External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 14:57:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

implement multiple ldap servers

Browse Source
This commit is contained in:
Chris Meyers
2018-01-09 10:20:24 -05:00
parent 9431b0b6ff
commit 2ed97aeb0c
11 changed files with 846 additions and 253 deletions
Download Patch File Download Diff File Expand all files Collapse all files

163
awx/main/tests/data/ldap_ansible.ldif Normal file
View File

@@ -0,0 +1,163 @@
dn: dc=ansible,dc=com
dc: ansible
description: My wonderful company as much text as you want to place
in this line up to 32K continuation data for the line above must
have <CR> or <CR><LF> i.e. ENTER work
on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: ansible.com
# groups
dn: ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
# group: Superusers
dn: cn=superusers,ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: groupOfNames
cn: superusers
member: cn=super_user1,ou=people,dc=ansible,dc=com
# group: Engineering
dn: cn=engineering,ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: groupOfNames
cn: engineering
member: cn=eng_admin1,ou=people,dc=ansible,dc=com
member: cn=eng_user1,ou=people,dc=ansible,dc=com
member: cn=eng_user2,ou=people,dc=ansible,dc=com
dn: cn=engineering_admins,ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: groupOfNames
cn: engineering_admins
member: cn=eng_admin1,ou=people,dc=ansible,dc=com
# group: Sales
dn: cn=sales,ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: groupOfNames
cn: sales
member: cn=sales_user1,ou=people,dc=ansible,dc=com
member: cn=sales_user2,ou=people,dc=ansible,dc=com
# group: IT
dn: cn=it,ou=groups,dc=ansible,dc=com
objectClass: top
objectClass: groupOfNames
cn: it
member: cn=it_user1,ou=people,dc=ansible,dc=com
member: cn=it_user2,ou=people,dc=ansible,dc=com
# users
dn: ou=people,dc=ansible,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
# users - superusers
dn: cn=super_user1,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: super_user1
sn: User 1
givenName: Super
mail: super_user1@ansible.com
userPassword: password
# users - engineering
dn: cn=eng_user1,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_user1
sn: User 1
givenName: Engineering
mail: eng_user1@ansible.com
userPassword: password
dn: cn=eng_user2,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_user2
sn: User 2
givenName: Engineering
mail: eng_user2@ansible.com
userPassword: password
dn: cn=eng_admin1,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_admin1
sn: Admin 1
givenName: Engineering
mail: eng_admin1@ansible.com
userPassword: password
# users - IT
dn: cn=it_user1,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: it_user1
sn: Technology User 1
givenName: Information
mail: it_user1@ansible.com
userPassword: password
dn: cn=it_user2,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: it_user2
sn: Technology User 2
givenName: Information
mail: it_user2@ansible.com
userPassword: password
# users - Sales
dn: cn=sales_user1,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user1
sn: Person 1
givenName: Sales
mail: sales_user1@ansible.com
userPassword: password
dn: cn=sales_user2,ou=people,dc=ansible,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user2
sn: Person 2
givenName: Sales
mail: sales_user2@ansible.com
userPassword: password

78
awx/main/tests/data/ldap_example.ldif Normal file
View File

@@ -0,0 +1,78 @@
dn: dc=example,dc=com
dc: example
description: My wonderful company as much text as you want to place
in this line up to 32K continuation data for the line above must
have <CR> or <CR><LF> i.e. ENTER work
on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: example.com
# groups
dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
# group: Superusers
dn: cn=superusers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: superusers
member: cn=super_user1,ou=people,dc=example,dc=com
# group: Sales
dn: cn=sales,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: sales
member: cn=sales_user1,ou=people,dc=example,dc=com
member: cn=sales_user2,ou=people,dc=example,dc=com
# users
dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
# users - superusers
dn: cn=super_user1,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: super_user1
sn: User 1
givenName: Super
mail: super_user1@example.com
userPassword: password
# users - Sales
dn: cn=sales_user1,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user1
sn: Person 1
givenName: Sales
mail: sales_user1@example.com
userPassword: password
dn: cn=sales_user2,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user2
sn: Person 2
givenName: Sales
mail: sales_user2@example.com
userPassword: password

