YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

portal-api: improve handling of ldap interfaces

Browse source
This commit is contained in:
Alexandre Aubin 2023-12-22 01:11:49 +01:00
parent 2be1dccb91
commit 7e7a6845d5
1 changed files with 23 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
src/portal.py
View file

@ -24,10 +24,10 @@ from typing import Any, Union
import ldap import ldap
from moulinette.utils.filesystem import read_json from moulinette.utils.filesystem import read_json
from yunohost.authenticators.ldap_ynhuser import URI, USERDN, Authenticator as Auth, user_is_allowed_on_domain from yunohost.authenticators.ldap_ynhuser import Authenticator as Auth, user_is_allowed_on_domain
from yunohost.user import _hash_user_password from yunohost.user import _hash_user_password
from yunohost.utils.error import YunohostError, YunohostValidationError from yunohost.utils.error import YunohostError, YunohostValidationError
from yunohost.utils.ldap import LDAPInterface, _ldap_path_extract from yunohost.utils.ldap import _get_ldap_interface, _ldap_path_extract, LDAPInterface
from yunohost.utils.password import ( from yunohost.utils.password import (
assert_password_is_compatible, assert_password_is_compatible,
assert_password_is_strong_enough, assert_password_is_strong_enough,
@ -41,15 +41,14 @@ ADMIN_ALIASES = ["root", "admin", "admins", "webmaster", "postmaster", "abuse"]
def _get_user_infos( def _get_user_infos(
user_attrs: list[str], user_attrs: list[str],
) -> tuple[str, str, dict[str, Any], LDAPInterface]: ) -> tuple[str, str, dict[str, Any]]:
auth = Auth().get_session_cookie(decrypt_pwd=True) auth = Auth().get_session_cookie()
username = auth["user"] username = auth["user"]
ldap_interface = LDAPInterface(username, auth["pwd"]) result = _get_ldap_interface().search("ou=users", f"uid={username}", user_attrs)
result = ldap_interface.search("ou=users", f"uid={username}", user_attrs)
if not result: if not result:
raise YunohostValidationError("user_unknown", user=username) raise YunohostValidationError("user_unknown", user=username)
return username, auth["host"], result[0], ldap_interface return username, auth["host"], result[0]
def _get_portal_settings( def _get_portal_settings(
@ -123,7 +122,7 @@ def portal_me():
""" """
Get user informations Get user informations
""" """
username, domain, user, _ = _get_user_infos( username, domain, user = _get_user_infos(
["cn", "mail", "maildrop", "mailuserquota", "memberOf", "permission"] ["cn", "mail", "maildrop", "mailuserquota", "memberOf", "permission"]
) )
@ -163,7 +162,7 @@ def portal_update(
from yunohost.domain import domain_list from yunohost.domain import domain_list
domains = domain_list()["domains"] domains = domain_list()["domains"]
username, domain, current_user, ldap_interface = _get_user_infos( username, domain, current_user = _get_user_infos(
["givenName", "sn", "cn", "mail", "maildrop", "memberOf"] ["givenName", "sn", "cn", "mail", "maildrop", "memberOf"]
) )
new_attr_dict = {} new_attr_dict = {}
@ -198,7 +197,7 @@ def portal_update(
) )
try: try:
ldap_interface.validate_uniqueness({"mail": mail}) _get_ldap_interface().validate_uniqueness({"mail": mail})
except YunohostError: except YunohostError:
raise YunohostValidationError( raise YunohostValidationError(
"mail_already_exists", mail=mail, path=f"mailalias[{index}]" "mail_already_exists", mail=mail, path=f"mailalias[{index}]"
@ -221,19 +220,6 @@ def portal_update(
] ]
if newpassword: if newpassword:
# FIXME: this ldap stuff should be handled in utils/ldap.py imho ?
# Check that current password is valid
try:
con = ldap.ldapobject.ReconnectLDAPObject(URI, retry_max=0)
con.simple_bind_s(USERDN.format(username=username), currentpassword)
except ldap.INVALID_CREDENTIALS:
raise YunohostValidationError("invalid_password", path="currentpassword")
finally:
# Free the connection, we don't really need it to keep it open as the point is only to check authentication...
if con:
con.unbind_s()
# Ensure compatibility and sufficiently complex password # Ensure compatibility and sufficiently complex password
try: try:
assert_password_is_compatible(newpassword) assert_password_is_compatible(newpassword)
@ -248,10 +234,24 @@ def portal_update(
new_attr_dict["userPassword"] = [_hash_user_password(newpassword)] new_attr_dict["userPassword"] = [_hash_user_password(newpassword)]
# Check that current password is valid
# To be able to edit the user info, an authenticated ldap session is needed
if newpassword:
# When setting the password, check the user provided the valid current password
try:
ldap_interface = LDAPInterface(username, currentpassword)
except ldap.INVALID_CREDENTIALS:
raise YunohostValidationError("invalid_password", path="currentpassword")
else:
# Otherwise we use the encrypted password stored in the cookie
ldap_interface = LDAPInterface(username, Auth().get_session_cookie(decrypt_pwd=True)["pwd"])
try: try:
ldap_interface.update(f"uid={username},ou=users", new_attr_dict) ldap_interface.update(f"uid={username},ou=users", new_attr_dict)
except Exception as e: except Exception as e:
raise YunohostError("user_update_failed", user=username, error=e) raise YunohostError("user_update_failed", user=username, error=e)
finally:
del ldap_interface
if "userPassword" in new_attr_dict: if "userPassword" in new_attr_dict:
Auth.invalidate_all_sessions_for_user(username) Auth.invalidate_all_sessions_for_user(username)