def test_queued_account_gets_added_to_ldap(self): vars.QUEUEDUSER.save() activate_url = '/activate/%s/' % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) activate(request, vars.QUEUEDUSER.encrypted_id) self.assertTrue( ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)) ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1] self.assertEqual(ldap_account['objectClass'], settings.AUTH_LDAP_USER_OBJECTCLASS) self.assertEqual(ldap_account['sn'][0], vars.QUEUEDUSER.last_name) self.assertEqual( ldap_account['cn'][0], '%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertTrue( ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account['userPassword'][0])) self.assertEqual(ldap_account['givenName'][0], vars.QUEUEDUSER.first_name) self.assertEqual(ldap_account['mail'][0], vars.QUEUEDUSER.email) self.assertEqual(ldap_account['uid'][0], vars.QUEUEDUSER.username) self.assertEqual(ldap_account['uidNumber'][0], '1002') self.assertEqual(ldap_account['gidNumber'][0], '100') self.assertEqual( ldap_account['gecos'][0], '%s %s' % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertEqual(ldap_account['homeDirectory'][0], '/home/%s' % vars.QUEUEDUSER.username) self.assertEqual(ldap_account['gentooACL'][0], 'user.group')
def test_session_and_ldap_secondary_passwords_match(self): request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt( request.session['secondary_password'], 48)), ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][1]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(leftover) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self): request = set_request('/', user=vars.USER_ALICE) with get_bound_ldapuser(request, password='******') as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertTrue( ldap_md5_crypt.verify( settings.DATABASES[db_alias]['PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_cleaning_leftovers(self): leftover = ldap_md5_crypt.encrypt('leftover_password') self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(leftover) request = set_request(uri='/', user=vars.USER_ALICE) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify( 'ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_while_removing_secondary_password(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode(secondary_password)) self.ldapobject.directory[get_ldap_user('alice')[0]]['userPassword'].append(secondary_password_crypt) self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice', directory=self.ldapobject.directory)]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) request.session['secondary_password'] = cipher.encrypt(secondary_password) remove_secondary_password(request) self.assertTrue(ldap_md5_crypt.verify('ldaptest',get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][0]))
def test_dont_remove_primary_password_when_removing_secondary_passwd(self): secondary_password = Random.get_random_bytes(48) secondary_password_crypt = ldap_md5_crypt.encrypt(b64encode( secondary_password)) self.ldapobj.directory[ldap_users('alice')[0]][ 'userPassword'].append(secondary_password_crypt) request = set_request(uri='/', user=vars.USER_ALICE) request.session['secondary_password'] = cipher.encrypt( secondary_password) remove_secondary_password(request) self.assertTrue(ldap_md5_crypt.verify('ldaptest', ldap_users( 'alice', directory=self.ldapobj.directory)[1]['userPassword'][0]))
def _compare_s(self, dn, attr, value): self._check_valid_dn(dn) try: values = self.directory[dn].get(attr, []) except KeyError: raise ldap.NO_SUCH_OBJECT if attr == 'userPassword': for password in values: try: if ldap_md5_crypt.verify(value, password): return 1 except (NameError, ValueError): pass return (1 if (value in values) else 0)
def password_settings(request): """ Password settings """ with get_bound_ldapuser(request) as user_info: password_settings = None if request.method == "POST": password_settings = PasswordSettingsForm(request.POST) if password_settings.is_valid(): try: new_password = password_settings.cleaned_data[ 'new_password'] new_password_verify = password_settings.cleaned_data[ 'new_password_verify'] old_password = password_settings.cleaned_data[ 'old_password'] if old_password and (new_password == new_password_verify): for hash in list(user_info.password): print hash try: if ldap_md5_crypt.verify(old_password, hash): user_info.password.append( ldap_md5_crypt.encrypt( new_password_verify)) user_info.password.remove(hash) break except ValueError: # ignore unknown hashes pass try: user_info.save() except IntegrityError: pass except ldap.TYPE_OR_VALUE_EXISTS: pass except Exception as error: logger.critical(error, extra=log_extra_data(request)) logger_mail.exception(error) raise OkupyError("Can't contact LDAP server") else: password_settings = PasswordSettingsForm() return render(request, 'settings-password.html', { 'password_settings': password_settings, 'user_info': user_info, })
def _compare_s(self, dn, attr, value): dn = self._dn(dn) if dn not in self.directory: raise ldap.NO_SUCH_OBJECT if attr not in self.directory[dn]: raise ldap.NO_SUCH_ATTRIBUTE if attr == 'userPassword': for password in self.directory[dn][attr]: try: # TODO: Implement more ldap pwd hashes from passlib # http://pythonhosted.org/passlib/lib/passlib.hash.html#ldap-hashes if ldap_md5_crypt.verify(value, password): return 1 except (NameError, ValueError): pass return (value in self.directory[dn][attr]) and 1 or 0
