Split concern between spawner attributes and spawner user attributes in providing dynamic attributes for now

Author: rasmunk

example/setup_ldap_hook_test_config.py

@@ -0,0 +1,71 @@
+# Example config
+from jhubauthenticators import RegexUsernameParser
+from ldap_hooks import setup_ldap_entry_hook
+from ldap_hooks import LDAP, LDAP_SEARCH_ATTRIBUTE_QUERY, \
+    SPAWNER_SUBMIT_DATA, INCREMENT_ATTRIBUTE, SPAWNER_USER_ATTRIBUTE
+c = get_config()
+
+c.JupyterHub.ip = '0.0.0.0'
+c.JupyterHub.hub_ip = '0.0.0.0'
+c.JupyterHub.port = 80
+
+# Spawner setup
+c.JupyterHub.spawner_class = 'dockerspawner.DockerSpawner'
+c.DockerSpawner.image = 'nielsbohr/base-notebook:latest'
+c.DockerSpawner.pre_spawn_hook = setup_ldap_entry_hook
+
+# Authenticator setup
+c.JupyterHub.authenticator_class = 'jhubauthenticators.HeaderAuthenticator'
+c.HeaderAuthenticator.enable_auth_state = True
+c.HeaderAuthenticator.allowed_headers = {'auth': 'Remote-User'}
+c.HeaderAuthenticator.header_parser_classes = {'auth': RegexUsernameParser}
+c.HeaderAuthenticator.user_external_allow_attributes = ['data']
+# Email regex
+RegexUsernameParser.username_extract_regex = '([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]' \
+    '+\.[a-zA-Z0-9-.]+)'
+
+
+# Define LDAP connection options
+LDAP.url = "openldap"
+LDAP.user = "cn=admin,dc=migrid,dc=org"
+LDAP.password = "dummyldap_password"
+LDAP.base_dn = "dc=migrid,dc=org"
+
+# LDAP get dn to submit to the DIT
+LDAP.submit_spawner_attribute = 'user.data'
+LDAP.submit_spawner_attribute_keys = ('User', 'CERT')
+
+# Prepare LDAP object
+LDAP.replace_object_with = {'/': '+'}
+
+# Dynamic attributes and where to find the value
+LDAP.dynamic_attributes = {
+    'emailAddress': SPAWNER_SUBMIT_DATA,
+    'name': SPAWNER_USER_ATTRIBUTE,
+    'uidNumber': LDAP_SEARCH_ATTRIBUTE_QUERY
+}
+
+LDAP.set_spawner_attributes = {
+    'environment': {'NB_USER': '{name}',
+                    'NB_UID': '{uidNumber}'},
+}
+
+# Attributes used to check whether the ldap data
+# of type object_classes already exists
+# LDAP.unique_object_attributes = ['emailAddress']
+LDAP.search_attribute_queries = [
+    {'search_base': LDAP.base_dn,
+     'search_filter': '(objectclass=X-nextUserIdentifier)',
+     'attributes': ['uidNumber']}
+]
+
+modify_dn = 'cn=uidNext' + ',' + LDAP.base_dn
+LDAP.search_result_operations = {'uidNumber': {'action': INCREMENT_ATTRIBUTE,
+                                               'modify_dn': modify_dn}}
+
+# Submit object settings
+LDAP.object_classes = ['X-certsDistinguishedName', 'PosixAccount']
+LDAP.object_attributes = {'uid': '{name}',
+                          'uidNumber': '{uidNumber}',
+                          'gidNumber': '100',
+                          'homeDirectory': '/home/{name}'}

ldap_hooks/hooks.py

@@ -14,11 +14,13 @@
 
 SPAWNER_SUBMIT_DATA = '1'
 LDAP_SEARCH_ATTRIBUTE_QUERY = '2'
-SPAWNER_ATTR = '3'
+SPAWNER_ATTRIBUTE = '3'
+SPAWNER_USER_ATTRIBUTE = '4'
+
 DYNAMIC_ATTRIBUTE_METHODS = (SPAWNER_SUBMIT_DATA,
                              LDAP_SEARCH_ATTRIBUTE_QUERY,
-                             SPAWNER_ATTR)
-
+                             SPAWNER_ATTRIBUTE,
+                             SPAWNER_USER_ATTRIBUTE)
 INCREMENT_ATTRIBUTE = '1'
 SEARCH_RESULT_OPERATION_ACTIONS = (INCREMENT_ATTRIBUTE,)
 
@@ -272,13 +274,19 @@ def get_dict_key(input_dict, attr):
     return input_dict[attr]
 
