ldap-ui 0.9.15__py3-none-any.whl → 0.10.1__py3-none-any.whl

ldap_ui/__init__.py

@@ -1 +1 @@
-__version__ = "0.9.15"
+__version__ = "0.10.1"

ldap_ui/app.py

@@ -8,232 +8,83 @@ The backend is stateless, it re-connects to the directory on every request.
 No sessions, no cookies, nothing else.
 """
 
-import base64
-import binascii
 import logging
-import sys
 from http import HTTPStatus
-from typing import Optional
-
-from ldap import (
-    INSUFFICIENT_ACCESS,  # pyright: ignore[reportAttributeAccessIssue]
-    INVALID_CREDENTIALS,  # pyright: ignore[reportAttributeAccessIssue]
-    SCOPE_BASE,  # pyright: ignore[reportAttributeAccessIssue]
-    SCOPE_SUBTREE,  # pyright: ignore[reportAttributeAccessIssue]
-    UNWILLING_TO_PERFORM,  # pyright: ignore[reportAttributeAccessIssue]
-    LDAPError,  # pyright: ignore[reportAttributeAccessIssue]
-)
-from ldap.ldapobject import LDAPObject
-from pydantic import ValidationError
-from starlette.applications import Starlette
-from starlette.authentication import (
-    AuthCredentials,
-    AuthenticationBackend,
-    AuthenticationError,
-    SimpleUser,
+
+from fastapi import FastAPI, Request, Response
+from fastapi.middleware.gzip import GZipMiddleware
+from fastapi.responses import JSONResponse
+from fastapi.staticfiles import StaticFiles
+from ldap import (  # type: ignore
+    ALREADY_EXISTS,  # type: ignore
+    INSUFFICIENT_ACCESS,  # type: ignore
+    INVALID_CREDENTIALS,  # type: ignore
+    NO_SUCH_OBJECT,  # type: ignore
+    OBJECT_CLASS_VIOLATION,  # type: ignore
+    UNWILLING_TO_PERFORM,  # type: ignore  # type: ignore
+    LDAPError,  # type: ignore
 )
-from starlette.exceptions import HTTPException
-from starlette.middleware import Middleware
-from starlette.middleware.authentication import AuthenticationMiddleware
-from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
-from starlette.middleware.gzip import GZipMiddleware
-from starlette.requests import HTTPConnection, Request
-from starlette.responses import Response
-from starlette.routing import Mount
-from starlette.staticfiles import StaticFiles
-
-from . import settings
-from .ldap_api import api
-from .ldap_helpers import WITH_OPERATIONAL_ATTRS, empty, ldap_connect, unique
-
-LOG = logging.getLogger("ldap-ui")
-
-
-def ldap_exception_message(exc: LDAPError) -> str:
-    args = exc.args[0]
-    if "info" in args:
-        return args.get("info", "") + ": " + args.get("desc", "")
-    return args.get("desc", "")
-
-
-if not settings.BASE_DN or not settings.SCHEMA_DN:
-    # Try auto-detection from root DSE
-    try:
-        with ldap_connect() as connection:
-            _dn, attrs = connection.search_s(  # pyright: ignore[reportAssignmentType, reportOptionalSubscript]
-                "", SCOPE_BASE, attrlist=WITH_OPERATIONAL_ATTRS
-            )[0]
-            base_dns = attrs.get("namingContexts", [])
-            if len(base_dns) == 1:
-                settings.BASE_DN = settings.BASE_DN or base_dns[0].decode()
-            else:
-                LOG.warning("No unique base DN: %s", base_dns)
-            schema_dns = attrs.get("subschemaSubentry", [])
-            settings.SCHEMA_DN = settings.SCHEMA_DN or schema_dns[0].decode()
-    except LDAPError as err:
-        LOG.error(ldap_exception_message(err), exc_info=err)
-
-if not settings.BASE_DN:
-    LOG.critical("An LDAP base DN is required!")
-    sys.exit(1)
-
-if not settings.SCHEMA_DN:
-    LOG.critical("An LDAP schema DN is required!")
-    sys.exit(1)
-
-
-async def anonymous_user_search(connection: LDAPObject, username: str) -> Optional[str]:
-    try:
-        # No BIND_PATTERN, try anonymous search
-        dn, _attrs = await unique(
-            connection,
-            connection.search(
-                settings.BASE_DN,
-                SCOPE_SUBTREE,
-                settings.GET_BIND_DN_FILTER(username),
-            ),
-        )
-        return dn
-
-    except HTTPException:
-        pass  # No unique result
-
-
-class LdapConnectionMiddleware(BaseHTTPMiddleware):
-    async def dispatch(
-        self, request: Request, call_next: RequestResponseEndpoint
-    ) -> Response:
-        "Add an authenticated LDAP connection to the request"
-
-        # No authentication required for static files
-        if not request.url.path.startswith("/api"):
-            return await call_next(request)
-
-        try:
-            with ldap_connect() as connection:
-                # Hard-wired credentials
-                dn = settings.GET_BIND_DN()
-                password = settings.GET_BIND_PASSWORD()
-
-                # Search for basic auth user
-                if not dn and type(request.user) is LdapUser:
-                    password = request.user.password
-                    dn = settings.GET_BIND_PATTERN(
-                        request.user.username
-                    ) or await anonymous_user_search(connection, request.user.username)
-
-                if dn:  # Log in
-                    await empty(connection, connection.simple_bind(dn, password))
-                    request.state.ldap = connection
-                    return await call_next(request)
-
-        except INVALID_CREDENTIALS:
-            pass
-
-        except INSUFFICIENT_ACCESS as err:
-            return Response(
-                ldap_exception_message(err),
-                status_code=HTTPStatus.FORBIDDEN.value,
-            )
-
-        except UNWILLING_TO_PERFORM:
-            LOG.warning("Need BIND_DN or BIND_PATTERN to authenticate")
-            return Response(
-                HTTPStatus.FORBIDDEN.phrase,
-                status_code=HTTPStatus.FORBIDDEN.value,
-            )
-
-        except LDAPError as err:
-            LOG.error(ldap_exception_message(err), exc_info=err)
-            return Response(
-                ldap_exception_message(err),
-                status_code=HTTPStatus.INTERNAL_SERVER_ERROR.value,
-            )
 
