PyPI - ldap-ui - Versions diffs - 0.9.14__py3-none-any.whl → 0.10.0__py3-none-any.whl - Mend

ldap-ui 0.9.14py3-none-any.whl → 0.10.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

ldap_ui/__init__.py +1 -1
ldap_ui/app.py +84 -191
ldap_ui/entities.py +62 -0
ldap_ui/ldap_api.py +309 -276
ldap_ui/ldap_helpers.py +51 -28
ldap_ui/schema.py +8 -8
ldap_ui/statics/assets/{index-qocMa2qY.css → index-4LadlPh6.css} +1 -1
ldap_ui/statics/assets/index-4LadlPh6.css.gz +0 -0
ldap_ui/statics/assets/index-CVDJWmXN.js +19 -0
ldap_ui/statics/assets/index-CVDJWmXN.js.gz +0 -0
ldap_ui/statics/index.html +2 -2
{ldap_ui-0.9.14.dist-info → ldap_ui-0.10.0.dist-info}/METADATA +8 -9
ldap_ui-0.10.0.dist-info/RECORD +25 -0
{ldap_ui-0.9.14.dist-info → ldap_ui-0.10.0.dist-info}/WHEEL +1 -1
ldap_ui/statics/assets/index-C5yrwMPy.js +0 -18
ldap_ui/statics/assets/index-C5yrwMPy.js.gz +0 -0
ldap_ui/statics/assets/index-qocMa2qY.css.gz +0 -0
ldap_ui-0.9.14.dist-info/RECORD +0 -24
{ldap_ui-0.9.14.dist-info → ldap_ui-0.10.0.dist-info}/entry_points.txt +0 -0
{ldap_ui-0.9.14.dist-info → ldap_ui-0.10.0.dist-info}/licenses/LICENSE.txt +0 -0
{ldap_ui-0.9.14.dist-info → ldap_ui-0.10.0.dist-info}/top_level.txt +0 -0

ldap_ui/__init__.py CHANGED Viewed

	@@ -1 +1 @@
1	- __version__ = "0.9.14"
1	+ __version__ = "0.10.0"

