mirror of
https://github.com/kakwa/ldapcherry
synced 2024-11-25 10:44:30 +01:00
many fixes in unit tests + fix in params + fix in constant
Oh god, python-ldap is crap... * add better unit test * correct params name * correct exception handling * disable testConnectSSLNoCheck (impossible to test with a certificate previously defined)
This commit is contained in:
parent
93ed190913
commit
189079cf21
@ -68,7 +68,7 @@ roles.file = '/etc/ldapcherry/roles.yml'
|
||||
|
||||
ldap.module = 'ldapcherry.backend.backendLdap'
|
||||
ldap.groupdn = 'ou=group,dc=example,dc=com'
|
||||
ldap.people = 'ou=group,dc=example,dc=com'
|
||||
ldap.userdn = 'ou=group,dc=example,dc=com'
|
||||
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
|
||||
ldap.password = 'password'
|
||||
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
||||
|
@ -17,10 +17,13 @@ class Backend(ldapcherry.backend.Backend):
|
||||
self._logger = logger
|
||||
self.backend_name = name
|
||||
self.binddn = self.get_param('binddn')
|
||||
self.bindpassword = self.get_param('password')
|
||||
self.ca = self.get_param('ca', False)
|
||||
self.checkcert = self.get_param('checkcert', 'on')
|
||||
self.starttls = self.get_param('starttls', 'off')
|
||||
self.uri = self.get_param('uri')
|
||||
self.userdn = self.get_param('userdn')
|
||||
self.groupdn = self.get_param('groupdn')
|
||||
self.user_filter_tmpl = self.get_param('user_filter_tmpl')
|
||||
|
||||
def auth(self, username, password):
|
||||
@ -57,22 +60,23 @@ class Backend(ldapcherry.backend.Backend):
|
||||
ldap_client = self._connect()
|
||||
try:
|
||||
ldap_client.simple_bind_s(self.binddn, self.bindpassword)
|
||||
except ldap.INVALID_CREDENTIALS:
|
||||
except ldap.INVALID_CREDENTIALS as e:
|
||||
self._logger(
|
||||
logging.ERROR,
|
||||
"Configuration error, wrong credentials, unable to connect to ldap with '" + self.binddn + "'",
|
||||
)
|
||||
raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
|
||||
except ldap.SERVER_DOWN:
|
||||
#raise cherrypy.HTTPError("500", "Configuration Error, contact administrator")
|
||||
raise e
|
||||
except ldap.SERVER_DOWN as e:
|
||||
self._logger(
|
||||
logging.ERROR,
|
||||
"Unable to contact ldap server '" + self.uri + "', check 'auth.ldap.uri' and ssl/tls configuration",
|
||||
)
|
||||
return False
|
||||
raise e
|
||||
|
||||
user_filter = self.user_filter_tmpl % {
|
||||
'login': username
|
||||
}
|
||||
user_filter = self.user_filter_tmpl % {
|
||||
'username': username
|
||||
}
|
||||
|
||||
r = ldap_client.search_s(self.userdn,
|
||||
ldap.SCOPE_SUBTREE,
|
||||
@ -90,13 +94,16 @@ class Backend(ldapcherry.backend.Backend):
|
||||
ldap_client.set_option(ldap.OPT_REFERRALS, 0)
|
||||
if self.starttls == 'on':
|
||||
ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
|
||||
if self.ca:
