[forms] do similar refactoring for inline edition than for inline creation
"""cubicweb ldap user sourcethis source is for now limited to a read-only CWUser source:organization: Logilab:copyright: 2003-2009 LOGILAB S.A. (Paris, FRANCE), license is LGPL v2.:contact: http://www.logilab.fr/ -- mailto:contact@logilab.frPart of the code is coming form Zope's LDAPUserFolderCopyright (c) 2004 Jens Vagelpohl.All Rights Reserved.This software is subject to the provisions of the Zope Public License,Version 2.1 (ZPL). A copy of the ZPL should accompany this distribution.THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIEDWARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESSFOR A PARTICULAR PURPOSE.:license: GNU Lesser General Public License, v2.1 - http://www.gnu.org/licenses"""frombase64importb64decodefromlogilab.common.textutilsimportsplitstripfromrql.nodesimportRelation,VariableRef,Constant,Functionimportldapfromldap.ldapobjectimportReconnectLDAPObjectfromldap.filterimportfilter_format,escape_filter_charsfromldapurlimportLDAPUrlfromcubicwebimportAuthenticationError,UnknownEid,RepositoryErrorfromcubicweb.server.utilsimportcartesian_productfromcubicweb.server.sourcesimport(AbstractSource,TrFunc,GlobTrFunc,ConnectionWrapper,TimedCache)# search scopesBASE=ldap.SCOPE_BASEONELEVEL=ldap.SCOPE_ONELEVELSUBTREE=ldap.SCOPE_SUBTREE# map ldap protocol to their standard portPROTO_PORT={'ldap':389,'ldaps':636,'ldapi':None,}classLDAPUserSource(AbstractSource):"""LDAP read-only CWUser source"""support_entities={'CWUser':False}options=(('host',{'type':'string','default':'ldap','help':'ldap host. It may contains port information using \<host>:<port> notation.','group':'ldap-source','inputlevel':1,}),('protocol',{'type':'choice','default':'ldap','choices':('ldap','ldaps','ldapi'),'help':'ldap protocol','group':'ldap-source','inputlevel':1,}),('auth-mode',{'type':'choice','default':'simple','choices':('simple','cram_md5','digest_md5','gssapi'),'help':'authentication mode used to authenticate user to the ldap.','group':'ldap-source','inputlevel':1,}),('auth-realm',{'type':'string','default':None,'help':'realm to use when using gssapp/kerberos authentication.','group':'ldap-source','inputlevel':1,}),('data-cnx-dn',{'type':'string','default':'','help':'user dn to use to open data connection to the ldap (eg used \to respond to rql queries).','group':'ldap-source','inputlevel':1,}),('data-cnx-password',{'type':'string','default':'','help':'password to use to open data connection to the ldap (eg used to respond to rql queries).','group':'ldap-source','inputlevel':1,}),('user-base-dn',{'type':'string','default':'ou=People,dc=logilab,dc=fr','help':'base DN to lookup for users','group':'ldap-source','inputlevel':0,}),('user-scope',{'type':'choice','default':'ONELEVEL','choices':('BASE','ONELEVEL','SUBTREE'),'help':'user search scope','group':'ldap-source','inputlevel':1,}),('user-classes',{'type':'csv','default':('top','posixAccount'),'help':'classes of user','group':'ldap-source','inputlevel':1,}),('user-login-attr',{'type':'string','default':'uid','help':'attribute used as login on authentication','group':'ldap-source','inputlevel':1,}),('user-default-group',{'type':'csv','default':('users',),'help':'name of a group in which ldap users will be by default. \You can set multiple groups by separating them by a comma.','group':'ldap-source','inputlevel':1,}),('user-attrs-map',{'type':'named','default':{'uid':'login','gecos':'email'},'help':'map from ldap user attributes to cubicweb attributes','group':'ldap-source','inputlevel':1,}),('synchronization-interval',{'type':'int','default':24*60*60,'help':'interval between synchronization with the ldap \directory (default to once a day).','group':'ldap-source','inputlevel':2,}),('cache-life-time',{'type':'int','default':2*60,'help':'life time of query cache in minutes (default to two hours).','group':'ldap-source','inputlevel':2,}),)def__init__(self,repo,appschema,source_config,*args,**kwargs):AbstractSource.__init__(self,repo,appschema,source_config,*args,**kwargs)self.host=source_config['host']self.protocol=source_config.get('protocol','ldap')self.authmode=source_config.get('auth-mode','simple')self._authenticate=getattr(self,'_auth_%s'%self.authmode)self.cnx_dn=source_config.get('data-cnx-dn')or''self.cnx_pwd=source_config.get('data-cnx-password')or''self.user_base_scope=globals()[source_config['user-scope']]self.user_base_dn=source_config['user-base-dn']self.user_base_scope=globals()[source_config['user-scope']]self.user_classes=splitstrip(source_config['user-classes'])self.user_login_attr=source_config['user-login-attr']self.user_default_groups=splitstrip(source_config['user-default-group'])self.user_attrs=dict(v.split(':',1)forvinsplitstrip(source_config['user-attrs-map']))self.user_rev_attrs={'eid':'dn'}forldapattr,cwattrinself.user_attrs.items():self.user_rev_attrs[cwattr]=ldapattrself.base_filters=[filter_format('(%s=%s)',('objectClass',o))foroinself.user_classes]self._conn=Noneself._cache={}ttlm=int(source_config.get('cache-life-type',2*60))self._query_cache=TimedCache(ttlm)self._interval=int(source_config.get('synchronization-interval',24*60*60))defreset_caches(self):"""method called during test to reset potential source caches"""self._cache={}self._query_cache=TimedCache(2*60)definit(self):"""method called by the repository once ready to handle request"""self.repo.looping_task(self._interval,self.synchronize)self.repo.looping_task(self._query_cache.ttl.seconds/10,self._query_cache.clear_expired)defsynchronize(self):"""synchronize content known by this repository with content in the external repository """self.info('synchronizing ldap source %s',self.uri)try:ldap_emailattr=self.user_rev_attrs['email']exceptKeyError:return# no email in ldap, we're donesession=self.repo.internal_session()try:cursor=session.system_sql("SELECT eid, extid FROM entities WHERE ""source='%s'"%self.uri)foreid,b64extidincursor.fetchall():extid=b64decode(b64extid)# if no result found, _search automatically delete entity informationres=self._search(session,extid,BASE)ifres:ldapemailaddr=res[0].get(ldap_emailattr)ifldapemailaddr:rset=session.execute('EmailAddress X,A WHERE ''U use_email X, U eid %(u)s',{'u':eid})ldapemailaddr=unicode(ldapemailaddr)foremaileid,emailaddrinrset:ifemailaddr==ldapemailaddr:breakelse:self.info('updating email address of user %s to %s',extid,ldapemailaddr)ifrset:session.execute('SET X address %(addr)s WHERE ''U primary_email X, U eid %(u)s',{'addr':ldapemailaddr,'u':eid})else:# no email found, create it_insert_email(session,ldapemailaddr,eid)finally:session.commit()session.close()defget_connection(self):"""open and return a connection to the source"""ifself._connisNone:self._connect()returnConnectionWrapper(self._conn)defauthenticate(self,session,login,password):"""return CWUser eid for the given login/password if this account is defined in this source, else raise `AuthenticationError` two queries are needed since passwords are stored crypted, so we have to fetch the salt first """assertlogin,'no login!'searchfilter=[filter_format('(%s=%s)',(self.user_login_attr,login))]searchfilter.extend([filter_format('(%s=%s)',('objectClass',o))foroinself.user_classes])searchstr='(&%s)'%''.join(searchfilter)# first search the usertry:user=self._search(session,self.user_base_dn,self.user_base_scope,searchstr)[0]exceptIndexError:# no such userraiseAuthenticationError()# check password by establishing a (unused) connectiontry:self._connect(user,password)exceptException,ex:self.info('while trying to authenticate %s: %s',user,ex)# Something went wrong, most likely bad credentialsraiseAuthenticationError()returnself.extid2eid(user['dn'],'CWUser',session)defldap_name(self,var):ifvar.stinfo['relations']:relname=iter(var.stinfo['relations']).next().r_typereturnself.user_rev_attrs.get(relname)returnNonedefprepare_columns(self,mainvars,rqlst):"""return two list describin how to build the final results from the result of an ldap search (ie a list of dictionnary) """columns=[]global_transforms=[]fori,terminenumerate(rqlst.selection):ifisinstance(term,Constant):columns.append(term)continueifisinstance(term,Function):# LOWER, UPPER, COUNT...var=term.get_nodes(VariableRef)[0]var=var.variabletry:mainvar=var.stinfo['attrvar'].nameexceptAttributeError:# no attrvar setmainvar=var.nameassertmainvarinmainvarstrname=term.nameldapname=self.ldap_name(var)iftrnamein('COUNT','MIN','MAX','SUM'):global_transforms.append(GlobTrFunc(trname,i,ldapname))columns.append((mainvar,ldapname))continueiftrnamein('LOWER','UPPER'):columns.append((mainvar,TrFunc(trname,i,ldapname)))continueraiseNotImplementedError('no support for %s function'%trname)ifterm.nameinmainvars:columns.append((term.name,'dn'))continuevar=term.variablemainvar=var.stinfo['attrvar'].namecolumns.append((mainvar,self.ldap_name(var)))#else:# # probably a bug in rql splitting if we arrive here# raise NotImplementedErrorreturncolumns,global_transformsdefsyntax_tree_search(self,session,union,args=None,cachekey=None,varmap=None,debug=0):"""return result from this source for a rql query (actually from a rql syntax tree and a solution dictionary mapping each used variable to a possible type). If cachekey is given, the query necessary to fetch the results (but not the results themselves) may be cached using this key. """# XXX not handled : transform/aggregat function, join on multiple users...assertlen(union.children)==1,'union not supported'rqlst=union.children[0]assertnotrqlst.with_,'subquery not supported'rqlkey=rqlst.as_string(kwargs=args)try:results=self._query_cache[rqlkey]exceptKeyError:results=self.rqlst_search(session,rqlst,args)self._query_cache[rqlkey]=resultsreturnresultsdefrqlst_search(self,session,rqlst,args):mainvars=[]forvarnameinrqlst.defined_vars:forsolinrqlst.solutions:ifsol[varname]=='CWUser':mainvars.append(varname)breakassertmainvars,rqlstcolumns,globtransforms=self.prepare_columns(mainvars,rqlst)eidfilters=[]allresults=[]generator=RQL2LDAPFilter(self,session,args,mainvars)formainvarinmainvars:# handle restrictiontry:eidfilters_,ldapfilter=generator.generate(rqlst,mainvar)exceptGotDN,ex:assertex.dn,'no dn!'try:res=[self._cache[ex.dn]]exceptKeyError:res=self._search(session,ex.dn,BASE)exceptUnknownEid,ex:# raised when we are looking for the dn of an eid which is not# coming from this sourceres=[]else:eidfilters+=eidfilters_res=self._search(session,self.user_base_dn,self.user_base_scope,ldapfilter)allresults.append(res)# 1. get eid for each dn and filter according to that eid if necessaryfori,resinenumerate(allresults):filteredres=[]forresdictinres:# get sure the entity exists in the system tableeid=self.extid2eid(resdict['dn'],'CWUser',session)foreidfilterineidfilters:ifnoteidfilter(eid):breakelse:resdict['eid']=eidfilteredres.append(resdict)allresults[i]=filteredres# 2. merge result for each "mainvar": cartesian productallresults=cartesian_product(allresults)# 3. build final result according to column definitionresult=[]forrawlineinallresults:rawline=dict(zip(mainvars,rawline))line=[]forvarname,ldapnameincolumns:ifldapnameisNone:value=None# no mapping availableelifldapname=='dn':value=rawline[varname]['eid']elifisinstance(ldapname,Constant):ifldapname.type=='Substitute':value=args[ldapname.value]else:value=ldapname.valueelifisinstance(ldapname,TrFunc):value=ldapname.apply(rawline[varname])else:value=rawline[varname].get(ldapname)line.append(value)result.append(line)fortrfuncinglobtransforms:result=trfunc.apply(result)#print '--> ldap result', resultreturnresultdef_connect(self,user=None,userpwd=None):ifself.protocol=='ldapi':hostport=self.hostelifnot':'inself.host:hostport='%s:%s'%(self.host,PROTO_PORT[self.protocol])else:hostport=self.hostself.info('connecting %s://%s as %s',self.protocol,hostport,useranduser['dn']or'anonymous')url=LDAPUrl(urlscheme=self.protocol,hostport=hostport)conn=ReconnectLDAPObject(url.initializeUrl())# Set the protocol version - version 3 is preferredtry:conn.set_option(ldap.OPT_PROTOCOL_VERSION,ldap.VERSION3)exceptldap.LDAPError:# Invalid protocol version, fall back safelyconn.set_option(ldap.OPT_PROTOCOL_VERSION,ldap.VERSION2)# Deny auto-chasing of referrals to be safe, we handle them instead#try:# connection.set_option(ldap.OPT_REFERRALS, 0)#except ldap.LDAPError: # Cannot set referrals, so do nothing# pass#conn.set_option(ldap.OPT_NETWORK_TIMEOUT, conn_timeout)#conn.timeout = op_timeout# Now bind with the credentials given. Let exceptions propagate out.ifuserisNone:# no user specified, we want to initialize the 'data' connection,assertself._connisNoneself._conn=conn# XXX always use simple bind for data connectionifnotself.cnx_dn:conn.simple_bind_s(self.cnx_dn,self.cnx_pwd)else:self._authenticate(conn,{'dn':self.cnx_dn},self.cnx_pwd)else:# user specified, we want to check user/password, no need to return# the connection which will be thrown outself._authenticate(conn,user,userpwd)returnconndef_auth_simple(self,conn,user,userpwd):conn.simple_bind_s(user['dn'],userpwd)def_auth_cram_md5(self,conn,user,userpwd):fromldapimportsaslauth_token=sasl.cram_md5(user['dn'],userpwd)conn.sasl_interactive_bind_s('',auth_tokens)def_auth_digest_md5(self,conn,user,userpwd):fromldapimportsaslauth_token=sasl.digest_md5(user['dn'],userpwd)conn.sasl_interactive_bind_s('',auth_tokens)def_auth_gssapi(self,conn,user,userpwd):# print XXX not proper sasl/gssapiimportkerberosifnotkerberos.checkPassword(user[self.user_login_attr],userpwd):raiseException('BAD login / mdp')#from ldap import sasl#conn.sasl_interactive_bind_s('', sasl.gssapi())def_search(self,session,base,scope,searchstr='(objectClass=*)',attrs=()):"""make an ldap query"""cnx=session.pool.connection(self.uri).cnxtry:res=cnx.search_s(base,scope,searchstr,attrs)exceptldap.PARTIAL_RESULTS:res=cnx.result(all=0)[1]exceptldap.NO_SUCH_OBJECT:eid=self.extid2eid(base,'CWUser',session,insert=False)ifeid:self.warning('deleting ldap user with eid %s and dn %s',eid,base)self.repo.delete_info(session,eid)self._cache.pop(base,None)return[]## except ldap.REFERRAL, e:## cnx = self.handle_referral(e)## try:## res = cnx.search_s(base, scope, searchstr, attrs)## except ldap.PARTIAL_RESULTS:## res_type, res = cnx.result(all=0)result=[]forrec_dn,rec_dictinres:# When used against Active Directory, "rec_dict" may not be# be a dictionary in some cases (instead, it can be a list)# An example of a useless "res" entry that can be ignored# from AD is# (None, ['ldap://ForestDnsZones.PORTAL.LOCAL/DC=ForestDnsZones,DC=PORTAL,DC=LOCAL'])# This appears to be some sort of internal referral, but# we can't handle it, so we need to skip over it.try:items=rec_dict.items()exceptAttributeError:# 'items' not found on rec_dict, skipcontinueforkey,valueinitems:# XXX syt: huuum ?ifnotisinstance(value,str):try:foriinrange(len(value)):value[i]=unicode(value[i],'utf8')except:passifisinstance(value,list)andlen(value)==1:rec_dict[key]=value=value[0]rec_dict['dn']=rec_dnself._cache[rec_dn]=rec_dictresult.append(rec_dict)#print '--->', resultreturnresultdefbefore_entity_insertion(self,session,lid,etype,eid):"""called by the repository when an eid has been attributed for an entity stored here but the entity has not been inserted in the system table yet. This method must return the an Entity instance representation of this entity. """entity=super(LDAPUserSource,self).before_entity_insertion(session,lid,etype,eid)res=self._search(session,lid,BASE)[0]forattrinentity.e_schema.indexable_attributes():entity[attr]=res[self.user_rev_attrs[attr]]returnentitydefafter_entity_insertion(self,session,dn,entity):"""called by the repository after an entity stored here has been inserted in the system table. """super(LDAPUserSource,self).after_entity_insertion(session,dn,entity)forgroupinself.user_default_groups:session.execute('SET X in_group G WHERE X eid %(x)s, G name %(group)s',{'x':entity.eid,'group':group},'x')# search for existant email firsttry:emailaddr=self._cache[dn][self.user_rev_attrs['email']]exceptKeyError:returnrset=session.execute('EmailAddress X WHERE X address %(addr)s',{'addr':emailaddr})ifrset:session.execute('SET U primary_email X WHERE U eid %(u)s, X eid %(x)s',{'x':rset[0][0],'u':entity.eid},'u')else:# not found, create it_insert_email(session,emailaddr,entity.eid)defupdate_entity(self,session,entity):"""replace an entity in the source"""raiseRepositoryError('this source is read only')defdelete_entity(self,session,etype,eid):"""delete an entity from the source"""raiseRepositoryError('this source is read only')def_insert_email(session,emailaddr,ueid):session.execute('INSERT EmailAddress X: X address %(addr)s, U primary_email X ''WHERE U eid %(x)s',{'addr':emailaddr,'x':ueid},'x')classGotDN(Exception):"""exception used when a dn localizing the searched user has been found"""def__init__(self,dn):self.dn=dnclassRQL2LDAPFilter(object):"""generate an LDAP filter for a rql query"""def__init__(self,source,session,args=None,mainvars=()):self.source=sourceself._ldap_attrs=source.user_rev_attrsself._base_filters=source.base_filtersself._session=sessionifargsisNone:args={}self._args=argsself.mainvars=mainvarsdefgenerate(self,selection,mainvarname):self._filters=res=self._base_filters[:]self._mainvarname=mainvarnameself._eidfilters=[]self._done_not=set()restriction=selection.whereifisinstance(restriction,Relation):# only a single relation, need to append result here (no AND/OR)filter=restriction.accept(self)iffilterisnotNone:res.append(filter)elifrestriction:restriction.accept(self)iflen(res)>1:returnself._eidfilters,'(&%s)'%''.join(res)returnself._eidfilters,res[0]defvisit_and(self,et):"""generate filter for a AND subtree"""forcinet.children:part=c.accept(self)ifpart:self._filters.append(part)defvisit_or(self,ou):"""generate filter for a OR subtree"""res=[]forcinou.children:part=c.accept(self)ifpart:res.append(part)ifres:iflen(res)>1:part='(|%s)'%''.join(res)else:part=res[0]self._filters.append(part)defvisit_not(self,node):"""generate filter for a OR subtree"""part=node.children[0].accept(self)ifpart:self._filters.append('(!(%s))'%part)defvisit_relation(self,relation):"""generate filter for a relation"""rtype=relation.r_type# don't care of type constraint statement (i.e. relation_type = 'is')ifrtype=='is':return''lhs,rhs=relation.get_parts()# attribute relationifself.source.schema.rschema(rtype).is_final():# dunno what to do here, don't pretend anything elseiflhs.name!=self._mainvarname:iflhs.nameinself.mainvars:# XXX check we don't have variable as rhsreturnraiseNotImplementedErrorrhs_vars=rhs.get_nodes(VariableRef)ifrhs_vars:iflen(rhs_vars)>1:raiseNotImplementedError# selected variable, nothing to do herereturn# no variables in the RHSifisinstance(rhs.children[0],Function):res=rhs.children[0].accept(self)elifrtype!='has_text':res=self._visit_attribute_relation(relation)else:raiseNotImplementedError(relation)# regular relation XXX todo: in_groupelse:raiseNotImplementedError(relation)returnresdef_visit_attribute_relation(self,relation):"""generate filter for an attribute relation"""lhs,rhs=relation.get_parts()lhsvar=lhs.variableifrelation.r_type=='eid':# XXX hack# skip comparison signeid=int(rhs.children[0].accept(self))ifrelation.neged(strict=True):self._done_not.add(relation.parent)self._eidfilters.append(lambdax:notx==eid)returnifrhs.operator!='=':filter={'>':lambdax:x>eid,'>=':lambdax:x>=eid,'<':lambdax:x<eid,'<=':lambdax:x<=eid,}[rhs.operator]self._eidfilters.append(filter)returndn=self.source.eid2extid(eid,self._session)raiseGotDN(dn)try:filter='(%s%s)'%(self._ldap_attrs[relation.r_type],rhs.accept(self))exceptKeyError:# unsupported attributeself.source.warning('%s source can\'t handle relation %s, no ''results will be returned from this source',self.source.uri,relation)raiseUnknownEid# trick to return no resultreturnfilterdefvisit_comparison(self,cmp):"""generate filter for a comparaison"""return'%s%s'%(cmp.operator,cmp.children[0].accept(self))defvisit_mathexpression(self,mexpr):"""generate filter for a mathematic expression"""raiseNotImplementedErrordefvisit_function(self,function):"""generate filter name for a function"""iffunction.name=='IN':returnself.visit_in(function)raiseNotImplementedErrordefvisit_in(self,function):grandpapa=function.parent.parentldapattr=self._ldap_attrs[grandpapa.r_type]res=[]forcinfunction.children:part=c.accept(self)ifpart:res.append(part)ifres:iflen(res)>1:part='(|%s)'%''.join('(%s=%s)'%(ldapattr,v)forvinres)else:part='(%s=%s)'%(ldapattr,res[0])returnpartdefvisit_constant(self,constant):"""generate filter name for a constant"""value=constant.valueifconstant.typeisNone:raiseNotImplementedErrorifconstant.type=='Date':raiseNotImplementedError#value = self.keyword_map[value]()elifconstant.type=='Substitute':value=self._args[constant.value]else:value=constant.valueifisinstance(value,unicode):value=value.encode('utf8')else:value=str(value)returnescape_filter_chars(value)defvisit_variableref(self,variableref):"""get the sql name for a variable reference"""pass