def remove_secondary_password(request): """ Remove secondary password on logout """ try: password = b64encode( cipher.decrypt(request.session['secondary_password'], 48)) except KeyError: return with get_bound_ldapuser(request, password) as user: if len(user.password) > 1: for hash in list(user.password): try: if ldap_md5_crypt.verify(password, hash): user.password.remove(hash) break except ValueError: # ignore unknown hashes pass user.save()
def set_secondary_password(request, password): """ Generate a secondary passsword and encrypt it in the session """ with get_bound_ldapuser(request, password) as user: secondary_password = Random.get_random_bytes(48) request.session['secondary_password'] = \ cipher.encrypt(secondary_password) # Clean up possible leftover secondary passwords from the LDAP account if len(user.password) > 1: for hash in list(user.password): try: if not ldap_md5_crypt.verify(password, hash): user.password.remove(hash) except ValueError: # don't remove unknown hashes pass # Add a new generated encrypted password to LDAP user.password.append( ldap_md5_crypt.encrypt(b64encode(secondary_password))) user.save()
def remove_secondary_password(request): """ Remove secondary password on logout """ try: password = b64encode(cipher.decrypt( request.session['secondary_password'], 48)) except KeyError: return with get_bound_ldapuser(request, password) as user: if len(user.password) > 1: for hash in list(user.password): try: if ldap_md5_crypt.verify(password, hash): user.password.remove(hash) break except ValueError: # ignore unknown hashes pass user.save()
def test_queued_account_gets_added_to_ldap(self): vars.QUEUEDUSER.save() activate_url = "/activate/%s/" % vars.QUEUEDUSER.encrypted_id request = set_request(activate_url, messages=True) activate(request, vars.QUEUEDUSER.encrypted_id) self.assertTrue(ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)) ldap_account = ldap_users(vars.QUEUEDUSER.username, directory=self.ldapobj.directory)[1] self.assertEqual(ldap_account["objectClass"], settings.AUTH_LDAP_USER_OBJECTCLASS) self.assertEqual(ldap_account["sn"][0], vars.QUEUEDUSER.last_name) self.assertEqual(ldap_account["cn"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertTrue(ldap_md5_crypt.verify(vars.QUEUEDUSER.password, ldap_account["userPassword"][0])) self.assertEqual(ldap_account["givenName"][0], vars.QUEUEDUSER.first_name) self.assertEqual(ldap_account["mail"][0], vars.QUEUEDUSER.email) self.assertEqual(ldap_account["uid"][0], vars.QUEUEDUSER.username) self.assertEqual(ldap_account["uidNumber"][0], "1002") self.assertEqual(ldap_account["gidNumber"][0], "100") self.assertEqual(ldap_account["gecos"][0], "%s %s" % (vars.QUEUEDUSER.first_name, vars.QUEUEDUSER.last_name)) self.assertEqual(ldap_account["homeDirectory"][0], "/home/%s" % vars.QUEUEDUSER.username) self.assertEqual(ldap_account["gentooACL"][0], "user.group")
def set_secondary_password(request, password): """ Generate a secondary passsword and encrypt it in the session """ username = request.user.username user = LDAPUser.bind_as(alias='ldap_%s' % username, username=username, password=password).objects.get(username=username) secondary_password = Random.get_random_bytes(48) request.session['secondary_password'] = cipher.encrypt(secondary_password) # Clean up possible leftover secondary passwords from the LDAP account if len(user.password) > 1: for hash in user.password: try: if not ldap_md5_crypt.verify(password, hash): user.password.remove(hash) except ValueError: # don't remove unknown hashes pass # Add a new generated encrypted password to LDAP user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password))) user.save()
def remove_secondary_password(request): """ Remove secondary password on logout """ try: password = b64encode(cipher.decrypt( request.session['secondary_password'], 48)) except KeyError: return username = request.user.username user = LDAPUser.bind_as(alias='ldap_%s' % username, username=username, password=password).objects.get(username=username) if len(user.password) > 1: for hash in user.password: try: if ldap_md5_crypt.verify(password, hash): user.password.remove(hash) except ValueError: # ignore unknown hashes pass user.save()
def verifyPassword(password, hashvalue): valid = ldap_md5_crypt.verify(password, hashvalue) return valid
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self): request = set_request('/', user=vars.USER_ALICE) with get_bound_ldapuser(request, password='******') as user: # noqa db_alias = 'ldap_%s' % request.session.cache_key self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES[db_alias][ 'PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
def test_session_and_ldap_secondary_passwords_match(self): self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice'))([get_ldap_user('alice')]) alice = User.objects.create(username='******', password='******') request = set_request(uri='/', user=alice) set_secondary_password(request, 'ldaptest') self.assertTrue(ldap_md5_crypt.verify(b64encode(cipher.decrypt(request.session['secondary_password'], 48)), get_ldap_user('alice', directory=self.ldapobject.directory)[1]['userPassword'][1]))