Coverage for ldap_auth.py : 45%

############################################################################# 

# LDAP support module. 

# 

# vim:ts=3:sw=3:expandtab 

# 

# Copyright (C) 2014 SurfCrew, Inc. 

# 

# Author: Lionel Litty 

# 

# Module encapsulating ldap interaction, including state, and making it 

# asynchronous. 

# 

# python-ldap provides non-blocking versions of the APIs (for the most part) 

# but no notification mechanism. This forces us to resort to periodic polling 

# to check if results have been received. This is achieved by adding one 

# PeriodicCallback per pending LDAP call to the Tornado ioloop. 

# 

# Encapsulation + asynchrony means four layers of callbacks are used: 

# * Callbacks from the tornado ioloop to the LDAPConnection object (_get_result). 

# * Handling of result (_on_xxx_result). 

# * Callback from the result handler to the logic flow (verifying a user 

# involves two LDAP calls: binding with credentials, then checking group 

# membership). 

# * Callback from the module to the requester with final outcome. 

# 

############################################################################# 

import functools 

import json 

import logging 

import ldap 

import tornado.ioloop 

from safly.config import config 

from safly.logger import get_logger, SafelyLoggerMixin 

log = get_logger('auth-ldap', auto_prefix=True) 

# FIXME - SECURITY! This disables verification of the server certificate. 

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) 

# If the server is not responsive at the network level, abandon after 10 secs. 

ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10) 

# Cache the service ldap connection object and try to reuse it. 

service_con = None 

# Cache the parsed domain dict. 

domain_dict = None 

def _get_domains(): 

global domain_dict 

if not domain_dict: 

try: 

domain_dict = json.loads(config.get('authentication', 

'ldap_domain_dict')) 

except Exception as e: 

log.error({'error': e}, 

event='auth-config-processing-failed') 

domain_dict = {} 

return domain_dict 

class LDAPConnection(SafelyLoggerMixin): 

# When waiting for a response, check every POLL_INTERVAL ms. 

POLL_INTERVAL = 100 

# How long before we timeout LDAP calls, in seconds. 

CALL_TIMEOUT = 20 

def __init__(self, ldap_host=None): 

SafelyLoggerMixin.__init__(self, 'auth-ldap') 

# We test this in the destructor, make sure the attribute exists if 

# initialize throws. 

self.con = None 

if not ldap_host: 

ldap_host = config.get('authentication', 'ldap_host') 

# Note that initialize does not result in any network communication. 

self.con = ldap.initialize('%s://%s:%s' % ( 

'ldaps' if config.get('authentication', 

'ldap_mode') == 'ldaps' else 'ldap', 

ldap_host, 

config.getint('authentication', 'ldap_port'))) 

# Results we are polling for, indexed by msgid. 

self.pending_results = {} 

# Once bound, the identity we used to bind. 

self.who = None 

# start_tls does not have an asynchronous version so we unfortunately 

# block here. 

if config.get('authentication', 'ldap_mode') == 'ldap_starttls': 

# This will throw on failure. 

self.con.start_tls_s() 

def __del__(self): 

"""Log exception and proceed on failure.""" 

if not self.con: 

return 

try: 

self.con.unbind() 

except Exception as e: 

self.log.error({'error': e}, event='ldap-unbind-failed') 

else: 

self.log.debug('Unbound connection for %s.', self.who) 

self.con = None 

def _poll_for_result(self, msgid, callback): 

"""Initiates a periodic check for the result of @msgid. 

callback takes three arguments: success (True or False), result_type and 

result_data. When an error occurs, success is False, result_type is None 

and result_data has details. 

""" 

self.log.debug('Polling for result for %s', msgid) 

periodic_callback = tornado.ioloop.PeriodicCallback( 

functools.partial(self._get_result, msgid, 

tornado.ioloop.IOLoop.instance().time(), callback), 

self.POLL_INTERVAL) 

self.pending_results[msgid] = periodic_callback 

periodic_callback.start() 

def _get_result(self, msgid, start_time, callback): 

"""Invokes callback once result has been obtained or timeout was reached. 

callback takes three arguments: success (True or False), result_type and 

result_data. When an error occurs, success is False, result_type is None 

and result_data has details. 

