Merge branch 'master' of code.ungleich.ch:uncloud/uncloud

requirements.txt

@@ -4,6 +4,7 @@ django-auth-ldap
 stripe
 xmltodict
 psycopg2
+ldap3
 
 parsedatetime
 

uncloud/.gitignore

@@ -1 +1,2 @@
 local_settings.py
+ldap_max_uid_file

uncloud/urls.py

@@ -65,6 +65,7 @@ router.register(r'v1/admin/vpnpool', netviews.VPNPoolViewSet)
 # User/Account
 router.register(r'v1/my/user', authviews.UserViewSet, basename='user')
 router.register(r'v1/admin/user', authviews.AdminUserViewSet, basename='useradmin')
+router.register(r'v1/user/register', authviews.AccountManagementViewSet, basename='user/register')
 
 urlpatterns = [
     path(r'api/', include(router.urls)),

uncloud_auth/serializers.py

@@ -1,25 +1,72 @@
 from django.contrib.auth import get_user_model
+from django.db import transaction
+from ldap3.core.exceptions import LDAPEntryAlreadyExistsResult
 from rest_framework import serializers
 
 from uncloud_pay import AMOUNT_DECIMALS, AMOUNT_MAX_DIGITS
 from uncloud_pay.models import BillingAddress
 
+from .ungleich_ldap import LdapManager
+
+
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = get_user_model()
         read_only_fields = [ 'username', 'balance', 'maximum_credit' ]
-        fields =  read_only_fields + [ 'email', 'primary_billing_address' ]
+        fields =  read_only_fields + [ 'email' ]  # , 'primary_billing_address' ]
 
     def validate(self, data):
         """
         Ensure that the primary billing address belongs to the user
         """
-
-        if 'primary_billing_address' in data:
-            if not data['primary_billing_address'].owner == self.instance:
-                raise serializers.ValidationError("Invalid data")
+        # The following is raising exceptions probably, it is WIP somewhere
+        # if 'primary_billing_address' in data:
+        #     if not data['primary_billing_address'].owner == self.instance:
+        #         raise serializers.ValidationError('Invalid data')
 
         return data
 
+    def update(self, instance, validated_data):
+        ldap_manager = LdapManager()
+        return_val, _ = ldap_manager.change_user_details(
+            instance.username, {'mail': validated_data.get('email')}
+        )
+        if not return_val:
+            raise serializers.ValidationError('Couldn\'t update email')
+        instance.email = validated_data.get('email')
+        instance.save()
+        return instance
+
+
+class UserRegistrationSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = get_user_model()
+        fields = ['username', 'first_name', 'last_name', 'email', 'password']
+        extra_kwargs = {
+            'password': {'style': {'input_type': 'password'}},
+            'first_name': {'allow_blank': False, 'required': True},
+            'last_name': {'allow_blank': False, 'required': True},
+            'email': {'allow_blank': False, 'required': True},
+        }
+
+    def create(self, validated_data):
+        ldap_manager = LdapManager()
+        try:
+            data = {
+                'user': validated_data['username'],
+                'password': validated_data['password'],
+                'email': validated_data['email'],
+                'firstname': validated_data['first_name'],
+                'lastname': validated_data['last_name'],
+            }
+            ldap_manager.create_user(**data)
+        except LDAPEntryAlreadyExistsResult:
+            raise serializers.ValidationError(
+                {'username': ['A user with that username already exists.']}
+            )
+        else:
+            return get_user_model().objects.create_user(**validated_data)
+
+
 class ImportUserSerializer(serializers.Serializer):
     username = serializers.CharField()

