From 54c4f4018815056ee7ba14bab1942b2fbd927a63 Mon Sep 17 00:00:00 2001
From: ground7 <ground7@gmail.com>
Date: Fri, 27 Dec 2019 23:12:18 -0700
Subject: [PATCH] added LDAP import

update defaults
---
 cps/admin.py                   |  19 +++---
 cps/config_sql.py              |  15 +++--
 cps/services/simpleldap.py     |  17 ++++-
 cps/templates/admin.html       |  18 +++++-
 cps/templates/config_edit.html | 114 ++++++++++++++++++---------------
 cps/web.py                     |  27 +++++++-
 6 files changed, 142 insertions(+), 68 deletions(-)

diff --git a/cps/admin.py b/cps/admin.py
index 57796080..6ed48785 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -44,7 +44,7 @@ from .gdriveutils import is_gdrive_ready, gdrive_support
 from .web import admin_required, render_title_template, before_request, unconfigured, login_required_if_no_ano
 
 feature_support = {
-        'ldap': False, # bool(services.ldap),
+        'ldap': bool(services.ldap),
         'goodreads': bool(services.goodreads_support)
     }
 
@@ -326,13 +326,16 @@ def _configuration_update_helper():
             return _configuration_result('Please enter a LDAP service account and password', gdriveError)
         config.set_from_dictionary(to_save, "config_ldap_serv_password", base64.b64encode)
 
-    _config_checkbox("config_ldap_use_ssl")
-    _config_checkbox("config_ldap_use_tls")
-    _config_checkbox("config_ldap_openldap")
-    _config_checkbox("config_ldap_require_cert")
-    _config_string("config_ldap_cert_path")
-    if config.config_ldap_cert_path and not os.path.isfile(config.config_ldap_cert_path):
-        return _configuration_result('LDAP Certfile location is not valid, please enter correct path', gdriveError)
+        _config_string("config_ldap_group_object_filter")
+        _config_string("config_ldap_group_members_field")
+        _config_string("config_ldap_group_name")
+        _config_checkbox("config_ldap_use_ssl")
+        _config_checkbox("config_ldap_use_tls")
+        _config_checkbox("config_ldap_openldap")
+        _config_checkbox("config_ldap_require_cert")
+        _config_string("config_ldap_cert_path")
+        if config.config_ldap_cert_path and not os.path.isfile(config.config_ldap_cert_path):
+            return _configuration_result('LDAP Certfile location is not valid, please enter correct path', gdriveError)
 
     # Remote login configuration
     _config_checkbox("config_remote_login")
diff --git a/cps/config_sql.py b/cps/config_sql.py
index 809e97d8..fcffc3bc 100644
--- a/cps/config_sql.py
+++ b/cps/config_sql.py
@@ -37,6 +37,8 @@ _Base = declarative_base()
 class _Settings(_Base):
     __tablename__ = 'settings'
 
+    config_is_initial = Column(Boolean, default=True)
+    
     id = Column(Integer, primary_key=True)
     mail_server = Column(String, default='mail.example.org')
     mail_port = Column(Integer, default=25)
@@ -86,18 +88,21 @@ class _Settings(_Base):
 
     # config_oauth_provider = Column(Integer)
 
-    config_ldap_provider_url = Column(String, default='localhost')
+    config_ldap_provider_url = Column(String, default='example.org')
     config_ldap_port = Column(SmallInteger, default=389)
     config_ldap_schema = Column(String, default='ldap')
-    config_ldap_serv_username = Column(String)
+    config_ldap_serv_username = Column(String, default='cn=admin,dc=example,dc=org')
     config_ldap_serv_password = Column(String)
     config_ldap_use_ssl = Column(Boolean, default=False)
     config_ldap_use_tls = Column(Boolean, default=False)
     config_ldap_require_cert = Column(Boolean, default=False)
     config_ldap_cert_path = Column(String)
-    config_ldap_dn = Column(String)
-    config_ldap_user_object = Column(String)
-    config_ldap_openldap = Column(Boolean, default=False)
+    config_ldap_dn = Column(String, default='dc=example,dc=org')
+    config_ldap_user_object = Column(String, default='uid=%s')
+    config_ldap_openldap = Column(Boolean, default=True)
+    config_ldap_group_object_filter = Column(String, default='(&(objectclass=posixGroup)(cn=%s))')
+    config_ldap_group_members_field = Column(String, default='memberUid')
+    config_ldap_group_name = Column(String, default='calibreweb')
 
