fix: ldap connection with tls (#365)

bihealth · Jan 14, 2025 · 0b72e85 · 0b72e85
1 parent 3221fa6
commit 0b72e85
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 26 deletions.
diff --git a/adminsec/ldap.py b/adminsec/ldap.py
@@ -1,4 +1,5 @@
 import logging as _logging
+import ssl
 
 import ldap3
 from django.conf import settings
@@ -34,7 +35,19 @@ def connect(self):
 
         if settings.ENABLE_LDAP:
             logger.debug("LDAP enabled")
-            server1 = ldap3.Server(settings.AUTH_LDAP_SERVER_URI)
+            ssl_options = {}
+            url = settings.AUTH_LDAP_SERVER_URI
+
+            if settings.AUTH_LDAP_START_TLS and not self.test_mode:
+                url = settings.AUTH_LDAP_SERVER_URI.replace("ldap://", "ldaps://")
+                ssl_options = {
+                    "tls": ldap3.Tls(
+                        ca_certs_file=settings.AUTH_LDAP_CA_CERT_FILE,
+                        validate=ssl.CERT_REQUIRED,
+                    ),
+                }
+
+            server1 = ldap3.Server(url, **ssl_options)
 
             logger.debug("Connecting to LDAP server: %s", settings.AUTH_LDAP_SERVER_URI)
             self.connection1 = ldap3.Connection(

diff --git a/adminsec/tests/test_ldap.py b/adminsec/tests/test_ldap.py
@@ -28,6 +28,7 @@
 LDAP_DEFAULT_MOCKS = {
     "ENABLE_LDAP": ENABLE_LDAP,
     "ENABLE_LDAP_SECONDARY": ENABLE_LDAP_SECONDARY,
+    "AUTH_LDAP_START_TLS": False,
     "AUTH_LDAP_SERVER_URI": AUTH_LDAP_SERVER_URI,
     "AUTH_LDAP2_SERVER_URI": AUTH_LDAP2_SERVER_URI,
     "AUTH_LDAP_BIND_DN": AUTH_LDAP_BIND_DN,

diff --git a/usersec/forms.py b/usersec/forms.py
@@ -265,7 +265,7 @@ def clean(self):
                     "email",
                     (
                         "This is no institute email address. "
-                        f"Valid domains are: {', '.join(valid_domains)}",
+                        f"Valid domains are: {', '.join(valid_domains)}"
                     ),
                 )
                 return

diff --git a/usersec/rules.py b/usersec/rules.py
@@ -2,7 +2,7 @@
 from django.conf import settings
 
 from adminsec.rules import is_hpcadmin
-from usersec.models import REQUEST_STATUS_ACTIVE, HpcGroupInvitation
+from usersec.models import INVITATION_STATUS_PENDING, REQUEST_STATUS_ACTIVE, HpcGroupInvitation
 
 # ------------------------------------------------------------------------------
 # Predicates
@@ -25,7 +25,9 @@ def _has_pending_group_request(user):
 
 @rules.predicate
 def _has_group_invitation(user):
-    return HpcGroupInvitation.objects.filter(username=user.username).exists()
+    return HpcGroupInvitation.objects.filter(
+        username=user.username, status=INVITATION_STATUS_PENDING
+    ).exists()
 
 
 @rules.predicate

diff --git a/usersec/templates/usersec/hpcgroupinvitation_detail.html b/usersec/templates/usersec/hpcgroupinvitation_detail.html
@@ -4,27 +4,50 @@
 
 {% block content %}
 
-  <h1>
-    You've been invited to the BIH cluster to join group
-    <span class="text-danger">{{ object.hpcusercreaterequest.group.name }}</span>
-  </h1>
+  {% if object.status == "REJECTED" %}
 
-  <h3 class="mt-4">Terms &amp; Conditions</h3>
+  <h2 class="mt-4">
+    You've rejected your invitation to join group
+    <strong>{{ object.hpcusercreaterequest.group.name }}</strong>.
+  </h2>
 
