def _create_kinit(authzid=None):
try:
cfg = get_config()
user = cfg["GSSAPIAUTH"]["user"]
password = cfg["GSSAPIAUTH"]["password"]
proc = subprocess.Popen(
["kinit", "--version"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True,
)
output = " ".join(proc.communicate())
if "Heimdal" in output:
# Heimdal Kerberos implementation.
with tempfile.NamedTemporaryFile() as psw_tmp:
psw_tmp.write(password.encode())
psw_tmp.flush()
cmd = ["kinit", "--password-file=%s" % psw_tmp.name, user]
subprocess.check_call(cmd)
else:
# MIT Kerberos implementation.
cmd = 'echo "%s" | kinit %s' % (password, user)
subprocess.check_output(cmd, shell=True)
host = "ldap://%s" % cfg["SERVER"]["hostname"]
client = LDAPClient(host)
client.set_credentials(
"GSSAPI",
cfg["GSSAPIAUTH"]["user"],
cfg["GSSAPIAUTH"]["password"],
None,
authzid,
)
return client.connect()
except subprocess.CalledProcessError:
pytest.fail("Receiving TGT is failed.")
def test_password_modify(client):
"""
Test modifying password with simple modify operation and
password policy.
"""
cli = LDAPClient(client.url)
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli.set_password_policy(True)
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
conn, _ = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordModNotAllowed)
user_dn = "cn=skip,ou=nerdherd,dc=bonsai,dc=test"
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
conn, _ = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordTooShort)
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordInHistory)
def test_add_and_delete_referrals(cfg, ipaddr):
""" Test add and delete an LDAP referral with ManageDdsIT control. """
refdn = bonsai.LDAPDN("o=test-ref,ou=nerdherd,dc=bonsai,dc=test")
ref = "ldap://test.host/cn=nobody"
cli = LDAPClient("ldap://%s" % ipaddr)
cli.set_credentials("SIMPLE",
user=cfg["SIMPLEAUTH"]["user"],
password=cfg["SIMPLEAUTH"]["password"])
cli.managedsait = True
with cli.connect() as conn:
entry = bonsai.LDAPEntry(refdn, conn)
entry["objectClass"] = ["referral", "extensibleObject"]
entry["o"] = "test-ref"
entry["ref"] = ref
conn.add(entry)
res = conn.search(refdn, 0, attrlist=["ref"])[0]
assert entry.dn == res.dn
assert entry["ref"] == res["ref"]
cli.managedsait = False
with cli.connect() as conn:
with pytest.raises(bonsai.LDAPError):
conn.delete(entry.dn)
cli.managedsait = True
with cli.connect() as conn:
conn.delete(entry.dn)
res = conn.search(refdn, 0, attrlist=["ref"])
assert res == []
def _create_binding(auth, mech, authzid=None, realm=None):
cfg = get_config()
host = "ldap://%s" % cfg["SERVER"]["hostname"]
client = LDAPClient(host)
client.set_credentials(mech, cfg[auth]["user"], cfg[auth]["password"],
realm, authzid)
return client.connect()
def _create_kinit(authzid=None):
try:
cfg = get_config()
user = cfg["GSSAPIAUTH"]["user"]
password = cfg["GSSAPIAUTH"]["password"]
proc = subprocess.Popen(
["kinit", "--version"],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
universal_newlines=True,
)
output = " ".join(proc.communicate())
if "Heimdal" in output:
# Heimdal Kerberos implementation.
with tempfile.NamedTemporaryFile() as psw_tmp:
psw_tmp.write(password.encode())
psw_tmp.flush()
cmd = ["kinit", "--password-file=%s" % psw_tmp.name, user]
subprocess.check_call(cmd)
else:
# MIT Kerberos implementation.
cmd = 'echo "%s" | kinit %s' % (password, user)
subprocess.check_output(cmd, shell=True)
host = "ldap://%s" % cfg["SERVER"]["hostname"]
client = LDAPClient(host)
client.set_credentials(
"GSSAPI",
cfg["GSSAPIAUTH"]["user"],
cfg["GSSAPIAUTH"]["password"],
None,
authzid,
)
return client.connect()
except subprocess.CalledProcessError:
pytest.fail("Receiving TGT is failed.")
def test_managedsait(self):
""" Test managedsait property. """
client = LDAPClient(self.url)
self.assertRaises(TypeError, lambda: client.set_managedsait("B"))
self.assertFalse(client.managedsait)
client.managedsait = True
self.assertTrue(client.managedsait)
def test_auto_acquire_prop(self):
""" Test auto_page_acquire property. """
client = LDAPClient(self.url)
self.assertRaises(TypeError, lambda: client.set_auto_page_acquire("A"))
self.assertTrue(client.auto_page_acquire)
client.auto_page_acquire = False
self.assertFalse(client.auto_page_acquire)
def _bind_external(self, authzid):
if 'EXTERNALAUTH' not in self.cfg:
self.skipTest("EXTERNAL authentication is not set.")