|
||||
else:
|
||||
ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
|
||||
if self.ca and self.checkcert == 'on':
|
||||
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
|
||||
#else:
|
||||
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
|
||||
if self.checkcert == 'off':
|
||||
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
|
||||
else:
|
||||
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
|
||||
|
||||
if self.starttls == 'on':
|
||||
try:
|
||||
ldap_client.start_tls_s()
|
||||
|
@ -68,8 +68,8 @@ roles.file = './tests/cfg/roles.yml'
|
||||
|
||||
ldap.module = 'ldapcherry.backend.backendLdap'
|
||||
ldap.groupdn = 'ou=group,dc=example,dc=com'
|
||||
ldap.people = 'ou=group,dc=example,dc=com'
|
||||
ldap.binddn = 'cn=ldapcherry,dc=example,dc=com'
|
||||
ldap.userdn = 'ou=group,dc=example,dc=com'
|
||||
ldap.binddn = 'cn=dnscherry,dc=example,dc=org'
|
||||
ldap.password = 'password'
|
||||
ldap.uri = 'ldaps://ldap.ldapcherry.org'
|
||||
ldap.ca = '/etc/dnscherry/TEST-cacert.pem'
|
||||
|
27
tests/cfg/wrong_ca.crt
Normal file
27
tests/cfg/wrong_ca.crt
Normal file
@ -0,0 +1,27 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIEpDCCA4ygAwIBAgIJAJPjqWBPSpcrMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYD
|
||||
VQQGEwJGUjELMAkGA1UECBMCRlIxDjAMBgNVBAcTBVBhcmlzMQ4wDAYDVQQKEwVQ
|
||||
YXJpczERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1lMREwDwYD
|
||||
VQQpEwhjaGFuZ2VtZTEdMBsGCSqGSIb3DQEJARYOa2Frd2FAa2Frd2EuZnIwHhcN
|
||||
MTIwNzIxMTgwMzExWhcNMjIwNzE5MTgwMzExWjCBkjELMAkGA1UEBhMCRlIxCzAJ
|
||||
BgNVBAgTAkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNV
|
||||
BAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdl
|
||||
bWUxHTAbBgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyMIIBIjANBgkqhkiG9w0B
|
||||
AQEFAAOCAQ8AMIIBCgKCAQEA2JAYpMeudhVLgUOCdnA4a4R+sGv7dNxcrBTK9Eh3
|
||||
PHbCwBtAfX8J2NXjKiSNlZLw2xc5A7wEks7JxieynBfClL3kruZ2pj9yxT4BH4ro
|
||||
fY560b887miofiqKjB1dEnpoOfQNxUwUKVdKlOU0U8oteHwEnet8EbJ3Th4bkftz
|
||||
Bk8PYDOCt2x+SK6mHJz8yOsezsLfsrNdOLlY+dDrgZFmIGekTdo7okGaiPIndr1s
|
||||
OYcDLlow188oHnUZ8I9uPQW6Tk6gveh65sDc4ThpdrF8dV7UQxOrP+lBTcbrQNf0
|
||||
dMy2UDuA4TauIA6o6JsxtBbsBRph4vmgGXc1AGfmC2QXqwIDAQABo4H6MIH3MB0G
|
||||
A1UdDgQWBBTS1NffwUVvC47DSsSh5WCPGXMvxDCBxwYDVR0jBIG/MIG8gBTS1Nff
|
||||
wUVvC47DSsSh5WCPGXMvxKGBmKSBlTCBkjELMAkGA1UEBhMCRlIxCzAJBgNVBAgT
|
||||
AkZSMQ4wDAYDVQQHEwVQYXJpczEOMAwGA1UEChMFUGFyaXMxETAPBgNVBAsTCGNo
|
||||
YW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHTAb
|
||||
BgkqhkiG9w0BCQEWDmtha3dhQGtha3dhLmZyggkAk+OpYE9KlyswDAYDVR0TBAUw
|
||||
AwEB/zANBgkqhkiG9w0BAQUFAAOCAQEATGrU92RcniJ5QkOPLR/Zy2850jtknHKq
|
||||
VynTH5+smoRqDm6MJNSXb4Hy437qRFZdIyPcIXLgn+C31z0yfkSxW6MoGvYsWo86
|
||||
SKjow/OG4XQcHiOr0ydOSqdWL9EXWq+0DwnwWcmaFpuRhN2pK4fZmIcokRBiIbv0
|
||||
