compat zope-2.12
[GroupUserFolder.git] / LDAPUserFolderAdapter.py
1 # -*- coding: utf-8 -*-
2 ## GroupUserFolder
3 ## Copyright (C)2006 Ingeniweb
4
5 ## This program is free software; you can redistribute it and/or modify
6 ## it under the terms of the GNU General Public License as published by
7 ## the Free Software Foundation; either version 2 of the License, or
8 ## (at your option) any later version.
9
10 ## This program is distributed in the hope that it will be useful,
11 ## but WITHOUT ANY WARRANTY; without even the implied warranty of
12 ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 ## GNU General Public License for more details.
14
15 ## You should have received a copy of the GNU General Public License
16 ## along with this program; see the file COPYING. If not, write to the
17 ## Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
18 """
19
20 """
21 __version__ = "$Revision: $"
22 # $Source: $
23 # $Id: LDAPUserFolderAdapter.py 587 2008-07-31 09:20:06Z pin $
24 __docformat__ = 'restructuredtext'
25
26
27 from global_symbols import *
28 from Products.GroupUserFolder import postonly
29
30
31 # These mandatory attributes are required by LDAP schema.
32 # They will be filled with user name as a default value.
33 # You have to provide a gruf_ldap_required_fields python script
34 # in your Plone's skins if you want to override this.
35 MANDATORY_ATTRIBUTES = ("sn", "cn", )
36
37
38 def _doAddUser(self, name, password, roles, domains, **kw):
39 """
40 Special user adding method for use with LDAPUserFolder.
41 This will ensure parameters are correct for LDAP management
42 """
43 kwargs = {} # We will pass this dict
44 attrs = {}
45
46 # Get gruf_ldap_required_fields result and fill in mandatory stuff
47 if hasattr(self, "gruf_ldap_required_fields"):
48 attrs = self.gruf_ldap_required_fields(login = name)
49 else:
50 for attr in MANDATORY_ATTRIBUTES:
51 attrs[attr] = name
52 kwargs.update(attrs)
53
54 # We assume that name is rdn attribute
55 rdn_attr = self._rdnattr
56 kwargs[rdn_attr] = name
57
58 # Manage password(s)
59 kwargs['user_pw'] = password
60 kwargs['confirm_pw'] = password
61
62 # Mangle roles
63 kwargs['user_roles'] = self._mangleRoles(name, roles)
64
65 # Delegate to LDAPUF default method
66 msg = self.manage_addUser(kwargs = kwargs)
67 if msg:
68 raise RuntimeError, msg
69
70
71 def _doDelUsers(self, names):
72 """
73 Remove a bunch of users from LDAP.
74 We have to call manage_deleteUsers but, before, we need to find their dn.
75 """
76 dns = []
77 for name in names:
78 dns.append(self._find_user_dn(name))
79
80 self.manage_deleteUsers(dns)
81
82
83 def _find_user_dn(self, name):
84 """
85 Convert a name to an LDAP dn
86 """
87 # Search records matching name
88 login_attr = self._login_attr
89 v = self.findUser(search_param = login_attr, search_term = name)
90
91 # Filter to keep exact matches only
92 v = filter(lambda x: x[login_attr] == name, v)
93
94 # Now, decide what to do
95 l = len(v)
96 if not l:
97 # Invalid name
98 raise "Invalid user name: '%s'" % (name, )
99 elif l > 1:
100 # Several records... don't know how to handle
101 raise "Duplicate user name for '%s'" % (name, )
102 return v[0]['dn']
103
104
105 def _mangleRoles(self, name, roles):
106 """
107 Return role_dns for this user
108 """
109 # Local groups => the easiest part
110 if self._local_groups:
111 return roles
112
113 # We have to transform roles into group dns: transform them as a dict
114 role_dns = []
115 all_groups = self.getGroups()
116 all_roles = self.valid_roles()
117 groups = {}
118 for g in all_groups:
119 groups[g[0]] = g[1]
120
121 # LDAPUF does the mistake of adding possibly invalid roles to the user roles
122 # (for example, adding the cn of a group additionnaly to the mapped zope role).
123 # So we must remove from our 'roles' list all roles which are prefixed by group prefix
124 # but are not actually groups.
125 # See http://www.dataflake.org/tracker/issue_00376 for more information on that
126 # particular issue.
127 # If a group has the same name as a role, we assume that it should be a _role_.
128 # We should check against group/role mapping here, but... well... XXX TODO !
129 # See "HERE IT IS" comment below.
130
131 # Scan roles we are asking for to manage groups correctly
132 for role in roles:
133 if not role in all_roles:
134 continue # Do not allow propagation of invalid roles
135 if role.startswith(GROUP_PREFIX):
136 role = role[GROUP_PREFIX_LEN:] # Remove group prefix : groups are stored WITHOUT prefix in LDAP
137 if role in all_roles:
138 continue # HERE IT IS
139 r = groups.get(role, None)
140 if not r:
141 Log(LOG_WARNING, "LDAP Server doesn't provide a '%s' group (required for user '%s')." % (role, name, ))
142 else:
143 role_dns.append(r)
144
145 return role_dns
146
147
148 def _doChangeUser(self, name, password, roles, domains, **kw):
149 """
150 Update a user
151 """
152 # Find the dn at first
153 dn = self._find_user_dn(name)
154
155 # Change password
156 if password is not None:
157 if password == '':
158 raise ValueError, "Password must not be empty for LDAP users."
159 self.manage_editUserPassword(dn, password)
160
161 # Perform role change
162 self.manage_editUserRoles(dn, self._mangleRoles(name, roles))
163
164 # (No domain management with LDAP.)
165
166
167 def manage_editGroupRoles(self, user_dn, role_dns=[], REQUEST=None):
168 """ Edit the roles (groups) of a group """
169 from Products.LDAPUserFolder.utils import GROUP_MEMBER_MAP
170 try:
171 from Products.LDAPUserFolder.LDAPDelegate import ADD, DELETE
172 except ImportError:
173 # Support for LDAPUserFolder >= 2.6
174 ADD = self._delegate.ADD
175 DELETE = self._delegate.DELETE
176
177 msg = ""
178
179 ## Log(LOG_DEBUG, "assigning", role_dns, "to", user_dn)
180 all_groups = self.getGroups(attr='dn')
181 cur_groups = self.getGroups(dn=user_dn, attr='dn')
182 group_dns = []
183 for group in role_dns:
184 if group.find('=') == -1:
185 group_dns.append('cn=%s,%s' % (group, self.groups_base))
186 else:
187 group_dns.append(group)
188
189 if self._local_groups:
190 if len(role_dns) == 0:
191 del self._groups_store[user_dn]
192 else:
193 self._groups_store[user_dn] = role_dns
194
195 else:
196 for group in all_groups:
197 member_attr = GROUP_MEMBER_MAP.get(self.getGroupType(group))
198
199 if group in cur_groups and group not in group_dns:
200 action = DELETE
201 elif group in group_dns and group not in cur_groups:
202 action = ADD
203 else:
204 action = None
205 if action is not None:
206 msg = self._delegate.modify(
207 group
208 , action
209 , {member_attr : [user_dn]}
210 )
211 ## Log(LOG_DEBUG, "group", group, "subgroup", user_dn, "result", msg)
212
213 if msg:
214 raise RuntimeError, msg
215 manage_editGroupRoles = postonly(manage_editGroupRoles)