From edbfb7964e8e9830afa2d59ebc7c78e31b6ee004 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sun, 23 Feb 2020 16:52:30 +0100
Subject: [PATCH] [ldap] bind with admin to get attributes

---
 uncloud/opennebula/views.py       | 27 ++++++++++++++++-----------
 uncloud/uncloud/secrets_sample.py |  8 ++++++++
 uncloud/uncloud/settings.py       | 26 +++++++++++++++++++-------
 uncloud/uncloud/urls.py           |  5 +----
 4 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/uncloud/opennebula/views.py b/uncloud/opennebula/views.py
index 5505b32..0d9a334 100644
--- a/uncloud/opennebula/views.py
+++ b/uncloud/opennebula/views.py
@@ -1,22 +1,27 @@
 from rest_framework import viewsets, generics, permissions
+from rest_framework.response import Response
+
+from django.contrib.auth import get_user_model
+
 from .models import VM
 from .serializers import VMSerializer, OpenNebulaVMSerializer
-
-#class VMList(generics.ListAPIView):
-# queryset = VM.objects.all()
-# serializer_class = VMSerializer
-
-
 class RawVMViewSet(viewsets.ModelViewSet):
-# lookup_field = 'vmid'
     queryset = VM.objects.all()
     serializer_class = VMSerializer
-    permission_classes = [permissions.IsAuthenticated]
+    permission_classes = [permissions.IsAdminUser]
 class VMViewSet(viewsets.ModelViewSet):
-    queryset = VM.objects.all()
-    serializer_class = OpenNebulaVMSerializer
-    permission_classes = [permissions.IsAuthenticated]
+
+    def list(self, request):
+        queryset = VM.objects.filter(owner=request.user)
+        serializer = OpenNebulaVMSerializer(queryset, many=True)
+        return Response(serializer.data)
+
+    def retrieve(self, request, pk=None):
+        queryset = VM.objects.filter(owner=request.user)
+        user = get_object_or_404(queryset, pk=pk)
+        serializer = OpenNebulaVMSerializer(queryset)
+        return Response(serializer.data)
diff --git a/uncloud/uncloud/secrets_sample.py b/uncloud/uncloud/secrets_sample.py
index b578a8b..8c4516c 100644
--- a/uncloud/uncloud/secrets_sample.py
+++ b/uncloud/uncloud/secrets_sample.py
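Review bot: `retrieve` looks up one VM with `get_object_or_404`, which this file never imports (the `django.contrib.auth` line brings in `get_user_model`, and that name is unused), and then serializes the whole `queryset` without `many=True` instead of the object it bound to the misleading name `user`, so the detail route fails with a NameError before it can return the wrong payload. The new `VMViewSet` also drops the `permission_classes = [permissions.IsAuthenticated]` line the old one had; unless the project's `REST_FRAMEWORK` defaults require authentication, `request.user` may be `AnonymousUser` and the owner filter no longer expresses an access check. Since the class-level `queryset` is gone too, the create/update/partial_update/destroy actions the router still exposes under `opennebula` will fail in `get_queryset()`. Overriding `get_queryset` with the owner filter and keeping `serializer_class` lets the stock actions do the work and applies the same per-owner scoping to every action.
```python
# … unchanged: imports, RawVMViewSet …

class VMViewSet(viewsets.ModelViewSet):
    serializer_class = OpenNebulaVMSerializer
    permission_classes = [permissions.IsAuthenticated]

    def get_queryset(self):
        # Scope every action (list, retrieve, update, destroy) to the caller's own VMs.
        return VM.objects.filter(owner=self.request.user)
```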
@@ -8,3 +8,11 @@ OPENNEBULA_URL='https://opennebula.ungleich.ch:2634/RPC2'
 OPENNEBULA_USER_PASS='user:password'
 POSTGRESQL_DB_NAME="uncloud"
+
+
+# See https://django-auth-ldap.readthedocs.io/en/latest/authentication.html
+LDAP_ADMIN_DN=""
+LDAP_ADMIN_PASSWORD=""
+LDAP_SERVER_URI = ""
+
+SECRET_KEY="dx$iqt=lc&yrp^!z5$ay^%g5lhx1y3bcu=jg(jx0yj0ogkfqvf"
diff --git a/uncloud/uncloud/settings.py b/uncloud/uncloud/settings.py
index 0e08750..fc95a86 100644
--- a/uncloud/uncloud/settings.py
+++ b/uncloud/uncloud/settings.py
@@ -12,6 +12,10 @@ https://docs.djangoproject.com/en/3.0/ref/settings/
 import os
+# Uncommitted file with secrets
+import uncloud.secrets
+
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -20,7 +24,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'dx$iqt=lc&yrp^!z5$ay^%g5lhx1y3bcu=jg(jx0yj0ogkfqvf'
+SECRET_KEY = uncloud.secrets.SECRET_KEY
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = True
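Review bot: The sample file ships the very `SECRET_KEY` value that the `@@ -20,7 +24,7 @@` hunk of settings.py removes, so the key stays in the repository (and in history) under a new name and every deployment built from the sample shares it. Leave the sample value empty and have each deployment generate its own, e.g. `SECRET_KEY = ""  # generate per deployment: django.core.management.utils.get_random_secret_key()`, and treat the old value as compromised because it was committed. The same template problem applies to `LDAP_ADMIN_PASSWORD`; a comment at the top of the sample that the real `uncloud.secrets` module must stay out of version control would make the "Uncommitted file with secrets" intent visible where the copy is made.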
@@ -100,15 +104,25 @@ AUTH_PASSWORD_VALIDATORS = [
 import ldap
 from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+AUTH_LDAP_SERVER_URI = uncloud.secrets.LDAP_SERVER_URI
-AUTH_LDAP_SERVER_URI = "ldaps://ldap1.ungleich.ch,ldaps://ldap2.ungleich.ch"
-
-AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=customer,dc=ungleich,dc=ch"
+AUTH_LDAP_USER_ATTR_MAP = {
+    "first_name": "givenName",
+    "last_name": "sn",
+    "email": "mail"
+}
+AUTH_LDAP_BIND_DN = uncloud.secrets.LDAP_ADMIN_DN
+AUTH_LDAP_BIND_PASSWORD = uncloud.secrets.LDAP_ADMIN_PASSWORD
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
-    "ou=customer,dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
+    "dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
 )
+#AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=True
+#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=customer,dc=ungleich,dc=ch"
+
+
+
 ################################################################################
 # AUTH/Django
 AUTHENTICATION_BACKENDS = [
@@ -150,8 +164,6 @@ USE_TZ = True
 STATIC_URL = '/static/'
-# Uncommitted file with secrets
-import uncloud.secrets
 # Database
diff --git a/uncloud/uncloud/urls.py b/uncloud/uncloud/urls.py
index 0291b7f..a01ef66 100644
--- a/uncloud/uncloud/urls.py
+++ b/uncloud/uncloud/urls.py
@@ -24,7 +24,7 @@ from opennebula import views as oneviews
 router = routers.DefaultRouter()
 router.register(r'users', views.UserViewSet)
 router.register(r'groups', views.GroupViewSet)
-router.register(r'opennebula', oneviews.VMViewSet)
+router.register(r'opennebula', oneviews.VMViewSet, basename='opennebula')
 router.register(r'opennebula_raw', oneviews.RawVMViewSet)
 # Wire up our API using automatic URL routing.
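Review bot: The search base in `AUTH_LDAP_USER_SEARCH` changes from `ou=customer,dc=ungleich,dc=ch` to `dc=ungleich,dc=ch`, which widens who can authenticate: any entry anywhere in the tree with a matching `uid`, not only customers, now resolves, while the commit message only describes binding as admin to read attributes. If the wider base is not intended, keep the old one, `"ou=customer,dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"`; if it is, a comment saying so would stop the next reader from reverting it. The bind account now carries admin credentials, so a comment that `LDAP_ADMIN_DN` only needs read access to the user entries (least privilege) would help whoever provisions it. The commented-out `AUTH_LDAP_BIND_AS_AUTHENTICATING_USER` and `AUTH_LDAP_USER_DN_TEMPLATE` lines are dead config and should be removed rather than kept.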
@@ -34,7 +34,4 @@ urlpatterns = [
     path('admin/', admin.site.urls),
     path('products/', views.ProductsView.as_view(), name='products'),
     path('api-auth/', include('rest_framework.urls', namespace='rest_framework'))
-# path('vm/list/', oneviews.VMList.as_view(), name='vm_list'),
-# path('vm/detail//', oneviews.VMDetail.as_view(), name='vm_detail'),
-
 ]