""" 

success = False 

try: 

res_type, res_data = self.con.result(msgid, timeout=0) 

except Exception as e: 

if self.log.isEnabledFor(logging.DEBUG): 

self.log.exception({'error': e}, event='ldap-no-result') 

res_data = str(e) 

res_type = None 

else: 

# No result yet. 

if not res_type: 

if tornado.ioloop.IOLoop.instance().time() - start_time < self.CALL_TIMEOUT: 

self.log.debug('No result yet for %s', msgid) 

return 

try: 

self.con.abandon(msgid) 

except: 

pass 

res_data = 'Timed out' 

else: 

success = True 

self.log.debug('Got some results for msgid %s among %s', msgid, 

self.pending_results.keys()) 

assert msgid in self.pending_results 

self.pending_results[msgid].stop() 

del self.pending_results[msgid] 

self.log.debug('Result for %s after %s seconds: %s, %s.', 

msgid, tornado.ioloop.IOLoop.instance().time() - start_time, 

res_type, res_data) 

callback(success, res_type, res_data) 

def _on_bind_result(self, callback, success, res_type, res_data): 

"""Invoked once the bind call completed. 

@callback takes one argument: the outcome. 

""" 

if not success or res_type != ldap.RES_BIND or res_data: 

self.log.error({'result_type': res_type, 'result_data': res_data}, 

event='ldap-bind-failed', opslog=True) 

callback(False) 

else: 

callback(True) 

def bind(self, who, password, callback): 

"""Binds to the server as @who. 

When done, invokes @callback with a boolean indicating success. 

""" 

self.who = who 

try: 

msgid = self.con.simple_bind(who, password) 

except Exception as e: 

self.log.error({'error': e}, event='ldap-bind-failed') 

callback(False) 

return 

self.log.debug('Bind for %s: %s', who, msgid) 

self._poll_for_result(msgid, 

functools.partial(self._on_bind_result, callback)) 

def _on_recursive_check_result(self, callback, username, success, res_type, 

res_data): 

"""Invoked once the recursive check for membership completes. 

@callback takes one argument: the outcome. 

""" 

if not success or res_type != ldap.RES_SEARCH_RESULT: 

self.log.error({'details': 'membership check', 

'result_type': res_type, 'result_data': res_data}, 

event='ldap-auth-error', opslog=True) 

callback(False) 

return 

# If the result list is not empty, the user belongs to the group. 

if res_data: 

callback(username) 

else: 

self.log.error({'details': 'recursive membership check', 

'result_type': res_type, 'result_data': res_data}, 

event='ldap-auth-error', opslog=True) 

callback(False, error='ID_ALERT_NOT_AUTHORIZED') 

def _on_search_result(self, callback, username, res_type, res_data): 

"""Invoked once the search call for membership completes. 

@callback takes one argument: the outcome. 

""" 

user_dn = None 

authorized_group = config.get('authentication', 

'ldap_authorized_group').lower() 

# Check if the surfcrew group is in the list. 

try: 

member_of = res_data[0][1].get('memberOf', []) 

for group in member_of: 

if group.lower() == authorized_group: 

callback(username) 

return 

user_dn = res_data[0][0] 

except Exception as e: 

details = {'details': 'membership check', 'error': e} 

if self.log.isEnabledFor(logging.DEBUG): 

self.log.exception(details, event='ldap-auth-error') 

else: 

self.log.error(details, event='ldap-auth-error', opslog=True) 

if not config.getboolean('authentication', 'ldap_recursive_group_check'): 

self.log.info({'details': 'membership check', 

'result_type': res_type, 'result_data': res_data}, 

event='ldap-auth-failed', opslog=True) 

callback(False, error='ID_ALERT_NOT_AUTHORIZED') 

return 

if not user_dn: 

self.log.error({'details': 'no dn for recursive membership check', 

'result_type': res_type, 'result_data': res_data}, 

event='ldap-auth-error', opslog=True) 

callback(False, error='ID_ALERT_NOT_AUTHORIZED') 

return 

# Use LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) to 

# traverse groups for membership. 

# attrlist does not matter. We specify one to limit the size of the 

# response. 

try: 

msgid = self.con.search( 

user_dn, ldap.SCOPE_BASE, attrlist=['cn'], 

filterstr='(memberof:1.2.840.113556.1.4.1941:=%s)' % 

authorized_group) 

except Exception as e: 

self.log.error({'details': 'recursive membership check', 

'error': e}, event='ldap-auth-error') 

callback(False) 

return 

self.log.debug('Recursive membership check for %s, %s: %s', 

user_dn, authorized_group, msgid) 

self._poll_for_result( 

msgid, functools.partial(self._on_recursive_check_result, 

callback, username)) 

def check_membership(self, username, callback): 

"""Asks the server if @username belongs to the authorized group. 

