def simple_bind_s(self, binduid, bindpwd):
    """Simulate a synchronous simple bind against the fake directory.

    The call is always recorded in ``self._last_bind`` (including the
    password exactly as supplied) before any credential check runs.

    Returns 1 on success and raises ``ldap.INVALID_CREDENTIALS`` when the
    entry has no ``userPassword`` value or the value does not match.
    """
    self._last_bind = (self.simple_bind_s, (binduid, bindpwd), {})

    # Fixture shortcut: any DN containing the substring 'Manager' binds
    # successfully without the password being looked at.
    if 'Manager' in binduid:
        return 1

    # Emulate LDAP mis-behavior: an empty password succeeds for any DN
    # without consulting the entry (the "unauthenticated bind" of
    # RFC 4513 section 5.1.2). Code exercised against this fake should
    # reject empty passwords before it ever calls bind.
    if bindpwd == '':
        return 1

    candidate = hash_pwd(bindpwd) if self.hash_password else bindpwd

    found = self.search_s(
        binduid,
        scope=ldap.SCOPE_BASE,
        attrs=('userPassword',),
    )
    stored = found[0][1].get('userPassword')

    # Only the first stored value is compared, with a plain equality test.
    if not stored or candidate != stored[0]:
        raise ldap.INVALID_CREDENTIALS
    return 1
def simple_bind_s(self, binduid, bindpwd):
    """Simulate a synchronous simple bind using bytes DNs and attributes.

    The call is always recorded in ``self._last_bind`` (including the
    password exactly as supplied) before any credential check runs.

    Returns 1 on success and raises ``ldap.INVALID_CREDENTIALS`` when the
    entry has no ``userPassword`` value or the value does not match.
    """
    self._last_bind = (self.simple_bind_s, (binduid, bindpwd), {})

    # Fixture shortcut: any DN containing b'Manager' binds successfully
    # without the password being looked at.
    if b'Manager' in binduid:
        return 1

    # Emulate LDAP mis-behavior: an empty password (bytes or text) succeeds
    # for any DN without consulting the entry (the "unauthenticated bind"
    # of RFC 4513 section 5.1.2). Code exercised against this fake should
    # reject empty passwords before it ever calls bind.
    if bindpwd in (b'', ''):
        return 1

    supplied = hash_pwd(bindpwd) if self.hash_password else bindpwd

    matches = self.search_s(
        binduid,
        scope=ldap.SCOPE_BASE,
        query=b'(objectClass=*)',
        attrs=(b'userPassword',),
    )
    stored = matches[0][1].get(b'userPassword')

    # Only the first stored value is compared, with a plain equality test.
    if stored and supplied == stored[0]:
        return 1
    raise ldap.INVALID_CREDENTIALS
def test_password_is_hashed(self):
    # The userPassword value read back from the directory must equal
    # hash_pwd() of the cleartext that _addUser generated ('<name>_secret'),
    # i.e. the cleartext itself is not what gets stored.
    from dataflake.fakeldap.utils import hash_pwd

    conn = self._makeOne()
    self._addUser('foo')

    matches = conn.search_s(b'ou=users,dc=localhost', query=b'(cn=foo)')
    entry_attrs = matches[0][1]
    stored_pwd = entry_attrs[b'userPassword'][0]

    self.assertEqual(stored_pwd, hash_pwd('foo_secret'))
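def test_password_is_hashed(self):
    # The userPassword value read back from the directory must equal
    # hash_pwd() of the cleartext that _addUser generated ('<name>_secret'),
    # i.e. the cleartext itself is not what gets stored.
    from dataflake.fakeldap.utils import hash_pwd

    conn = self._makeOne()
    self._addUser('foo')

    res = conn.search_s('ou=users,dc=localhost', query='(cn=foo)')
    pwd = res[0][1]['userPassword'][0]

    # assertEqual replaces the deprecated assertEquals alias, which was
    # removed from unittest in Python 3.12.
    self.assertEqual(pwd, hash_pwd('foo_secret'))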
def _addRecord(self, dn, **kw):
    """Create the tree entry for ``dn`` and populate it from ``kw``.

    Attribute names are stored as bytes (text names are UTF-8 encoded).
    Every value is stored as a list. The ``userPassword`` attribute,
    matched case-insensitively, is never stored as given: it is passed
    through ``hash_pwd`` first.
    """
    record = self.db.addTreeItems(dn)

    for attr_name, attr_value in kw.items():
        if isinstance(attr_name, six.binary_type):
            raw_name = attr_name
        else:
            raw_name = attr_name.encode('UTF-8')

        if raw_name.lower() == b'userpassword':
            # NOTE(review): tests on this page show hash_pwd output starting
            # with '{SHA}', the scheme tag for an unsalted SHA-1 digest.
            # Adequate for a test double; not a model for real storage.
            stored = [hash_pwd(attr_value)]
        elif isinstance(attr_value, list):
            stored = attr_value
        else:
            stored = [attr_value]

        record[raw_name] = stored
def test_bind_with_valid_unicode_credentials_from_connection(self):
    # With api_encoding disabled, a non-ASCII bind DN plus the matching
    # cleartext password configured on the connection object must let the
    # search go through and find the single inserted entry.
    conn = self._makeSimple()
    conn.api_encoding = None

    conn.insert(
        u'dc=localhost',
        u'cn=føø',
        attrs={'userPassword': hash_pwd('secret')},
    )

    conn.bind_dn = u'cn=føø,dc=localhost'
    conn.bind_pwd = u'secret'

    result = conn.search(u'dc=localhost', fltr=u'(cn=føø)')
    self.assertEqual(result['size'], 1)
def test_bind_with_invalid_unicode_credentials_from_connection(self):
    # Negative counterpart of the valid-credentials test: the stored hash
    # is for 'secret', the connection is configured with 'geheim', so the
    # search must fail with INVALID_CREDENTIALS rather than return data.
    import ldap

    conn = self._makeSimple()
    conn.api_encoding = None

    conn.insert(
        u'dc=localhost',
        u'cn=føø',
        attrs={'userPassword': hash_pwd('secret')},
    )

    conn.bind_dn = u'cn=føø,dc=localhost'
    conn.bind_pwd = u'geheim'

    with self.assertRaises(ldap.INVALID_CREDENTIALS):
        conn.search(u'dc=localhost', fltr=u'(cn=føø)')
def _addUser(self, name, mail=None):
    """Add a person entry under ``ou=users,dc=localhost`` and return it.

    The password is always ``'<name>_secret'``. It is stored hashed when
    the connection has ``hash_password`` set, otherwise as given.

    Returns ``(user_dn, user_pwd)`` where ``user_pwd`` is the cleartext
    password, so callers can bind with it.
    """
    from dataflake.fakeldap.utils import hash_pwd

    conn = self._makeOne()
    utf8_name = to_utf8(name)

    # ``name`` goes into the DN unescaped; callers pass fixed test names.
    user_dn = b'cn=%s,ou=users,dc=localhost' % utf8_name
    user_pwd = '%s_secret' % name

    stored_pwd = hash_pwd(user_pwd) if conn.hash_password else user_pwd

    entry = [
        (b'cn', [utf8_name]),
        (b'userPassword', [stored_pwd]),
        (b'objectClass', [b'top', b'person']),
    ]
    if mail is not None:
        entry.append((b'mail', [to_utf8(mail)]))

    conn.add_s(user_dn, entry)
    return (user_dn, user_pwd)
def test_disconnect_clears_connection_cache(self):
    # After a successful bound search the wrapper keeps a cached connection;
    # disconnect() must drop it so _getConnection() returns None.
    conn = self._makeSimple()
    conn.insert(
        'dc=localhost',
        'cn=foo',
        attrs={'userPassword': hash_pwd('pass')},
    )

    result = conn.search(
        'dc=localhost',
        fltr='(cn=foo)',
        bind_dn='cn=foo,dc=localhost',
        bind_pwd='pass',
    )
    self.assertEqual(result['size'], 1)

    cached = conn._getConnection()
    self.assertNotEqual(cached, None)

    # The cached connection's _last_bind holds the bind DN together with the
    # cleartext password (as bytes) for as long as the connection is cached.
    self.assertEqual(cached._last_bind[1], (b'cn=foo,dc=localhost', b'pass'))

    conn.disconnect()
    self.assertEqual(conn._getConnection(), None)
def test_rebind_with_same_password(self):
    # Two different DNs that happen to share the password 'pass' must not be
    # treated as the same identity: after the second operation the recorded
    # bind has to name the second DN, not the first.
    conn = self._makeSimple()

    conn.insert(
        'dc=localhost',
        'cn=foo',
        attrs={'userPassword': hash_pwd('pass')},
        bind_dn='cn=Manager,dc=localhost',
        bind_pwd='pass',
    )
    first_bind = conn._getConnection()._last_bind[1]
    self.assertEqual(first_bind, (b'cn=Manager,dc=localhost', b'pass'))

    conn.search(
        'dc=localhost',
        fltr='(cn=foo)',
        bind_dn='cn=foo,dc=localhost',
        bind_pwd='pass',
    )
    second_bind = conn._getConnection()._last_bind[1]
    self.assertEqual(second_bind, (b'cn=foo,dc=localhost', b'pass'))
def _addUser(self, name, mail=None):
    """Add a person entry under ``ou=users,dc=localhost`` and return it.

    The password is always ``'<name>_secret'``. It is stored hashed when
    the connection has ``hash_password`` set, otherwise as given.

    Returns ``(user_dn, user_pwd)`` where ``user_pwd`` is the cleartext
    password, so callers can bind with it.
    """
    from dataflake.fakeldap.utils import hash_pwd

    conn = self._makeOne()

    # ``name`` goes into the DN unescaped; callers pass fixed test names.
    user_dn = 'cn=%s,ou=users,dc=localhost' % name
    user_pwd = '%s_secret' % name

    stored_pwd = hash_pwd(user_pwd) if conn.hash_password else user_pwd

    entry = [
        ('cn', [name]),
        ('userPassword', [stored_pwd]),
        ('objectClass', ['top', 'person']),
    ]
    if mail is not None:
        entry.append(('mail', [mail]))

    conn.add_s(user_dn, entry)
    return (user_dn, user_pwd)
def test_hash_unicode_pwd(self):
    # hash_pwd must accept non-ASCII text and hand back bytes that carry the
    # '{SHA}' scheme prefix. '{SHA}' is the LDAP userPassword tag for an
    # unsalted SHA-1 digest.
    from dataflake.fakeldap.utils import hash_pwd

    hashed = hash_pwd(u'bjørn')

    is_bytes = isinstance(hashed, six.binary_type)
    self.assertTrue(is_bytes)

    has_scheme_prefix = hashed.startswith(b'{SHA}')
    self.assertTrue(has_scheme_prefix)
def test_hash_unicode_pwd(self):
    # hash_pwd must accept non-ASCII text and hand back a str that carries
    # the '{SHA}' scheme prefix. '{SHA}' is the LDAP userPassword tag for an
    # unsalted SHA-1 digest.
    from dataflake.fakeldap.utils import hash_pwd

    hashed = hash_pwd(u'bjørn')

    is_str = isinstance(hashed, str)
    self.assertTrue(is_str)

    has_scheme_prefix = hashed.startswith('{SHA}')
    self.assertTrue(has_scheme_prefix)