ldap_ui/app.py CHANGED Viewed

@@ -8,60 +8,58 @@ The backend is stateless, it re-connects to the directory on every request.
 No sessions, no cookies, nothing else.
 """
-import base64
-import binascii
 import logging
 import sys
+from contextlib import contextmanager
 from http import HTTPStatus
-from typing import Optional
-from ldap import (
-    INSUFFICIENT_ACCESS,  # pyright: ignore[reportAttributeAccessIssue]
-    INVALID_CREDENTIALS,  # pyright: ignore[reportAttributeAccessIssue]
-    SCOPE_BASE,  # pyright: ignore[reportAttributeAccessIssue]
-    SCOPE_SUBTREE,  # pyright: ignore[reportAttributeAccessIssue]
-    UNWILLING_TO_PERFORM,  # pyright: ignore[reportAttributeAccessIssue]
-    LDAPError,  # pyright: ignore[reportAttributeAccessIssue]
-)
-from ldap.ldapobject import LDAPObject
-from pydantic import ValidationError
-from starlette.applications import Starlette
-from starlette.authentication import (
-    AuthCredentials,
-    AuthenticationBackend,
-    AuthenticationError,
-    SimpleUser,
+from fastapi import FastAPI, Request, Response
+from fastapi.middleware.gzip import GZipMiddleware
+from fastapi.responses import JSONResponse
+from fastapi.staticfiles import StaticFiles
+from ldap import (  # type: ignore
+    ALREADY_EXISTS,  # type: ignore
+    INSUFFICIENT_ACCESS,  # type: ignore
+    INVALID_CREDENTIALS,  # type: ignore
+    NO_SUCH_OBJECT,  # type: ignore
+    OBJECT_CLASS_VIOLATION,  # type: ignore
+    SCOPE_BASE,  # type: ignore
+    UNWILLING_TO_PERFORM,  # type: ignore
+    LDAPError,  # type: ignore
 )
-from starlette.exceptions import HTTPException
-from starlette.middleware import Middleware
-from starlette.middleware.authentication import AuthenticationMiddleware
-from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
-from starlette.middleware.gzip import GZipMiddleware
-from starlette.requests import HTTPConnection, Request
-from starlette.responses import Response
-from starlette.routing import Mount
-from starlette.staticfiles import StaticFiles
-from . import settings
+from . import __version__, settings
 from .ldap_api import api
-from .ldap_helpers import WITH_OPERATIONAL_ATTRS, empty, ldap_connect, unique
+from .ldap_helpers import WITH_OPERATIONAL_ATTRS, ldap_connect
 LOG = logging.getLogger("ldap-ui")
+LDAP_ERROR_TO_STATUS = {
+    ALREADY_EXISTS: HTTPStatus.CONFLICT,
+    INSUFFICIENT_ACCESS: HTTPStatus.FORBIDDEN,
+    INVALID_CREDENTIALS: HTTPStatus.UNAUTHORIZED,
+    NO_SUCH_OBJECT: HTTPStatus.NOT_FOUND,
+    OBJECT_CLASS_VIOLATION: HTTPStatus.BAD_REQUEST,
+    UNWILLING_TO_PERFORM: HTTPStatus.FORBIDDEN,
+}
-def ldap_exception_message(exc: LDAPError) -> str:
-    args = exc.args[0]
-    if "info" in args:
-        return args.get("info", "") + ": " + args.get("desc", "")
-    return args.get("desc", "")
+def format_ldap_error(exc: LDAPError) -> str:
+    cause = exc.args[0] if exc.args else {}
+    desc = cause.get("desc", "LDAP error").strip().capitalize()
+    if "info" in cause:
+        return f"{desc}: {cause['info'].strip().capitalize()}"
+    return f"{desc}"
 if not settings.BASE_DN or not settings.SCHEMA_DN:
-    # Try auto-detection from root DSE
-    try:
-        with ldap_connect() as connection:
-            _dn, attrs = connection.search_s(  # pyright: ignore[reportAssignmentType, reportOptionalSubscript]
-                "", SCOPE_BASE, attrlist=WITH_OPERATIONAL_ATTRS
+    try:  # Auto-detection from root DSE
+        connect = contextmanager(ldap_connect)
+        with connect() as connection:
+            _dn, attrs = connection.search_s(  # type: ignore
+                "",
+                SCOPE_BASE,
+                attrlist=WITH_OPERATIONAL_ATTRS,
             )[0]
             base_dns = attrs.get("namingContexts", [])
             if len(base_dns) == 1:
@@ -71,7 +69,7 @@ if not settings.BASE_DN or not settings.SCHEMA_DN:
             schema_dns = attrs.get("subschemaSubentry", [])
             settings.SCHEMA_DN = settings.SCHEMA_DN or schema_dns[0].decode()
     except LDAPError as err:
-        LOG.error(ldap_exception_message(err), exc_info=err)
+        LOG.error(format_ldap_error(err), exc_info=err)
 if not settings.BASE_DN:
     LOG.critical("An LDAP base DN is required!")
@@ -82,158 +80,53 @@ if not settings.SCHEMA_DN:
     sys.exit(1)
-async def anonymous_user_search(connection: LDAPObject, username: str) -> Optional[str]:
-    try:
-        # No BIND_PATTERN, try anonymous search
-        dn, _attrs = await unique(
-            connection,
-            connection.search(
-                settings.BASE_DN,
-                SCOPE_SUBTREE,
-                settings.GET_BIND_DN_FILTER(username),
-            ),
-        )
-        return dn
-    except HTTPException:
-        pass  # No unique result
-class LdapConnectionMiddleware(BaseHTTPMiddleware):
-    async def dispatch(
-        self, request: Request, call_next: RequestResponseEndpoint
-    ) -> Response:
-        "Add an authenticated LDAP connection to the request"
-        # No authentication required for static files
-        if not request.url.path.startswith("/api"):
-            return await call_next(request)
-        try:
-            with ldap_connect() as connection:
-                # Hard-wired credentials
-                dn = settings.GET_BIND_DN()
-                password = settings.GET_BIND_PASSWORD()
-                # Search for basic auth user
-                if not dn and type(request.user) is LdapUser:
-                    password = request.user.password
-                    dn = settings.GET_BIND_PATTERN(
-                        request.user.username
-                    ) or await anonymous_user_search(connection, request.user.username)
-                if dn:  # Log in
-                    await empty(connection, connection.simple_bind(dn, password))
-                    request.state.ldap = connection
-                    return await call_next(request)
-        except INVALID_CREDENTIALS:
-            pass
-        except INSUFFICIENT_ACCESS as err:
-            return Response(
-                ldap_exception_message(err),
-                status_code=HTTPStatus.FORBIDDEN.value,
-            )
-        except UNWILLING_TO_PERFORM:
-            LOG.warning("Need BIND_DN or BIND_PATTERN to authenticate")
-            return Response(
-                HTTPStatus.FORBIDDEN.phrase,
-                status_code=HTTPStatus.FORBIDDEN.value,
-            )
-        except LDAPError as err:
-            LOG.error(ldap_exception_message(err), exc_info=err)
-            return Response(
-                ldap_exception_message(err),
-                status_code=HTTPStatus.INTERNAL_SERVER_ERROR.value,
-            )
-        return Response(
-            HTTPStatus.UNAUTHORIZED.phrase,
-            status_code=HTTPStatus.UNAUTHORIZED.value,
-            headers={
-                # Trigger authentication
-                "WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'
-            },
-        )
-class LdapUser(SimpleUser):
-    "LDAP credentials"
-    def __init__(self, username: str, password: str):
-        super().__init__(username)
-        self.password = password
-class BasicAuthBackend(AuthenticationBackend):
-    "Handle basic authentication"
-    async def authenticate(self, conn: HTTPConnection):
-        "Place LDAP credentials in request.user"
-        if "Authorization" in conn.headers:
-            try:
-                auth = conn.headers["Authorization"]
-                scheme, credentials = auth.split()
-                if scheme.lower() == "basic":
-                    decoded = base64.b64decode(credentials).decode("ascii")
-                    username, _, password = decoded.partition(":")
-                    return (
-                        AuthCredentials(["authenticated"]),
-                        LdapUser(username, password),
-                    )
-            except (ValueError, UnicodeDecodeError, binascii.Error) as _exc:
-                raise AuthenticationError("Invalid basic auth credentials")
-class CacheBustingMiddleware(BaseHTTPMiddleware):
+# Main ASGI entry
+app = FastAPI(debug=settings.DEBUG, title="LDAP UI", version=__version__)
+app.include_router(api)
+app.mount("/", StaticFiles(packages=["ldap_ui"], html=True))
+app.add_middleware(GZipMiddleware, minimum_size=1000, compresslevel=5)
+@app.middleware("http")
+async def cache_buster(request: Request, call_next) -> Response:
     "Forbid caching of API responses"
+    response = await call_next(request)
+    if request.url.path.startswith("/api"):
+        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        response.headers["Pragma"] = "no-cache"
+        response.headers["Expires"] = "0"
+    return response
-    async def dispatch(
-        self, request: Request, call_next: RequestResponseEndpoint
-    ) -> Response:
-        response = await call_next(request)
-        if request.url.path.startswith("/api"):
-            response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
-            response.headers["Pragma"] = "no-cache"
-            response.headers["Expires"] = "0"
-        return response
-async def http_exception(_request: Request, exc: HTTPException) -> Response:
-    "Send error responses"
-    assert exc.status_code >= 400
-    return Response(
-        exc.detail,
-        status_code=exc.status_code,
-        headers=exc.headers,
+# API error handling
+def error_response(
+    exc: LDAPError, status: HTTPStatus, headers: dict[str, str] | None = None
+) -> JSONResponse:
+    return JSONResponse({"detail": [format_ldap_error(exc)]}, status, headers=headers)
+@app.exception_handler(INVALID_CREDENTIALS)
+def handle_invalid_credentials(_request: Request, exc: INVALID_CREDENTIALS):
+    return error_response(
+        exc,
+        HTTPStatus.UNAUTHORIZED,
+        headers={"WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'},
     )
-async def http_422(_request: Request, e: ValidationError) -> Response:
-    "HTTP 422 Unprocessable Entity"
-    LOG.warn("Invalid request body", exc_info=e)
-    return Response(repr(e), status_code=HTTPStatus.UNPROCESSABLE_ENTITY.value)
+@app.exception_handler(UNWILLING_TO_PERFORM)
+def handle_unwilling_to_perform(_request: Request, exc: UNWILLING_TO_PERFORM):
+    LOG.warning("Need BIND_DN or BIND_PATTERN to authenticate")
+    return error_response(exc, HTTPStatus.FORBIDDEN)
-# Main ASGI entry
-app = Starlette(
-    debug=settings.DEBUG,
-    exception_handlers={  # pyright: ignore[reportArgumentType]
-        HTTPException: http_exception,
-        ValidationError: http_422,
-    },
-    middleware=(
-        Middleware(AuthenticationMiddleware, backend=BasicAuthBackend()),
-        Middleware(LdapConnectionMiddleware),
-        Middleware(CacheBustingMiddleware),
-        Middleware(GZipMiddleware, minimum_size=512, compresslevel=6),
-    ),
-    routes=[
-        Mount("/api", app=api),
-        Mount("/", StaticFiles(packages=["ldap_ui"], html=True)),
-    ],
-)
+@app.exception_handler(LDAPError)
+def handle_ldap_error(_request: Request, exc: LDAPError):
+    "General handler for other LDAP errors"
+    return error_response(
+        exc, LDAP_ERROR_TO_STATUS.get(type(exc), HTTPStatus.INTERNAL_SERVER_ERROR)
+    )

