From 7b9319b1c837991ab187e2f280ff267c35a7c653 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 13:02:49 +0200
Subject: move LDAP authentication to AuthenticationHandler

---
 synapse/handlers/auth.py | 54 ++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 48 insertions(+), 6 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index d5d6faa85f..eeca820845 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -30,6 +30,8 @@ import simplejson
 
 import synapse.util.stringutils as stringutils
 
+import ldap
+
 
 logger = logging.getLogger(__name__)
 
@@ -49,6 +51,15 @@ class AuthHandler(BaseHandler):
         self.sessions = {}
         self.INVALID_TOKEN_HTTP_STATUS = 401
 
+        self.ldap_enabled = hs.config.ldap_enabled
+        self.ldap_server = hs.config.ldap_server
+        self.ldap_port = hs.config.ldap_port
+        self.ldap_search_base = hs.config.ldap_search_base
+        self.ldap_search_property = hs.config.ldap_search_property
+        self.ldap_email_property = hs.config.ldap_email_property
+        self.ldap_full_name_property = hs.config.ldap_full_name_property
+
+
     @defer.inlineCallbacks
     def check_auth(self, flows, clientdict, clientip):
         """
@@ -215,8 +226,8 @@ class AuthHandler(BaseHandler):
         if not user_id.startswith('@'):
             user_id = UserID.create(user_id, self.hs.hostname).to_string()
 
-        user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
-        self._check_password(user_id, password, password_hash)
+        self._check_password(user_id, password)
+
         defer.returnValue(user_id)
 
     @defer.inlineCallbacks
@@ -340,8 +351,8 @@ class AuthHandler(BaseHandler):
             StoreError if there was a problem storing the token.
             LoginError if there was an authentication problem.
         """
-        user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
-        self._check_password(user_id, password, password_hash)
+
+        self._check_password(user_id, password)
 
         logger.info("Logging in user %s", user_id)
         access_token = yield self.issue_access_token(user_id)
@@ -407,12 +418,43 @@ class AuthHandler(BaseHandler):
         else:
             defer.returnValue(user_infos.popitem())
 
-    def _check_password(self, user_id, password, stored_hash):
+    def _check_password(self, user_id, password):
         """Checks that user_id has passed password, raises LoginError if not."""
-        if not self.validate_hash(password, stored_hash):
+
+        if not (self._check_ldap_password(user_id, password) or self._check_local_password(user_id, password)):
             logger.warn("Failed password login for user %s", user_id)
             raise LoginError(403, "", errcode=Codes.FORBIDDEN)
 
+    def _check_local_password(self, user_id, password):
+        user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
+        return not self.validate_hash(password, password_hash)
+
+    def _check_ldap_password(self, user_id, password):
+        if not self.ldap_enabled:
+            return False
+
+        logger.info("Authenticating %s with LDAP" % user_id)
+        try:
+            l = ldap.initialize("%s:%s" % (ldap_server, ldap_port))
+            if self.ldap_tls:
+                logger.debug("Initiating TLS")
+                self._connection.start_tls_s()
+
+            dn = "%s=%s, %s" % (ldap_search_property, user_id.localpart, ldap_search_base)
+            logger.debug("DN for LDAP authentication: %s" % dn)
+
+            l.simple_bind_s(dn.encode('utf-8'), password.encode('utf-8'))
+
+            if not self.does_user_exist(user_id):
+                user_id, access_token = (
+                    yield self.handlers.registration_handler.register(localpart=user_id.localpart)
+                )
+
+            return True
+        except ldap.LDAPError, e:
+            logger.info(e)
+            return False
+
     @defer.inlineCallbacks
     def issue_access_token(self, user_id):
         access_token = self.generate_access_token(user_id)
-- 
cgit 1.4.1


From 823b8be4b706b54457d6f1d8f1065ba37a14026d Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 16:58:50 +0200
Subject: add tls property and twist my head around twisted

---
 synapse/handlers/auth.py | 44 +++++++++++++++++++++++++++++---------------
 1 file changed, 29 insertions(+), 15 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index eeca820845..14a2a4d8b9 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -54,11 +54,13 @@ class AuthHandler(BaseHandler):
         self.ldap_enabled = hs.config.ldap_enabled
         self.ldap_server = hs.config.ldap_server
         self.ldap_port = hs.config.ldap_port
+        self.ldap_tls = hs.config.ldap_tls
         self.ldap_search_base = hs.config.ldap_search_base
         self.ldap_search_property = hs.config.ldap_search_property
         self.ldap_email_property = hs.config.ldap_email_property
         self.ldap_full_name_property = hs.config.ldap_full_name_property
 
+        self.hs = hs # FIXME better possibility to access registrationHandler later?
 