     config_ebookconverter = Column(Integer, default=0)
     config_converterpath = Column(String)
diff --git a/cps/services/simpleldap.py b/cps/services/simpleldap.py
index 42a9aacd..03f9704c 100644
--- a/cps/services/simpleldap.py
+++ b/cps/services/simpleldap.py
@@ -35,8 +35,7 @@ def init_app(app, config):
     app.config['LDAP_HOST'] = config.config_ldap_provider_url
     app.config['LDAP_PORT'] = config.config_ldap_port
     app.config['LDAP_SCHEMA'] = config.config_ldap_schema
-    app.config['LDAP_USERNAME'] = config.config_ldap_user_object.replace('%s', config.config_ldap_serv_username)\
-                                  + ',' + config.config_ldap_dn
+    app.config['LDAP_USERNAME'] = config.config_ldap_serv_username
     app.config['LDAP_PASSWORD'] = base64.b64decode(config.config_ldap_serv_password)
     app.config['LDAP_REQUIRE_CERT'] = bool(config.config_ldap_require_cert)
     if config.config_ldap_require_cert:
@@ -46,17 +45,29 @@ def init_app(app, config):
     app.config['LDAP_USE_SSL'] = bool(config.config_ldap_use_ssl)
     app.config['LDAP_USE_TLS'] = bool(config.config_ldap_use_tls)
     app.config['LDAP_OPENLDAP'] = bool(config.config_ldap_openldap)
+    app.config['LDAP_GROUP_OBJECT_FILTER'] = config.config_ldap_group_object_filter
+    app.config['LDAP_GROUP_MEMBERS_FIELD'] = config.config_ldap_group_members_field
 
     _ldap.init_app(app)
 
 
+def get_object_details(user=None, group=None, query_filter=None, dn_only=False):
+    return _ldap.get_object_details(user, group, query_filter, dn_only)
+
+
+def bind():
+    return _ldap.bind()
+
+
+def get_group_members(group):
+    return _ldap.get_group_members(group)
+
 
 def basic_auth_required(func):
     return _ldap.basic_auth_required(func)
 
 
 def bind_user(username, password):
-    # ulf= _ldap.get_object_details('admin')
     '''Attempts a LDAP login.
 
     :returns: True if login succeeded, False if login failed, None if server unavailable.
diff --git a/cps/templates/admin.html b/cps/templates/admin.html
index 17b84f34..ef60ab33 100644
--- a/cps/templates/admin.html
+++ b/cps/templates/admin.html
@@ -32,7 +32,11 @@
           {% endif %}
         {% endfor %}
       </table>
-      <div class="btn btn-default" id="admin_new_user"><a href="{{url_for('admin.new_user')}}">{{_('Add new user')}}</a></div>
+      {% if not (config.config_login_type == 1) %}
+        <div class="btn btn-default" id="admin_new_user"><a href="{{url_for('admin.new_user')}}">{{_('Add new user')}}</a></div>
+      {% else %}
+        <a href=# id=import_ldap_users name=import_ldap_users><button type="submit" class="btn btn-default">{{_('Import LDAP Users')}}</button></a>
+      {% endif %}
     </div>
   </div>
 
