many fixes in unit tests + fix in params + fix in constant

Oh god, python-ldap is crap...
* add better unit test
* correct params name
* correct exception handling
* disable testConnectSSLNoCheck (impossible to test with a certificate
  previously defined)

conf/ldapcherry.ini

@@ -68,7 +68,7 @@ roles.file = '/etc/ldapcherry/roles.yml'
 
 ldap.module = 'ldapcherry.backend.backendLdap'
 ldap.groupdn = 'ou=group,dc=example,dc=com'
-ldap.people = 'ou=group,dc=example,dc=com'
+ldap.userdn = 'ou=group,dc=example,dc=com'
 ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
 ldap.password = 'password'
 ldap.uri = 'ldaps://ldap.ldapcherry.org'

ldapcherry/backend/backendLdap.py

@@ -17,10 +17,13 @@ class Backend(ldapcherry.backend.Backend):
         self._logger = logger
         self.backend_name = name
         self.binddn = self.get_param('binddn')
+        self.bindpassword = self.get_param('password')
         self.ca = self.get_param('ca', False)
         self.checkcert = self.get_param('checkcert', 'on')
         self.starttls = self.get_param('starttls', 'off')
         self.uri = self.get_param('uri')
+        self.userdn = self.get_param('userdn')
+        self.groupdn = self.get_param('groupdn')
         self.user_filter_tmpl = self.get_param('user_filter_tmpl')
 
     def auth(self, username, password):
@@ -57,21 +60,22 @@ class Backend(ldapcherry.backend.Backend):
         ldap_client = self._connect()
         try:
             ldap_client.simple_bind_s(self.binddn, self.bindpassword)
-        except ldap.INVALID_CREDENTIALS:
+        except ldap.INVALID_CREDENTIALS as e:
             self._logger(
                     logging.ERROR,
                     "Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
                 )
-            raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
+            #raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
-        except ldap.SERVER_DOWN:
+            raise e
+        except ldap.SERVER_DOWN as e:
             self._logger(
                     logging.ERROR,
                     "Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
                 )
-            return False
+            raise e 
 
         user_filter = self.user_filter_tmpl % {
-                'login': username
+            'username': username
         }
 
         r = ldap_client.search_s(self.userdn,
@@ -90,13 +94,16 @@ class Backend(ldapcherry.backend.Backend):
         ldap_client.set_option(ldap.OPT_REFERRALS, 0)
         if self.starttls == 'on':
             ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
-        if self.ca:
+        else:
+            ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
+        if self.ca and self.checkcert == 'on':
             ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
+        #else:
+        #    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
         if self.checkcert == 'off':
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
         else:
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
-
         if self.starttls == 'on': 
             try:
                 ldap_client.start_tls_s()

tests/cfg/ldapcherry.ini

@@ -68,8 +68,8 @@ roles.file = './tests/cfg/roles.yml'
 
 ldap.module = 'ldapcherry.backend.backendLdap'
 ldap.groupdn = 'ou=group,dc=example,dc=com'
-ldap.people = 'ou=group,dc=example,dc=com'
+ldap.userdn = 'ou=group,dc=example,dc=com'
-ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
+ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
 ldap.password = 'password'
 ldap.uri = 'ldaps://ldap.ldapcherry.org'
 ldap.ca = '/etc/dnscherry/TEST-cacert.pem'

