def test_authenticate_and_behavior_failure_non_group_member_of_all_required_groups_1(
self):
# User is member of two of the required groups (1 and 3) but not all three of them
# (1, 2, 3)
required_group_dns = [
'cn=group1,dc=stackstorm,dc=net',
'cn=group2,dc=stackstorm,dc=net',
'cn=group3,dc=stackstorm,dc=net',
]
backend = ldap_backend.LDAPAuthenticationBackend(LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
required_group_dns,
LDAP_HOST,
id_attr=LDAP_ID_ATTR,
group_dns_check='and')
authenticated = backend.authenticate(LDAP_USER_UID,
LDAP_USER_BAD_PASSWD)
self.assertFalse(authenticated)
def test_client_options(self):
client_options = {
ldap.OPT_RESTART: 0,
ldap.OPT_SIZELIMIT: 2014,
ldap.OPT_DIAGNOSTIC_MESSAGE: 'test',
# Not using a constant, 20482 is OPT_TIMEOUT
'20482': 9
}
backend = ldap_backend.LDAPAuthenticationBackend(
LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
LDAP_GROUP_DNS,
LDAP_HOST,
id_attr=LDAP_ID_ATTR,
client_options=client_options)
conn = backend._init_connection()
for option_name, option_value in client_options.items():
self.assertEqual(conn.get_option(int(option_name)), option_value)
def test_authenticate_and_is_default_behavior_non_group_member_of_all_required_groups(
self):
# User is member of two of the required groups and two non-required, but not
# all of the required groups
# Verify "and" is a default group_dns_check_behavior
required_group_dns = [
'cn=group1,dc=stackstorm,dc=net',
'cn=group2,dc=stackstorm,dc=net',
'cn=group5,dc=stackstorm,dc=net',
'cn=group6,dc=stackstorm,dc=net',
]
backend = ldap_backend.LDAPAuthenticationBackend(LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
required_group_dns,
LDAP_HOST,
id_attr=LDAP_ID_ATTR)
authenticated = backend.authenticate(LDAP_USER_UID,
LDAP_USER_BAD_PASSWD)
self.assertFalse(authenticated)
def test_get_groups_caching_no_cross_username_cache_polution(self):
required_group_dns = [
'cn=group3,dc=stackstorm,dc=net', 'cn=group4,dc=stackstorm,dc=net'
]
# Test which verifies that cache items are correctly scoped per username
backend = ldap_backend.LDAPAuthenticationBackend(
LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
required_group_dns,
LDAP_HOST,
id_attr=LDAP_ID_ATTR,
group_dns_check='or',
cache_user_groups_response=True)
user_groups = backend.get_user_groups(username=LDAP_USER_UID)
self.assertEqual(user_groups, ['cn=group3,dc=stackstorm,dc=net'])
self.assertEqual(backend._user_groups_cache[LDAP_USER_UID],
['cn=group3,dc=stackstorm,dc=net'])
user_groups = backend.get_user_groups(username=LDAP_USER_UID_2)
self.assertEqual(user_groups, ['cn=group4,dc=stackstorm,dc=net'])
self.assertEqual(backend._user_groups_cache[LDAP_USER_UID_2],
['cn=group4,dc=stackstorm,dc=net'])
def test_special_characters_in_username_are_escaped(self):
# User is not member of any of the required group
backend = ldap_backend.LDAPAuthenticationBackend(LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
LDAP_GROUP_DNS,
LDAP_HOST,
id_attr=LDAP_ID_ATTR)
values = [
('stanleyA', 'stanleyA'),
('stanley!@?.,&', 'stanley!@?.,&'),
# Special characters () should be escaped
('(stanley)', '\\28stanley\\29'),
# Special characters () should be escaped
('(stanley=)', '\\28stanley=\\29'),
]
for actual_username, expected_username in values:
authenticated = backend.authenticate(actual_username,
LDAP_USER_BAD_PASSWD)
call_args_1 = ldap.ldapobject.SimpleLDAPObject.search_s.call_args_list[
0][0]
call_args_2 = ldap.ldapobject.SimpleLDAPObject.search_s.call_args_list[
1][0]
# First search_s call (find user by uid)
filter_call_value = call_args_1[2]
self.assertEqual(filter_call_value, 'uid=%s' % (expected_username))
# Second search_s call (group membership test)
filter_call_value = call_args_2[2]
self.assertTrue('(memberUid=%s)' %
(expected_username) in filter_call_value)
ldap.ldapobject.SimpleLDAPObject.search_s = mock.MagicMock(
side_effect=[LDAP_USER_SEARCH_RESULT, []])
def test_get_user_specifying_account_pattern(self):
expected_username = '******'
required_group_dns = [
'cn=group3,dc=stackstorm,dc=net', 'cn=group4,dc=stackstorm,dc=net'
]
scope = 'subtree'
scope_number = ldap_backend.SEARCH_SCOPES[scope]
account_pattern = '''
(&
(objectClass=person)
(|
(accountName={username})
(mail={username})
)
)
'''.replace('\n', '').replace(' ', '')
expected_account_pattern = account_pattern.format(
username=expected_username)
backend = ldap_backend.LDAPAuthenticationBackend(
LDAP_BIND_DN,
LDAP_BIND_PASSWORD,
LDAP_BASE_OU,
required_group_dns,
LDAP_HOST,
scope=scope,
account_pattern=account_pattern,
)
connection = mock.MagicMock()
backend._init_connection = mock.MagicMock(return_value=connection)
backend.get_user(expected_username)
connection.search_s.assert_called_once_with(LDAP_BASE_OU, scope_number,
expected_account_pattern,
[])