def test_get_bound_ldapuser_invalid_secondary_password(self):
    """A session secret that was never stored in LDAP must fail to bind.

    The random value is encrypted into the session but not appended to
    alice's ``userPassword`` values, so ``get_bound_ldapuser`` is expected
    to raise ``ldap.INVALID_CREDENTIALS``.
    """
    unknown_secret = Random.get_random_bytes(48)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(unknown_secret)
    with self.assertRaises(ldap.INVALID_CREDENTIALS):
        get_bound_ldapuser(request)
def test_secondary_password_is_removed_in_logout(self):
    """Logging out must remove the session's secondary password hash from LDAP.

    One secondary hash is appended to alice's ``userPassword`` values before
    ``logout``; afterwards exactly one value is expected to remain.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users("alice")[0]
    self.ldapobj.directory[alice_dn]["userPassword"].append(secret_hash)
    request = set_request(uri="/login", post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
    request.session["secondary_password"] = cipher.encrypt(secret)
    logout(request)
    remaining = ldap_users("alice", directory=self.ldapobj.directory)[1]["userPassword"]
    self.assertEqual(len(remaining), 1)
def test_get_bound_ldapuser_from_request(self):
    """Binding with a valid session secondary password yields alice's user."""
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(secret)
    with get_bound_ldapuser(request) as bound_user:
        self.assertEqual(bound_user.username, vars.USER_ALICE.username)
def test_get_bound_ldapuser_from_request(self):
    """The bound LDAP user matches the request user when the session secret is valid."""
    generated = Random.get_random_bytes(48)
    crypt_value = ldap_md5_crypt.encrypt(b64encode(generated))
    entry = self.ldapobj.directory[ldap_users('alice')[0]]
    entry['userPassword'].append(crypt_value)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(generated)
    with get_bound_ldapuser(request) as ldap_user:
        expected = vars.USER_ALICE.username
        self.assertEqual(ldap_user.username, expected)
def test_remove_secondary_password_from_ldap(self):
    """``remove_secondary_password`` drops the session's secondary hash from LDAP."""
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)
    request = set_request(uri='/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(secret)
    remove_secondary_password(request)
    stored = ldap_users('alice', directory=self.ldapobj.directory)[1]['userPassword']
    self.assertNotIn(secret_hash, stored)
def test_dont_remove_primary_password_when_removing_secondary_passwd(self):
    """Removing the secondary password must leave the primary hash in place.

    After ``remove_secondary_password`` the first ``userPassword`` value of
    alice's entry must still verify against the primary password ``'ldaptest'``.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)
    request = set_request(uri='/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(secret)
    remove_secondary_password(request)
    first_hash = ldap_users('alice', directory=self.ldapobj.directory)[1]['userPassword'][0]
    self.assertTrue(ldap_md5_crypt.verify('ldaptest', first_hash))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
    """While bound, the per-session LDAP database alias carries the bind secret.

    The ``PASSWORD`` setting under ``ldap_<session cache_key>`` is expected to
    be the base64 form of the raw secondary password, i.e. the same value that
    was hashed into alice's ``userPassword``.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(secret)
    # The bound user object is not needed here, only the side effect on settings.
    with get_bound_ldapuser(request):
        db_alias = 'ldap_%s' % request.session.cache_key
        bound_password = settings.DATABASES[db_alias]['PASSWORD']
        self.assertEqual(bound_password, b64encode(secret))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_request(self):
    """Inside the bind context, settings hold the base64 secondary password."""
    generated = Random.get_random_bytes(48)
    crypt_value = ldap_md5_crypt.encrypt(b64encode(generated))
    entry = self.ldapobj.directory[ldap_users('alice')[0]]
    entry['userPassword'].append(crypt_value)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(generated)
    expected = b64encode(generated)
    with get_bound_ldapuser(request):
        alias = 'ldap_%s' % request.session.cache_key
        self.assertEqual(settings.DATABASES[alias]['PASSWORD'], expected)
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
    """Leaving the bind context must not leave credentials behind in settings.

    After the ``with`` block exits, neither ``USER`` nor ``PASSWORD`` may
    remain under the session's ``ldap_<cache_key>`` database alias.
    """
    secret = Random.get_random_bytes(48)
    secret_hash = ldap_md5_crypt.encrypt(b64encode(secret))
    alice_dn = ldap_users('alice')[0]
    self.ldapobj.directory[alice_dn]['userPassword'].append(secret_hash)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(secret)
    with get_bound_ldapuser(request):
        pass
    db_alias = 'ldap_%s' % request.session.cache_key
    alias_settings = settings.DATABASES.get(db_alias, {})
    for credential_key in ('USER', 'PASSWORD'):
        self.assertNotIn(credential_key, alias_settings)
def test_get_bound_ldapuser_context_manager_cleans_up_settings(self):
    """The per-session DB alias holds no USER/PASSWORD once the bind context ends."""
    generated = Random.get_random_bytes(48)
    crypt_value = ldap_md5_crypt.encrypt(b64encode(generated))
    entry = self.ldapobj.directory[ldap_users('alice')[0]]
    entry['userPassword'].append(crypt_value)
    request = set_request('/', user=vars.USER_ALICE)
    request.session['secondary_password'] = cipher.encrypt(generated)
    with get_bound_ldapuser(request):
        pass
    alias = 'ldap_%s' % request.session.cache_key
    leftover = settings.DATABASES.get(alias, {})
    self.assertNotIn('USER', leftover)
    self.assertNotIn('PASSWORD', leftover)
def test_secondary_password_is_removed_in_logout(self):
    """After ``logout`` only one ``userPassword`` value remains on alice's entry."""
    generated = Random.get_random_bytes(48)
    crypt_value = ldap_md5_crypt.encrypt(b64encode(generated))
    entry = self.ldapobj.directory[ldap_users('alice')[0]]
    entry['userPassword'].append(crypt_value)
    login_request = set_request(
        uri='/login', post=vars.LOGIN_ALICE, user=vars.USER_ALICE)
    login_request.session['secondary_password'] = cipher.encrypt(generated)
    logout(login_request)
    after_logout = ldap_users('alice', directory=self.ldapobj.directory)[1]
    self.assertEqual(len(after_logout['userPassword']), 1)
def set_secondary_password(request, password):
    """Generate a fresh secondary password and record it in the session and LDAP.

    Binds to LDAP as the request's user with *password* (the primary
    password), then:

    * draws 48 random bytes and stores them, encrypted with ``cipher``, in
      the session under ``'secondary_password'``;
    * if the user already holds more than one stored password value, drops
      every value that does not verify against *password*, so stale
      secondary hashes from earlier sessions do not accumulate; values that
      ``ldap_md5_crypt`` cannot inspect (``ValueError``) are deliberately
      left untouched;
    * appends the new secondary password, base64-encoded and hashed with
      ``ldap_md5_crypt``, and saves the user.

    Args:
        request: current request; its session receives the encrypted secret.
        password: the user's primary password, used both to bind and to
            decide which existing hashes survive the clean-up.
    """
    with get_bound_ldapuser(request, password) as user:
        secondary_password = Random.get_random_bytes(48)
        request.session['secondary_password'] = cipher.encrypt(secondary_password)

        if len(user.password) > 1:
            # Iterate over a snapshot so removals do not disturb the loop.
            for stored_hash in list(user.password):
                try:
                    matches_primary = ldap_md5_crypt.verify(password, stored_hash)
                except ValueError:
                    # Unknown hash format: keep it rather than guess.
                    continue
                if not matches_primary:
                    user.password.remove(stored_hash)

        new_hash = ldap_md5_crypt.encrypt(b64encode(secondary_password))
        user.password.append(new_hash)
        user.save()
def test_verify_password_more_than_twice_block_size(self):
    """Round-trip a plaintext three bytes longer than two cipher blocks."""
    plaintext = self._random_string[:cipher.block_size * 2 + 3]
    ciphertext = cipher.encrypt(plaintext)
    recovered = cipher.decrypt(ciphertext, len(plaintext))
    self.assertEqual(recovered, plaintext)
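def test_ciphertext_not_multiple_of_block_size_raises_valueerror(self):
    """``cipher.decrypt`` must reject ciphertext that is not block-aligned.

    Half a block of plaintext is encrypted and the ciphertext is truncated
    to half a block, so its length is no longer a multiple of ``block_size``.
    """
    # Floor division: under Python 3 ``/`` yields a float, which is not a
    # valid slice index; ``//`` gives the same int on both Python 2 and 3.
    half_block = cipher.block_size // 2
    plaintext = self._random_string[:half_block]
    ciphertext = cipher.encrypt(plaintext)[:half_block]
    self.assertRaises(ValueError, cipher.decrypt, ciphertext, len(plaintext))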
def test_verify_password_exact_block_size(self):
    """Round-trip a plaintext of exactly one cipher block."""
    plaintext = self._random_string[:cipher.block_size]
    ciphertext = cipher.encrypt(plaintext)
    recovered = cipher.decrypt(ciphertext, len(plaintext))
    self.assertEqual(recovered, plaintext)
def test_encrypt_random_bytes(self):
    """Round-trip 45 random bytes (deliberately not block-aligned) through the cipher."""
    payload = Random.get_random_bytes(45)
    ciphertext = cipher.encrypt(payload)
    recovered = cipher.decrypt(ciphertext, len(payload))
    self.assertEqual(recovered, payload)
def test_ciphertext_shorter_than_req_output_raises_valueerror(self):
    """``cipher.decrypt`` must raise when the requested length exceeds the ciphertext.

    Two blocks of plaintext are encrypted, but only the first block of
    ciphertext is handed back together with the full plaintext length.
    """
    plaintext = self._random_string[:cipher.block_size * 2]
    truncated = cipher.encrypt(plaintext)[:cipher.block_size]
    with self.assertRaises(ValueError):
        cipher.decrypt(truncated, len(plaintext))
def test_verify_password_more_than_twice_block_size(self):
    """Encrypt/decrypt must round-trip a plaintext of 2 * block_size + 3 bytes."""
    length = cipher.block_size * 2 + 3
    original = self._random_string[:length]
    encrypted = cipher.encrypt(original)
    self.assertEqual(cipher.decrypt(encrypted, length), original)
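def test_ciphertext_not_multiple_of_block_size_raises_valueerror(self):
    """Decrypting a ciphertext whose length is not a block multiple raises ValueError."""
    # ``//`` keeps the slice bound an int on Python 3 (``/`` would give a
    # float and fail as a slice index) and is unchanged on Python 2.
    half_block = cipher.block_size // 2
    original = self._random_string[:half_block]
    truncated = cipher.encrypt(original)[:half_block]
    with self.assertRaises(ValueError):
        cipher.decrypt(truncated, len(original))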
def test_ciphertext_shorter_than_req_output_raises_valueerror(self):
    """Asking ``decrypt`` for two blocks of output from one block of input raises."""
    length = cipher.block_size * 2
    original = self._random_string[:length]
    one_block = cipher.encrypt(original)[:cipher.block_size]
    self.assertRaises(ValueError, cipher.decrypt, one_block, length)