if sys.platform == "win32":
self.skipTest("Windows relies on set certs in its cert store.")
tls_impl = bonsai.get_tls_impl_name()
if tls_impl == "GnuTLS" or tls_impl == "OpenSSL":
curdir = os.path.abspath(os.path.dirname(__file__))
cert_path = os.path.join(curdir, 'testenv', 'certs')
cli = LDAPClient(self.host, tls=True)
cli.set_ca_cert(cert_path + '/cacert.pem')
cli.set_client_cert(cert_path + '/client.pem')
cli.set_client_key(cert_path + '/client.key')
cli.set_credentials('EXTERNAL', (authzid,))
try:
conn = cli.connect()
except (bonsai.errors.ConnectionError, \
bonsai.errors.AuthenticationError):
self.fail()
else:
self.assertNotEqual("anonymous", conn.whoami(),
"EXTERNAL authentication was"
" unsuccessful.")
return conn
else:
self.skipTest("")
def _create_binding(auth, mech, authzid=None, realm=None):
cfg = get_config()
host = "ldap://%s" % cfg["SERVER"]["hostname"]
client = LDAPClient(host)
client.set_credentials(
mech, cfg[auth]["user"], cfg[auth]["password"], realm, authzid
)
return client.connect()
def test_ldapurl(self):
""" Test setting LDAPURL. """
url = bonsai.LDAPURL(self.url)
client = LDAPClient(url)
self.assertEqual(client.url, url)
self.assertRaises(TypeError, lambda: LDAPClient(None))
client.url = "ldap://localhost"
self.assertEqual(client.url, "ldap://localhost")
def test_server_chase_referrals(self):
""" Test server_chase_referrals property. """
client = LDAPClient(self.url)
self.assertRaises(TypeError,
lambda: client.set_server_chase_referrals(2))
self.assertTrue(client.server_chase_referrals)
client.server_chase_referrals = False
self.assertFalse(client.server_chase_referrals)
def test_ldapurl(url):
""" Test setting LDAPURL. """
cli = LDAPClient(url)
assert cli.url == url
with pytest.raises(TypeError):
_ = LDAPClient(None)
cli.url = "ldap://localhost"
assert cli.url == "ldap://localhost"
def test_tls_timeout(url):
""" Test TLS connection timeout. """
client = LDAPClient(url, True)
client.set_cert_policy("ALLOW")
client.set_ca_cert(None)
client.set_ca_cert_dir(None)
with network_delay(9.0):
with pytest.raises(bonsai.TimeoutError):
client.connect(timeout=5.0)
def test_client_prop(host_url):
""" Testing client property. """
client = LDAPClient(host_url)
ref = LDAPReference(client, [])
assert ref.client == client
with pytest.raises(TypeError):
ref.client = "b"
ref.client = LDAPClient()
assert ref.client != client
def test_add_and_delete_referrals(cfg, ipaddr):
""" Test add and delete an LDAP referral with ManageDdsIT control. """
refdn = bonsai.LDAPDN("o=test-ref,ou=nerdherd,dc=bonsai,dc=test")
ref = "ldap://test.host/cn=nobody"
cli = LDAPClient("ldap://%s" % ipaddr)
cli.set_credentials(
"SIMPLE", user=cfg["SIMPLEAUTH"]["user"], password=cfg["SIMPLEAUTH"]["password"]
)
cli.managedsait = True
with cli.connect() as conn:
entry = bonsai.LDAPEntry(refdn, conn)
entry["objectClass"] = ["referral", "extensibleObject"]
entry["o"] = "test-ref"
entry["ref"] = ref
conn.add(entry)
res = conn.search(refdn, 0, attrlist=["ref"])[0]
assert entry.dn == res.dn
assert entry["ref"] == res["ref"]
cli.managedsait = False
with cli.connect() as conn:
with pytest.raises(bonsai.LDAPError):
conn.delete(entry.dn)
cli.managedsait = True
with cli.connect() as conn:
conn.delete(entry.dn)
res = conn.search(refdn, 0, attrlist=["ref"])
assert res == []
def test_password_modify(client):
"""
Test modifying password with simple modify operation and
password policy.
"""
cli = LDAPClient(client.url)
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli.set_password_policy(True)
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
conn, _ = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordModNotAllowed)
user_dn = "cn=skip,ou=nerdherd,dc=bonsai,dc=test"
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
conn, _ = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordTooShort)
try:
entry["userPassword"] = "******"
entry.modify()
except Exception as exc:
assert isinstance(exc, bonsai.errors.PasswordInHistory)
def test_password_modify(self):
"""
Test modifing password with simple modify operation and
password policy.
