security-and-privacy/ldapcherry
security-and-privacy/ldapcherry
1
0
Fork 0
mirror of https://github.com/kakwa/ldapcherry synced 2024-05-29 15:18:04 +02:00
Code Releases Activity

fix many encoding errors on login and password

Browse Source
This commit is contained in:
kakwa 2016-07-07 20:22:33 +02:00
parent 9600f47e13
commit 6c3fb4975d
5 changed files with 35 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ldapcherry/__init__.py
View File

@ -616,7 +616,7 @@ class LdapCherry(object):
key = self.attributes.get_key()
username = params['attrs'][key]
sess = cherrypy.session
admin = str(sess.get(SESSION_KEY, None))
admin = sess.get(SESSION_KEY, None)
cherrypy.log.error(
msg="user '" + username + "' added by '" + admin + "'",
@ -677,7 +677,7 @@ class LdapCherry(object):
severity=logging.DEBUG
)
sess = cherrypy.session
username = str(sess.get(SESSION_KEY, None))
username = sess.get(SESSION_KEY, None)
badd = self._modify_attrs(
params,
self.attributes.get_selfattributes(),
@ -707,7 +707,7 @@ class LdapCherry(object):
)
sess = cherrypy.session
admin = str(sess.get(SESSION_KEY, None))
admin = sess.get(SESSION_KEY, None)
cherrypy.log.error(
msg="user '" + username + "' modified by '" + admin + "'",
@ -793,7 +793,7 @@ class LdapCherry(object):
def _deleteuser(self, username):
sess = cherrypy.session
admin = str(sess.get(SESSION_KEY, None))
admin = sess.get(SESSION_KEY, None)
for b in self.backends:
self.backends[b].del_user(username)
@ -886,14 +886,12 @@ class LdapCherry(object):
self._check_auth(must_admin=False)
is_admin = self._check_admin()
sess = cherrypy.session
user = str(sess.get(SESSION_KEY, None))
user = sess.get(SESSION_KEY, None)
if self.auth_mode == 'none':
user_attrs = None
else:
user_attrs = self._get_user(user)
attrs_list = self.attributes.get_search_attributes()
print attrs_list
print user_attrs
return self.temp['index.tmpl'].render(
is_admin=is_admin,
attrs_list=attrs_list,
@ -1095,7 +1093,7 @@ class LdapCherry(object):
self._check_auth(must_admin=False)
is_admin = self._check_admin()
sess = cherrypy.session
user = str(sess.get(SESSION_KEY, None))
user = sess.get(SESSION_KEY, None)
if self.auth_mode == 'none':
return self.temp['error.tmpl'].render(
is_admin=is_admin,

26
ldapcherry/backend/backendLdap.py
View File

@ -244,10 +244,9 @@ class Backend(ldapcherry.backend.Backend):
username = ldap.filter.escape_filter_chars(username)
user_filter = self.user_filter_tmpl % {
'username': username
'username': self._uni(username)
}
user_filter = self._str(user_filter)
r = self._search(user_filter, attrs, self.userdn)
r = self._search(self._str(user_filter), attrs, self.userdn)
if len(r) == 0:
return None
@ -279,11 +278,14 @@ class Backend(ldapcherry.backend.Backend):
def auth(self, username, password):
"""Authentication of a user"""
binddn = self._str(self._get_user(username, NO_ATTR))
binddn = self._get_user(self._str(username), NO_ATTR)
if binddn is not None:
ldap_client = self._connect()
try:
ldap_client.simple_bind_s(binddn, password)
ldap_client.simple_bind_s(
self._str(binddn),
self._str(password)
)
except ldap.INVALID_CREDENTIALS:
ldap_client.unbind_s()
return False
@ -327,7 +329,7 @@ class Backend(ldapcherry.backend.Backend):
"""delete a user"""
ldap_client = self._bind()
# recover the user dn
dn = self._str(self._get_user(username, NO_ATTR))
dn = self._str(self._get_user(self._str(username), NO_ATTR))
# delete
if dn is not None:
ldap_client.delete_s(dn)
@ -339,7 +341,7 @@ class Backend(ldapcherry.backend.Backend):
def set_attrs(self, username, attrs):
""" Set user attributes"""
ldap_client = self._bind()
tmp = self._get_user(username, ALL_ATTRS)
tmp = self._get_user(self._str(username), ALL_ATTRS)
dn = self._str(tmp[0])
old_attrs = tmp[1]
for attr in attrs:
@ -382,7 +384,7 @@ class Backend(ldapcherry.backend.Backend):
def add_to_groups(self, username, groups):
ldap_client = self._bind()
# recover dn of the user and his attributes
tmp = self._get_user(username, ALL_ATTRS)
tmp = self._get_user(self._str(username), ALL_ATTRS)
dn = tmp[0]
attrs = tmp[1]
attrs['dn'] = dn
@ -435,7 +437,7 @@ class Backend(ldapcherry.backend.Backend):
# it follows the same logic than add_to_groups
# but with MOD_DELETE
ldap_client = self._bind()
tmp = self._get_user(username, ALL_ATTRS)
tmp = self._get_user(self._str(username), ALL_ATTRS)
dn = tmp[0]
attrs = tmp[1]
attrs['dn'] = dn
@ -467,7 +469,7 @@ class Backend(ldapcherry.backend.Backend):
def search(self, searchstring):
"""Search users"""
# escape special char to avoid injection
searchstring = ldap.filter.escape_filter_chars(searchstring)
searchstring = ldap.filter.escape_filter_chars(self._str(searchstring))
# fill the search string template
searchfilter = self.search_filter_tmpl % {
'searchstring': searchstring
@ -492,7 +494,7 @@ class Backend(ldapcherry.backend.Backend):
def get_user(self, username):
"""Gest a specific user"""
ret = {}
tmp = self._get_user(username, ALL_ATTRS)
tmp = self._get_user(self._str(username), ALL_ATTRS)
if tmp is None:
raise UserDoesntExist(username, self.backend_name)
attrs_tmp = tmp[1]
@ -506,7 +508,7 @@ class Backend(ldapcherry.backend.Backend):
def get_groups(self, username):
"""Get all groups of a user"""
username = ldap.filter.escape_filter_chars(username)
username = ldap.filter.escape_filter_chars(self._str(username))
userdn = self._get_user(username, NO_ATTR)
searchfilter = self.group_filter_tmpl % {

