]> git.ipfire.org Git - ipfire.org.git/blame_incremental - src/backend/accounts.py
projects / ipfire.org.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
lists: Implement some basic code to talk to Mailman
[ipfire.org.git] / src / backend / accounts.py
... / ...
CommitLineData
1#!/usr/bin/python
2# encoding: utf-8
3
4import asyncio
5import base64
6import datetime
7import hashlib
8import hmac
9import iso3166
10import json
11import kerberos
12import ldap
13import ldap.modlist
14import logging
15import os
16import phonenumbers
17import re
18import socket
19import sys
20import time
21import tornado.httpclient
22import urllib.parse
23import urllib.request
24import zxcvbn
25
26from . import countries
27from . import util
28from .decorators import *
29from .misc import Object
30
31# Set the client keytab name
32os.environ["KRB5_CLIENT_KTNAME"] = "/etc/ipfire.org/ldap.keytab"
33
34FQDN = socket.gethostname()
35
36class LDAPObject(Object):
37 def init(self, dn, attrs=None):
38 self.dn = dn
39
40 self.attributes = attrs or {}
41
42 def __eq__(self, other):
43 if isinstance(other, self.__class__):
44 return self.dn == other.dn
45
46 return NotImplemented
47
48 @property
49 def ldap(self):
50 return self.accounts.ldap
51
52 def _exists(self, key):
53 try:
54 self.attributes[key]
55 except KeyError:
56 return False
57
58 return True
59
60 def _get(self, key):
61 for value in self.attributes.get(key, []):
62 yield value
63
64 def _get_bytes(self, key, default=None):
65 for value in self._get(key):
66 return value
67
68 return default
69
70 def _get_strings(self, key):
71 for value in self._get(key):
72 yield value.decode()
73
74 def _get_string(self, key, default=None):
75 for value in self._get_strings(key):
76 return value
77
78 return default
79
80 def _get_phone_numbers(self, key):
81 for value in self._get_strings(key):
82 yield phonenumbers.parse(value, None)
83
84 def _get_timestamp(self, key):
85 value = self._get_string(key)
86
87 # Parse the timestamp value and returns a datetime object
88 if value:
89 return datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ")
90
91 def _modify(self, modlist):
92 logging.debug("Modifying %s: %s" % (self.dn, modlist))
93
94 # Authenticate before performing any write operations
95 self.accounts._authenticate()
96
97 # Run modify operation
98 self.ldap.modify_s(self.dn, modlist)
99
100 def _set(self, key, values):
101 current = self._get(key)
102
103 # Don't do anything if nothing has changed
104 if list(current) == values:
105 return
106
107 # Remove all old values and add all new ones
108 modlist = []
109
110 if self._exists(key):
111 modlist.append((ldap.MOD_DELETE, key, None))
112
113 # Add new values
114 if values:
115 modlist.append((ldap.MOD_ADD, key, values))
116
117 # Run modify operation
118 self._modify(modlist)
119
120 # Update cache
121 self.attributes.update({ key : values })
122
123 def _set_bytes(self, key, values):
124 return self._set(key, values)
125
126 def _set_strings(self, key, values):
127 return self._set(key, [e.encode() for e in values if e])
128
129 def _set_string(self, key, value):
130 return self._set_strings(key, [value,])
131
132 def _add(self, key, values):
133 modlist = [
134 (ldap.MOD_ADD, key, values),
135 ]
136
137 self._modify(modlist)
138
139 def _add_strings(self, key, values):
140 return self._add(key, [e.encode() for e in values])
141
142 def _add_string(self, key, value):
143 return self._add_strings(key, [value,])
144
145 def _delete(self, key, values):
146 modlist = [
147 (ldap.MOD_DELETE, key, values),
148 ]
149
150 self._modify(modlist)
151
152 def _delete_strings(self, key, values):
153 return self._delete(key, [e.encode() for e in values])
154
155 def _delete_string(self, key, value):
156 return self._delete_strings(key, [value,])
157
158 def _delete_dn(self, dn):
159 logging.debug("Deleting %s" % dn)
160
161 # Authenticate before performing any delete operations
162 self.accounts._authenticate()
163
164 # Run delete operation
165 self.ldap.delete_s(dn)
166
167 @property
168 def objectclasses(self):
169 return self._get_strings("objectClass")
170
171 @staticmethod
172 def _parse_date(s):
173 return datetime.datetime.strptime(s.decode(), "%Y%m%d%H%M%SZ")
174
175
176class Accounts(Object):
177 def init(self):
178 self.search_base = self.settings.get("ldap_search_base")
179
180 def __len__(self):
181 return self._count("(objectClass=person)")
182
183 def __iter__(self):
184 accounts = self._search("(objectClass=person)")
185
186 return iter(sorted(accounts))
187
188 @lazy_property
189 def ldap(self):
190 # Connect to LDAP server
191 ldap_uri = self.settings.get("ldap_uri")
192
193 logging.debug("Connecting to LDAP server: %s" % ldap_uri)
194
195 # Connect to the LDAP server
196 connection = ldap.ldapobject.ReconnectLDAPObject(ldap_uri,
197 trace_level=2 if self.backend.debug else 0,
198 retry_max=sys.maxsize, retry_delay=3)
199
200 # Set maximum timeout for operations
201 connection.set_option(ldap.OPT_TIMEOUT, 10)
202
203 return connection
204
205 def _authenticate(self):
206 # Authenticate against LDAP server using Kerberos
207 self.ldap.sasl_gssapi_bind_s()
208
209 async def test_ldap(self):
210 logging.info("Testing LDAP connection...")