"""
if sys.platform == "win32":
self.skipTest("Cannot use password policy on Windows")
cli = LDAPClient(self.client.url)
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli.set_password_policy(True)
cli.set_credentials("SIMPLE", (user_dn, "p@ssword"))
conn, ctrl = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry['userPassword'] = "******"
entry.modify()
except Exception as exc:
self.assertIsInstance(exc, bonsai.errors.PasswordModNotAllowed)
user_dn = "cn=skip,ou=nerdherd,dc=bonsai,dc=test"
cli.set_credentials("SIMPLE", (user_dn, "p@ssword"))
conn, ctrl = cli.connect()
entry = conn.search(user_dn, 0)[0]
try:
entry['userPassword'] = "******"
entry.modify()
except Exception as exc:
self.assertIsInstance(exc, bonsai.errors.PasswordTooShort)
try:
entry['userPassword'] = "******"
entry.modify()
except Exception as exc:
self.assertIsInstance(exc, bonsai.errors.PasswordInHistory)
def test_wrong_search_param(ipaddr):
""" Test passing wrong parameters for search method. """
with pytest.raises(ClosedConnection):
cli = LDAPClient("ldap://%s" % ipaddr)
LDAPConnection(cli).search()
with pytest.raises(ValueError):
cli = LDAPClient("ldap://%s" % ipaddr)
LDAPConnection(cli).open().search()
with pytest.raises(TypeError):
cli = LDAPClient("ldap://%s" % ipaddr)
LDAPConnection(cli).open().search("", 0, 3)
def test_digest_auth_error(cfg):
""" Test DIGEST-MD5 authentication error. """
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
if cfg["DIGESTAUTH"]["realm"] == "None":
realm = None
else:
realm = cfg["DIGESTAUTH"]["realm"].upper()
client.set_credentials("DIGEST-MD5", cfg["DIGESTAUTH"]["user"],
"wrongpassword", realm, None)
with pytest.raises(bonsai.AuthenticationError):
_ = client.connect()
def test_digest_auth_error(cfg):
""" Test DIGEST-MD5 authentication error. """
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
if cfg["DIGESTAUTH"]["realm"] == "None":
realm = None
else:
realm = cfg["DIGESTAUTH"]["realm"].upper()
client.set_credentials(
"DIGEST-MD5", cfg["DIGESTAUTH"]["user"], "wrongpassword", realm, None
)
with pytest.raises(bonsai.AuthenticationError):
_ = client.connect()
def test_client_prop(self):
""" Testing client property. """
client = LDAPClient(self.url)
ref = LDAPReference(client, [])
self.assertEqual(ref.client, client)
def error():
ref.client = "b"
self.assertRaises(TypeError, error)
ref.client = LDAPClient()
self.assertNotEqual(ref.client, client)
def test_search_with_managedsait_ctrl(ipaddr):
""" Test searching with manageDsaIT control. """
refdn = LDAPDN("o=admin-ref,ou=nerdherd,dc=bonsai,dc=test")
cli = LDAPClient("ldap://%s" % ipaddr)
with cli.connect() as conn:
res = conn.search(refdn, LDAPSearchScope.BASE, attrlist=["ref"])[0]
assert str(res.dn) == "cn=admin,dc=bonsai,dc=test"
cli.set_managedsait(True)
with cli.connect() as conn:
res = conn.search(refdn, LDAPSearchScope.BASE, attrlist=["ref"])[0]
assert refdn == res.dn
assert "ldap://bonsai.test/cn=admin,dc=bonsai,dc=test" == res["ref"][0]
def test_digest_auth_error(self):
""" Test DIGEST-MD5 authentication error. """
if "DIGESTAUTH" not in self.cfg:
self.skipTest("No digest authentication is set.")
client = LDAPClient(self.url)
if self.cfg["DIGESTAUTH"]["realm"] == "None":
realm = None
else:
realm = self.cfg["DIGESTAUTH"]["realm"]
client.set_credentials("DIGEST-MD5", (self.cfg["DIGESTAUTH"]["user"], \
"wrongpassword", \
realm, None))
self.assertRaises(bonsai.AuthenticationError, lambda: client.connect())
def test_digest_auth_error(self):
""" Test DIGEST-MD5 authentication error. """
if "DIGESTAUTH" not in self.cfg:
self.skipTest("No digest authentication is set.")
client = LDAPClient(self.url)
if self.cfg["DIGESTAUTH"]["realm"] == "None":
realm = None
else:
realm = self.cfg["DIGESTAUTH"]["realm"]
client.set_credentials("DIGEST-MD5", (self.cfg["DIGESTAUTH"]["user"], \
"wrongpassword", \
realm, None))
self.assertRaises(bonsai.AuthenticationError, lambda: client.connect())
def test_paged_search_with_auto_acq(self):
""" Test paged results control with automatic page acquiring. """
client = LDAPClient(self.url)
conn = client.connect()
search_dn = "ou=nerdherd,%s" % self.basedn
res = conn.search(search_dn, 1, page_size=3)
if len(res) != 3:
self.fail("The size of the page is not what is expected.")
