ldap-frontend/ldap_frontend/__init__.py

from json import load
from os import environ

from flask import Flask, flash, redirect, request, session, url_for
from flask_babel import Babel, gettext
from flask_wtf.csrf import CSRFError, CSRFProtect
from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE
from ldap3.core.exceptions import LDAPException
from ldap3.utils.dn import escape_rdn

from .helpers.flask import template
from .helpers.ldap import (
    admin_required,
    get_user,
    login_required,
    try_auth,
    update_user,
    update_user_password,
)

app = Flask(__name__)
app.secret_key = environ.get("FLASK_SECRET_KEY", default="test")
app.config["LANGUAGES"] = {"en": "English", "de": "Deutsch"}

babel = Babel(app)
csrf = CSRFProtect(app)

with open(environ["APP_CONFIG"]) as f:
    APP_CONFIG = load(f)


@babel.localeselector
def get_locale():
    return request.accept_languages.best_match(app.config["LANGUAGES"].keys())


@app.errorhandler(CSRFError)
def handle_csrf_error(e):
    flash(
        gettext("CRSF validation error. For your own safety, you have been logged out.")
    )

    session["is_logged_in"] = False
    session["username"] = ""
    session["password"] = ""

    return redirect(url_for("login"))


@app.route("/")
def slash():
    if session.get("is_logged_in"):
        return redirect(url_for("selfservice"))
    return redirect(url_for("login"))


@app.route("/login", methods=["GET", "POST"])
def login():
    session["is_logged_in"] = False

    if request.method == "POST":
        if try_auth(
            escape_rdn(request.form["username"]),
            request.form["password"],
        ):
            session["is_logged_in"] = True
            session["username"] = escape_rdn(request.form["username"])
            session["password"] = request.form["password"]

            flash(gettext("logged in"))

            return redirect(url_for("selfservice"))
        else:
            flash(gettext("username or password is wrong"))

    return template(None, "login.html")


@app.route("/logout")
def logout():
    session["is_logged_in"] = False
    session["username"] = ""
    session["password"] = ""

    flash(gettext("you have been logged out"))

    return redirect(url_for("login"))


@app.route("/selfservice", methods=["GET", "POST"])
@login_required
def selfservice(ldap):
    if request.method == "POST":
        if request.form.get("userdata"):
            try:
                update_user(
                    ldap,
                    session["username"],
                    {
                        "givenName": request.form["givenName"],
                        "sn": request.form["sn"],
                        "cn": "{} {}".format(
                            request.form["givenName"],
                            request.form["sn"],
                        ),
                        "externalMail": request.form["externalMail"],
                    },
                )
                flash(gettext("user data was updated"))
            except LDAPException as e:
                app.logger.error(
                    "Updating {} failed: {}\n{}".format(
                        APP_CONFIG["template"]["user_dn"].format(session["username"]),
                        repr(e),
                        repr(request.form),
                    ),
                )
                flash(e)
        elif request.form.get("passwordchange"):
            validated = (True,)
            if not try_auth(
                session["username"],
                request.form["current"],
            ):
                validated = False
                flash(gettext("current password does not match the one stored"))

            if request.form["new"] != request.form["repeat"]:
                validated = False
                flash(gettext("new passwords do not match"))

            if len(request.form["new"]) < 12:
                validated = False
                flash(gettext("new password must be atleast 12 characters long"))

            if validated:
                try:
                    update_user_password(
                        ldap,
                        session["username"],
                        request.form["new"],
                    )
                    session["password"] = request.form["new"]
                    flash(gettext("your password was changed"))
                except LDAPException as e:
                    app.logger.error(
                        "Updating {} failed: {}".format(
                            APP_CONFIG["template"]["user_dn"].format(
                                session["username"]
                            ),
                            repr(e),
                        ),
                    )
                    flash(e)

        return redirect(url_for("selfservice"))

    return template(ldap, "selfservice.html")


