Esempio n. 1
 def test_unbind_clientEOF(self):
     # Pins what happens when the downstream client disconnects after a
     # bind: the upstream test client must have been sent an unbind, and the
     # downstream transport must hold nothing beyond the original bind reply.
     # NOTE(review): createServer() is not visible here; its two list
     # arguments look like canned upstream replies -- confirm.
     bindReply = str(
         pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2))
     server = self.createServer(
         [pureldap.LDAPBindResponse(resultCode=0)],
         [],
     )

     bindRequest = pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)
     server.dataReceived(str(bindRequest))
     # TODO: single reactor turn; presumably lets the proxied bind complete.
     reactor.iterate()
     client = server.client

     # Before the disconnect only the bind has been relayed upstream.
     client.assertSent(pureldap.LDAPBindRequest())
     self.assertEquals(server.transport.value(), bindReply)

     server.connectionLost(error.ConnectionDone)
     # TODO: single reactor turn; presumably lets the teardown run.
     reactor.iterate()

     # After the disconnect the driver must also have recorded its unbind
     # marker, i.e. the upstream session is not left open once its client
     # is gone.
     client.assertSent(pureldap.LDAPBindRequest(),
                       'fake-unbind-by-LDAPClientTestDriver')
     self.assertEquals(server.transport.value(), bindReply)
Esempio n. 2
 def test_search(self):
     # A bind (id=2) followed by a search (id=3): every canned reply must
     # come back on the downstream transport, in order, tagged with the id
     # of the request it answers.
     # NOTE(review): createServer() is not visible here; the two lists look
     # like the canned replies for the bind and for the search -- confirm.
     server = self.createServer(
         [
             pureldap.LDAPBindResponse(resultCode=0),
         ],
         [
             pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
                                            [('a', ['b'])]),
             pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
                                            [('b', ['c'])]),
             pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
         ],
     )

     bindMessage = pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)
     server.dataReceived(str(bindMessage))
     searchMessage = pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3)
     server.dataReceived(str(searchMessage))
     # TODO: single reactor turn; presumably lets both exchanges complete.
     reactor.iterate()

     expectedReplies = [
         pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=2),
         pureldap.LDAPMessage(
             pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
                                            [('a', ['b'])]),
             id=3),
         pureldap.LDAPMessage(
             pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
                                            [('b', ['c'])]),
             id=3),
         pureldap.LDAPMessage(
             pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
             id=3),
     ]
     expected = ''.join([str(message) for message in expectedReplies])
     self.assertEquals(server.transport.value(), expected)
Esempio n. 3
    def test_bind_match_success(self):
        # A simple bind as cn=jack is mapped onto a per-service entry.
        # Upstream must see (1) a search for a serviceSecurityObject owned by
        # the bind DN, named svc1 and inside its validFrom/validUntil window,
        # then (2) a bind as the entry that search returned, carrying the
        # password the client supplied.  svc2 and svc3 are never queried
        # because svc1 already matched.  The client is answered with Success
        # and matchedDN set to the DN it originally asked for, not the
        # service entry's DN.
        #
        # NOTE(review): the expected filter embeds the bind DN verbatim.  The
        # code that builds it is not visible here; confirm it escapes LDAP
        # filter metacharacters in a client-supplied DN.
        clientDN = 'cn=jack,dc=example,dc=com'
        # The owner DN appears as an RDN value, so its '=' and ',' are
        # backslash-escaped.
        serviceDN = (
            r'cn=svc1+owner=cn\=jack\,dc\=example\,dc\=com,dc=example,dc=com')

        server = self.createServer(
            services=['svc1', 'svc2', 'svc3'],
            fallback=True,
            responses=[