When done, invokes @callback with a boolean indicating success. 

""" 

if not '\\' in username: 

self.log.error({'username': username}, event='ldap-invalid-username') 

callback(False, error='ID_ALERT_INVALID_USERNAME') 

return 

domain_name, account_name = username.split('\\', 1) 

self._get_attributes(account_name, domain_name, ['memberOf'], 

self._on_search_result, callback) 

def _std_checks(self, cb, callback, username, success, res_type, res_data): 

if not success or res_type != ldap.RES_SEARCH_RESULT: 

self.log.error({'details': 'attribute retrieval', 

'result_type': res_type, 'result_data': res_data}, 

event='ldap-auth-error', opslog=True) 

callback(False) 

return 

# Filter out ref: from res_data - they don't contain the DN part 

res_data = [k for k in res_data if k[0]] 

# There should be only one result. 

if len(res_data) != 1: 

if not res_data: 

self.log.error({'details': 'user not found'}, 

event='ldap-auth-error', opslog=True) 

else: 

self.log.error({'details': 'cannot uniquely identify user', 

'result_data': res_data}, 

event='ldap-auth-error', opslog=True) 

callback(False) 

return 

cb(callback, username, res_type, res_data) 

def _get_attributes(self, account_name, domain_name, attributes, on_search, 

callback): 

if domain_name: 

domain_info = _get_domains().get(domain_name) 

if not domain_info: 

self.log.error({'details': 'could not get domain info', 

'ldap_domain': domain_name}, 

event='ldap-auth-error', opslog=True) 

callback(False, error='ID_ALERT_BAD_DOMAIN') 

return 

domain_dn = domain_info[0] 

else: 

domain_dn = '' 

custom_clause = (config.getboolean('authentication', 

'ldap_use_custom_filter_clause') and 

config.get('authentication', 

'ldap_custom_filter_clause') or '') 

search_filter = (config.get('authentication', 

'ldap_default_search_filter') % 

{'account_name': account_name, 

'custom_clause': custom_clause}) 

# TODO: catching the exception should really happen in 

# _get_attributes, and passed to callback, but 

# _do_with_service_con expects exceptions to be thrown 

msgid = self.con.search( 

domain_dn, ldap.SCOPE_SUBTREE, attrlist=attributes, 

filterstr=search_filter) 

self.log.debug('Getting attributes %s for %s, %s: %s', attributes, 

account_name, domain_dn, msgid) 

username = (domain_name and '\\'.join([domain_name, account_name]) or 

account_name) 

self._poll_for_result( 

msgid, functools.partial(self._std_checks, 

on_search, callback, username)) 

def get_attributes(self, account_name, domain, attributes, callback): 

def _cont(callback, username, res_type, res_data): 

res_data[0][1]['dn'] = [res_data[0][0]] 

callback(res_data[0][1]) 

self._get_attributes(account_name, domain, attributes, _cont, callback) 

def _con_bound(callback, query, success): 

"""Invoked once the binding step is complete (it may have failed).""" 

if not success: 

callback(False) 

return 

# Now we do the query - con is bound, we can do a search. 

query() 

def _do_with_service_con(method, callback): 

global service_con 

if not service_con: 

log.debug('Establishing service connection.') 

try: 

service_con = LDAPConnection() 

except Exception as e: 

log.error({'error': e}, event='ldap-service-connection-failed') 

callback(False) 

return 

service_con.bind(config.get('authentication', 'ldap_service_username'), 

config.get('authentication', 'ldap_service_password'), 

functools.partial(_con_bound, callback, 

functools.partial(method, service_con))) 

return 

log.debug('Reusing service connection.') 

try: 

method(service_con) 

except ldap.SERVER_DOWN as e: 

# TODO: this is a horrendous mixture of callback-based and try-catch based 

# error handling 

# TODO: now we only handle reconnection attempts if search fails, but not 

# if ldap.SERVER_DOWN occurs asynchronously in _get_result 

if log.isEnabledFor(logging.DEBUG): 

log.exception({'details': 'Failed to reuse service connection', 

'error': e}, event='ldap-service-communication-failed') 

# Reset service_con and retry. 

service_con = None 

_do_with_service_con(method, callback) 

except Exception as e: 

log.error({'error': e}, event='ldap-service-communication-failed') 

callback(False) 

return 

def _on_credentential_check_result(username, member, callback, success): 

"""Invoked once we have bound as the user.""" 

if success: 

if member: 

callback(username) 

else: 

callback(False, error='ID_ALERT_NOT_AUTHORIZED') 

else: 

callback(False) 

def verify_user(account_name, password, domain, callback=None): 

"""Check credentials and authorization. 