 
+def get_attr(obj, attr):
+    has_attr = hasattr(obj, attr)
+    if not has_attr:
+        return False
+    return getattr(obj, attr)
+
+
 def rec_get_attr(obj, attr):
     attributes = attr.split('.')
     for attr in attributes:
-        has_attr = hasattr(obj, attr)
-        if not has_attr:
+        obj = get_attr(obj, attr)
+        if not obj:
             return False
-        obj = getattr(obj, attr)
     return obj
 
 
@@ -360,28 +368,31 @@ def get_interpolated_dynamic_attributes(logger, sources, dynamic_attributes):
                     and sources[SPAWNER_SUBMIT_DATA]:
                 val = get_dict_key(sources[SPAWNER_SUBMIT_DATA],
                                    attr_key)
-        if attr_val == SPAWNER_ATTR:
-            if SPAWNER_ATTR in sources \
-                    and sources[SPAWNER_ATTR]:
-                val = rec_get_attr(sources[SPAWNER_ATTR],
-                                   attr_key)
+        if attr_val == SPAWNER_ATTRIBUTE:
+            if SPAWNER_ATTRIBUTE in sources \
+                    and sources[SPAWNER_ATTRIBUTE]:
+                val = get_attr(sources[SPAWNER_ATTRIBUTE], attr_key)
+        if attr_val == SPAWNER_USER_ATTRIBUTE:
+            if SPAWNER_USER_ATTRIBUTE in sources \
+                    and sources[SPAWNER_USER_ATTRIBUTE]:
+                val = get_attr(sources[SPAWNER_USER_ATTRIBUTE], attr_key)
         if not val:
-            logger.error("LDAP - Missing {} in {} which is required for {} in"
-                         " get_interpolated_dynamic_attributes".format(
+            logger.error("LDAP - Missing {} in {} which is required for {} in "
+                         "get_interpolated_dynamic_attributes".format(
                              attr_val, sources, attr_key))
             return False
         set_attributes[attr_key] = val
     return set_attributes
 
 
 def update_spawner_attributes(spawner, spawner_attributes):
-    for spawner_attr, spawner_value in spawner_attributes.items():
-        if hasattr(spawner, spawner_attr):
-            attr = getattr(spawner, spawner_attr)
+    for SPAWNER_ATTRIBUTE, spawner_value in spawner_attributes.items():
+        if hasattr(spawner, SPAWNER_ATTRIBUTE):
+            attr = getattr(spawner, SPAWNER_ATTRIBUTE)
             if isinstance(attr, dict):
                 attr.update(spawner_value)
             if isinstance(attr, list) or isinstance(attr, str):
-                setattr(spawner, spawner_attr, spawner_value)
+                setattr(spawner, SPAWNER_ATTRIBUTE, spawner_value)
 
 
 @gen.coroutine
@@ -393,7 +404,6 @@ def hello_hook(spawner):
 @gen.coroutine
 def setup_ldap_entry_hook(spawner):
     instance = LDAP()
-
     # TODO, copy entire default config options dynamically
     instance.dynamic_attributes = copy.deepcopy(instance.dynamic_attributes)
     instance.set_spawner_attributes = copy.deepcopy(
@@ -434,8 +444,7 @@ def setup_ldap_entry_hook(spawner):
                           tuple):
             spawner.log.error("LDAP - submit_spawner_attribute_keys is "
                               "of incorrect type: {} must be a tuple".format(
-                                  type(instance.submit_spawner_attribute_keys
-                                       ))
+                                  type(instance.submit_spawner_attribute_keys))
                               )
             return False
 
@@ -446,8 +455,7 @@ def setup_ldap_entry_hook(spawner):
             spawner.log.error("LDAP - Failed to extract the specified dict "
                               "tuple string: {} from dict: {}".format(
                                   instance.submit_spawner_attribute_keys,
-                                  ldap_data
-                              ))
+                                  ldap_data))
             return False
 
         ldap_data = new_ldap_data
@@ -490,8 +498,7 @@ def setup_ldap_entry_hook(spawner):
         if missing:
             spawner.log.error("LDAP - only found: {} required "
                               "supported objectclasses, missing: {}".format(
-                                  found, missing
-                              ))
+                                  found, missing))
             return False
 