ldap_ui/entities.py ADDED Viewed

@@ -0,0 +1,62 @@
+"Data types for ReST endpoints"
+from pydantic import BaseModel, Field
+class TreeItem(BaseModel):
+    "Entry in the navigation tree"
+    dn: str
+    structuralObjectClass: str
+    hasSubordinates: bool
+    level: int
+class Meta(BaseModel):
+    "Attribute classification for an entry"
+    dn: str
+    required: list[str]
+    aux: list[str]
+    binary: list[str]
+    autoFilled: list[str]
+    isNew: bool = False
+Attributes = dict[str, list[str]]
+class Entry(BaseModel):
+    "Directory entry"
+    attrs: Attributes
+    meta: Meta
+    changed: list[str] = Field(default_factory=list)
+class ChangedAttributes(BaseModel):
+    "List of modified attributes"
+    changed: list[str]
+class ChangePasswordRequest(BaseModel):
+    "Change a password"
+    old: str
+    new1: str
+class SearchResult(BaseModel):
+    "Search result"
+    dn: str
+    name: str
+class Range(BaseModel):
+    "Numeric attribute range"
+    min: int
+    max: int
+    next: int

ldap-ui 0.9.14__py3-none-any.whl → 0.10.0__py3-none-any.whl

ldap-ui 0.9.14py3-none-any.whl → 0.10.0py3-none-any.whl