From edbfb7964e8e9830afa2d59ebc7c78e31b6ee004 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sun, 23 Feb 2020 16:52:30 +0100 Subject: [PATCH 1/3] [ldap] bind with admin to get attributes --- uncloud/opennebula/views.py | 27 ++++++++++++++++----------- uncloud/uncloud/secrets_sample.py | 8 ++++++++ uncloud/uncloud/settings.py | 26 +++++++++++++++++++------- uncloud/uncloud/urls.py | 5 +---- 4 files changed, 44 insertions(+), 22 deletions(-) diff --git a/uncloud/opennebula/views.py b/uncloud/opennebula/views.py index 5505b32..0d9a334 100644 --- a/uncloud/opennebula/views.py +++ b/uncloud/opennebula/views.py @@ -1,22 +1,27 @@ from rest_framework import viewsets, generics, permissions +from rest_framework.response import Response + +from django.contrib.auth import get_user_model + from .models import VM from .serializers import VMSerializer, OpenNebulaVMSerializer - -#class VMList(generics.ListAPIView): -# queryset = VM.objects.all() -# serializer_class = VMSerializer - - class RawVMViewSet(viewsets.ModelViewSet): -# lookup_field = 'vmid' queryset = VM.objects.all() serializer_class = VMSerializer - permission_classes = [permissions.IsAuthenticated] + permission_classes = [permissions.IsAdminUser] class VMViewSet(viewsets.ModelViewSet): - queryset = VM.objects.all() - serializer_class = OpenNebulaVMSerializer - permission_classes = [permissions.IsAuthenticated] + + def list(self, request): + queryset = VM.objects.filter(owner=request.user) + serializer = OpenNebulaVMSerializer(queryset, many=True) + return Response(serializer.data) + + def retrieve(self, request, pk=None): + queryset = VM.objects.filter(owner=request.user) + user = get_object_or_404(queryset, pk=pk) + serializer = OpenNebulaVMSerializer(queryset) + return Response(serializer.data) diff --git a/uncloud/uncloud/secrets_sample.py b/uncloud/uncloud/secrets_sample.py index b578a8b..8c4516c 100644 --- a/uncloud/uncloud/secrets_sample.py +++ b/uncloud/uncloud/secrets_sample.py 
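Review bot: In the new `VMViewSet.retrieve`, the serializer is built from `queryset` instead of the object that `get_object_or_404` just fetched, so a detail request returns the whole owner-filtered set, and `get_object_or_404` is not imported anywhere in the import block at the top of this hunk (it lives in `django.shortcuts`), so the call raises `NameError` at runtime. The class also loses the `permission_classes = [permissions.IsAuthenticated]` line the old version had, so it now inherits DRF's default permissions, which are `AllowAny` unless `REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES']` is set elsewhere in settings (not visible here); an anonymous request would then reach `VM.objects.filter(owner=request.user)` with an `AnonymousUser` and fail with a 500 rather than a 401/403. Because the base is still `ModelViewSet`, the create/update/partial_update/destroy routes remain registered with no `queryset` or `serializer_class` behind them; if writes are not intended, `ReadOnlyModelViewSet` matches what is implemented. The rewritten class, with `from django.shortcuts import get_object_or_404` added to the imports, would look like this:
```python
class VMViewSet(viewsets.ReadOnlyModelViewSet):
    permission_classes = [permissions.IsAuthenticated]

    # … unchanged: list() …

    def retrieve(self, request, pk=None):
        queryset = VM.objects.filter(owner=request.user)
        vm = get_object_or_404(queryset, pk=pk)
        serializer = OpenNebulaVMSerializer(vm, context={'request': request})
        return Response(serializer.data)
```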
@@ -8,3 +8,11 @@ OPENNEBULA_URL='https://opennebula.ungleich.ch:2634/RPC2' OPENNEBULA_USER_PASS='user:password' POSTGRESQL_DB_NAME="uncloud" + + +# See https://django-auth-ldap.readthedocs.io/en/latest/authentication.html +LDAP_ADMIN_DN="" +LDAP_ADMIN_PASSWORD="" +LDAP_SERVER_URI = "" + +SECRET_KEY="dx$iqt=lc&yrp^!z5$ay^%g5lhx1y3bcu=jg(jx0yj0ogkfqvf" diff --git a/uncloud/uncloud/settings.py b/uncloud/uncloud/settings.py index 0e08750..fc95a86 100644 --- a/uncloud/uncloud/settings.py +++ b/uncloud/uncloud/settings.py @@ -12,6 +12,10 @@ https://docs.djangoproject.com/en/3.0/ref/settings/ import os +# Uncommitted file with secrets +import uncloud.secrets + + # Build paths inside the project like this: os.path.join(BASE_DIR, ...) BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) @@ -20,7 +24,7 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) # See https://docs.djangoproject.com/en/3.0/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'dx$iqt=lc&yrp^!z5$ay^%g5lhx1y3bcu=jg(jx0yj0ogkfqvf' +SECRET_KEY = uncloud.secrets.SECRET_KEY # SECURITY WARNING: don't run with debug turned on in production! DEBUG = True 
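Review bot: The `SECRET_KEY` literal added to `secrets_sample.py` is the same value that the settings.py hunk in this patch removes, so the key that was already committed in settings.py is re-committed in the sample and anyone who copies the sample to `secrets.py` runs with a publicly known signing key (session cookies, password-reset tokens and anything else Django signs with it can then be forged). Ship a placeholder instead, e.g. `SECRET_KEY = ""  # generate with: python -c "from django.core.management.utils import get_random_secret_key as g; print(g())"`, and rotate the key on every deployed instance, since the old value stays in git history regardless. The LDAP entries would also benefit from guidance: `LDAP_SERVER_URI = ""  # e.g. "ldaps://ldap1.example.org"; keep ldaps://` preserves the TLS-only setup the removed hard-coded URI had, and a comment that `LDAP_ADMIN_DN` should be a read-only search account rather than a directory administrator keeps the bind credential at least privilege.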
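Review bot: `SECRET_KEY = uncloud.secrets.SECRET_KEY` moves one production-sensitive setting out of the repository, but the `DEBUG = True` two lines below it (context in this hunk) stays hard-coded, so a deployment that follows the new secrets.py pattern still ships with debug pages that expose settings and tracebacks. Reading it from the same uncommitted module with a safe default, `DEBUG = getattr(uncloud.secrets, "DEBUG", False)`, keeps the production default off while letting a developer's secrets.py turn it on.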
@@ -100,15 +104,25 @@ AUTH_PASSWORD_VALIDATORS = [ import ldap from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion +AUTH_LDAP_SERVER_URI = uncloud.secrets.LDAP_SERVER_URI -AUTH_LDAP_SERVER_URI = "ldaps://ldap1.ungleich.ch,ldaps://ldap2.ungleich.ch" - -AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=customer,dc=ungleich,dc=ch" +AUTH_LDAP_USER_ATTR_MAP = { + "first_name": "givenName", + "last_name": "sn", + "email": "mail" +} +AUTH_LDAP_BIND_DN = uncloud.secrets.LDAP_ADMIN_DN +AUTH_LDAP_BIND_PASSWORD = uncloud.secrets.LDAP_ADMIN_PASSWORD AUTH_LDAP_USER_SEARCH = LDAPSearch( - "ou=customer,dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)" + "dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)" ) +#AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=True +#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=customer,dc=ungleich,dc=ch" + + + ################################################################################ # AUTH/Django AUTHENTICATION_BACKENDS = [ @@ -150,8 +164,6 @@ USE_TZ = True STATIC_URL = '/static/' -# Uncommitted file with secrets -import uncloud.secrets # Database diff --git a/uncloud/uncloud/urls.py b/uncloud/uncloud/urls.py index 0291b7f..a01ef66 100644 --- a/uncloud/uncloud/urls.py +++ b/uncloud/uncloud/urls.py @@ -24,7 +24,7 @@ from opennebula import views as oneviews router = routers.DefaultRouter() router.register(r'users', views.UserViewSet) router.register(r'groups', views.GroupViewSet) -router.register(r'opennebula', oneviews.VMViewSet) +router.register(r'opennebula', oneviews.VMViewSet, basename='opennebula') router.register(r'opennebula_raw', oneviews.RawVMViewSet) # Wire up our API using automatic URL routing. 
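Review bot: The `AUTH_LDAP_USER_SEARCH` base is widened from `ou=customer,dc=ungleich,dc=ch` to `dc=ungleich,dc=ch` with `SCOPE_SUBTREE`, so any entry anywhere in the directory that carries a matching `uid` (other OUs, staff or service accounts, if such exist) can now authenticate to this application, and a `uid` that appears in two OUs makes the lookup ambiguous. Unless the intent really is to admit non-customer entries, keep the narrower base: `"ou=customer,dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"`. The service bind now uses `LDAP_ADMIN_DN`/`LDAP_ADMIN_PASSWORD`; under django-auth-ldap's documented flow the password check is still a simple bind as the DN found by the search (the commented-out `AUTH_LDAP_BIND_AS_AUTHENTICATING_USER` is not needed for that), so the bind account only needs search and read rights on the search base, and a comment such as `# Read-only service account used to search the tree and read the mapped attributes; not a directory admin` above `AUTH_LDAP_BIND_DN` would record that. With the URI now coming from secrets, nothing in this hunk enforces `ldaps://`; if `AUTH_LDAP_START_TLS` or `AUTH_LDAP_CONNECTION_OPTIONS` are not set elsewhere in the file, a plain `ldap://` URI in secrets.py would send both the bind password and every user password in clear.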
@@ -34,7 +34,4 @@ urlpatterns = [ path('admin/', admin.site.urls), path('products/', views.ProductsView.as_view(), name='products'), path('api-auth/', include('rest_framework.urls', namespace='rest_framework')) -# path('vm/list/', oneviews.VMList.as_view(), name='vm_list'), -# path('vm/detail//', oneviews.VMDetail.as_view(), name='vm_detail'), - ] From 46921c43ad1956a70c8377e589791302b64005b9 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sun, 23 Feb 2020 17:11:05 +0100 Subject: [PATCH 2/3] update ldap, update syncvm --- uncloud/opennebula/management/commands/syncvm.py | 10 +++++++--- uncloud/opennebula/views.py | 2 +- uncloud/uncloud/settings.py | 6 +----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/uncloud/opennebula/management/commands/syncvm.py b/uncloud/opennebula/management/commands/syncvm.py index 136e145..795d53a 100644 --- a/uncloud/opennebula/management/commands/syncvm.py +++ b/uncloud/opennebula/management/commands/syncvm.py @@ -26,11 +26,14 @@ class Command(BaseCommand): vms = json.loads(json.dumps(parse(response)))['VM_POOL']['VM'] for i, vm in enumerate(vms): vm_id = vm['ID'] - vm_owner = vm['UNAME'] + vm_owner_email = vm['UNAME'] + try: - user = get_user_model().objects.get(username=vm_owner) + user = get_user_model().objects.get(email=vm_owner_email) except get_user_model().DoesNotExist: - user = get_user_model().objects.create_user(username=vm_owner) + print("Skipping VM import for unknown user with email: {}".format(vm_owner_email)) + continue + # user = get_user_model().objects.create_user(username=vm_owner) VMModel.objects.update_or_create( defaults= { 'data': vm, @@ -40,3 +43,4 @@ class Command(BaseCommand): else: print(response) + print(uncloud.secrets.OPENNEBULA_USER_PASS) diff --git a/uncloud/opennebula/views.py b/uncloud/opennebula/views.py index 0d9a334..29fdb64 100644 --- a/uncloud/opennebula/views.py +++ b/uncloud/opennebula/views.py 
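Review bot: `get_user_model().objects.get(email=vm_owner_email)` only guards against `DoesNotExist`; Django's default user `email` field is not unique, so two accounts sharing an address raise `MultipleObjectsReturned`, which escapes the `except` and aborts the whole sync run. Because `email` is populated from the LDAP `mail` attribute via `AUTH_LDAP_USER_ATTR_MAP` in settings.py, this lookup also turns the e-mail address into the key that assigns VM ownership; if that attribute can be edited by the user or is not unique in the directory (not visible here), a changed address could attach another tenant's VMs to the wrong account, so a stable identifier (the OpenNebula `UNAME` matched against `username`, or a dedicated unique field) would be safer. At minimum catch both outcomes, `except (get_user_model().DoesNotExist, get_user_model().MultipleObjectsReturned):`, and log rather than `print` the skipped VM id and owner. The commented-out `create_user` line is dead code and can go; the enclosing `handle` method starts before this hunk.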
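Review bot: The added `print(uncloud.secrets.OPENNEBULA_USER_PASS)` writes the OpenNebula `user:password` credential to stdout on the error path after `print(response)`, where it ends up in terminal scrollback, cron mail or whatever captures the management command's output; it reads as a leftover debugging aid and should be removed before merge. If the goal was to diagnose a failed RPC call, log the endpoint URL and the response status instead, never the secret. Whether `uncloud.secrets` is even imported in syncvm.py is not visible in this hunk; the enclosing `handle` method starts before it, and the original indentation of the new line is not recoverable from this rendering.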
@@ -17,7 +17,7 @@ class VMViewSet(viewsets.ModelViewSet): def list(self, request): queryset = VM.objects.filter(owner=request.user) - serializer = OpenNebulaVMSerializer(queryset, many=True) + serializer = OpenNebulaVMSerializer(queryset, many=True, context={'request': request}) return Response(serializer.data) def retrieve(self, request, pk=None): diff --git a/uncloud/uncloud/settings.py b/uncloud/uncloud/settings.py index fc95a86..2267be2 100644 --- a/uncloud/uncloud/settings.py +++ b/uncloud/uncloud/settings.py @@ -102,7 +102,7 @@ AUTH_PASSWORD_VALIDATORS = [ # AUTH/LDAP import ldap -from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion +from django_auth_ldap.config import LDAPSearch AUTH_LDAP_SERVER_URI = uncloud.secrets.LDAP_SERVER_URI @@ -118,10 +118,6 @@ AUTH_LDAP_USER_SEARCH = LDAPSearch( "dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)" ) -#AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=True -#AUTH_LDAP_USER_DN_TEMPLATE = "uid=%(user)s,ou=customer,dc=ungleich,dc=ch" - - ################################################################################ # AUTH/Django From 8c6e4eee00a20a249c993c949741878e59d845fd Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sun, 23 Feb 2020 17:20:28 +0100 Subject: [PATCH 3/3] -- merge conflict --- uncloud/uncloud/settings.py | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/uncloud/uncloud/settings.py b/uncloud/uncloud/settings.py index b2fc7ef..5ce8e92 100644 --- a/uncloud/uncloud/settings.py +++ b/uncloud/uncloud/settings.py @@ -111,14 +111,7 @@ AUTH_PASSWORD_VALIDATORS = [ ################################################################################ # AUTH/LDAP -<<<<<<< HEAD -import ldap -from django_auth_ldap.config import LDAPSearch - AUTH_LDAP_SERVER_URI = uncloud.secrets.LDAP_SERVER_URI -======= -AUTH_LDAP_SERVER_URI = "ldaps://ldap1.ungleich.ch,ldaps://ldap2.ungleich.ch" ->>>>>>> ahmed/master AUTH_LDAP_USER_ATTR_MAP = { "first_name": "givenName", 
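Review bot: `context={'request': request}` is added to the serializer construction in `list` but not to the identical one in `retrieve`, whose `def` line is the last context line of this hunk and whose body continues below it; any request-dependent field (hyperlinked relations, absolute URLs) would then render in the list view and fail or differ in the detail view. Mirror the change there, `serializer = OpenNebulaVMSerializer(vm, context={'request': request})`, noting that as of patch 1 `retrieve` still serializes the whole `queryset` rather than the single object fetched with `get_object_or_404`, so the detail endpoint does not yet return one VM.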
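Review bot: Resolving the conflict by deleting the entire `<<<<<<< HEAD` block also removes `import ldap` and `from django_auth_ldap.config import LDAPSearch`, which were real code inside that block and not conflict markers; unless the `ahmed/master` side added equivalent imports above line 111 (outside this hunk), `AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, ...)` a few lines further down will raise `NameError` as soon as settings are loaded. Re-add the two import lines after the `# AUTH/LDAP` heading, or move them into the top-level import block, and run `python manage.py check` on the merged tree. The commit message `-- merge conflict` does not say which side was kept; a subject such as `Resolve settings.py conflict, keeping the secrets-based LDAP configuration` would make the intent reviewable.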
@@ -126,15 +119,10 @@ AUTH_LDAP_USER_ATTR_MAP = { "email": "mail" } -<<<<<<< HEAD + AUTH_LDAP_BIND_DN = uncloud.secrets.LDAP_ADMIN_DN AUTH_LDAP_BIND_PASSWORD = uncloud.secrets.LDAP_ADMIN_PASSWORD -======= -AUTH_LDAP_BIND_DN = secrets.AUTH_LDAP_BIND_DN -AUTH_LDAP_BIND_PASSWORD = secrets.AUTH_LDAP_BIND_PASSWORD - ->>>>>>> ahmed/master AUTH_LDAP_USER_SEARCH = LDAPSearch( "dc=ungleich,dc=ch", ldap.SCOPE_SUBTREE, "(uid=%(user)s)" )