         # Prepare ldap data
@@ -554,8 +561,7 @@ def setup_ldap_entry_hook(spawner):
                              attributes=ALL_ATTRIBUTES)
         if success:
             spawner.log.info("LDAP - {} already exist, response {}".format(
-                ldap_dict, conn_manager.get_response())
-            )
+                ldap_dict, conn_manager.get_response()))
 
             response = conn_manager.get_response()
             if len(response) > 1:
@@ -578,22 +584,23 @@ def setup_ldap_entry_hook(spawner):
             # Extract attributes from existing object
             sources = {LDAP_SEARCH_ATTRIBUTE_QUERY: attributes,
                        SPAWNER_SUBMIT_DATA: ldap_dict,
-                       SPAWNER_ATTR: spawner}
+                       SPAWNER_ATTRIBUTE: spawner,
+                       SPAWNER_USER_ATTRIBUTE: spawner.user}
             spawner.log.debug("LDAP - dynamic_attributes "
                               "pre interpolated: {}".format(
-                                  instance.dynamic_attributes
-                              ))
+                                  instance.dynamic_attributes))
             prepared_dynamic_attributes = get_interpolated_dynamic_attributes(
-                spawner.log, sources, instance.dynamic_attributes
-            )
+                spawner.log, sources, instance.dynamic_attributes)
 
             if instance.dynamic_attributes and not prepared_dynamic_attributes:
                 spawner.log.error("LDAP - Failed to setup prepared_attributes:"
                                   " {} with attribute_dict: {}".format(
                                       prepared_dynamic_attributes,
-                                      attributes
-                                  ))
+                                      attributes))
                 return False
+            spawner.log.debug("LDAP - dynamic_attributes "
+                              "post interpolated: {}".format(
+                                  prepared_dynamic_attributes))
             # Setup set_spawner_attributes
             recursive_format(instance.set_spawner_attributes,
                              prepared_dynamic_attributes)
@@ -659,19 +666,21 @@ def setup_ldap_entry_hook(spawner):
 
         # Prepare required dynamic attributes
         sources.update({SPAWNER_SUBMIT_DATA: ldap_dict,
-                        SPAWNER_ATTR: spawner})
-        spawner.log.debug("LDAP - Sources state before interpolating with "
-                          " dynamic attributes {}".format(sources))
+                        SPAWNER_ATTRIBUTE: spawner,
+                        SPAWNER_USER_ATTRIBUTE: spawner.user})
+        spawner.log.debug(
+            "LDAP - Sources state before interpolation "
+            "with dynamic attributes {}".format(sources))
         prepared_dynamic_attributes = get_interpolated_dynamic_attributes(
-            spawner.log, sources, instance.dynamic_attributes
-        )
+            spawner.log, sources, instance.dynamic_attributes)
+        spawner.log.debug("LDAP - dynamic_attributes "
+                          "post interpolated: {}".format(
+                              prepared_dynamic_attributes))
 
         if instance.dynamic_attributes and not prepared_dynamic_attributes:
             spawner.log.error("LDAP - Failed to setup prepared_attributes:"
                               " {} with attribute_dict: {}".format(
-                                  prepared_dynamic_attributes,
-                                  ldap_dict
-                              ))
+                                  prepared_dynamic_attributes, ldap_dict))
             return False
 
         # Format dn provided variables
@@ -681,11 +690,9 @@ def setup_ldap_entry_hook(spawner):
                          prepared_dynamic_attributes)
 
         spawner.log.debug("LDAP - prepared spawner attributes {}".format(
-            instance.set_spawner_attributes
-        ))
+            instance.set_spawner_attributes))
         spawner.log.debug("LDAP - prepared object attributes {}".format(
-            instance.object_attributes
-        ))
+            instance.object_attributes))
 
         # Add DN
         spawner.log.info("LDAP - submit object: {}, attributes: {} "
@@ -715,14 +722,12 @@ def setup_ldap_entry_hook(spawner):
         search_filter = '(&{}'.format(
             ''.join(['(objectclass={})'.format(object_class)
                      for object_class in
-                     instance.object_classes])
-        )
+                     instance.object_classes]))
 
         search_filter += '{})'.format(
             ''.join(['({}={})'.format(attr_key, attr_val)
                      for attr_key, attr_val in
-                     instance.object_attributes.items()])
-        )
+                     instance.object_attributes.items()]))
         spawner.log.debug("LDAP - search_for, "
                           "search_base {}, search_filter {}".format(
                               search_base, search_filter))
@@ -731,12 +736,10 @@ def setup_ldap_entry_hook(spawner):
                              search_filter)
         if not success:
             spawner.log.error("Failed to find {} at {}".format(
-                (search_base, search_filter), instance.url)
-            )
+                (search_base, search_filter), instance.url))
             return False
         spawner.log.info("LDAP - found {} in {}".format(
-            conn_manager.get_response(), instance.url)
-        )
+            conn_manager.get_response(), instance.url))
 
         # Pass prepared attributes to spawner attributes
         update_spawner_attributes(spawner, instance.set_spawner_attributes)