several basic ldap utilities should now be working, including creating OUs in the local ldap (create_tapis_ldap_tenant_ou), creating test users in the dev OU (add_test_user), and checking passwords (check_username_password)

Joe Stubbs · Joe Stubbs · commit 167e3585745d · 2019-11-22T17:13:20.000-06:00
diff --git a/Dockerfile-tests b/Dockerfile-tests
@@ -0,0 +1,11 @@
+# Image: tapis/authenticator-tests
+from tapis/authenticator
+
+USER root
+ADD tests-requirements.txt /home/tapis/tests-requirements.txt
+RUN pip install -r /home/tapis/tests-requirements.txt
+ADD service/tests /home/tapis/service/tests
+RUN chown -R tapis:tapis /home/tapis
+
+USER tapis
+ENTRYPOINT ["pytest"]
diff --git a/service/ldap.py b/service/ldap.py
@@ -1,27 +1,163 @@
 from ldap3 import Server, Connection
 from ldap3.core.exceptions import LDAPBindError
+import json
 
 from service import get_tenant_config
 from service.errors import InvalidPasswordError
+from service.models import LdapOU, LdapUser
+
+from common.config import conf
+from common.errors import DAOError
 
 # get the logger instance -
 from common.logs import get_logger
 logger = get_logger(__name__)
 
 
-def get_ldap_connection(tenant_id, bind_dn=None, bind_credential=None):
+def get_ldap_connection(ldap_server, ldap_port, bind_dn, bind_password, use_ssl=True):
     """
-    Get an ldap connection to the ldap server corresponding to the tenant_id. 
-    :param tenant_id: 
+    Get a connection to an LDAP server.
+    :param ldap_server: The URI of the ldap server.
+    :param ldap_port: The port of the ldap server.
+    :param bind_dn: The DN to use to bind.
+    :param bind_password: The password associated with the bind DN.
+    :param use_ssl: Whether to use SSL when connecting to the LDAP server.
+    :return:
+    """
+    server = Server(ldap_server, port=ldap_port, use_ssl=use_ssl)
+    conn = Connection(server, bind_dn, bind_password, auto_bind=True)
+    return conn
+
+def get_tapis_ldap_server_info():
+    """
+    Returns dictionary of Tapis LDAP server connection information.
+    :return: (dict)
+    """
+    return {
+        "server": conf.dev_ldap_url,
+        "port": conf.dev_ldap_port,
+        "bind_dn": conf.dev_ldap_bind_dn,
+        "bind_password": conf.dev_ldap_bind_credential,
+        "base_dn": conf.dev_ldap_tenants_base_dn,
+        "use_ssl": conf.dev_ldap_use_ssl
+    }
+
+tapis_ldap = get_tapis_ldap_server_info()
+
+def get_tapis_ldap_connection():
+    """
+    Convenience wrapper function to get an ldap connection to the Tapis dev ldap server.
+    :return:
+    """
+    try:
+        return get_ldap_connection(ldap_server = tapis_ldap['server'],
+                                   ldap_port = tapis_ldap['port'],
+                                   bind_dn = tapis_ldap['bind_dn'],
+                                   bind_password = tapis_ldap['bind_password'],
+                                   use_ssl = tapis_ldap['use_ssl'])
+    except LDAPBindError as e:
+        logger.debug(f'Invalid Tapis bind credential: {e}')
+        raise InvalidPasswordError("Invalid username/password combination.")
+    except Exception as e:
+        msg = f"Got exception trying to create connection object to Tapis LDAP. e: {e}"
+        logger.error(msg)
+        raise DAOError(msg)
+
+
+def add_tapis_ou(ou):
+    """
+    Add an LDAP record representing an Organizational Unit (ou) to the Tapis LDAP.
+    :param ou: (LdapOU) The OU object to add.
+    :return:
+    """
+    conn = get_tapis_ldap_connection()
+    try:
+        result = conn.add(ou.dn, ou.object_class)
+    except Exception as e:
+        msg = f'got an error trying to add an ou. Exception: {e}; ou.dn: {ou.dn}; ou.object_class: {ou.object_class}'
+        logger.error(msg)
+    if not result:
+        msg = f'Got False result trying to add OU to LDAP; error data: {conn.result}'
+        logger.error(msg)
+        raise DAOError("Unable to add OU to LDAP database; "
+                       "Required fields could be missing or improperly formatted.")
+    return True
+
+
+def list_tapis_ous():
+    """
+    List the OUs associated with the Tapis LDAP server.
+    :return:
+    """
+    conn = get_tapis_ldap_connection()
+    try:
+        # search for all cn's under the tapis tenants base_dn and pull back all attributes
+        result = conn.search(conf.dev_ldap_tenants_base_dn, '(ou=*)', attributes=['*'])
+    except Exception as e:
+        msg = f'Got an exception trying to list Tapis OUs. Exception: {e}'
+        logger.error(msg)
+        raise DAOError(msg)
+    if not result:
+        msg = f'Got an error trying to list Tapis OUs. message: {conn.result}'
+        logger.error(msg)
+    # return the results -
+    result = []
+    for ent in conn.entries:
+        result.append(ent.entry_attributes_as_dict)
+    return result
+
+
+def create_tapis_ldap_tenant_ou(tenant_id):
+    """
+    Create an OU in the Tapis LDAP for a tenant id.
+    :param tenant_id:
+    :return:
+    """
+    base_dn = tapis_ldap['base_dn']
+    ou = LdapOU(dn=f'ou=tenants.{tenant_id},{base_dn}')
+    return add_tapis_ou(ou)
+
+
+def get_tenant_ldap_connection(tenant_id, bind_dn=None, bind_password=None):
+    """
+    Convenience wrapper function to get an ldap connection to the ldap server corresponding to the tenant_id.
+    :param tenant_id: (str) The id of the tenant.
+    :param bind_dn: (str) Optional dn to use to bind. Pass this to check validity of a username/password.
+    :param bind_password (str) Optional password to use to bind. Pass this to check validity of a username/password.
     :return: 
     """
     tenant = get_tenant_config(tenant_id)
-    server = Server(tenant['ldap_url'], port=tenant['ldap_port'], use_ssl=tenant['ldap_use_ssl'])
-    if bind_dn and bind_credential:
-        conn = Connection(server, bind_dn, bind_credential, auto_bind=True)
-    else:
-        conn = Connection(server, tenant['ldap_bind_dn'], tenant['ldap_bind_credential'], auto_bind=True)
-    return conn
+    # if we are passed specific bind credentials, use those:
+    if not bind_dn is None:
+        return get_ldap_connection(ldap_server=tenant['ldap_url'],
+                                   ldap_port=tenant['ldap_port'],
+                                   bind_dn=bind_dn,
+                                   bind_password=bind_password,
+                                   use_ssl=tenant['ldap_use_ssl'])
+    # otherwise, return the connection associated with the tenant's bind credentials -
+    return get_ldap_connection(ldap_server=tenant['ldap_url'],
+                               ldap_port=tenant['ldap_port'],
+                               bind_dn=tenant['ldap_bind_dn'],
+                               bind_password=tenant['ldap_bind_credential'],
+                               use_ssl=tenant['ldap_use_ssl'])
+
+def list_tenant_users(tenant_id):
+    """
+    List all users in a tenant
+    :param tenant_id: (str) the tenant id to use.
+    :return:
+    """
+    tenant = get_tenant_config(tenant_id)
+    conn = get_tenant_ldap_connection(tenant_id)
+    result = conn.search(tenant['ldap_user_dn'], '(cn=*)', attributes=['*'])
+    if not result:
+        msg = f'Error retrieving users; debug information: {conn.result}'
+        logger.error(msg)
+        raise DAOError(msg)
+    result = []
+    for ent in conn.entries:
+        result.append(ent.entry_attributes_as_dict)
+    return result
 
