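def test_queued_account_gets_added_to_ldap(self):
    """Activating a queued account creates a fully populated LDAP entry.

    Saves the queued fixture user, runs the ``activate`` view for its
    encrypted id, then looks the new entry up once in the mock directory
    and checks every attribute: identity fields copied from the queued
    user, the md5-crypt ``userPassword`` verified against the fixture's
    clear-text password, and the expected POSIX/ACL values for this
    fixture (``uidNumber`` 1002, ``gidNumber`` 100, ``gentooACL``
    user.group).
    """
    vars.QUEUEDUSER.save()
    activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id
    request = set_request(activate_url, messages=True)
    activate(request, vars.QUEUEDUSER.encrypted_id)

    # One lookup, reused by every assertion below.
    entry = ldap_users(vars.QUEUEDUSER.username,
                       directory=self.ldapobj.directory)
    self.assertTrue(entry)
    ldap_account = entry[1]
    full_name = '%s %s' % (vars.QUEUEDUSER.first_name,
                           vars.QUEUEDUSER.last_name)

    self.assertEqual(ldap_account['objectClass'],
                     settings.AUTH_LDAP_USER_OBJECTCLASS)
    self.assertEqual(ldap_account['sn'][0], vars.QUEUEDUSER.last_name)
    self.assertEqual(ldap_account['cn'][0], full_name)
    self.assertEqual(ldap_account['givenName'][0], vars.QUEUEDUSER.first_name)
    self.assertEqual(ldap_account['mail'][0], vars.QUEUEDUSER.email)
    self.assertEqual(ldap_account['uid'][0], vars.QUEUEDUSER.username)
    # Only a hash may land in the directory; it must verify against the
    # clear-text password the fixture user queued with.
    self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password,
                                          ldap_account['userPassword'][0]))
    # POSIX account attributes expected for this fixture.
    self.assertEqual(ldap_account['uidNumber'][0], '1002')
    self.assertEqual(ldap_account['gidNumber'][0], '100')
    self.assertEqual(ldap_account['gecos'][0], full_name)
    self.assertEqual(ldap_account['homeDirectory'][0],
                     '/home/%s' % vars.QUEUEDUSER.username)
    self.assertEqual(ldap_account['gentooACL'][0], 'user.group')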
def test_secondary_password_gets_added_in_ldap(self):
    """Setting a secondary password appends a second ``userPassword`` value.

    alice starts with exactly one password value; after
    ``set_secondary_password`` the mock directory must hold two.
    """
    req = set_request(uri='/', user=vars.USER_ALICE)
    before = ldap_users('alice')[1]['userPassword']
    self.assertEqual(len(before), 1)

    set_secondary_password(req, 'ldaptest')

    after = ldap_users('alice',
                       directory=self.ldapobj.directory)[1]['userPassword']
    self.assertEqual(len(after), 2)
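def test_add_first_user_in_empty_ldap_directory(self):
    """The first account added to an empty directory receives uidNumber 1.

    Replaces the mock directory with a clean one, activates the queued
    fixture user, and checks (with a single lookup) that the entry exists
    and was assigned the lowest uid.
    """
    vars.QUEUEDUSER.save()
    activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id
    # Start from an empty directory so uid allocation is observed from scratch.
    self.ldapobj.directory = ldap_users(clean=True)
    request = set_request(activate_url, messages=True)
    activate(request, vars.QUEUEDUSER.encrypted_id)

    entry = ldap_users(vars.QUEUEDUSER.username,
                       directory=self.ldapobj.directory)
    self.assertTrue(entry)
    self.assertEqual(entry[1]["uidNumber"][0], "1")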
def test_remove_leftovers_before_adding_secondary_password(self):
    """A stale md5-crypt value on alice is dropped when a secondary password is set.

    A hash of an unrelated password is appended straight into alice's
    ``userPassword`` values; after ``set_secondary_password`` runs it must
    be gone from the mock directory.
    """
    stale_hash = ldap_md5_crypt.encrypt('leftover_password')
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(stale_hash)

    req = set_request(uri='/', user=vars.USER_ALICE)
    set_secondary_password(req, 'ldaptest')

    remaining = ldap_users('alice',
                           directory=self.ldapobj.directory)[1]['userPassword']
    self.assertNotIn(stale_hash, remaining)
def test_secondary_password_is_removed_in_logout(self):
    """Logging out removes the session's secondary password from LDAP.

    A random 48-byte secret is base64-encoded, md5-crypt hashed and
    appended to alice's ``userPassword``; the session receives the secret
    in encrypted form. After ``logout`` only the primary value remains.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users("alice")[0]
    self.ldapobj.directory[alice_dn]["userPassword"].append(secret_hash)

    req = set_request(uri="/login", post=vars.LOGIN_ALICE,
                      user=vars.USER_ALICE)
    # The session holds the secret encrypted, mirroring what login stores.
    req.session["secondary_password"] = cipher.encrypt(secret)
    logout(req)

    remaining = ldap_users("alice",
                           directory=self.ldapobj.directory)[1]["userPassword"]
    self.assertEqual(len(remaining), 1)
def test_dont_remove_primary_password_while_cleaning_leftovers(self):
    """Leftover cleanup must leave alice's primary password in place.

    With a stale hash appended, ``set_secondary_password`` runs and the
    first ``userPassword`` value must still verify against 'ldaptest'.
    """
    stale_hash = ldap_md5_crypt.encrypt('leftover_password')
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(stale_hash)

    req = set_request(uri='/', user=vars.USER_ALICE)
    set_secondary_password(req, 'ldaptest')

    primary_hash = ldap_users(
        'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]
    self.assertTrue(ldap_md5_crypt.verify('ldaptest', primary_hash))
def test_dont_remove_unknown_hashes_while_cleaning_leftovers(self):
    """Cleanup removes stale md5-crypt values but keeps values it does not recognise.

    Two extra ``userPassword`` values are appended to alice: an md5-crypt
    hash and a plain, non-hash string. After ``set_secondary_password``
    the plain string must still be present.
    """
    alice_dn = ldap_users('alice')[0]
    stale_hash = ldap_md5_crypt.encrypt('leftover_password')
    self.ldapobj.directory[alice_dn]['userPassword'].append(stale_hash)
    opaque_value = 'plain_leftover2'
    self.ldapobj.directory[alice_dn]['userPassword'].append(opaque_value)

    req = set_request(uri='/', user=vars.USER_ALICE)
    set_secondary_password(req, 'ldaptest')

    remaining = ldap_users('alice',
                           directory=self.ldapobj.directory)[1]['userPassword']
    self.assertIn(opaque_value, remaining)
def test_remove_secondary_password_from_ldap(self):
    """``remove_secondary_password`` deletes the session's hash from LDAP.

    The md5-crypt hash of a random 48-byte secret is appended to alice's
    ``userPassword`` and the encrypted secret placed in the session; after
    the call that hash must no longer be in the directory.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request(uri='/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)
    remove_secondary_password(req)

    remaining = ldap_users('alice',
                           directory=self.ldapobj.directory)[1]['userPassword']
    self.assertNotIn(secret_hash, remaining)
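def test_add_first_user_in_empty_ldap_directory(self):
    """The first account added to an empty directory receives uidNumber 1.

    Replaces the mock directory with a clean one, activates the queued
    fixture user, and checks (with a single lookup) that the entry exists
    and was assigned the lowest uid.
    """
    vars.QUEUEDUSER.save()
    activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id
    # Start from an empty directory so uid allocation is observed from scratch.
    self.ldapobj.directory = ldap_users(clean=True)
    request = set_request(activate_url, messages=True)
    activate(request, vars.QUEUEDUSER.encrypted_id)

    entry = ldap_users(vars.QUEUEDUSER.username,
                       directory=self.ldapobj.directory)
    self.assertTrue(entry)
    self.assertEqual(entry[1]['uidNumber'][0], '1')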
def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
    """Removing the secondary password must not touch alice's primary one.

    After ``remove_secondary_password`` the first ``userPassword`` value
    must still verify against 'ldaptest'.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request(uri='/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)
    remove_secondary_password(req)

    primary_hash = ldap_users(
        'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]
    self.assertTrue(ldap_md5_crypt.verify('ldaptest', primary_hash))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
    """Binding with an explicit password configures the session's DB alias.

    Inside the ``get_bound_ldapuser`` context, the ``PASSWORD`` of the
    ``ldap_<cache_key>`` database alias must verify against alice's stored
    primary ``userPassword`` hash.
    """
    req = set_request('/', user=vars.USER_ALICE)
    # NOTE(review): the literal below looks redacted; for verify() to pass it
    # presumably has to be alice's real primary password — confirm against the
    # fixture.
    with get_bound_ldapuser(req, password='******') as user:  # noqa
        alias = 'ldap_%s' % req.session.cache_key
        configured = settings.DATABASES[alias]['PASSWORD']
        stored_hash = ldap_users('alice')[1]['userPassword'][0]
        self.assertTrue(ldap_md5_crypt.verify(configured, stored_hash))
def test_secondary_password_is_removed_in_logout(self):
    """Logging out removes the session's secondary password from LDAP.

    A random 48-byte secret is base64-encoded, md5-crypt hashed and
    appended to alice's ``userPassword``; the session receives the secret
    in encrypted form. After ``logout`` only the primary value remains.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request(uri='/login', post=vars.LOGIN_ALICE,
                      user=vars.USER_ALICE)
    # The session holds the secret encrypted, mirroring what login stores.
    req.session['secondary_password'] = cipher.encrypt(secret)
    logout(req)

    remaining = ldap_users('alice',
                           directory=self.ldapobj.directory)[1]['userPassword']
    self.assertEqual(len(remaining), 1)
def test_session_and_ldap_secondary_passwords_match(self):
    """The session's secondary password matches the hash written to LDAP.

    Decrypts the 48-byte secret from the session, base64-encodes it and
    verifies it against the second ``userPassword`` value alice now has.
    """
    req = set_request(uri='/', user=vars.USER_ALICE)
    set_secondary_password(req, 'ldaptest')

    session_secret = cipher.decrypt(req.session['secondary_password'], 48)
    ldap_hash = ldap_users(
        'alice', directory=self.ldapobj.directory)[1]['userPassword'][1]
    self.assertTrue(ldap_md5_crypt.verify(b64encode(session_secret),
                                          ldap_hash))
def test_secondary_password_is_added_in_login(self):
    """Logging in adds a secondary password to LDAP and to the session.

    After ``login`` alice has two ``userPassword`` values and the session
    holds a 48-byte ``secondary_password`` entry.
    """
    req = set_request(uri='/login', post=vars.LOGIN_ALICE)
    login(req)

    stored = ldap_users('alice',
                        directory=self.ldapobj.directory)[1]['userPassword']
    self.assertEqual(len(stored), 2)
    self.assertEqual(len(req.session['secondary_password']), 48)
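def test_queued_account_gets_added_to_ldap(self):
    """Activating a queued account creates a fully populated LDAP entry.

    Saves the queued fixture user, runs the ``activate`` view for its
    encrypted id, then looks the new entry up once in the mock directory
    and checks every attribute: identity fields copied from the queued
    user, the md5-crypt ``userPassword`` verified against the fixture's
    clear-text password, and the expected POSIX/ACL values for this
    fixture (``uidNumber`` 1002, ``gidNumber`` 100, ``gentooACL``
    user.group).
    """
    vars.QUEUEDUSER.save()
    activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id
    request = set_request(activate_url, messages=True)
    activate(request, vars.QUEUEDUSER.encrypted_id)

    # One lookup, reused by every assertion below.
    entry = ldap_users(vars.QUEUEDUSER.username,
                       directory=self.ldapobj.directory)
    self.assertTrue(entry)
    ldap_account = entry[1]
    full_name = "%s %s" % (vars.QUEUEDUSER.first_name,
                           vars.QUEUEDUSER.last_name)

    self.assertEqual(ldap_account["objectClass"],
                     settings.AUTH_LDAP_USER_OBJECTCLASS)
    self.assertEqual(ldap_account["sn"][0], vars.QUEUEDUSER.last_name)
    self.assertEqual(ldap_account["cn"][0], full_name)
    self.assertEqual(ldap_account["givenName"][0], vars.QUEUEDUSER.first_name)
    self.assertEqual(ldap_account["mail"][0], vars.QUEUEDUSER.email)
    self.assertEqual(ldap_account["uid"][0], vars.QUEUEDUSER.username)
    # Only a hash may land in the directory; it must verify against the
    # clear-text password the fixture user queued with.
    self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password,
                                          ldap_account["userPassword"][0]))
    # POSIX account attributes expected for this fixture.
    self.assertEqual(ldap_account["uidNumber"][0], "1002")
    self.assertEqual(ldap_account["gidNumber"][0], "100")
    self.assertEqual(ldap_account["gecos"][0], full_name)
    self.assertEqual(ldap_account["homeDirectory"][0],
                     "/home/%s" % vars.QUEUEDUSER.username)
    self.assertEqual(ldap_account["gentooACL"][0], "user.group")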
def test_get_bound_ldapuser_from_request(self):
    """``get_bound_ldapuser`` yields alice when the session holds her secondary password.

    The md5-crypt hash of a random 48-byte secret is appended to alice's
    ``userPassword`` and the encrypted secret stored in the session; the
    user yielded by the context manager must have alice's username.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as bound_user:
        self.assertEqual(bound_user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_from_request(self):
    """``get_bound_ldapuser`` yields alice when the session holds her secondary password.

    The md5-crypt hash of a random 48-byte secret is appended to alice's
    ``userPassword`` and the encrypted secret stored in the session; the
    user yielded by the context manager must have alice's username.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as bound_user:
        self.assertEqual(bound_user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
    """Binding from the session sets the DB alias password to the secondary password.

    Inside the ``get_bound_ldapuser`` context, ``PASSWORD`` of the
    ``ldap_<cache_key>`` database alias must equal the base64 encoding of
    the secret that was stored encrypted in the session.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as user:  # noqa
        alias = 'ldap_%s' % req.session.cache_key
        self.assertEqual(settings.DATABASES[alias]['PASSWORD'],
                         b64encode(secret))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
    """Binding from the session sets the DB alias password to the secondary password.

    Inside the ``get_bound_ldapuser`` context, ``PASSWORD`` of the
    ``ldap_<cache_key>`` database alias must equal the base64 encoding of
    the secret that was stored encrypted in the session.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as user:  # noqa
        alias = 'ldap_%s' % req.session.cache_key
        self.assertEqual(settings.DATABASES[alias]['PASSWORD'],
                         b64encode(secret))
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
    """Leaving the ``get_bound_ldapuser`` context removes bind credentials from settings.

    Once the context exits, the ``ldap_<cache_key>`` database alias must
    carry neither a ``USER`` nor a ``PASSWORD`` key, so the session's bind
    secret does not linger in process-wide settings.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as user:  # noqa
        pass

    alias = 'ldap_%s' % req.session.cache_key
    alias_settings = settings.DATABASES.get(alias, {})
    self.assertNotIn('USER', alias_settings)
    self.assertNotIn('PASSWORD', alias_settings)
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
    """Leaving the ``get_bound_ldapuser`` context removes bind credentials from settings.

    Once the context exits, the ``ldap_<cache_key>`` database alias must
    carry neither a ``USER`` nor a ``PASSWORD`` key, so the session's bind
    secret does not linger in process-wide settings.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)

    req = set_request('/', user=vars.USER_ALICE)
    req.session['secondary_password'] = cipher.encrypt(secret)

    with get_bound_ldapuser(req) as user:  # noqa
        pass

    alias = 'ldap_%s' % req.session.cache_key
    alias_settings = settings.DATABASES.get(alias, {})
    self.assertNotIn('USER', alias_settings)
    self.assertNotIn('PASSWORD', alias_settings)
def test_valid_rsa_key_with_comment_authenticates_bob(self):
    """bob's stored RSA key (carrying a comment) authenticates as bob.

    The key material is read from bob's LDAP entry via ``get_ssh_key``,
    parsed with paramiko, and the user returned by ``authenticate`` must
    carry bob's ``uid``.
    """
    _dn, bob_entry = ldap_users('bob')
    rsa_key = paramiko.RSAKey(data=self.get_ssh_key(bob_entry))
    authenticated = authenticate(ssh_key=rsa_key)
    self.assertEqual(authenticated.username, bob_entry['uid'][0])
def test_secondary_password_is_added_in_login(self):
    """Logging in adds a secondary password to LDAP and to the session.

    After ``login`` alice has two ``userPassword`` values and the session
    holds a 48-byte ``secondary_password`` entry.
    """
    req = set_request(uri="/login", post=vars.LOGIN_ALICE)
    login(req)

    stored = ldap_users("alice",
                        directory=self.ldapobj.directory)[1]["userPassword"]
    self.assertEqual(len(stored), 2)
    self.assertEqual(len(req.session["secondary_password"]), 48)
def test_valid_rsa_ssh_key_authenticates_alice(self):
    """alice's stored RSA key authenticates as alice.

    The key material is read from alice's LDAP entry via ``get_ssh_key``,
    parsed with paramiko, and the user returned by ``authenticate`` must
    carry alice's ``uid``.
    """
    _dn, alice_entry = ldap_users('alice')
    rsa_key = paramiko.RSAKey(data=self.get_ssh_key(alice_entry))
    authenticated = authenticate(ssh_key=rsa_key)
    self.assertEqual(authenticated.username, alice_entry['uid'][0])
def test_valid_dss_ssh_key_authenticates_bob(self):
    """bob's second stored key, parsed as DSS, authenticates as bob.

    ``get_ssh_key(bob, 1)`` selects the second key in bob's entry; it is
    parsed as a DSS key and the user ``authenticate`` returns must carry
    bob's ``uid``.
    """
    _dn, bob_entry = ldap_users('bob')
    # NOTE(review): DSA/DSS keys are deprecated in current OpenSSH; this test
    # pins the fixture's existing key, not a recommendation of the algorithm.
    dss_key = paramiko.DSSKey(data=self.get_ssh_key(bob_entry, 1))
    authenticated = authenticate(ssh_key=dss_key)
    self.assertEqual(authenticated.username, bob_entry['uid'][0])
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
    """Binding with an explicit password configures the session's DB alias.

    Inside the ``get_bound_ldapuser`` context, the ``PASSWORD`` of the
    ``ldap_<cache_key>`` database alias must verify against alice's stored
    primary ``userPassword`` hash.
    """
    req = set_request('/', user=vars.USER_ALICE)
    # NOTE(review): the literal below looks redacted; for verify() to pass it
    # presumably has to be alice's real primary password — confirm against the
    # fixture.
    with get_bound_ldapuser(req, password='******') as user:  # noqa
        alias = 'ldap_%s' % req.session.cache_key
        configured = settings.DATABASES[alias]['PASSWORD']
        stored_hash = ldap_users('alice')[1]['userPassword'][0]
        self.assertTrue(ldap_md5_crypt.verify(configured, stored_hash))