-        return Response(
-            HTTPStatus.UNAUTHORIZED.phrase,
-            status_code=HTTPStatus.UNAUTHORIZED.value,
-            headers={
-                # Trigger authentication
-                "WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'
-            },
-        )
+from . import __version__, ldap_api, settings
 
+# Main ASGI entry
 
-class LdapUser(SimpleUser):
-    "LDAP credentials"
+app = FastAPI(debug=settings.DEBUG, title="LDAP UI", version=__version__)
+app.include_router(ldap_api.api)
+app.mount("/", StaticFiles(packages=["ldap_ui"], html=True))
 
-    def __init__(self, username: str, password: str):
-        super().__init__(username)
-        self.password = password
+app.add_middleware(GZipMiddleware, minimum_size=1000, compresslevel=5)
 
 
-class BasicAuthBackend(AuthenticationBackend):
-    "Handle basic authentication"
+@app.middleware("http")
+async def cache_buster(request: Request, call_next) -> Response:
+    "Forbid caching of API responses"
+    response = await call_next(request)
+    if request.url.path.startswith("/api"):
+        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        response.headers["Pragma"] = "no-cache"
+        response.headers["Expires"] = "0"
+    return response
 
-    async def authenticate(self, conn: HTTPConnection):
-        "Place LDAP credentials in request.user"
 
-        if "Authorization" in conn.headers:
-            try:
-                auth = conn.headers["Authorization"]
-                scheme, credentials = auth.split()
-                if scheme.lower() == "basic":
-                    decoded = base64.b64decode(credentials).decode("ascii")
-                    username, _, password = decoded.partition(":")
-                    return (
-                        AuthCredentials(["authenticated"]),
-                        LdapUser(username, password),
-                    )
-            except (ValueError, UnicodeDecodeError, binascii.Error) as _exc:
-                raise AuthenticationError("Invalid basic auth credentials")
+# API error handling
 
+LDAP_ERROR_TO_STATUS = {
+    ALREADY_EXISTS: HTTPStatus.CONFLICT,
+    INSUFFICIENT_ACCESS: HTTPStatus.FORBIDDEN,
+    INVALID_CREDENTIALS: HTTPStatus.UNAUTHORIZED,
+    NO_SUCH_OBJECT: HTTPStatus.NOT_FOUND,
+    OBJECT_CLASS_VIOLATION: HTTPStatus.BAD_REQUEST,
+    UNWILLING_TO_PERFORM: HTTPStatus.FORBIDDEN,
+}
 
