added python ldap / login pages

main.py

@@ -1,4 +1,4 @@
-from flask import Flask, render_template, request, redirect, jsonify
+from flask import Flask, render_template, request, redirect, jsonify, url_for, render_template_string
 from flask_sqlalchemy import SQLAlchemy
 from sqlalchemy.exc import SQLAlchemyError
 from flask_marshmallow import Marshmallow
@@ -7,6 +7,13 @@ from wtforms import SubmitField, StringField, HiddenField, SelectField, IntegerF
 from flask_wtf import FlaskForm
 from status import st, Status
 from shared import CreateSelect, CreateFoldersSelect, LocationIcon, DB_URL
+from flask_login import login_required, current_user
+
+
+# for ldap auth
+from flask_ldap3_login import LDAP3LoginManager
+from flask_login import LoginManager, login_user, UserMixin, current_user
+from flask_ldap3_login.forms import LDAPLoginForm
 
 import re
 import socket
@@ -23,9 +30,30 @@ app = Flask(__name__)
 app.config['SQLALCHEMY_DATABASE_URI'] = DB_URL
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
 app.config.from_mapping( SECRET_KEY=b'\xd6\x04\xbdj\xfe\xed$c\x1e@\xad\x0f\x13,@G')
+
+# ldap config vars: (the last one is required, or python ldap freaks out)
+app.config['LDAP_HOST'] = 'mara.ddp.net'
+app.config['LDAP_BASE_DN'] = 'dc=depaoli,dc=id,dc=au'
+app.config['LDAP_USER_DN'] = 'ou=users'
+app.config['LDAP_GROUP_DN'] = 'ou=groups'
+app.config['LDAP_USER_RDN_ATTR'] = 'cn'
+app.config['LDAP_USER_LOGIN_ATTR'] = 'uid'
+app.config['LDAP_BIND_USER_DN'] = None
+app.config['LDAP_BIND_USER_PASSWORD'] = None
+app.config['LDAP_GROUP_OBJECT_FILTER'] = '(objectclass=posixGroup)'
+
 db = SQLAlchemy(app)
 ma = Marshmallow(app)
 Bootstrap(app)
+login_manager = LoginManager(app)              # Setup a Flask-Login Manager
+ldap_manager = LDAP3LoginManager(app)          # Setup a LDAP3 Login Manager.
+login_manager.login_view = "login"             # default login route, failed with url_for, so hard-coded
+
+# Create a dictionary to store the users in when they authenticate
+# This example stores users in memory.
+users = {}
+
+
 
 ################################# Now, import non-book classes ###################################
 from settings import Settings
@@ -50,11 +78,70 @@ app.jinja_env.globals['CreateFoldersSelect'] = CreateFoldersSelect
 app.jinja_env.globals['LocationIcon'] = LocationIcon
 app.jinja_env.globals['StoragePathNames'] = StoragePathNames
 
+
+# Declare an Object Model for the user, and make it comply with the
+# flask-login UserMixin mixin.
+class User(UserMixin):
+    def __init__(self, dn, username, data):
+        self.dn = dn
+        self.username = username
+        self.data = data
+
+    def __repr__(self):
+        return self.dn
+
+    def get_id(self):
+        return self.dn
+
+# Declare a User Loader for Flask-Login.
+# Simply returns the User if it exists in our 'database', otherwise
+# returns None.
+@login_manager.user_loader
+def load_user(id):
+    if id in users:
+        return users[id]
+    return None
+
+# Declare The User Saver for Flask-Ldap3-Login
+# This method is called whenever a LDAPLoginForm() successfully validates.
+# Here you have to save the user, and return it so it can be used in the
+# login controller.
+@ldap_manager.save_user
+def save_user(dn, username, data, memberships):
+    user = User(dn, username, data)
+    users[dn] = user
+    return user
+
 # default page, just the navbar
 @app.route("/", methods=["GET"])
+@login_required
 def main_page():
+    # Redirect users who are not logged in.
+    if not current_user or current_user.is_anonymous:
+        return redirect(url_for('login'))
+    
     return render_template("base.html")
 
+@app.route('/login', methods=['GET', 'POST'])
+def login():
+    # Instantiate a LDAPLoginForm which has a validator to check if the user
+    # exists in LDAP.
+    form = LDAPLoginForm()
+    form.submit.label.text="Login"
+
+    if form.validate_on_submit():
+        # Successfully logged in, We can now access the saved user object
+        # via form.user.
+        login_user(form.user, remember=True)  # Tell flask-login to log them in.
+        next = request.args.get("next")
+        if next:
+            return redirect(next)  # Send them back where they came from
+        else:
+            return redirect('/')
+
+    return render_template("login.html", form=form)
+
+
 if __name__ == "__main__":
     if hostname == PROD_HOST:
         app.run(ssl_context=('/etc/letsencrypt/live/book.depaoli.id.au/cert.pem', '/etc/letsencrypt/live/book.depaoli.id.au/privkey.pem'), host="0.0.0.0", debug=False)