0001-ldap-enable-check-hostname-only-for-python-ldap-3.4-.patch
| passerelle/apps/ldap/models.py | ||
|---|---|---|
| 34 | 34 | |
| 35 | 35 |
from . import forms |
| 36 | 36 | |
| 37 |
LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN') # only in python-ldap >= 3.4.0 |
|
| 38 | ||
| 37 | 39 |
SEARCH_OP_SUBSTRING = 'substring' |
| 38 | 40 |
SEARCH_OP_PREFIX = 'prefix' |
| 39 | 41 |
SEARCH_OP_APPROX = 'approx' |
| ... | ... | |
| 70 | 72 |
verbose_name=_('TLS check hostname'),
|
| 71 | 73 |
default=True, |
| 72 | 74 |
blank=True, |
| 75 |
help_text=None |
|
| 76 |
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN |
|
| 77 |
else _('Warning: this option is actually not supported (python-ldap < 3.4)'),
|
|
| 73 | 78 |
) |
| 74 | 79 |
ldap_tls_check_cert = models.BooleanField( |
| 75 | 80 |
verbose_name=_('TLS check certificate'),
|
| ... | ... | |
| 123 | 128 |
conn = ldap.initialize(self.ldap_url) |
| 124 | 129 |
conn.set_option(ldap.OPT_TIMEOUT, 5) |
| 125 | 130 |
conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5) |
| 126 |
if self.ldap_tls_check_hostname: |
|
| 127 |
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND) |
|
| 128 |
else: |
|
| 129 |
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER) |
|
| 131 |
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN: |
|
| 132 |
if self.ldap_tls_check_hostname: |
|
| 133 |
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND) |
|
| 134 |
else: |
|
| 135 |
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER) |
|
| 130 | 136 |
if self.ldap_tls_check_cert: |
| 131 | 137 |
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND) |
| 132 | 138 |
else: |
| tests/ldap/test_manager.py | ||
|---|---|---|
| 41 | 41 | |
| 42 | 42 |
def test_add(app, db, cert_content, key_content, resource_class): |
| 43 | 43 |
response = app.get('/manage/ldap/add')
|
| 44 |
assert 'this option is actually not supported' in response.text |
|
| 44 | 45 |
response.form.set('slug', 'resource')
|
| 45 | 46 |
response.form.set('title', 'resource')
|
| 46 | 47 |
response.form.set('description', 'resource')
|
| ... | ... | |
| 101 | 102 |
response = response.form.submit(status=200) |
| 102 | 103 | |
| 103 | 104 | |
| 105 |
def test_python_ldap_32(app, db): |
|
| 106 |
response = app.get('/manage/ldap/add')
|
|
| 107 |
assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text |
|
| 108 | ||
| 109 | ||
| 104 | 110 |
EXPORT_JSON = {
|
| 105 | 111 |
'resources': [ |
| 106 | 112 |
{
|
| tests/ldap/test_search_endpoint.py | ||
|---|---|---|
| 68 | 68 |
'id_attribute': 'uid', |
| 69 | 69 |
}, |
| 70 | 70 |
) |
| 71 |
assert response.json == {
|
|
| 72 |
'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}],
|
|
| 73 |
'err': 1, |
|
| 74 |
'err_class': 'directory-server-unavailable', |
|
| 75 |
'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", '
|
|
| 76 |
"'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not " |
|
| 77 |
"connected'}", |
|
| 78 |
} |
|
| 71 |
assert response.json['err'] == 1 |
|
| 72 |
assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}]
|
|
| 73 |
assert response.json['err_class'] == 'directory-server-unavailable' |
|
| 74 |
assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc'] |
|
| 75 |
assert "'errno': 107" in response.json['err_desc'] |
|
| 76 |
assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc'] |
|
| 79 | 77 | |
| 80 | 78 | |
| 81 | 79 |
def test_q(app, resource, ldap_server): |
| tox.ini | ||
|---|---|---|
| 47 | 47 |
zeep<3.3 |
| 48 | 48 |
codestyle: pre-commit |
| 49 | 49 |
ldaptools |
| 50 |
python-ldap<=3.2 # align with Debian <= 11 (buster, bullseye) |
|
| 50 | 51 |
commands = |
| 51 | 52 |
./get_wcs.sh |
| 52 | 53 |
py.test {posargs: --numprocesses {env:NUMPROCESSES:1} --dist loadfile {env:FAST:} {env:COVERAGE:} {env:JUNIT:} tests/}
|
| 53 |
- |
|