forked from OCA/server-auth
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ADD] users_ldap_populate: migrate functionality added to 6.1 after 7…
….0 port (OCA#408) * [ADD] possibility to deactivate users not found in ldap while populating * [IMP] search in ldap for every possibly unknown user to be really sure it actually is not present there * [FIX] refactoring mistake * [IMP] don't use self.query() to be sure to be stopped if any error occurs * [IMP] remove superfluous check as exceptions are not supressed any more * [FIX] typo in variable name [FIX] handle unicode characters in search filter [FIX] search for user's login, not her name * [FIX] don't pass user_name as assertion_value * [FIX] don't deactivate users if we got a non-existent ldap configuration * [FIX] flake8 * [FIX] more flake8 * [FIX] make form usable * [FIX] name clash between function and field * [ADD] test
- Loading branch information
Showing
7 changed files
with
388 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
# -*- coding: utf-8 -*- | ||
############################################################################## | ||
# | ||
# OpenERP, Open Source Management Solution | ||
# This module copyright (C) 2012 Therp BV (<http://therp.nl>). | ||
# | ||
# This program is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU Affero General Public License as | ||
# published by the Free Software Foundation, either version 3 of the | ||
# License, or (at your option) any later version. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU Affero General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU Affero General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
############################################################################## | ||
{ | ||
"name": "LDAP Populate", | ||
"summary": "Create users from LDAP before they log in", | ||
"version": "8.0.1.2.0", | ||
"author": "Therp BV,Odoo Community Association (OCA)", | ||
"license": "AGPL-3", | ||
"category": 'Authentication', | ||
"depends": [ | ||
'auth_ldap', | ||
], | ||
'external_dependencies': { | ||
'python': ['ldap'], | ||
}, | ||
"data": [ | ||
'view/users_ldap.xml', | ||
'view/populate_wizard.xml', | ||
], | ||
'installable': True, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
# -*- coding: utf-8 -*- | ||
############################################################################## | ||
# | ||
# OpenERP, Open Source Management Solution | ||
# This module copyright (C) 2012 Therp BV (<http://therp.nl>). | ||
# | ||
# This program is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU Affero General Public License as | ||
# published by the Free Software Foundation, either version 3 of the | ||
# License, or (at your option) any later version. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU Affero General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU Affero General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
############################################################################## | ||
from openerp.osv import orm, fields # pylint: disable=W0402 | ||
|
||
|
||
class CompanyLDAPPopulateWizard(orm.TransientModel): | ||
_name = 'res.company.ldap.populate_wizard' | ||
_description = 'Populate users from LDAP' | ||
_columns = { | ||
'name': fields.char('Name', size=16), | ||
'ldap_id': fields.many2one( | ||
'res.company.ldap', 'LDAP Configuration'), | ||
'users_created': fields.integer( | ||
'Number of users created', readonly=True), | ||
'users_deactivated': fields.integer( | ||
'Number of users deactivated', readonly=True), | ||
} | ||
|
||
def create(self, cr, uid, vals, context=None): | ||
ldap_pool = self.pool.get('res.company.ldap') | ||
if 'ldap_id' in vals: | ||
vals['users_created'], vals['users_deactivated'] =\ | ||
ldap_pool.action_populate( | ||
cr, uid, vals['ldap_id'], context=context) | ||
return super(CompanyLDAPPopulateWizard, self).create( | ||
cr, uid, vals, context=None) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,192 @@ | ||
# -*- coding: utf-8 -*- | ||
############################################################################## | ||
# | ||
# OpenERP, Open Source Management Solution | ||
# This module copyright (C) 2012 Therp BV (<http://therp.nl>). | ||
# | ||
# This program is free software: you can redistribute it and/or modify | ||
# it under the terms of the GNU Affero General Public License as | ||
# published by the Free Software Foundation, either version 3 of the | ||
# License, or (at your option) any later version. | ||
# | ||
# This program is distributed in the hope that it will be useful, | ||
# but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
# GNU Affero General Public License for more details. | ||
# | ||
# You should have received a copy of the GNU Affero General Public License | ||
# along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
# | ||
############################################################################## | ||
