gramex: Add additional user details post LDAP Auth and a conditional redirection

Question

Consider a SQLite DB with user table having user_id, first_name, last_name, access_level columns.

After LDAP authentication, I'd like to update current_user object with additional metadata (from sql table) of the user_id.

Now, using this additional information (access_level included), user must be redirected to the view based on access permissions(access_level).

Answer 1

Let's say your sqlite database was called auth.db and was created like this:

$ sqlite3 auth.db
sqlite> CREATE TABLE user (user_id TEXT PRIMARY KEY, first_name TEXT, last_name TEXT, access_level TEXT);
sqlite> INSERT INTO user VALUES ('employee', 'Emp', 'Loyee', 'user');
sqlite> INSERT INTO user VALUES ('manager', 'Man', 'Ager', 'manager');

Construct your gramex.yaml like this:

url:
  # Home page displays the current user object
  home:
    pattern: /$YAMLURL/
    handler: FunctionHandler
    kwargs:
      function: json.dumps(handler.current_user)
  # Login page uses LDAP auth
  login:
    pattern: /$YAMLURL/login
    handler: LDAPAuth
    kwargs:
      # Let's connect to a test server. Login: employee. Password: Secret123
      host: ipa.demo1.freeipa.org
      use_ssl: true
      user: 'uid={user},cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org'
      password: '{password}'
      # After the user logs in, send them to /login-redirect.
      # This will update the current_user with additional metadata and redirect
      redirect:
        url: /$YAMLURL/login-redirect
  # login-redirect sets the user object and redirects to relevant page
  login-redirect:
    pattern: /$YAMLURL/login-redirect
    handler: FunctionHandler
    kwargs:
      function: mymodule.login_redirect(r'$YAMLPATH/auth.db', handler)

This relies on a mymodule.py which looks like this:

import sqlite3
import gramex.cache
import pandas as pd


def login_redirect(db, handler):
    # The LDAP id is like uid=employee,cn=users,...
    ldap_id = handler.current_user['id']
    # Convert this into just the uid, which is "employee"
    user_id = ldap_id.split(',')[0].split('=')[1]

    # Look up the user's ID from the sqlite database
    con = gramex.cache.open(db, sqlite3.connect)
    result = pd.read_sql('SELECT * FROM user WHERE user_id=?', con, params=[user_id])

    # Update the current user with the first entry (assuming it exists)
    handler.current_user.update(result.iloc[0].to_dict())

    # Redirect based on the access level
    access_level = handler.current_user['access_level']
    handler.redirect('.?employee-page' if access_level == 'user' else '.?invalid-page')

To try this:

• Visit /login. you can log into the freeipa demo LDAP server with login employee and password Secret123
• You will be redirected to /login-redirect. This looks up the user ID in auth.db, adds all other attributes into .current_user and redirects based on the access_level