Merge branch 'master' of gitlab.cip.ifi.lmu.de:jost/UniWorX

config/keter.yml

@@ -1,13 +1,6 @@
-# After you've edited this file, remove the following line to allow
-# `yesod keter` to build your bundle.
-user-edited: false
+root: ..
 
-# A Keter app is composed of 1 or more stanzas. The main stanza will define our
-# web application. See the Keter documentation for more information on
-# available stanzas.
 stanzas:
-
-  # Your Yesod application.
   - type: webapp
 
     # Name of your executable. You are unlikely to need to change this.
@@ -22,49 +15,28 @@ stanzas:
     args: []
 
     hosts:
-      # You can specify one or more hostnames for your application to respond
-      # to. The primary hostname will be used for generating your application
-      # root.
-      - www.uniworx.com
+      - testworx.tcs.ifi.lmu.de
 
-    # Enable to force Keter to redirect to https
-    # Can be added to any stanza
-    requires-secure: false
+    ssl: true
 
-  # Static files.
-  - type: static-files
-    hosts:
-      - static.uniworx.com
-    root: ../static
-
-    # Uncomment to turn on directory listings.
-    # directory-listing: true
-
-  # Redirect plain domain name to www.
-  - type: redirect
-
-    hosts:
-      - uniworx.com
-    actions:
-      - host: www.uniworx.com
-        # secure: false
-        # port: 80
-
-    # Uncomment to switch to a non-permanent redirect.
-    # status: 303
+    forward-env:
+      - LDAPURI
+      - LDAPDN
+      - LDAPPW
+      - LDAPBN
+      - DUMMY_LOGIN
+      - DETAILED_LOGGING
+      - LOG_ALL
 
 # Use the following to automatically copy your bundle upon creation via `yesod
 # keter`. Uses `scp` internally, so you can set it to a remote destination
 # copy-to: user@host:/opt/keter/incoming/
-
-# You can pass arguments to `scp` used above. This example limits bandwidth to
-# 1024 Kbit/s and uses port 2222 instead of the default 22
-# copy-to-args:
-#   - "-l 1024"
-#   - "-P 2222"
+copy-to: keter@testworx.tcs.ifi.lmu.de:/opt/keter/incoming/
+copy-to-args:
+  - "-P 30363"
 
 # If you would like to have Keter automatically create a PostgreSQL database
 # and set appropriate environment variables for it to be discovered, uncomment
 # the following line.
-# plugins:
-#   postgres: true
+plugins:
+  postgres: true

config/settings.yml

@@ -8,17 +8,17 @@ ip-from-header: "_env:IP_FROM_HEADER:false"
 
 # Default behavior: determine the application root from the request headers.
 # Uncomment to set an explicit approot
-#approot:        "_env:APPROOT:http://localhost:3000"
+approot:        "_env:APPROOT:http://localhost:3000"
 
 # Optional values with the following production defaults.
 # In development, they default to the inverse.
 #
-# detailed-logging: false
-# should-log-all: false
+detailed-logging: "_env:DETAILED_LOGGING:false"
+should-log-all: "_env:LOG_ALL:false"
 # reload-templates: false
 # mutable-static: false
 # skip-combining: false
-# auth-dummy-login : false
+auth-dummy-login: "_env:DUMMY_LOGIN:false"
 
 # NB: If you need a numeric value (e.g. 123) to parse as a String, wrap it in single quotes (e.g. "_env:PGPASS:'123'")
 # See https://github.com/yesodweb/yesod/wiki/Configuration#parsing-numeric-values-as-strings
@@ -32,6 +32,12 @@ database:
   database: "_env:PGDATABASE:uniworx"
   poolsize: "_env:PGPOOLSIZE:10"
 
+ldap:
+  uri:      "_env:LDAPURI:ldap://localhost:389"
+  dn:       "_env:LDAPDN:uniworx"
+  password: "_env:LDAPPW:"
+  basename: "_env:LDAPBN:"
+
 cryptoid-keyfile: "_env:CRYPTOID_KEYFILE:cryptoid_key.bf"
 
 copyright: Insert copyright statement here

docker/Dockerfile

@@ -0,0 +1,6 @@
+FROM fpco/stack-build:lts-9.3
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update
+RUN apt-get install libldap2-dev libsasl2-dev

models

@@ -1,7 +1,7 @@
 User
     plugin Text
     ident Text
-    matrikelnummer Text
+    matrikelnummer Text Maybe
     UniqueAuthentication plugin ident
 Term json
     name          TermIdentifier

package.yaml

@@ -72,6 +72,8 @@ dependencies:
 - generic-deriving
 - blaze-html
 - conduit-resumablesink >=0.2
+- yesod-auth-ldap
+- LDAP
 
 # The library contains all of our application code. The executable
 # defined below is just a thin wrapper.

src/Foundation.hs

@@ -6,6 +6,7 @@
 {-# LANGUAGE ViewPatterns #-}
 {-# LANGUAGE DataKinds #-}
 {-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE NamedFieldPuns #-}
 {-# LANGUAGE PatternGuards #-}
 
 module Foundation where
@@ -16,9 +17,13 @@ import Text.Hamlet          (hamletFile)
 import Text.Jasmine         (minifym)
 
 -- Used only when in "auth-dummy-login" setting is enabled.
+import Yesod.Auth.Message
 import Yesod.Auth.Dummy
+import Yesod.Auth.LDAP
+
+import LDAP.Data (LDAPScope(..))
+import LDAP.Search (LDAPEntry(..))
 