22
tests/test_BackendLdap.py
View File

@ -120,12 +120,12 @@ class TestError(object):
def testAuthSuccess(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
ret = inv.auth('jwatson', 'passwordwatson')
ret = inv.auth(u'jwatsoné', u'passwordwatsoné')
assert ret == True
def testAuthFailure(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
res = inv.auth('notauser', 'password') or inv.auth('jwatson', 'notapassword')
res = inv.auth('notauser', 'password') or inv.auth(u'jwatsoné', 'notapasswordé')
assert res == False
def testMissingParam(self):
@ -140,13 +140,13 @@ class TestError(object):
def testGetUser(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
ret = inv.get_user('jwatson')
expected = {'uid': 'jwatson', 'cn': 'John Watson', 'sn': 'watson'}
ret = inv.get_user(u'jwatsoné')
expected = {'uid': u'jwatsoné', 'cn': 'John Watson', 'sn': 'watson'}
assert ret == expected
def testGetGroups(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
ret = inv.get_groups('jwatson')
ret = inv.get_groups(u'jwatsoné')
expected = ['cn=itpeople,ou=Groups,dc=example,dc=org']
assert ret == expected
@ -156,11 +156,11 @@ class TestError(object):
'cn=hrpeople,ou=Groups,dc=example,dc=org',
'cn=itpeople,ou=Groups,dc=example,dc=org',
]
inv.add_to_groups('jwatson', groups)
ret = inv.get_groups('jwatson')
inv.add_to_groups(u'jwatsoné', groups)
ret = inv.get_groups(u'jwatsoné')
print ret
inv.del_from_groups('jwatson', ['cn=hrpeople,ou=Groups,dc=example,dc=org'])
inv.del_from_groups('jwatson', ['cn=hrpeople,ou=Groups,dc=example,dc=org'])
inv.del_from_groups(u'jwatsoné', ['cn=hrpeople,ou=Groups,dc=example,dc=org'])
inv.del_from_groups(u'jwatsoné', ['cn=hrpeople,ou=Groups,dc=example,dc=org'])
assert ret == ['cn=itpeople,ou=Groups,dc=example,dc=org', 'cn=hrpeople,ou=Groups,dc=example,dc=org']
@ -236,8 +236,8 @@ class TestError(object):
def testGetUser(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
ret = inv.get_user('jwatson')
expected = {'uid': 'jwatson', 'objectClass': 'inetOrgPerson', 'carLicense': 'HERCAR 125', 'sn': 'watson', 'mail': 'j.watson@example.com', 'homePhone': '555-111-2225', 'cn': 'John Watson', 'userPassword': u'passwordwatson'}
ret = inv.get_user(u'jwatsoné')
expected = {'uid': u'jwatsoné', 'objectClass': 'inetOrgPerson', 'carLicense': 'HERCAR 125', 'sn': 'watson', 'mail': 'j.watson@example.com', 'homePhone': '555-111-2225', 'cn': 'John Watson', 'userPassword': u'passwordwatsoné'}
assert ret == expected
def testAddUserMissingMustattribute(self):

4
tests/test_LdapCherry.py
View File

@ -158,7 +158,7 @@ class TestError(object):
loadconf('./tests/cfg/ldapcherry_test.ini', app)
app.auth_mode = 'or'
try:
app.login('jwatson', 'passwordwatson')
app.login('jwatsoné', 'passwordwatsoné')
except cherrypy.HTTPRedirect as e:
expected = 'http://127.0.0.1:8080/'
assert e[0][0] == expected
@ -170,7 +170,7 @@ class TestError(object):
loadconf('./tests/cfg/ldapcherry_test.ini', app)
app.auth_mode = 'or'
try:
app.login('jwatson', 'wrongPassword')
app.login('jwatsoné', 'wrongPasswordé')
except cherrypy.HTTPRedirect as e:
expected = 'http://127.0.0.1:8080/signin'
assert e[0][0] == expected

4
tests/test_env/etc/ldap/content.ldif
View File

@ -61,8 +61,8 @@ dn: cn=John Watson,ou=people,dc=example,dc=org
objectclass: inetOrgPerson
cn: John Watson
sn: watson
uid: jwatson
userpassword: passwordwatson
uid: jwatsoné
userpassword: passwordwatsoné
carlicense: HERCAR 125
homephone: 555-111-2225
mail: j.watson@example.com