1 |
1 |
# -*- coding: utf-8 -*-
|
|
2 |
#
|
|
3 |
# Copyright (C) 2017-2019 Entr'ouvert
|
|
4 |
#
|
|
5 |
# This program is free software: you can redistribute it and/or modify it
|
|
6 |
# under the terms of the GNU Affero General Public License as published
|
|
7 |
# by the Free Software Foundation, either version 3 of the License, or
|
|
8 |
# (at your option) any later version.
|
|
9 |
#
|
|
10 |
# This program is distributed in the hope that it will be useful,
|
|
11 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
12 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
13 |
# GNU Affero General Public License for more details.
|
|
14 |
#
|
|
15 |
# You should have received a copy of the GNU Affero General Public License
|
|
16 |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
17 |
|
2 |
18 |
import os
|
3 |
19 |
|
4 |
20 |
import pytest
|
... | ... | |
6 |
22 |
|
7 |
23 |
import ldap
|
8 |
24 |
from ldap.dn import escape_dn_chars
|
9 |
|
import ldap
|
10 |
25 |
|
11 |
26 |
from ldaptools.slapd import Slapd, has_slapd
|
12 |
27 |
from django.contrib.auth import get_user_model
|
... | ... | |
18 |
33 |
from authentic2.a2_rbac.utils import get_default_ou
|
19 |
34 |
from django_rbac.utils import get_ou_model
|
20 |
35 |
from authentic2.backends import ldap_backend
|
21 |
|
from authentic2 import crypto
|
|
36 |
from authentic2 import crypto, models
|
22 |
37 |
|
23 |
38 |
import utils
|
24 |
39 |
|
|
40 |
User = get_user_model()
|
|
41 |
|
25 |
42 |
pytestmark = pytest.mark.skipunless(has_slapd(), reason='slapd is not installed')
|
26 |
43 |
|
27 |
44 |
USERNAME = u'etienne.michu'
|
... | ... | |
97 |
114 |
conn.simple_bind_s(DN, PASS)
|
98 |
115 |
|
99 |
116 |
|
100 |
|
@pytest.mark.django_db
|
101 |
|
def test_simple(slapd, settings, client):
|
|
117 |
def test_simple(slapd, settings, client, db):
|
102 |
118 |
settings.LDAP_AUTH_SETTINGS = [{
|
103 |
119 |
'url': [slapd.ldap_url],
|
104 |
120 |
'basedn': u'o=ôrga',
|
... | ... | |
109 |
125 |
'password': PASS}, follow=True)
|
110 |
126 |
assert result.status_code == 200
|
111 |
127 |
assert 'Étienne Michu' in str(result)
|
112 |
|
User = get_user_model()
|
113 |
128 |
assert User.objects.count() == 1
|
114 |
129 |
user = User.objects.get()
|
115 |
130 |
assert user.username == u'%s@ldap' % USERNAME
|
... | ... | |
138 |
153 |
'password': PASS}, follow=True)
|
139 |
154 |
assert result.status_code == 200
|
140 |
155 |
assert 'Étienne Michu' in str(result)
|
141 |
|
User = get_user_model()
|
142 |
156 |
assert User.objects.count() == 1
|
143 |
157 |
user = User.objects.get()
|
144 |
158 |
assert user.username == u'%s@ldap' % USERNAME
|
... | ... | |
152 |
166 |
assert not user.check_password(PASS)
|
153 |
167 |
assert 'password' not in client.session['ldap-data']
|
154 |
168 |
|
155 |
|
@pytest.mark.django_db
|
156 |
|
def test_double_login(slapd, simple_user, settings, app):
|
|
169 |
|
|
170 |
def test_double_login(slapd, simple_user, settings, app, db):
|
157 |
171 |
settings.LDAP_AUTH_SETTINGS = [{
|
158 |
172 |
'url': [slapd.ldap_url],
|
159 |
173 |
'basedn': u'o=ôrga',
|
... | ... | |
165 |
179 |
utils.login(app, UID, password=PASS, path='/admin/')
|
166 |
180 |
|
167 |
181 |
|
168 |
|
@pytest.mark.django_db
|
169 |
|
def test_keep_password_in_session(slapd, settings, client):
|
|
182 |
def test_keep_password_in_session(slapd, settings, client, db):
|
170 |
183 |
settings.LDAP_AUTH_SETTINGS = [{
|
171 |
184 |
'url': [slapd.ldap_url],
|
172 |
185 |
'basedn': u'o=ôrga',
|
... | ... | |
178 |
191 |
'password': PASS.decode('utf-8')}, follow=True)
|
179 |
192 |
assert result.status_code == 200
|
180 |
193 |
assert 'Étienne Michu' in str(result)
|
181 |
|
User = get_user_model()
|
182 |
194 |
assert User.objects.count() == 1
|
183 |
195 |
user = User.objects.get()
|
184 |
196 |
assert user.username == u'%s@ldap' % USERNAME
|
... | ... | |
207 |
219 |
'password': PASS}, follow=True)
|
208 |
220 |
assert result.status_code == 200
|
209 |
221 |
assert 'Étienne Michu' in str(result)
|
210 |
|
User = get_user_model()
|
211 |
222 |
assert User.objects.count() == 1
|
212 |
223 |
user = User.objects.get()
|
213 |
224 |
assert user.username == u'%s@ldap' % USERNAME
|
... | ... | |
217 |
228 |
assert not user.check_password(PASS)
|
218 |
229 |
|
219 |
230 |
|
220 |
|
@pytest.mark.django_db
|
221 |
|
def test_wrong_ou(slapd, settings, client):
|
|
231 |
def test_wrong_ou(slapd, settings, client, db):
|
222 |
232 |
settings.LDAP_AUTH_SETTINGS = [{
|
223 |
233 |
'url': [slapd.ldap_url],
|
224 |
234 |
'basedn': u'o=ôrga',
|
... | ... | |
246 |
256 |
assert formatter.format('uid={uid}', uid=['john doé!#$"\'-_']) == 'uid=john doé!#$\\"\'-_'
|
247 |
257 |
|
248 |
258 |
|
249 |
|
@pytest.mark.django_db
|
250 |
|
def test_group_mapping(slapd, settings, client):
|
|
259 |
def test_group_mapping(slapd, settings, client, db):
|
251 |
260 |
from django.contrib.auth.models import Group
|
252 |
261 |
|
253 |
262 |
settings.LDAP_AUTH_SETTINGS = [{
|
... | ... | |
268 |
277 |
assert response.context['user'].groups.count() == 1
|
269 |
278 |
|
270 |
279 |
|
271 |
|
@pytest.mark.django_db
|
272 |
|
def test_posix_group_mapping(slapd, settings, client):
|
|
280 |
def test_posix_group_mapping(slapd, settings, client, db):
|
273 |
281 |
from django.contrib.auth.models import Group
|
274 |
282 |
|
275 |
283 |
settings.LDAP_AUTH_SETTINGS = [{
|
... | ... | |
291 |
299 |
assert response.context['user'].groups.count() == 1
|
292 |
300 |
|
293 |
301 |
|
294 |
|
@pytest.mark.django_db
|
295 |
|
def test_group_to_role_mapping(slapd, settings, client):
|
|
302 |
def test_group_to_role_mapping(slapd, settings, client, db):
|
296 |
303 |
from authentic2.a2_rbac.models import Role
|
297 |
304 |
|
298 |
305 |
Role.objects.get_or_create(name='Role1')
|
... | ... | |
311 |
318 |
assert response.context['user'].roles.count() == 1
|
312 |
319 |
|
313 |
320 |
|
314 |
|
@pytest.mark.django_db
|
315 |
|
def test_posix_group_to_role_mapping(slapd, settings, client):
|
|
321 |
def test_posix_group_to_role_mapping(slapd, settings, client, db):
|
316 |
322 |
from authentic2.a2_rbac.models import Role
|
317 |
323 |
|
318 |
324 |
Role.objects.get_or_create(name='Role2')
|
... | ... | |
332 |
338 |
assert response.context['user'].roles.count() == 1
|
333 |
339 |
|
334 |
340 |
|
335 |
|
@pytest.mark.django_db
|
336 |
|
def test_group_su(slapd, settings, client):
|
|
341 |
def test_group_su(slapd, settings, client, db):
|
337 |
342 |
from django.contrib.auth.models import Group
|
338 |
343 |
|
339 |
344 |
settings.LDAP_AUTH_SETTINGS = [{
|
... | ... | |
351 |
356 |
assert not response.context['user'].is_staff
|
352 |
357 |
|
353 |
358 |
|
354 |
|
@pytest.mark.django_db
|
355 |
|
def test_group_staff(slapd, settings, client):
|
|
359 |
def test_group_staff(slapd, settings, client, db):
|
356 |
360 |
from django.contrib.auth.models import Group
|
357 |
361 |
|
358 |
362 |
settings.LDAP_AUTH_SETTINGS = [{
|
... | ... | |
370 |
374 |
assert not response.context['user'].is_superuser
|
371 |
375 |
|
372 |
376 |
|
373 |
|
@pytest.mark.django_db
|
374 |
|
def test_get_users(slapd, settings):
|
|
377 |
def test_get_users(slapd, settings, db):
|
375 |
378 |
import django.db.models.base
|
376 |
379 |
from types import MethodType
|
377 |
380 |
|
378 |
|
User = get_user_model()
|
379 |
381 |
settings.LDAP_AUTH_SETTINGS = [{
|
380 |
382 |
'url': [slapd.ldap_url],
|
381 |
383 |
'basedn': u'o=ôrga',
|
... | ... | |
434 |
436 |
save.reset_mock()
|
435 |
437 |
bulk_create.reset_mock()
|
436 |
438 |
u = ldap_backend.LDAPUser.objects.create(username=UID.capitalize())
|
437 |
|
eid = ldap_backend.UserExternalId.objects.create(external_id=UID.capitalize(),
|
438 |
|
source='ldap', user=u)
|
|
439 |
ldap_backend.UserExternalId.objects.create(external_id=UID.capitalize(),
|
|
440 |
source='ldap', user=u)
|
439 |
441 |
# set user login time as if he logged in
|
440 |
|
user = ldap_backend.LDAPUser.objects.get(username='%s@ldap'%UID)
|
|
442 |
user = ldap_backend.LDAPUser.objects.get(username='%s@ldap' % UID)
|
441 |
443 |
user.last_login = timezone.now()
|
442 |
444 |
user.save()
|
443 |
445 |
assert ldap_backend.LDAPUser.objects.count() == 102
|
... | ... | |
445 |
447 |
assert len(users) == 101
|
446 |
448 |
assert ldap_backend.LDAPUser.objects.filter(username='%s' % UID.capitalize()).count() == 0
|
447 |
449 |
|
448 |
|
@pytest.mark.django_db
|
449 |
|
def test_set_mandatory_roles(slapd, settings):
|
|
450 |
|
|
451 |
def test_set_mandatory_roles(slapd, settings, db):
|
450 |
452 |
from authentic2.a2_rbac.models import Role
|
451 |
453 |
|
452 |
454 |
Role.objects.get_or_create(name='tech')
|
453 |
455 |
Role.objects.get_or_create(name='admin')
|
454 |
|
User = get_user_model()
|
455 |
456 |
settings.LDAP_AUTH_SETTINGS = [{
|
456 |
457 |
'url': [slapd.ldap_url],
|
457 |
458 |
'basedn': u'o=ôrga',
|
... | ... | |
468 |
469 |
assert User.objects.first().roles.count() == 2
|
469 |
470 |
|
470 |
471 |
|
471 |
|
@pytest.mark.django_db
|
472 |
|
def test_nocreate_mandatory_roles(slapd, settings):
|
473 |
|
User = get_user_model()
|
|
472 |
def test_nocreate_mandatory_roles(slapd, settings, db):
|
474 |
473 |
settings.LDAP_AUTH_SETTINGS = [{
|
475 |
474 |
'url': [slapd.ldap_url],
|
476 |
475 |
'basedn': u'o=ôrga',
|
... | ... | |
542 |
541 |
'basedn': u'o=ôrga',
|
543 |
542 |
'use_tls': False,
|
544 |
543 |
}]
|
545 |
|
User = get_user_model()
|
546 |
544 |
assert User.objects.count() == 0
|
547 |
545 |
# first login
|
548 |
546 |
response = app.get('/login/')
|
... | ... | |
590 |
588 |
'use_tls': False,
|
591 |
589 |
'user_can_change_password': False,
|
592 |
590 |
}]
|
593 |
|
User = get_user_model()
|
594 |
591 |
assert User.objects.count() == 0
|
595 |
592 |
# first login
|
596 |
593 |
response = app.get('/login/')
|
597 |
|
-
|
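Review bot: The module-level `pytestmark = pytest.mark.skipunless(has_slapd(), reason='slapd is not installed')`, kept as context at new line 42, uses a name that is not one of pytest's built-in marks. Unless the project's conftest handles a `skipunless` marker (not visible on this page), it is an inert label, so these LDAP authentication tests would still run and error in the `slapd` fixture on hosts without slapd instead of being skipped. Since this commit already reworks the module preamble, consider `pytestmark = pytest.mark.skipif(not has_slapd(), reason='slapd is not installed')`. Separately, the new `from authentic2 import crypto, models` at new line 36 has no visible use of `models` in the shown hunks; drop it if nothing else in the file needs it.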