def test_search(self):
"""
When performing an LDAP search against the server; the search results and
a single "search done" response is written to the transport.
"""
server = self.createServer(
[pureldap.LDAPBindResponse(resultCode=0)],
[
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)
],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
server.reactor.advance(1)
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire())
def test_bind_noMatchingServicesFound_fallback_success(self):
server = self.createServer(
services=['svc1',
'svc2',
'svc3',
],
fallback=True,
responses=[
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode) ],
[ pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode) ],
])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit'), id=4)))
reactor.iterate() #TODO
client = server.client
client.assertSent(
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc1)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc2)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPSearchRequest(baseObject='dc=example,dc=com',
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=ldapfilter.parseFilter('(&'
+'(objectClass=serviceSecurityObject)'
+'(owner=cn=jack,dc=example,dc=com)'
+'(cn=svc3)'
+('(|(!(validFrom=*))(validFrom<=%s))' % server.now)
+('(|(!(validUntil=*))(validUntil>=%s))' % server.now)
+')'),
attributes=('1.1',)),
pureldap.LDAPBindRequest(dn='cn=jack,dc=example,dc=com', auth='s3krit'))
self.assertEquals(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=ldaperrors.Success.resultCode), id=4)))
def test_intercepted_search_response(self):
"""
When performing an LDAP search against the server; the search results are
intercepted and modified by the proxy.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)], [
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)
],
protocol=ResponseInterceptingProxy)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
server.reactor.advance(1)
server.reactor.advance(5)
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b']),
('frotz', ['xyzzy'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c']),
('frotz', ['xyzzy'])]),
id=3).toWire() +
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire())
def test_unbind_clientEOF(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
reactor.iterate() #TODO
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.connectionLost(error.ConnectionDone)
reactor.iterate() #TODO
client.assertSent(pureldap.LDAPBindRequest(),
'fake-unbind-by-LDAPClientTestDriver')
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_realm_mapping_succeeds_case_sensitive(self):
marker = 'markerSecret'
password = '******'
service_dn = 'uid=passthrough,cn=users,dc=test,dc=local'
dn = 'uid=Hugo,cn=users,dc=test,DC=LOCAL'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(service_dn, 'service-secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' %
marker,
scope=pureldap.LDAP_SCOPE_baseObject)
# sleep half a second and then try to bind as hugo
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(
resultCode=0), # for service account (successful hugo bind)
])
yield client2.bind(
dn.lower(),
password) # this will work even though the DN has differing case
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'realmSecret', password, True)])
time.sleep(1) # to clean the reactor
def test_search(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3)))
reactor.iterate() #TODO
self.assertEquals(
server.transport.value(),
str(
pureldap.LDAPMessage(
pureldap.LDAPBindResponse(resultCode=0), id=2)) + str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=foo,dc=example,dc=com', [('a', ['b'])]),
id=3)) +
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=bar,dc=example,dc=com', [('b', ['c'])]),
id=3)) +
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3)))
def test_realm_mapping_fails_wrong_password(self):
marker = 'markerSecret'
realm = 'realmSecret'
password = '******' # this is the wrong password!
service_dn = 'uid=passthrough,cn=users,dc=test,dc=local'
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(service_dn, 'service-secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
r = yield entry.search('(|(objectClass=*)(objectclass=App-%s))' %
marker,
scope=pureldap.LDAP_SCOPE_baseObject)
# sleep a second and then try to bind as hugo
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(
resultCode=0), # for service account (successful hugo bind)
])
d = client2.bind(dn, password)
yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', realm, password, False)])
time.sleep(1) # to clean the reactor
def test_unbind_clientUnbinds(self):
"""
The server disconnects from the client gracefully when the
client signals its intent to unbind.
