)
if 'name' in user and old_obj.get('name') != user['name']:
raise exception.Conflict(_('Cannot change user name'))
if self.user.enabled_mask:
self.user.mask_enabled_attribute(user)
elif self.user.enabled_invert and not self.user.enabled_emulation:
# We need to invert the enabled value for the old model object
# to prevent the LDAP update code from thinking that the enabled
# values are already equal.
user['enabled'] = not user['enabled']
old_obj['enabled'] = not old_obj['enabled']
self.user.update(user_id, user, old_obj)
return self.user.get_filtered(user_id)
def _delete_user(self, user_id):
msg = _DEPRECATION_MSG % "delete_user"
versionutils.report_deprecated_feature(LOG, msg)
user = self.user.get(user_id)
user_dn = user['dn']
groups = self.group.list_user_groups(user_dn)
for group in groups:
group_ref = self.group.get(group['id'], '*') # unfiltered
group_dn = group_ref['dn']
try:
super(GroupApi, self.group).remove_member(user_dn, group_dn)
except ldap.NO_SUCH_ATTRIBUTE:
msg = _LW('User %(user)s was not removed from group %(group)s '
'because the relationship was not found')
LOG.warning(msg, {'user': user_id, 'group': group['id']})
if hasattr(user, 'tenant_id'):
self.project.remove_user(user.tenant_id, user_dn)
self.user.delete(user_id)
def _create_group(self, group_id, group):
msg = _DEPRECATION_MSG % "create_group"
versionutils.report_deprecated_feature(LOG, msg)
return common_ldap.filter_entity(self.group.create(group))
def _update_group(self, group_id, group):
msg = _DEPRECATION_MSG % "update_group"
versionutils.report_deprecated_feature(LOG, msg)
return common_ldap.filter_entity(self.group.update(group_id, group))
def _delete_group(self, group_id):
msg = _DEPRECATION_MSG % "delete_group"
versionutils.report_deprecated_feature(LOG, msg)
return self.group.delete(group_id)
def _add_user_to_group(self, user_id, group_id):
msg = _DEPRECATION_MSG % "add_user_to_group"
versionutils.report_deprecated_feature(LOG, msg)
user_ref = self._get_user(user_id)
user_dn = user_ref['dn']
self.group.add_user(user_dn, group_id, user_id)
def _remove_user_from_group(self, user_id, group_id):
msg = _DEPRECATION_MSG % "remove_user_from_group"
versionutils.report_deprecated_feature(LOG, msg)
user_ref = self._get_user(user_id)
user_dn = user_ref['dn']
self.group.remove_user(user_dn, group_id, user_id)
# TODO(termie): turn this into a data object and move logic to driver
[docs]class UserApi(common_ldap.EnabledEmuMixIn, common_ldap.BaseLdap):
DEFAULT_OU = 'ou=Users'
DEFAULT_STRUCTURAL_CLASSES = ['person']
DEFAULT_ID_ATTR = 'cn'
DEFAULT_OBJECTCLASS = 'inetOrgPerson'
NotFound = exception.UserNotFound
options_name = 'user'
attribute_options_names = {'password': 'pass',
'email': 'mail',
'name': 'name',
'description': 'description',
'enabled': 'enabled',
'default_project_id': 'default_project_id'}
immutable_attrs = ['id']
model = models.User
def __init__(self, conf):
super(UserApi, self).__init__(conf)
self.enabled_mask = conf.ldap.user_enabled_mask
self.enabled_default = conf.ldap.user_enabled_default
self.enabled_invert = conf.ldap.user_enabled_invert
self.enabled_emulation = conf.ldap.user_enabled_emulation
def _ldap_res_to_model(self, res):
obj = super(UserApi, self)._ldap_res_to_model(res)
if self.enabled_mask != 0:
enabled = int(obj.get('enabled', self.enabled_default))
obj['enabled'] = ((enabled & self.enabled_mask) !=
self.enabled_mask)
elif self.enabled_invert and not self.enabled_emulation:
# This could be a bool or a string. If it's a string,
# we need to convert it so we can invert it properly.
enabled = obj.get('enabled', self.enabled_default)
if isinstance(enabled, six.string_types):
if enabled.lower() == 'true':
enabled = True
else:
enabled = False
obj['enabled'] = not enabled
obj['dn'] = res[0]
return obj
[docs] def mask_enabled_attribute(self, values):
value = values['enabled']
values.setdefault('enabled_nomask', int(self.enabled_default))
if value != ((values['enabled_nomask'] & self.enabled_mask) !=
self.enabled_mask):
values['enabled_nomask'] ^= self.enabled_mask
values['enabled'] = values['enabled_nomask']
del values['enabled_nomask']
[docs] def create(self, values):
if 'options' in values:
values.pop('options') # can't specify options
if self.enabled_mask:
orig_enabled = values['enabled']
self.mask_enabled_attribute(values)
elif self.enabled_invert and not self.enabled_emulation:
orig_enabled = values['enabled']
if orig_enabled is not None:
values['enabled'] = not orig_enabled
else:
values['enabled'] = self.enabled_default
values = super(UserApi, self).create(values)
if self.enabled_mask or (self.enabled_invert and
not self.enabled_emulation):
values['enabled'] = orig_enabled
values['options'] = {} # options always empty
return values
[docs] def get(self, user_id, ldap_filter=None):
obj = super(UserApi, self).get(user_id, ldap_filter=ldap_filter)
obj['options'] = {} # options always empty
return obj
[docs] def get_filtered(self, user_id):
user = self.get(user_id)
return self.filter_attributes(user)
[docs] def get_all(self, ldap_filter=None, hints=None):
objs = super(UserApi, self).get_all(ldap_filter=ldap_filter,
hints=hints)
for obj in objs:
obj['options'] = {} # options always empty
return objs
[docs] def get_all_filtered(self, hints):
query = self.filter_query(hints, self.ldap_filter)
return [self.filter_attributes(user)
for user in self.get_all(query, hints)]
[docs] def filter_attributes(self, user):
return base.filter_user(common_ldap.filter_entity(user))
[docs] def is_user(self, dn):
"""Return True if the entry is a user."""
# NOTE(blk-u): It's easy to check if the DN is under the User tree,
# but may not be accurate. A more accurate test would be to fetch the
# entry to see if it's got the user objectclass, but this could be
# really expensive considering how this is used.
return common_ldap.dn_startswith(dn, self.tree_dn)
[docs] def update(self, user_id, values, old_obj=None):
if old_obj is None:
old_obj = self.get(user_id)
# don't support updating options
if 'options' in old_obj:
old_obj.pop('options')
if 'options' in values:
values.pop('options')
values = super(UserApi, self).update(user_id, values, old_obj)
values['options'] = {} # options always empty
return values
[docs]class GroupApi(common_ldap.BaseLdap):
DEFAULT_OU = 'ou=UserGroups'
DEFAULT_STRUCTURAL_CLASSES = []
DEFAULT_OBJECTCLASS = 'groupOfNames'
DEFAULT_ID_ATTR = 'cn'
DEFAULT_MEMBER_ATTRIBUTE = 'member'
NotFound = exception.GroupNotFound
options_name = 'group'
attribute_options_names = {'description': 'desc',
'name': 'name'}
immutable_attrs = ['name']
model = models.Group
def _ldap_res_to_model(self, res):
model = super(GroupApi, self)._ldap_res_to_model(res)
model['dn'] = res[0]
return model
def __init__(self, conf):
super(GroupApi, self).__init__(conf)
self.group_ad_nesting = conf.ldap.group_ad_nesting
self.member_attribute = (conf.ldap.group_member_attribute
or self.DEFAULT_MEMBER_ATTRIBUTE)
[docs] def create(self, values):