@app.route("/groups", methods=["GET"])
@login_required
def groups(ldap):
    ldap.search(
        APP_CONFIG["ldap"]["group_base"],
        "(objectclass=groupOfNames)",
        attributes=ALL_ATTRIBUTES,
    )

    return template(
        ldap,
        "groups/list.html",
        groups=ldap.entries,
    )


@app.route("/groups/<ou>", methods=["GET", "POST"])
@admin_required
def group_edit(ldap, ou):
    ou = escape_rdn(ou)

    if request.method == "POST":
        if request.form.get("remove"):
            ldap.modify(
                APP_CONFIG["template"]["group_dn"].format(ou),
                {
                    "member": [
                        (
                            MODIFY_DELETE,
                            APP_CONFIG["template"]["user_dn"].format(
                                escape_rdn(request.form["remove"])
                            ),
                        )
                    ]
                },
            )
            flash(
                gettext(
                    "%(user)s was removed from %(ou)s",
                    user=request.form["remove"],
                    ou=ou,
                )
            )
        elif request.form.get("add"):
            ldap.modify(
                APP_CONFIG["template"]["group_dn"].format(ou),
                {
                    "member": [
                        (
                            MODIFY_ADD,
                            APP_CONFIG["template"]["user_dn"].format(
                                escape_rdn(request.form["add"])
                            ),
                        )
                    ]
                },
            )
            flash(
                gettext(
                    "%(user)s was added to %(ou)s", user=request.form["add"], ou=ou
                )
            )

        return redirect(url_for("group_edit", ou=ou))

    ldap.search(
        APP_CONFIG["ldap"]["user_base"],
        APP_CONFIG["template"]["group_nonmembers"].format(ou),
        attributes=["cn", "uid"],
    )
    users = ldap.entries

    ldap.search(
        APP_CONFIG["ldap"]["user_base"],
        APP_CONFIG["template"]["group_members"].format(ou),
        attributes=ALL_ATTRIBUTES,
    )

    return template(
        ldap,
        "groups/members.html",
        members=ldap.entries,
        ou=ou,
        other_users=users,
    )
initial commit 2021-12-21 07:30:36 +00:00			`from json import load`
			`from os import environ`

			`from flask import Flask, flash, redirect, request, session, url_for`
add translation to german 2021-12-23 08:14:27 +00:00			`from flask_babel import Babel, gettext`
			`from flask_wtf.csrf import CSRFError, CSRFProtect`
implement group member management 2021-12-21 09:20:16 +00:00			`from ldap3 import ALL_ATTRIBUTES, MODIFY_ADD, MODIFY_DELETE`
initial commit 2021-12-21 07:30:36 +00:00			`from ldap3.core.exceptions import LDAPException`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`from ldap3.utils.dn import escape_rdn`
initial commit 2021-12-21 07:30:36 +00:00
add some group management 2021-12-21 08:27:25 +00:00			`from .helpers.flask import template`
			`from .helpers.ldap import (`
			`admin_required,`
			`get_user,`
			`login_required,`
			`try_auth,`
			`update_user,`
implement password change 2021-12-21 08:58:57 +00:00			`update_user_password,`
add some group management 2021-12-21 08:27:25 +00:00			`)`
initial commit 2021-12-21 07:30:36 +00:00
			`app = Flask(__name__)`
			`app.secret_key = environ.get("FLASK_SECRET_KEY", default="test")`
add translation to german 2021-12-23 08:14:27 +00:00			`app.config["LANGUAGES"] = {"en": "English", "de": "Deutsch"}`

			`babel = Babel(app)`
add CSRF validation 2021-12-21 15:57:39 +00:00			`csrf = CSRFProtect(app)`
initial commit 2021-12-21 07:30:36 +00:00
			`with open(environ["APP_CONFIG"]) as f:`
			`APP_CONFIG = load(f)`


add translation to german 2021-12-23 08:14:27 +00:00			`@babel.localeselector`
			`def get_locale():`
			`return request.accept_languages.best_match(app.config["LANGUAGES"].keys())`

add CSRF validation 2021-12-21 15:57:39 +00:00
			`@app.errorhandler(CSRFError)`
			`def handle_csrf_error(e):`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(`
			`gettext("CRSF validation error. For your own safety, you have been logged out.")`
			`)`
add CSRF validation 2021-12-21 15:57:39 +00:00
			`session["is_logged_in"] = False`
			`session["username"] = ""`
			`session["password"] = ""`