"""
server = self.createServer(
[pureldap.LDAPBindResponse(resultCode=0)],
[],
)
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.reactor.advance(1)
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3)))
server.connectionLost(error.ConnectionDone)
server.reactor.advance(1)
client.assertSent(pureldap.LDAPBindRequest(),
pureldap.LDAPUnbindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_unbind_clientEOF(self):
"""
The server disconects correctly when the client terminates the
connection without sending an unbind request.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)])
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2)))
server.reactor.advance(1)
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
server.connectionLost(error.ConnectionDone)
server.reactor.advance(1)
client.assertSent(pureldap.LDAPBindRequest(),
'fake-unbind-by-LDAPClientTestDriver')
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2)))
def test_search(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[
pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com",
[("a", ["b"])]),
pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com",
[("b", ["c"])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=3).toWire())
reactor.iterate() # TODO
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire() +
pureldap.LDAPMessage(
pureldap.LDAPSearchResultEntry("cn=foo,dc=example,dc=com",
[("a", ["b"])]),
id=3,
).toWire() + pureldap.LDAPMessage(
pureldap.LDAPSearchResultEntry("cn=bar,dc=example,dc=com",
[("b", ["c"])]),
id=3,
).toWire() + pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=3).toWire(),
)
def test_bind(self):
server = self.createServer([ pureldap.LDAPBindResponse(resultCode=0),
])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)))
reactor.iterate() #TODO
self.assertEqual(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def test_unbind_clientUnbinds(self):
server = self.createServer(
[
pureldap.LDAPBindResponse(resultCode=0),
],
[],
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=2).toWire())
reactor.iterate() # TODO
client = server.client
client.assertSent(pureldap.LDAPBindRequest())
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire(),
)
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPUnbindRequest(), id=3).toWire())
server.connectionLost(error.ConnectionDone)
reactor.iterate() # TODO
client.assertSent(pureldap.LDAPBindRequest(),
pureldap.LDAPUnbindRequest())
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=2).toWire(),
)
def test_bind(self):
"""
When binding to the server an `LDAPBindResponse` with a successful
result code.is written to the transport.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)])
server.dataReceived(str(pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4)))
server.reactor.advance(1)
self.assertEqual(server.transport.value(),
str(pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0), id=4)))
def _maybeFallback(self, entry, request, controls, reply):
if entry is not None:
msg = pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode, matchedDN=request.dn)
return msg
elif self.fallback:
self.handleUnknown(request, controls, reply)
else:
msg = pureldap.LDAPBindResponse(
resultCode=ldaperrors.LDAPInvalidCredentials.resultCode)
return msg
def handleProxiedResponse(self, response, request, controls):
global binds
if isinstance(request, pureldap.LDAPCompareRequest):
print(request)
print("Compare Request")
if isinstance(request, pureldap.LDAPBindRequest):
dnrequested = str(request.dn.decode('utf-8').strip())
dnpassword = str(request.auth.decode('utf-8').strip())
try:
jwtsecret = os.environ.get("JWT_SECRET")
token = jwt.decode(dnpassword, jwtsecret, algorithms="HS256")
log.msg("Token received, details follow:")
log.msg(token)
epoch_time = int(time.time())
try:
expiresat = int(token['expires_at'])
username = str(token['username'])
if (expiresat - epoch_time < 0):
#token has expired
log.msg("JWT was expired; return failure")
response = pureldap.LDAPBindResponse(resultCode=49)
return defer.succeed(response)
if username.lower() == dnrequested.lower():
log.msg("JWT was provided and valid, return success")
response = pureldap.LDAPBindResponse(resultCode=0)
return defer.succeed(response)
else:
log.msg(
"JWT did not match requested user, return failure")
response = pureldap.LDAPBindResponse(resultCode=49)
return defer.succeed(response)
except:
log.msg("JWT token format was invalid; return failure")
response = pureldap.LDAPBindResponse(resultCode=49)
return defer.succeed(response)
except:
#not a JWT
#log.msg("Not a JWT; proxying")
pass
log.msg("LDAP Bind for " + str(dnrequested) +
", proxying to upstream")
return defer.succeed(response)
def test_subsequent_binds_succeed(self):
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
yield client.bind(dn, 'secret')
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
yield client2.bind(dn, 'secret')
