Sign upLogin

OCA/server-tools

View on GitHub
Star
users_ldap_groups/models/users_ldap_groups.py

Summary

Maintainability
A
1 hr
Test Coverage
# -*- coding: utf-8 -*-
##############################################################################
#
#    OpenERP, Open Source Management Solution
#    This module copyright (C) 2012 Therp BV (<http://therp.nl>).
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as
#    published by the Free Software Foundation, either version 3 of the
#    License, or (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.
#
#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
##############################################################################

import logging
from openerp import models
from openerp import fields
from openerp import api
from string import Template


_logger = logging.getLogger(__name__)


class LDAPOperator(models.AbstractModel):
    _name = "res.company.ldap.operator"

    def operators(self):
        return ('contains', 'equals', 'query')

    def contains(self, ldap_entry, attribute, value, ldap_config, company):
        return (attribute in ldap_entry[1]) and \
            (value in ldap_entry[1][attribute])

    def equals(self, ldap_entry, attribute, value, ldap_config, company):
        return attribute in ldap_entry[1] and \
            unicode(value) == unicode(ldap_entry[1][attribute])

    def query(self, ldap_entry, attribute, value, ldap_config, company):
        query_string = Template(value).safe_substitute(dict(
            [(attr, ldap_entry[1][attr][0]) for attr in ldap_entry[1]]
            )
        )
        _logger.debug('evaluating query group mapping, filter: %s' %
                      query_string)
        results = company.query(ldap_config, query_string)
        _logger.debug(results)
        return bool(results)


class CompanyLDAPGroupMapping(models.Model):

    _name = 'res.company.ldap.group_mapping'
    _rec_name = 'ldap_attribute'
    _order = 'ldap_attribute'

    def _get_operators(self):
        op_obj = self.env['res.company.ldap.operator']
        operators = [(op, op) for op in op_obj.operators()]
        return tuple(operators)

    ldap_id = fields.Many2one('res.company.ldap', 'LDAP server', required=True)
    ldap_attribute = fields.Char(
        'LDAP attribute',
        help='The LDAP attribute to check.\n'
             'For active directory, use memberOf.')
    operator = fields.Selection(
        _get_operators, 'Operator',
        help='The operator to check the attribute against the value\n'
        'For active directory, use \'contains\'', required=True)
    value = fields.Char(
        'Value',
        help='The value to check the attribute against.\n'
        'For active directory, use the dn of the desired group',
        required=True)
    group = fields.Many2one(
        'res.groups', 'OpenERP group',
        help='The OpenERP group to assign', required=True)


class CompanyLDAP(models.Model):
    _inherit = 'res.company.ldap'

    group_mappings = fields.One2many(
        'res.company.ldap.group_mapping',
        'ldap_id', 'Group mappings',
        help='Define how OpenERP groups are assigned to ldap users')
    only_ldap_groups = fields.Boolean(
        'Only ldap groups',
        help='If this is checked, manual changes to group membership are '
             'undone on every login (so OpenERP groups are always synchronous '
             'with LDAP groups). If not, manually added groups are preserved.')

    _default = {
        'only_ldap_groups': False,
    }

    def map_groups(self, user_id, ldap_config, ldap_entry):

        user_obj = self.env['res.users']
        operator_obj = self.env['res.company.ldap.operator']

        user = user_obj.browse(user_id)
        if self.only_ldap_groups:
            _logger.debug('deleting all groups from user %d' % user_id)
            user.write({'groups_id': [(5, )]})

        for mapping in self.group_mappings:
            operator = getattr(operator_obj, mapping.operator)
            _logger.debug('checking mapping %s' % mapping)
            if operator(ldap_entry, mapping['ldap_attribute'],
                        mapping['value'], ldap_config, self):
                _logger.debug('adding user %d to group %s' %
                              (user_id, mapping.group.name))
                user.write({'groups_id': [(4, mapping.group.id)]})

    @api.model
    def get_or_create_user(self, ldap_config, login, ldap_entry):

        user_id = super(CompanyLDAP, self).get_or_create_user(
            ldap_config, login, ldap_entry)

        if user_id:
            self.browse(ldap_config['id']).map_groups(user_id, ldap_config,
                                                      ldap_entry)

        return user_id