			`return redirect(url_for("login"))`


initial commit 2021-12-21 07:30:36 +00:00			`@app.route("/")`
			`def slash():`
add translation to german 2021-12-23 08:14:27 +00:00			`if session.get("is_logged_in"):`
redirect / to /selfservice if user is logged in already 2021-12-21 09:58:36 +00:00			`return redirect(url_for("selfservice"))`
initial commit 2021-12-21 07:30:36 +00:00			`return redirect(url_for("login"))`


			`@app.route("/login", methods=["GET", "POST"])`
			`def login():`
			`session["is_logged_in"] = False`

			`if request.method == "POST":`
			`if try_auth(`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`escape_rdn(request.form["username"]),`
initial commit 2021-12-21 07:30:36 +00:00			`request.form["password"],`
			`):`
			`session["is_logged_in"] = True`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`session["username"] = escape_rdn(request.form["username"])`
initial commit 2021-12-21 07:30:36 +00:00			`session["password"] = request.form["password"]`

add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("logged in"))`
initial commit 2021-12-21 07:30:36 +00:00
			`return redirect(url_for("selfservice"))`
			`else:`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("username or password is wrong"))`
initial commit 2021-12-21 07:30:36 +00:00
			`return template(None, "login.html")`


			`@app.route("/logout")`
			`def logout():`
			`session["is_logged_in"] = False`
			`session["username"] = ""`
			`session["password"] = ""`

add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("you have been logged out"))`
initial commit 2021-12-21 07:30:36 +00:00
			`return redirect(url_for("login"))`


			`@app.route("/selfservice", methods=["GET", "POST"])`
			`@login_required`
			`def selfservice(ldap):`
			`if request.method == "POST":`
implement password change 2021-12-21 08:58:57 +00:00			`if request.form.get("userdata"):`
			`try:`
			`update_user(`
			`ldap,`
			`session["username"],`
			`{`
			`"givenName": request.form["givenName"],`
			`"sn": request.form["sn"],`
			`"cn": "{} {}".format(`
			`request.form["givenName"],`
			`request.form["sn"],`
			`),`
adjust external-mail to new name externalMail the naming scheme complies with the ldap standards for attribute names 2022-01-02 22:12:28 +00:00			`"externalMail": request.form["externalMail"],`
implement password change 2021-12-21 08:58:57 +00:00			`},`
			`)`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("user data was updated"))`
implement password change 2021-12-21 08:58:57 +00:00			`except LDAPException as e:`
			`app.logger.error(`
			`"Updating {} failed: {}\n{}".format(`
			`APP_CONFIG["template"]["user_dn"].format(session["username"]),`
			`repr(e),`
			`repr(request.form),`
initial commit 2021-12-21 07:30:36 +00:00			`),`
implement password change 2021-12-21 08:58:57 +00:00			`)`
			`flash(e)`
			`elif request.form.get("passwordchange"):`
			`validated = (True,)`
			`if not try_auth(`
			`session["username"],`
			`request.form["current"],`
			`):`
			`validated = False`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("current password does not match the one stored"))`
implement password change 2021-12-21 08:58:57 +00:00
			`if request.form["new"] != request.form["repeat"]:`
			`validated = False`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("new passwords do not match"))`
implement password change 2021-12-21 08:58:57 +00:00
			`if len(request.form["new"]) < 12:`
			`validated = False`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("new password must be atleast 12 characters long"))`
implement password change 2021-12-21 08:58:57 +00:00
			`if validated:`
			`try:`
			`update_user_password(`
			`ldap,`
			`session["username"],`
			`request.form["new"],`
			`)`
			`session["password"] = request.form["new"]`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(gettext("your password was changed"))`
implement password change 2021-12-21 08:58:57 +00:00			`except LDAPException as e:`
			`app.logger.error(`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`"Updating {} failed: {}".format(`
implement password change 2021-12-21 08:58:57 +00:00			`APP_CONFIG["template"]["user_dn"].format(`
			`session["username"]`
			`),`
			`repr(e),`
			`),`
			`)`
			`flash(e)`

