From de94d98293ec26ae8fa5a50dd4835b1220f67741 Mon Sep 17 00:00:00 2001
From: frekk <frekk@ucc.asn.au>
Date: Mon, 6 May 2019 20:38:16 +0800
Subject: [PATCH] logger definition for memberdb, separate django loglevel,
 updated example config

---
 src/gms/settings.py               | 12 ++++++---
 src/gms/settings_local.example.py | 45 ++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 19 deletions(-)

diff --git a/src/gms/settings.py b/src/gms/settings.py
index c86e13f..9dfb8a7 100644
--- a/src/gms/settings.py
+++ b/src/gms/settings.py
@@ -129,24 +129,28 @@ LOGGING = {
 		'django': {
 			'handlers':['logfile', 'console'],
 			'propagate': True,
-			'level': LOG_LEVEL,
+			'level': LOG_LEVEL_DJANGO,
 		},
 		'django.db.backends': {
 			'handlers': ['logfile', 'console'],
-			'level': LOG_LEVEL,
+			'level': LOG_LEVEL_DJANGO,
 			'propagate': False,
 		},
 		'django.contrib.auth': {
 			'handlers': ['logfile', 'console'],
-			'level': LOG_LEVEL,
+			'level': LOG_LEVEL_DJANGO,
 		},
 		'django_auth_ldap': {
-			'level': LOG_LEVEL,
+			'level': LOG_LEVEL_DJANGO,
 			'handlers': ['logfile', 'console'],
 		},
 		'squarepay': {
 			'level': LOG_LEVEL,
 			'handlers': ['logfile', 'console'],
+		},
+		'memberdb': {
+			'level': LOG_LEVEL,
+			'handlers': ['logfile', 'console'],
 		}
 	},
 }
diff --git a/src/gms/settings_local.example.py b/src/gms/settings_local.example.py
index e4d608c..1f5c4a2 100644
--- a/src/gms/settings_local.example.py
+++ b/src/gms/settings_local.example.py
@@ -16,7 +16,7 @@ ADMINS = (
 ### Database connection options ###
 DATABASES = {
 	'default': {
-		'ENGINE': '${DB_ENGINE}',     # Add 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
+		'ENGINE': '${DB_ENGINE}',     # django.db.backends.XXX where XXX is 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
 		# this should end up in uccportal/.db/members.db
 		'NAME': '${DB_NAME}',   # Or path to database file if using sqlite3.
 		'USER': '${DB_USER}',                                 # Not used with sqlite3.
@@ -41,17 +41,12 @@ SECRET_KEY = '${APP_SECRET}'
 ALLOWED_HOSTS = ['${DEPLOY_HOST}']
 
 LOG_LEVEL = 'DEBUG'
+LOG_LEVEL_DJANGO = 'WARNING'
 LOG_FILENAME = os.path.join(ROOT_DIR, "django.log")
 
 import ldap
 from django_auth_ldap.config import LDAPSearch, ActiveDirectoryGroupType, LDAPGroupQuery
 
-# LDAP admin settings
-LDAP_BASE_DN = 'DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
-LDAP_USER_SEARCH_DN = 'CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
-LDAP_BIND_DN = 'CN=uccportal,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
-LDAP_BIND_SECRET = "${LDAP_SECRET}"
-
 # this could be ad.ucc.gu.uwa.edu.au but that doesn't resolve externally -
 # useful for testing, but should be changed in production so failover works
 AUTH_LDAP_SERVER_URI = 'ldaps://ad.ucc.gu.uwa.edu.au'
@@ -61,15 +56,30 @@ AUTH_LDAP_GLOBAL_OPTIONS = {
 	ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
 }
 
-# directly attempt to authenticate users to bind to LDAP
-AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = True
+# LDAP admin settings - NOT for django_auth_ldap
+LDAP_BASE_DN = "DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
+LDAP_USER_SEARCH_DN = 'CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
+
+# settings used by memberdb LDAP backend and django_auth_ldap
+AUTH_LDAP_BIND_DN = "CN=uccportal,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au"
+AUTH_LDAP_BIND_PASSWORD = "${LDAP_SECRET}"
+
+# just for django_auth_ldap
+AUTH_LDAP_BIND_AS_AUTHENTICATING_USER = False
 AUTH_LDAP_ALWAYS_UPDATE_USER = True
 AUTH_LDAP_MIRROR_GROUPS = False
 AUTH_LDAP_GROUP_TYPE = ActiveDirectoryGroupType()
-AUTH_LDAP_FIND_GROUP_PERMS = False
 
+# give user permissions from Django groups corresponding to names of AD groups
+AUTH_LDAP_FIND_GROUP_PERMS = True
+
+# speed it up by not having to search for the username, we can predict the DN
 AUTH_LDAP_USER_DN_TEMPLATE = 'CN=%(user)s,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
 
+# include the search thing anyway, just in case it's needed somewhere...
+AUTH_LDAP_USER_SEARCH = LDAPSearch('CN=%(user)s,CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au',
+	ldap.SCOPE_BASE, "(objectClass=user)")
+
 AUTH_LDAP_GROUP_SEARCH = LDAPSearch("OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au",
 	ldap.SCOPE_SUBTREE, "(objectClass=group)")
 
@@ -81,19 +91,24 @@ AUTH_LDAP_USER_ATTR_MAP = {
 	"email": "email",
 }
 
-ADMIN_ACCESS_QUERY = \
-		LDAPGroupQuery("CN=committee,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au") | \
-		LDAPGroupQuery("CN=door,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au") | \
-		LDAPGroupQuery("CN=wheel,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
+DOOR_GROUP_QUERY = LDAPGroupQuery("CN=door,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
+COMMITTEE_GROUP_QUERY = LDAPGroupQuery("CN=committee,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
+WHEEL_GROUP_QUERY = LDAPGroupQuery("CN=wheel,OU=Groups,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au")
 
+ADMIN_ACCESS_QUERY = COMMITTEE_GROUP_QUERY | DOOR_GROUP_QUERY | WHEEL_GROUP_QUERY
+
+# assign user object flags based on group memberships (independent from permissions)
 AUTH_LDAP_USER_FLAGS_BY_GROUP = {
 	# staff can login to the admin site
 	"is_staff": ADMIN_ACCESS_QUERY,
 
 	# superusers have all permissions (but also need staff to login to admin site)
-	"is_superuser": ADMIN_ACCESS_QUERY,
+	"is_superuser": COMMITTEE_GROUP_QUERY | WHEEL_GROUP_QUERY,
 }
 
+# cache group memberships for 5 minutes
+AUTH_LDAP_CACHE_TIMEOUT = 300
+
 # the Square app and location data (set to sandbox unless you want it to charge people)
 SQUARE_APP_ID = '${SQUARE_APP_ID}'
 SQUARE_LOCATION = '${SQUARE_LOCATION}'
-- 
GitLab