211
212 self._authenticate()
213
214 logging.info("Successfully authenticated as %s" % self.ldap.whoami_s())
215
216 def _query(self, query, attrlist=None, limit=0, search_base=None):
217 logging.debug("Performing LDAP query (%s): %s" \
218 % (search_base or self.search_base, query))
219
220 t = time.time()
221
222 # Ask for up to 512 results being returned at a time
223 page_control = ldap.controls.SimplePagedResultsControl(True, size=512, cookie="")
224
225 results = []
226 pages = 0
227
228 # Perform the search
229 while True:
230 response = self.ldap.search_ext(search_base or self.search_base,
231 ldap.SCOPE_SUBTREE, query, attrlist=attrlist, sizelimit=limit,
232 serverctrls=[page_control],
233 )
234
235 # Fetch all results
236 type, data, rmsgid, serverctrls = self.ldap.result3(response)
237
238 # Append to local copy
239 results += data
240 pages += 1
241
242 controls = [c for c in serverctrls
243 if c.controlType == ldap.controls.SimplePagedResultsControl.controlType]
244
245 if not controls:
246 break
247
248 # Set the cookie for more results
249 page_control.cookie = controls[0].cookie
250
251 # There are no more results
252 if not page_control.cookie:
253 break
254
255 # Log time it took to perform the query
256 logging.debug("Query took %.2fms (%s page(s))" % ((time.time() - t) * 1000.0, pages))
257
258 return results
259
260 def _count(self, query):
261 res = self._query(query, attrlist=["dn"])
262
263 return len(res)
264
265 def _search(self, query, attrlist=None, limit=0):
266 accounts = []
267 for dn, attrs in self._query(query, attrlist=["dn"], limit=limit):
268 account = self.get_by_dn(dn)
269 accounts.append(account)
270
271 return accounts
272
273 def _get_attrs(self, dn):
274 """
275 Fetches all attributes for the given distinguished name
276 """
277 results = self._query("(objectClass=*)", search_base=dn, limit=1,
278 attrlist=("*", "createTimestamp", "modifyTimestamp"))
279
280 for dn, attrs in results:
281 return attrs
282
283 def get_by_dn(self, dn):
284 attrs = self._get_attrs(dn)
285
286 return Account(self.backend, dn, attrs)
287
288 @staticmethod
289 def _format_date(t):
290 return t.strftime("%Y%m%d%H%M%SZ")
291
292 def get_recently_registered(self, limit=None):
293 # Check the last two weeks
294 t = datetime.datetime.utcnow() - datetime.timedelta(days=14)
295
296 # Fetch all accounts created after t
297 accounts = self.get_created_after(t)
298
299 # Order by creation date and put latest first
300 accounts.sort(key=lambda a: a.created_at, reverse=True)
301
302 # Cap at the limit
303 if accounts and limit:
304 accounts = accounts[:limit]
305
306 return accounts
307
308 def get_created_after(self, ts):
309 return self._search("(&(objectClass=person)(createTimestamp>=%s))" % self._format_date(ts))
310
311 def count_created_after(self, ts):
312 return self._count("(&(objectClass=person)(createTimestamp>=%s))" % self._format_date(ts))
313
314 def search(self, query):
315 # Try finding an exact match
316 account = self._search_one(
317 "(&"
318 "(objectClass=person)"
319 "(|"
320 "(uid=%s)"
321 "(mail=%s)"
322 "(mailAlternateAddress=%s)"
323 ")"
324 ")" % (query, query, query))
325 if account:
326 return [account]
327
328 # Otherwise search for a substring match
329 accounts = self._search(
330 "(&"
331 "(objectClass=person)"
332 "(|"
333 "(cn=*%s*)"
334 "(uid=*%s*)"
335 "(displayName=*%s*)"
336 "(mail=*%s*)"
337 ")"
338 ")" % (query, query, query, query))
339
340 return sorted(accounts)
341
342 def _search_one(self, query):
343 results = self._search(query, limit=1)
344
345 for result in results:
346 return result
347
348 def uid_is_valid(self, uid):
349 # https://unix.stackexchange.com/questions/157426/what-is-the-regex-to-validate-linux-users
350 m = re.match(r"^[a-z_][a-z0-9_-]{3,31}$", uid)
351 if m:
352 return True
353
354 return False
355
356 def uid_exists(self, uid):
357 if self.get_by_uid(uid):
358 return True
359
360 res = self.db.get("SELECT 1 FROM account_activations \
361 WHERE uid = %s AND expires_at > NOW()", uid)
362
363 if res:
364 return True
365
366 # Account with uid does not exist, yet
367 return False
368
369 def mail_is_valid(self, mail):
370 username, delim, domain = mail.partition("@")
371
372 # There must be an @ and a domain part
373 if not domain:
374 return False
375
376 # The domain cannot end on a dot
377 if domain.endswith("."):
378 return False
379
380 # The domain should at least have one dot to fully qualified
381 if not "." in domain:
382 return False
383
384 # Looks like a valid email address
385 return True
386
387 def mail_is_blacklisted(self, mail):
388 username, delim, domain = mail.partition("@")
389
390 if domain:
391 return self.domain_is_blacklisted(domain)
392
393 def domain_is_blacklisted(self, domain):
394 res = self.db.get("SELECT TRUE AS found FROM blacklisted_domains \
395 WHERE domain = %s OR %s LIKE '%%.' || domain", domain, domain)
396
397 if res and res.found:
398 return True
399
400 return False
401
402 def get_by_uid(self, uid):
403 return self._search_one("(&(objectClass=person)(uid=%s))" % uid)
404
405 def get_by_mail(self, mail):
406 return self._search_one("(&(objectClass=inetOrgPerson)(mail=%s))" % mail)
407
408 def find_account(self, s):
409 account = self.get_by_uid(s)
410 if account:
411 return account
412
413 return self.get_by_mail(s)
414
415 def get_by_sip_id(self, sip_id):
416 if not sip_id:
417 return
418
419 return self._search_one(
420 "(|(&(objectClass=sipUser)(sipAuthenticationUser=%s))(&(objectClass=sipRoutingObject)(sipLocalAddress=%s)))" \
421 % (sip_id, sip_id))
422
423 def get_by_phone_number(self, number):
424 if not number:
425 return
426
427 return self._search_one(
428 "(&(objectClass=inetOrgPerson)(|(sipAuthenticationUser=%s)(telephoneNumber=%s)(homePhone=%s)(mobile=%s)))" \
429 % (number, number, number, number))
430
431 @property
432 def pending_registrations(self):
433 res = self.db.get("SELECT COUNT(*) AS c FROM account_activations")
434
435 return res.c or 0
436
437 def auth(self, username, password):
438 # Find account
439 account = self.backend.accounts.find_account(username)
440
441 # Check credentials
442 if account and account.check_password(password):
443 return account
444
445 # Registration
446
447 def register(self, uid, email, first_name, last_name, country_code=None):
448 # Convert all uids to lowercase
449 uid = uid.lower()
450
451 # Check if UID is valid
452 if not self.uid_is_valid(uid):
453 raise ValueError("UID is invalid: %s" % uid)
454
455 # Check if UID is unique
456 if self.uid_exists(uid):
457 raise ValueError("UID exists: %s" % uid)
458
459 # Check if the email address is valid
460 if not self.mail_is_valid(email):
461 raise ValueError("Email is invalid: %s" % email)
462
463 # Check if the email address is blacklisted
464 if self.mail_is_blacklisted(email):
465 raise ValueError("Email is blacklisted: %s" % email)
466
467 # Generate a random activation code
468 activation_code = util.random_string(36)
469
470 # Create an entry in our database until the user
471 # has activated the account
472 self.db.execute("INSERT INTO account_activations(uid, activation_code, \
473 email, first_name, last_name, country_code) VALUES(%s, %s, %s, %s, %s, %s)",
474 uid, activation_code, email, first_name, last_name, country_code)
475
476 # Send an account activation email
477 self.backend.messages.send_template("auth/messages/register",
478 priority=100, uid=uid, activation_code=activation_code, email=email,
479 first_name=first_name, last_name=last_name)
480
481 def activate(self, uid, activation_code):
482 res = self.db.get("DELETE FROM account_activations \
483 WHERE uid = %s AND activation_code = %s AND expires_at > NOW() \
484 RETURNING *", uid, activation_code)
485
486 # Return nothing when account was not found
487 if not res:
488 return
489
490 # Return the account if it has already been created
491 account = self.get_by_uid(uid)
492 if account:
493 return account
494
495 # Create a new account on the LDAP database
496 account = self.create(uid, res.email,
497 first_name=res.first_name, last_name=res.last_name,
498 country_code=res.country_code)
499
500 # Non-EU users do not need to consent to promo emails
501 if account.country_code and not account.country_code in countries.EU_COUNTRIES:
502 account.consents_to_promotional_emails = True
503
504 # Send email about account registration
505 self.backend.messages.send_template("people/messages/new-account",
506 account=account)
507
508 # Launch drip campaigns
509 for campaign in ("signup", "christmas"):
510 self.backend.campaigns.launch(campaign, account)
511
512 return account
513
514 def create(self, uid, email, first_name, last_name, country_code=None):
515 cn = "%s %s" % (first_name, last_name)
516
517 # Account Parameters
518 account = {
519 "objectClass" : [b"top", b"person", b"inetOrgPerson"],
520 "mail" : email.encode(),
521
522 # Name
523 "cn" : cn.encode(),
524 "sn" : last_name.encode(),
525 "givenName" : first_name.encode(),
526 }
527
528 logging.info("Creating new account: %s: %s" % (uid, account))
529
530 # Create DN
531 dn = "uid=%s,ou=People,dc=ipfire,dc=org" % uid
532
533 # Create account on LDAP
534 self.accounts._authenticate()
535 self.ldap.add_s(dn, ldap.modlist.addModlist(account))
536
537 # Fetch the account
538 account = self.get_by_dn(dn)
539
540 # Optionally set country code
541 if country_code:
542 account.country_code = country_code
543
544 # Return account
545 return account
546
547 # Session stuff
548
549 def create_session(self, account, host):
550 session_id = util.random_string(64)
551
552 res = self.db.get("INSERT INTO sessions(host, uid, session_id) VALUES(%s, %s, %s) \
553 RETURNING session_id, time_expires", host, account.uid, session_id)
554
555 # Session could not be created
556 if not res:
557 return None, None
558
559 logging.info("Created session %s for %s which expires %s" \
560 % (res.session_id, account, res.time_expires))
561 return res.session_id, res.time_expires
562
563 def destroy_session(self, session_id, host):
564 logging.info("Destroying session %s" % session_id)
565
566 self.db.execute("DELETE FROM sessions \
567 WHERE session_id = %s AND host = %s", session_id, host)
568
569 def get_by_session(self, session_id, host):
570 logging.debug("Looking up session %s" % session_id)
571
572 res = self.db.get("SELECT uid FROM sessions WHERE session_id = %s \
573 AND host = %s AND NOW() BETWEEN time_created AND time_expires",
574 session_id, host)
575
576 # Session does not exist or has expired
577 if not res:
578 return
579
580 # Update the session expiration time
581 self.db.execute("UPDATE sessions SET time_expires = NOW() + INTERVAL '14 days' \
582 WHERE session_id = %s AND host = %s", session_id, host)
583
584 return self.get_by_uid(res.uid)
585
586 def cleanup(self):
587 # Cleanup expired sessions
588 self.db.execute("DELETE FROM sessions WHERE time_expires <= NOW()")
589
590 # Cleanup expired account activations
591 self.db.execute("DELETE FROM account_activations WHERE expires_at <= NOW()")
592
593 # Cleanup expired account password resets
594 self.db.execute("DELETE FROM account_password_resets WHERE expires_at <= NOW()")
595
596 async def _delete(self, *args, **kwargs):
597 """
598 Deletes given users
599 """
600 # Who is deleting?
