Projet

Général

Profil

0004-ldap-bind-serverctrls-is-not-used-when-use_controls-.patch

Loïc Dachary, 11 février 2021 16:10

Télécharger (4,71 ko)

Voir les différences: 

Subject: [PATCH 4/4] ldap: bind serverctrls is not used when use_controls is
 false


 src/authentic2/backends/ldap_backend.py | 12 +++++---
 tests/test_ldap.py                      | 37 ++++++++++++++++++++-----
 2 files changed, 38 insertions(+), 11 deletions(-)
src/authentic2/backends/ldap_backend.py
540 540 
        'can_reset_password': False,
541 541 
        # mapping from LDAP attributes to User attributes
542 542 
        'user_attributes': [],
543 
        # https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap.html#ldap-controls
544 
        'use_controls': True,
543 545 
    }
544 546 
    _REQUIRED = ('url', 'basedn')
545 547 
    _TO_ITERABLE = ('url', 'groupsu', 'groupstaff', 'groupactive')
......
672 674 
                        if failed:
673 675 
                            continue
674 676 
                        try:
675 
                            results = conn.simple_bind_s(authz_id, password, serverctrls=[
676 
                                ppolicy.PasswordPolicyControl()
677 
                            ])
677 
                            if block.get('use_controls'):
678 
                                serverctrls = [ppolicy.PasswordPolicyControl()]
679 
                            else:
680 
                                serverctrls = []
681 
                            results = conn.simple_bind_s(authz_id, password, serverctrls=serverctrls)
678 682 
                            self.process_controls(request, authz_id, results[3])
679 683 
                            user_login_success(authz_id)
680 684 
                            if not block['connect_with_user_credentials']:
......
685 689 
                                    raise ldap.SERVER_DOWN
686 690 
                            break
687 691 
                        except ldap.INVALID_CREDENTIALS as e:
688 
                            if len(e.args) > 0 and 'ctrls' in e.args[0]:
692 
                            if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
689 693 
                                self.process_controls(request, authz_id, DecodeControlTuples(e.args[0]['ctrls']))
690 694 
                            user_login_failure(authz_id)
691 695 
                            pass
tests/test_ldap.py
951 951 
    assert 'account is locked' in str(response.pyquery('.messages'))
952 952 

  		




  953
  953
  
    

  		




  954
  
  
    
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog):

  		




  955
  
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  956
  
  
    
        'url': [slapd_ppolicy.ldap_url],

  		




  957
  
  
    
        'basedn': u'o=ôrga',

  		




  958
  
  
    
        'use_tls': False,

  		




  959
  
  
    
    }]

  		




  960
  
  
    

  		




  
  954
  
    
def ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog):

  		




  961
  955
  
    
    pwdMaxFailure = 2

  		




  962
  956
  
    
    slapd_ppolicy.add_ldif('''

  		




  963
  957
  
    
dn: cn=default,ou=ppolicies,o=ôrga

  		




  ......




  987
  981
  
    
    for _ in range(pwdMaxFailure):

  		




  988
  982
  
    
        assert authenticate(username=USERNAME, password='incorrect') is None

  		




  989
  983
  
    
        assert "failed to login" in caplog.text

  		




  
  984
  
    

  		




  
  985
  
    

  		




  
  986
  
    
def test_authenticate_ppolicy_pwdMaxFailure(slapd_ppolicy, settings, db, caplog):

  		




  
  987
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  
  988
  
    
        'url': [slapd_ppolicy.ldap_url],

  		




  
  989
  
    
        'basedn': u'o=ôrga',

  		




  
  990
  
    
        'use_tls': False,

  		




  
  991
  
    
    }]

  		




  
  992
  
    

  		




  
  993
  
    
    ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)

  		




  990
  994
  
    
    assert 'account is locked' not in caplog.text

  		




  991
  995
  
    
    assert authenticate(username=USERNAME, password='incorrect') is None

  		




  992
  996
  
    
    assert 'account is locked' in caplog.text

  		




  993
  997
  
    

  		




  994
  998
  
    

  		




  
  999
  
    
def test_do_not_use_controls(slapd_ppolicy, settings, db, caplog):

  		




  
  1000
  
    
    """

  		




  
  1001
  
    
    Same as test_authenticate_ppolicy_pwdMaxFailure but with use_controls

  		




  
  1002
  
    
    deactivated and therefore not logging when an account is locked.

  		




  
  1003
  
    
    """

  		




  
  1004
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  
  1005
  
    
        'url': [slapd_ppolicy.ldap_url],

  		




  
  1006
  
    
        'basedn': u'o=ôrga',

  		




  
  1007
  
    
        'use_tls': False,

  		




  
  1008
  
    
        'use_controls': False,

  		




  
  1009
  
    
    }]

  		




  
  1010
  
    

  		




  
  1011
  
    
    ppolicy_authenticate_exactly_pwdMaxFailure(slapd_ppolicy, caplog)

  		




  
  1012
  
    
    assert 'account is locked' not in caplog.text

  		




  
  1013
  
    
    assert authenticate(username=USERNAME, password='incorrect') is None

  		




  
  1014
  
    
    # this following line is the difference with test_authenticate_ppolicy_pwdMaxFailure

  		




  
  1015
  
    
    assert 'account is locked' not in caplog.text

  		




  
  1016
  
    

  		




  
  1017
  
    

  		




  995
  1018
  
    
def test_authenticate_ppolicy_pwdGraceAuthnLimit(slapd_ppolicy, settings, db, caplog):

  		




  996
  1019
  
    
    settings.LDAP_AUTH_SETTINGS = [{

  		




  997
  1020
  
    
        'url': [slapd_ppolicy.ldap_url],

  		




  998
  
  
    
-