1 |
1 |
# -*- coding: utf-8 -*-
|
|
2 |
import os
|
|
3 |
|
2 |
4 |
import pytest
|
3 |
5 |
import mock
|
4 |
6 |
|
... | ... | |
29 |
31 |
PASS = 'passé'
|
30 |
32 |
EMAIL = 'etienne.michu@example.net'
|
31 |
33 |
|
|
34 |
base_dir = os.path.dirname(__file__)
|
|
35 |
key_file = os.path.join(base_dir, 'key.pem')
|
|
36 |
cert_file = os.path.join(base_dir, 'cert.pem')
|
|
37 |
|
|
38 |
|
|
39 |
@pytest.fixture
|
|
40 |
def slapd():
|
|
41 |
with create_slapd() as s:
|
|
42 |
yield s
|
|
43 |
|
32 |
44 |
|
33 |
45 |
@pytest.fixture
|
34 |
|
def slapd(request):
|
35 |
|
slapd = Slapd()
|
|
46 |
def tls_slapd():
|
|
47 |
with Slapd(ldap_url='ldap://localhost:4389', tls=(key_file, cert_file)) as s:
|
|
48 |
yield create_slapd(s)
|
|
49 |
|
|
50 |
|
|
51 |
def create_slapd(slapd=None):
|
|
52 |
slapd = slapd or Slapd()
|
36 |
53 |
slapd.add_db('o=ôrga')
|
37 |
54 |
slapd.add_ldif('''dn: o=ôrga
|
38 |
55 |
objectClass: organization
|
... | ... | |
72 |
89 |
group_ldif += 'memberUid: michu{i}\n'.format(i=i)
|
73 |
90 |
group_ldif += '\n\n'
|
74 |
91 |
slapd.add_ldif(group_ldif)
|
75 |
|
|
76 |
|
def finalize():
|
77 |
|
slapd.clean()
|
78 |
|
request.addfinalizer(finalize)
|
79 |
92 |
return slapd
|
80 |
93 |
|
81 |
94 |
|
... | ... | |
588 |
601 |
assert 'Password' not in response
|
589 |
602 |
response = app.get('/accounts/password/change/')
|
590 |
603 |
assert response['Location'].endswith('/accounts/')
|
|
604 |
|
|
605 |
|
|
606 |
def test_tls(db, tls_slapd, settings, client):
|
|
607 |
conn = tls_slapd.get_connection_admin()
|
|
608 |
conn.modify_s('cn=config', [
|
|
609 |
(ldap.MOD_ADD, 'olcTLSCACertificateFile', cert_file),
|
|
610 |
(ldap.MOD_ADD, 'olcTLSVerifyClient', 'demand'),
|
|
611 |
])
|
|
612 |
|
|
613 |
# without TLS it does not work
|
|
614 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
615 |
'url': [tls_slapd.ldap_url],
|
|
616 |
'basedn': u'o=ôrga',
|
|
617 |
'use_tls': False,
|
|
618 |
}]
|
|
619 |
result = client.post('/login/', {'login-password-submit': '1',
|
|
620 |
'username': USERNAME,
|
|
621 |
'password': PASS}, follow=True)
|
|
622 |
assert result.status_code == 200
|
|
623 |
assert 'Étienne Michu' not in str(result)
|
|
624 |
assert 'name="username"' in str(result)
|
|
625 |
|
|
626 |
# without TLS client authentication it does not work
|
|
627 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
628 |
'url': [tls_slapd.ldap_url],
|
|
629 |
'basedn': u'o=ôrga',
|
|
630 |
'use_tls': True,
|
|
631 |
'cacertfile': cert_file,
|
|
632 |
}]
|
|
633 |
result = client.post('/login/', {'login-password-submit': '1',
|
|
634 |
'username': USERNAME,
|
|
635 |
'password': PASS}, follow=True)
|
|
636 |
assert result.status_code == 200
|
|
637 |
assert 'Étienne Michu' not in str(result)
|
|
638 |
assert 'name="username"' in str(result)
|
|
639 |
|
|
640 |
# now it works !
|
|
641 |
settings.LDAP_AUTH_SETTINGS = [{
|
|
642 |
'url': [tls_slapd.ldap_url],
|
|
643 |
'basedn': u'o=ôrga',
|
|
644 |
'use_tls': True,
|
|
645 |
'cacertfile': cert_file,
|
|
646 |
'certfile': cert_file,
|
|
647 |
'keyfile': key_file,
|
|
648 |
}]
|
|
649 |
result = client.post('/login/', {'login-password-submit': '1',
|
|
650 |
'username': USERNAME,
|
|
651 |
'password': PASS}, follow=True)
|
|
652 |
assert result.status_code == 200
|
|
653 |
assert 'Étienne Michu' in str(result)
|
|
654 |
assert 'name="username"' not in str(result)
|