0005-ldap-handle-ppolicy-control-changing-reseting-passwo.patch

Benjamin Renard, 22 septembre 2022 18:24

Voir les différences: en ligne côte à côte

Subject: [PATCH 5/5] ldap: handle ppolicy control changing/reseting password

 src/authentic2/backends/ldap_backend.py | 51 ++++++++++++++++++++++---
 tests/test_ldap.py                      |  6 +--
 2 files changed, 48 insertions(+), 9 deletions(-)

             return blocks
         @classmethod
         def process_controls(cls, request, block, conn, authz_id, ctrls):
         def process_bind_controls(cls, request, block, conn, authz_id, ctrls):
             attributes = cls.get_ppolicy_attributes(block, conn, authz_id)
             for c in ctrls:
                 if c.controlType == ppolicy.PasswordPolicyControl.controlType:
-...
                     message = str(vars(c))
                 log.info('ldap: bind error with authz_id "%s" -> "%s"', authz_id, message)
         @classmethod
         def process_modify_password_controls(cls, block, conn, authz_id, ctrls):
             attributes = cls.get_ppolicy_attributes(block, conn, authz_id)
             errors = []
             for c in ctrls:
                 if c.controlType == ppolicy.PasswordPolicyControl.controlType:
                     message = ' '.join(password_policy_control_messages(c, attributes))
                 else:
                     message = str(vars(c))
                 log.info('ldap: fail to modify password of "%s" -> "%s"', authz_id, message)
                 errors.append(message)
             raise PasswordChangeError(' '.join(errors))
         @classmethod
         def check_group_to_role_mappings(cls, block):
             group_to_role_mapping = block.get('group_to_role_mapping')
-...
                                 else:
                                     serverctrls = []
                                 results = conn.simple_bind_s(authz_id, password, serverctrls=serverctrls)
                                 self.process_controls(request, block, conn, authz_id, results[3])
                                 self.process_bind_controls(request, block, conn, authz_id, results[3])
                                 user_login_success(authz_id)
                                 if not block['connect_with_user_credentials']:
                                     try:
-...
                                 break
                             except ldap.INVALID_CREDENTIALS as e:
                                 if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
                                     self.process_controls(
                                     self.process_bind_controls(
                                         request, block, conn, authz_id, DecodeControlTuples(e.args[0]['ctrls'])
+                                    )
                                 success, error = self.bind(block, conn)
-...
         def modify_password(cls, conn, block, dn, old_password, new_password):
             '''Change user password with adaptation for Active Directory'''
             if old_password is not None and (block['use_password_modify'] and not block['active_directory']):
                 conn.passwd_s(dn, old_password, new_password)
                 try:
                     if block.get('use_controls'):
                         serverctrls = [ppolicy.PasswordPolicyControl()]
                     else:
                         serverctrls = []
                     results = conn.passwd_s(dn, old_password, new_password, serverctrls=serverctrls)
                     cls.process_modify_password_controls(block, conn, dn, results[3])
                 except ldap.LDAPError as e:
                     if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
                         cls.process_modify_password_controls(
                             block, conn, dn, DecodeControlTuples(e.args[0]['ctrls'])
+                        )
                     raise
             else:
                 modlist = []
                 if block['active_directory']:
-...
                         modlist = [(ldap.MOD_REPLACE, key, [value])]
                 else:
                     key = 'userPassword'
                     modlist = [(ldap.MOD_REPLACE, key, [new_password])]
                 conn.modify_s(dn, modlist)
                     modlist = [(ldap.MOD_REPLACE, key, [new_password.encode('utf-8')])]
                 try:
                     if block.get('use_controls'):
                         serverctrls = [ppolicy.PasswordPolicyControl()]
                     else:
                         serverctrls = []
                     results = conn.modify_ext_s(dn, modlist, serverctrls=serverctrls)
                     cls.process_modify_password_controls(block, conn, dn, results[3])
                 except ldap.LDAPError as e:
                     if block.get('use_controls') and len(e.args) > 0 and 'ctrls' in e.args[0]:
                         cls.process_modify_password_controls(
                             block, conn, dn, DecodeControlTuples(e.args[0]['ctrls'])
+                        )
                     raise
             log.debug('modified password for dn %r', dn)
         @classmethod

             '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+        )
         def patched_process_controls(cls, request, block, conn, authz_id, ctrls):
         def patched_process_bind_controls(cls, request, block, conn, authz_id, ctrls):
             raise exception[0]('oops')
         monkeypatch.setattr(
             ldap_backend.LDAPBackend,
             'process_controls',
             patched_process_controls,
             'process_bind_controls',
             patched_process_bind_controls,
+        )
         client.post(
             '/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0005-ldap-handle-ppolicy-control-changing-reseting-passwo.patch