 def get_dn(tenant_id, username):
     """
@@ -32,7 +168,7 @@ def get_dn(tenant_id, username):
     """
     tenant = get_tenant_config(tenant_id)
     ldap_user_dn = tenant['ldap_user_dn']
-    return f'uid={username},{ldap_user_dn}'
+    return f'cn={username},{ldap_user_dn}'
 
 def check_username_password(tenant_id, username, password):
     """
@@ -44,18 +180,36 @@ def check_username_password(tenant_id, username, password):
     """
     bind_dn = get_dn(tenant_id, username)
     try:
-        get_ldap_connection(tenant_id, bind_dn, password)
+        conn = get_tenant_ldap_connection(tenant_id, bind_dn=bind_dn, bind_password=password)
     except LDAPBindError as e:
-        logger.debg(f'got exception checking password: {e}')
+        logger.debug(f'got exception checking password: {e}')
         raise InvalidPasswordError("Invalid username/password combination.")
 
-def add_user(tenant_id, username, password):
+
+def add_user(tenant_id, user):
     """
-    Add an LDAP record
-    :param tenant_id: 
-    :param username: 
-    :param password: 
+    Add an LDAP record representing a user in a specific tenant.
+    :param tenant_id: (str) The tenant id of the tenant where the user should be added.
+    :param user: (LdapUser) An LdapUser object containing the details of the user to add.
     :return: 
     """
+    conn = get_tenant_ldap_connection(tenant_id)
+    user.save(conn)
 