|
||
import re | ||
from openerp.osv import orm, fields # pylint: disable=W0402 | ||
import ldap | ||
from openerp import SUPERUSER_ID | ||
import logging | ||
|
||
_logger = logging.getLogger(__name__) | ||
|
||
try: | ||
from ldap.filter import filter_format | ||
except ImportError: | ||
_logger.debug('Can not `from ldap.filter import filter_format`.') | ||
|
||
|
||
class CompanyLDAP(orm.Model): | ||
_inherit = 'res.company.ldap' | ||
|
||
_columns = { | ||
'no_deactivate_user_ids': fields.many2many( | ||
'res.users', 'res_company_ldap_no_deactivate_user_rel', | ||
'ldap_id', 'user_id', | ||
'Users never to deactivate', | ||
help='List users who never should be deactivated by' | ||
' the deactivation wizard'), | ||
'deactivate_unknown_users': fields.boolean( | ||
'Deactivate unknown users'), | ||
} | ||
|
||
_defaults = { | ||
'no_deactivate_user_ids': [(6, 0, [SUPERUSER_ID])], | ||
'deactivate_unknown_users': False, | ||
} | ||
|
||
def action_populate(self, cr, uid, ids, context=None): | ||
""" | ||
Prepopulate the user table from one or more LDAP resources. | ||
Obviously, the option to create users must be toggled in | ||
the LDAP configuration. | ||
Return the number of users created (as far as we can tell). | ||
""" | ||
if isinstance(ids, (int, float)): | ||
ids = [ids] | ||
|
||
users_pool = self.pool.get('res.users') | ||
users_no_before = users_pool.search( | ||
cr, uid, [], context=context, count=True) | ||
logger = logging.getLogger('orm.ldap') | ||
logger.debug("action_populate called on res.company.ldap ids %s", ids) | ||
|
||
deactivate_unknown = None | ||
known_user_ids = [uid] | ||
for this in self.read(cr, uid, ids, | ||
[ | ||
'no_deactivate_user_ids', | ||
'deactivate_unknown_users', | ||
], | ||
context=context, load='_classic_write'): | ||
if deactivate_unknown is None: | ||
deactivate_unknown = True | ||
known_user_ids.extend(this['no_deactivate_user_ids']) | ||
deactivate_unknown &= this['deactivate_unknown_users'] | ||
|
||
if deactivate_unknown: | ||
logger.debug("will deactivate unknown users") | ||
|
||
for conf in self.get_ldap_dicts(cr, ids): | ||
if not conf['create_user']: | ||
continue | ||
attribute_match = re.search( | ||
r'([a-zA-Z_]+)=\%s', conf['ldap_filter']) | ||
if attribute_match: | ||
login_attr = attribute_match.group(1) | ||
else: | ||
raise orm.except_orm( | ||
"No login attribute found", | ||
"Could not extract login attribute from filter %s" % | ||
conf['ldap_filter']) | ||
results = self.get_ldap_entry_dicts(conf) | ||
for result in results: | ||
user_id = self.get_or_create_user( | ||
cr, uid, conf, result[1][login_attr][0], result) | ||
# this happens if something goes wrong while creating the user | ||
# or fetching information from ldap | ||
if not user_id: | ||
deactivate_unknown = False | ||
known_user_ids.append(user_id) | ||
|
||
users_no_after = users_pool.search( | ||
cr, uid, [], context=context, count=True) | ||
users_created = users_no_after - users_no_before | ||
|
||
deactivated_users_count = 0 | ||
if deactivate_unknown: | ||
deactivated_users_count = self.do_deactivate_unknown_users( | ||
cr, uid, ids, known_user_ids, context=context) | ||
|
||
logger.debug("%d users created", users_created) | ||
logger.debug("%d users deactivated", deactivated_users_count) | ||
return users_created, deactivated_users_count | ||
|
||
def do_deactivate_unknown_users( | ||
self, cr, uid, ids, known_user_ids, context=None): | ||
""" | ||
Deactivate users not found in last populate run | ||
""" | ||
res_users = self.pool.get('res.users') | ||
unknown_user_ids = [] | ||
for unknown_user in res_users.read( | ||
cr, uid, | ||
res_users.search( | ||
cr, uid, | ||
[('id', 'not in', known_user_ids)], | ||
context=context), | ||
['login'], | ||
context=context): | ||
present_in_ldap = False | ||
for conf in self.get_ldap_dicts(cr, ids): | ||
present_in_ldap |= bool(self.get_ldap_entry_dicts( | ||
conf, user_name=unknown_user['login'])) | ||
if not present_in_ldap: | ||
res_users.write( | ||
cr, uid, unknown_user['id'], {'active': False}, | ||
context=context) | ||
unknown_user_ids.append(unknown_user['id']) | ||
|
||
return len(unknown_user_ids) | ||
|
||
def get_ldap_entry_dicts(self, conf, user_name='*'): | ||
""" | ||
Execute ldap query as defined in conf | ||
Don't call self.query because it supresses possible exceptions | ||
""" | ||
ldap_filter = filter_format(conf['ldap_filter'] % user_name, ()) | ||