601 who = self.get_by_uid("ms")
602
603 for uid in args:
604 account = self.get_by_uid(uid)
605
606 # Delete the account
607 with self.db.transaction():
608 await account.delete(who)
609
610 # Discourse
611
612 def decode_discourse_payload(self, payload, signature):
613 # Check signature
614 calculated_signature = self.sign_discourse_payload(payload)
615
616 if not hmac.compare_digest(signature, calculated_signature):
617 raise ValueError("Invalid signature: %s" % signature)
618
619 # Decode the query string
620 qs = base64.b64decode(payload).decode()
621
622 # Parse the query string
623 data = {}
624 for key, val in urllib.parse.parse_qsl(qs):
625 data[key] = val
626
627 return data
628
629 def encode_discourse_payload(self, **args):
630 # Encode the arguments into an URL-formatted string
631 qs = urllib.parse.urlencode(args).encode()
632
633 # Encode into base64
634 return base64.b64encode(qs).decode()
635
636 def sign_discourse_payload(self, payload, secret=None):
637 if secret is None:
638 secret = self.settings.get("discourse_sso_secret")
639
640 # Calculate a HMAC using SHA256
641 h = hmac.new(secret.encode(),
642 msg=payload.encode(), digestmod="sha256")
643
644 return h.hexdigest()
645
646 @property
647 def countries(self):
648 ret = {}
649
650 for country in iso3166.countries:
651 count = self._count("(&(objectClass=person)(st=%s))" % country.alpha2)
652
653 if count:
654 ret[country] = count
655
656 return ret
657
658 async def get_all_emails(self):
659 # Returns all email addresses
660 for dn, attrs in self._query("(objectClass=person)", attrlist=("mail",)):
661 mails = attrs.get("mail", None)
662 if not mails:
663 continue
664
665 for mail in mails:
666 print(mail.decode())
667
668
669class Account(LDAPObject):
670 def __str__(self):
671 if self.nickname:
672 return self.nickname
673
674 return self.name
675
676 def __repr__(self):
677 return "<%s %s>" % (self.__class__.__name__, self.dn)
678
679 def __lt__(self, other):
680 if isinstance(other, self.__class__):
681 return self.name < other.name
682
683 return NotImplemented
684
685 @property
686 def kerberos_principal_dn(self):
687 return "krbPrincipalName=%s@IPFIRE.ORG,cn=IPFIRE.ORG,cn=krb5,dc=ipfire,dc=org" % self.uid
688
689 @lazy_property
690 def kerberos_attributes(self):
691 res = self.backend.accounts._query(
692 "(&(objectClass=krbPrincipal)(krbPrincipalName=%s@IPFIRE.ORG))" % self.uid,
693 attrlist=[
694 "krbLastSuccessfulAuth",
695 "krbLastPasswordChange",
696 "krbLastFailedAuth",
697 "krbLoginFailedCount",
698 ],
699 limit=1,
700 search_base="cn=krb5,%s" % self.backend.accounts.search_base)
701
702 for dn, attrs in res:
703 return { key : attrs[key][0] for key in attrs }
704
705 return {}
706
707 @property
708 def last_successful_authentication(self):
709 try:
710 s = self.kerberos_attributes["krbLastSuccessfulAuth"]
711 except KeyError:
712 return None
713
714 return self._parse_date(s)
715
716 @property
717 def last_failed_authentication(self):
718 try:
719 s = self.kerberos_attributes["krbLastFailedAuth"]
720 except KeyError:
721 return None
722
723 return self._parse_date(s)
724
725 @property
726 def failed_login_count(self):
727 try:
728 count = self.kerberos_attributes["krbLoginFailedCount"].decode()
729 except KeyError:
730 return 0
731
732 try:
733 return int(count)
734 except ValueError:
735 return 0
736
737 def passwd(self, password):
738 """
739 Sets a new password
740 """
741 # The new password must have a score of 3 or better
742 quality = self.check_password_quality(password)
743 if quality["score"] < 3:
744 raise ValueError("Password too weak")
745
746 self.accounts._authenticate()
747 self.ldap.passwd_s(self.dn, None, password)
748
749 def check_password(self, password):
750 """
751 Bind to the server with given credentials and return
752 true if password is corrent and false if not.
