def test_failed_verification_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'FAILURE' request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE u = authenticate(request=request) self.assertIs(u, None)
def test_get_bound_ldapuser_invalid_password_cleans_up_settings(self): request = set_request('/', user=vars.USER_ALICE) self.assertRaises(ldap.INVALID_CREDENTIALS, get_bound_ldapuser, request, 'test') db_alias = 'ldap_%s' % request.session.cache_key self.assertNotIn('USER', settings.DATABASES.get(db_alias, {})) self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def test_secondary_password_gets_added_in_ldap(self): request = set_request(uri='/', user=vars.USER_ALICE) self.assertEqual(len(ldap_users('alice')[1]['userPassword']), 1) set_secondary_password(request, 'ldaptest') self.assertEqual(len(ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword']), 2)
def test_unmatched_email_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE_WRONG_EMAIL u = authenticate(request=request) self.assertIs(u, None)
def test_incorrect_user_raises_login_failed(self): request = set_request(uri='/login', post=vars.LOGIN_WRONG, messages=True) response = login(request) response.context = RequestContext(request) self.assertMessage(response, 'Login failed', 40)
def test_passwords_dont_match(self): _form = vars.SIGNUP_TESTUSER.copy() _form["password_verify"] = "wrong" request = set_request(uri="/signup", post=_form) response = signup(request) response.context = RequestContext(request, {"signup_form": SignupForm(request.POST)}) self.assertFormError(response, "signup_form", "password_verify", "Passwords don't match")
def test_add_queued_account_to_ldap_prints_success_message(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id request = set_request(uri=activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertMessage(response, "Your account has been activated successfully", 25)
def test_get_bound_ldapuser_invalid_secondary_password(self): secondary_password = Random.get_random_bytes(48) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) self.assertRaises(ldap.INVALID_CREDENTIALS, get_bound_ldapuser, request)
def test_email_already_exists_in_ldap(self): _form = vars.SIGNUP_TESTUSER.copy() _form["email"] = "*****@*****.**" request = set_request(uri="/signup", post=_form, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, "Email already exists", 40)
def test_no_ldap_connection_raises_error_in_activation(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertMessage(response, "Can't contact LDAP server", 40)
def test_queued_account_gets_added_to_ldap(self): vars.QUEUEDUSER.save() activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) activate(request, vars.QUEUEDUSER.encrypted_id) self.assertTrue( ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)) ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1] self.assertEqual(ldap_account['objectClass'], settings.AUTH_LDAP_USER_OBJECTCLASS) self.assertEqual(ldap_account['sn'][0], vars.QUEUEDUSER.last_name) self.assertEqual( ldap_account['cn'][0], '%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertTrue( ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account['userPassword'][0])) self.assertEqual(ldap_account['givenName'][0], vars.QUEUEDUSER.first_name) self.assertEqual(ldap_account['mail'][0], vars.QUEUEDUSER.email) self.assertEqual(ldap_account['uid'][0], vars.QUEUEDUSER.username) self.assertEqual(ldap_account['uidNumber'][0], '1002') self.assertEqual(ldap_account['gidNumber'][0], '100') self.assertEqual( ldap_account['gecos'][0], '%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertEqual(ldap_account['homeDirectory'][0], '/home/%s' % vars.QUEUEDUSER.username) self.assertEqual(ldap_account['gentooACL'][0], 'user.group')
def test_no_ldap_connection_raises_error_in_signup(self): request = set_request(uri='/signup', post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, "Can't contact LDAP server", 40)
def test_no_ldap_connection_raises_error_in_activation(self): vars.QUEUEDUSER.save() activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertMessage(response, "Can't contact LDAP server", 40)
def test_email_already_exists_in_ldap(self): _form = vars.SIGNUP_TESTUSER.copy() _form['email'] = '*****@*****.**' request = set_request(uri='/signup', post=_form, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, 'Email already exists', 40)
def test_valid_certificate_authenticates_alice(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE u = authenticate(request=request) self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
def test_email_already_pending_activation(self): _form = vars.SIGNUP_TESTUSER.copy() _form["email"] = "*****@*****.**" vars.QUEUEDUSER.save() request = set_request(uri="/signup", post=_form, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, "Account is already pending activation", 40)
def test_add_first_user_in_empty_ldap_directory(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id self.ldapobj.directory = ldap_users(clean=True) request = set_request(activate_url, messages=True) activate(request, vars.QUEUEDUSER.encrypted_id) self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)) self.assertEqual(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1]["uidNumber"][0], "1")
def test_second_email_authenticates_alice(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS' request.META['SSL_CLIENT_RAW_CERT'] = ( vars.TEST_CERTIFICATE_WITH_TWO_EMAIL_ADDRESSES) u = authenticate(request=request) self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
