Merge 9042f2c into 0bf880e

collective · Jun 10, 2020 · faccbfb · faccbfb
2 parents 0bf880e + 9042f2c
commit faccbfb
Show file tree

Hide file tree

Showing 16 changed files with 76 additions and 65 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -26,8 +26,8 @@ matrix:
 sudo: true
 install:
   - pip install -r requirements-${PLONE_VERSION}.txt
-  - buildout -Nc buildout-${PLONE_VERSION}.cfg buildout:download-cache=downloads code-analysis:return-status-codes=True annotate
-  - buildout -Nc buildout-${PLONE_VERSION}.cfg buildout:download-cache=downloads code-analysis:return-status-codes=True
+  - buildout -Nc buildout-${PLONE_VERSION}.cfg buildout:download-cache=downloads code-analysis:return-status-codes=True "parts=test code-analysis coverage test-coverage testldap" annotate
+  - buildout -Nc buildout-${PLONE_VERSION}.cfg buildout:download-cache=downloads code-analysis:return-status-codes=True "parts=test code-analysis coverage test-coverage testldap"
 script:
   - bin/code-analysis
   - bin/test

diff --git a/CHANGES.rst b/CHANGES.rst
@@ -2,11 +2,16 @@
 History
 =======
 
-1.7.3 (unreleased)
+1.8.0 (unreleased)
 ------------------
 
-- Nothing changed yet.
+Features:
 
+- Support for nested groups in AD using LDAP_MATCHING_RULE_IN_CHAIN.
+  [pbauer]
+
+- Support for plugin-external group DNs when using memberOf attribute.
+  [jensens]
 
 1.7.2 (2020-02-21)
 ------------------

diff --git a/TODO.rst b/TODO.rst
@@ -15,7 +15,7 @@ Milestone 2.0
 - modes for only groups or only users from ldap
 - SSL/TLS configuration TTW
 - creation defaults TTW
-- group in group (depends on: node.ext.ldap: group.groups support) (Done in 1.7.3)
+- group in group (depends on: node.ext.ldap: group.groups support) (Done for AD in 1.8.0)
 - roles from ldap
 - Option on LDAP inspector whether to use query filters from users and
   groups config
diff --git a/base.cfg b/base.cfg
@@ -8,6 +8,7 @@ parts +=
     test-coverage
     releaser
     code-analysis
+    vscode
 
 develop = .
 unzip = true
@@ -63,6 +64,7 @@ eggs = zest.releaser[recommended]
 [test]
 recipe = zc.recipe.testrunner
 eggs =
+    ${python-ldap:egg}
     pas.plugins.ldap[test]
 
 environment = testenv
@@ -95,3 +97,11 @@ recipe = collective.recipe.omelette
 eggs =
     ${plone:eggs}
 ignore-develop = true
+
+[vscode]
+recipe = collective.recipe.vscode
+eggs = ${test:eggs}
+flake8-enabled = false
+black-enabled = true
+generate-envfile = true
+
diff --git a/buildout-5.1.x.cfg b/buildout-5.1.x.cfg
@@ -1,5 +1,5 @@
 [buildout]
 extends =
     base.cfg
-    http://dist.plone.org/release/5.1-latest/versions.cfg
+    https://dist.plone.org/release/5.1-latest/versions.cfg
     versions.cfg
diff --git a/buildout-5.2.x.cfg b/buildout-5.2.x.cfg
@@ -1,5 +1,5 @@
 [buildout]
 extends =
     base.cfg
-    http://dist.plone.org/release/5.2-latest/versions.cfg
+    https://dist.plone.org/release/5.2-latest/versions.cfg
     versions.cfg
diff --git a/coredev-5.2.cfg b/coredev-5.2.cfg
diff --git a/ldap.cfg b/ldap.cfg
@@ -7,7 +7,7 @@ parts +=
 # this build needs (on debian based systems):
 # apt-get install libssl-dev
 recipe = zc.recipe.cmmi>=2.0.0
-url = http://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.47.tgz
+url = https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.49.tgz
 extra_options = --with-tls --enable-slapd=yes --enable-overlays --disable-bdb --disable-hdb CPPFLAGS=-D_GNU_SOURCE
 shared = true
 

