ldap-ui 0.9.0__py3-none-any.whl

ldap_ui/ldap_helpers.py

@@ -0,0 +1,112 @@
+"""
+Utilities for asynchronous LDAP operations.
+
+HTTP endpoints typically trigger asynchronous LDAP requests
+which return an ID for the operation being performed.
+Results are then gathered in non-blocking mode.
+
+Some shorthands are provided for common usages
+like retrieving a unique result or waiting for an
+operation to complete without results.
+"""
+
+import contextlib
+from typing import AsyncGenerator, Generator, Tuple
+
+import ldap
+from anyio import sleep
+from ldap.ldapobject import LDAPObject
+from starlette.exceptions import HTTPException
+
+from . import settings
+
+__all__ = (
+    "empty",
+    "get_entry_by_dn",
+    "ldap_connect",
+    "result",
+    "unique",
+    "WITH_OPERATIONAL_ATTRS",
+)
+
+
+# Constant to add technical attributes in LDAP search results
+WITH_OPERATIONAL_ATTRS = ("*", "+")
+
+
+@contextlib.contextmanager
+def ldap_connect() -> Generator[LDAPObject, None, None]:
+    "Open an LDAP connection"
+
+    url = settings.LDAP_URL
+    connection = ldap.initialize(url)
+
+    # #43 TLS, see https://stackoverflow.com/a/8795694
+    if settings.USE_TLS or settings.INSECURE_TLS:
+        cert_level = (
+            ldap.OPT_X_TLS_NEVER if settings.INSECURE_TLS else ldap.OPT_X_TLS_DEMAND
+        )
+
+        connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, cert_level)
+        # See https://stackoverflow.com/a/38136255
+        connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        if not url.startswith("ldaps://"):
+            connection.start_tls_s()
+    yield connection
+    connection.unbind_s()
+
+
+async def result(
+    connection: LDAPObject, msgid: int
+) -> AsyncGenerator[Tuple[str, dict[str, list[bytes]]], None]:
+    "Stream LDAP result entries without blocking other tasks"
+
+    while True:
+        r_type, r_data = connection.result(msgid=msgid, all=0, timeout=0)
+        if r_type is None:  # Throttle to 100 results / second
+            await sleep(0.01)
+        elif r_data == []:  # Operation completed
+            break
+        else:
+            yield r_data[0]
+
+
+async def unique(
+    connection: LDAPObject,
+    msgid: int,
+) -> Tuple[str, dict[str, list[bytes]]]:
+    "Asynchronously collect a unique result"
+
+    res = None
+    async for r in result(connection, msgid):
+        if res is None:
+            res = r
+        else:
+            connection.abandon(msgid)
+            raise HTTPException(500, "Non-unique result")
+    if res is None:
+        raise HTTPException(404, "Empty search result")
+    return res
+
+
+async def empty(
+    connection: LDAPObject,
+    msgid: int,
+) -> None:
+    "Asynchronously wait for an empty result"
+
+    async for r in result(connection, msgid):
+        connection.abandon(msgid)
+        raise HTTPException(500, "Unexpected result")
+
+
+async def get_entry_by_dn(
+    connection: LDAPObject,
+    dn: str,
+) -> Tuple[str, dict[str, list[bytes]]]:
+    "Asynchronously retrieve an LDAP entry by its DN"
+
+    try:
+        return await unique(connection, connection.search(dn, ldap.SCOPE_BASE))
+    except ldap.NO_SUCH_OBJECT:
+        raise HTTPException(404, f"DN not found: {dn}")