def test_no_database_raises_critical(self): request = set_request(uri='/login', post=vars.LOGIN_ALICE, messages=True) response = login(request) response.context = RequestContext(request) self.assertMessage(response, "Can't contact the LDAP server or the database", 40)
def test_no_ldap_connection_sends_notification_mail_in_signup(self): request = set_request(uri="/signup", post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertEqual( mail.outbox[0].subject, "%sERROR: {'desc': \"Can't contact LDAP server\"}" % settings.EMAIL_SUBJECT_PREFIX )
def test_no_ldap_connection_raises_ldaperror_in_login(self): request = set_request(uri='/login', post=vars.LOGIN_WRONG, messages=True) response = login(request) response.context = RequestContext(request) self.assertMessage(response, "Can't contact the LDAP server or the database", 40)
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self): request = set_request('/', user=vars.USER_ALICE) with get_bound_ldapuser(request, password='******') as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertTrue( ldap_md5_crypt.verify( settings.DATABASES[db_alias]['PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
def test_valid_data_to_signup_form_prints_info_message(self): request = set_request(uri='/signup', post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, 'You will shortly receive an activation mail', 20)
def test_secondary_password_is_removed_in_logout(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password)) self.ldapobj.directory[ldap_users("alice")[0]]["userPassword"].append(secondary_password_crypt) request = set_request(uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE) request.session["secondary_password"] = cipher.encrypt(secondary_password) logout(request) self.assertEqual(len(ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]), 1)
def test_remove_leftovers_before_adding_secondary_password(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertNotIn(leftover, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_add_queued_account_to_ldap_prints_success_message(self): vars.QUEUEDUSER.save() activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id request = set_request(uri=activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertMessage(response, 'Your account has been activated successfully', 25)
def test_session_and_ldap_secondary_passwords_match(self): request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt( request.session['secondary_password'], 48)), ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][1]))
def test_empty_user_raises_form_error_messages(self): request = set_request(uri='/login') response = login(request) response.context = RequestContext( request, {'login_form': LoginForm(request.POST)}) self.assertFormError(response, 'login_form', 'username', 'This field is required.') self.assertFormError(response, 'login_form', 'password', 'This field is required.')
def test_no_ldap_connection_in_logout_sends_notification_mail(self): request = set_request(uri='/login', post=vars.LOGIN_ALICE, user=vars.USER_ALICE) request.session['secondary_password'] = '******' logout(request) self.assertEqual(len(mail.outbox), 1) self.assertTrue(mail.outbox[0].subject.startswith( '%sERROR:' % settings.EMAIL_SUBJECT_PREFIX))
def test_secondary_password_is_added_in_login(self): request = set_request(uri='/login', post=vars.LOGIN_ALICE) login(request) self.assertEqual( len( ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword']), 2) self.assertEqual(len(request.session['secondary_password']), 48)
def test_no_database_connection_sends_notification_mail_in_signup(self): request = set_request(uri='/signup', post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertTrue(mail.outbox[0].subject.startswith( '%sERROR:' % settings.EMAIL_SUBJECT_PREFIX))
def test_passwords_dont_match(self): _form = vars.SIGNUP_TESTUSER.copy() _form['password_verify'] = 'wrong' request = set_request(uri='/signup', post=_form) response = signup(request) response.context = RequestContext( request, {'signup_form': SignupForm(request.POST)}) self.assertFormError(response, 'signup_form', 'password_verify', "Passwords don't match")
def test_no_database_sends_notification_mail(self): request = set_request(uri='/login', post=vars.LOGIN_ALICE, messages=True) response = login(request) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertTrue(mail.outbox[0].subject.startswith( '%sERROR:' % settings.EMAIL_SUBJECT_PREFIX))
def test_email_already_pending_activation(self): _form = vars.SIGNUP_TESTUSER.copy() _form['email'] = '*****@*****.**' vars.QUEUEDUSER.save() request = set_request(uri='/signup', post=_form, messages=True) response = signup(request) response.context = RequestContext(request) self.assertMessage(response, 'Account is already pending activation', 40)
def test_no_ldap_connection_sends_notification_mail_in_activation(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertEqual( mail.outbox[0].subject, "%sERROR: {'desc': \"Can't contact LDAP server\"}" % settings.EMAIL_SUBJECT_PREFIX )
def test_empty_signup_form_raises_form_error_messages(self): request = set_request(uri="/signup") response = signup(request) response.context = RequestContext(request, {"signup_form": SignupForm(request.POST)}) self.assertFormError(response, "signup_form", "username", "This field is required.") self.assertFormError(response, "signup_form", "first_name", "This field is required.") self.assertFormError(response, "signup_form", "last_name", "This field is required.") self.assertFormError(response, "signup_form", "email", "This field is required.") self.assertFormError(response, "signup_form", "password_origin", "This field is required.") self.assertFormError(response, "signup_form", "password_verify", "This field is required.")
