ldap-ui 0.10.1__py3-none-any.whl → 0.10.3__py3-none-any.whl

ldap_ui/__init__.py

@@ -1 +1 @@
-__version__ = "0.10.1"
+__version__ = "0.10.3"

ldap_ui/__main__.py

@@ -57,6 +57,11 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     help="Log level.",
     show_default=True,
 )
+@click.option(
+    "--reload",
+    is_flag=True,
+    help="Watch for changes and reload?",
+)
 @click.option(
     "--version",
     is_flag=True,
@@ -65,7 +70,7 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     is_eager=True,
     help="Display the current version and exit.",
 )
-def main(base_dn, host, port, ldap_url, log_level):
+def main(base_dn, host, port, ldap_url, log_level, reload):
     logging.basicConfig(level=LOG_LEVELS[log_level])
     rootHandler = logging.getLogger().handlers[0]
     rootHandler.setFormatter(ColourizedFormatter(fmt="%(levelprefix)s %(message)s"))
@@ -76,11 +81,7 @@ def main(base_dn, host, port, ldap_url, log_level):
     if ldap_url is not None:
         settings.LDAP_URL = ldap_url
 
-    uvicorn.run(
-        "ldap_ui.app:app",
-        host=host,
-        port=port,
-    )
+    uvicorn.run("ldap_ui.app:app", host=host, port=port, reload=reload)
 
 
 if __name__ == "__main__":

ldap_ui/entities.py

@@ -1,6 +1,6 @@
 "Data types for ReST endpoints"
 
-from pydantic import BaseModel, Field
+from pydantic import BaseModel
 
 
 class TreeItem(BaseModel):
@@ -12,32 +12,20 @@ class TreeItem(BaseModel):
     level: int
 
 
-class Meta(BaseModel):
-    "Attribute classification for an entry"
-
-    dn: str
-    required: list[str]
-    aux: list[str]
-    binary: list[str]
-    autoFilled: list[str]
-    isNew: bool = False
-
-
 Attributes = dict[str, list[str]]
 
+AttributeNames = list[str]  # Names of modified attributes
+
 
 class Entry(BaseModel):
     "Directory entry"
 
+    dn: str
     attrs: Attributes
-    meta: Meta
-    changed: list[str] = Field(default_factory=list)
-
-
-class ChangedAttributes(BaseModel):
-    "List of modified attributes"
-
-    changed: list[str]
+    binary: AttributeNames
+    autoFilled: AttributeNames
+    changed: AttributeNames
+    isNew: bool = False
 
 
 class ChangePasswordRequest(BaseModel):

ldap_ui/ldap_api.py

@@ -19,12 +19,12 @@ from fastapi import (
     Body,
     Depends,
     File,
+    Header,
     HTTPException,
     Response,
     UploadFile,
 )
 from fastapi.responses import PlainTextResponse
-from fastapi.security import HTTPBasic, HTTPBasicCredentials
 from ldap import (
     INVALID_CREDENTIALS,  # type: ignore
     SCOPE_BASE,  # type: ignore
@@ -34,15 +34,14 @@ from ldap import (
 from ldap.ldapobject import LDAPObject
 from ldap.modlist import addModlist, modifyModlist
 from ldap.schema import SubSchema
-from ldap.schema.models import AttributeType, LDAPSyntax, ObjectClass
+from ldap.schema.models import AttributeType, LDAPSyntax
 
 from . import settings
 from .entities import (
+    AttributeNames,
     Attributes,
-    ChangedAttributes,
     ChangePasswordRequest,
     Entry,
-    Meta,
     Range,
     SearchResult,
     TreeItem,
@@ -58,7 +57,6 @@ from .ldap_helpers import (
     results,
     unique,
 )
-from .schema import ObjectClass as OC
 from .schema import Schema, frontend_schema
 
 NO_CONTENT = Response(status_code=HTTPStatus.NO_CONTENT)
@@ -96,8 +94,8 @@ async def get_root_dse(connection: LDAPObject):
 
 
 async def authenticated(
-    credentials: Annotated[HTTPBasicCredentials, Depends(HTTPBasic())],
     connection: Annotated[LDAPObject, Depends(ldap_connect)],
+    authorization: Annotated[str | None, Header()] = None,
 ) -> LDAPObject:
     "Authenticate against the directory"
 
@@ -109,11 +107,11 @@ async def authenticated(
     password = settings.GET_BIND_PASSWORD()
 
     # Search for basic auth user
-    if not dn:
-        password = credentials.password
-        dn = settings.GET_BIND_PATTERN(
-            credentials.username
-        ) or await anonymous_user_search(connection, credentials.username)
+    if not dn and authorization:
+        username, password = get_basic_credentials(authorization)
+        dn = settings.GET_BIND_PATTERN(username) or await anonymous_user_search(
+            connection, username
+        )
 
     if dn:  # Log in
         await empty(connection, connection.simple_bind(dn, password))
@@ -122,6 +120,13 @@ async def authenticated(
     raise INVALID_CREDENTIALS([{"desc": f"Invalid credentials for DN: {dn}"}])
 
 
+def get_basic_credentials(authorization: str) -> list[str]:
+    scheme, credentials = authorization.split(maxsplit=1)
+    if scheme.lower() != "basic":
+        raise INVALID_CREDENTIALS()
+    return base64.b64decode(credentials).decode().split(":", maxsplit=1)
+
+
 AuthenticatedConnection = Annotated[LDAPObject, Depends(authenticated)]
 