-  {% for obj in terms_list %}
-    <h4 class="mt-4">{{ obj.title }}</h4>
-    <p>{{ obj.text }}</p>
-    <div class="input-group mb-4">
-      <span class="input-group-text">
-        <input type="checkbox" class="form-check-input m-0 consent" name="consent{{ forloop.counter }}" id="id_consent{{ forloop.counter }}">
-      </span>
-      <label for="id_consent{{ forloop.counter }}">
-        <span class="form-control fw-bold">
-          I consent to <em>{{ obj.title }}</em>.
+  <p>
+    <a class="btn btn-secondary" href="{% url 'home' %}">
+      Return to index page
+    </a>
+  </p>
+
+  {% else %}
+
+  <h2 class="mt-4">
+    You've been invited to the BIH cluster
+  </h2>
+
+  <p class="lead">
+    You've been invited to the HPC cluster to join the group
+    <strong>{{ object.hpcusercreaterequest.group.name }}</strong>.
+    You can accept or reject the invitation below.
+    Please confirm any conditions.
+  </p>
+
+  {% if terms_list %}
+    <h3 class="mt-4">Terms &amp; Conditions</h3>
+
+    {% for obj in terms_list %}
+      <h4 class="mt-4">{{ obj.title }}</h4>
+      <p>{{ obj.text }}</p>
+      <div class="input-group mb-4">
+        <span class="input-group-text">
+          <input type="checkbox" class="form-check-input m-0 consent" name="consent{{ forloop.counter }}" id="id_consent{{ forloop.counter }}">
         </span>
-      </label>
-    </div>
-  {% endfor %}
+        <label for="id_consent{{ forloop.counter }}">
+          <span class="form-control fw-bold">
+            I consent to <em>{{ obj.title }}</em>.
+          </span>
+        </label>
+      </div>
+    {% endfor %}
+  {% endif %}
 
   <a
     class="btn btn-success disabled"
@@ -40,7 +63,7 @@ <h4 class="mt-4">{{ obj.title }}</h4>
     <i class="iconify" data-icon="mdi:cancel"></i>
     Reject
   </a>
-
+  {% endif %}
 {% endblock content %}
 
 {% block inline_javascript %}

diff --git a/usersec/tests/test_forms.py b/usersec/tests/test_forms.py
@@ -175,7 +175,10 @@ def test_form_invalid_email_wrong_domain(self):
         data_invalid = {**self.data_valid, "email": "[email protected]"}
         form = HpcUserCreateRequestForm(user=self.user, data=data_invalid)
         self.assertFalse(form.is_valid())
-        self.assertEqual(form.errors["email"], ["No institute email address."])
+        self.assertEqual(
+            form.errors["email"],
+            ["This is no institute email address. Valid domains are: charite.de, mdc-berlin.de"],
+        )
 
     def test_form_valid_hpcadmin(self):
         form = HpcUserCreateRequestForm(user=self.user_hpcadmin, data=self.data_valid)

diff --git a/usersec/tests/test_rules.py b/usersec/tests/test_rules.py
@@ -4123,7 +4123,12 @@ def test_hpc_group_invitation_reject_view_post(self):
             ),
         )
         self.assert_permissions_on_url(
-            bad_users, url, "POST", 302, redirect_url=reverse("home"), not_authorized=True
+            bad_users,
+            url,
+            "POST",
+            302,
+            redirect_url=reverse("home"),
+            not_authorized=True,
         )
 
     def test_hpc_project_invitation_accept_view(self):

diff --git a/usersec/views.py b/usersec/views.py
@@ -42,6 +42,7 @@
 )
 from usersec.models import (
     INVITATION_STATUS_ACCEPTED,
+    INVITATION_STATUS_PENDING,
     INVITATION_STATUS_REJECTED,
     OBJECT_STATUS_ACTIVE,
     REQUEST_STATUS_ACTIVE,
@@ -152,7 +153,9 @@ def get(self, request, *args, **kwargs):
             )
 
         if rules.test_rule("usersec.has_group_invitation", request.user):
-            invitation = HpcGroupInvitation.objects.get(username=request.user.username)
+            invitation = HpcGroupInvitation.objects.get(
+                username=request.user.username, status=INVITATION_STATUS_PENDING
+            )
             return redirect(
                 reverse(
                     "usersec:hpcgroupinvitation-detail",