entry = 0
for ent in res:
self.assertIsInstance(ent, bonsai.LDAPEntry)
entry += 1
self.assertEqual(entry, 6)
self.assertIsNone(res.acquire_next_page())
def test_paged_search_with_auto_acq(cfg, basedn):
""" Test paged results control with automatic page acquiring. """
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
conn = client.connect()
search_dn = "ou=nerdherd,%s" % basedn
res = conn.paged_search(search_dn, 1, page_size=3)
if len(res) != 3:
pytest.fail("The size of the page is not what is expected.")
entry = 0
for ent in res:
assert isinstance(ent, bonsai.LDAPEntry)
entry += 1
assert entry == 6
assert res.acquire_next_page() is None
def client():
""" Get an LDAPClient with simple authentication. """
cfg = get_config()
url = "ldap://%s:%s/%s??%s" % (
cfg["SERVER"]["hostip"],
cfg["SERVER"]["port"],
cfg["SERVER"]["basedn"],
cfg["SERVER"]["search_scope"],
)
cli = LDAPClient(url)
cli.set_credentials(
"SIMPLE", user=cfg["SIMPLEAUTH"]["user"], password=cfg["SIMPLEAUTH"]["password"]
)
return cli
def test_referral_chasing(host_url):
""" Testing referral chasing option. """
refdn = "o=admin,ou=nerdherd-refs,dc=bonsai,dc=test"
client = LDAPClient(host_url)
with client.connect() as conn:
res = conn.search(refdn, 0)
assert isinstance(res[0], bonsai.LDAPEntry)
client.server_chase_referrals = False
with client.connect() as conn:
res = conn.search(refdn, 0)
assert len(res) == 0
res = conn.search("ou=nerdherd-refs,dc=bonsai,dc=test", 1)
refs = [item for item in res if isinstance(item, LDAPReference)]
assert any(refs)
def _generate_client(cfg):
url = "ldap://{host}:{port}/ou=nerdherd,{basedn}?{attr}?{scope}".format(
host=cfg["SERVER"]["hostip"],
port=cfg["SERVER"]["port"],
basedn=cfg["SERVER"]["basedn"],
attr=cfg["SERVER"]["search_attr"],
scope=cfg["SERVER"]["search_scope"],
)
client = LDAPClient(url)
client.set_credentials("SIMPLE",
user=cfg["SIMPLEAUTH"]["user"],
password=cfg["SIMPLEAUTH"]["password"])
client.auto_page_acquire = False
return client
def test_paged_search_with_auto_acq(cfg, basedn):
""" Test paged results control with automatic page acquiring. """
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
conn = client.connect()
search_dn = "ou=nerdherd,%s" % basedn
res = conn.paged_search(search_dn, 1, page_size=3)
if len(res) != 3:
pytest.fail("The size of the page is not what is expected.")
entry = 0
for ent in res:
assert isinstance(ent, bonsai.LDAPEntry)
entry += 1
assert entry == 6
assert res.acquire_next_page() is None
def _generate_client(cfg):
url = "ldap://{host}:{port}/ou=nerdherd,{basedn}?{attr}?{scope}".format(
host=cfg["SERVER"]["hostip"],
port=cfg["SERVER"]["port"],
basedn=cfg["SERVER"]["basedn"],
attr=cfg["SERVER"]["search_attr"],
scope=cfg["SERVER"]["search_scope"],
)
client = LDAPClient(url)
client.set_credentials(
"SIMPLE", user=cfg["SIMPLEAUTH"]["user"], password=cfg["SIMPLEAUTH"]["password"]
)
client.auto_page_acquire = False
return client
def test_tls(url):
""" Test TLS connection. """
client = LDAPClient(url, True)
client.set_cert_policy("ALLOW")
client.set_ca_cert(None)
client.set_ca_cert_dir(None)
try:
conn = client.connect()
conn.close()
except Exception as exc:
pytest.fail("TLS connection is failed with: %s" % str(exc))
def _create_external(authzid=None):
tls_impl = bonsai.get_tls_impl_name()
if tls_impl == "GnuTLS" or tls_impl == "OpenSSL":
cfg = get_config()
curdir = os.path.abspath(os.path.dirname(__file__))
cert_path = os.path.join(curdir, "testenv", "certs")
host = "ldap://%s" % cfg["SERVER"]["hostname"]
cli = LDAPClient(host, tls=True)
cli.set_ca_cert(cert_path + "/cacert.pem")
cli.set_client_cert(cert_path + "/client.pem")
cli.set_client_key(cert_path + "/client.key")
cli.set_credentials("EXTERNAL", authz_id=authzid)
return cli.connect()
else:
pytest.skip("")
def test_referral_chasing(self):
""" Testing referral chasing option. """
refdn = "o=admin-ref,ou=nerdherd,dc=bonsai,dc=test"
client = LDAPClient(self.url)
conn = client.connect()
res = conn.search(refdn, 0)
self.assertIsInstance(res[0], bonsai.LDAPEntry)
conn.close()
client.server_chase_referrals = False
conn = client.connect()
res = conn.search(refdn, 0)
self.assertEqual(len(res), 0)
res = conn.search("ou=nerdherd,dc=bonsai,dc=test", 1)
refs = [item for item in res if isinstance(item, LDAPReference)]
self.assertTrue(any(refs))
def test_ldap_over_tls(ldaps_url):
