/
ldap.py
386 lines (337 loc) · 15.6 KB
/
ldap.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""LDAP methods module."""
from hvac import exceptions
from hvac.api.vault_api_base import VaultApiBase
from hvac.constants.ldap import DEFAULT_GROUP_FILTER
DEFAULT_MOUNT_POINT = 'ldap'
class Ldap(VaultApiBase):
"""LDAP Auth Method (API).
Reference: https://www.vaultproject.io/api/auth/ldap/index.html
"""
def configure(self, user_dn, group_dn, url='ldap://127.0.0.1', case_sensitive_names=False, starttls=False,
tls_min_version='tls12', tls_max_version='tls12', insecure_tls=False, certificate=None, bind_dn=None,
bind_pass=None, user_attr='cn', discover_dn=False, deny_null_bind=True, upn_domain=None,
group_filter=DEFAULT_GROUP_FILTER, group_attr='cn', mount_point=DEFAULT_MOUNT_POINT):
"""
Configure the LDAP auth method.
Supported methods:
POST: /auth/{mount_point}/config. Produces: 204 (empty body)
:param user_dn: Base DN under which to perform user search. Example: ou=Users,dc=example,dc=com
:type user_dn: str | unicode
:param group_dn: LDAP search base to use for group membership search. This can be the root containing either
groups or users. Example: ou=Groups,dc=example,dc=com
:type group_dn: str | unicode
:param url: The LDAP server to connect to. Examples: ldap://ldap.myorg.com, ldaps://ldap.myorg.com:636.
Multiple URLs can be specified with commas, e.g. ldap://ldap.myorg.com,ldap://ldap2.myorg.com; these will be
tried in-order.
:type url: str | unicode
:param case_sensitive_names: If set, user and group names assigned to policies within the backend will be case
sensitive. Otherwise, names will be normalized to lower case. Case will still be preserved when sending the
username to the LDAP server at login time; this is only for matching local user/group definitions.
:type case_sensitive_names: bool
:param starttls: If true, issues a StartTLS command after establishing an unencrypted connection.
:type starttls: bool
:param tls_min_version: Minimum TLS version to use. Accepted values are tls10, tls11 or tls12.
:type tls_min_version: str | unicode
:param tls_max_version: Maximum TLS version to use. Accepted values are tls10, tls11 or tls12.
:type tls_max_version: str | unicode
:param insecure_tls: If true, skips LDAP server SSL certificate verification - insecure, use with caution!
:type insecure_tls: bool
:param certificate: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded.
:type certificate: str | unicode
:param bind_dn: Distinguished name of object to bind when performing user search. Example:
cn=vault,ou=Users,dc=example,dc=com
:type bind_dn: str | unicode
:param bind_pass: Password to use along with binddn when performing user search.
:type bind_pass: str | unicode
:param user_attr: Attribute on user attribute object matching the username passed when authenticating. Examples:
sAMAccountName, cn, uid
:type user_attr: str | unicode
:param discover_dn: Use anonymous bind to discover the bind DN of a user.
:type discover_dn: bool
:param deny_null_bind: This option prevents users from bypassing authentication when providing an empty password.
:type deny_null_bind: bool
:param upn_domain: The userPrincipalDomain used to construct the UPN string for the authenticating user. The
constructed UPN will appear as [username]@UPNDomain. Example: example.com, which will cause vault to bind as
username@example.com.
:type upn_domain: str | unicode
:param group_filter: Go template used when constructing the group membership query. The template can access the
following context variables: [UserDN, Username]. The default is
`(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))`, which is compatible with several
common directory schemas. To support nested group resolution for Active Directory, instead use the following
query: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})).
:type group_filter: str | unicode
:param group_attr: LDAP attribute to follow on objects returned by groupfilter in order to enumerate user group
membership. Examples: for groupfilter queries returning group objects, use: cn. For queries returning user
objects, use: memberOf. The default is cn.
:type group_attr: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the configure request.
:rtype: requests.Response
"""
params = {
'userdn': user_dn,
'groupdn': group_dn,
'url': url,
'case_sensitive_names': case_sensitive_names,
'starttls': starttls,
'tls_min_version': tls_min_version,
'tls_max_version': tls_max_version,
'insecure_tls': insecure_tls,
'certificate': certificate,
'userattr': user_attr,
'discoverdn': discover_dn,
'deny_null_bind': deny_null_bind,
'groupfilter': group_filter,
'groupattr': group_attr,
}
# Fill out params dictionary with any optional parameters provided
if upn_domain is not None:
params['upndomain'] = upn_domain
if bind_dn is not None:
params['binddn'] = bind_dn
if bind_pass is not None:
params['bindpass'] = bind_pass
if certificate is not None:
params['certificate'] = certificate
api_path = '/v1/auth/{mount_point}/config'.format(mount_point=mount_point)
return self._adapter.post(
url=api_path,
json=params,
)
def read_configuration(self, mount_point=DEFAULT_MOUNT_POINT):
"""
Retrieve the LDAP configuration for the auth method.
Supported methods:
GET: /auth/{mount_point}/config. Produces: 200 application/json
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the read_configuration request.
:rtype: dict
"""
api_path = '/v1/auth/{mount_point}/config'.format(mount_point=mount_point)
response = self._adapter.get(
url=api_path,
)
return response.json()
def create_or_update_group(self, name, policies=None, mount_point=DEFAULT_MOUNT_POINT):
"""
Create or update LDAP group policies.
Supported methods:
POST: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
:param name: The name of the LDAP group
:type name: str | unicode
:param policies: List of policies associated with the group. This parameter is transformed to a comma-delimited
string before being passed to Vault.