diff --git a/setup.py b/setup.py
@@ -4,7 +4,7 @@
 import os
 
 
-version = "1.7.3.dev0"
+version = "1.8.0.dev0"
 shortdesc = "LDAP/AD Plugin for Plone/Zope PluggableAuthService (users+groups)"
 longdesc = open(os.path.join(os.path.dirname(__file__), "README.rst")).read()
 longdesc += open(os.path.join(os.path.dirname(__file__), "TODO.rst")).read()
@@ -51,7 +51,7 @@
         "bda.cache",
         "five.globalrequest",
         "node",
-        "node.ext.ldap>=1.0b9",
+        "node.ext.ldap>=1.0b12",
         "odict",
         "plone.registry",
         "Products.CMFCore",
@@ -63,7 +63,7 @@
         "setuptools",
         "six",
         "yafowil>=2.3.1",
-        "yafowil.plone>=3.0.0",
+        "yafowil.plone>=4.0.0a3",
         "yafowil.widget.array",
         "yafowil.widget.dict",
         "yafowil.yaml",

diff --git a/src/pas/plugins/ldap/defaults.py b/src/pas/plugins/ldap/defaults.py
@@ -26,6 +26,8 @@
     "users.objectClasses": ["inetOrgPerson"],
     "users.defaults": {},
     "users.memberOfSupport": False,
+    "users.recursiveGroups": False,
+    "users.memberOfExternalGroupDNs": [],
     "users.account_expiration": False,
     "users.expires_attr": "shadowExpire",
     "users.expires_unit": 0,
@@ -41,6 +43,8 @@
     "groups.objectClasses": ["groupOfNames"],
     "groups.defaults": {},
     "groups.memberOfSupport": False,
+    "groups.recursiveGroups": False,
+    "groups.memberOfExternalGroupDNs": [],
     "groups.expires_attr": "unused",
     "groups.expires_unit": 0,
 }
diff --git a/src/pas/plugins/ldap/plonecontrolpanel/profiles/base/ldapsettings.xml b/src/pas/plugins/ldap/plonecontrolpanel/profiles/base/ldapsettings.xml
@@ -32,6 +32,9 @@
  <element key="users.baseDN"
     type="string">ou=users,ou=groupOfNames_10_10,dc=my-domain,dc=com</element>
  <element key="users.memberOfSupport" type="bool">False</element>
+ <element key="users.recursiveGroups" type="bool">False</element>
+ <element key="users.memberOfExternalGroupDNs" type="list">
+ </element>
  <element key="users.account_expiration" type="bool">False</element>
  <element key="users.expires_attr" type="string">shadowExpire</element>
  <element key="users.expires_unit" type="int">0</element>

diff --git a/src/pas/plugins/ldap/plugin.py b/src/pas/plugins/ldap/plugin.py
@@ -94,7 +94,7 @@ def _wrapper(self, *args, **kwargs):
             except Exception as e:
                 self._v_ldaperror_msg = str(e)
                 self._v_ldaperror_timeout = time.time()
-                logger.exception("Error in {0} -> {1}".format(prefix))
+                logger.exception("Error in {0}".format(prefix))
                 return default
 
         return _wrapper
@@ -323,20 +323,16 @@ def getGroupsForPrincipal(self, principal, request=None):
         if not users:
             return default
         try:
-            _principal = self.users[principal.getId()]
+            ugm_principal = self.users[principal.getId()]
         except KeyError:
             # XXX: that's where group in group will happen, but so far
             # group nodes do not provide membership info so we just
             # return if there is no user
             return default
-        if self.groups:
-            # XXX: provide group_ids function in UGM! Way too calculation-heavy
-            #      now
-            try:
-                return [_.id for _ in _principal.groups]
-            except Exception:
-                logger.exception("Problems with groups settings!")
-                return default
+        try:
+            return ugm_principal.group_ids
+        except Exception:
+            logger.exception("Problems getting group_ids!")
         return default
 
     # ##
@@ -667,8 +663,6 @@ def allowGroupRemove(self, principal_id, group_id):
     # plonepas_interfaces.capabilities.IGroupIntrospection
     # (plone ui specific)
 
-    # XXX: why dont we have security declarations here?
-
     @security.public
     def getGroupById(self, group_id):
         """

diff --git a/src/pas/plugins/ldap/properties.py b/src/pas/plugins/ldap/properties.py
@@ -146,6 +146,8 @@ def fetch(name, default=UNSET):
         objectClasses = fetch("users.object_classes")
         users.objectClasses = objectClasses
         users.memberOfSupport = fetch("users.memberOfSupport")
+        users.recursiveGroups = fetch("users.recursiveGroups")
+        users.memberOfExternalGroupDNs = fetch("users.memberOfExternalGroupDNs")
         users.account_expiration = fetch("users.account_expiration")
         users._expiresAttr = fetch("users.expires_attr")
         users._expiresUnit = int(fetch("users.expires_unit", 0))
@@ -162,7 +164,8 @@ def fetch(name, default=UNSET):
         objectClasses = fetch("groups.object_classes")
         groups.objectClasses = objectClasses
         groups.memberOfSupport = fetch("groups.memberOfSupport")
-        users.attrmap
+        groups.recursiveGroups = False
+        groups.memberOfExternalGroupDNs = []
 