163
awx/main/tests/data/ldap_redhat.ldif Normal file
View File

@@ -0,0 +1,163 @@
dn: dc=redhat,dc=com
dc: redhat
description: My wonderful company as much text as you want to place
in this line up to 32K continuation data for the line above must
have <CR> or <CR><LF> i.e. ENTER work
on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: redhat.com
# groups
dn: ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups
# group: Superusers
dn: cn=superusers,ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: groupOfNames
cn: superusers
member: cn=super_user1,ou=people,dc=redhat,dc=com
# group: Engineering
dn: cn=engineering,ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: groupOfNames
cn: engineering
member: cn=eng_admin1,ou=people,dc=redhat,dc=com
member: cn=eng_user1,ou=people,dc=redhat,dc=com
member: cn=eng_user2,ou=people,dc=redhat,dc=com
dn: cn=engineering_admins,ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: groupOfNames
cn: engineering_admins
member: cn=eng_admin1,ou=people,dc=redhat,dc=com
# group: Sales
dn: cn=sales,ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: groupOfNames
cn: sales
member: cn=sales_user1,ou=people,dc=redhat,dc=com
member: cn=sales_user2,ou=people,dc=redhat,dc=com
# group: IT
dn: cn=it,ou=groups,dc=redhat,dc=com
objectClass: top
objectClass: groupOfNames
cn: it
member: cn=it_user1,ou=people,dc=redhat,dc=com
member: cn=it_user2,ou=people,dc=redhat,dc=com
# users
dn: ou=people,dc=redhat,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people
# users - superusers
dn: cn=super_user1,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: super_user1
sn: User 1
givenName: Super
mail: super_user1@redhat.com
userPassword: password
# users - engineering
dn: cn=eng_user1,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_user1
sn: User 1
givenName: Engineering
mail: eng_user1@redhat.com
userPassword: password
dn: cn=eng_user2,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_user2
sn: User 2
givenName: Engineering
mail: eng_user2@redhat.com
userPassword: password
dn: cn=eng_admin1,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: eng_admin1
sn: Admin 1
givenName: Engineering
mail: eng_admin1@redhat.com
userPassword: password
# users - IT
dn: cn=it_user1,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: it_user1
sn: Technology User 1
givenName: Information
mail: it_user1@redhat.com
userPassword: password
dn: cn=it_user2,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: it_user2
sn: Technology User 2
givenName: Information
mail: it_user2@redhat.com
userPassword: password
# users - Sales
dn: cn=sales_user1,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user1
sn: Person 1
givenName: Sales
mail: sales_user1@redhat.com
userPassword: password
dn: cn=sales_user2,ou=people,dc=redhat,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: sales_user2
sn: Person 2
givenName: Sales
mail: sales_user2@redhat.com
userPassword: password

3
awx/main/tests/functional/conftest.py
View File

@@ -73,7 +73,8 @@ def user():
try:
user = User.objects.get(username=name)
except User.DoesNotExist:
user = User(username=name, is_superuser=is_superuser, password=name)
user = User(username=name, is_superuser=is_superuser)
user.set_password(name)
user.save()
return user
return u