data = values.copy()
if data.get('id') is None:
data['id'] = uuid.uuid4().hex
if 'description' in data and data['description'] in ['', None]:
data.pop('description')
return super(GroupApi, self).create(data)
[docs] def delete(self, group_id):
# TODO(spzala): this is only placeholder for group and domain
# role support which will be added under bug 1101287
group_ref = self.get(group_id)
group_dn = group_ref['dn']
if group_dn:
self._delete_tree_nodes(group_dn, ldap.SCOPE_ONELEVEL)
super(GroupApi, self).delete(group_id)
[docs] def update(self, group_id, values):
old_obj = self.get(group_id)
return super(GroupApi, self).update(group_id, values, old_obj)
[docs] def add_user(self, user_dn, group_id, user_id):
group_ref = self.get(group_id)
group_dn = group_ref['dn']
try:
super(GroupApi, self).add_member(user_dn, group_dn)
except exception.Conflict:
raise exception.Conflict(_(
'User %(user_id)s is already a member of group %(group_id)s') %
{'user_id': user_id, 'group_id': group_id})
[docs] def remove_user(self, user_dn, group_id, user_id):
group_ref = self.get(group_id)
group_dn = group_ref['dn']
try:
super(GroupApi, self).remove_member(user_dn, group_dn)
except ldap.NO_SUCH_ATTRIBUTE:
raise exception.UserNotFound(user_id=user_id)
[docs] def list_user_groups(self, user_dn):
"""Return a list of groups for which the user is a member."""
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
if self.group_ad_nesting:
query = '(%s:%s:=%s)' % (
self.member_attribute,
LDAP_MATCHING_RULE_IN_CHAIN,
user_dn_esc)
else:
query = '(%s=%s)' % (self.member_attribute,
user_dn_esc)
return self.get_all(query)
[docs] def list_user_groups_filtered(self, user_dn, hints):
"""Return a filtered list of groups for which the user is a member."""
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
if self.group_ad_nesting:
# Hardcoded to member as that is how the Matching Rule in Chain
# Mechanisms expects it. The member_attribute might actually be
# member_of elsewhere, so they are not the same.
query = '(member:%s:=%s)' % (
LDAP_MATCHING_RULE_IN_CHAIN,
user_dn_esc)
else:
query = '(%s=%s)' % (self.member_attribute,
user_dn_esc)
return self.get_all_filtered(hints, query)
[docs] def list_group_users(self, group_id):
"""Return a list of user dns which are members of a group."""
group_ref = self.get(group_id)
group_dn = group_ref['dn']
try:
if self.group_ad_nesting:
# NOTE(ayoung): LDAP_SCOPE is used here instead of hard-
# coding to SCOPE_SUBTREE to get through the unit tests.
# However, it is also probably more correct.
attrs = self._ldap_get_list(
self.tree_dn, self.LDAP_SCOPE,
query_params={
"member:%s:" % LDAP_MATCHING_RULE_IN_CHAIN:
group_dn},
attrlist=[self.member_attribute])
else:
attrs = self._ldap_get_list(group_dn, ldap.SCOPE_BASE,
attrlist=[self.member_attribute])
except ldap.NO_SUCH_OBJECT:
raise self.NotFound(group_id=group_id)
users = []
for dn, member in attrs:
user_dns = member.get(self.member_attribute, [])
for user_dn in user_dns:
users.append(user_dn)
return users
[docs] def get_filtered(self, group_id):
group = self.get(group_id)
return common_ldap.filter_entity(group)
[docs] def get_filtered_by_name(self, group_name):
group = self.get_by_name(group_name)
return common_ldap.filter_entity(group)
[docs] def get_all_filtered(self, hints, query=None):
if self.ldap_filter:
query = (query or '') + self.ldap_filter
query = self.filter_query(hints, query)
return [common_ldap.filter_entity(group)
for group in self.get_all(query, hints)]