@@ -190,3 +194,15 @@
   </div>
 </div>
 {% endblock %}
+{% block js %}
+<script type="text/javascript">
+    $(function() {
+        $('a#import_ldap_users').bind('click', function() {
+            $.getJSON('/import_ldap_users',
+                function(data) {}
+            );
+            location.reload();
+        });
+    });
+</script>
+{% endblock %}
diff --git a/cps/templates/config_edit.html b/cps/templates/config_edit.html
index 85b9598e..88d2631d 100644
--- a/cps/templates/config_edit.html
+++ b/cps/templates/config_edit.html
@@ -186,6 +186,7 @@
       </div>
     </div>
     {% endif %}
+    {% if not config.config_is_initial %}
     {% if feature_support['ldap'] or feature_support['oauth'] %}
       <div class="form-group">
         <label for="config_login_type">{{_('Login type')}}</label>
@@ -199,59 +200,71 @@
            {% endif %}
         </select>
       </div>
-        {% if feature_support['ldap'] %}
-       <div data-related="login-settings-1">
-        <div class="form-group">
-          <label for="config_ldap_provider_url">{{_('LDAP Server Host Name or IP Address')}}</label>
-          <input type="text" class="form-control" id="config_ldap_provider_url" name="config_ldap_provider_url" value="{% if config.config_ldap_provider_url != None %}{{ config.config_ldap_provider_url }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <label for="config_ldap_port">{{_('LDAP Server Port')}}</label>
-          <input type="text" class="form-control" id="config_ldap_port" name="config_ldap_port" value="{% if config.config_ldap_port != None %}{{ config.config_ldap_port }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <label for="config_ldap_schema">{{_('LDAP schema (ldap or ldaps)')}}</label>
-          <input type="text" class="form-control" id="config_ldap_schema" name="config_ldap_schema" value="{% if config.config_ldap_schema != None %}{{ config.config_ldap_schema }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <label for="config_ldap_serv_username">{{_('LDAP Admin username')}}</label>
-          <input type="text" class="form-control" id="config_ldap_serv_username" name="config_ldap_serv_username" value="{% if config.config_ldap_serv_username != None %}{{ config.config_ldap_serv_username }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <label for="config_ldap_serv_password">{{_('LDAP Admin password')}}</label>
-          <input type="password" class="form-control" id="config_ldap_serv_password" name="config_ldap_serv_password" value="{% if config.config_ldap_serv_password != None %}{{ config.config_ldap_serv_password }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <input type="checkbox" id="config_ldap_use_ssl" name="config_ldap_use_ssl" {% if config.config_ldap_use_ssl %}checked{% endif %}>
-          <label for="config_ldap_use_ssl">{{_('LDAP Server use SSL')}}</label>
-        </div>
-        <div class="form-group">
-          <input type="checkbox" id="config_ldap_use_tls" name="config_ldap_use_tls" {% if config.config_ldap_use_tls %}checked{% endif %}>
-          <label for="config_ldap_use_tls">{{_('LDAP Server use TLS')}}</label>
-        </div>
-        <div class="form-group">
-          <input type="checkbox" id="config_ldap_require_cert" name="config_ldap_require_cert" data-control="ldap-cert-settings" {% if config.config_ldap_require_cert %}checked{% endif %}>
-          <label for="config_ldap_require_cert">{{_('LDAP Server Certificate')}}</label>
-        </div>
-        <div data-related="ldap-cert-settings">
+      {% if feature_support['ldap'] %}
+          <div data-related="login-settings-1">
           <div class="form-group">
-            <label for="config_ldap_cert_path">{{_('LDAP SSL Certificate Path')}}</label>
-            <input type="text" class="form-control" id="config_ldap_cert_path" name="config_ldap_cert_path" value="{% if config.config_ldap_cert_path != None and config.config_ldap_require_cert !=None %}{{ config.config_ldap_cert_path }}{% endif %}" autocomplete="off">
+            <label for="config_ldap_provider_url">{{_('LDAP Server Host Name or IP Address')}}</label>
+            <input type="text" class="form-control" id="config_ldap_provider_url" name="config_ldap_provider_url" value="{% if config.config_ldap_provider_url != None %}{{ config.config_ldap_provider_url }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_port">{{_('LDAP Server Port')}}</label>
+            <input type="text" class="form-control" id="config_ldap_port" name="config_ldap_port" value="{% if config.config_ldap_port != None %}{{ config.config_ldap_port }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_schema">{{_('LDAP schema (ldap or ldaps)')}}</label>
+            <input type="text" class="form-control" id="config_ldap_schema" name="config_ldap_schema" value="{% if config.config_ldap_schema != None %}{{ config.config_ldap_schema }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_serv_username">{{_('LDAP Admin username')}}</label>
+            <input type="text" class="form-control" id="config_ldap_serv_username" name="config_ldap_serv_username" value="{% if config.config_ldap_serv_username != None %}{{ config.config_ldap_serv_username }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_serv_password">{{_('LDAP Admin password')}}</label>
+            <input type="password" class="form-control" id="config_ldap_serv_password" name="config_ldap_serv_password" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <input type="checkbox" id="config_ldap_use_ssl" name="config_ldap_use_ssl" {% if config.config_ldap_use_ssl %}checked{% endif %}>
+            <label for="config_ldap_use_ssl">{{_('LDAP Server use SSL')}}</label>
+          </div>
+          <div class="form-group">
+            <input type="checkbox" id="config_ldap_use_tls" name="config_ldap_use_tls" {% if config.config_ldap_use_tls %}checked{% endif %}>
+            <label for="config_ldap_use_tls">{{_('LDAP Server use TLS')}}</label>
+          </div>
+          <div class="form-group">
+            <input type="checkbox" id="config_ldap_require_cert" name="config_ldap_require_cert" data-control="ldap-cert-settings" {% if config.config_ldap_require_cert %}checked{% endif %}>
+            <label for="config_ldap_require_cert">{{_('LDAP Server Certificate')}}</label>
+          </div>
+          <div data-related="ldap-cert-settings">
+            <div class="form-group">
+              <label for="config_ldap_cert_path">{{_('LDAP SSL Certificate Path')}}</label>
+              <input type="text" class="form-control" id="config_ldap_cert_path" name="config_ldap_cert_path" value="{% if config.config_ldap_cert_path != None and config.config_ldap_require_cert !=None %}{{ config.config_ldap_cert_path }}{% endif %}" autocomplete="off">
+            </div>
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_dn">{{_('LDAP Distinguished Name (DN)')}}</label>
+            <input type="text" class="form-control" id="config_ldap_dn" name="config_ldap_dn" value="{% if config.config_ldap_dn != None %}{{ config.config_ldap_dn }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_user_object">{{_('LDAP User object filter')}}</label>
+            <input type="text" class="form-control" id="config_ldap_user_object" name="config_ldap_user_object" value="{% if config.config_ldap_user_object != None %}{{ config.config_ldap_user_object }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <input type="checkbox" id="config_ldap_openldap" name="config_ldap_openldap" {% if config.config_ldap_openldap %}checked{% endif %}>
+            <label for="config_ldap_openldap">{{_('LDAP Server is OpenLDAP?')}}</label>
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_group_object_filter">{{_('LDAP Group Object Filter')}}</label>
+            <input type="text" class="form-control" id="config_ldap_group_object_filter" name="config_ldap_group_object_filter" value="{% if config.config_ldap_group_object_filter != None %}{{ config.config_ldap_group_object_filter }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_group_members_field">{{_('LDAP Group Members Field')}}</label>
+            <input type="text" class="form-control" id="config_ldap_group_members_field" name="config_ldap_group_members_field" value="{% if config.config_ldap_group_members_field != None %}{{ config.config_ldap_group_members_field }}{% endif %}" autocomplete="off">
+          </div>
+          <div class="form-group">
+            <label for="config_ldap_group_name">{{_('LDAP Group Name')}}</label>
+            <input type="text" class="form-control" id="config_ldap_group_name" name="config_ldap_group_name" value="{% if config.config_ldap_group_name != None %}{{ config.config_ldap_group_name }}{% endif %}" autocomplete="off">
           </div>
         </div>
-        <div class="form-group">
-          <label for="config_ldap_dn">{{_('LDAP Distinguished Name (DN)')}}</label>
-          <input type="text" class="form-control" id="config_ldap_dn" name="config_ldap_dn" value="{% if config.config_ldap_dn != None %}{{ config.config_ldap_dn }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <label for="config_ldap_user_object">{{_('LDAP User object filter')}}</label>
-          <input type="text" class="form-control" id="config_ldap_user_object" name="config_ldap_user_object" value="{% if config.config_ldap_user_object != None %}{{ config.config_ldap_user_object }}{% endif %}" autocomplete="off">
-        </div>
-        <div class="form-group">
-          <input type="checkbox" id="config_ldap_openldap" name="config_ldap_openldap" {% if config.config_ldap_openldap %}checked{% endif %}>
-          <label for="config_ldap_openldap">{{_('LDAP Server is OpenLDAP?')}}</label>
-        </div>
-      </div>
       {% endif %}
       {% if feature_support['oauth'] %}
         <div data-related="login-settings-2">
@@ -270,6 +283,7 @@
         {% endfor %}
         </div>
       {% endif %}
+      {% endif %}
     {% endif %}
       </div>
     </div>
diff --git a/cps/web.py b/cps/web.py
index 572ac969..e55cfc7d 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -54,7 +54,7 @@ from .pagination import Pagination
 from .redirect import redirect_back
 