""" Test LDAP over TLS connection. """
client = LDAPClient(ldaps_url)
client.set_cert_policy("ALLOW")
client.set_ca_cert(None)
client.set_ca_cert_dir(None)
try:
conn = client.connect()
assert conn is not None
conn.close()
except Exception as exc:
pytest.fail("TLS connection is failed with: %s" % str(exc))
def _binding(self, auth, mech, authzid, realm=None):
if auth not in self.cfg:
self.skipTest("%s authentication is not set." % mech)
client = LDAPClient(self.host)
client.set_credentials(mech, (self.cfg[auth]["user"],
self.cfg[auth]["password"],
realm, authzid))
try:
conn = client.connect()
except (bonsai.errors.ConnectionError, \
bonsai.errors.AuthenticationError) as err:
self.fail(err)
else:
self.assertNotEqual("anonymous", conn.whoami(),
"%s authentication was unsuccessful." % mech)
return conn
def test_wrong_add_param(conn, ipaddr):
""" Test passing wrong parameter for add method. """
with pytest.raises(ClosedConnection):
cli = LDAPClient("ldap://%s" % ipaddr)
LDAPConnection(cli).add(bonsai.LDAPEntry("cn=dummy"))
with pytest.raises(TypeError):
conn.add("wrong")
def test_bind_gssapi_error(self):
""" Test automatic TGT requesting with wrong realm name. """
if "GSSAPIAUTH" not in self.cfg:
self.skipTest("GSSAPI authentication is not set.")
if not bonsai.has_krb5_support():
self.skipTest("Module doesn't have KRB5 support.")
if ("realm" not in self.cfg["GSSAPIAUTH"]
or self.cfg["GSSAPIAUTH"]["realm"] == "None"):
self.skipTest("Realm is not set.")
client = LDAPClient(self.url)
client.set_credentials("GSSAPI", (self.cfg["GSSAPIAUTH"]["user"],
self.cfg["GSSAPIAUTH"]["password"],
self.cfg["GSSAPIAUTH"]["realm"],
None))
self.assertRaises(bonsai.AuthenticationError,
lambda: client.connect())
def test_wrong_delete_param(conn, ipaddr):
""" Test passing wrong parameter for delete method. """
with pytest.raises(ClosedConnection):
cli = LDAPClient("ldap://%s" % ipaddr)
LDAPConnection(cli).delete("cn=dummy")
with pytest.raises(TypeError):
conn.delete(0)
def test_modify_referrals(client):
""" Test modifying an LDAP referral with ManageDdsIT control. """
refdn = bonsai.LDAPDN("o=invalid-ref,ou=nerdherd,dc=bonsai,dc=test")
newref = "ldap://invalid.host/cn=nobody"
cli = LDAPClient(client.url)
cli.set_credentials(client.mechanism, **client.credentials)
cli.managedsait = True
with cli.connect() as conn:
entry = LDAPEntry(refdn, conn)
entry.change_attribute("ref", LDAPModOp.ADD, newref)
entry.modify()
res = conn.search(refdn, 0, attrlist=["ref"])[0]
assert len(res["ref"]) == 3
assert newref in res["ref"]
entry.change_attribute("ref", LDAPModOp.DELETE, newref)
entry.modify()
def _binding(self, auth, mech, authzid, realm=None):
if auth not in self.cfg:
self.skipTest("%s authentication is not set." % mech)
client = LDAPClient(self.url)
client.set_credentials(mech,
(self.cfg[auth]["user"],
self.cfg[auth]["password"], realm, authzid))
try:
conn = client.connect()
except (bonsai.errors.ConnectionError, \
bonsai.errors.AuthenticationError) as err:
self.fail(err)
else:
self.assertNotEqual("anonymous", conn.whoami(),
"%s authentication was unsuccessful." % mech)
return conn
def setUp(self):
""" Set LDAP URL and open connection. """
curdir = os.path.abspath(os.path.dirname(__file__))
self.cfg = configparser.ConfigParser()
self.cfg.read(os.path.join(curdir, 'test.ini'))
self.url = "ldap://%s:%s/%s?%s?%s" % (self.cfg["SERVER"]["hostip"], \
self.cfg["SERVER"]["port"], \
self.cfg["SERVER"]["basedn"], \
self.cfg["SERVER"]["search_attr"], \
self.cfg["SERVER"]["search_scope"])
self.basedn = self.cfg["SERVER"]["basedn"]
client = LDAPClient(self.url)
client.set_credentials("SIMPLE", (self.cfg["SIMPLEAUTH"]["user"],
self.cfg["SIMPLEAUTH"]["password"]))
self.conn = client.connect()
self.async_conn = LDAPConnection(client, True)
def gclient():
""" Get an LDAPClient with GeventLDAPConnection async class. """
cfg = get_config()
url = "ldap://%s:%s/%s?%s?%s" % (
cfg["SERVER"]["hostip"],
cfg["SERVER"]["port"],
cfg["SERVER"]["basedn"],
cfg["SERVER"]["search_attr"],
cfg["SERVER"]["search_scope"],
)
cli = LDAPClient(url)
cli.set_credentials(
"SIMPLE", user=cfg["SIMPLEAUTH"]["user"], password=cfg["SIMPLEAUTH"]["password"]
)
cli.set_async_connection_class(GeventLDAPConnection)
return cli
def test_tls(self):
""" Test TLS connection. """
if self.cfg['SERVER']['has_tls'] == 'False':
self.skipTest("TLS is not set.")