                # svc1
                [
                    pureldap.LDAPSearchResultEntry(serviceDN, attributes=[]),
                    pureldap.LDAPSearchResultDone(
                        ldaperrors.Success.resultCode),
                ],
                [
                    pureldap.LDAPBindResponse(
                        resultCode=ldaperrors.Success.resultCode),
                ],
            ])

        clientBind = pureldap.LDAPBindRequest(dn=clientDN, auth='secret')
        server.dataReceived(str(pureldap.LDAPMessage(clientBind, id=4)))
        # TODO: single reactor turn; presumably lets the lookup and the
        # upstream bind complete.
        reactor.iterate()
        client = server.client

        filterText = ''.join([
            '(&',
            '(objectClass=serviceSecurityObject)',
            '(owner=cn=jack,dc=example,dc=com)',
            '(cn=svc1)',
            '(|(!(validFrom=*))(validFrom<=%s))' % server.now,
            '(|(!(validUntil=*))(validUntil>=%s))' % server.now,
            ')',
        ])
        client.assertSent(
            pureldap.LDAPSearchRequest(
                baseObject='dc=example,dc=com',
                derefAliases=0,
                sizeLimit=0,
                timeLimit=0,
                typesOnly=0,
                filter=ldapfilter.parseFilter(filterText),
                # '1.1' is the LDAP "no attributes" selector: only the DN of
                # the matching entry is needed.
                attributes=('1.1', )),
            pureldap.LDAPBindRequest(dn=serviceDN, auth='secret'),
        )

        expected = str(
            pureldap.LDAPMessage(
                pureldap.LDAPBindResponse(
                    resultCode=ldaperrors.Success.resultCode,
                    matchedDN=clientDN),
                id=4))
        self.assertEquals(server.transport.value(), expected)
Esempio n. 4
 def test_bind(self):
     # A bind with default arguments (id=4) must be answered with the canned
     # success reply, tagged with the same message id.
     # NOTE(review): createServer() is not visible here; the list looks like
     # the canned upstream replies -- confirm.
     server = self.createServer([
         pureldap.LDAPBindResponse(resultCode=0),
     ])

     bindMessage = pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)
     server.dataReceived(str(bindMessage))
     # TODO: single reactor turn; presumably lets the proxied bind complete.
     reactor.iterate()

     expected = str(
         pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4))
     self.assertEquals(server.transport.value(), expected)
Esempio n. 5
 def _maybeFallback(self, entry, request, controls, reply):
     """Turn the outcome of a bind attempt into a response.

     entry is not None: return a Success bind response whose matchedDN is
     the DN the client asked for (request.dn).

     entry is None and self.fallback is true: pass the request to
     self.handleUnknown(request, controls, reply) and return None; the
     answer is then whatever handleUnknown delivers through ``reply``.

     entry is None and no fallback: return an invalidCredentials response.

     NOTE(review): this method performs no credential check of its own. A
     non-None ``entry`` is treated as proof of a successful bind, so the
     caller must only pass one after authentication succeeded -- confirm
     at the call site.  With fallback enabled, the authentication decision
     rests entirely on handleUnknown, which is not visible here.
     """
     if entry is not None:
         return pureldap.LDAPBindResponse(
             resultCode=ldaperrors.Success.resultCode,
             matchedDN=request.dn)

     if not self.fallback:
         return pureldap.LDAPBindResponse(
             resultCode=ldaperrors.LDAPInvalidCredentials.resultCode)

     # Deliberately no return value: the reply is left to handleUnknown.
     self.handleUnknown(request, controls, reply)
Esempio n. 6
 def test_bind(self):
     # A bind request with default arguments must be answered with
     # resultCode 0 under the same message id.
     request = pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)
     self.server.dataReceived(str(request))

     expected = str(
         pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 7
 def test_bind_badVersion_1_anonymous(self):
     # A bind announcing protocol version 1 (no dn/auth passed) must be
     # refused with protocolError and the exact message below, under the
     # request's message id.
     request = pureldap.LDAPMessage(pureldap.LDAPBindRequest(version=1),
                                    id=32)
     self.server.dataReceived(str(request))

     refusal = pureldap.LDAPBindResponse(
         resultCode=ldaperrors.LDAPProtocolError.resultCode,
         errorMessage='Version 1 not supported')
     expected = str(pureldap.LDAPMessage(refusal, id=32))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 8
 def test_bind_invalidCredentials_nonExisting(self):
     # Binding as a DN that is not in the tree must yield invalidCredentials.
     # The expected response is built from the result code alone (no
     # matchedDN or errorMessage is passed), so the reply does not single
     # out "no such entry" as the reason for the failure.
     attempt = pureldap.LDAPBindRequest(
         dn='cn=non-existing,dc=example,dc=com', auth='invalid')
     self.server.dataReceived(str(pureldap.LDAPMessage(attempt, id=78)))