-class CacheBustingMiddleware(BaseHTTPMiddleware):
-    "Forbid caching of API responses"
-
-    async def dispatch(
-        self, request: Request, call_next: RequestResponseEndpoint
-    ) -> Response:
-        response = await call_next(request)
-        if request.url.path.startswith("/api"):
-            response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
-            response.headers["Pragma"] = "no-cache"
-            response.headers["Expires"] = "0"
-        return response
-
-
-async def http_exception(_request: Request, exc: HTTPException) -> Response:
-    "Send error responses"
-    assert exc.status_code >= 400
-    return Response(
-        exc.detail,
-        status_code=exc.status_code,
-        headers=exc.headers,
-    )
 
+@app.exception_handler(LDAPError)
+def handle_ldap_error(request: Request, exc: LDAPError) -> Response:
+    "General handler for LDAP errors"
 
-async def http_422(_request: Request, e: ValidationError) -> Response:
-    "HTTP 422 Unprocessable Entity"
-    LOG.warn("Invalid request body", exc_info=e)
-    return Response(repr(e), status_code=HTTPStatus.UNPROCESSABLE_ENTITY.value)
+    exc_type = type(exc)
+    if exc_type is UNWILLING_TO_PERFORM:
+        logging.critical("Need BIND_DN or BIND_PATTERN to authenticate")
 
+    if exc_type is INVALID_CREDENTIALS:
+        return Response(
+            status_code=HTTPStatus.UNAUTHORIZED,
+            headers={
+                "WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'
+            },
+        )
 
-# Main ASGI entry
-app = Starlette(
-    debug=settings.DEBUG,
-    exception_handlers={  # pyright: ignore[reportArgumentType]
-        HTTPException: http_exception,
-        ValidationError: http_422,
-    },
-    middleware=(
-        Middleware(AuthenticationMiddleware, backend=BasicAuthBackend()),
-        Middleware(LdapConnectionMiddleware),
-        Middleware(CacheBustingMiddleware),
-        Middleware(GZipMiddleware, minimum_size=512, compresslevel=6),
-    ),
-    routes=[
-        Mount("/api", app=api),
-        Mount("/", StaticFiles(packages=["ldap_ui"], html=True)),
-    ],
-)
+    if exc_type not in LDAP_ERROR_TO_STATUS:
+        # Unknown error --> log it since FastApi won't do it for us
+        logging.exception("Error in %s %s:", request.method, request.url, exc_info=exc)
+
+    cause = exc.args[0] if exc.args else {}
+    desc = cause.get("desc", "LDAP error").capitalize()
+    msg = f"{desc}" if "info" not in cause else f"{desc}: {cause['info'].capitalize()}"
+    return JSONResponse(
+        {"detail": [msg]},
+        status_code=LDAP_ERROR_TO_STATUS.get(
+            exc_type, HTTPStatus.INTERNAL_SERVER_ERROR
+        ),
+    )

ldap_ui/entities.py

@@ -0,0 +1,62 @@
+"Data types for ReST endpoints"
+
+from pydantic import BaseModel, Field
+
+
+class TreeItem(BaseModel):
+    "Entry in the navigation tree"
+
+    dn: str
+    structuralObjectClass: str
+    hasSubordinates: bool
+    level: int
+
+
+class Meta(BaseModel):
+    "Attribute classification for an entry"
+
+    dn: str
+    required: list[str]
+    aux: list[str]
+    binary: list[str]
+    autoFilled: list[str]
+    isNew: bool = False
+
+
+Attributes = dict[str, list[str]]
+
+
+class Entry(BaseModel):
+    "Directory entry"
+
+    attrs: Attributes
+    meta: Meta
+    changed: list[str] = Field(default_factory=list)
+
+
+class ChangedAttributes(BaseModel):
+    "List of modified attributes"
+
+    changed: list[str]
+
+
+class ChangePasswordRequest(BaseModel):
+    "Change a password"
+
+    old: str
+    new1: str
+
+
+class SearchResult(BaseModel):
+    "Search result"
+
+    dn: str
+    name: str
+
+
+class Range(BaseModel):
+    "Numeric attribute range"
+
+    min: int
+    max: int
+    next: int