mgoetz/ldap_account_manager
Archived
2
2
Fork 0
Code Issues 9 Pull Requests Releases 2 Wiki Activity

Implement cross realm user protection, Close #45

Browse Source
This commit is contained in:
Götz 2019-04-15 17:18:00 +02:00
parent 8bbe8c26d6
commit f0b819a5f8
3 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/account_manager/main_views.py
View File

@ -47,7 +47,7 @@ def realm_list(request):
realm_base_dn = re.compile('(uid=[a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(user.dn).group(3) realm_base_dn = re.compile('(uid=[a-zA-Z0-9_]*),(ou=[a-zA-Z_]*),(.*)').match(user.dn).group(3)
realm = Realm.objects.get(ldap_base_dn=realm_base_dn) realm = Realm.objects.get(ldap_base_dn=realm_base_dn)
return redirect('realm-user-detail', realm.id, user.dn) return redirect('user-detail', user.dn, realm.id )
except ObjectDoesNotExist as err: except ObjectDoesNotExist as err:
logger.info('Anmeldung fehlgeschlagen', err) logger.info('Anmeldung fehlgeschlagen', err)
return HttpResponse("Invalid login. Please try again.") return HttpResponse("Invalid login. Please try again.")

2
src/account_manager/urls.py
View File

@ -55,6 +55,8 @@ urlpatterns = [
name='realm-group-delete'), name='realm-group-delete'),
# User # User
path('user/<str:user_dn>/update/realm/<int:realm_id>/', user_views.user_detail,
name='user-detail'),
path('user/<str:user_dn>/update/realm/<int:realm_id>/', user_views.user_update, path('user/<str:user_dn>/update/realm/<int:realm_id>/', user_views.user_update,
name='user-update'), name='user-update'),
path('user/<str:user_dn>/delete/realm/<int:realm_id>/confirm/', path('user/<str:user_dn>/delete/realm/<int:realm_id>/confirm/',

35
src/account_manager/views/user_views.py
View File

@ -4,6 +4,7 @@ from django.contrib.auth.views import PasswordResetConfirmView, PasswordChangeVi
from django.contrib.sites.shortcuts import get_current_site from django.contrib.sites.shortcuts import get_current_site
from django.core.exceptions import ObjectDoesNotExist from django.core.exceptions import ObjectDoesNotExist
from django.shortcuts import render, redirect from django.shortcuts import render, redirect
from django.http import HttpResponse
from ldap import ALREADY_EXISTS, OBJECT_CLASS_VIOLATION from ldap import ALREADY_EXISTS, OBJECT_CLASS_VIOLATION
from account_helper.models import Realm from account_helper.models import Realm
from account_manager.forms import AddLDAPUserForm, UserDeleteListForm, UpdateLDAPUserForm, AdminUpdateLDAPUserForm, \ from account_manager.forms import AddLDAPUserForm, UserDeleteListForm, UpdateLDAPUserForm, AdminUpdateLDAPUserForm, \
@ -12,6 +13,18 @@ from account_manager.main_views import is_realm_admin
from account_manager.models import LdapUser, LdapGroup from account_manager.models import LdapUser, LdapGroup
def protect_cross_realm_user_access(view_func):
def decorator(request, *args, **kwargs):
realm_id = kwargs.get('realm_id', None)
user_dn = kwargs.get('user_dn', None)
if realm_id and user_dn and Realm.objects.get(id=realm_id).ldap_base_dn not in user_dn:
return HttpResponse("Ressource konnte nicht gefunden werden.", status=404)
return view_func(request, *args, **kwargs)
return decorator
@login_required @login_required
@is_realm_admin @is_realm_admin
def realm_user(request, realm_id): def realm_user(request, realm_id):
@ -32,17 +45,26 @@ def realm_user(request, realm_id):
@login_required @login_required
@is_realm_admin
@protect_cross_realm_user_access
def realm_user_detail(request, realm_id, user_dn): def realm_user_detail(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id) realm = Realm.objects.get(id=realm_id)
LdapUser.base_dn = realm.ldap_base_dn LdapUser.base_dn = realm.ldap_base_dn
user = LdapUser.objects.get(dn=user_dn)
LdapGroup.base_dn = LdapGroup.ROOT_DN LdapGroup.base_dn = LdapGroup.ROOT_DN
user = LdapUser.objects.get(dn=user_dn)
groups = LdapGroup.objects.filter(members=user.dn) groups = LdapGroup.objects.filter(members=user.dn)
if realm_id and (request.user.is_superuser or len(
Realm.objects.filter(id=realm_id).filter(
admin_group__user__username__contains=request.user.username)) > 0):
return render(request, 'user/realm_user_detail.jinja2', {'user': user, 'groups': groups, 'realm': realm}) return render(request, 'user/realm_user_detail.jinja2', {'user': user, 'groups': groups, 'realm': realm})
else:
@login_required
def user_detail(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id)
LdapUser.base_dn = realm.ldap_base_dn
LdapGroup.base_dn = LdapGroup.ROOT_DN
user = LdapUser.objects.get(dn=user_dn)
groups = LdapGroup.objects.filter(members=user.dn)
return render(request, 'user/user_detail.jinja2', {'user': user, 'groups': groups, 'realm': realm}) return render(request, 'user/user_detail.jinja2', {'user': user, 'groups': groups, 'realm': realm})
@ -87,6 +109,7 @@ def user_add(request, realm_id):
@login_required @login_required
@is_realm_admin @is_realm_admin
@protect_cross_realm_user_access
def realm_user_update(request, realm_id, user_dn): def realm_user_update(request, realm_id, user_dn):
realm_obj = Realm.objects.get(id=realm_id) realm_obj = Realm.objects.get(id=realm_id)
LdapUser.base_dn = f'ou=people,{realm_obj.ldap_base_dn}' LdapUser.base_dn = f'ou=people,{realm_obj.ldap_base_dn}'
@ -107,6 +130,7 @@ def realm_user_update(request, realm_id, user_dn):
@login_required @login_required
@is_realm_admin @is_realm_admin
@protect_cross_realm_user_access
def realm_user_delete(request, realm_id, user_dn): def realm_user_delete(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id) realm = Realm.objects.get(id=realm_id)
LdapUser.base_dn = f'ou=people,{realm.ldap_base_dn}' LdapUser.base_dn = f'ou=people,{realm.ldap_base_dn}'
@ -129,6 +153,7 @@ def realm_user_delete(request, realm_id, user_dn):
@login_required @login_required
@is_realm_admin @is_realm_admin
@protect_cross_realm_user_access
def realm_user_delete_confirm(request, realm_id, user_dn): def realm_user_delete_confirm(request, realm_id, user_dn):
realm = Realm.objects.get(id=realm_id) realm = Realm.objects.get(id=realm_id)
LdapUser.base_dn = f'ou=people,{realm.ldap_base_dn}' LdapUser.base_dn = f'ou=people,{realm.ldap_base_dn}'