client = LDAPClient(self.url, True)
client.set_cert_policy("ALLOW")
client.set_ca_cert(None)
client.set_ca_cert_dir(None)
try:
conn = client.connect()
conn.close()
except Exception as exc:
self.fail("TLS connection is failed with: %s" % str(exc))
def test_password_lockout(conn, ipaddr):
""" Test password locking with password policy. """
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli = LDAPClient("ldap://%s" % ipaddr)
cli.set_password_policy(True)
try:
cli.set_credentials("SIMPLE", user_dn, "wrong_pass")
test_conn, ctrl = cli.connect()
except bonsai.errors.AuthenticationError:
with pytest.raises(bonsai.errors.AccountLocked):
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
test_conn, ctrl = cli.connect()
finally:
entry = conn.search(user_dn, 0, attrlist=["pwdAccountLockedTime"])[0]
if "pwdAccountLockedTime" in entry.keys():
del entry["pwdAccountLockedTime"]
entry.modify()
def test_init_errors(self):
""" Testing errors during initialization of LDAPReference. """
client = LDAPClient(self.url)
self.assertRaises(TypeError, lambda: LDAPReference(None, ["ldap://a"]))
self.assertRaises(TypeError, lambda: LDAPReference(client, [0]))
self.assertRaises(
ValueError,
lambda: LDAPReference(client, ["asd", LDAPURL("ldap://b")]))
def setUp(self):
""" Set LDAP URL and open connection. """
curdir = os.path.abspath(os.path.dirname(__file__))
self.cfg = configparser.ConfigParser()
self.cfg.read(os.path.join(curdir, 'test.ini'))
self.ipaddr = self.cfg["SERVER"]["hostip"]
self.url = "ldap://%s:%s/ou=nerdherd,%s?%s?%s" % \
(self.cfg["SERVER"]["hostip"], self.cfg["SERVER"]["port"],
self.cfg["SERVER"]["basedn"], self.cfg["SERVER"]["search_attr"],
self.cfg["SERVER"]["search_scope"])
self.host = "ldap://%s" % self.cfg['SERVER']['hostname']
self.basedn = self.cfg["SERVER"]["basedn"]
client = LDAPClient(self.url)
client.set_credentials("SIMPLE", (self.cfg["SIMPLEAUTH"]["user"],
self.cfg["SIMPLEAUTH"]["password"]))
self.conn = client.connect()
self.async_conn = LDAPConnection(client, True)
def setUpClass(cls):
""" Set host url and connection. """
curdir = os.path.abspath(os.path.dirname(__file__))
cfg = configparser.ConfigParser()
cfg.read(os.path.join(curdir, 'test.ini'))
cls.url = "ldap://%s:%s" % (cfg["SERVER"]["hostip"],
cfg["SERVER"]["port"])
cls.client = LDAPClient(cls.url)
def test_tls(self):
""" Test TLS connection. """
if self.cfg['SERVER']['has_tls'] == 'False':
self.skipTest("TLS is not set.")