ldap_ui/schema.py

@@ -0,0 +1,130 @@
+"""
+JSON-serializable representation of the LDAP directory schema.
+
+It is used by the frontend for consistency checks, and
+to determine how individual attributes should be presented
+to the user.
+"""
+
+from typing import Any, Generator
+
+from ldap.schema import SubSchema
+from ldap.schema.models import AttributeType, LDAPSyntax, ObjectClass
+
+__all__ = ("frontend_schema",)
+
+
+# Object class constants
+SCHEMA_OC_KIND = {
+    0: "structural",
+    1: "abstract",
+    2: "auxiliary",
+}
+
+# Attribute usage constants
+SCHEMA_ATTR_USAGE = {
+    0: "userApplications",
+    1: "directoryOperation",
+    2: "distributedOperation",
+    3: "dSAOperation",
+}
+
+
+def element(obj) -> dict:
+    "Basic information about an schema element"
+    name = obj.names[0]
+    return {
+        "oid": obj.oid,
+        "name": name[:1].lower() + name[1:],
+        "names": obj.names,
+        "desc": obj.desc,
+        "obsolete": bool(obj.obsolete),
+        "sup": sorted(obj.sup),
+    }
+
+
+def object_class_dict(obj) -> dict:
+    "Additional information about an object class"
+    r = element(obj)
+    r.update(
+        {
+            "may": sorted(obj.may),
+            "must": sorted(obj.must),
+            "kind": SCHEMA_OC_KIND[obj.kind],
+        }
+    )
+    return r
+
+
+def attribute_dict(obj) -> dict:
+    "Additional information about an attribute"
+    r = element(obj)
+    r.update(
+        {
+            "single_value": bool(obj.single_value),
+            "no_user_mod": bool(obj.no_user_mod),
+            "usage": SCHEMA_ATTR_USAGE[obj.usage],
+            # FIXME avoid null values below
+            "equality": obj.equality,
+            "syntax": obj.syntax,
+            "substr": obj.substr,
+            "ordering": obj.ordering,
+        }
+    )
+    return r
+
+
+def syntax_dict(obj) -> dict:
+    "Information about an attribute syntax"
+    return {
+        "oid": obj.oid,
+        "desc": obj.desc,
+        "not_human_readable": bool(obj.not_human_readable),
+    }
+
+
+def lowercase_dict(attr: str, items) -> dict:
+    "Create an dictionary with lowercased keys extracted from a given attribute"
+    return {obj[attr].lower(): obj for obj in items}
+
+
+def extract_type(
+    sub_schema: SubSchema, schema_class: Any
+) -> Generator[Any, None, None]:
+    "Get non-obsolete objects from the schema for a type"
+
+    for oid in sub_schema.listall(schema_class):
+        obj = sub_schema.get_obj(schema_class, oid)
+        if schema_class is LDAPSyntax or not obj.obsolete:
+            yield obj
+
+
+# See: https://www.python-ldap.org/en/latest/reference/ldap-schema.html
+def frontend_schema(sub_schema: SubSchema) -> dict[Any]:
+    "Dump an LDAP SubSchema"
+
+    return dict(
+        attributes=lowercase_dict(
+            "name",
+            sorted(
+                map(
+                    attribute_dict,
+                    extract_type(sub_schema, AttributeType),
+                ),
+                key=lambda x: x["name"],
+            ),
+        ),
+        objectClasses=lowercase_dict(
+            "name",
+            sorted(
+                map(
+                    object_class_dict,
+                    extract_type(sub_schema, ObjectClass),
+                ),
+                key=lambda x: x["name"],
+            ),
+        ),
+        syntaxes=lowercase_dict(
+            "oid", map(syntax_dict, extract_type(sub_schema, LDAPSyntax))
+        ),
+    )

ldap_ui/settings.py

@@ -0,0 +1,85 @@
+import os
+from typing import Optional
+
+from starlette.config import Config
+
+config = Config(".env")
+
+# App settings
+DEBUG = config("DEBUG", cast=lambda x: bool(x), default=False)
+PREFERRED_URL_SCHEME = "https"
+SECRET_KEY = os.urandom(16)
+
+#
+# LDAP settings
+#
+LDAP_URL = config("LDAP_URL", default="ldap:///")
+BASE_DN = config("BASE_DN")  # Always required
+
+USE_TLS = config(
+    "USE_TLS",
+    cast=lambda x: bool(x),
+    default=LDAP_URL.startswith("ldaps://"),
+)
+INSECURE_TLS = config("INSECURE_TLS", cast=lambda x: bool(x), default=False)
+
+SCHEMA_DN = config("SCHEMA_DN", default="cn=subschema")
+
+
+#
+# Binding
+#
+def GET_BIND_DN(username) -> Optional[str]:
+    "Try to determine the login DN from the environment and request"
+
+    # Use a hard-wired DN from the environment.
+    # If this is set and a GET_BIND_PASSWORD returns something,
+    # the UI will NOT ask for a login.
+    # You need to secure it otherwise!
+    if config("BIND_DN", default=None):
+        return config("BIND_DN")
+
+    # Optional user DN pattern string for authentication,
+    # e.g. "uid=%s,ou=people,dc=example,dc=com".
+    # This can be used to authenticate with directories
+    # that do not allow anonymous users to search.
+    elif config("BIND_PATTERN", default=None) and username:
+        return config("BIND_PATTERN") % username
+
+
+def GET_BIND_DN_FILTER(username) -> str:
+    "Produce a LDAP search filter for the login DN"
+    return SEARCH_PATTERNS[0] % username
+
+
+def GET_BIND_PASSWORD() -> Optional[str]:
+    "Try to determine the login password from the environment or request"
+
+    pw = config("BIND_PASSWORD", default=None)
+    if pw is not None:
+        return pw
+
+    pw_file = config("BIND_PASSWORD_FILE", default=None)
+    if pw_file is not None:
+        with open(pw_file) as file:
+            return file.read().rstrip("\n")
+
+
+#
+# Search
+#
+
+# Attribute to search for user names
+LOGIN_ATTR = config("LOGIN_ATTR", default="uid")
+
+# Search users by a number of common attributes
+SEARCH_PATTERNS = (
+    "(%s=%%s)" % LOGIN_ATTR,
+    "(cn=%s*)",
+    "(gn=%s*)",
+    "(sn=%s*)",
+)
+SEARCH_QUERY_MIN = config(
+    "SEARCH_QUERY_MIN", cast=int, default=2
+)  # Minimum length of query term
+SEARCH_MAX = config("SEARCH_MAX", cast=int, default=50)  # Maximum number of results