			`return redirect(url_for("selfservice"))`

initial commit 2021-12-21 07:30:36 +00:00			`return template(ldap, "selfservice.html")`
add some group management 2021-12-21 08:27:25 +00:00

			`@app.route("/groups", methods=["GET"])`
			`@login_required`
			`def groups(ldap):`
			`ldap.search(`
			`APP_CONFIG["ldap"]["group_base"],`
			`"(objectclass=groupOfNames)",`
			`attributes=ALL_ATTRIBUTES,`
			`)`

			`return template(`
			`ldap,`
			`"groups/list.html",`
			`groups=ldap.entries,`
			`)`


			`@app.route("/groups/<ou>", methods=["GET", "POST"])`
			`@admin_required`
			`def group_edit(ldap, ou):`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`ou = escape_rdn(ou)`

add some group management 2021-12-21 08:27:25 +00:00			`if request.method == "POST":`
			`if request.form.get("remove"):`
implement group member management 2021-12-21 09:20:16 +00:00			`ldap.modify(`
			`APP_CONFIG["template"]["group_dn"].format(ou),`
			`{`
			`"member": [`
			`(`
			`MODIFY_DELETE,`
			`APP_CONFIG["template"]["user_dn"].format(`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`escape_rdn(request.form["remove"])`
implement group member management 2021-12-21 09:20:16 +00:00			`),`
			`)`
			`]`
			`},`
			`)`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(`
			`gettext(`
			`"%(user)s was removed from %(ou)s",`
			`user=request.form["remove"],`
			`ou=ou,`
			`)`
			`)`
implement group member management 2021-12-21 09:20:16 +00:00			`elif request.form.get("add"):`
			`ldap.modify(`
			`APP_CONFIG["template"]["group_dn"].format(ou),`
			`{`
			`"member": [`
			`(`
			`MODIFY_ADD,`
			`APP_CONFIG["template"]["user_dn"].format(`
from ldap3.utils.dn import escape_rdn 2021-12-21 10:02:48 +00:00			`escape_rdn(request.form["add"])`
implement group member management 2021-12-21 09:20:16 +00:00			`),`
			`)`
			`]`
			`},`
add some group management 2021-12-21 08:27:25 +00:00			`)`
add translation to german 2021-12-23 08:14:27 +00:00			`flash(`
			`gettext(`
fix KeyError in group_edit 2021-12-23 15:28:10 +00:00			`"%(user)s was added to %(ou)s", user=request.form["add"], ou=ou`
add translation to german 2021-12-23 08:14:27 +00:00			`)`
			`)`
add some group management 2021-12-21 08:27:25 +00:00
			`return redirect(url_for("group_edit", ou=ou))`

implement group member management 2021-12-21 09:20:16 +00:00			`ldap.search(`
			`APP_CONFIG["ldap"]["user_base"],`
			`APP_CONFIG["template"]["group_nonmembers"].format(ou),`
			`attributes=["cn", "uid"],`
			`)`
			`users = ldap.entries`

add some group management 2021-12-21 08:27:25 +00:00			`ldap.search(`
			`APP_CONFIG["ldap"]["user_base"],`
			`APP_CONFIG["template"]["group_members"].format(ou),`
			`attributes=ALL_ATTRIBUTES,`
			`)`

			`return template(`
			`ldap,`
			`"groups/members.html",`
			`members=ldap.entries,`
			`ou=ou,`
implement group member management 2021-12-21 09:20:16 +00:00			`other_users=users,`
add some group management 2021-12-21 08:27:25 +00:00			`)`