uncloud_auth/ungleich_ldap.py

@@ -0,0 +1,284 @@
+import base64
+import hashlib
+import logging
+import random
+
+import ldap3
+from django.conf import settings
+
+logger = logging.getLogger(__name__)
+
+
+class LdapManager:
+    __instance = None
+    def __new__(cls):
+        if LdapManager.__instance is None:
+            LdapManager.__instance = object.__new__(cls)
+        return LdapManager.__instance
+
+    def __init__(self):
+        """
+        Initialize the LDAP subsystem.
+        """
+        self.rng = random.SystemRandom()
+        self.server = ldap3.Server(settings.AUTH_LDAP_SERVER)
+
+
+    def get_admin_conn(self):
+        """
+        Return a bound :class:`ldap3.Connection` instance which has write
+        permissions on the dn in which the user accounts reside.
+        """
+        conn = self.get_conn(user=settings.LDAP_ADMIN_DN,
+                        password=settings.LDAP_ADMIN_PASSWORD,
+                        raise_exceptions=True)
+        conn.bind()
+        return conn
+
+
+    def get_conn(self, **kwargs):
+        """
+        Return an unbound :class:`ldap3.Connection` which talks to the configured
+        LDAP server.
+
+        The *kwargs* are passed to the constructor of :class:`ldap3.Connection` and
+        can be used to set *user*, *password* and other useful arguments.
+        """
+        return ldap3.Connection(self.server, **kwargs)
+
+
+    def _ssha_password(self, password):
+        """
+        Apply the SSHA password hashing scheme to the given *password*.
+        *password* must be a :class:`bytes` object, containing the utf-8
+        encoded password.
+
+        Return a :class:`bytes` object containing ``ascii``-compatible data
+        which can be used as LDAP value, e.g. after armoring it once more using
+        base64 or decoding it to unicode from ``ascii``.
+        """
+        SALT_BYTES = 15
+
+        sha1 = hashlib.sha1()
+        salt = self.rng.getrandbits(SALT_BYTES * 8).to_bytes(SALT_BYTES,
+                                                               "little")
+        sha1.update(password)
+        sha1.update(salt)
+
+        digest = sha1.digest()
+        passwd = b"{SSHA}" + base64.b64encode(digest + salt)
+        return passwd
+
+
+    def create_user(self, user, password, firstname, lastname, email):
+        conn = self.get_admin_conn()
+        uidNumber = self._get_max_uid() + 1
+        logger.debug("uidNumber={uidNumber}".format(uidNumber=uidNumber))
+        user_exists = True
+        while user_exists:
+            user_exists, _ = self.check_user_exists(
+                "",
+                '(&(objectClass=inetOrgPerson)(objectClass=posixAccount)'
+                '(objectClass=top)(uidNumber={uidNumber}))'.format(
+                    uidNumber=uidNumber
+                )
+            )
+            if user_exists:
+                logger.debug(
+                    "{uid} exists. Trying next.".format(uid=uidNumber)
+                )
+                uidNumber += 1
+        logger.debug("{uid} does not exist. Using it".format(uid=uidNumber))
+        self._set_max_uid(uidNumber)
+        try:
+            uid = user  # user.encode("utf-8")
+            conn.add("uid={uid},{customer_dn}".format(
+                    uid=uid, customer_dn=settings.LDAP_CUSTOMER_DN
+                ),
+                ["inetOrgPerson", "posixAccount", "ldapPublickey"],
+                {
+                    "uid": [uid],
+                    "sn": [lastname.encode("utf-8")],
+                    "givenName": [firstname.encode("utf-8")],
+                    "cn": [uid],
+                    "displayName": ["{} {}".format(firstname, lastname).encode("utf-8")],
+                    "uidNumber": [str(uidNumber)],
+                    "gidNumber": [str(settings.LDAP_CUSTOMER_GROUP_ID)],
+                    "loginShell": ["/bin/bash"],
+                    "homeDirectory": ["/home/{}".format(user).encode("utf-8")],
+                    "mail": email.encode("utf-8"),
+                    "userPassword": [self._ssha_password(
+                        password.encode("utf-8")
+                    )]
+                }
+            )
+            logger.debug('Created user %s %s' % (user.encode('utf-8'),
+                                                 uidNumber))
+        except Exception as ex:
+            logger.debug('Could not create user %s' % user.encode('utf-8'))
+            logger.error("Exception: " + str(ex))
+            raise
+        finally:
+            conn.unbind()
+
+
+    def change_password(self, uid, new_password):
+        """
+        Changes the password of the user identified by user_dn
+
+        :param uid: str The uid that identifies the user
+        :param new_password: str The new password string
+        :return: True if password was changed successfully False otherwise
+        """
+        conn = self.get_admin_conn()
+
+        # Make sure the user exists first to change his/her details
+        user_exists, entries = self.check_user_exists(
+            uid=uid,
+            search_base=settings.ENTIRE_SEARCH_BASE
+        )
+        return_val = False
+        if user_exists:
+            try:
+                return_val = conn.modify(
+                    entries[0].entry_dn,
+                    {
+                        "userpassword": (
+                            ldap3.MODIFY_REPLACE,
+                            [self._ssha_password(new_password.encode("utf-8"))]
+                        )
+                    }
+                )
+            except Exception as ex:
+                logger.error("Exception: " + str(ex))
+        else:
+            logger.error("User {} not found".format(uid))
+
+        conn.unbind()
+        return return_val
+
+    def change_user_details(self, uid, details):
+        """
+        Updates the user details as per given values in kwargs of the user
+        identified by user_dn.
+
+        Assumes that all attributes passed in kwargs are valid.
+
+        :param uid: str The uid that identifies the user
+        :param details: dict A dictionary containing the new values
+        :return: True if user details were updated successfully False otherwise
+        """
+        conn = self.get_admin_conn()
+
+        # Make sure the user exists first to change his/her details
+        user_exists, entries = self.check_user_exists(
+            uid=uid,
+            search_base=settings.ENTIRE_SEARCH_BASE
+        )
+
+        return_val = False
+        if user_exists:
+            details_dict = {k: (ldap3.MODIFY_REPLACE, [v.encode("utf-8")]) for
+                            k, v in details.items()}
+            try:
+                return_val = conn.modify(entries[0].entry_dn, details_dict)
+                msg = "success"
+            except Exception as ex:
+                msg = str(ex)
+                logger.error("Exception: " + msg)
+            finally:
+                conn.unbind()
+        else:
+            msg = "User {} not found".format(uid)
+            logger.error(msg)
+            conn.unbind()
+        return return_val, msg
+
+    def check_user_exists(self, uid, search_filter="", attributes=None,
+                          search_base=settings.LDAP_CUSTOMER_DN):
+        """
+        Check if the user with the given uid exists in the customer group.
+
+        :param uid: str representing the user
+        :param search_filter: str representing the filter condition to find
+                            users. If its empty, the search finds the user with
+                            the given uid.
+        :param attributes: list A list of str representing all the attributes
+                           to be obtained in the result entries
+        :param search_base: str
+        :return: tuple (bool, [ldap3.abstract.entry.Entry ..])
+                       A bool indicating if the user exists
+                       A list of all entries obtained in the search
+        """
+        conn = self.get_admin_conn()
+        entries = []
+        try:
+            result = conn.search(
+                search_base=search_base,
+                search_filter=search_filter if len(search_filter)> 0 else
+                '(uid={uid})'.format(uid=uid),
+                attributes=attributes
+            )
+            entries = conn.entries
+        finally:
+            conn.unbind()
+        return result, entries
+
+    def delete_user(self, uid):
+        """
+        Deletes the user with the given uid from ldap
+
+        :param uid: str representing the user
+        :return: True if the delete was successful False otherwise
+        """
+        conn = self.get_admin_conn()
+        try:
+            return_val = conn.delete(
+                ("uid={uid}," + settings.LDAP_CUSTOMER_DN).format(uid=uid),
+            )
+            msg = "success"
+        except Exception as ex:
+            msg = str(ex)
+            logger.error("Exception: " + msg)
+            return_val = False
+        finally:
+            conn.unbind()
+        return return_val, msg
+
+    def _set_max_uid(self, max_uid):
+        """
+        a utility function to save max_uid value to a file
+
+        :param max_uid: an integer representing the max uid
+        :return:
+        """
+        with open(settings.LDAP_MAX_UID_FILE_PATH, 'w+') as handler:
+            handler.write(str(max_uid))
+
+    def _get_max_uid(self):
+        """
+        A utility function to read the max uid value that was previously set
+
+        :return: An integer representing the max uid value that was previously
+         set
+        """
+        try:
+            with open(settings.LDAP_MAX_UID_FILE_PATH, 'r+') as handler:
+                try:
+                    return_value = int(handler.read())
+                except ValueError as ve:
+                    logger.error(
+                        "Error reading int value from {}. {}"
+                        "Returning default value {} instead".format(
+                            settings.LDAP_MAX_UID_PATH,
+                            str(ve),
+                            settings.LDAP_DEFAULT_START_UID
+                        )
+                    )
+                    return_value = settings.LDAP_DEFAULT_START_UID
+                return return_value
+        except FileNotFoundError as fnfe:
+            logger.error("File not found : " + str(fnfe))
+            return_value = settings.LDAP_DEFAULT_START_UID
+            logger.error("So, returning UID={}".format(return_value))
+            return return_value

