changeset 3657:2ef181f42a41

fix MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles and add a test for it
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 01 Jun 2008 18:50:00 +0200
parents 6060395dcdf1
children 97bb459d0873
files MoinMoin/auth/_tests/test_ldap_login.py MoinMoin/auth/ldap_login.py docs/CHANGES
diffstat 3 files changed, 57 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/auth/_tests/test_ldap_login.py	Sun Jun 01 18:25:06 2008 +0200
+++ b/MoinMoin/auth/_tests/test_ldap_login.py	Sun Jun 01 18:50:00 2008 +0200
@@ -10,6 +10,7 @@
 
 from MoinMoin._tests.ldap_testbase import LDAPTestBase, LdapEnvironment, check_environ
 from MoinMoin._tests.ldap_testdata import *
+from MoinMoin._tests import nuke_user
 
 # first check if we have python 2.4, python-ldap and slapd:
 msg = check_environ()
@@ -70,6 +71,58 @@
         # check if usera and userb have different ids:
         assert u1.id != u2.id
 
+class TestBugDefaultPasswd(LDAPTestBase):
+    basedn = BASEDN
+    rootdn = ROOTDN
+    rootpw = ROOTPW
+    slapd_config = SLAPD_CONFIG
+    ldif_content = LDIF_CONTENT
+
+    def teardown_class(self):
+        """ Stop slapd, remove LDAP server environment """
+        #self.ldap_env.stop_slapd()  # it is already stopped
+        self.ldap_env.destroy_env()
+
+    def testBugDefaultPasswd(self):
+        """ Login via LDAP (this creates user profile and up to 1.7.0rc1 it put
+            a default password there), then try logging in via moin login using
+            that default password or an empty password.
+        """
+        server_uri = self.ldap_env.slapd.url
+        base_dn = self.ldap_env.basedn
+
+        from MoinMoin.auth.ldap_login import LDAPAuth
+        ldap_auth = LDAPAuth(server_uri=server_uri, base_dn=base_dn)
+        from MoinMoin.auth import MoinAuth
+        moin_auth = MoinAuth()
+        self.config = self.TestConfig(auth=[ldap_auth, moin_auth], user_autocreate=True)
+
+        nuke_user(self.request, u'usera')
+
+        handle_auth = self.request.handle_auth
+
+        # do a LDAPAuth login (as a side effect, this autocreates the user profile):
+        u1 = handle_auth(None, username='usera', password='usera', login=True)
+        assert u1 is not None
+        assert u1.valid
+
+        # now we kill the LDAP server:
+        self.ldap_env.slapd.stop()
+
+        # now try a MoinAuth login:
+        # try the default password that worked in 1.7 up to rc1:
+        u2 = handle_auth(None, username='usera', password='{SHA}NotStored', login=True)
+        assert u2 is None
+
+        # try using no password:
+        u2 = handle_auth(None, username='usera', password='', login=True)
+        assert u2 is None
+
+        # try using wrong password:
+        u2 = handle_auth(None, username='usera', password='wrong', login=True)
+        assert u2 is None
+
+
 class TestComplexLdap:
     basedn = BASEDN
     rootdn = ROOTDN
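Review bot: The slapd stop on the `self.ldap_env.slapd.stop()` line runs only if the three statements before it succeed; if `assert u1 is not None` or `assert u1.valid` fails, the server is left running, and `teardown_class` has its `stop_slapd()` call commented out, so `destroy_env()` is then reached with slapd still up and the test environment is never cleaned. Wrapping the LDAP login and its assertions in try/finally keeps the stop unconditional, which is what the teardown comment "it is already stopped" relies on. Whether `slapd.stop()` tolerates a second call cannot be told from this hunk, so the teardown stays as it is. `teardown_class` also takes `self` although it is invoked per class rather than per instance, so `cls` would describe the argument better.
```python
        # do a LDAPAuth login (as a side effect, this autocreates the user profile):
        try:
            u1 = handle_auth(None, username='usera', password='usera', login=True)
            assert u1 is not None
            assert u1.valid
        finally:
            # kill the LDAP server even when the assertions fail, so teardown_class
            # can destroy the environment afterwards:
            self.ldap_env.slapd.stop()
        # … unchanged: MoinAuth login attempts with the dummy, empty and wrong password …
```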
--- a/MoinMoin/auth/ldap_login.py	Sun Jun 01 18:25:06 2008 +0200
+++ b/MoinMoin/auth/ldap_login.py	Sun Jun 01 18:50:00 2008 +0200
@@ -218,10 +218,10 @@
                 aliasname = aliasname.decode(coding)
 
                 if email:
-                    u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
+                    u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
                     u.email = email
                 else:
-                    u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
+                    u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
                 u.name = username
                 u.aliasname = aliasname
                 u.remember_me = 0 # 0 enforces cookie_lifetime config param
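Review bot: Dropping the `password="{SHA}NotStored"` argument on the two `user.User(...)` lines only stops new profiles from receiving the dummy value; profiles autocreated by earlier 1.7.0 builds still hold it on disk, and nothing in this changeset clears or migrates them, so the CHANGES entry should tell administrators to check existing LDAP-created user profiles. Since the omission is deliberate, a why-comment above the `if email:` branch would stop a later reader from re-adding a placeholder, e.g. `# no password is set here: the profile is authenticated via LDAP only; a dummy value was usable as a MoinAuth credential (see TestBugDefaultPasswd)`. The two calls now differ only in the `auth_attribs` tuple, so the branch could build the tuple and make a single `user.User(...)` call. The enclosing method starts and ends outside this hunk.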
--- a/docs/CHANGES	Sun Jun 01 18:25:06 2008 +0200
+++ b/docs/CHANGES	Sun Jun 01 18:50:00 2008 +0200
@@ -30,6 +30,8 @@
 Version 1.7.0current:
 
   Bug Fixes:
+    * Security Fix: fixed MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles
+      (bug was present since 1.7.0alpha).
     * Fix editor preview not working for new pages.
     * Add ssh protocol to url_schemas.
     * Fix PageList macro with search errors.