     def userpassanon_extractor(self, widget, data):
         if not data.extracted or data["anonymous"].extracted:
@@ -293,6 +296,8 @@ def __init__(self, plugin):
     objectClasses = propproxy("users.objectClasses")
     defaults = propproxy("users.defaults")
     memberOfSupport = propproxy("users.memberOfSupport")
+    recursiveGroups = propproxy("users.recursiveGroups")
+    memberOfExternalGroupDNs = propproxy("users.memberOfExternalGroupDNs")
     account_expiration = propproxy("users.account_expiration")
     _expiresAttr = propproxy("users.expires_attr")
     _expiresUnit = propproxy("users.expires_unit")
@@ -321,5 +326,7 @@ def __init__(self, plugin):
     objectClasses = propproxy("groups.objectClasses")
     defaults = propproxy("groups.defaults")
     memberOfSupport = propproxy("groups.memberOfSupport")
+    recursiveGroups = propproxy("groups.recursiveGroups")
+    memberOfExternalGroupDNs = propproxy("groups.memberOfExternalGroupDNs")
     expiresAttr = propproxy("groups.expires_attr")
     expiresUnit = propproxy("groups.expires_unit")
diff --git a/src/pas/plugins/ldap/properties.yaml b/src/pas/plugins/ldap/properties.yaml
@@ -88,6 +88,21 @@ widgets:
         value: expr:context.users.memberOfSupport
         props:
             label: memberOf attribute supported?
+    - recursiveGroups:
+        factory: '#field:checkbox'
+        value: expr:context.users.recursiveGroups
+        props:
+            label: Support recursive/nested groups?
+            help: If your LDAP/AD supports it this will use LDAP_MATCHING_RULE_IN_CHAIN. By default only AD supports this.
+    - memberOfExternalGroupDNs:
+        factory: '#array'
+        value: expr:context.users.memberOfExternalGroupDNs
+        props:
+            array.help: "Group DNs outside of the groups base DN are ignored, except if listed here"
+            array.label: memberOf external allowed Group DNs
+        widgets:
+            - dn:
+                factory: field:text
     - account_expiration:
         factory: '#field:checkbox'
         value: expr:context.users.account_expiration

diff --git a/travis.cfg b/travis.cfg
diff --git a/versions.cfg b/versions.cfg
@@ -1,22 +1,21 @@
 [buildout]
+show-picked-versions = true
+
 extensions = mr.developer
 sources-dir = ${buildout:directory}/devsrc
 always-checkout = force
-auto-checkout = *
-show-picked-versions = true
-
 auto-checkout +=
-#     node
-    node.ext.ldap
+#    node
+#    node.ext.ldap
 #    node.ext.ugm
-#     yafowil
-#     yafowil.plone
-#     yafowil.widget.array
-#     yafowil.widget.dict
+#    yafowil
+#    yafowil.plone
+#    yafowil.widget.array
+#    yafowil.widget.dict
 
 [versions]
 # Test
-plone.recipe.codeanalysis = >=2.1
+plone.recipe.codeanalysis = >=3.0.1
 flake8 = >=2.3.0
 coverage = 3.7.1
 
@@ -25,13 +24,17 @@ Sphinx = >=1.3.1
 docutils = >=0.12
 Pygments = >=2.0.2
 
+[versions:python27]
+configparser = 4.0.2
+zipp = 1.2
+
 [repo]
 rw = git@github.com:bluedynamics
 ro = https://github.com/bluedynamics
 
 [sources]
 # node                 = git ${repo:ro}/node.git pushurl=${repo:rw}/node.git
-node.ext.ldap        = git ${repo:ro}/node.ext.ldap.git pushurl=${repo:rw}/node.ext.ldap.git
+# node.ext.ldap        = git ${repo:ro}/node.ext.ldap.git pushurl=${repo:rw}/node.ext.ldap.git
 # node.ext.ugm         = git ${repo:ro}/node.ext.ugm.git pushurl=${repo:rw}/node.ext.ugm.git
 # yafowil              = git ${repo:ro}/yafowil.git pushurl=${repo:rw}/yafowil.git
 # yafowil.plone        = git ${repo:ro}/yafowil.plone.git pushurl=${repo:rw}/yafowil.plone.git