changeset 1290:74685a31cc43 beta

Enable start_tls connection encryption.
author "Lorenzo M. Catucci" <lorenzo@sancho.ccd.uniroma2.it>
date Tue, 26 Apr 2011 19:17:06 +0200
parents f56533aa1caa
children 34a9b64a5e00
files rhodecode/controllers/admin/ldap_settings.py rhodecode/lib/auth.py rhodecode/lib/auth_ldap.py rhodecode/lib/db_manage.py rhodecode/model/forms.py rhodecode/model/settings.py rhodecode/templates/admin/ldap/ldap.html
diffstat 7 files changed, 30 insertions(+), 14 deletions(-) [+]
--- a/rhodecode/controllers/admin/ldap_settings.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/controllers/admin/ldap_settings.py	Tue Apr 26 19:17:06 2011 +0200
@@ -59,6 +59,13 @@
                            ]
     tls_reqcert_default = 'DEMAND'
 
+    tls_kind_choices = [('PLAIN', _('No encryption'),),
+                        ('LDAPS', _('LDAPS connection'),),
+                        ('START_TLS', _('START_TLS on LDAP connection'),)
+                        ]
+
+    tls_kind_default = 'PLAIN'
+
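Review bot: `tls_kind_default = 'PLAIN'` (together with the matching 'PLAIN' seed in the db_manage.py hunk) makes the unencrypted transport the out-of-the-box choice, so the bind DN password and every user's login credentials cross the wire in cleartext until an administrator changes the select. Whether the default should instead be START_TLS is a product decision, but the trade-off deserves a comment next to the constant, e.g. `# 'PLAIN' keeps directories without TLS working; bind and user passwords are then sent unencrypted`. Nothing in the diff shows where tls_kind_default is read; if index() does not fall back to it, a missing setting renders the select with no current value, which is worth confirming against the template.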
     @LoginRequired()
     @HasPermissionAllDecorator('hg.admin')
     def __before__(self):
@@ -66,12 +73,14 @@
         c.admin_username = session.get('admin_username')
         c.search_scope_choices = self.search_scope_choices
         c.tls_reqcert_choices = self.tls_reqcert_choices
+        c.tls_kind_choices = self.tls_kind_choices
         super(LdapSettingsController, self).__before__()
 
     def index(self):
         defaults = SettingsModel().get_ldap_settings()
         c.search_scope_cur = defaults.get('ldap_search_scope')
         c.tls_reqcert_cur = defaults.get('ldap_tls_reqcert')
+        c.tls_kind_cur = defaults.get('ldap_tls_kind')
 
         return htmlfill.render(
                     render('admin/ldap/ldap.html'),
@@ -84,7 +93,8 @@
 
         settings_model = SettingsModel()
         _form = LdapSettingsForm([x[0] for x in self.tls_reqcert_choices],
-                                 [x[0] for x in self.search_scope_choices])()
+                                 [x[0] for x in self.search_scope_choices],
+                                 [x[0] for x in self.tls_kind_choices])()
 
         try:
             form_result = _form.to_python(dict(request.POST))
--- a/rhodecode/lib/auth.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/lib/auth.py	Tue Apr 26 19:17:06 2011 +0200
@@ -190,7 +190,7 @@
                   'port': ldap_settings.get('ldap_port'),
                   'bind_dn': ldap_settings.get('ldap_dn_user'),
                   'bind_pass': ldap_settings.get('ldap_dn_pass'),
-                  'use_ldaps': str2bool(ldap_settings.get('ldap_ldaps')),
+                  'tls_kind': ldap_settings.get('ldap_tls_kind'),
                   'tls_reqcert': ldap_settings.get('ldap_tls_reqcert'),
                   'ldap_filter': ldap_settings.get('ldap_filter'),
                   'search_scope': ldap_settings.get('ldap_search_scope'),
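Review bot: `ldap_settings.get('ldap_tls_kind')` yields None on an installation configured before this change, because the db_manage.py hunk only seeds the new key for fresh databases and nothing in the diff migrates the old `ldap_ldaps` row. AuthLdap then receives tls_kind=None, which matches neither 'LDAPS' nor 'START_TLS', so a deployment that had LDAPS enabled silently reconnects over plain ldap:// and sends the bind password in the clear. Until a migration exists, translate the legacy flag here, assuming get_ldap_settings() still returns the old row: `'tls_kind': ldap_settings.get('ldap_tls_kind') or ('LDAPS' if str2bool(ldap_settings.get('ldap_ldaps')) else 'PLAIN'),`. The enclosing function starts and ends outside the hunk.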
--- a/rhodecode/lib/auth_ldap.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/lib/auth_ldap.py	Tue Apr 26 19:17:06 2011 +0200
@@ -34,14 +34,19 @@
 class AuthLdap(object):
 
     def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
-                 use_ldaps=False, tls_reqcert='DEMAND', ldap_version=3,
+                 tls_kind = 'PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                  ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
                  search_scope='SUBTREE',
                  attr_login='uid'):
         self.ldap_version = ldap_version
-        if use_ldaps:
+        ldap_server_type = 'ldap'
+
+        self.TLS_KIND = tls_kind
+
+        if self.TLS_KIND == 'LDAPS':
             port = port or 689
-        self.LDAP_USE_LDAPS = use_ldaps
+            ldap_server_type = ldap_server_type + 's'
+
         self.TLS_REQCERT = ldap.__dict__['OPT_X_TLS_' + tls_reqcert]
         self.LDAP_SERVER_ADDRESS = server
         self.LDAP_SERVER_PORT = port
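Review bot: An unrecognised tls_kind (including the None an unmigrated setting produces) falls through `if self.TLS_KIND == 'LDAPS'` here and the START_TLS branch later, so the constructor silently builds a cleartext ldap:// connection instead of failing; validate the value against the three supported kinds and raise. Separately, `port = port or 689` on the LDAPS branch is a pre-existing slip: the registered LDAPS port is 636, so a configuration that leaves the port empty and selects LDAPS cannot connect. Style: `tls_kind = 'PLAIN'` should be `tls_kind='PLAIN'`, matching the neighbouring keyword defaults (PEP 8). The __init__ body continues past the hunk.
```python
    def __init__(self, server, base_dn, port=389, bind_dn='', bind_pass='',
                 tls_kind='PLAIN', tls_reqcert='DEMAND', ldap_version=3,
                 # … unchanged: ldap_filter, search_scope, attr_login …
                 attr_login='uid'):
        # Fail closed on an unknown transport kind rather than falling
        # through to an unencrypted ldap:// connection.
        if tls_kind not in ('PLAIN', 'LDAPS', 'START_TLS'):
            raise ValueError('unsupported tls_kind: %r' % (tls_kind,))
        self.ldap_version = ldap_version
        ldap_server_type = 'ldap'

        self.TLS_KIND = tls_kind

        if self.TLS_KIND == 'LDAPS':
            port = port or 636  # IANA-registered LDAPS port
            ldap_server_type = ldap_server_type + 's'
        # … unchanged: TLS_REQCERT and server address/port assignments …
```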
@@ -50,8 +55,6 @@
         self.LDAP_BIND_DN = bind_dn
         self.LDAP_BIND_PASS = bind_pass
 
-        ldap_server_type = 'ldap'
-        if self.LDAP_USE_LDAPS:ldap_server_type = ldap_server_type + 's'
         self.LDAP_SERVER = "%s://%s:%s" % (ldap_server_type,
                                                self.LDAP_SERVER_ADDRESS,
                                                self.LDAP_SERVER_PORT)
@@ -85,7 +88,7 @@
             ldap.set_option(ldap.OPT_TIMEOUT, 20)
             ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
             ldap.set_option(ldap.OPT_TIMELIMIT, 15)
-            if self.LDAP_USE_LDAPS:
+            if self.TLS_KIND != 'PLAIN':
                 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
             server = ldap.initialize(self.LDAP_SERVER)
             if self.ldap_version == 2:
@@ -93,6 +96,9 @@
             else:
                 server.protocol = ldap.VERSION3
 
+            if self.TLS_KIND == 'START_TLS':
+                server.start_tls_s()
+
             if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
                 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
 
--- a/rhodecode/lib/db_manage.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/lib/db_manage.py	Tue Apr 26 19:17:06 2011 +0200
@@ -312,7 +312,7 @@
 
         try:
             for k, v in [('ldap_active', 'false'), ('ldap_host', ''),
-                        ('ldap_port', '389'), ('ldap_ldaps', 'false'),
+                        ('ldap_port', '389'), ('ldap_tls_kind', 'PLAIN'),
                         ('ldap_tls_reqcert', ''), ('ldap_dn_user', ''),
                         ('ldap_dn_pass', ''), ('ldap_base_dn', ''),
                         ('ldap_filter', ''), ('ldap_search_scope', ''),
--- a/rhodecode/model/forms.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/model/forms.py	Tue Apr 26 19:17:06 2011 +0200
@@ -556,7 +556,7 @@
     return _DefaultPermissionsForm
 
 
-def LdapSettingsForm(tls_reqcert_choices, search_scope_choices):
+def LdapSettingsForm(tls_reqcert_choices, search_scope_choices, tls_kind_choices):
     class _LdapSettingsForm(formencode.Schema):
         allow_extra_fields = True
         filter_extra_fields = True
@@ -564,7 +564,7 @@
         ldap_active = StringBoolean(if_missing=False)
         ldap_host = UnicodeString(strip=True,)
         ldap_port = Number(strip=True,)
-        ldap_ldaps = StringBoolean(if_missing=False)
+        ldap_tls_kind = OneOf(tls_kind_choices)
         ldap_tls_reqcert = OneOf(tls_reqcert_choices)
         ldap_dn_user = UnicodeString(strip=True,)
         ldap_dn_pass = UnicodeString(strip=True,)
--- a/rhodecode/model/settings.py	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/model/settings.py	Tue Apr 26 19:17:06 2011 +0200
@@ -70,7 +70,7 @@
         ldap_active
         ldap_host
         ldap_port
-        ldap_ldaps
+        ldap_tls_kind
         ldap_tls_reqcert
         ldap_dn_user
         ldap_dn_pass
--- a/rhodecode/templates/admin/ldap/ldap.html	Tue Apr 26 14:03:00 2011 +0200
+++ b/rhodecode/templates/admin/ldap/ldap.html	Tue Apr 26 19:17:06 2011 +0200
@@ -47,8 +47,8 @@
                 <div class="input">${h.password('ldap_dn_pass',class_='small')}</div>
             </div>
             <div class="field">
-                <div class="label label-checkbox"><label for="ldap_ldaps">${_('Enable LDAPS')}</label></div>
-                <div class="checkboxes"><div class="checkbox">${h.checkbox('ldap_ldaps',True,class_='small')}</div></div>
+                <div class="label"><label for="ldap_tls_kind">${_('Connection security')}</label></div>
+                <div class="select">${h.select('ldap_tls_kind',c.tls_kind_cur,c.tls_kind_choices,class_='small')}</div>
             </div>
             <div class="field">
                 <div class="label"><label for="ldap_tls_reqcert">${_('Certificate Checks')}</label></div>