Beispiel #1
 def test_get_bound_ldapuser_invalid_secondary_password(self):
     """Binding must fail when the session secret has no matching LDAP hash.

     The session carries an encrypted random value, but this test never adds
     a hash of it to the directory entry, so ``get_bound_ldapuser`` is
     expected to raise ``ldap.INVALID_CREDENTIALS``.
     """
     bogus_secret = Random.get_random_bytes(48)
     req = set_request('/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(bogus_secret)
     with self.assertRaises(ldap.INVALID_CREDENTIALS):
         get_bound_ldapuser(req)
 def test_get_bound_ldapuser_invalid_secondary_password(self):
     # A fresh random secret is stored (encrypted) in the session, but the
     # directory entry is left untouched, so nothing in LDAP matches it.
     unregistered = Random.get_random_bytes(48)
     request = set_request('/', user=vars.USER_ALICE)
     encrypted = cipher.encrypt(unregistered)
     request.session['secondary_password'] = encrypted
     # NOTE(review): elsewhere get_bound_ldapuser is entered with ``with``;
     # if it is a generator-based context manager, a plain call may never
     # attempt the bind -- confirm this assertion really exercises the
     # rejected-credentials path.
     self.assertRaises(
         ldap.INVALID_CREDENTIALS, get_bound_ldapuser, request)
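 def test_secondary_password_is_removed_in_logout(self):
     """Logging out must strip the session's secondary password from LDAP.

     A hash of the random secondary password is appended to alice's
     ``userPassword`` values, the encrypted secret is placed in the session,
     and ``logout`` is called. Afterwards exactly one ``userPassword`` value
     may remain, and it must not be the secondary hash.
     """
     secondary_password = Random.get_random_bytes(48)
     secondary_password_crypt = ldap_md5_crypt.encrypt(
         b64encode(secondary_password))
     self.ldapobj.directory[ldap_users("alice")[0]]["userPassword"].append(
         secondary_password_crypt)
     request = set_request(
         uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
     request.session["secondary_password"] = cipher.encrypt(
         secondary_password)
     logout(request)
     remaining = ldap_users(
         "alice", directory=self.ldapobj.directory)[1]["userPassword"]
     self.assertEqual(len(remaining), 1)
     # The count alone would also pass if the wrong value had been dropped,
     # so check explicitly that the secondary hash is the one that is gone.
     self.assertNotIn(secondary_password_crypt, remaining)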
 def test_get_bound_ldapuser_from_request(self):
     """A session holding a registered secondary password resolves to alice."""
     secret = Random.get_random_bytes(48)
     # Register a hash of the base64-encoded secret on alice's LDAP entry ...
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     # ... and put only the encrypted form of the secret into the session.
     req = set_request('/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     with get_bound_ldapuser(req) as bound:
         self.assertEqual(bound.username, vars.USER_ALICE.username)
Beispiel #5
 def test_get_bound_ldapuser_from_request(self):
     # Arrange: a random secondary password whose ``ldap_md5_crypt`` hash
     # (taken over its base64 form) is attached to alice's directory entry.
     raw_secret = Random.get_random_bytes(48)
     hashed = ldap_md5_crypt.encrypt(b64encode(raw_secret))
     alice_passwords = self.ldapobj.directory[
         ldap_users('alice')[0]]['userPassword']
     alice_passwords.append(hashed)
     # The session is given the output of cipher.encrypt, not the raw bytes.
     request = set_request('/', user=vars.USER_ALICE)
     request.session['secondary_password'] = cipher.encrypt(raw_secret)
     # Act / assert: the user bound from the request carries alice's name.
     with get_bound_ldapuser(request) as ldap_user:
         self.assertEqual(ldap_user.username, vars.USER_ALICE.username)
Beispiel #6
 def test_remove_secondary_password_from_ldap(self):
     """``remove_secondary_password`` drops the session's hash from LDAP."""
     secret = Random.get_random_bytes(48)
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     req = set_request(uri='/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     remove_secondary_password(req)
     # Re-read alice's entry from the directory and make sure the hash that
     # was appended above is no longer among her userPassword values.
     stored_hashes = ldap_users(
         'alice', directory=self.ldapobj.directory)[1]['userPassword']
     self.assertNotIn(secret_hash, stored_hashes)
Beispiel #7
 def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
     """Removing the secondary password must leave the primary hash usable.

     After ``remove_secondary_password`` runs, the first ``userPassword``
     value of alice's entry still has to verify against ``'ldaptest'``.
     """
     secret = Random.get_random_bytes(48)
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     req = set_request(uri='/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     remove_secondary_password(req)
     first_hash = ldap_users(
         'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]
     # presumably 'ldaptest' is alice's fixture password -- confirm against
     # the test directory definition
     self.assertTrue(ldap_md5_crypt.verify('ldaptest', first_hash))
 def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
     """The per-session DB alias carries the bind password while bound.

     Inside the ``with`` block, ``settings.DATABASES`` is expected to hold an
     entry named ``ldap_<session cache key>`` whose ``PASSWORD`` equals the
     base64-encoded secondary password.
     """
     secret = Random.get_random_bytes(48)
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     req = set_request('/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     with get_bound_ldapuser(req):
         alias = 'ldap_%s' % req.session.cache_key
         configured_password = settings.DATABASES[alias]['PASSWORD']
         self.assertEqual(configured_password, b64encode(secret))
Beispiel #9
 def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
     # Arrange: hash of the base64-encoded secret goes to alice's LDAP
     # entry, the encrypted secret goes to the session.
     raw_secret = Random.get_random_bytes(48)
     encoded_secret = b64encode(raw_secret)
     self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
         ldap_md5_crypt.encrypt(encoded_secret))
     request = set_request('/', user=vars.USER_ALICE)
     request.session['secondary_password'] = cipher.encrypt(raw_secret)
     with get_bound_ldapuser(request) as _bound:  # noqa
         # The alias is derived from the session's cache key; its PASSWORD
         # must be the base64 form of the secret, i.e. the value that was
         # hashed into LDAP above.
         db_alias = 'ldap_%s' % request.session.cache_key
         db_config = settings.DATABASES[db_alias]
         self.assertEqual(db_config['PASSWORD'], b64encode(raw_secret))
 def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
     """Leaving the context manager must not leave credentials in settings.

     Once the ``with`` block has exited, the ``ldap_<session cache key>``
     entry of ``settings.DATABASES`` (if it still exists) may contain
     neither ``USER`` nor ``PASSWORD``.
     """
     secret = Random.get_random_bytes(48)
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     req = set_request('/', user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     with get_bound_ldapuser(req):
         pass
     alias = 'ldap_%s' % req.session.cache_key
     leftover = settings.DATABASES.get(alias, {})
     for credential_key in ('USER', 'PASSWORD'):
         self.assertNotIn(credential_key, leftover)
Beispiel #11
 def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
     # Arrange: register the secondary password in LDAP and in the session.
     raw_secret = Random.get_random_bytes(48)
     hashed = ldap_md5_crypt.encrypt(b64encode(raw_secret))
     alice_passwords = self.ldapobj.directory[
         ldap_users('alice')[0]]['userPassword']
     alice_passwords.append(hashed)
     request = set_request('/', user=vars.USER_ALICE)
     request.session['secondary_password'] = cipher.encrypt(raw_secret)
     # Act: enter and immediately leave the bound-user context.
     with get_bound_ldapuser(request) as _unused:  # noqa
         pass
     # Assert: the per-session alias no longer exposes bind credentials.
     # A missing alias counts as clean, hence the ``{}`` default.
     db_alias = 'ldap_%s' % request.session.cache_key
     self.assertNotIn('USER', settings.DATABASES.get(db_alias, {}))
     self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
 def test_secondary_password_is_removed_in_logout(self):
     """After ``logout`` only one ``userPassword`` value is left for alice."""
     secret = Random.get_random_bytes(48)
     secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
     alice_key = ldap_users('alice')[0]
     self.ldapobj.directory[alice_key]['userPassword'].append(secret_hash)
     req = set_request(
         uri='/login', post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
     req.session['secondary_password'] = cipher.encrypt(secret)
     logout(req)
     remaining = ldap_users(
         'alice', directory=self.ldapobj.directory)[1]['userPassword']
     # NOTE(review): a length check cannot tell which value survived;
     # asserting that the secondary hash itself is absent would be stricter.
     self.assertEqual(len(remaining), 1)
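def set_secondary_password(request, password):
    """Generate a secondary password and store it encrypted in the session.

    Opens ``get_bound_ldapuser(request, password)``, creates 48 random bytes
    as the secondary password, puts ``cipher.encrypt`` of them into
    ``request.session['secondary_password']`` and appends an
    ``ldap_md5_crypt`` hash of their base64 form to the user's password
    values before saving the user.

    Existing password values that ``ldap_md5_crypt`` can parse but that do
    not verify against ``password`` are removed first (they are treated as
    leftover secondary passwords); values it rejects with ``ValueError``
    are kept.
    """
    with get_bound_ldapuser(request, password) as user:
        secondary_password = Random.get_random_bytes(48)
        # NOTE(review): the session is updated before user.save(); if the
        # save fails, the session holds a secret LDAP never received --
        # confirm callers cope with that.
        request.session['secondary_password'] = \
            cipher.encrypt(secondary_password)
        # Clean up possible leftover secondary passwords from the LDAP account
        if len(user.password) > 1:
            # Iterate over a copy: entries are removed from user.password
            # inside the loop. The loop variable avoids the name ``hash`` so
            # the builtin is not shadowed.
            for stored_hash in list(user.password):
                try:
                    if not ldap_md5_crypt.verify(password, stored_hash):
                        user.password.remove(stored_hash)
                except ValueError:
                    # don't remove unknown hashes
                    pass
        # Add a new generated encrypted password to LDAP
        # NOTE(review): md5-crypt is a legacy scheme; the input here is 48
        # random bytes, which limits guessing risk, but confirm the
        # directory cannot use a stronger scheme.
        user.password.append(
            ldap_md5_crypt.encrypt(b64encode(secondary_password)))
        user.save()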
def set_secondary_password(request, password):
    """Create a fresh secondary password for the session and for LDAP.

    The 48 random bytes are kept in the session only as ``cipher.encrypt``
    output; LDAP receives an ``ldap_md5_crypt`` hash of their base64 form.
    Before the new hash is appended, stored values that parse but do not
    match ``password`` are dropped, while values raising ``ValueError`` on
    verification are left alone.
    """
    with get_bound_ldapuser(request, password) as user:
        secondary_password = Random.get_random_bytes(48)
        encrypted_secret = cipher.encrypt(secondary_password)
        request.session['secondary_password'] = encrypted_secret

        # Only look for leftovers when there is more than one stored value;
        # work on a snapshot because the live list is modified below.
        candidates = list(user.password) if len(user.password) > 1 else []
        for stored in candidates:
            try:
                if ldap_md5_crypt.verify(password, stored):
                    continue
                user.password.remove(stored)
            except ValueError:
                # unknown hash format: keep it
                continue

        new_hash = ldap_md5_crypt.encrypt(b64encode(secondary_password))
        user.password.append(new_hash)
        user.save()
 def test_verify_password_more_than_twice_block_size(self):
     """Round-trip an input of two cipher block sizes plus three."""
     plaintext = self._random_string[:cipher.block_size * 2 + 3]
     ciphertext = cipher.encrypt(plaintext)
     # decrypt takes the expected output length as its second argument
     recovered = cipher.decrypt(ciphertext, len(plaintext))
     self.assertEqual(recovered, plaintext)
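 def test_ciphertext_not_multiple_of_block_size_raises_valueerror(self):
     """Decrypting ciphertext cut to half a block raises ``ValueError``."""
     # Floor division keeps the slice bounds integral; with ``/`` they become
     # floats on Python 3 and the slicing itself fails with TypeError before
     # decrypt is ever reached.
     half_block = cipher.block_size // 2
     data = self._random_string[:half_block]
     truncated = cipher.encrypt(data)[:half_block]
     self.assertRaises(ValueError, cipher.decrypt, truncated, len(data))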
 def test_verify_password_exact_block_size(self):
     """Round-trip an input whose length equals ``cipher.block_size``."""
     one_block = self._random_string[:cipher.block_size]
     ciphertext = cipher.encrypt(one_block)
     recovered = cipher.decrypt(ciphertext, len(one_block))
     self.assertEqual(recovered, one_block)
 def test_encrypt_random_bytes(self):
     """Round-trip 45 random bytes through ``cipher``."""
     # NOTE(review): the tests visible here cover round-trips and length
     # errors only; whether ciphertext modified at a valid length is
     # rejected is not shown -- confirm, since this value lives in a session.
     payload = Random.get_random_bytes(45)
     ciphertext = cipher.encrypt(payload)
     recovered = cipher.decrypt(ciphertext, len(payload))
     self.assertEqual(recovered, payload)
 def test_ciphertext_shorter_than_req_output_raises_valueerror(self):
     """Asking for more output than the ciphertext holds raises ValueError.

     Two blocks of input are encrypted, the ciphertext is cut to one block,
     and decryption is requested for the full input length.
     """
     plaintext = self._random_string[:cipher.block_size*2]
     one_block_only = cipher.encrypt(plaintext)[:cipher.block_size]
     requested_length = len(plaintext)
     with self.assertRaises(ValueError):
         cipher.decrypt(one_block_only, requested_length)
 def test_verify_password_more_than_twice_block_size(self):
     # Input length: two block sizes plus three, so the length is not a
     # multiple of the block size.
     sample = self._random_string[:cipher.block_size*2+3]
     encrypted = cipher.encrypt(sample)
     self.assertEqual(
         cipher.decrypt(encrypted, len(sample)),
         sample)
 def test_verify_password_exact_block_size(self):
     # Input length is exactly cipher.block_size.
     sample = self._random_string[:cipher.block_size]
     encrypted = cipher.encrypt(sample)
     self.assertEqual(
         cipher.decrypt(encrypted, len(sample)),
         sample)
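 def test_ciphertext_not_multiple_of_block_size_raises_valueerror(self):
     """``cipher.decrypt`` rejects ciphertext truncated to half a block."""
     # ``//`` instead of ``/``: true division yields a float on Python 3,
     # which is not a valid slice bound; floor division gives the same
     # integer on Python 2 and 3.
     cut = cipher.block_size // 2
     data = self._random_string[:cut]
     partial_ciphertext = cipher.encrypt(data)[:cut]
     with self.assertRaises(ValueError):
         cipher.decrypt(partial_ciphertext, len(data))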
 def test_ciphertext_shorter_than_req_output_raises_valueerror(self):
     # Encrypt two blocks of input, keep only the first block of ciphertext,
     # then request the original (two-block) length back.
     sample = self._random_string[:cipher.block_size * 2]
     shortened = cipher.encrypt(sample)[:cipher.block_size]
     wanted = len(sample)
     self.assertRaises(ValueError, cipher.decrypt, shortened, wanted)
 def test_encrypt_random_bytes(self):
     # 45 random bytes: encrypt, decrypt with the original length, compare.
     sample = Random.get_random_bytes(45)
     encrypted = cipher.encrypt(sample)
     self.assertEqual(
         cipher.decrypt(encrypted, len(sample)),
         sample)