def test_queued_account_gets_added_to_ldap(self):
vars.QUEUEDUSER.save()
activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(
ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory))
ldap_account = ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory)[1]
self.assertEqual(ldap_account['objectClass'],
settings.AUTH_LDAP_USER_OBJECTCLASS)
self.assertEqual(ldap_account['sn'][0], vars.QUEUEDUSER.last_name)
self.assertEqual(
ldap_account['cn'][0],
'%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertTrue(
ldap_md5_crypt.verify(vars.QUEUEDUSER.password,
ldap_account['userPassword'][0]))
self.assertEqual(ldap_account['givenName'][0],
vars.QUEUEDUSER.first_name)
self.assertEqual(ldap_account['mail'][0], vars.QUEUEDUSER.email)
self.assertEqual(ldap_account['uid'][0], vars.QUEUEDUSER.username)
self.assertEqual(ldap_account['uidNumber'][0], '1002')
self.assertEqual(ldap_account['gidNumber'][0], '100')
self.assertEqual(
ldap_account['gecos'][0],
'%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertEqual(ldap_account['homeDirectory'][0],
'/home/%s' % vars.QUEUEDUSER.username)
self.assertEqual(ldap_account['gentooACL'][0], 'user.group')
def test_session_and_ldap_secondary_passwords_match(self):
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt(
request.session['secondary_password'], 48)),
ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][1]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover)
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
request = set_request('/', user=vars.USER_ALICE)
with get_bound_ldapuser(request, password='******') as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertTrue(
ldap_md5_crypt.verify(
settings.DATABASES[db_alias]['PASSWORD'],
ldap_users('alice')[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(
'ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_removing_secondary_password(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt)
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
request.session['secondary_password'] = cipher.encrypt(secondary_password)
remove_secondary_password(request)
self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request(uri='/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
remove_secondary_password(request)
self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def _compare_s(self, dn, attr, value):
self._check_valid_dn(dn)
try:
values = self.directory[dn].get(attr, [])
except KeyError:
raise ldap.NO_SUCH_OBJECT
if attr == 'userPassword':
for password in values:
try:
if ldap_md5_crypt.verify(value, password):
return 1
except (NameError, ValueError):
pass
return (1 if (value in values) else 0)
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def _compare_s(self, dn, attr, value):
dn = self._dn(dn)
if dn not in self.directory:
raise ldap.NO_SUCH_OBJECT
if attr not in self.directory[dn]:
raise ldap.NO_SUCH_ATTRIBUTE
if attr == 'userPassword':
for password in self.directory[dn][attr]:
try:
# TODO: Implement more ldap pwd hashes from passlib
# http://pythonhosted.org/passlib/lib/passlib.hash.html#ldap-hashes
if ldap_md5_crypt.verify(value, password):
return 1
except (NameError, ValueError):
pass
return (value in self.directory[dn][attr]) and 1 or 0
def remove_secondary_password(request):
""" Remove secondary password on logout """
try:
password = b64encode(
cipher.decrypt(request.session['secondary_password'], 48))
except KeyError:
return
with get_bound_ldapuser(request, password) as user:
if len(user.password) > 1:
for hash in list(user.password):
try:
if ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
user.save()
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
with get_bound_ldapuser(request, password) as user:
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = \
cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in list(user.password):
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(
ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def remove_secondary_password(request):
""" Remove secondary password on logout """
try:
password = b64encode(cipher.decrypt(
request.session['secondary_password'], 48))
except KeyError:
return
with get_bound_ldapuser(request, password) as user:
if len(user.password) > 1:
for hash in list(user.password):
try:
if ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
user.save()
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
with get_bound_ldapuser(request, password) as user:
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = \
cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in list(user.password):
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(
ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def test_queued_account_gets_added_to_ldap(self):
vars.QUEUEDUSER.save()
activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory))
ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1]
self.assertEqual(ldap_account["objectClass"], settings.AUTH_LDAP_USER_OBJECTCLASS)
self.assertEqual(ldap_account["sn"][0], vars.QUEUEDUSER.last_name)
self.assertEqual(ldap_account["cn"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account["userPassword"][0]))
self.assertEqual(ldap_account["givenName"][0], vars.QUEUEDUSER.first_name)
self.assertEqual(ldap_account["mail"][0], vars.QUEUEDUSER.email)
self.assertEqual(ldap_account["uid"][0], vars.QUEUEDUSER.username)
self.assertEqual(ldap_account["uidNumber"][0], "1002")
self.assertEqual(ldap_account["gidNumber"][0], "100")
self.assertEqual(ldap_account["gecos"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertEqual(ldap_account["homeDirectory"][0], "/home/%s" % vars.QUEUEDUSER.username)
self.assertEqual(ldap_account["gentooACL"][0], "user.group")
def set_secondary_password(request, password):
""" Generate a secondary passsword and encrypt it in the session """
username = request.user.username
user = LDAPUser.bind_as(alias='ldap_%s' % username,
username=username,
password=password).objects.get(username=username)
secondary_password = Random.get_random_bytes(48)
request.session['secondary_password'] = cipher.encrypt(secondary_password)
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in user.password:
try:
if not ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
def remove_secondary_password(request):
""" Remove secondary password on logout """
try:
password = b64encode(cipher.decrypt(
request.session['secondary_password'], 48))
except KeyError:
return
username = request.user.username
user = LDAPUser.bind_as(alias='ldap_%s' % username,
username=username,
password=password).objects.get(username=username)
if len(user.password) > 1:
for hash in user.password:
try:
if ldap_md5_crypt.verify(password, hash):
user.password.remove(hash)
except ValueError:
# ignore unknown hashes
pass
user.save()
def verifyPassword(password, hashvalue):
valid = ldap_md5_crypt.verify(password, hashvalue)
return valid
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
request = set_request('/', user=vars.USER_ALICE)
with get_bound_ldapuser(request, password='******') as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES[db_alias][
'PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
def test_session_and_ldap_secondary_passwords_match(self):
self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')])
alice = User.objects.create(username='******', password='******')
request = set_request(uri='/', user=alice)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt(request.session['secondary_password'], 48)), get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][1]))