xnuyFvCTpsEOJHaYRQdE71omb47OBFhSA+ytGihmD6FycNqP9mriA0fPw2o/oVSd
|
||||
WC55yNfi9JqimfH/AN2ApMXD6TQD9JyyNJ2Qciwf7WsU+h3I/qIS15RsG+VUFm5E
|
||||
D62QGIMu6rRj06GO4e7+0+doiHvV9b8rk37aMOEhWmTw2v6aHJcGHw==
|
||||
-----END CERTIFICATE-----
|
@ -11,15 +11,16 @@ from ldapcherry.backend.backendLdap import Backend
|
||||
from ldapcherry import syslog_error
|
||||
from ldapcherry.exceptions import *
|
||||
import cherrypy
|
||||
from ldap import SERVER_DOWN
|
||||
|
||||
cfg = {
|
||||
'module' : 'ldapcherry.backend.ldap',
|
||||
'groupdn' : 'ou=group,dc=example,dc=com',
|
||||
'people' : 'ou=group,dc=example,dc=com',
|
||||
'binddn' : 'cn=ldapcherry,dc=example,dc=com',
|
||||
'groupdn' : 'ou=group,dc=example,dc=org',
|
||||
'userdn' : 'ou=People,dc=example,dc=org',
|
||||
'binddn' : 'cn=dnscherry,dc=example,dc=org',
|
||||
'password' : 'password',
|
||||
'uri' : 'ldaps://ldap.ldapcherry.org',
|
||||
'ca' : '/etc/dnscherry/TEST-cacert.pem',
|
||||
'uri' : 'ldap://ldap.ldapcherry.org:390',
|
||||
'ca' : './tests/test_env/etc/ldapcherry/TEST-cacert.pem',
|
||||
'starttls' : 'off',
|
||||
'checkcert' : 'off',
|
||||
'user_filter_tmpl' : '(uid=%(username)s)',
|
||||
@ -36,16 +37,37 @@ class TestError(object):
|
||||
|
||||
def testConnect(self):
|
||||
inv = Backend(cfg, cherrypy.log, 'ldap')
|
||||
inv._connect()
|
||||
ldap = inv._connect()
|
||||
ldap.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||
return True
|
||||
|
||||
def testConnectSSL(self):
|
||||
inv = Backend(cfg, cherrypy.log, 'ldap')
|
||||
return True
|
||||
cfg2 = cfg.copy()
|
||||
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
|
||||
cfg2['checkcert'] = 'on'
|
||||
inv = Backend(cfg2, cherrypy.log, 'ldap')
|
||||
ldap = inv._connect()
|
||||
ldap.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||
|
||||
def testConnectSSLNoCheck(self):
|
||||
inv = Backend(cfg, cherrypy.log, 'ldap')
|
||||
return True
|
||||
def testConnectSSLWrongCA(self):
|
||||
cfg2 = cfg.copy()
|
||||
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
|
||||
cfg2['checkcert'] = 'on'
|
||||
cfg2['ca'] = './cfg/wrong_ca.crt'
|
||||
inv = Backend(cfg2, cherrypy.log, 'ldap')
|
||||
ldapc = inv._connect()
|
||||
try:
|
||||
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||
except SERVER_DOWN as e:
|
||||
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
|
||||
|
||||
# def testConnectSSLNoCheck(self):
|
||||
# cfg2 = cfg.copy()
|
||||
# cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
|
||||
# cfg2['checkcert'] = 'off'
|
||||
# inv = Backend(cfg2, cherrypy.log, 'ldap')
|
||||
# ldap = inv._connect()
|
||||
# ldap.simple_bind_s(inv.binddn, inv.bindpassword)
|
||||
|
||||
def testAuthSuccess(self):
|
||||
inv = Backend(cfg, cherrypy.log, 'ldap')
|
||||
|
Loading…
Reference in New Issue
Block a user