:type policies: list
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the create_or_update_group request.
:rtype: requests.Response
"""
if policies is None:
policies = []
if not isinstance(policies, list):
error_msg = '"policies" argument must be an instance of list or None, "{policies_type}" provided.'.format(
policies_type=type(policies),
)
raise exceptions.ParamValidationError(error_msg)
params = {
'policies': ','.join(policies),
}
api_path = '/v1/auth/{mount_point}/groups/{name}'.format(
mount_point=mount_point,
name=name,
)
return self._adapter.post(
url=api_path,
json=params,
)
def list_groups(self, mount_point=DEFAULT_MOUNT_POINT):
"""
List existing LDAP existing groups that have been created in this auth method.
Supported methods:
LIST: /auth/{mount_point}/groups. Produces: 200 application/json
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the list_groups request.
:rtype: dict
"""
api_path = '/v1/auth/{mount_point}/groups'.format(mount_point=mount_point)
response = self._adapter.list(
url=api_path,
)
return response.json()
def read_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""
Read policies associated with a LDAP group.
Supported methods:
GET: /auth/{mount_point}/groups/{name}. Produces: 200 application/json
:param name: The name of the LDAP group
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the read_group request.
:rtype: dict
"""
params = {
'name': name,
}
api_path = '/v1/auth/{mount_point}/groups/{name}'.format(
mount_point=mount_point,
name=name,
)
response = self._adapter.get(
url=api_path,
json=params,
)
return response.json()
def delete_group(self, name, mount_point=DEFAULT_MOUNT_POINT):
"""
Delete a LDAP group and policy association.
Supported methods:
DELETE: /auth/{mount_point}/groups/{name}. Produces: 204 (empty body)
:param name: The name of the LDAP group
:type name: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the delete_group request.
:rtype: requests.Response
"""
api_path = '/v1/auth/{mount_point}/groups/{name}'.format(
mount_point=mount_point,
name=name,
)
return self._adapter.delete(
url=api_path,
)
def create_or_update_user(self, username, policies=None, groups=None, mount_point=DEFAULT_MOUNT_POINT):
"""
Create or update LDAP users policies and group associations.
Supported methods:
POST: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
:param username: The username of the LDAP user
:type username: str | unicode
:param policies: List of policies associated with the user. This parameter is transformed to a comma-delimited
string before being passed to Vault.
:type policies: str | unicode
:param groups: List of groups associated with the user. This parameter is transformed to a comma-delimited
string before being passed to Vault.
:type groups: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the create_or_update_user request.
:rtype: requests.Response
"""
if policies is None:
policies = []
if groups is None:
groups = []
list_required_params = {
'policies': policies,
'groups': groups,
}
for param_name, param_arg in list_required_params.items():
if not isinstance(param_arg, list):
error_msg = '"{param_name}" argument must be an instance of list or None, "{param_type}" provided.'.format(
param_name=param_name,
param_type=type(param_arg),
)
raise exceptions.ParamValidationError(error_msg)
params = {
'policies': ','.join(policies),
'groups': ','.join(groups),
}
api_path = '/v1/auth/{mount_point}/users/{username}'.format(
mount_point=mount_point,
username=username,
)
return self._adapter.post(
url=api_path,
json=params,
)
def list_users(self, mount_point=DEFAULT_MOUNT_POINT):
"""
List existing users in the method.
Supported methods:
LIST: /auth/{mount_point}/users. Produces: 200 application/json
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the list_users request.
:rtype: dict
"""
api_path = '/v1/auth/{mount_point}/users'.format(mount_point=mount_point)
response = self._adapter.list(
url=api_path,
)
return response.json()
def read_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
"""
Read policies associated with a LDAP user.
Supported methods:
GET: /auth/{mount_point}/users/{username}. Produces: 200 application/json
:param username: The username of the LDAP user
:type username: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The JSON response of the read_user request.
:rtype: dict
"""
api_path = '/v1/auth/{mount_point}/users/{username}'.format(
mount_point=mount_point,
username=username,
)
response = self._adapter.get(
url=api_path,
)
return response.json()
def delete_user(self, username, mount_point=DEFAULT_MOUNT_POINT):
"""
Delete a LDAP user and policy association.
Supported methods:
DELETE: /auth/{mount_point}/users/{username}. Produces: 204 (empty body)
:param username: The username of the LDAP user
:type username: str | unicode
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the delete_user request.
:rtype: requests.Response
"""
api_path = '/v1/auth/{mount_point}/users/{username}'.format(
mount_point=mount_point,
username=username,
)
return self._adapter.delete(
url=api_path,
)
def login(self, username, password, use_token=True, mount_point=DEFAULT_MOUNT_POINT):
"""
Log in with LDAP credentials.
Supported methods:
POST: /auth/{mount_point}/login/{username}. Produces: 200 application/json
:param username: The username of the LDAP user
:type username: str | unicode
:param password: The password for the LDAP user
:type password: str | unicode
:param use_token: if True, uses the token in the response received from the auth request to set the "token"
attribute on the the :py:meth:`hvac.adapters.Adapter` instance under the _adapater Client attribute.
:type use_token: bool
:param mount_point: The "path" the method/backend was mounted on.
:type mount_point: str | unicode
:return: The response of the login_with_user request.
:rtype: requests.Response
"""
params = {
'password': password,
}
api_path = '/v1/auth/{mount_point}/login/{username}'.format(
mount_point=mount_point,
username=username,
)
return self._adapter.login(
url=api_path,
use_token=use_token,
json=params,
)