various fix on ssl/tls + tests

* making ssl cert check and cert no check works * adding a test to check if the cafile does exist * reenable and fix ssl checks on travis
2025-07-04 20:37:48 +02:00 · 2015-07-05 22:01:09 +02:00 · 2015-07-05 22:01:09 +02:00 · e9d5331d6a
commit e9d5331d6a
parent 405367fd75
2 changed files with 43 additions and 19 deletions
--- a/ldapcherry/backend/backendLdap.py
+++ b/ldapcherry/backend/backendLdap.py
@ -10,6 +10,7 @@ import ldap
 import ldap.modlist as modlist
 import logging
 import ldapcherry.backend
+import os
 import re

 class DelUserDontExists(Exception):
@ -17,6 +18,11 @@ class DelUserDontExists(Exception):
        self.user = user
        self.log = "cannot remove user, user <%(user)s> does not exist" % { 'user' : user}

+class CaFileDontExist(Exception):
+    def __init__(self, cafile):
+        self.cafile = cafile
+        self.log = "CA file %(cafile)s don't exist" % { 'cafile': cafile }
+
 NO_ATTR   = 0
 DISPLAYED_ATTRS = 1
 LISTED_ATTRS = 2
@ -112,20 +118,31 @@ class Backend(ldapcherry.backend.Backend):

    def _connect(self):
        ldap_client = ldap.initialize(self.uri)
-        ldap_client.set_option(ldap.OPT_REFERRALS, 0)
-        ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)
+        ldap.set_option(ldap.OPT_REFERRALS, 0)
+        ldap.set_option(ldap.OPT_TIMEOUT, self.timeout)
        if self.starttls == 'on':
-            ldap_client.set_option(ldap.OPT_X_TLS_DEMAND, True)
+            ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
        else:
-            ldap_client.set_option(ldap.OPT_X_TLS_DEMAND, False)
+            ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
        if self.ca and self.checkcert == 'on':
-            ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
+            if os.path.isfile(self.ca):
+                ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
+            else:
+                raise CaFileDontExist(self.ca)
        #else:
-        #    ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
+        #    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
        if self.checkcert == 'off':
-            ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+            # this is dark magic
+            # remove any of these two lines and it doesn't work
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+            ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        else:
+            # this is even darker magic
            ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
+            # it doesn't make sense to set it to never (don't check certifate) 
+            # but it only works with this option... and it checks the certificat
+            # (I've lost my sanity over this)
+            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
        if self.starttls == 'on':
            try:
                ldap_client.start_tls_s()