753
754 Raises exceptions from the server on any other errors.
755 """
756 if not password:
757 return
758
759 logging.debug("Checking credentials for %s" % self.dn)
760
761 # Check the credentials against the Kerberos database
762 try:
763 kerberos.checkPassword(self.uid, password, "host/%s" % FQDN, "IPFIRE.ORG")
764
765 # Catch any authentication errors
766 except kerberos.BasicAuthError as e:
767 logging.debug("Could not authenticate %s: %s" % (self.uid, e))
768
769 return False
770
771 # Otherwise return True
772 else:
773 logging.info("Successfully authenticated %s" % self)
774
775 return True
776
777 def check_password_quality(self, password):
778 """
779 Passwords are passed through zxcvbn to make sure
780 that they are strong enough.
781 """
782 return zxcvbn.zxcvbn(password, user_inputs=(
783 self.first_name, self.last_name,
784 ))
785
786 def request_password_reset(self, address=None):
787 reset_code = util.random_string(64)
788
789 self.db.execute("INSERT INTO account_password_resets(uid, reset_code, address) \
790 VALUES(%s, %s, %s)", self.uid, reset_code, address)
791
792 # Send a password reset email
793 self.backend.messages.send_template("auth/messages/password-reset",
794 priority=100, account=self, reset_code=reset_code)
795
796 def reset_password(self, reset_code, new_password):
797 # Delete the reset token
798 res = self.db.query("DELETE FROM account_password_resets \
799 WHERE uid = %s AND reset_code = %s AND expires_at >= NOW() \
800 RETURNING *", self.uid, reset_code)
801
802 # The reset code was invalid
803 if not res:
804 raise ValueError("Invalid password reset token for %s: %s" % (self, reset_code))
805
806 # Perform password change
807 return self.passwd(new_password)
808
809 def is_admin(self):
810 return self.is_member_of_group("sudo")
811
812 def is_staff(self):
813 return self.is_member_of_group("staff")
814
815 def is_moderator(self):
816 return self.is_member_of_group("moderators")
817
818 def has_shell(self):
819 return "posixAccount" in self.classes
820
821 def has_mail(self):
822 return "postfixMailUser" in self.classes
823
824 def has_sip(self):
825 return "sipUser" in self.classes or "sipRoutingObject" in self.classes
826
827 def is_blog_author(self):
828 return self.is_member_of_group("blog-authors")
829
830 def is_lwl(self):
831 return self.is_member_of_group("lwl-staff")
832
833 def can_be_managed_by(self, account):
834 """
835 Returns True if account is allowed to manage this account
836 """
837 # Admins can manage all accounts
838 if account.is_admin():
839 return True
840
841 # Users can manage themselves
842 return self == account
843
844 @property
845 def classes(self):
846 return self._get_strings("objectClass")
847
848 @property
849 def uid(self):
850 return self._get_string("uid")
851
852 @property
853 def name(self):
854 return self._get_string("cn")
855
856 # Delete
857
858 async def delete(self, user):
859 """
860 Deletes this user
861 """
862 # Check if this user can be deleted
863 if not self.can_be_deleted_by(user):
864 raise RuntimeError("Cannot delete user %s" % self)
865
866 logging.info("Deleting user %s" % self)
867
868 async with asyncio.TaskGroup() as tasks:
869 t = datetime.datetime.now()
870
871 # Disable this account on Bugzilla
872 tasks.create_task(
873 self._disable_on_bugzilla("Deleted by %s, %s" % (user, t)),
874 )
875
876 # XXX Delete on Discourse
877
878 # Delete on LDAP
879 self._delete()
880
881 def can_be_deleted_by(self, user):
882 """
883 Return True if the user can be deleted by user
884 """
885 # Check permissions
886 if not self.can_be_managed_by(user):
887 return False
888
889 # Cannot delete shell users
890 if self.has_shell():
891 return False
892
893 # Looks okay
894 return True
895
896 def _delete(self):
897 """
898 Deletes this object from LDAP
899 """
900 # Delete the Kerberos Principal
901 self._delete_dn(self.kerberos_principal_dn)
902
903 # Delete this object
904 self._delete_dn(self.dn)
905
906 # Nickname
907
908 def get_nickname(self):
909 return self._get_string("displayName")
910
911 def set_nickname(self, nickname):
912 self._set_string("displayName", nickname)
913
914 nickname = property(get_nickname, set_nickname)
915
916 # First Name
917
918 def get_first_name(self):
919 return self._get_string("givenName")
920
921 def set_first_name(self, first_name):
922 self._set_string("givenName", first_name)
923
924 # Update Common Name
925 self._set_string("cn", "%s %s" % (first_name, self.last_name))
926
927 first_name = property(get_first_name, set_first_name)
928
929 # Last Name
930
931 def get_last_name(self):
932 return self._get_string("sn")
933
934 def set_last_name(self, last_name):
935 self._set_string("sn", last_name)
936
937 # Update Common Name
