def test_queued_account_gets_added_to_ldap(self):
vars.QUEUEDUSER.save()
activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(
ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory))
ldap_account = ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory)[1]
self.assertEqual(ldap_account['objectClass'],
settings.AUTH_LDAP_USER_OBJECTCLASS)
self.assertEqual(ldap_account['sn'][0], vars.QUEUEDUSER.last_name)
self.assertEqual(
ldap_account['cn'][0],
'%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertTrue(
ldap_md5_crypt.verify(vars.QUEUEDUSER.password,
ldap_account['userPassword'][0]))
self.assertEqual(ldap_account['givenName'][0],
vars.QUEUEDUSER.first_name)
self.assertEqual(ldap_account['mail'][0], vars.QUEUEDUSER.email)
self.assertEqual(ldap_account['uid'][0], vars.QUEUEDUSER.username)
self.assertEqual(ldap_account['uidNumber'][0], '1002')
self.assertEqual(ldap_account['gidNumber'][0], '100')
self.assertEqual(
ldap_account['gecos'][0],
'%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertEqual(ldap_account['homeDirectory'][0],
'/home/%s' % vars.QUEUEDUSER.username)
self.assertEqual(ldap_account['gentooACL'][0], 'user.group')
def test_secondary_password_gets_added_in_ldap(self):
request = set_request(uri='/', user=vars.USER_ALICE)
self.assertEqual(len(ldap_users('alice')[1]['userPassword']), 1)
set_secondary_password(request, 'ldaptest')
self.assertEqual(len(ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword']), 2)
def test_add_first_user_in_empty_ldap_directory(self):
vars.QUEUEDUSER.save()
activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id
self.ldapobj.directory = ldap_users(clean=True)
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory))
self.assertEqual(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1]["uidNumber"][0], "1")
def test_remove_leftovers_before_adding_secondary_password(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertNotIn(leftover, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_secondary_password_is_removed_in_logout(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password))
self.ldapobj.directory[ldap_users("alice")[0]]["userPassword"].append(secondary_password_crypt)
request = set_request(uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
request.session["secondary_password"] = cipher.encrypt(secondary_password)
logout(request)
self.assertEqual(len(ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]), 1)
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(
'ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_dont_remove_unknown_hashes_while_cleaning_leftovers(self):
leftover = ldap_md5_crypt.encrypt('leftover_password')
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover)
leftover2 = 'plain_leftover2'
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(leftover2)
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertIn(leftover2, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_remove_secondary_password_from_ldap(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request(uri='/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
remove_secondary_password(request)
self.assertNotIn(secondary_password_crypt, ldap_users(
'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_add_first_user_in_empty_ldap_directory(self):
vars.QUEUEDUSER.save()
activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id
self.ldapobj.directory = ldap_users(clean=True)
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(
ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory))
self.assertEqual(
ldap_users(vars.QUEUEDUSER.username,
directory=self.ldapobj.directory)[1]['uidNumber'][0],
'1')
def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request(uri='/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
remove_secondary_password(request)
self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
request = set_request('/', user=vars.USER_ALICE)
with get_bound_ldapuser(request, password='******') as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertTrue(
ldap_md5_crypt.verify(
settings.DATABASES[db_alias]['PASSWORD'],
ldap_users('alice')[1]['userPassword'][0]))
def test_secondary_password_is_removed_in_logout(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request(uri='/login',
post=vars.LOGIN_ALICE,
user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
logout(request)
self.assertEqual(
len(
ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword']), 1)
def test_session_and_ldap_secondary_passwords_match(self):
request = set_request(uri='/', user=vars.USER_ALICE)
set_secondary_password(request, 'ldaptest')
self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt(
request.session['secondary_password'], 48)),
ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword'][1]))
def test_secondary_password_is_added_in_login(self):
request = set_request(uri='/login', post=vars.LOGIN_ALICE)
login(request)
self.assertEqual(
len(
ldap_users(
'alice',
directory=self.ldapobj.directory)[1]['userPassword']), 2)
self.assertEqual(len(request.session['secondary_password']), 48)
def test_queued_account_gets_added_to_ldap(self):
vars.QUEUEDUSER.save()
activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id
request = set_request(activate_url, messages=True)
activate(request, vars.QUEUEDUSER.encrypted_id)
self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory))
ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1]
self.assertEqual(ldap_account["objectClass"], settings.AUTH_LDAP_USER_OBJECTCLASS)
self.assertEqual(ldap_account["sn"][0], vars.QUEUEDUSER.last_name)
self.assertEqual(ldap_account["cn"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account["userPassword"][0]))
self.assertEqual(ldap_account["givenName"][0], vars.QUEUEDUSER.first_name)
self.assertEqual(ldap_account["mail"][0], vars.QUEUEDUSER.email)
self.assertEqual(ldap_account["uid"][0], vars.QUEUEDUSER.username)
self.assertEqual(ldap_account["uidNumber"][0], "1002")
self.assertEqual(ldap_account["gidNumber"][0], "100")
self.assertEqual(ldap_account["gecos"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name))
self.assertEqual(ldap_account["homeDirectory"][0], "/home/%s" % vars.QUEUEDUSER.username)
self.assertEqual(ldap_account["gentooACL"][0], "user.group")
def test_get_bound_ldapuser_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user:
self.assertEqual(user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user:
self.assertEqual(user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
b64encode(secondary_password))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
b64encode(secondary_password))
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(
secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]][
'userPassword'].append(secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
pass
db_alias = 'ldap_%s' % request.session.cache_key
self.assertNotIn('USER', settings.DATABASES.get(db_alias, {}))
self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
secondary_password = Random.get_random_bytes(48)
secondary_password_crypt = ldap_md5_crypt.encrypt(
b64encode(secondary_password))
self.ldapobj.directory[ldap_users('alice')[0]]['userPassword'].append(
secondary_password_crypt)
request = set_request('/', user=vars.USER_ALICE)
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
with get_bound_ldapuser(request) as user: # noqa
pass
db_alias = 'ldap_%s' % request.session.cache_key
self.assertNotIn('USER', settings.DATABASES.get(db_alias, {}))
self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def test_valid_rsa_key_with_comment_authenticates_bob(self):
dn, bob = ldap_users('bob')
key = paramiko.RSAKey(data=self.get_ssh_key(bob))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, bob['uid'][0])
def test_valid_rsa_key_with_comment_authenticates_bob(self):
dn, bob = ldap_users('bob')
key = paramiko.RSAKey(data=self.get_ssh_key(bob))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, bob['uid'][0])
def test_secondary_password_is_added_in_login(self):
request = set_request(uri="/login", post=vars.LOGIN_ALICE)
login(request)
self.assertEqual(len(ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]), 2)
self.assertEqual(len(request.session["secondary_password"]), 48)
def test_valid_rsa_ssh_key_authenticates_alice(self):
dn, alice = ldap_users('alice')
key = paramiko.RSAKey(data=self.get_ssh_key(alice))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, alice['uid'][0])
def test_valid_dss_ssh_key_authenticates_bob(self):
dn, bob = ldap_users('bob')
key = paramiko.DSSKey(data=self.get_ssh_key(bob, 1))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, bob['uid'][0])
def test_valid_rsa_ssh_key_authenticates_alice(self):
dn, alice = ldap_users('alice')
key = paramiko.RSAKey(data=self.get_ssh_key(alice))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, alice['uid'][0])
def test_valid_dss_ssh_key_authenticates_bob(self):
dn, bob = ldap_users('bob')
key = paramiko.DSSKey(data=self.get_ssh_key(bob, 1))
u = authenticate(ssh_key=key)
self.assertEqual(u.username, bob['uid'][0])
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
request = set_request('/', user=vars.USER_ALICE)
with get_bound_ldapuser(request, password='******') as user: # noqa
db_alias = 'ldap_%s' % request.session.cache_key
self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES[db_alias][
'PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