conn = self.connect(conf) | ||
conn.simple_bind_s(conf['ldap_binddn'] or '', | ||
conf['ldap_password'] or '') | ||
results = conn.search_st(conf['ldap_base'], ldap.SCOPE_SUBTREE, | ||
ldap_filter.encode('utf8'), None, | ||
timeout=60) | ||
conn.unbind() | ||
|
||
return results | ||
|
||
def populate_wizard(self, cr, uid, ids, context=None): | ||
""" | ||
GUI wrapper for the populate method that reports back | ||
the number of users created. | ||
""" | ||
if not ids: | ||
return | ||
if isinstance(ids, (int, float)): | ||
ids = [ids] | ||
wizard_obj = self.pool.get('res.company.ldap.populate_wizard') | ||
res_id = wizard_obj.create( | ||
cr, uid, {'ldap_id': ids[0]}, context=context) | ||
|
||
return { | ||
'name': wizard_obj._description, | ||
'view_type': 'form', | ||
'view_mode': 'form', | ||
'res_model': wizard_obj._name, | ||
'domain': [], | ||
'context': context, | ||
'type': 'ir.actions.act_window', | ||
'target': 'new', | ||
'res_id': res_id, | ||
'nodestroy': True, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
# -*- coding: utf-8 -*- | ||
# © 2016 Therp BV <http://therp.nl> | ||
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). | ||
from . import test_users_ldap_populate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
# -*- coding: utf-8 -*- | ||
# © 2016 Therp BV <http://therp.nl> | ||
# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html). | ||
from openerp.tests.common import TransactionCase | ||
from contextlib import contextmanager | ||
|
||
|
||
class patch_ldap_connection(object): | ||
def __init__(self, results): | ||
self.results = results | ||
|
||
def simple_bind_s(self, user, password): | ||
return True | ||
|
||
def search_st(self, base, scope, ldap_filter, attributes, timeout=None): | ||
if ldap_filter == '(uid=*)': | ||
return self.results | ||
else: | ||
return [] | ||
|
||
def unbind(self): | ||
return True | ||
|
||
|
||
@contextmanager | ||
def patch_ldap(self, results): | ||
""" defuse ldap functions to return fake entries instead of talking to a | ||
server. Use this in your own ldap related tests """ | ||
import ldap | ||
original_initialize = ldap.initialize | ||
|
||
def initialize(uri): | ||
return patch_ldap_connection(results) | ||
ldap.initialize = initialize | ||
yield | ||
ldap.initialize = original_initialize | ||
|
||
|
||
def get_fake_ldap(self): | ||
company = self.env.ref('base.main_company') | ||
company.write({ | ||
'ldaps': [(0, 0, { | ||
'ldap_server': 'fake', | ||
'ldap_port': 'fake', | ||
'ldap_filter': '(uid=%s)', | ||
'ldap_base': 'fake', | ||
'deactivate_unknown_users': True, | ||
'no_deactivate_user_ids': [(6, 0, [ | ||
self.env.ref('base.user_root').id, | ||
])], | ||
})], | ||
}) | ||
return company.ldaps.filtered( | ||
lambda x: x.ldap_server == 'fake' | ||
) | ||
|
||
|
||
class TestUsersLdapPopulate(TransactionCase): | ||
def test_users_ldap_populate(self): | ||
with patch_ldap(self, [('DN=fake', { | ||
'cn': ['fake'], | ||
'uid': ['fake'], | ||
'mail': ['fake@fakery.com'], | ||
})]): | ||
get_fake_ldap(self).populate_wizard() | ||
self.assertFalse(self.env.ref('base.user_demo').active) | ||
self.assertTrue(self.env.ref('base.user_root').active) | ||
self.assertTrue(self.env['res.users'].search([ | ||
('login', '=', 'fake') | ||
])) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
<?xml version="1.0"?> | ||
<openerp> | ||
<data> | ||
<record model="ir.ui.view" id="populate_wizard_view"> | ||
<field name="model">res.company.ldap.populate_wizard</field> | ||
<field name="arch" type="xml"> | ||
<form string="Add populate button to ldap view"> | ||
<group> | ||
<field name="users_created"/> | ||
<field name="users_deactivated"/> | ||
<button icon="gtk-ok" string="OK" special="cancel"/> | ||
</group> | ||
</form> | ||
</field> | ||
</record> | ||
</data> | ||
</openerp> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<?xml version="1.0"?> | ||
<openerp> | ||
<data> | ||
<record model="ir.ui.view" id="company_form_view"> | ||
<field name="name">Add populate button to ldap view</field> | ||
<field name="model">res.company</field> | ||
<field name="inherit_id" ref="auth_ldap.company_form_view"/> | ||
<field name="arch" type="xml"> | ||
<xpath expr="//form[@string='LDAP Configuration']" position="inside"> | ||
<group string="Populate user database"> | ||
<field name="deactivate_unknown_users"/> | ||
<field name="no_deactivate_user_ids" attrs="{'invisible': [('deactivate_unknown_users', '=', False)]}" widget="many2many_tags" /> | ||
</group> | ||
<button name="populate_wizard" | ||
string="Populate" | ||
type="object" | ||
colspan="2"/> | ||
</xpath> | ||
</field> | ||
</record> | ||
</data> | ||
</openerp> |