-
+def add_test_user(tenant_id, username):
+    """
+    Add a testuser to the Tapis LDAP for tenant id, tenant_id. The username is required and from it, all inetorgperson
+    attributes are derived.
+    :param tenant_id: (str) the tenant id.
+    :param username: (str) the username of the test account.
+    :return:
+    """
+    # first, create an LdapUser object with the appropriate attributes.
+    base_dn = tapis_ldap['base_dn']
+    user = LdapUser(dn=f'cn={username},ou=tenants.{tenant_id},{base_dn}',
+                    givenName=username,
+                    sn=username,
+                    mail=f'{username}@test.tapis.io',
+                    userPassword=username)
+    # now call the generic add user for the tenant id:
+    add_user(tenant_id, user)
diff --git a/service/models.py b/service/models.py
@@ -8,6 +8,9 @@
 
 from common.config import conf
 from common.errors import DAOError
+from common.logs import get_logger
+logger = get_logger(__name__)
+
 
 app = Flask(__name__)
 app.config['SQLALCHEMY_DATABASE_URI'] = conf.sql_db_url
@@ -116,7 +119,7 @@ class LdapUser(object):
     # dn for the record;
     dn = None
     # we use inetOrgPerson for all LDAP user object
-    object_classes = [u'inetOrgPerson']
+    object_class = 'inetOrgPerson'
 
     # attributes
     # inetOrgPerson -----
@@ -133,14 +136,22 @@ class LdapUser(object):
     username = None
     password = None
 
-    def __init__(self, dn, givenName, sn, cn, mail, telephoneNumber, mobile,
-                 createTimestamp, uidNumber, uid, userPassword):
+    def __init__(self,
+                 dn,
+                 givenName=None,
+                 sn=None,
+                 mail=None,
+                 telephoneNumber=None,
+                 mobile=None,
+                 createTimestamp=None,
+                 uidNumber=None,
+                 uid=None,
+                 userPassword=None):
         """
-        Create a LdapUser object from an LDAP row.
+        Create an LdapUser object corresponding to an entry in an LDAP server.
         :param dn: 
         :param givenName: 
-        :param sn: 
-        :param cn: 
+        :param sn:
         :param mail: 
         :param telephoneNumber: 
         :param mobile: 
@@ -152,7 +163,6 @@ def __init__(self, dn, givenName, sn, cn, mail, telephoneNumber, mobile,
         self.dn = dn
         self.given_name = givenName
         self.last_name = sn
-        self.full_name = cn
         self.email = mail
         self.phone = telephoneNumber
         self.mobile_phone = mobile
@@ -161,6 +171,58 @@ def __init__(self, dn, givenName, sn, cn, mail, telephoneNumber, mobile,
         self.username = uid
         self.password = userPassword
 
+    def save(self, conn):
+        """
+        Save an LdapUser object in an LDAP server with connection, conn.
+        :param conn (ldap3.core.connection.Connection) A connection to the ldap server.
+        :return:
+        """
+        # first, get the ldap representation of this object and remove any fields not allowed to be passed to
+        # ldap on save:
+        repr = self.serialize_to_ldap
+        repr.pop('create_time', None)
+        repr.pop('dn')
+        try:
+            result = conn.add(self.dn, self.object_class, repr)
+        except Exception as e:
+            msg = f'Got exception trying to add a user to LDAP; exception: {e}'
+            logger.error(msg)
+            raise DAOError("Unable to communicate with LDAP database when trying to save user account.")
+        if not result:
+            msg = f'Got False result trying to add a user to LDAP; error data: {conn.result}'
+            logger.error(msg)
+            raise DAOError("Unable to save user account in LDAP database; "
+                           "Required fields could be missing or improperly formatted.")
+        # the object was saved successfully so we can now return it:
+        return True
+
+    @property
+    def serialize_to_ldap(self):
+        """
+        Creates a Python dictionary using the LDAP inetorgperson attributes names.
+        :return:
+        """
+        result = {'dn': self.dn}
+        if self.given_name:
+            result['givenName'] = self.given_name
+        if self.last_name:
+            result['sn'] = self.last_name
+        if self.email:
+            result['mail'] = self.email
+        if self.phone:
+            result['telephoneNumber'] = self.phone
+        if self.mobile_phone:
+            result['mobile'] = self.mobile_phone
+        if self.create_time:
+            result['createTimestamp'] = self.create_time
+        if self.uid:
+            result['uidNumber'] = self.uid
+        if self.username:
+            result['uid'] = self.username
+        if self.password:
+            result['userPassword'] = self.password
+        return result
+
 
 class LdapOU(object):
     """
@@ -173,11 +235,14 @@ class LdapOU(object):
 
     # LDAP meta-data -----
     dn = None
-    object_classes = [u'organizationalUnit']
+    object_class = 'organizationalUnit'
 
     # attributes
     ou = None
 
+    def __init__(self, dn):
+        self.dn = dn
+
     def __str__(self):
         return self.ou
 
diff --git a/service/tests/__init__.py b/service/tests/__init__.py
diff --git a/service/tests/basic_test.py b/service/tests/basic_test.py
@@ -0,0 +1,18 @@
+import pytest
+import json
+from unittest import TestCase
+from service.api import app
+from common import auth
+
+# These tests are intended to be run locally.
+
+@pytest.fixture
+def client():
+    app.debug = True
+    return app.test_client()
+
+
+def test_invalid_post(client):
+    with client:
+        response = client.post("http://localhost:5000/v3/oauth/clients")
+        assert response.status_code == 400
diff --git a/tests-requirements.txt b/tests-requirements.txt
@@ -0,0 +1 @@
+pytest==5.1.2