938 self._set_string("cn", "%s %s" % (self.first_name, last_name))
939
940 last_name = property(get_last_name, set_last_name)
941
942 @lazy_property
943 def groups(self):
944 return self.backend.groups._get_groups("(| \
945 (&(objectClass=groupOfNames)(member=%s)) \
946 (&(objectClass=posixGroup)(memberUid=%s)) \
947 )" % (self.dn, self.uid))
948
949 def is_member_of_group(self, gid):
950 """
951 Returns True if this account is a member of this group
952 """
953 return gid in (g.gid for g in self.groups)
954
955 # Created/Modified at
956
957 @property
958 def created_at(self):
959 return self._get_timestamp("createTimestamp")
960
961 @property
962 def modified_at(self):
963 return self._get_timestamp("modifyTimestamp")
964
965 # Address
966
967 @property
968 def address(self):
969 address = []
970
971 if self.street:
972 address += self.street.splitlines()
973
974 if self.postal_code and self.city:
975 if self.country_code in ("AT", "DE"):
976 address.append("%s %s" % (self.postal_code, self.city))
977 else:
978 address.append("%s, %s" % (self.city, self.postal_code))
979 else:
980 address.append(self.city or self.postal_code)
981
982 if self.country_name:
983 address.append(self.country_name)
984
985 return [line for line in address if line]
986
987 def get_street(self):
988 return self._get_string("street") or self._get_string("homePostalAddress")
989
990 def set_street(self, street):
991 self._set_string("street", street)
992
993 street = property(get_street, set_street)
994
995 def get_city(self):
996 return self._get_string("l") or ""
997
998 def set_city(self, city):
999 self._set_string("l", city)
1000
1001 city = property(get_city, set_city)
1002
1003 def get_postal_code(self):
1004 return self._get_string("postalCode") or ""
1005
1006 def set_postal_code(self, postal_code):
1007 self._set_string("postalCode", postal_code)
1008
1009 postal_code = property(get_postal_code, set_postal_code)
1010
1011 # XXX This should be c
1012 def get_country_code(self):
1013 return self._get_string("st")
1014
1015 def set_country_code(self, country_code):
1016 self._set_string("st", country_code)
1017
1018 country_code = property(get_country_code, set_country_code)
1019
1020 @property
1021 def country_name(self):
1022 if self.country_code:
1023 return self.backend.get_country_name(self.country_code)
1024
1025 @property
1026 def email(self):
1027 return self._get_string("mail")
1028
1029 @property
1030 def email_to(self):
1031 return "%s <%s>" % (self, self.email)
1032
1033 @lazy_property
1034 def alternate_email_addresses(self):
1035 addresses = self._get_strings("mailAlternateAddress")
1036
1037 return sorted(addresses)
1038
1039 # Mail Routing Address
1040
1041 def get_mail_routing_address(self):
1042 return self._get_string("mailRoutingAddress", None)
1043
1044 def set_mail_routing_address(self, address):
1045 self._set_string("mailRoutingAddress", address or None)
1046
1047 mail_routing_address = property(get_mail_routing_address, set_mail_routing_address)
1048
1049 @property
1050 def sip_id(self):
1051 if "sipUser" in self.classes:
1052 return self._get_string("sipAuthenticationUser")
1053
1054 if "sipRoutingObject" in self.classes:
1055 return self._get_string("sipLocalAddress")
1056
1057 @property
1058 def sip_password(self):
1059 return self._get_string("sipPassword")
1060
1061 @staticmethod
1062 def _generate_sip_password():
1063 return util.random_string(8)
1064
1065 @property
1066 def sip_url(self):
1067 return "%s@ipfire.org" % self.sip_id
1068
1069 def uses_sip_forwarding(self):
1070 if self.sip_routing_address:
1071 return True
1072
1073 return False
1074
1075 # SIP Routing
1076
1077 def get_sip_routing_address(self):
1078 if "sipRoutingObject" in self.classes:
1079 return self._get_string("sipRoutingAddress")
1080
1081 def set_sip_routing_address(self, address):
1082 if not address:
1083 address = None
1084
1085 # Don't do anything if nothing has changed
1086 if self.get_sip_routing_address() == address:
1087 return
1088
1089 if address:
1090 # This is no longer a SIP user any more
1091 try:
1092 self._modify([
1093 (ldap.MOD_DELETE, "objectClass", b"sipUser"),
1094 (ldap.MOD_DELETE, "sipAuthenticationUser", None),
1095 (ldap.MOD_DELETE, "sipPassword", None),
1096 ])
1097 except ldap.NO_SUCH_ATTRIBUTE:
1098 pass
1099
1100 # Set new routing object
1101 try:
1102 self._modify([
1103 (ldap.MOD_ADD, "objectClass", b"sipRoutingObject"),
1104 (ldap.MOD_ADD, "sipLocalAddress", self.sip_id.encode()),
1105 (ldap.MOD_ADD, "sipRoutingAddress", address.encode()),
1106 ])
1107
1108 # If this is a change, we cannot add this again
1109 except ldap.TYPE_OR_VALUE_EXISTS:
1110 self._set_string("sipRoutingAddress", address)
1111 else:
1112 try:
1113 self._modify([