-import Yesod.Auth.OpenId    (authOpenId, IdentifierType (Claimed))
 import Yesod.Default.Util   (addStaticContentExternal)
 import Yesod.Core.Types     (Logger)
 import qualified Yesod.Core.Unsafe as Unsafe
@@ -279,29 +284,54 @@ instance YesodAuth UniWorX where
     -- Override the above two destinations when a Referer: header is present
     redirectToReferer _ = True
 
-    authenticate Creds{..} = runDB $ do
-        let (plugin, ident)
-              | credsPlugin == "dummy"
-              , [dummyPlugin, dummyIdent] <- Text.splitOn ":" credsIdent
-              = (dummyPlugin, dummyIdent)
-              | otherwise
-              = (credsPlugin, credsIdent)
-        x <- getBy $ UniqueAuthentication plugin ident
-        case x of
-            Just (Entity uid _) -> return $ Authenticated uid
-            Nothing -> Authenticated <$> insert User
-                { userPlugin = plugin
-                , userIdent = ident
-                , userMatrikelnummer = "DummyMatrikel"
-                }
+    authenticate creds@(Creds{..}) = runDB $ do
+      let (userPlugin, userIdent)
+            | isDummy
+            , [dummyPlugin, dummyIdent] <- Text.splitOn ":" credsIdent
+            = (dummyPlugin, dummyIdent)
+            | otherwise
+            = (credsPlugin, credsIdent)
+          isDummy = credsPlugin == "dummy"
+          uAuth = UniqueAuthentication userPlugin userIdent
+
+      $logDebugS "auth" $ tshow ((userPlugin, userIdent), creds)
+
+      case isDummy of
+        True  ->
+          maybe (UserError $ IdentifierNotFound credsIdent) (Authenticated . entityKey) <$> getBy uAuth
+        False -> do
+          let
+            userMatrikelnummer = lookup "LMU-Stud-Matrikelnummer" credsExtra
+            
+            newUser = User{..}
+            userUpdate = [ UserMatrikelnummer =. userMatrikelnummer
+                         ]
+          Authenticated . entityKey <$> upsertBy uAuth newUser userUpdate 
 
     -- You can add other plugins like Google Email, email or OAuth here
-    authPlugins app = [authOpenId Claimed []] ++ extraAuthPlugins
+    authPlugins app = [genericAuthLDAP $ ldapConfig app] ++ extraAuthPlugins
         -- Enable authDummy login if enabled.
         where extraAuthPlugins = [authDummy | appAuthDummyLogin $ appSettings app]
 
     authHttpManager = getHttpManager
 
+ldapConfig :: UniWorX -> LDAPConfig
+ldapConfig app@(appSettings -> settings) = LDAPConfig
+  { usernameFilter = \u -> principalName <> "=" <> u
+  , identifierModifier
+  , ldapUri = appLDAPURI settings
+  , initDN = appLDAPDN settings
+  , initPass = appLDAPPw settings
+  , baseDN = appLDAPBaseName settings
+  , ldapScope = LdapScopeSubtree
+  }
+  where
+    principalName :: IsString a => a
+    principalName = "userPrincipalName" 
+    identifierModifier _ entry = case lookup principalName $ leattrs entry of
+      Just [n] -> Text.pack n
+      _        -> error "Could not determine user principal name"
+
 -- | Access function to determine if a user is logged in.
 isAuthenticated :: Handler AuthResult
 isAuthenticated = do

src/Settings.hs

@@ -43,6 +43,11 @@ data AppSettings = AppSettings
     -- ^ Get the IP address from the header when logging. Useful when sitting
     -- behind a reverse proxy.
 
+    , appLDAPURI                :: String
+    , appLDAPDN                 :: String
+    , appLDAPPw                 :: String
+    , appLDAPBaseName           :: Maybe String
+
     , appDetailedRequestLogging :: Bool
     -- ^ Use detailed request logging system
     , appShouldLogAll           :: Bool
@@ -80,6 +85,9 @@ instance FromJSON AppSettings where
         appPort                   <- o .: "port"
         appIpFromHeader           <- o .: "ip-from-header"
 
+        ( appLDAPURI, appLDAPDN, appLDAPPw, appLDAPBaseName )
+          <- (=<< o .: "ldap") . withObject "LDAP" $ \obj -> (,,,) <$> obj .: "uri" <*> obj .: "dn" <*> obj .: "password" <*> obj .:? "basename"
+
         appDetailedRequestLogging <- o .:? "detailed-logging" .!= defaultDev
         appShouldLogAll           <- o .:? "should-log-all"   .!= defaultDev
         appReloadTemplates        <- o .:? "reload-templates" .!= defaultDev

stack.yaml

@@ -1,5 +1,9 @@
 flags: {}
+docker:
+  enable: true
+  image: uniworx
 nix:
+  enable: false
   packages: []
   pure: false
   shell-file: ./stack.nix
@@ -10,6 +14,14 @@ packages:
     git: https://github.com/pngwjpgh/zip-stream.git
     commit: 9272bbed000928d500febad1cdc98d1da29d399e
   extra-dep: true
+- location:
+    git: https://github.com/mlitchard/yesod-auth-ldap.git
+    commit: 69e08ef687ab96df3352ff4267562135453c6f02
+  extra-dep: true
+- location:
+    git: https://github.com/mlitchard/authenticate-ldap.git
+    commit: cc2770024766a8fa29d3086688df60aaf65fb954
+  extra-dep: true
 extra-deps:
 - colonnade-1.1.1
 - yesod-colonnade-1.1.0
@@ -22,4 +34,6 @@ extra-deps:
 
 - encoding-0.8.2
 - regex-compat-0.93.1
+
+- LDAP-0.6.11
 resolver: lts-9.3