From 9bd51c650bde1c049184fea174054cf5b55cb2f0 Mon Sep 17 00:00:00 2001
From: Ozzieisaacs
Date: Fri, 20 Nov 2020 19:47:50 +0100
Subject: [PATCH] Add config options for client certificate authentication

---
 cps/admin.py | 8 ++++++--
 cps/config_sql.py | 2 ++
 cps/services/simpleldap.py | 27 ++++++++++++++++++++++++---
 cps/templates/admin.html | 1 -
 cps/templates/config_edit.html | 23 ++++++++++++++++++++---
 5 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/cps/admin.py b/cps/admin.py
index 786c2281..85053489 100644
--- a/cps/admin.py
+++ b/cps/admin.py
@@ -572,7 +572,9 @@ def _configuration_ldap_helper(to_save, gdriveError):
 reboot_required |= _config_string(to_save, "config_ldap_group_members_field")
 reboot_required |= _config_checkbox(to_save, "config_ldap_openldap")
 reboot_required |= _config_int(to_save, "config_ldap_encryption")
+ reboot_required |= _config_string(to_save, "config_ldap_cacert_path")
 reboot_required |= _config_string(to_save, "config_ldap_cert_path")
+ reboot_required |= _config_string(to_save, "config_ldap_key_path")
 _config_string(to_save, "config_ldap_group_name")
 if "config_ldap_serv_password" in to_save and to_save["config_ldap_serv_password"] != "":
 reboot_required |= 1
@@ -612,9 +614,11 @@ def _configuration_ldap_helper(to_save, gdriveError):
 return reboot_required, _configuration_result(_('LDAP User Object Filter Has Unmatched Parenthesis'),
 gdriveError)
- if config.config_ldap_cert_path and not os.path.isfile(config.config_ldap_cert_path):
+ if config.config_ldap_cacert_path and not (os.path.isfile(config.config_ldap_cacert_path)
+ or os.path.isfile(config.config_ldap_cacert_path)
+ or os.path.isfile(config.config_ldap_key_path)):
 return reboot_required, \
- _configuration_result(_('LDAP Certificate Location is not Valid, Please Enter Correct Path'),
+ _configuration_result(_('LDAP CACertificate, Certificate or Key Location is not Valid, Please Enter Correct Path'),
 gdriveError)
 return reboot_required, None
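Review bot: The path check in the second hunk of `_configuration_ldap_helper` never validates `config_ldap_cert_path` and tests `config_ldap_cacert_path` twice, and because the three `isfile` results are joined with `or`, a single existing file lets a missing certificate or key pass validation; the whole check is also skipped when only a client certificate and key are configured without a CA file. Each configured path should be validated on its own so that a mistyped path is reported before the settings are saved, instead of surfacing later as a failed LDAP connection. The first hunk, which stores the three paths, is unaffected. `_configuration_ldap_helper` starts outside the hunk.
```python
    # … unchanged: user object filter parenthesis check …
    for cert_path in (config.config_ldap_cacert_path, config.config_ldap_cert_path, config.config_ldap_key_path):
        # every configured TLS file must exist; an empty string means "not configured"
        if cert_path and not os.path.isfile(cert_path):
            return reboot_required, \
                _configuration_result(_('LDAP CACertificate, Certificate or Key Location is not Valid, Please Enter Correct Path'),
                                      gdriveError)
    return reboot_required, None
```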
diff --git a/cps/config_sql.py b/cps/config_sql.py
index 9dcb4528..7363e75c 100644
--- a/cps/config_sql.py
+++ b/cps/config_sql.py
@@ -108,7 +108,9 @@ class _Settings(_Base):
 config_ldap_serv_username = Column(String, default='cn=admin,dc=example,dc=org')
 config_ldap_serv_password = Column(String, default="")
 config_ldap_encryption = Column(SmallInteger, default=0)
+ config_ldap_cacert_path = Column(String, default="")
 config_ldap_cert_path = Column(String, default="")
+ config_ldap_key_path = Column(String, default="")
 config_ldap_dn = Column(String, default='dc=example,dc=org')
 config_ldap_user_object = Column(String, default='uid=%s')
 config_ldap_openldap = Column(Boolean, default=True)
diff --git a/cps/services/simpleldap.py b/cps/services/simpleldap.py
index 336b0f2c..4e2ce2d1 100644
--- a/cps/services/simpleldap.py
+++ b/cps/services/simpleldap.py
@@ -20,7 +20,7 @@ from __future__ import division, print_function, unicode_literals
 import base64
 from flask_simpleldap import LDAP, LDAPException
-
+from flask_simpleldap import ldap as pyLDAP
 from .. import constants, logger
 try:
@@ -54,8 +54,16 @@ def init_app(app, config):
 app.config['LDAP_USERNAME'] = ""
 app.config['LDAP_PASSWORD'] = base64.b64decode("")
 if bool(config.config_ldap_cert_path):
- app.config['LDAP_REQUIRE_CERT'] = True
- app.config['LDAP_CERT_PATH'] = config.config_ldap_cert_path
+ # app.config['LDAP_REQUIRE_CERT'] = True
+ # app.config['LDAP_CERT_PATH'] = config.config_ldap_cert_path
+ app.config['LDAP_CUSTOM_OPTIONS'] = {
+ pyLDAP.OPT_X_TLS_REQUIRE_CERT: pyLDAP.OPT_X_TLS_DEMAND,
+ pyLDAP.OPT_X_TLS_CACERTFILE: config.config_ldap_cacert_path,
+ pyLDAP.OPT_X_TLS_CERTFILE: config.config_ldap_cert_path,
+ pyLDAP.OPT_X_TLS_KEYFILE: config.config_ldap_key_path,
+ pyLDAP.OPT_X_TLS_NEWCTX: 0
+ }
+
 app.config['LDAP_BASE_DN'] = config.config_ldap_dn
 app.config['LDAP_USER_OBJECT_FILTER'] = config.config_ldap_user_object
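Review bot: `from flask_simpleldap import ldap as pyLDAP` in the import hunk binds the `ldap` module through flask_simpleldap's namespace, which works only as long as that package happens to import `ldap` at module level and is not part of its documented interface. Since the constants used below (`OPT_X_TLS_REQUIRE_CERT`, `OPT_X_TLS_NEWCTX`, …) belong to python-ldap itself, the explicit `import ldap as pyLDAP` is the durable form and makes the dependency visible to anyone reading the imports.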
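Review bot: The TLS options in `init_app` are applied only when `config_ldap_cert_path` is set, so an administrator who configures just a CA certificate to verify the server gets neither `OPT_X_TLS_CACERTFILE` nor `OPT_X_TLS_REQUIRE_CERT`, and the library defaults decide whether the server certificate is checked at all; the gate should be `if config.config_ldap_cacert_path or config.config_ldap_cert_path or config.config_ldap_key_path:`, and only non-empty paths should be passed rather than `""` for a file option the administrator left blank. `OPT_X_TLS_NEWCTX: 0` takes effect only when it is applied after the other TLS options; the file still targets Python 2 (`from __future__` import at the top of the previous hunk), where dict iteration order is not guaranteed, so if flask_simpleldap applies `LDAP_CUSTOM_OPTIONS` by iterating the dict the certificate options may be silently ignored on some runs — worth confirming against the library and documenting with a comment such as `# OPT_X_TLS_NEWCTX must be set last so the options above are picked up`. The two commented-out `LDAP_REQUIRE_CERT`/`LDAP_CERT_PATH` lines are dead code and should be removed rather than kept. `init_app` starts and ends outside the hunk.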
@@ -65,8 +73,21 @@ def init_app(app, config):
 app.config['LDAP_GROUP_OBJECT_FILTER'] = config.config_ldap_group_object_filter
 app.config['LDAP_GROUP_MEMBERS_FIELD'] = config.config_ldap_group_members_field
+
 try:
 _ldap.init_app(app)
+ except ValueError:
+ if bool(config.config_ldap_cert_path):
+ app.config['LDAP_CUSTOM_OPTIONS'] = {
+ pyLDAP.OPT_X_TLS_REQUIRE_CERT: pyLDAP.OPT_X_TLS_DEMAND,
+ pyLDAP.OPT_X_TLS_CACERTFILE: config.config_ldap_cacert_path,
+ pyLDAP.OPT_X_TLS_CERTFILE: config.config_ldap_cert_path,
+ pyLDAP.OPT_X_TLS_KEYFILE: config.config_ldap_key_path,
+ }
+ try:
+ _ldap.init_app(app)
+ except RuntimeError as e:
+ log.error(e)
 except RuntimeError as e:
 log.error(e)
diff --git a/cps/templates/admin.html b/cps/templates/admin.html
index 0e495030..e014935b 100644
--- a/cps/templates/admin.html
+++ b/cps/templates/admin.html
@@ -44,7 +44,6 @@
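Review bot: The new `except ValueError:` branch in `init_app` discards the exception without logging when `config_ldap_cert_path` is empty, so a `ValueError` raised by `_ldap.init_app` leaves LDAP login broken with no trace in the log; bind and log it (`except ValueError as e:` / `log.error(e)`) before deciding whether to retry. The retry re-declares the option dict from the previous hunk minus `OPT_X_TLS_NEWCTX`, which invites the two copies to drift apart; building it once in a small helper with a `new_ctx` flag keeps them in sync. Whether options applied without a fresh TLS context take effect is not visible from here, so the fallback deserves a comment naming the python-ldap/OpenLDAP condition it works around. `init_app` starts outside the hunk.
```python
def _tls_options(config, new_ctx):
    """Return python-ldap TLS options for the configured CA file, client cert and key."""
    options = {
        pyLDAP.OPT_X_TLS_REQUIRE_CERT: pyLDAP.OPT_X_TLS_DEMAND,
        pyLDAP.OPT_X_TLS_CACERTFILE: config.config_ldap_cacert_path,
        pyLDAP.OPT_X_TLS_CERTFILE: config.config_ldap_cert_path,
        pyLDAP.OPT_X_TLS_KEYFILE: config.config_ldap_key_path,
    }
    if new_ctx:
        options[pyLDAP.OPT_X_TLS_NEWCTX] = 0
    return options

    # … unchanged: init_app up to the LDAP_GROUP_MEMBERS_FIELD assignment …
    try:
        _ldap.init_app(app)
    except ValueError as e:
        log.error(e)
        if bool(config.config_ldap_cert_path):
            # retry without OPT_X_TLS_NEWCTX — TODO(review): document which library version needs this
            app.config['LDAP_CUSTOM_OPTIONS'] = _tls_options(config, new_ctx=False)
            try:
                _ldap.init_app(app)
            except RuntimeError as e:
                log.error(e)
    except RuntimeError as e:
        log.error(e)
```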
{{_('Add New User')}}
{% if (config.config_login_type == 1) %}
{{_('Import LDAP Users')}}
- {% endif %} diff --git a/cps/templates/config_edit.html b/cps/templates/config_edit.html index 132db5cf..89e97ee5 100644 --- a/cps/templates/config_edit.html +++ b/cps/templates/config_edit.html @@ -15,8 +15,8 @@
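Review bot: The hunk removes `{% endif %}` while the `{% if (config.config_login_type == 1) %}` two lines above remains as context, which leaves that block unclosed unless another `endif` outside the hunk already closes it; the markup has been stripped from this rendering, so this cannot be confirmed here and should be checked against the full template. Jinja rejects an unclosed `if` at render time, which would break the whole admin page rather than just change what the block shows.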
+
- @@ -264,9 +264,26 @@
-
- + +
+ + + + +
+ +
+ + + +
+ +
+ + + +