1114 (ldap.MOD_DELETE, "objectClass", b"sipRoutingObject"),
1115 (ldap.MOD_DELETE, "sipLocalAddress", None),
1116 (ldap.MOD_DELETE, "sipRoutingAddress", None),
1117 ])
1118 except ldap.NO_SUCH_ATTRIBUTE:
1119 pass
1120
1121 self._modify([
1122 (ldap.MOD_ADD, "objectClass", b"sipUser"),
1123 (ldap.MOD_ADD, "sipAuthenticationUser", self.sip_id.encode()),
1124 (ldap.MOD_ADD, "sipPassword", self._generate_sip_password().encode()),
1125 ])
1126
1127 # XXX Cache is invalid here
1128
1129 sip_routing_address = property(get_sip_routing_address, set_sip_routing_address)
1130
1131 # SIP Registrations
1132
1133 async def get_sip_registrations(self):
1134 if not self.has_sip():
1135 return []
1136
1137 return await self.backend.asterisk.get_registrations(self.sip_id)
1138
1139 # SIP Channels
1140
1141 async def get_sip_channels(self):
1142 if not self.has_sip():
1143 return []
1144
1145 return await self.backend.asterisk.get_sip_channels(self.sip_id)
1146
1147 # Phone Numbers
1148
1149 @lazy_property
1150 def phone_number(self):
1151 """
1152 Returns the IPFire phone number
1153 """
1154 if self.sip_id:
1155 return phonenumbers.parse("+4923636035%s" % self.sip_id)
1156
1157 @lazy_property
1158 def fax_number(self):
1159 if self.sip_id:
1160 return phonenumbers.parse("+49236360359%s" % self.sip_id)
1161
1162 def get_phone_numbers(self):
1163 ret = []
1164
1165 for field in ("telephoneNumber", "homePhone", "mobile"):
1166 for number in self._get_phone_numbers(field):
1167 ret.append(number)
1168
1169 return ret
1170
1171 def set_phone_numbers(self, phone_numbers):
1172 # Sort phone numbers by landline and mobile
1173 _landline_numbers = []
1174 _mobile_numbers = []
1175
1176 for number in phone_numbers:
1177 try:
1178 number = phonenumbers.parse(number, None)
1179 except phonenumbers.phonenumberutil.NumberParseException:
1180 continue
1181
1182 # Convert to string (in E.164 format)
1183 s = phonenumbers.format_number(number, phonenumbers.PhoneNumberFormat.E164)
1184
1185 # Separate mobile numbers
1186 if phonenumbers.number_type(number) == phonenumbers.PhoneNumberType.MOBILE:
1187 _mobile_numbers.append(s)
1188 else:
1189 _landline_numbers.append(s)
1190
1191 # Save
1192 self._set_strings("telephoneNumber", _landline_numbers)
1193 self._set_strings("mobile", _mobile_numbers)
1194
1195 phone_numbers = property(get_phone_numbers, set_phone_numbers)
1196
1197 @property
1198 def _all_telephone_numbers(self):
1199 ret = [ self.sip_id, ]
1200
1201 if self.phone_number:
1202 s = phonenumbers.format_number(self.phone_number, phonenumbers.PhoneNumberFormat.E164)
1203 ret.append(s)
1204
1205 for number in self.phone_numbers:
1206 s = phonenumbers.format_number(number, phonenumbers.PhoneNumberFormat.E164)
1207 ret.append(s)
1208
1209 return ret
1210
1211 # Description
1212
1213 def get_description(self):
1214 return self._get_string("description")
1215
1216 def set_description(self, description):
1217 self._set_string("description", description)
1218
1219 description = property(get_description, set_description)
1220
1221 # Avatar
1222
1223 @property
1224 def avatar_hash(self):
1225 payload = (
1226 self.uid,
1227 "%s" % self.modified_at,
1228 )
1229
1230 # String the payload together
1231 payload = "-".join(payload)
1232
1233 # Run MD5() over the payload
1234 h = hashlib.new("md5", payload.encode())
1235
1236 return h.hexdigest()[:7]
1237
1238 def avatar_url(self, size=None, absolute=False):
1239 # This cannot be async because we are calling it from the template engine
1240 url = "/users/%s.jpg?h=%s" % (self.uid, self.avatar_hash)
1241
1242 # Return an absolute URL
1243 if absolute:
1244 url = urllib.parse.urljoin("https://www.ipfire.org", url)
1245
1246 if size:
1247 url += "&size=%s" % size
1248
1249 return url
1250
1251 async def get_avatar(self, size=None):
1252 photo = self._get_bytes("jpegPhoto")
1253
1254 # Exit if no avatar is available
1255 if not photo:
1256 return
1257
1258 # Return the raw image if no size was requested
1259 if size is None:
1260 return photo
1261
1262 # Try to retrieve something from the cache
1263 avatar = await self.backend.cache.get("accounts:%s:avatar:%s" % (self.dn, size))
1264 if avatar:
1265 return avatar
1266
1267 # Generate a new thumbnail
1268 avatar = util.generate_thumbnail(photo, size, square=True)
1269
1270 # Save to cache for 15m
1271 await self.backend.cache.set("accounts:%s:avatar:%s" % (self.dn, size), avatar, 900)
1272
1273 return avatar
1274
1275 def upload_avatar(self, avatar):
1276 self._set("jpegPhoto", avatar)
1277
1278 # Consent to promotional emails
1279
1280 def get_consents_to_promotional_emails(self):
1281 return self.is_member_of_group("promotional-consent")
1282
1283 def set_contents_to_promotional_emails(self, value):
