From 6ef92894a3a0c693837f6152aee03a64d8d44659 Mon Sep 17 00:00:00 2001
From: Alexander Sulfrian
Date: Wed, 4 Sep 2013 15:30:25 +0000
Subject: auth: add custom flask_peewee auth module for ldap auth
---
 auth.py | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 settings.py.default | 5 +++++
 2 files changed, 64 insertions(+)
 create mode 100644 auth.py
diff --git a/auth.py b/auth.py
new file mode 100644
index 0000000..0ab23cc
--- /dev/null
+++ b/auth.py
@@ -0,0 +1,59 @@
+from flask_peewee.auth import Auth
+from models import User
+from app import app, db, pad
+from datetime import datetime
+import ldap
+
+class LdapAuth(Auth):
+ def get_user_model(self):
+ return User
+
+ def authenticate(self, username, password):
+ ldap.protocol_version = 3
+ l = ldap.initialize(app.config['LDAP']['host'])
+ l.set_option( ldap.OPT_X_TLS_DEMAND, True )
+ try:
+ user_dn = self._format_dn([('uid', username)])
+ l.simple_bind_s(user_dn, password)
+ except ldap.INVALID_CREDENTIALS:
+ return False
+
+ try:
+ user = User.get(User.username == username)
+ except User.DoesNotExist:
+ user_data = l.search_s(user_dn, ldap.SCOPE_BASE)
+ if (len(user_data) != 1):
+ return False
+
+ (dn, user_data) = user_data[0]
+ user = User.create(
+ username = username,
+ email = user_data['mail'][0],
+ api_id = pad.createAuthorIfNotExistsFor(user_dn, username))
+
+ return user
+
+ def login_user(self, user):
+ user.last_login = datetime.now()
+ user.save()
+ super(LdapAuth, self).login_user(user)
+
+ def _format_dn(self, attr, with_base_dn = True):
+ if with_base_dn:
+ attr.extend(app.config['LDAP']['base_dn'])
+
+ dn = ['%s=%s' % (item[0], self._escape(item[1])) for item in attr]
+
+ return ','.join(dn)
+
+ def _escape(self, s, wildcard=False):
+ chars_to_escape = ['\\',',','=','+','<','>',';','"','\'','#','(',')','\0']
+
+ if not wildcard:
+ chars_to_escape.append('*')
+
+ escape = lambda x,y: x.replace(y,'\%02X' % ord(y))
+
+ return reduce(escape, chars_to_escape, s)
+
+auth = LdapAuth(app, db, user_model=User)
diff --git a/settings.py.default b/settings.py.default
index 902f39e..3379f94 100644
--- a/settings.py.default
+++ b/settings.py.default
@@ -3,6 +3,11 @@ PAD = { 'host': 'localhost' } +LDAP = { 'host': 'ldaps://host', 'base_dn': [('ou', 'people'), ('dc', 'example'), ('dc', 'org')], +} + DATABASE = { 'name': 'example.db', 'engine': 'peewee.SqliteDatabase',
-- cgit v1.2.3-1-g7c22
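Review bot: `authenticate` hands `password` straight to `l.simple_bind_s(user_dn, password)` without rejecting an empty string, and a simple bind with a non-empty DN and an empty password is an *unauthenticated* bind (RFC 4513 §5.1.2) that some directories accept depending on server configuration (Active Directory does by default), so a blank password could log a user in as any `uid`; add `if not username or not password: return False` before the bind. The TLS line `l.set_option( ldap.OPT_X_TLS_DEMAND, True )` also does not enforce anything: `OPT_X_TLS_DEMAND` is a *value* for the `OPT_X_TLS_REQUIRE_CERT` option, not an option key, so certificate validation on the `ldaps://` connection is not being demanded and, depending on the python-ldap build, the call may even raise `ValueError`; the intended form is `l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)` issued before the bind. Likewise `ldap.protocol_version = 3` assigns an attribute on the module, whereas python-ldap reads `protocol_version` from the connection object, so it should be `l.protocol_version = ldap.VERSION3`. Finally the connection is never released on any return path (including the `INVALID_CREDENTIALS` and `len(user_data) != 1` early returns); wrap the bind and search in `try: ... finally: l.unbind_s()`.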