client = LDAPClient(self.url, True)
client.set_cert_policy("ALLOW")
client.set_ca_cert(None)
client.set_ca_cert_dir(None)
try:
conn = client.connect()
conn.close()
except Exception as exc:
self.fail("TLS connection is failed with: %s" % str(exc))
def test_password_lockout(conn, ipaddr):
""" Test password locking with password policy. """
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli = LDAPClient("ldap://%s" % ipaddr)
cli.set_password_policy(True)
try:
cli.set_credentials("SIMPLE", user_dn, "wrong_pass")
test_conn, ctrl = cli.connect()
except bonsai.errors.AuthenticationError:
with pytest.raises(bonsai.errors.AccountLocked):
cli.set_credentials("SIMPLE", user_dn, "p@ssword")
test_conn, ctrl = cli.connect()
finally:
entry = conn.search(user_dn, 0, attrlist=["pwdAccountLockedTime"])[0]
if "pwdAccountLockedTime" in entry.keys():
del entry["pwdAccountLockedTime"]
entry.modify()
def setUp(self):
""" Set LDAP URL and open connection. """
curdir = os.path.abspath(os.path.dirname(__file__))
self.cfg = configparser.ConfigParser()
self.cfg.read(os.path.join(curdir, 'test.ini'))
self.url = "ldap://%s:%s/%s?%s?%s" % (self.cfg["SERVER"]["hostip"], \
self.cfg["SERVER"]["port"], \
self.cfg["SERVER"]["basedn"], \
self.cfg["SERVER"]["search_attr"], \
self.cfg["SERVER"]["search_scope"])
self.basedn = self.cfg["SERVER"]["basedn"]
self.ipaddr = self.cfg["SERVER"]["hostip"]
self.client = LDAPClient(self.url)
self.client.set_credentials("SIMPLE", (self.cfg["SIMPLEAUTH"]["user"],
self.cfg["SIMPLEAUTH"]["password"]))
self.client.set_async_connection_class(TornadoLDAPConnection)
self.io_loop = self.get_new_ioloop()
def test_bind_gssapi_keytab(cfg, ktpath):
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
client.set_credentials(
"GSSAPI",
user=cfg["GSSAPIAUTH"]["user"],
realm=cfg["GSSAPIAUTH"]["realm"].upper(),
keytab=ktpath,
)
conn = client.connect()
assert conn.whoami() == "dn:cn=chuck,ou=nerdherd,dc=bonsai,dc=test"
client.set_credentials(
"GSSAPI", user="******", realm=cfg["GSSAPIAUTH"]["realm"].upper(), keytab=ktpath
)
conn = client.connect()
assert conn.whoami() == "dn:cn=admin,dc=bonsai,dc=test"
def test_password_lockout(self):
""" Test password locking with password policy. """
if sys.platform == "win32":
self.skipTest("Cannot use password policy on Windows")
user_dn = "cn=jeff,ou=nerdherd,dc=bonsai,dc=test"
cli = LDAPClient("ldap://%s" % self.ipaddr)
cli.set_password_policy(True)
try:
cli.set_credentials("SIMPLE", (user_dn, "wrong_pass"))
conn, ctrl = cli.connect()
except bonsai.errors.AuthenticationError:
try:
cli.set_credentials("SIMPLE", (user_dn, "p@ssword"))
conn, ctrl = cli.connect()
except Exception as exc:
self.assertIsInstance(exc, bonsai.errors.AccountLocked)
else:
self.fail("No exception.")
finally:
entry = self.conn.search(user_dn, 0,
attrlist=["pwdAccountLockedTime"])[0]
if "pwdAccountLockedTime" in entry.keys():
del entry['pwdAccountLockedTime']
entry.modify()
def test_bind_gssapi_keytab_error(cfg, ktpath):
client = LDAPClient("ldap://%s" % cfg["SERVER"]["hostname"])
client.set_credentials(
"GSSAPI",
user=cfg["GSSAPIAUTH"]["user"],
realm=cfg["GSSAPIAUTH"]["realm"].upper(),
keytab="invalid",
)
with pytest.raises(bonsai.AuthenticationError):
_ = client.connect()
client.set_credentials(
"GSSAPI",
user="******",
realm=cfg["GSSAPIAUTH"]["realm"].upper(),
keytab=ktpath,
)
with pytest.raises(bonsai.AuthenticationError):
_ = client.connect()
def setUp(self):
""" Set LDAP URL and open connection. """
self.cfg = get_config()
self.url = "ldap://%s:%s/%s?%s?%s" % (
self.cfg["SERVER"]["hostip"],
self.cfg["SERVER"]["port"],
self.cfg["SERVER"]["basedn"],
self.cfg["SERVER"]["search_attr"],
self.cfg["SERVER"]["search_scope"],
)
self.basedn = self.cfg["SERVER"]["basedn"]
self.ipaddr = self.cfg["SERVER"]["hostip"]
self.client = LDAPClient(self.url)
self.client.set_credentials(
"SIMPLE",
user=self.cfg["SIMPLEAUTH"]["user"],
password=self.cfg["SIMPLEAUTH"]["password"],
)
self.client.set_async_connection_class(TornadoLDAPConnection)
self.io_loop = self.get_new_ioloop()
def test_extended_dn(self):
""" Test extended dn control. """
client = LDAPClient(self.url)
self.assertRaises(TypeError, lambda: client.set_extended_dn("A"))
self.assertRaises(ValueError, lambda: client.set_extended_dn(2))
client.extended_dn_format = 0
self.assertEqual(client.extended_dn_format, 0)
conn = client.connect()
root_dse = client.get_rootDSE()
result = conn.search("ou=nerdherd,dc=bonsai,dc=test", 0)[0]
if '1.2.840.113556.1.4.529' in root_dse['supportedControl']:
self.assertIsNotNone(result.extended_dn)
self.assertEqual(result.extended_dn.split(';')[-1], str(result.dn))
else:
self.assertIsNone(result.extended_dn)
def test_ppolicy(self):
""" Test password policy setting. """
client = LDAPClient(self.url)
self.assertRaises(TypeError, lambda: client.set_password_policy("F"))
client.password_policy = True
client.set_credentials("SIMPLE", ("cn=chuck,ou=nerdherd,dc=bonsai,dc=test",
"p@ssword"))
ret_val = client.connect()
self.assertIsInstance(ret_val, tuple)
self.assertIsInstance(ret_val[0], LDAPConnection)
if ret_val[1] is None:
pass
elif type(ret_val[1]) == dict:
self.assertIn("oid", ret_val[1].keys())
self.assertIn("expire", ret_val[1].keys())
self.assertIn("grace", ret_val[1].keys())
self.assertEqual('1.3.6.1.4.1.42.2.27.8.5.1', ret_val[1]['oid'])
else:
self.fail("Invalid second object in the tuple.")
