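def get_bound_ldapuser(request, password=None, username=None):
    """
    Get LDAPUser with connection bound to the current user.

    Uses either provided password or the secondary password saved in
    session.

    :param request: current request; ``request.user.username`` supplies the
        default username, and ``request.session`` holds the encrypted
        secondary password plus the ``cache_key`` used to name the LDAP
        connection alias.
    :param password: bind password; when omitted, the secondary password is
        decrypted from the session and base64-encoded.
    :param username: LDAP username; defaults to the request user's name.
    :returns: the LDAPUser fetched through the freshly bound connection.
    :raises OkupyError: when no password was given and the session holds
        no secondary password.
    """
    if not username:
        username = request.user.username
    if not password:
        try:
            # The session only ever holds the secondary password encrypted;
            # 48 is the plaintext length handed to cipher.decrypt().
            password = b64encode(
                cipher.decrypt(request.session['secondary_password'], 48))
        except KeyError:
            raise OkupyError(
                'Secondary password not available (no strong auth?)')
    bound_cls = LDAPUser.bind_as(
        alias='ldap_%s' % request.session.cache_key,
        username=username,
        password=password,
    )
    try:
        return bound_cls.objects.get(username=username)
    except Exception:
        # restore_alias() presumably undoes the bind_as() registration so a
        # failed lookup does not leave the bound alias behind; a bare
        # ``raise`` re-raises with the original traceback intact.
        bound_cls.restore_alias()
        raise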
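def get_bound_ldapuser(request, password=None, username=None):
    """
    Get LDAPUser with connection bound to the current user.

    Uses either provided password or the secondary password saved in
    session.

    :param request: current request; ``request.user.username`` supplies the
        default username, and ``request.session`` holds the encrypted
        secondary password plus the ``cache_key`` used to name the LDAP
        connection alias.
    :param password: bind password; when omitted, the secondary password is
        decrypted from the session and base64-encoded.
    :param username: LDAP username; defaults to the request user's name.
    :returns: the LDAPUser fetched through the freshly bound connection.
    :raises OkupyError: when no password was given and the session holds
        no secondary password.
    """
    if not username:
        username = request.user.username
    if not password:
        try:
            # The session only ever holds the secondary password encrypted;
            # 48 is the plaintext length handed to cipher.decrypt().
            password = b64encode(
                cipher.decrypt(request.session['secondary_password'], 48))
        except KeyError:
            raise OkupyError(
                'Secondary password not available (no strong auth?)')
    bound_cls = LDAPUser.bind_as(
        alias='ldap_%s' % request.session.cache_key,
        username=username,
        password=password,
    )
    try:
        return bound_cls.objects.get(username=username)
    except Exception:
        # restore_alias() presumably undoes the bind_as() registration so a
        # failed lookup does not leave the bound alias behind; a bare
        # ``raise`` re-raises with the original traceback intact.
        bound_cls.restore_alias()
        raise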
def test_session_and_ldap_secondary_passwords_match(self):
    """The session's secondary password must verify against alice's LDAP hash."""
    req = set_request(uri='/', user=vars.USER_ALICE)
    set_secondary_password(req, 'ldaptest')
    # Decrypt the session copy the same way the application does.
    session_password = b64encode(
        cipher.decrypt(req.session['secondary_password'], 48))
    alice_entry = ldap_users('alice', directory=self.ldapobj.directory)[1]
    stored_hash = alice_entry['userPassword'][1]
    self.assertTrue(ldap_md5_crypt.verify(session_password, stored_hash))
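def remove_secondary_password(request):
    """
    Remove secondary password on logout.

    Decrypts the secondary password held in the session, binds to LDAP
    with it and deletes the matching hash from the user's password list,
    always leaving at least one password entry in place. Does nothing
    when the session holds no secondary password.

    :param request: current request; ``request.session`` is expected to
        hold the encrypted secondary password.
    """
    try:
        # 48 is the plaintext length handed to cipher.decrypt().
        password = b64encode(
            cipher.decrypt(request.session['secondary_password'], 48))
    except KeyError:
        return
    with get_bound_ldapuser(request, password) as user:
        # Never strip the last remaining password entry.
        if len(user.password) > 1:
            # Iterate over a copy: the list is mutated inside the loop.
            for pw_hash in list(user.password):
                try:
                    if ldap_md5_crypt.verify(password, pw_hash):
                        user.password.remove(pw_hash)
                        break
                except ValueError:
                    # ignore unknown hashes
                    pass
        user.save()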
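def remove_secondary_password(request):
    """
    Remove secondary password on logout.

    Decrypts the secondary password held in the session, binds to LDAP
    with it and deletes the matching hash from the user's password list,
    always leaving at least one password entry in place. Does nothing
    when the session holds no secondary password.

    :param request: current request; ``request.session`` is expected to
        hold the encrypted secondary password.
    """
    try:
        # 48 is the plaintext length handed to cipher.decrypt().
        password = b64encode(
            cipher.decrypt(request.session['secondary_password'], 48))
    except KeyError:
        return
    with get_bound_ldapuser(request, password) as user:
        # Never strip the last remaining password entry.
        if len(user.password) > 1:
            # Iterate over a copy: the list is mutated inside the loop.
            for pw_hash in list(user.password):
                try:
                    if ldap_md5_crypt.verify(password, pw_hash):
                        user.password.remove(pw_hash)
                        break
                except ValueError:
                    # ignore unknown hashes
                    pass
        user.save()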
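def test_encrypt_random_bytes(self):
    """Encrypting random bytes and decrypting with their length round-trips."""
    plaintext = Random.get_random_bytes(45)
    ciphertext = cipher.encrypt(plaintext)
    self.assertEqual(cipher.decrypt(ciphertext, len(plaintext)), plaintext)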
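def test_verify_password_more_than_twice_block_size(self):
    """Round-trip a plaintext of two full cipher blocks plus a partial one."""
    plaintext = self._random_string[:cipher.block_size * 2 + 3]
    ciphertext = cipher.encrypt(plaintext)
    self.assertEqual(cipher.decrypt(ciphertext, len(plaintext)), plaintext)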
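def test_verify_password_exact_block_size(self):
    """Round-trip a plaintext that is exactly one cipher block long."""
    plaintext = self._random_string[:cipher.block_size]
    ciphertext = cipher.encrypt(plaintext)
    self.assertEqual(cipher.decrypt(ciphertext, len(plaintext)), plaintext)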
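def test_verify_password_more_than_twice_block_size(self):
    """Round-trip a plaintext of two full cipher blocks plus a partial one."""
    plaintext = self._random_string[:cipher.block_size * 2 + 3]
    ciphertext = cipher.encrypt(plaintext)
    self.assertEqual(cipher.decrypt(ciphertext, len(plaintext)), plaintext)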