     @defer.inlineCallbacks
     def check_auth(self, flows, clientdict, clientip):
@@ -352,7 +354,10 @@ class AuthHandler(BaseHandler):
             LoginError if there was an authentication problem.
         """
 
-        self._check_password(user_id, password)
+        if not self._check_password(user_id, password):
+            logger.warn("Failed password login for user %s", user_id)
+            raise LoginError(403, "", errcode=Codes.FORBIDDEN)
+
 
         logger.info("Logging in user %s", user_id)
         access_token = yield self.issue_access_token(user_id)
@@ -418,42 +423,51 @@ class AuthHandler(BaseHandler):
         else:
             defer.returnValue(user_infos.popitem())
 
+    @defer.inlineCallbacks
     def _check_password(self, user_id, password):
-        """Checks that user_id has passed password, raises LoginError if not."""
+        defer.returnValue(not ((yield self._check_ldap_password(user_id, password)) or (yield self._check_local_password(user_id, password))))
 
-        if not (self._check_ldap_password(user_id, password) or self._check_local_password(user_id, password)):
-            logger.warn("Failed password login for user %s", user_id)
-            raise LoginError(403, "", errcode=Codes.FORBIDDEN)
 
+    @defer.inlineCallbacks
     def _check_local_password(self, user_id, password):
-        user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
-        return not self.validate_hash(password, password_hash)
+        try:
+            user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
+            defer.returnValue(not self.validate_hash(password, password_hash))
+        except:
+            defer.returnValue(False)
 
+
+    @defer.inlineCallbacks
     def _check_ldap_password(self, user_id, password):
         if not self.ldap_enabled:
-            return False
+            logger.info("LDAP not configured")
+            defer.returnValue(False)
 
         logger.info("Authenticating %s with LDAP" % user_id)
         try:
-            l = ldap.initialize("%s:%s" % (ldap_server, ldap_port))
+            ldap_url = "%s:%s" % (self.ldap_server, self.ldap_port)
+            logger.debug("Connecting LDAP server at %s" % ldap_url)
+            l = ldap.initialize(ldap_url)
             if self.ldap_tls:
                 logger.debug("Initiating TLS")
                 self._connection.start_tls_s()
 
-            dn = "%s=%s, %s" % (ldap_search_property, user_id.localpart, ldap_search_base)
+            local_name = UserID.from_string(user_id).localpart
+
+            dn = "%s=%s, %s" % (self.ldap_search_property, local_name, self.ldap_search_base)
             logger.debug("DN for LDAP authentication: %s" % dn)
 
             l.simple_bind_s(dn.encode('utf-8'), password.encode('utf-8'))
 
-            if not self.does_user_exist(user_id):
+            if not (yield self.does_user_exist(user_id)):
                 user_id, access_token = (
-                    yield self.handlers.registration_handler.register(localpart=user_id.localpart)
+                    yield self.hs.get_handlers().registration_handler.register(localpart=local_name)
                 )
 
-            return True
+            defer.returnValue(True)
         except ldap.LDAPError, e:
-            logger.info(e)
-            return False
+            logger.info("LDAP error: %s" % e)
+            defer.returnValue(False)
 
     @defer.inlineCallbacks
     def issue_access_token(self, user_id):
-- 
cgit 1.4.1


From afff321e9a4d4a4d27841cc5cd737720d78dbffd Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 17:32:06 +0200
Subject: code style

---
 synapse/handlers/auth.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 14a2a4d8b9..37cbaa0b46 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -60,7 +60,7 @@ class AuthHandler(BaseHandler):
         self.ldap_email_property = hs.config.ldap_email_property
         self.ldap_full_name_property = hs.config.ldap_full_name_property
 
-        self.hs = hs # FIXME better possibility to access registrationHandler later?
+        self.hs = hs  # FIXME better possibility to access registrationHandler later?
 