     rejection = pureldap.LDAPBindResponse(
         resultCode=ldaperrors.LDAPInvalidCredentials.resultCode)
     expected = str(pureldap.LDAPMessage(rejection, id=78))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 9
 def test_bind_invalidCredentials_badPassword(self):
     # Binding as cn=thingie with the password 'invalid' must yield
     # invalidCredentials.  The expected response is built from the result
     # code alone (no matchedDN or errorMessage is passed), so the reply
     # does not say which part of the credentials was wrong.
     attempt = pureldap.LDAPBindRequest(
         dn='cn=thingie,ou=stuff,dc=example,dc=com',
         auth='invalid')
     self.server.dataReceived(str(pureldap.LDAPMessage(attempt, id=734)))

     rejection = pureldap.LDAPBindResponse(
         resultCode=ldaperrors.LDAPInvalidCredentials.resultCode)
     expected = str(pureldap.LDAPMessage(rejection, id=734))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 10
 def test_control_unknown_critical(self):
     # A request carrying a control the server does not know, flagged as
     # critical, must be refused with unavailableCriticalExtension and a
     # message naming the control, rather than processed without it.
     # NOTE(review): the control tuple looks like (OID, criticality, value)
     # -- confirm against pureldap.LDAPMessage.
     unknownCritical = [
         ('42.42.42.42', True, None),
     ]
     request = pureldap.LDAPMessage(pureldap.LDAPBindRequest(),
                                    id=2,
                                    controls=unknownCritical)
     self.server.dataReceived(str(request))

     resultCode = ldaperrors.LDAPUnavailableCriticalExtension.resultCode
     refusal = pureldap.LDAPBindResponse(
         resultCode=resultCode,
         errorMessage='Unknown control 42.42.42.42')
     expected = str(pureldap.LDAPMessage(refusal, id=2))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 11
 def test_bind_success(self):
     # The entry's stored credential is a fixture in {SSHA} form; per the
     # inline comment its plaintext is "secret".  Binding with that password
     # must return resultCode 0 and echo the bound DN in matchedDN.
     boundDN = 'cn=thingie,ou=stuff,dc=example,dc=com'
     self.thingie['userPassword'] = [
         '{SSHA}yVLLj62rFf3kDAbzwEU0zYAVvbWrze8='
     ]  # "secret"

     attempt = pureldap.LDAPBindRequest(dn=boundDN, auth='secret')
     self.server.dataReceived(str(pureldap.LDAPMessage(attempt, id=4)))

     success = pureldap.LDAPBindResponse(resultCode=0, matchedDN=boundDN)
     expected = str(pureldap.LDAPMessage(success, id=4))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 12
 def test_bind_badVersion_4_nonExisting(self):
     # A bind announcing protocol version 4 must be refused with
     # protocolError.  The DN used here does not exist and the password is
     # wrong, yet the reply is the version error, not invalidCredentials.
     #
     # TODO make a test just like this one that would pass authentication
     # if version was correct, to ensure we don't leak that info either.
     attempt = pureldap.LDAPBindRequest(
         version=4,
         dn='cn=non-existing,dc=example,dc=com',
         auth='invalid')
     self.server.dataReceived(str(pureldap.LDAPMessage(attempt, id=11)))

     refusal = pureldap.LDAPBindResponse(
         resultCode=ldaperrors.LDAPProtocolError.resultCode,
         errorMessage='Version 4 not supported')
     expected = str(pureldap.LDAPMessage(refusal, id=11))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 13
 def test_control_unknown_nonCritical(self):
     # An unknown control that is NOT flagged critical must not block the
     # operation: the bind with the correct password still succeeds and
     # echoes the bound DN.
     # NOTE(review): the control tuple looks like (OID, criticality, value)
     # -- confirm against pureldap.LDAPMessage.
     boundDN = 'cn=thingie,ou=stuff,dc=example,dc=com'
     self.thingie['userPassword'] = [
         '{SSHA}yVLLj62rFf3kDAbzwEU0zYAVvbWrze8='
     ]  # "secret"