# but only one authentication request to privacyIDEA!
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'default', 'secret', True)])
time.sleep(2) # to clean the reactor
def test_reusing_connection_succeeds2(self):
# User Bind, User Bind
server, client = self.create_server_and_client(
[pureldap.LDAPBindResponse(resultCode=0)],
[pureldap.LDAPBindResponse(resultCode=0)])
yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
)
def _cb(entry):
self.boundUser = entry
msg = pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode,
matchedDN=entry.dn.getText(),
)
return msg
def test_intercepted_search_request(self):
"""
When performing an LDAP search against the server; the requests are
intercepted and custom responses are written to the transport.
"""
server = self.createServer([pureldap.LDAPBindResponse(resultCode=0)], [
pureldap.LDAPSearchResultEntry('cn=foo,dc=example,dc=com',
[('a', ['b'])]),
pureldap.LDAPSearchResultEntry('cn=bar,dc=example,dc=com',
[('b', ['c'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
],
protocol=RequestInterceptingProxy)
server.responses = [
pureldap.LDAPSearchResultEntry('cn=xyzzy,dc=example,dc=com',
[('frobnitz', ['zork'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode)
]
server.dataReceived(
str(pureldap.LDAPMessage(pureldap.LDAPSearchRequest(), id=1)))
server.reactor.advance(1)
self.assertEqual(len(server.clientTestDriver.sent), 0)
self.assertEqual(
server.transport.value(),
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultEntry(
'cn=xyzzy,dc=example,dc=com', [('frobnitz', ['zork'])]),
id=1)) +
str(
pureldap.LDAPMessage(pureldap.LDAPSearchResultDone(
ldaperrors.Success.resultCode),
id=1)))
def test_simple_search(self):
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(dn, 'secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
results = yield entry.search('(objectClass=*)',
scope=pureldap.LDAP_SCOPE_baseObject)
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0]['someattr']), 1)
(value, ) = results[0]['someattr']
self.assertEqual(value, 'somevalue')
def test_bind(self):
self.server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(), id=4).toWire())
self.assertEqual(
self.server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(resultCode=0),
id=4).toWire())
def test_bind_cache_cleared(self):
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
yield client.bind(dn, 'secret')
time.sleep(3) # which cleans the bind cache
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
yield client2.bind(dn, 'secret')
# two authentication requests to privacyIDEA!
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'default', 'secret', True),
('hugo', 'default', 'secret', True)])
time.sleep(2) # to clean the reactor
def _bind_callback(self, data):
cookies, user = data
self.cookies = cookies
return pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode,
matchedDN=user.dn)
def test_simple_bind(self):
dn = 'uid=thegreathugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client()
service_account_client = self.inject_service_account_server(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('sAMAccountName', ['hugo'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(dn, 'secret')
# Assert that Proxy<->Backend (the actual connection) did not send anything
server.client.assertNothingSent()
# Assert that Proxy<->Backend (the lookup connection) did send something
service_account_client.assertSent(
pureldap.LDAPBindRequest(
dn='uid=service,cn=users,dc=test,dc=local',
auth='service-secret'),
pureldap.LDAPSearchRequest(
baseObject='uid=thegreathugo,cn=users,dc=test,dc=local',
scope=0,
derefAliases=0,
sizeLimit=0,
timeLimit=0,
typesOnly=0,
filter=pureldap.LDAPFilter_present(value='objectClass'),
attributes=()), 'fake-unbind-by-LDAPClientTestDriver')
def test_realm_mapping_fails_fake_search_by_user(self):
service_dn = 'uid=passthrough,cn=users,dc=test,dc=local'
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client(