def test_valid_data_to_signup_form_sends_activation_mail(self): request = set_request(uri='/signup', post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertEqual( mail.outbox[0].subject, '%sAccount Activation' % settings.EMAIL_SUBJECT_PREFIX)
def test_dont_remove_primary_password_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify( 'ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_no_ldap_connection_sends_notification_mail_in_activation(self): vars.QUEUEDUSER.save() activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) response = activate(request, vars.QUEUEDUSER.encrypted_id) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertEqual( mail.outbox[0].subject, '%sERROR: {\'desc\': "Can\'t contact LDAP server"}' % settings.EMAIL_SUBJECT_PREFIX)
def test_no_ldap_connection_sends_notification_mail_in_signup(self): request = set_request(uri='/signup', post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertEqual(len(mail.outbox), 1) self.assertEqual( mail.outbox[0].subject, '%sERROR: {\'desc\': "Can\'t contact LDAP server"}' % settings.EMAIL_SUBJECT_PREFIX)
def test_dont_remove_unknown_hashes_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) leftover2 = 'plain_leftover2' self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover2) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertIn(leftover2, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_get_bound_ldapuser_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: self.assertEqual(user.username, vars.USER_ALICE.username)
def test_remove_secondary_password_from_ldap(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request(uri='/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) remove_secondary_password(request) self.assertNotIn(secondary_password_crypt, ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'])
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'], b64encode(secondary_password))
def test_dont_remove_primary_password_when_removing_secondary_passwd(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request(uri='/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) remove_secondary_password(request) self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_valid_data_to_signup_form_adds_user_to_queue(self): request = set_request(uri="/signup", post=vars.SIGNUP_TESTUSER, messages=True) response = signup(request) response.context = RequestContext(request) self.assertEqual(Queue.objects.count(), 1) vars.QUEUEDUSER = Queue.objects.get(pk=1) self.assertEqual(vars.QUEUEDUSER.username, vars.SIGNUP_TESTUSER["username"]) self.assertEqual(vars.QUEUEDUSER.first_name, vars.SIGNUP_TESTUSER["first_name"]) self.assertEqual(vars.QUEUEDUSER.last_name, vars.SIGNUP_TESTUSER["last_name"]) self.assertEqual(vars.QUEUEDUSER.email, vars.SIGNUP_TESTUSER["email"]) self.assertEqual(vars.QUEUEDUSER.password, vars.SIGNUP_TESTUSER["password_origin"]) # note: this needs to be kept in line with used cipher self.assertRegexpMatches(vars.QUEUEDUSER.encrypted_id, "^[a-zA-Z0-9_-]{22}$")
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request('/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) with get_bound_ldapuser(request) as user: # noqa pass db_alias = 'ldap_%s' % request.session.cache_key self.assertNotIn('USER', settings.DATABASES.get(db_alias, {})) self.assertNotIn('PASSWORD', settings.DATABASES.get(db_alias, {}))
def auth(session_id, key): try: session = sessionrefcipher.decrypt(session_id) except ValueError: return None request = set_request('/') user = authenticate(ssh_key=key) if user and user.is_active: login(request, user) init_otp(request) session.update(request.session) session.save() return 'Authenticated.' return None
def test_queued_account_gets_added_to_ldap(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) activate(request, vars.QUEUEDUSER.encrypted_id) self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)) ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1] self.assertEqual(ldap_account["objectClass"], settings.AUTH_LDAP_USER_OBJECTCLASS) self.assertEqual(ldap_account["sn"][0], vars.QUEUEDUSER.last_name) self.assertEqual(ldap_account["cn"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account["userPassword"][0])) self.assertEqual(ldap_account["givenName"][0], vars.QUEUEDUSER.first_name) self.assertEqual(ldap_account["mail"][0], vars.QUEUEDUSER.email) self.assertEqual(ldap_account["uid"][0], vars.QUEUEDUSER.username) self.assertEqual(ldap_account["uidNumber"][0], "1002") self.assertEqual(ldap_account["gidNumber"][0], "100") self.assertEqual(ldap_account["gecos"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertEqual(ldap_account["homeDirectory"][0], "/home/%s" % vars.QUEUEDUSER.username) self.assertEqual(ldap_account["gentooACL"][0], "user.group")
def test_no_certificate_returns_none(self): request = set_request(uri='/login') request.META['SSL_CLIENT_VERIFY'] = 'NONE' u = authenticate(request=request) self.assertIs(u, None)