uncloud_auth/views.py

@@ -1,9 +1,11 @@
-from rest_framework import viewsets, permissions, status
-from .serializers import *
 from django_auth_ldap.backend import LDAPBackend
+from rest_framework import mixins, permissions, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
+from .serializers import *
+
+
 class UserViewSet(viewsets.GenericViewSet):
     permission_classes = [permissions.IsAuthenticated]
     serializer_class = UserSerializer
@@ -19,19 +21,29 @@ class UserViewSet(viewsets.GenericViewSet):
         serializer = self.get_serializer(user, context = {'request': request})
         return Response(serializer.data)
 
-    def create(self, request):
-        """
-        Modify existing user data
-        """
-
-        user = request.user
-        serializer = self.get_serializer(user,
-                                         context = {'request': request},
-                                         data=request.data)
+    @action(detail=False, methods=['post'])
+    def change_email(self, request):
+        serializer = self.get_serializer(
+            request.user, data=request.data, context={'request': request}
+        )
         serializer.is_valid(raise_exception=True)
         serializer.save()
         return Response(serializer.data)
 
+
+class AccountManagementViewSet(mixins.CreateModelMixin, viewsets.GenericViewSet):
+    serializer_class = UserRegistrationSerializer
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        headers = self.get_success_headers(serializer.data)
+        return Response(
+            serializer.data, status=status.HTTP_201_CREATED, headers=headers
+        )
+
+
 class AdminUserViewSet(viewsets.ReadOnlyModelViewSet):
     permission_classes = [permissions.IsAdminUser]