 feature_support = {
-        'ldap': False, # bool(services.ldap),
+        'ldap': bool(services.ldap),
         'goodreads': bool(services.goodreads_support)
     }
 
@@ -253,6 +253,29 @@ def before_request():
         return redirect(url_for('admin.basic_configuration'))
 
 
+@app.route('/import_ldap_users')
+def import_ldap_users():
+    new_users = services.ldap.get_group_members(config.config_ldap_group_name)
+    for username in new_users:
+        user_data = services.ldap.get_object_details(user=username, group=None, query_filter=None, dn_only=False)
+        content = ub.User()
+        content.nickname = username
+        content.password = username # dummy password which will be replaced by ldap one
+        content.email = user_data['mail'][0]
+        if (len(user_data['mail']) > 1):
+            content.kindle_mail = user_data['mail'][1]
+        content.role = config.config_default_role
+        content.sidebar_view = config.config_default_show
+        content.mature_content = bool(config.config_default_show & constants.MATURE_CONTENT)
+        ub.session.add(content)
+        try:
+            ub.session.commit()
+        except Exception as e:
+            log.warning("Failed to create LDAP user: %s - %s", username, e)
+            ub.session.rollback()
+    return ""
+
+    
 # ################################### data provider functions #########################################################
 
 
@@ -1155,10 +1178,12 @@ def login():
                 if user and check_password_hash(str(user.password), form['password']) and user.nickname != "Guest":
                     login_user(user, remember=True)
                     flash(_(u"You are now logged in as: '%(nickname)s'", nickname=user.nickname), category="success")
+                    config.config_is_initial = False
                     return redirect_back(url_for("web.index"))
                 else:
                     log.info('Login failed for user "%s" IP-adress: %s', form['username'], ipAdress)
                     flash(_(u"Wrong Username or Password"), category="error")
+    
     settings = config.get_mail_settings()
     mail_configured = bool(settings.get("mail_server", "mail.example.org") != "mail.example.org")