ret_val[0].close()
def test_password_expire(self):
""" Test password expiring with password policy. """
if sys.platform == "win32":
self.skipTest("Cannot use password policy on Windows")
user_dn = "cn=skip,ou=nerdherd,dc=bonsai,dc=test"
cli = LDAPClient("ldap://%s" % self.ipaddr)
cli.set_password_policy(True)
cli.set_credentials("SIMPLE", (user_dn, "p@ssword"))
conn, ctrl = cli.connect()
entry = conn.search(user_dn, 0)[0]
entry['userPassword'] = "******"
entry.modify()
conn.close()
cli.set_credentials("SIMPLE", (user_dn, "newvalidpassword"))
time.sleep(2.0)
conn, ctrl = cli.connect()
if not (ctrl['expire'] <= 10 and ctrl['expire'] > 0):
self.fail("Expire time is in "
"the wrong range (Expire: %d)." % ctrl['expire'])
conn.close()
time.sleep(10)
conn, ctrl = cli.connect()
self.assertEqual(ctrl['grace'], 1)
conn.close()
try:
conn, ctrl = cli.connect()
except Exception as exc:
self.assertIsInstance(exc, bonsai.errors.PasswordExpired)
finally:
entry = self.conn.search(user_dn, 0,
attrlist=["userPassword"])[0]
entry['userPassword'] = "******"
entry.modify()
entry = self.conn.search(user_dn, 0,
attrlist=["pwdChangeTime",
"pwdGraceUseTime"])[0]
if ("pwdChangeTime", "pwdGraceUseTime") in entry.keys():
del entry['pwdChangeTime']
del entry['pwdGraceUseTime']
entry.modify()
def test_password_modify_extop(self):
""" Test Password Modify extended operation. """
if sys.platform == "win32":
self.skipTest("Cannot use password modify extended opertion"
" on Windows")
user_dn = LDAPDN("cn=skip,ou=nerdherd,dc=bonsai,dc=test")
cli = LDAPClient("ldap://%s" % self.ipaddr)
cli.set_credentials("SIMPLE", (str(user_dn), "p@ssword"))
conn = cli.connect()
self.assertRaises(TypeError,
lambda: conn.modify_password(new_password=0))
conn.modify_password(user_dn, "newpassword", "p@ssword")
conn.close()
self.assertRaises(ClosedConnection,
lambda: conn.modify_password())
try:
cli.set_credentials("SIMPLE", (str(user_dn), "newpassword"))
cli.set_password_policy(True)
conn, ctrl = cli.connect()
newpass = conn.modify_password()
conn.close()
self.assertIsInstance(newpass, str)
cli.set_credentials("SIMPLE", (str(user_dn), newpass))
conn, ctrl = cli.connect()
conn.close()
except bonsai.AuthenticationError:
self.fail("Failed to authenticate with the new password.")
finally:
entry = self.conn.search(user_dn, 0,
attrlist=["userPassword"])[0]
entry['userPassword'] = "******"
entry.modify()
entry = self.conn.search(user_dn, 0,
attrlist=["pwdChangeTime",
"pwdGraceUseTime"])[0]
if ("pwdChangeTime", "pwdGraceUseTime") in entry.keys():
del entry['pwdChangeTime']
del entry['pwdGraceUseTime']
entry.modify()
def test_simple_auth_error(self):
""" Test simple authentication error. """
client = LDAPClient(self.url)
client.set_credentials("SIMPLE", ("cn=wrong", "wronger"))
self.assertRaises(bonsai.AuthenticationError, lambda: client.connect())