 
@@ -188,50 +193,25 @@ async def get_entry(dn: str, connection: AuthenticatedConnection) -> Entry:
 def _entry(entry: LdapEntry, schema: SubSchema) -> Entry:
     "Decode an LDAP entry for transmission"
 
-    meta = _meta(entry, schema)
-    attrs = {
-        k: ["*****"]  # 23 suppress userPassword
-        if k == "userPassword"
-        else [base64.b64encode(val).decode() for val in entry.attrs[k]]
-        if k in meta.binary
-        else entry.attr(k)
-        for k in sorted(entry.attrs)
-    }
-    return Entry(attrs=attrs, meta=meta)
-
-
-def _meta(entry: LdapEntry, schema: SubSchema) -> Meta:
-    "Classify entry attributes"
-
-    object_classes = set(entry.attr("objectClass"))
-    must_attrs, _may_attrs = schema.attribute_types(object_classes)
-    required = [
-        schema.get_obj(AttributeType, a).names[0]  # type: ignore
-        for a in must_attrs
-    ]
-    structural = [
-        oc.names[0]  # type: ignore
-        for oc in map(lambda o: schema.get_obj(ObjectClass, o), object_classes)
-        if oc.kind == OC.Kind.structural  # type: ignore
-    ]
-    aux = set(
-        schema.get_obj(ObjectClass, a).names[0]  # type: ignore
-        for a in schema.get_applicable_aux_classes(structural[0])
+    binary = sorted(
+        set(attr for attr in entry.attrs if _is_binary(entry, attr, schema))
     )
-
-    return Meta(
+    return Entry(
+        attrs={
+            k: ["*****"]  # 23 suppress userPassword
+            if k == "userPassword"
+            else [base64.b64encode(val).decode() for val in entry.attrs[k]]
+            if k in binary
+            else entry.attr(k)
+            for k in sorted(entry.attrs)
+        },
         dn=entry.dn,
-        required=required,
-        aux=sorted(aux - object_classes),
-        binary=sorted(_binary_attributes(entry, schema)),
+        binary=binary,
         autoFilled=[],
+        changed=[],
     )
 
 
-def _binary_attributes(entry: LdapEntry, schema: SubSchema) -> set[str]:
-    return set(attr for attr in entry.attrs if _is_binary(entry, attr, schema))
-
-
 def _is_binary(entry: LdapEntry, attr: str, schema: SubSchema) -> bool:
     "Guess whether an attribute has binary content"
 
@@ -272,7 +252,7 @@ async def delete_entry(dn: str, connection: AuthenticatedConnection) -> None:
 @api.post("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="post_entry")
 async def post_entry(
     dn: str, attributes: Attributes, connection: AuthenticatedConnection
-) -> ChangedAttributes:
+) -> AttributeNames:
     entry = await get_entry_by_dn(connection, dn)
     schema = await get_schema(connection)
 
@@ -280,16 +260,19 @@ async def post_entry(
         attr: _nonempty_byte_strings(attributes, attr)
         for attr in attributes
         if attr not in PASSWORDS
-        and not _is_binary(
-            entry, attr, schema
-        )  # FIXME Handle binary attributes properly
+        and (
+            attr not in entry.attrs
+            or not _is_binary(
+                entry, attr, schema
+            )  # FIXME Handle binary attributes properly
+        )
     }
 
     actual = {attr: v for attr, v in entry.attrs.items() if attr in expected}
     modlist = modifyModlist(actual, expected)
     if modlist:  # Apply changes and send changed keys back
         await empty(connection, connection.modify(dn, modlist))
-    return ChangedAttributes(changed=list(sorted(set(m[1] for m in modlist))))
+    return list(sorted(set(m[1] for m in modlist)))
 
 
 def _nonempty_byte_strings(attributes: Attributes, attr: str) -> list[bytes]:
@@ -299,7 +282,7 @@ def _nonempty_byte_strings(attributes: Attributes, attr: str) -> list[bytes]:
 @api.put("/entry/{dn:path}", tags=[Tag.EDITING], operation_id="put_entry")
 async def put_entry(
     dn: str, attributes: Attributes, connection: AuthenticatedConnection
-) -> ChangedAttributes:
+) -> AttributeNames:
     modlist = addModlist(
         {
             attr: _nonempty_byte_strings(attributes, attr)
@@ -309,7 +292,7 @@ async def put_entry(
     )
     if modlist:
         await empty(connection, connection.add(dn, modlist))
-    return ChangedAttributes(changed=["dn"])  # Dummy
+    return ["dn"]  # Dummy
 
 
 @api.post(

ldap_ui/settings.py

@@ -30,17 +30,11 @@ BASE_DN = config("BASE_DN", default=None)
 SCHEMA_DN = config("SCHEMA_DN", default=None)
 
 USE_TLS = config(
-    "USE_TLS",
-    cast=lambda x: bool(x),
-    default=LDAP_URL.startswith("ldaps://"),
+    "USE_TLS", cast=lambda x: bool(x), default=LDAP_URL.startswith("ldaps://")
 )
 
 # DANGEROUS: Disable TLS host name verification.
-INSECURE_TLS = config(
-    "INSECURE_TLS",
-    cast=lambda x: bool(x),
-    default=False,
-)
+INSECURE_TLS = config("INSECURE_TLS", cast=lambda x: bool(x), default=False)
 
 #
 # Binding
@@ -54,8 +48,7 @@ def GET_BIND_DN() -> Optional[str]:
     the UI will NOT ask for a login.
     You need to secure it otherwise!
     """
-    if config("BIND_DN", default=None):
-        return config("BIND_DN")
+    return config("BIND_DN", default=None)
 
 
 def GET_BIND_PATTERN(username) -> Optional[str]: