0001-ldap-enable-check-hostname-only-for-python-ldap-3.4-.patch
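--- a/passerelle/apps/ldap/models.py
+++ b/passerelle/apps/ldap/models.py
@@ -34,6 +34,8 @@
 
 from . import forms
 
+LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN') # only in python-ldap >= 3.4.0
+
 SEARCH_OP_SUBSTRING = 'substring'
 SEARCH_OP_PREFIX = 'prefix'
 SEARCH_OP_APPROX = 'approx'
@@ -70,6 +72,9 @@
 verbose_name=_('TLS check hostname'),
 default=True,
 blank=True,
+help_text=None
+if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN
+else _('Warning: this option is actually not supported (python-ldap < 3.4)'),
 )
 ldap_tls_check_cert = models.BooleanField(
 verbose_name=_('TLS check certificate'),
@@ -123,10 +128,11 @@
 conn = ldap.initialize(self.ldap_url)
 conn.set_option(ldap.OPT_TIMEOUT, 5)
 conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
-if self.ldap_tls_check_hostname:
-conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
-else:
-conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
+if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:
+if self.ldap_tls_check_hostname:
+conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
+else:
+conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
 if self.ldap_tls_check_cert:
 conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
 else: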
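Review bot: The new `if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:` guard in the connection setup (new lines 131-135) silently skips the SAN requirement on python-ldap < 3.4 even when `ldap_tls_check_hostname` is True — and True is the field's default — so a running service gives no sign that the check an operator enabled is not applied; only someone opening the admin form sees the new help text. A connect-time trace would make the downgrade visible where it matters, e.g. an `elif self.ldap_tls_check_hostname:` branch that logs `'TLS check hostname is enabled but not supported by this python-ldap (< 3.4)'` (presumably via the resource's logger, as other passerelle connectors do — verify). Note also that `hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN')` only proves the Python binding exposes the constant; whether the linked libldap honours the option is not checked here. In the help text, "actually not supported" reads as a calque of the French "actuellement"; "currently not supported" is the intended meaning, though the tests assert the exact string. The enclosing method starts and ends outside the hunk.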
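--- a/tests/ldap/test_manager.py
+++ b/tests/ldap/test_manager.py
@@ -41,6 +41,7 @@
 
 def test_add(app, db, cert_content, key_content, resource_class):
 response = app.get('/manage/ldap/add')
+assert 'this option is actually not supported' in response.text
 response.form.set('slug', 'resource')
 response.form.set('title', 'resource')
 response.form.set('description', 'resource')
@@ -101,6 +102,11 @@
 response = response.form.submit(status=200)
 
 
+def test_python_ldap_32(app, db):
+response = app.get('/manage/ldap/add')
+assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text
+
+
 EXPORT_JSON = {
 'resources': [
 {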
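Review bot: Both the assertion added to `test_add` (new line 44) and `test_python_ldap_32` (new lines 105-107) require the "< 3.4" warning to be present, so the suite only passes against python-ldap < 3.4 (the tox pin `python-ldap<=3.2` in this same commit) and nothing exercises the branch where `OPT_X_TLS_REQUIRE_SAN` is actually set. The duplicate in `test_add` can be dropped, and the dedicated test should document the condition rather than fail on a newer library: put `@pytest.mark.skipif(LDAP_HAS_OPT_X_TLS_REQUIRE_SAN, reason='python-ldap >= 3.4 supports OPT_X_TLS_REQUIRE_SAN')` above `def test_python_ldap_32(app, db):`, importing the flag from `passerelle.apps.ldap.models` (assuming `pytest` is already imported in this module — verify). A counterpart test that runs when the flag is True and checks `set_option` is called with `OPT_X_TLS_REQUIRE_SAN`/`OPT_X_TLS_DEMAND` would cover the supported path, which is the one that carries the security property. `test_add` continues past the end of the first hunk.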
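--- a/tests/ldap/test_search_endpoint.py
+++ b/tests/ldap/test_search_endpoint.py
@@ -68,14 +68,12 @@
 'id_attribute': 'uid',
 },
 )
-assert response.json == {
-'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}],
-'err': 1,
-'err_class': 'directory-server-unavailable',
-'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", '
-"'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not "
-"connected'}",
-}
+assert response.json['err'] == 1
+assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}]
+assert response.json['err_class'] == 'directory-server-unavailable'
+assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc']
+assert "'errno': 107" in response.json['err_desc']
+assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc']
 
 
 def test_q(app, resource, ldap_server):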
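Review bot: The loosened assertions at new lines 74-75 still pin `'errno': 107` and the literal "Transport endpoint is not connected", which are the Linux/glibc values for ENOTCONN, so the test stays platform-specific even though the exact-dict comparison was dropped to tolerate library differences. Use the symbolic constant for the number, `assert f"'errno': {errno.ENOTCONN}" in response.json['err_desc']` (with `import errno` at the top of the module), and consider dropping the `'info'` check, which mirrors the C library's strerror text rather than anything this code produces. Independently, these asserts show that `err_desc` carries the repr of the raw python-ldap error dict (result code, errno, transport message) back to the API caller; whether exposing that much library internals to clients is intended is worth confirming against the project's error-reporting conventions. The enclosing test function starts before the hunk.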
tox.ini | ||
47 | 47 |
zeep<3.3 |
48 | 48 |
codestyle: pre-commit |
49 | 49 |
ldaptools |
50 |
python-ldap<=3.2 # align with Debian <= 11 (buster, bullseye) |
|
50 | 51 |
commands = |
51 | 52 |
./get_wcs.sh |
52 | 53 |
py.test {posargs: --numprocesses {env:NUMPROCESSES:1} --dist loadfile {env:FAST:} {env:COVERAGE:} {env:JUNIT:} tests/} |
53 |
- |