     @defer.inlineCallbacks
     def check_auth(self, flows, clientdict, clientip):
@@ -425,8 +425,12 @@ class AuthHandler(BaseHandler):
 
     @defer.inlineCallbacks
     def _check_password(self, user_id, password):
-        defer.returnValue(not ((yield self._check_ldap_password(user_id, password)) or (yield self._check_local_password(user_id, password))))
-
+        defer.returnValue(
+            not (
+                (yield self._check_ldap_password(user_id, password))
+                or
+                (yield self._check_local_password(user_id, password))
+            ))
 
     @defer.inlineCallbacks
     def _check_local_password(self, user_id, password):
@@ -436,7 +440,6 @@ class AuthHandler(BaseHandler):
         except:
             defer.returnValue(False)
 
-
     @defer.inlineCallbacks
     def _check_ldap_password(self, user_id, password):
         if not self.ldap_enabled:
@@ -454,14 +457,18 @@ class AuthHandler(BaseHandler):
 
             local_name = UserID.from_string(user_id).localpart
 
-            dn = "%s=%s, %s" % (self.ldap_search_property, local_name, self.ldap_search_base)
+            dn = "%s=%s, %s" % (
+                self.ldap_search_property,
+                local_name,
+                self.ldap_search_base)
             logger.debug("DN for LDAP authentication: %s" % dn)
 
             l.simple_bind_s(dn.encode('utf-8'), password.encode('utf-8'))
 
             if not (yield self.does_user_exist(user_id)):
                 user_id, access_token = (
-                    yield self.hs.get_handlers().registration_handler.register(localpart=local_name)
+                    handler = self.hs.get_handlers().registration_handler
+                    yield handler.register(localpart=local_name)
                 )
 
             defer.returnValue(True)
-- 
cgit 1.4.1


From 67f3a50e9ae68b66b465b5b4b86bc81da625d1e6 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 17:44:03 +0200
Subject: fix exception handling

---
 synapse/handlers/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 37cbaa0b46..0e6b7c9e26 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -437,7 +437,7 @@ class AuthHandler(BaseHandler):
         try:
             user_id, password_hash = yield self._find_user_id_and_pwd_hash(user_id)
             defer.returnValue(not self.validate_hash(password, password_hash))
-        except:
+        except LoginError:
             defer.returnValue(False)
 
     @defer.inlineCallbacks
@@ -473,7 +473,7 @@ class AuthHandler(BaseHandler):
 
             defer.returnValue(True)
         except ldap.LDAPError, e:
-            logger.info("LDAP error: %s" % e)
+            logger.warn("LDAP error: %s", e)
             defer.returnValue(False)
 
     @defer.inlineCallbacks
-- 
cgit 1.4.1


From 875ed05bdcfdee72452a3eab196e3935a79e4004 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 17:48:36 +0200
Subject: fix pep8

---
 synapse/handlers/auth.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 0e6b7c9e26..ee2b285cc1 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -358,7 +358,6 @@ class AuthHandler(BaseHandler):
             logger.warn("Failed password login for user %s", user_id)
             raise LoginError(403, "", errcode=Codes.FORBIDDEN)
 
-
         logger.info("Logging in user %s", user_id)
         access_token = yield self.issue_access_token(user_id)
         refresh_token = yield self.issue_refresh_token(user_id)
@@ -466,8 +465,8 @@ class AuthHandler(BaseHandler):
             l.simple_bind_s(dn.encode('utf-8'), password.encode('utf-8'))
 
             if not (yield self.does_user_exist(user_id)):
+                handler = self.hs.get_handlers().registration_handler
                 user_id, access_token = (
-                    handler = self.hs.get_handlers().registration_handler
                     yield handler.register(localpart=local_name)
                 )
 
-- 
cgit 1.4.1


From 4c5e8adf8b326798ec71a1cc1caac49f63980ba8 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 17:56:12 +0200
Subject: conditionally import ldap

---
 synapse/handlers/auth.py       | 7 +++++--
 synapse/python_dependencies.py | 1 -
 2 files changed, 5 insertions(+), 3 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index ee2b285cc1..12585abb1b 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -30,8 +30,6 @@ import simplejson
 
 import synapse.util.stringutils as stringutils
 
-import ldap
-
 
 logger = logging.getLogger(__name__)
 
@@ -60,6 +58,9 @@ class AuthHandler(BaseHandler):
         self.ldap_email_property = hs.config.ldap_email_property
         self.ldap_full_name_property = hs.config.ldap_full_name_property
 
+        if self.ldap_enabled:
+            import ldap
+
         self.hs = hs  # FIXME better possibility to access registrationHandler later?
 