130
awx/main/tests/functional/test_ldap.py Normal file
View File

@@ -0,0 +1,130 @@
import ldap
import ldif
import pytest
import os
from mockldap import MockLdap
from awx.api.versioning import reverse
@pytest.fixture
def ldap_generator():
def fn(fname, host='localhost'):
fh = open(os.path.join(os.path.dirname(os.path.realpath(__file__)), fname), 'rb')
ctrl = ldif.LDIFRecordList(fh)
ctrl.parse()
directory = dict(ctrl.all_records)
mockldap = MockLdap(directory)
mockldap.start()
mockldap['ldap://{}/'.format(host)]
conn = ldap.initialize('ldap://{}/'.format(host))
return conn
#mockldap.stop()
return fn
@pytest.fixture
def ldap_settings_generator():
def fn(prefix='', dc='ansible', host='ldap.ansible.com'):
prefix = '_{}'.format(prefix) if prefix else ''
data = {
'AUTH_LDAP_SERVER_URI': 'ldap://{}'.format(host),
'AUTH_LDAP_BIND_DN': 'cn=eng_user1,ou=people,dc={},dc=com'.format(dc),
'AUTH_LDAP_BIND_PASSWORD': 'password',
"AUTH_LDAP_USER_SEARCH": [
"ou=people,dc={},dc=com".format(dc),
"SCOPE_SUBTREE",
"(cn=%(user)s)"
],
"AUTH_LDAP_TEAM_MAP": {
"LDAP Sales": {
"organization": "LDAP Organization",
"users": "cn=sales,ou=groups,dc={},dc=com".format(dc),
"remove": True
},
"LDAP IT": {
"organization": "LDAP Organization",
"users": "cn=it,ou=groups,dc={},dc=com".format(dc),
"remove": True
},
"LDAP Engineering": {
"organization": "LDAP Organization",
"users": "cn=engineering,ou=groups,dc={},dc=com".format(dc),
"remove": True
}
},
"AUTH_LDAP_REQUIRE_GROUP": None,
"AUTH_LDAP_USER_ATTR_MAP": {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
},
"AUTH_LDAP_GROUP_SEARCH": [
"dc={},dc=com".format(dc),
"SCOPE_SUBTREE",
"(objectClass=groupOfNames)"
],
"AUTH_LDAP_USER_FLAGS_BY_GROUP": {
"is_superuser": "cn=superusers,ou=groups,dc={},dc=com".format(dc)
},
"AUTH_LDAP_ORGANIZATION_MAP": {
"LDAP Organization": {
"admins": "cn=engineering_admins,ou=groups,dc={},dc=com".format(dc),
"remove_admins": False,
"users": [
"cn=engineering,ou=groups,dc={},dc=com".format(dc),
"cn=sales,ou=groups,dc={},dc=com".format(dc),
"cn=it,ou=groups,dc={},dc=com".format(dc)
],
"remove_users": False
}
},
}
if prefix:
data_new = dict()
for k,v in data.iteritems():
k_new = k.replace('AUTH_LDAP', 'AUTH_LDAP{}'.format(prefix))
data_new[k_new] = v
else:
data_new = data
return data_new
return fn
# Note: mockldap isn't fully featured. Fancy queries aren't fully baked.
# However, objects returned are solid so they should flow through django ldap middleware nicely.
@pytest.mark.django_db
def test_login(ldap_generator, patch, post, admin, ldap_settings_generator):
auth_url = reverse('api:auth_token_view')
ldap_settings_url = reverse('api:setting_singleton_detail', kwargs={'category_slug': 'ldap'})
# Generate mock ldap servers and init with ldap data
ldap_generator("../data/ldap_example.ldif", "ldap.example.com")
ldap_generator("../data/ldap_redhat.ldif", "ldap.redhat.com")
ldap_generator("../data/ldap_ansible.ldif", "ldap.ansible.com")
ldap_settings_example = ldap_settings_generator(dc='example')
ldap_settings_ansible = ldap_settings_generator(prefix='1', dc='ansible')
ldap_settings_redhat = ldap_settings_generator(prefix='2', dc='redhat')
# eng_user1 exists in ansible and redhat but not example
patch(ldap_settings_url, user=admin, data=ldap_settings_example, expect=200)
post(auth_url, data={'username': 'eng_user1', 'password': 'password'}, expect=400)
patch(ldap_settings_url, user=admin, data=ldap_settings_ansible, expect=200)
patch(ldap_settings_url, user=admin, data=ldap_settings_redhat, expect=200)
post(auth_url, data={'username': 'eng_user1', 'password': 'password'}, expect=200)

2
awx/main/tests/functional/utils/test_common.py
View File

@@ -20,7 +20,7 @@ def test_model_to_dict_user(alice):
output_dict = model_to_dict(alice)
assert output_dict['username'] == username
assert output_dict['password'] == 'hidden'
assert alice.username == password
assert alice.username == username
assert alice.password == password