     attempt = pureldap.LDAPBindRequest(dn=boundDN, auth='secret')
     request = pureldap.LDAPMessage(attempt,
                                    controls=[('42.42.42.42', False, None)],
                                    id=4)
     self.server.dataReceived(str(request))

     success = pureldap.LDAPBindResponse(resultCode=0, matchedDN=boundDN)
     expected = str(pureldap.LDAPMessage(success, id=4))
     self.assertEquals(self.server.transport.value(), expected)
Esempio n. 14
    def test_passwordModify_simple(self):
        # Password Modify extended operation, issued after binding as the
        # entry whose password is being changed.  Two things are pinned: the
        # server answers with Success, and the stored userPassword afterwards
        # is a single {SSHA} value that verifies against the new password,
        # i.e. the new password is not kept in plaintext.
        scheme = '{SSHA}'
        thingieDN = 'cn=thingie,ou=stuff,dc=example,dc=com'

        # first bind to some entry
        self.thingie['userPassword'] = [
            '{SSHA}yVLLj62rFf3kDAbzwEU0zYAVvbWrze8='
        ]  # "secret"
        bindAttempt = pureldap.LDAPBindRequest(dn=thingieDN, auth='secret')
        self.server.dataReceived(str(pureldap.LDAPMessage(bindAttempt, id=4)))
        bindReply = pureldap.LDAPBindResponse(resultCode=0,
                                              matchedDN=thingieDN)
        self.assertEquals(self.server.transport.value(),
                          str(pureldap.LDAPMessage(bindReply, id=4)))
        # Drop the bind reply so the next assertion sees only the reply to
        # the password change.
        self.server.transport.clear()

        change = pureldap.LDAPPasswordModifyRequest(
            userIdentity=thingieDN,
            newPasswd='hushhush')
        self.server.dataReceived(str(pureldap.LDAPMessage(change, id=2)))
        changeReply = pureldap.LDAPExtendedResponse(
            resultCode=ldaperrors.Success.resultCode,
            responseName=pureldap.LDAPPasswordModifyRequest.oid)
        self.assertEquals(
            self.server.transport.value(),
            str(pureldap.LDAPMessage(changeReply, id=2)),
        )

        # tree changed
        stored = self.thingie.get('userPassword', [])
        self.assertEquals(len(stored), 1)
        for value in stored:
            self.assertEquals(value[:len(scheme)], scheme)
            decoded = base64.decodestring(value[len(scheme):])
            # In the usual {SSHA} layout the first 20 bytes are the SHA-1
            # digest and the remainder is the salt.  Recomputing the digest
            # with that salt must reproduce the stored value exactly.
            salt = decoded[20:]
            self.assertEquals(entry.sshaDigest('hushhush', salt), value)
Esempio n. 15
    def handle_LDAPBindRequest(self, request, controls, reply):
        """Handle a bind request.

        Order of checks: protocol version first (anything other than 3
        raises LDAPProtocolError), then the request controls via
        self.checkControls, and only then the credentials.

        An empty DN is treated as an anonymous bind: self.boundUser is reset
        to None and a resultCode 0 response is returned immediately, without
        looking at request.auth.

        Otherwise the DN is looked up under the root entry adapted from
        self.factory and the method returns the Deferred of that lookup. A
        lookup failing with LDAPNoSuchObject is converted into
        LDAPInvalidCredentials, so an unknown DN and a rejected password
        raise the same error type. On a successful entry.bind(), the entry
        is recorded in self.boundUser and a Success response carrying its DN
        as matchedDN is produced.