1284 group = self.backend.groups.get_by_gid("promotional-consent")
1285 assert group, "Could not find group: promotional-consent"
1286
1287 if value is True:
1288 group.add_member(self)
1289 else:
1290 group.del_member(self)
1291
1292 consents_to_promotional_emails = property(
1293 get_consents_to_promotional_emails,
1294 set_contents_to_promotional_emails,
1295 )
1296
1297 # Bugzilla
1298
1299 async def _disable_on_bugzilla(self, text=None):
1300 """
1301 Disables the user on Bugzilla
1302 """
1303 user = await self.backend.bugzilla.get_user(self.email)
1304
1305 # Do nothing if the user does not exist
1306 if not user:
1307 return
1308
1309 # Disable the user
1310 await user.disable(text)
1311
1312 # Mailman
1313
1314 async def get_lists(self):
1315 return await self.backend.lists.get_subscribed_lists(self)
1316
1317
1318class Groups(Object):
1319 hidden_groups = (
1320 "cn=LDAP Read Only,ou=Group,dc=ipfire,dc=org",
1321 "cn=LDAP Read Write,ou=Group,dc=ipfire,dc=org",
1322
1323 # Everyone is a member of people
1324 "cn=people,ou=Group,dc=ipfire,dc=org",
1325 )
1326
1327 @property
1328 def search_base(self):
1329 return "ou=Group,%s" % self.backend.accounts.search_base
1330
1331 def _query(self, *args, **kwargs):
1332 kwargs.update({
1333 "search_base" : self.backend.groups.search_base,
1334 })
1335
1336 return self.backend.accounts._query(*args, **kwargs)
1337
1338 def __iter__(self):
1339 groups = self.get_all()
1340
1341 return iter(groups)
1342
1343 def _get_groups(self, query, **kwargs):
1344 res = self._query(query, **kwargs)
1345
1346 groups = []
1347 for dn, attrs in res:
1348 # Skip any hidden groups
1349 if dn in self.hidden_groups:
1350 continue
1351
1352 g = Group(self.backend, dn, attrs)
1353 groups.append(g)
1354
1355 return sorted(groups)
1356
1357 def _get_group(self, query, **kwargs):
1358 kwargs.update({
1359 "limit" : 1,
1360 })
1361
1362 groups = self._get_groups(query, **kwargs)
1363 if groups:
1364 return groups[0]
1365
1366 def get_all(self):
1367 return self._get_groups(
1368 "(|(objectClass=posixGroup)(objectClass=groupOfNames))",
1369 )
1370
1371 def get_by_gid(self, gid):
1372 return self._get_group(
1373 "(&(|(objectClass=posixGroup)(objectClass=groupOfNames))(cn=%s))" % gid,
1374 )
1375
1376
1377class Group(LDAPObject):
1378 def __repr__(self):
1379 if self.description:
1380 return "<%s %s (%s)>" % (
1381 self.__class__.__name__,
1382 self.gid,
1383 self.description,
1384 )
1385
1386 return "<%s %s>" % (self.__class__.__name__, self.gid)
1387
1388 def __str__(self):
1389 return self.description or self.gid
1390
1391 def __lt__(self, other):
1392 if isinstance(other, self.__class__):
1393 return (self.description or self.gid) < (other.description or other.gid)
1394
1395 return NotImplemented
1396
1397 def __bool__(self):
1398 return True
1399
1400 def __len__(self):
1401 """
1402 Returns the number of members in this group
1403 """
1404 l = 0
1405
1406 for attr in ("member", "memberUid"):
1407 a = self.attributes.get(attr, None)
1408 if a:
1409 l += len(a)
1410
1411 return l
1412
1413 def __iter__(self):
1414 return iter(self.members)
1415
1416 @property
1417 def gid(self):
1418 return self._get_string("cn")
1419
1420 @property
1421 def description(self):
1422 return self._get_string("description")
1423
1424 @property
1425 def email(self):
1426 return self._get_string("mail")
1427
1428 @lazy_property
1429 def members(self):
1430 members = []
1431
1432 # Get all members by DN
1433 for dn in self._get_strings("member"):
1434 member = self.backend.accounts.get_by_dn(dn)
1435 if member:
1436 members.append(member)
1437
1438 # Get all members by UID
1439 for uid in self._get_strings("memberUid"):
1440 member = self.backend.accounts.get_by_uid(uid)
1441 if member:
1442 members.append(member)
1443
1444 return sorted(members)
1445
1446 def add_member(self, account):
1447 """
1448 Adds a member to this group
1449 """
1450 # Do nothing if this user is already in the group
1451 if account.is_member_of_group(self.gid):
1452 return
1453
1454 if "posixGroup" in self.objectclasses:
1455 self._add_string("memberUid", account.uid)
1456 else:
1457 self._add_string("member", account.dn)
1458
1459 # Append to cached list of members
1460 self.members.append(account)
1461 self.members.sort()
1462
1463 def del_member(self, account):
1464 """
1465 Removes a member from a group
1466 """
1467 # Do nothing if this user is not in the group
1468 if not account.is_member_of_group(self.gid):
1469 return
1470
1471 if "posixGroup" in self.objectclasses:
1472 self._delete_string("memberUid", account.uid)
1473 else:
1474 self._delete_string("member", account.dn)
1475
1476
1477if __name__ == "__main__":
1478 a = Accounts()
1479
1480 print(a.list())
The website of ipfire.org.