5
awx/settings/defaults.py
View File

@@ -305,6 +305,11 @@ REST_FRAMEWORK = {
AUTHENTICATION_BACKENDS = (
'awx.sso.backends.LDAPBackend',
'awx.sso.backends.LDAPBackend1',
'awx.sso.backends.LDAPBackend2',
'awx.sso.backends.LDAPBackend3',
'awx.sso.backends.LDAPBackend4',
'awx.sso.backends.LDAPBackend5',
'awx.sso.backends.RADIUSBackend',
'awx.sso.backends.TACACSPlusBackend',
'social_core.backends.google.GoogleOAuth2',

20
awx/sso/backends.py
View File

@@ -133,6 +133,26 @@ class LDAPBackend(BaseLDAPBackend):
return set()
class LDAPBackend1(LDAPBackend):
settings_prefix = 'AUTH_LDAP_1_'
class LDAPBackend2(LDAPBackend):
settings_prefix = 'AUTH_LDAP_2_'
class LDAPBackend3(LDAPBackend):
settings_prefix = 'AUTH_LDAP_3_'
class LDAPBackend4(LDAPBackend):
settings_prefix = 'AUTH_LDAP_4_'
class LDAPBackend5(LDAPBackend):
settings_prefix = 'AUTH_LDAP_5_'
def _decorate_enterprise_user(user, provider):
user.set_unusable_password()
user.save()

42
awx/sso/conf.py
View File

@@ -129,8 +129,12 @@ register(
# LDAP AUTHENTICATION SETTINGS
###############################################################################
def _register_ldap(append=None):
append_str = '_{}'.format(append) if append else ''
register(
'AUTH_LDAP_SERVER_URI',
'AUTH_LDAP{}_SERVER_URI'.format(append_str),
field_class=fields.LDAPServerURIField,
allow_blank=True,
default='',
@@ -146,7 +150,7 @@ register(
)
register(
'AUTH_LDAP_BIND_DN',
'AUTH_LDAP{}_BIND_DN'.format(append_str),
field_class=fields.CharField,
allow_blank=True,
default='',
@@ -161,7 +165,7 @@ register(
)
register(
'AUTH_LDAP_BIND_PASSWORD',
'AUTH_LDAP{}_BIND_PASSWORD'.format(append_str),
field_class=fields.CharField,
allow_blank=True,
default='',
@@ -174,7 +178,7 @@ register(
)
register(
'AUTH_LDAP_START_TLS',
'AUTH_LDAP{}_START_TLS'.format(append_str),
field_class=fields.BooleanField,
default=False,
label=_('LDAP Start TLS'),
@@ -185,7 +189,7 @@ register(
)
register(
'AUTH_LDAP_CONNECTION_OPTIONS',
'AUTH_LDAP{}_CONNECTION_OPTIONS'.format(append_str),
field_class=fields.LDAPConnectionOptionsField,
default={'OPT_REFERRALS': 0, 'OPT_NETWORK_TIMEOUT': 30},
label=_('LDAP Connection Options'),
@@ -205,7 +209,7 @@ register(
)
register(
'AUTH_LDAP_USER_SEARCH',
'AUTH_LDAP{}_USER_SEARCH'.format(append_str),
field_class=fields.LDAPSearchUnionField,
default=[],
label=_('LDAP User Search'),
@@ -226,7 +230,7 @@ register(
)
register(
'AUTH_LDAP_USER_DN_TEMPLATE',
'AUTH_LDAP{}_USER_DN_TEMPLATE'.format(append_str),
field_class=fields.LDAPDNWithUserField,
allow_blank=True,
allow_null=True,
@@ -244,7 +248,7 @@ register(
)
register(
'AUTH_LDAP_USER_ATTR_MAP',
'AUTH_LDAP{}_USER_ATTR_MAP'.format(append_str),
field_class=fields.LDAPUserAttrMapField,
default={},
label=_('LDAP User Attribute Map'),
@@ -263,7 +267,7 @@ register(
)
register(
'AUTH_LDAP_GROUP_SEARCH',
'AUTH_LDAP{}_GROUP_SEARCH'.format(append_str),
field_class=fields.LDAPSearchField,
default=[],
label=_('LDAP Group Search'),
@@ -281,7 +285,7 @@ register(
)
register(
'AUTH_LDAP_GROUP_TYPE',
'AUTH_LDAP{}_GROUP_TYPE'.format(append_str),
field_class=fields.LDAPGroupTypeField,
label=_('LDAP Group Type'),
help_text=_('The group type may need to be changed based on the type of the '
@@ -294,7 +298,7 @@ register(
)
register(
'AUTH_LDAP_REQUIRE_GROUP',
'AUTH_LDAP{}_REQUIRE_GROUP'.format(append_str),
field_class=fields.LDAPDNField,
allow_blank=True,
allow_null=True,
@@ -311,7 +315,7 @@ register(
)
register(
'AUTH_LDAP_DENY_GROUP',
'AUTH_LDAP{}_DENY_GROUP'.format(append_str),
field_class=fields.LDAPDNField,
allow_blank=True,
allow_null=True,
@@ -327,7 +331,7 @@ register(
)
register(
'AUTH_LDAP_USER_FLAGS_BY_GROUP',
'AUTH_LDAP{}_USER_FLAGS_BY_GROUP'.format(append_str),
field_class=fields.LDAPUserFlagsField,
default={},
label=_('LDAP User Flags By Group'),
@@ -344,7 +348,7 @@ register(
)
register(
'AUTH_LDAP_ORGANIZATION_MAP',
'AUTH_LDAP{}_ORGANIZATION_MAP'.format(append_str),
field_class=fields.LDAPOrganizationMapField,
default={},
label=_('LDAP Organization Map'),
@@ -372,7 +376,7 @@ register(
)
register(
'AUTH_LDAP_TEAM_MAP',
'AUTH_LDAP{}_TEAM_MAP'.format(append_str),
field_class=fields.LDAPTeamMapField,
default={},
label=_('LDAP Team Map'),
@@ -395,6 +399,14 @@ register(
feature_required='ldap',
)
_register_ldap()
_register_ldap('1')
_register_ldap('2')
_register_ldap('3')
_register_ldap('4')
_register_ldap('5')
###############################################################################
# RADIUS AUTHENTICATION SETTINGS
###############################################################################

