various fix on ssl/tls + tests
* make SSL certificate checking (and the no-check mode) work
* adding a test to check if the cafile does exist
* reenable and fix ssl checks on travis
kakwa committed Jul 5, 2015
1 parent 405367f commit e9d5331
Showing 2 changed files with 43 additions and 19 deletions.
31 changes: 24 additions & 7 deletions ldapcherry/backend/backendLdap.py
Expand Up @@ -10,13 +10,19 @@
import ldap.modlist as modlist
import logging
import ldapcherry.backend
import os
import re

class DelUserDontExists(Exception):
def __init__(self, user):
self.user = user
self.log = "cannot remove user, user <%(user)s> does not exist" % { 'user' : user}

class CaFileDontExist(Exception):
def __init__(self, cafile):
self.cafile = cafile
self.log = "CA file %(cafile)s don't exist" % { 'cafile': cafile }

NO_ATTR = 0
DISPLAYED_ATTRS = 1
LISTED_ATTRS = 2
Expand Down Expand Up @@ -112,20 +118,31 @@ def _exception_handler(self, e):

def _connect(self):
ldap_client = ldap.initialize(self.uri)
ldap_client.set_option(ldap.OPT_REFERRALS, 0)
ldap_client.set_option(ldap.OPT_TIMEOUT, self.timeout)
ldap.set_option(ldap.OPT_REFERRALS, 0)
ldap.set_option(ldap.OPT_TIMEOUT, self.timeout)
if self.starttls == 'on':
ldap_client.set_option(ldap.OPT_X_TLS_DEMAND, True)
ldap.set_option(ldap.OPT_X_TLS_DEMAND, True)
else:
ldap_client.set_option(ldap.OPT_X_TLS_DEMAND, False)
ldap.set_option(ldap.OPT_X_TLS_DEMAND, False)
if self.ca and self.checkcert == 'on':
ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
if os.path.isfile(self.ca):
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca)
else:
raise CaFileDontExist(self.ca)
#else:
# ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
# ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '')
if self.checkcert == 'off':
ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
# this is dark magic
# remove any of these two lines and it doesn't work
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
else:
# this is even darker magic
ldap_client.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# it doesn't make sense to set it to never (don't check certifate)
# but it only works with this option... and it checks the certificat
# (I've lost my sanity over this)
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
if self.starttls == 'on':
try:
ldap_client.start_tls_s()
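Review bot: The `else` branch of the `checkcert` test near the end of `_connect` sets the process-global `ldap.OPT_X_TLS_REQUIRE_CERT` to `OPT_X_TLS_NEVER` even when certificate checking was requested, and the `off` branch sets the same global; `ldap.set_option` is module-wide, so the value left behind depends on whichever `_connect` ran last and is inherited by every other python-ldap connection in the process (the `OPT_REFERRALS`/`OPT_TIMEOUT` calls moved from `ldap_client` to `ldap` have the same scope). The "dark magic" comments suggest the per-connection options were observed not to take effect; in python-ldap, per-connection `OPT_X_TLS_*` settings are only applied once `ldap_client.set_option(ldap.OPT_X_TLS_NEWCTX, 0)` is called after them and before the handshake (confirm the installed python-ldap exposes `OPT_X_TLS_NEWCTX`), which would let the two global `OPT_X_TLS_NEVER` calls be dropped and `OPT_X_TLS_DEMAND` stay on the connection in the checking branch. I would replace the three "dark magic" comments with one that states the intent, e.g. `# per-connection TLS options take effect only after OPT_X_TLS_NEWCTX=0`. The `os.path.isfile` check is only reached when `checkcert == 'on'`, which looks intended, but a one-line comment saying so would help. `_connect` continues past the hunk.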
31 changes: 19 additions & 12 deletions tests/test_BackendLdap.py
Expand Up @@ -7,7 +7,7 @@
import pytest
import sys
from sets import Set
from ldapcherry.backend.backendLdap import Backend, DelUserDontExists
from ldapcherry.backend.backendLdap import Backend, DelUserDontExists, CaFileDontExist
from ldapcherry.exceptions import *
from disable import travis_disabled
import cherrypy
Expand All @@ -21,7 +21,7 @@
'binddn' : 'cn=dnscherry,dc=example,dc=org',
'password' : 'password',
'uri' : 'ldap://ldap.dnscherry.org:390',
'ca' : './test/cfg/ca.crt',
'ca' : './tests/test_env/etc/ldapcherry/TEST-cacert.pem',
'starttls' : 'off',
'checkcert' : 'off',
'user_filter_tmpl' : '(uid=%(username)s)',
Expand All @@ -46,7 +46,6 @@ def testNominal(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
return True

@travis_disabled
def testConnectSSLNoCheck(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
Expand All @@ -61,7 +60,6 @@ def testConnect(self):
ldap.simple_bind_s(inv.binddn, inv.bindpassword)
return True

@travis_disabled
def testConnectSSL(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.dnscherry.org:637'
Expand All @@ -75,28 +73,40 @@ def testLdapUnavaible(self):
cfg2['uri'] = 'ldaps://notaldap:637'
cfg2['checkcert'] = 'on'
inv = Backend(cfg2, cherrypy.log, 'ldap', attr, 'uid')
ldapc = inv._connect()
try:
ldapc = inv._connect()
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
except ldap.SERVER_DOWN as e:
return
else:
raise AssertionError("expected an exception")

@travis_disabled
def testMissingCA(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.dnscherry.org:637'
cfg2['checkcert'] = 'on'
cfg2['ca'] = './test/cfg/not_a_ca.crt'
try:
inv = Backend(cfg2, cherrypy.log, 'ldap', attr, 'uid')
ldapc = inv._connect()
except CaFileDontExist as e:
return
else:
raise AssertionError("expected an exception")

def testConnectSSLWrongCA(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldaps://ldap.ldapcherry.org:637'
cfg2['checkcert'] = 'on'
cfg2['ca'] = './test/cfg/wrong_ca.crt'
inv = Backend(cfg2, cherrypy.log, 'ldap', attr, 'uid')
ldapc = inv._connect()
try:
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
except ldap.SERVER_DOWN as e:
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
else:
raise AssertionError("expected an exception")

@travis_disabled
def testConnectStartTLS(self):
cfg2 = cfg.copy()
cfg2['uri'] = 'ldap://ldap.ldapcherry.org:390'
Expand All @@ -105,10 +115,7 @@ def testConnectStartTLS(self):
cfg2['ca'] = './test/cfg/ca.crt'
inv = Backend(cfg2, cherrypy.log, 'ldap', attr, 'uid')
ldapc = inv._connect()
try:
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)
except ldap.SERVER_DOWN as e:
assert e[0]['info'] == 'TLS: hostname does not match CN in peer certificate'
ldapc.simple_bind_s(inv.binddn, inv.bindpassword)

def testAuthSuccess(self):
inv = Backend(cfg, cherrypy.log, 'ldap', attr, 'uid')
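Review bot: `testConnectSSLWrongCA` accepts only `'TLS: hostname does not match CN in peer certificate'` as the failure, which is a name-mismatch error rather than a trust-chain failure, so the test can pass without demonstrating that a certificate issued by an unknown CA is rejected; if the intent is to exercise CA validation, the assertion should accept a certificate-verification failure in the `info` string, with a comment such as `# a wrong CA must fail chain validation, not just the hostname check`, and a hostname-mismatch case would then be a separate test using the correct CA. Unlike `testMissingCA`, this test also leaves `inv._connect()` outside the `try`, so a connect-time failure surfaces as an unrelated error instead of the assertion. `testMissingCA`'s path `'./test/cfg/not_a_ca.crt'` is relative to the runner's working directory, which is fine for a must-not-exist check but deserves a one-line comment saying so.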
