ldap-ui 0.9.5__py3-none-any.whl → 0.9.7__py3-none-any.whl

ldap_ui/__init__.py

@@ -1 +1 @@
-__version__ = "0.9.5"
+__version__ = "0.9.7"

ldap_ui/__main__.py

@@ -23,7 +23,7 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     "--base-dn",
     type=str,
     default=settings.BASE_DN,
-    help="LDAP base DN. Required unless the BASE_DN environment variable is set.",
+    help="LDAP base DN (required). [default: BASE_DN environment variable]",
 )
 @click.option(
     "-h",
@@ -41,6 +41,12 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     help="Bind socket to this port. If 0, an available port will be picked.",
     show_default=True,
 )
+@click.option(
+    "-u",
+    "--ldap-url",
+    type=str,
+    help="LDAP directory connection URL. [default: LDAP_URL environment variable or 'ldap:///']",
+)
 @click.option(
     "-l",
     "--log-level",
@@ -57,7 +63,7 @@ def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> No
     is_eager=True,
     help="Display the current version and exit.",
 )
-def main(base_dn, host, port, log_level):
+def main(base_dn, host, port, ldap_url, log_level):
     logging.basicConfig(level=LOG_LEVELS[log_level])
     rootHandler = logging.getLogger().handlers[0]
     rootHandler.setFormatter(ColourizedFormatter(fmt="%(levelprefix)s %(message)s"))
@@ -65,9 +71,11 @@ def main(base_dn, host, port, log_level):
     if base_dn is not None:
         settings.BASE_DN = base_dn
 
+    if ldap_url is not None:
+        settings.LDAP_URL = ldap_url
+
     uvicorn.run(
         "ldap_ui.app:app",
-        log_level=logging.INFO,
         host=host,
         port=port,
     )

ldap_ui/app.py

@@ -10,13 +10,12 @@ No sessions, no cookies, nothing else.
 
 import base64
 import binascii
-import contextlib
 import logging
 import sys
+from http import HTTPStatus
 from typing import AsyncGenerator
 
 import ldap
-from ldap.schema import SubSchema
 from pydantic import ValidationError
 from starlette.applications import Starlette
 from starlette.authentication import (
@@ -37,7 +36,7 @@ from starlette.staticfiles import StaticFiles
 
 from . import settings
 from .ldap_api import api
-from .ldap_helpers import WITH_OPERATIONAL_ATTRS, empty, ldap_connect, unique
+from .ldap_helpers import empty, ldap_connect, unique
 
 LOG = logging.getLogger("ldap-ui")
 
@@ -49,8 +48,8 @@ LOG.debug("Base DN: %s", settings.BASE_DN)
 
 # Force authentication
 UNAUTHORIZED = Response(
-    "Invalid credentials",
-    status_code=401,
+    HTTPStatus.UNAUTHORIZED.phrase,
+    status_code=HTTPStatus.UNAUTHORIZED.value,
     headers={"WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'},
 )
 
@@ -71,15 +70,20 @@ class LdapConnectionMiddleware(BaseHTTPMiddleware):
 
                 # Search for basic auth user
                 if type(request.user) is LdapUser:
-                    dn, _attrs = await unique(
-                        connection,
-                        connection.search(
-                            settings.BASE_DN,
-                            ldap.SCOPE_SUBTREE,
-                            settings.GET_BIND_DN_FILTER(request.user.username),
-                        ),
-                    )
                     password = request.user.password
+                    dn = settings.GET_BIND_PATTERN(request.user.username)
+                    if dn is None:
+                        try:
+                            dn, _attrs = await unique(
+                                connection,
+                                connection.search(
+                                    settings.BASE_DN,
+                                    ldap.SCOPE_SUBTREE,
+                                    settings.GET_BIND_DN_FILTER(request.user.username),
+                                ),
+                            )
+                        except HTTPException:
+                            pass
 
                 # Hard-wired credentials
                 if dn is None:
@@ -99,10 +103,10 @@ class LdapConnectionMiddleware(BaseHTTPMiddleware):
 
         except ldap.LDAPError as err:
             msg = ldap_exception_message(err)
-            LOG.error(msg)
+            LOG.error(msg, exc_info=err)
             return PlainTextResponse(
                 msg,
-                status_code=500,
+                status_code=HTTPStatus.INTERNAL_SERVER_ERROR.value,
             )
 
 
@@ -172,29 +176,16 @@ async def http_exception(_request: Request, exc: HTTPException) -> Response:
 
 async def forbidden(_request: Request, exc: ldap.LDAPError) -> Response:
     "HTTP 403 Forbidden"
-    return PlainTextResponse(ldap_exception_message(exc), status_code=403)
+    return PlainTextResponse(
+        ldap_exception_message(exc),
+        status_code=HTTPStatus.FORBIDDEN.value,
+    )
 
 
 async def http_422(_request: Request, e: ValidationError) -> Response:
     "HTTP 422 Unprocessable Entity"
     LOG.warn("Invalid request body", exc_info=e)
-    return Response(repr(e), status_code=422)
-
-
-@contextlib.asynccontextmanager
-async def lifespan(app):
-    with ldap_connect() as connection:
-        # See: https://hub.packtpub.com/python-ldap-applications-part-4-ldap-schema/
-        _dn, sub_schema = await unique(
-            connection,
-            connection.search(
-                settings.SCHEMA_DN,
-                ldap.SCOPE_BASE,
-                attrlist=WITH_OPERATIONAL_ATTRS,
-            ),
-        )
-        app.state.schema = SubSchema(sub_schema, check_uniqueness=2)
-        yield
+    return Response(repr(e), status_code=HTTPStatus.UNPROCESSABLE_ENTITY.value)
 
 
 # Main ASGI entry
@@ -205,7 +196,6 @@ app = Starlette(
         ldap.INSUFFICIENT_ACCESS: forbidden,
         ValidationError: http_422,
     },
-    lifespan=lifespan,
     middleware=(
         Middleware(AuthenticationMiddleware, backend=BasicAuthBackend()),
         Middleware(LdapConnectionMiddleware),
@@ -213,7 +203,7 @@ app = Starlette(
         Middleware(GZipMiddleware, minimum_size=512, compresslevel=6),
     ),
     routes=[
-        Mount("/api", routes=api.routes),
+        Mount("/api", app=api),
         Mount("/", StaticFiles(packages=["ldap_ui"], html=True)),
     ],
 )

ldap_ui/ldap_api.py

@@ -2,13 +2,14 @@
 ReST endpoints for LDAP access.
 
 Directory operations are accessible to the frontend
-through a hand-knit API, responses are usually converted to JSON.
+through a hand-knit ReST API, responses are usually converted to JSON.
 
 Asynchronous LDAP operations are used as much as possible.
 """
 
 import base64
 import io
+from http import HTTPStatus
 from typing import Any, Optional, Tuple, Union
 
 import ldap
@@ -31,13 +32,15 @@ from .ldap_helpers import (
     get_entry_by_dn,
     ldap_connect,
     result,
+    unique,
 )
+from .schema import ObjectClass as OC
 from .schema import frontend_schema
 
 __all__ = ("api",)
 
 
-NO_CONTENT = Response(status_code=204)
+NO_CONTENT = Response(status_code=HTTPStatus.NO_CONTENT.value)
 
 # Special fields
 PHOTOS = ("jpegPhoto", "thumbnailPhoto")
@@ -87,7 +90,20 @@ async def _tree(request: Request, basedn: str, scope: int) -> list[dict[str, Any
     ]
 
 
-def _entry(schema: SubSchema, res: Tuple[str, Any]) -> dict[str, Any]:
+class Meta(BaseModel):
+    dn: str
+    required: list[str]
+    aux: list[str]
+    binary: list[str]
+    autoFilled: list[str]
+
+
+class Entry(BaseModel):
+    attrs: dict[str, list[str]]
+    meta: Meta
+
+
+def _entry(schema: SubSchema, res: Tuple[str, Any]) -> Entry:
     "Prepare an LDAP entry for transmission"
 
     dn, attrs = res
@@ -96,7 +112,7 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> dict[str, Any]:
     soc = [
         oc.names[0]
         for oc in map(lambda o: schema.get_obj(ObjectClass, o), ocs)
-        if oc.kind == 0
+        if oc.kind == OC.Kind.structural.value
     ]
     aux = set(
         schema.get_obj(ObjectClass, a).names[0]
@@ -126,26 +142,22 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> dict[str, Any]:
             if syntax.not_human_readable:
                 binary.add(attr)
 
-    return {
-        "attrs": {
-            k: [
-                base64.b64encode(val).decode() if k in binary else val.decode()
-                for val in values
-            ]
+    return Entry(
+        attrs={
+            k: [base64.b64encode(val) if k in binary else val for val in values]
             for k, values in attrs.items()
         },
-        "meta": {
-            "dn": dn,
-            "required": [schema.get_obj(AttributeType, a).names[0] for a in must_attrs],
-            "aux": sorted(aux - ocs),
-            "binary": sorted(binary),
-            "hints": {},  # FIXME obsolete?
-            "autoFilled": [],
-        },
-    }
+        meta=Meta(
+            dn=dn,
+            required=[schema.get_obj(AttributeType, a).names[0] for a in must_attrs],
+            aux=sorted(aux - ocs),
+            binary=sorted(binary),
+            autoFilled=[],
+        ),
+    )
 
 
-Entry = TypeAdapter(dict[str, list[bytes]])
+Attributes = TypeAdapter(dict[str, list[bytes]])
 
 
 @api.route("/entry/{dn}", methods=("GET", "POST", "DELETE", "PUT"))
@@ -157,7 +169,9 @@ async def entry(request: Request) -> Response:
 
     if request.method == "GET":
         return JSONResponse(
-            _entry(request.app.state.schema, await get_entry_by_dn(connection, dn))
+            _entry(
+                request.app.state.schema, await get_entry_by_dn(connection, dn)
+            ).model_dump()
         )
 
     if request.method == "DELETE":
@@ -168,7 +182,7 @@ async def entry(request: Request) -> Response:
         return NO_CONTENT
 
     # Copy JSON payload into a dictionary of non-empty byte strings
-    json = Entry.validate_json(await request.body())
+    json = Attributes.validate_json(await request.body())
     req = {
         k: [s for s in filter(None, v)]
         for k, v in json.items()
@@ -206,7 +220,9 @@ async def blob(request: Request) -> Response:
 
     if request.method == "GET":
         if attr not in attrs or len(attrs[attr]) <= index:
-            raise HTTPException(404, f"Attribute {attr} not found for DN {dn}")
+            raise HTTPException(
+                HTTPStatus.NOT_FOUND.value, f"Attribute {attr} not found for DN {dn}"
+            )
 
         return Response(
             attrs[attr][index],
@@ -234,7 +250,9 @@ async def blob(request: Request) -> Response:
 
     if request.method == "DELETE":
         if attr not in attrs or len(attrs[attr]) <= index:
-            raise HTTPException(404, f"Attribute {attr} not found for DN {dn}")
+            raise HTTPException(
+                HTTPStatus.NOT_FOUND.value, f"Attribute {attr} not found for DN {dn}"
+            )
         await empty(connection, connection.modify(dn, [(1, attr, None)]))
         data = attrs[attr][:index] + attrs[attr][index + 1 :]
         if data:
@@ -420,7 +438,9 @@ async def attribute_range(request: Request) -> JSONResponse:
     )
 
     if not values:
-        raise HTTPException(404, f"No values found for attribute {attribute}")
+        raise HTTPException(
+            HTTPStatus.NOT_FOUND.value, f"No values found for attribute {attribute}"
+        )
 
     minimum, maximum = min(values), max(values)
     return JSONResponse(
@@ -435,4 +455,18 @@ async def attribute_range(request: Request) -> JSONResponse:
 @api.route("/schema")
 async def json_schema(request: Request) -> JSONResponse:
     "Dump the LDAP schema as JSON"
-    return JSONResponse(frontend_schema(request.app.state.schema))
+    if getattr(request.app.state, "schema", None) is None:
+        connection = request.state.ldap
+        # See: https://hub.packtpub.com/python-ldap-applications-part-4-ldap-schema/
+        _dn, sub_schema = await unique(
+            connection,
+            connection.search(
+                settings.SCHEMA_DN,
+                ldap.SCOPE_BASE,
+                attrlist=WITH_OPERATIONAL_ATTRS,
+            ),
+        )
+        request.app.state.schema = SubSchema(sub_schema, check_uniqueness=2)
+
+    schema = frontend_schema(request.app.state.schema)
+    return JSONResponse(schema.model_dump())

ldap_ui/ldap_helpers.py

@@ -11,6 +11,7 @@ operation to complete without results.
 """
 
 import contextlib
+from http import HTTPStatus
 from typing import AsyncGenerator, Generator, Tuple
 
 import ldap
@@ -83,9 +84,12 @@ async def unique(
             res = r
         else:
             connection.abandon(msgid)
-            raise HTTPException(500, "Non-unique result")
+            raise HTTPException(
+                HTTPStatus.INTERNAL_SERVER_ERROR.value,
+                "Non-unique result",
+            )
     if res is None:
-        raise HTTPException(404, "Empty search result")
+        raise HTTPException(HTTPStatus.NOT_FOUND.value, "Empty search result")
     return res
 
 
@@ -97,7 +101,7 @@ async def empty(
 
     async for r in result(connection, msgid):
         connection.abandon(msgid)
-        raise HTTPException(500, "Unexpected result")
+        raise HTTPException(HTTPStatus.INTERNAL_SERVER_ERROR.value, "Unexpected result")
 
 
 async def get_entry_by_dn(
@@ -109,4 +113,4 @@ async def get_entry_by_dn(
     try:
         return await unique(connection, connection.search(dn, ldap.SCOPE_BASE))
     except ldap.NO_SUCH_OBJECT:
-        raise HTTPException(404, f"DN not found: {dn}")
+        raise HTTPException(HTTPStatus.NOT_FOUND.value, f"DN not found: {dn}")

ldap_ui/schema.py

@@ -6,125 +6,155 @@ to determine how individual attributes should be presented
 to the user.
 """
 
-from typing import Any, Generator
+from enum import IntEnum
+from typing import Generator, Optional, Type, TypeVar, Union
 
 from ldap.schema import SubSchema
-from ldap.schema.models import AttributeType, LDAPSyntax, ObjectClass
+from ldap.schema.models import AttributeType, SchemaElement
+from ldap.schema.models import LDAPSyntax as LDAPSyntaxType
+from ldap.schema.models import ObjectClass as ObjectClassType
+from pydantic import BaseModel, Field, field_serializer
 
-__all__ = ("frontend_schema",)
+__all__ = ("frontend_schema", "Attribute", "ObjectClass")
 
+T = TypeVar("T", bound=SchemaElement)
 
-# Object class constants
-SCHEMA_OC_KIND = {
-    0: "structural",
-    1: "abstract",
-    2: "auxiliary",
-}
 
-# Attribute usage constants
-SCHEMA_ATTR_USAGE = {
-    0: "userApplications",
-    1: "directoryOperation",
-    2: "distributedOperation",
-    3: "dSAOperation",
-}
+class Element(BaseModel):
+    "Common attributes od schema elements"
 
+    oid: str
+    name: str
+    names: list[str] = Field(min_length=1)
+    desc: Optional[str]
+    obsolete: bool
+    sup: list[str]  # TODO check
 
-def element(obj) -> dict:
-    "Basic information about an schema element"
+
+def element(obj: Union[AttributeType, ObjectClassType]) -> Element:
     name = obj.names[0]
-    return {
-        "oid": obj.oid,
-        "name": name[:1].lower() + name[1:],
-        "names": obj.names,
-        "desc": obj.desc,
-        "obsolete": bool(obj.obsolete),
-        "sup": sorted(obj.sup),
-    }
-
-
-def object_class_dict(obj) -> dict:
-    "Additional information about an object class"
-    r = element(obj)
-    r.update(
-        {
-            "may": sorted(obj.may),
-            "must": sorted(obj.must),
-            "kind": SCHEMA_OC_KIND[obj.kind],
-        }
-    )
-    return r
-
-
-def attribute_dict(obj) -> dict:
-    "Additional information about an attribute"
-    r = element(obj)
-    r.update(
-        {
-            "single_value": bool(obj.single_value),
-            "no_user_mod": bool(obj.no_user_mod),
-            "usage": SCHEMA_ATTR_USAGE[obj.usage],
-            # FIXME avoid null values below
-            "equality": obj.equality,
-            "syntax": obj.syntax,
-            "substr": obj.substr,
-            "ordering": obj.ordering,
-        }
+    return Element(
+        oid=obj.oid,
+        name=name[:1].lower() + name[1:],
+        names=obj.names,
+        desc=obj.desc,
+        obsolete=bool(obj.obsolete),
+        sup=sorted(obj.sup),
     )
-    return r
 
 
-def syntax_dict(obj) -> dict:
-    "Information about an attribute syntax"
-    return {
-        "oid": obj.oid,
-        "desc": obj.desc,
-        "not_human_readable": bool(obj.not_human_readable),
-    }
+class ObjectClass(Element):
+    class Kind(IntEnum):
+        structural = 0
+        abstract = 1
+        auxiliary = 2
+
+    may: list[str]
+    must: list[str]
+    kind: Kind
+
+    @field_serializer("kind")
+    def serialize_kind(self, kind: Kind, _info) -> str:
+        return kind.name
+
+
+class Attribute(Element):
+    class Usage(IntEnum):
+        userApplications = 0
+        directoryOperation = 1
+        distributedOperation = 2
+        dSAOperation = 3
 
+    single_value: bool
+    no_user_mod: bool
+    usage: Usage
+    equality: Optional[str]
+    syntax: Optional[str]
+    substr: Optional[str]
+    ordering: Optional[str]
 
-def lowercase_dict(attr: str, items) -> dict:
+    @field_serializer("usage")
+    def serialize_kind(self, usage: Usage, _info) -> str:
+        return usage.name
+
+
+class Syntax(BaseModel):
+    oid: str
+    desc: str
+    not_human_readable: bool
+
+
+def lowercase_dict(attr: str, items: list[T]) -> dict[str, T]:
     "Create an dictionary with lowercased keys extracted from a given attribute"
-    return {obj[attr].lower(): obj for obj in items}
+    return {getattr(obj, attr).lower(): obj for obj in items}
 
 
 def extract_type(
-    sub_schema: SubSchema, schema_class: Any
-) -> Generator[Any, None, None]:
+    sub_schema: SubSchema, schema_class: Type[T]
+) -> Generator[T, None, None]:
     "Get non-obsolete objects from the schema for a type"
 
     for oid in sub_schema.listall(schema_class):
         obj = sub_schema.get_obj(schema_class, oid)
-        if schema_class is LDAPSyntax or not obj.obsolete:
+        if schema_class is LDAPSyntaxType or not obj.obsolete:
             yield obj
 
 
+class Schema(BaseModel):
+    attributes: dict[str, Attribute]
+    objectClasses: dict[str, ObjectClass]
+    syntaxes: dict[str, Syntax]
+
+
 # See: https://www.python-ldap.org/en/latest/reference/ldap-schema.html
-def frontend_schema(sub_schema: SubSchema) -> dict[Any]:
+def frontend_schema(sub_schema: SubSchema) -> Schema:
     "Dump an LDAP SubSchema"
 
-    return dict(
+    return Schema(
         attributes=lowercase_dict(
             "name",
             sorted(
-                map(
-                    attribute_dict,
-                    extract_type(sub_schema, AttributeType),
+                (
+                    Attribute(
+                        single_value=bool(attr.single_value),
+                        no_user_mod=bool(attr.no_user_mod),
+                        usage=Attribute.Usage(attr.usage),
+                        # FIXME avoid null values below
+                        equality=attr.equality,
+                        syntax=attr.syntax,
+                        substr=attr.substr,
+                        ordering=attr.ordering,
+                        **element(attr).model_dump(),
+                    )
+                    for attr in extract_type(sub_schema, AttributeType)
                 ),
-                key=lambda x: x["name"],
+                key=lambda x: x.name,
             ),
         ),
         objectClasses=lowercase_dict(
             "name",
             sorted(
-                map(
-                    object_class_dict,
-                    extract_type(sub_schema, ObjectClass),
+                (
+                    ObjectClass(
+                        may=sorted(oc.may),
+                        must=sorted(oc.must),
+                        kind=ObjectClass.Kind(oc.kind),
+                        **element(oc).model_dump(),
+                    )
+                    for oc in extract_type(sub_schema, ObjectClassType)
                 ),
-                key=lambda x: x["name"],
+                key=lambda x: x.name,
             ),
         ),
         syntaxes=lowercase_dict(
-            "oid", map(syntax_dict, extract_type(sub_schema, LDAPSyntax))
+            "oid",
+            [
+                Syntax(
+                    oid=stx.oid,
+                    desc=stx.desc,
+                    not_human_readable=bool(stx.not_human_readable),
+                )
+                for stx in extract_type(sub_schema, LDAPSyntaxType)
+            ],
         ),
     )

ldap_ui/settings.py

@@ -39,11 +39,16 @@ def GET_BIND_DN(username) -> Optional[str]:
     if config("BIND_DN", default=None):
         return config("BIND_DN")
 
+    return GET_BIND_PATTERN(username)
+
+
+def GET_BIND_PATTERN(username) -> Optional[str]:
+    "Determine the bind pattern from the environment and request"
     # Optional user DN pattern string for authentication,
     # e.g. "uid=%s,ou=people,dc=example,dc=com".
     # This can be used to authenticate with directories
     # that do not allow anonymous users to search.
-    elif config("BIND_PATTERN", default=None) and username:
+    if config("BIND_PATTERN", default=None) and username:
         return config("BIND_PATTERN") % username