This is done by binding to the LDAP server with the form 

domain\account_name. 

On success, callback is invoked with the user's username 

(domain\account_name). On failure, callback is invoked with False. 

""" 

if not callback: 

# should not happen, as callback is really mandatory; it is a kwarg 

# only to enable its use with tornado.gen.Task 

callback = lambda *args, **kwargs: None 

domain_info = _get_domains().get(domain) 

if not domain_info: 

log.error({'details': 'no domain info', 'ldap_domain': domain}, 

event='ldap-auth-error') 

callback(False) 

return 

ldap_host = domain_info[1] 

username = '\\'.join([domain, account_name]) 

# Always use a new connection to verify a user's identity. 

log.debug('Verifying credentials for %s', username) 

try: 

con = LDAPConnection(ldap_host) 

except Exception as e: 

log.error({'error': e}, event='ldap-service-connection-failed') 

callback(False) 

return 

method = functools.partial(con.check_membership, username, callback) 

con.bind(username, password, functools.partial(_con_bound, callback, method)) 

def attribute_lookup(account_name, domain, attributes, callback): 

"""Get the list of attributes. 

This is done by binding to the LDAP server with the admin credentials. 

On success, callback is invoked with the user's attributes. 

On failure, callback is invoked with False. 

""" 

def method(con): 

try: 

passthrough_method(con) 

except Exception as e: 

if log.isEnabledFor(logging.DEBUG): 

details = {'details': 'get attributes', 'error': e, 

'attributes': attributes, 'account_name': account_name, 

'ldap_domain': domain} 

log.exception(details, event='ldap-auth-error') 

else: 

log.error(details, event='ldap-auth-error') 

callback(False) 

def passthrough_method(con): 

con.get_attributes(account_name, domain, attributes, callback) 

if not config.getboolean('authentication', 'ldap_user_details_lookup'): 

log.error({}, event='ldap-user-details-lookup-disabled') 

callback(False, error='ID_ALERT_NOT_ENABLED') 

return 

if not domain: 

# if domain is not specified, reuse service connection 

log.debug('Retrieving attributes for %s using service connection', 

account_name) 

_do_with_service_con(passthrough_method, callback) 

return 

domain_info = _get_domains().get(domain) 

if not domain_info: 

log.error({'details': 'no domain info', 'ldap_domain': domain}, 

event='ldap-auth-error') 

callback(False) 

return 

ldap_host = domain_info[1] 

admin = config.get('authentication', 'ldap_service_username') 

password = config.get('authentication', 'ldap_service_password') 

log.debug('Retrieving attributes for %s', account_name) 

try: 

# TODO: reuse existing connections to get user's attributes 

con = LDAPConnection(ldap_host) 

except Exception as e: 

log.error({'error': e}, event='ldap-service-connection-failed') 

callback(False) 

return 

con.bind(admin, password, 

functools.partial(_con_bound, callback, functools.partial(method, 

con))) 

def authorize_user(username, callback=None): 

"""Check that user is still authorized to use the service. 

User is in the domain\\username form. 

The user is already authenticated and did not provide credentials, so an 

service account is used for the lookup. 

On success, callback is invoked with the user's DN. On failure, callback is 

invoked with False. 

""" 

if not callback: 

# should not happen, as callback is really mandatory; it is a kwarg 

# only to enable its use with tornado.gen.Task 

callback = lambda *args, **kwargs: None 

log.debug('Verifying authorization for %s', username) 

# Without a service account, we cannot re-authorize the user, so 

# re-authorization always succeeds. 

if not config.getboolean('authentication', 'ldap_use_service'): 

callback(username) 

return 

method = functools.partial(LDAPConnection.check_membership, 

username=username, callback=callback) 

_do_with_service_con(method, callback) 

def get_domain_dict(): 

"""Retrieve a dictionary of domains the user can choose from. 

The list is part of the config (populated via the dashboard). 

""" 

# We do not need to send the domain DN to the user. 

return {k: k for k in _get_domains().keys()}