     @defer.inlineCallbacks
@@ -445,6 +446,8 @@ class AuthHandler(BaseHandler):
             logger.info("LDAP not configured")
             defer.returnValue(False)
 
+        import ldap
+
         logger.info("Authenticating %s with LDAP" % user_id)
         try:
             ldap_url = "%s:%s" % (self.ldap_server, self.ldap_port)
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index d6b6e82bd7..cf1414b4db 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -37,7 +37,6 @@ REQUIREMENTS = {
     "pysaml2>=3.0.0,<4.0.0": ["saml2>=3.0.0,<4.0.0"],
     "pymacaroons-pynacl": ["pymacaroons"],
     "pyjwt": ["jwt"],
-    "python-ldap": ["ldap"],
 }
 CONDITIONAL_REQUIREMENTS = {
     "web_client": {
-- 
cgit 1.4.1


From 3555a659ec5a78ef1dad2a9fb1e28d2fcb4f06b5 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 18:03:55 +0200
Subject: output ldap version for info and to pacify pep8

---
 synapse/handlers/auth.py | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 12585abb1b..cae81dbd67 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -60,6 +60,8 @@ class AuthHandler(BaseHandler):
 
         if self.ldap_enabled:
             import ldap
+            logger.info("Import ldap version: %s", ldap.__version__)
+
 
         self.hs = hs  # FIXME better possibility to access registrationHandler later?
 
-- 
cgit 1.4.1


From 27a0c21c38f83572f984b9556ab5740a91428caf Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 18:10:14 +0200
Subject: make tests for ldap more specific to not be fooled by Mocks

---
 synapse/handlers/auth.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index cae81dbd67..f3acdf00da 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -58,7 +58,7 @@ class AuthHandler(BaseHandler):
         self.ldap_email_property = hs.config.ldap_email_property
         self.ldap_full_name_property = hs.config.ldap_full_name_property
 
-        if self.ldap_enabled:
+        if self.ldap_enabled is True:
             import ldap
             logger.info("Import ldap version: %s", ldap.__version__)
 
@@ -444,8 +444,8 @@ class AuthHandler(BaseHandler):
 
     @defer.inlineCallbacks
     def _check_ldap_password(self, user_id, password):
-        if not self.ldap_enabled:
-            logger.info("LDAP not configured")
+        if self.ldap_enabled is not True:
+            logger.debug("LDAP not configured")
             defer.returnValue(False)
 
         import ldap
-- 
cgit 1.4.1


From 9c62fcdb688d889c6d3deffbc82ac4bbfbd4ffc4 Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 18:16:35 +0200
Subject: remove line

---
 synapse/handlers/auth.py | 1 -
 1 file changed, 1 deletion(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index f3acdf00da..7c62f833ae 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -62,7 +62,6 @@ class AuthHandler(BaseHandler):
             import ldap
             logger.info("Import ldap version: %s", ldap.__version__)
 
-
         self.hs = hs  # FIXME better possibility to access registrationHandler later?
 
     @defer.inlineCallbacks
-- 
cgit 1.4.1


From ed4d18f516385c2d367388aed00d13879273e99c Mon Sep 17 00:00:00 2001
From: Christoph Witzany <christoph@web.crofting.com>
Date: Wed, 6 Apr 2016 18:30:11 +0200
Subject: fix check for failed authentication

---
 synapse/handlers/auth.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'synapse/handlers')

diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index 7c62f833ae..7a13a8b11c 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -230,7 +230,9 @@ class AuthHandler(BaseHandler):
         if not user_id.startswith('@'):
             user_id = UserID.create(user_id, self.hs.hostname).to_string()
 
-        self._check_password(user_id, password)
+        if not (yield self._check_password(user_id, password)):
+            logger.warn("Failed password login for user %s", user_id)
+            raise LoginError(403, "", errcode=Codes.FORBIDDEN)
 
         defer.returnValue(user_id)
 
@@ -356,7 +358,7 @@ class AuthHandler(BaseHandler):
             LoginError if there was an authentication problem.
         """
 
-        if not self._check_password(user_id, password):
+        if not (yield self._check_password(user_id, password)):
             logger.warn("Failed password login for user %s", user_id)
             raise LoginError(403, "", errcode=Codes.FORBIDDEN)
 
-- 
cgit 1.4.1