[
pureldap.LDAPBindResponse(resultCode=0), # for service account
],
[
pureldap.LDAPSearchResultEntry(dn,
[('someattr', ['somevalue'])]),
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client.bind(service_dn, 'service-secret')
# Assert that Proxy<->Backend uses the correct credentials
server.client.assertSent(
pureldap.LDAPBindRequest(dn=service_dn, auth='service-secret'), )
# Perform a simple search in the context of the service account
entry = LDAPEntry(client, dn)
r = yield entry.search(
'(|(objectClass=*)(objectcLAsS=App-markerSecret))',
scope=pureldap.LDAP_SCOPE_baseObject)
# sleep half a second and then try to bind as hugo
time.sleep(0.5)
server2, client2 = self.create_server_and_client(
[
pureldap.LDAPBindResponse(
resultCode=0
), # for service account (successful hugo bind)
],
[
pureldap.LDAPSearchResultEntry(
dn, [('someattr', ['somevalue'])]), # hugo's search
pureldap.LDAPSearchResultDone(ldaperrors.Success.resultCode),
])
yield client2.bind(dn, 'secret')
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'realmSecret', 'secret', True)])
# Perform another search in hugo's context
entry2 = LDAPEntry(client2, dn)
r = yield entry2.search(
'(|(objectClass=*)(objectcLAsS=App-markerOfficial))',
scope=pureldap.LDAP_SCOPE_baseObject)
self.assertTrue(
server.factory.app_cache.get_cached_marker(dn) in ('markerSecret',
None))
time.sleep(1) # to clean the reactor
def send_bind_response(self, result, request, reply):
"""
Given a bind request, authentication result and a reply function, send a successful or a failed bind response.
:param result: A tuple ``(success, message/app marker)``
:param request: The corresponding ``LDAPBindRequest``
:param reply: A function that expects a ``LDAPResult`` object
:return: nothing
"""
success, message = result
if success:
log.info('Sending BindResponse "success"')
app_marker = message
self.factory.finalize_authentication(request.dn, app_marker, request.auth)
reply(pureldap.LDAPBindResponse(ldaperrors.Success.resultCode))
else:
log.info('Sending BindResponse "invalid credentials": {message}', message=message)
reply(pureldap.LDAPBindResponse(ldaperrors.LDAPInvalidCredentials.resultCode, errorMessage=message))
def test_bind_cache_different_password(self):
dn = 'uid=hugo,cn=users,dc=test,dc=local'
server, client = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
yield client.bind(dn, 'secret')
time.sleep(0.5)
server2, client2 = self.create_server_and_client([
pureldap.LDAPBindResponse(resultCode=0), # for service account
])
d = client2.bind(dn, 'something-else')
yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
# two authentication requests to privacyIDEA!
self.assertEqual(self.privacyidea.authentication_requests,
[('hugo', 'default', 'secret', True),
('hugo', 'default', 'something-else', False)])
time.sleep(2) # to clean the reactor
def test_reusing_connection_fails2(self):
# Scenario 2: User Bind, Passthrough Bind
server, client = self.create_server_and_client(
[pureldap.LDAPBindResponse(resultCode=0)])
yield client.bind('uid=hugo,cn=users,dc=test,dc=local', 'secret')
d = client.bind('uid=passthrough,cn=users,dc=test,dc=local',
'some-secret')
yield self.assertFailure(d, ldaperrors.LDAPInvalidCredentials)
def test_bind_sasl_no_credentials(self):
# result code 14 is saslInprogress, with some server credentials.
server = self.createServer([
pureldap.LDAPBindResponse(resultCode=14,
serverSaslCreds='test123'),
])
server.dataReceived(
pureldap.LDAPMessage(pureldap.LDAPBindRequest(auth=('GSS-SPNEGO',
None),
sasl=True),
id=4).toWire())
reactor.iterate() #TODO
self.assertEqual(
server.transport.value(),
pureldap.LDAPMessage(pureldap.LDAPBindResponse(
resultCode=14, serverSaslCreds='test123'),
id=4).toWire())
def _cb(entry):
"""
Called when BIND operation was successful.
"""
self.boundUser = entry
msg = pureldap.LDAPBindResponse(
resultCode=ldaperrors.Success.resultCode,
matchedDN=entry.dn)
return msg