        NOTE(review): a non-empty DN with an empty password (an
        "unauthenticated bind") is passed to entry.bind() unchanged;
        entry.bind() is not visible here -- confirm that it rejects it.
        """
        if request.version != 3:
            raise ldaperrors.LDAPProtocolError(
                'Version %u not supported' % request.version)

        self.checkControls(controls)

        if request.dn == '':
            # anonymous bind
            self.boundUser = None
            return pureldap.LDAPBindResponse(resultCode=0)

        def _missingEntryToNone(failure):
            # Only "no such object" is swallowed; any other lookup failure
            # keeps propagating down the errback chain.
            failure.trap(ldaperrors.LDAPNoSuchObject)
            return None

        def _recordBoundUser(entry):
            self.boundUser = entry
            return pureldap.LDAPBindResponse(
                resultCode=ldaperrors.Success.resultCode,
                matchedDN=str(entry.dn))

        def _authenticate(entry, auth):
            if entry is None:
                # Unknown DN: same error as a failed password check.
                raise ldaperrors.LDAPInvalidCredentials

            binding = entry.bind(auth)
            binding.addCallback(_recordBoundUser)
            return binding

        targetDN = distinguishedname.DistinguishedName(request.dn)
        root = interfaces.IConnectedLDAPEntry(self.factory)
        lookup = root.lookup(targetDN)
        # The errback is attached before the callback so that a missing
        # entry reaches _authenticate as None.
        lookup.addErrback(_missingEntryToNone)
        lookup.addCallback(_authenticate, request.auth)
        return lookup
Esempio n. 16
 def _cb(entry):
     # Success callback for a bind: remember the entry as the bound user on
     # the enclosing object (``self`` comes from the surrounding scope, which
     # is not visible in this excerpt) and answer with Success, echoing the
     # entry's DN as matchedDN.
     self.boundUser = entry
     return pureldap.LDAPBindResponse(
         resultCode=ldaperrors.Success.resultCode,
         matchedDN=str(entry.dn))
Esempio n. 17
    def test_bind_noMatchingServicesFound_fallback_badAuth(self):
        # None of the three configured services has an entry for cn=jack
        # (each search returns only SearchResultDone), and fallback is on.
        # Upstream must therefore see one search per service, in order,
        # followed by a plain bind with the client's own DN and password.
        # That bind is rejected upstream, and the client must receive
        # invalidCredentials: fallback does not turn a wrong password into a
        # success.
        #
        # NOTE(review): the expected filters embed the bind DN verbatim.  The
        # code that builds them is not visible here; confirm it escapes LDAP
        # filter metacharacters in a client-supplied DN.
        services = ['svc1', 'svc2', 'svc3']
        noMatch = [
            [pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)]
            for _ in services
        ]
        upstreamBindRejected = [
            pureldap.LDAPBindResponse(
                resultCode=ldaperrors.LDAPInvalidCredentials.resultCode),
        ]
        server = self.createServer(
            services=services,
            fallback=True,
            responses=noMatch + [upstreamBindRejected])

        attempt = pureldap.LDAPBindRequest(
            dn='cn=jack,dc=example,dc=com', auth='wrong-s3krit')
        server.dataReceived(str(pureldap.LDAPMessage(attempt, id=4)))
        # TODO: single reactor turn; presumably lets the searches and the
        # fallback bind complete.
        reactor.iterate()
        client = server.client

        def expectedSearch(serviceClause):
            # Search the proxy is expected to issue for one service name.
            return pureldap.LDAPSearchRequest(
                baseObject='dc=example,dc=com',
                derefAliases=0,
                sizeLimit=0,
                timeLimit=0,
                typesOnly=0,
                filter=ldapfilter.parseFilter(
                    '(&' + '(objectClass=serviceSecurityObject)' +
                    '(owner=cn=jack,dc=example,dc=com)' + serviceClause +
                    ('(|(!(validFrom=*))(validFrom<=%s))' % server.now) +
                    ('(|(!(validUntil=*))(validUntil>=%s))' % server.now) +
                    ')'),
                # '1.1' is the LDAP "no attributes" selector: only the DN of
                # a matching entry is needed.
                attributes=('1.1', ))

        client.assertSent(
            expectedSearch('(cn=svc1)'),
            expectedSearch('(cn=svc2)'),
            expectedSearch('(cn=svc3)'),
            pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com',
                                     auth='wrong-s3krit'))

        rejection = pureldap.LDAPBindResponse(
            resultCode=ldaperrors.LDAPInvalidCredentials.resultCode)
        expected = str(pureldap.LDAPMessage(rejection, id=4))
        self.assertEquals(server.transport.value(), expected)