20
awx/sso/fields.py
View File

@@ -31,6 +31,21 @@ class AuthenticationBackendsField(fields.StringListField):
('awx.sso.backends.LDAPBackend', [
'AUTH_LDAP_SERVER_URI',
]),
('awx.sso.backends.LDAPBackend1', [
'AUTH_LDAP_1_SERVER_URI',
]),
('awx.sso.backends.LDAPBackend2', [
'AUTH_LDAP_2_SERVER_URI',
]),
('awx.sso.backends.LDAPBackend3', [
'AUTH_LDAP_3_SERVER_URI',
]),
('awx.sso.backends.LDAPBackend4', [
'AUTH_LDAP_4_SERVER_URI',
]),
('awx.sso.backends.LDAPBackend5', [
'AUTH_LDAP_5_SERVER_URI',
]),
('awx.sso.backends.RADIUSBackend', [
'RADIUS_SERVER',
]),
@@ -70,6 +85,11 @@ class AuthenticationBackendsField(fields.StringListField):
REQUIRED_BACKEND_FEATURE = {
'awx.sso.backends.LDAPBackend': 'ldap',
'awx.sso.backends.LDAPBackend1': 'ldap',
'awx.sso.backends.LDAPBackend2': 'ldap',
'awx.sso.backends.LDAPBackend3': 'ldap',
'awx.sso.backends.LDAPBackend4': 'ldap',
'awx.sso.backends.LDAPBackend5': 'ldap',
'awx.sso.backends.RADIUSBackend': 'enterprise_auth',
'awx.sso.backends.SAMLAuth': 'enterprise_auth',
}

1
requirements/requirements_dev.txt
View File

@@ -16,3 +16,4 @@ uwsgitop
jupyter
matplotlib
backports.tempfile # support in unit tests for py32+ tempfile.TemporaryDirectory
mockldap