tests/cfg/wrong_ca.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCA4ygAwIBAgIJAJPjqWBPSpcrMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
+VQQGEwJGUjELMAkGA1UECBMCRlIxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVQ
+YXJpczERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1lMREwDwYD
+VQQpEwhjaGFuZ2VtZTEdMBsGCSqGSIb3DQEJARYOa2Frd2FAa2Frd2EuZnIwHhcN
+MTIwNzIxMTgwMzExWhcNMjIwNzE5MTgwMzExWjCBkjELMAkGA1UEBhMCRlIxCzAJ
+BgNVBAgTAkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNV
+BAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdl
+bWUxHTAbBgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEA2JAYpMeudhVLgUOCdnA4a4R+sGv7dNxcrBTK9Eh3
+PHbCwBtAfX8J2NXjKiSNlZLw2xc5A7wEks7JxieynBfClL3kruZ2pj9yxT4BH4ro
+fY560b887miofiqKjB1dEnpoOfQNxUwUKVdKlOU0U8oteHwEnet8EbJ3Th4bkftz
+Bk8PYDOCt2x+SK6mHJz8yOsezsLfsrNdOLlY+dDrgZFmIGekTdo7okGaiPIndr1s
+OYcDLlow188oHnUZ8I9uPQW6Tk6gveh65sDc4ThpdrF8dV7UQxOrP+lBTcbrQNf0
+dMy2UDuA4TauIA6o6JsxtBbsBRph4vmgGXc1AGfmC2QXqwIDAQABo4H6MIH3MB0G
+A1UdDgQWBBTS1NffwUVvC47DSsSh5WCPGXMvxDCBxwYDVR0jBIG/MIG8gBTS1Nff
+wUVvC47DSsSh5WCPGXMvxKGBmKSBlTCBkjELMAkGA1UEBhMCRlIxCzAJBgNVBAgT
+AkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNVBAsTCGNo
+YW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHTAb
+BgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyggkAk+OpYE9KlyswDAYDVR0TBAUw
+AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATGrU92RcniJ5QkOPLR/Zy2850jtknHKq
+VynTH5+smoRqDm6MJNSXb4Hy437qRFZdIyPcIXLgn+C31z0yfkSxW6MoGvYsWo86
+SKjow/OG4XQcHiOr0ydOSqdWL9EXWq+0DwnwWcmaFpuRhN2pK4fZmIcokRBiIbv0
+xnuyFvCTpsEOJHaYRQdE71omb47OBFhSA+ytGihmD6FycNqP9mriA0fPw2o/oVSd
+WC55yNfi9JqimfH/AN2ApMXD6TQD9JyyNJ2Qciwf7WsU+h3I/qIS15RsG+VUFm5E
+D62QGIMu6rRj06GO4e7+0+doiHvV9b8rk37aMOEhWmTw2v6aHJcGHw==
+-----END CERTIFICATE-----

tests/test_BackendLdap.py

@@ -11,15 +11,16 @@ from ldapcherry.backend.backendLdap import Backend
 from ldapcherry import syslog_error
 from ldapcherry.exceptions import * 
 import cherrypy
+from ldap import SERVER_DOWN
 
 cfg = {
 'module'            : 'ldapcherry.backend.ldap',
-'groupdn'           : 'ou=group,dc=example,dc=com',
+'groupdn'           : 'ou=group,dc=example,dc=org',
-'people'            : 'ou=group,dc=example,dc=com',
+'userdn'            : 'ou=People,dc=example,dc=org',
-'binddn'            : 'cn=ldapcherry,dc=example,dc=com',
+'binddn'            : 'cn=dnscherry,dc=example,dc=org',
 'password'          : 'password',
-'uri'               : 'ldaps://ldap.ldapcherry.org',
+'uri'               : 'ldap://ldap.ldapcherry.org:390',
-'ca'                : '/etc/dnscherry/TEST-cacert.pem',
+'ca'                : './tests/test_env/etc/ldapcherry/TEST-cacert.pem',
 'starttls'          : 'off',
 'checkcert'         : 'off',
 'user_filter_tmpl'  : '(uid=%(username)s)',
@@ -36,16 +37,37 @@ class TestError(object):
 
     def testConnect(self):
         inv = Backend(cfg, cherrypy.log, 'ldap')
-        inv._connect()
+        ldap = inv._connect()
+        ldap.simple_bind_s(inv.binddn, inv.bindpassword)
         return True
 
     def testConnectSSL(self):
-        inv = Backend(cfg, cherrypy.log, 'ldap')
+        cfg2 = cfg.copy()
-        return True
+        cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+        cfg2['checkcert'] = 'on'
+        inv = Backend(cfg2, cherrypy.log, 'ldap')
+        ldap = inv._connect()
+        ldap.simple_bind_s(inv.binddn, inv.bindpassword)
 
-    def testConnectSSLNoCheck(self):
+    def testConnectSSLWrongCA(self):
-        inv = Backend(cfg, cherrypy.log, 'ldap')
+        cfg2 = cfg.copy()
-        return True
+        cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+        cfg2['checkcert'] = 'on'
+        cfg2['ca'] = './cfg/wrong_ca.crt'
+        inv = Backend(cfg2, cherrypy.log, 'ldap')
+        ldapc = inv._connect()
+        try:
+            ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
+        except SERVER_DOWN as e:
+            assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
+
+#    def testConnectSSLNoCheck(self):
+#        cfg2 = cfg.copy()
+#        cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
+#        cfg2['checkcert'] = 'off'
+#        inv = Backend(cfg2, cherrypy.log, 'ldap')
+#        ldap = inv._connect()
+#        ldap.simple_bind_s(inv.binddn, inv.bindpassword)
 
     def testAuthSuccess(self):
         inv = Backend(cfg, cherrypy.log, 'ldap')