changeset 3657:2ef181f42a41
fix MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles and add a test for it
author | Thomas Waldmann <tw AT waldmann-edv DOT de> |
date | Sun, 01 Jun 2008 18:50:00 +0200 |
parents | 6060395dcdf1 |
children | 97bb459d0873 |
files | MoinMoin/auth/_tests/test_ldap_login.py MoinMoin/auth/ldap_login.py docs/CHANGES |
diffstat | 3 files changed, 57 insertions(+), 2 deletions(-) [+] |
--- a/MoinMoin/auth/_tests/test_ldap_login.py Sun Jun 01 18:25:06 2008 +0200
+++ b/MoinMoin/auth/_tests/test_ldap_login.py Sun Jun 01 18:50:00 2008 +0200
@@ -10,6 +10,7 @@
 from MoinMoin._tests.ldap_testbase import LDAPTestBase, LdapEnvironment, check_environ
 from MoinMoin._tests.ldap_testdata import *
 
+from MoinMoin._tests import nuke_user
 # first check if we have python 2.4, python-ldap and slapd:
 msg = check_environ()
 
@@ -70,6 +71,58 @@
     # check if usera and userb have different ids:
     assert u1.id != u2.id
 
+class TestBugDefaultPasswd(LDAPTestBase):
+    basedn = BASEDN
+    rootdn = ROOTDN
+    rootpw = ROOTPW
+    slapd_config = SLAPD_CONFIG
+    ldif_content = LDIF_CONTENT
+
+    def teardown_class(self):
+        """ Stop slapd, remove LDAP server environment """
+        #self.ldap_env.stop_slapd() # it is already stopped
+        self.ldap_env.destroy_env()
+
+    def testBugDefaultPasswd(self):
+        """ Login via LDAP (this creates user profile and up to 1.7.0rc1 it put
+        a default password there), then try logging in via moin login using
+        that default password or an empty password.
+        """
+        server_uri = self.ldap_env.slapd.url
+        base_dn = self.ldap_env.basedn
+
+        from MoinMoin.auth.ldap_login import LDAPAuth
+        ldap_auth = LDAPAuth(server_uri=server_uri, base_dn=base_dn)
+        from MoinMoin.auth import MoinAuth
+        moin_auth = MoinAuth()
+        self.config = self.TestConfig(auth=[ldap_auth, moin_auth], user_autocreate=True)
+
+        nuke_user(self.request, u'usera')
+
+        handle_auth = self.request.handle_auth
+
+        # do a LDAPAuth login (as a side effect, this autocreates the user profile):
+        u1 = handle_auth(None, username='usera', password='usera', login=True)
+        assert u1 is not None
+        assert u1.valid
+
+        # now we kill the LDAP server:
+        self.ldap_env.slapd.stop()
+
+        # now try a MoinAuth login:
+        # try the default password that worked in 1.7 up to rc1:
+        u2 = handle_auth(None, username='usera', password='{SHA}NotStored', login=True)
+        assert u2 is None
+
+        # try using no password:
+        u2 = handle_auth(None, username='usera', password='', login=True)
+        assert u2 is None
+
+        # try using wrong password:
+        u2 = handle_auth(None, username='usera', password='wrong', login=True)
+        assert u2 is None
+
+
 class TestComplexLdap:
     basedn = BASEDN
     rootdn = ROOTDN
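Review bot: If `assert u1 is not None` or `assert u1.valid` fails, the `self.ldap_env.slapd.stop()` call a few lines further down is never reached, and `teardown_class` has its own stop call commented out on the assumption that the test already did it, so a failing run leaves the fixture's slapd process running. Wrapping the two assertions in a `try`/`finally` that performs the stop keeps that teardown assumption true on the failure path too. The test also hard-codes `'{SHA}NotStored'`, which is the exact literal this changeset removes from `ldap_login.py`; a comment such as `# literal that ldap_login.py used to store as the profile password up to 1.7.0rc1` ties the two together so the test stays meaningful if either side is edited later.
```python
        # do a LDAPAuth login (as a side effect, this autocreates the user profile):
        u1 = handle_auth(None, username='usera', password='usera', login=True)
        try:
            assert u1 is not None
            assert u1.valid
        finally:
            # stop the LDAP server even when the assertions above fail;
            # teardown_class relies on slapd already being stopped here
            self.ldap_env.slapd.stop()
        # … unchanged: MoinAuth login attempts with the old default, empty and wrong password …
```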
--- a/MoinMoin/auth/ldap_login.py Sun Jun 01 18:25:06 2008 +0200
+++ b/MoinMoin/auth/ldap_login.py Sun Jun 01 18:50:00 2008 +0200
@@ -218,10 +218,10 @@
             aliasname = aliasname.decode(coding)
 
             if email:
-                u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
+                u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'email', 'mailto_author', ))
                 u.email = email
             else:
-                u = user.User(request, auth_username=username, password="{SHA}NotStored", auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
+                u = user.User(request, auth_username=username, auth_method=self.name, auth_attribs=('name', 'password', 'mailto_author', ))
             u.name = username
             u.aliasname = aliasname
             u.remember_me = 0 # 0 enforces cookie_lifetime config param
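Review bot: Dropping the `password="{SHA}NotStored"` keyword from both `user.User(...)` calls stops newly autocreated LDAP profiles from carrying a fixed, publicly known stored hash, but nothing in this changeset touches profiles that earlier releases already wrote; the CHANGES entry says the bug has existed since 1.7.0alpha, so unless a cleanup exists elsewhere those profiles presumably still hold that value and MoinAuth would still accept it for them (the new test only exercises a freshly created profile). A one-off profile migration, or a check in the MoinAuth path that rejects that exact stored value, would close that remaining gap. The fix also relies on two properties that are not visible here, that `user.User` leaves the password unset when the keyword is absent and that MoinAuth refuses a profile with no stored password, which the new lines should state, e.g. `# deliberately no password kwarg: the profile must not get a local password, LDAP stays the only way to log in`; likewise `'password'` staying in `auth_attribs` is what prevents the user from later setting a local one and deserves a short comment. The enclosing function starts and ends outside this hunk.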
--- a/docs/CHANGES Sun Jun 01 18:25:06 2008 +0200
+++ b/docs/CHANGES Sun Jun 01 18:50:00 2008 +0200
@@ -30,6 +30,8 @@
 
 Version 1.7.0current:
   Bug Fixes:
+    * Security Fix: fixed MoinMoinBugs/DummyPasswordInAutoCreatedLdapUserProfiles
+      (bug was present since 1.7.0alpha).
     * Fix editor preview not working for new pages.
     * Add ssh protocol to url_schemas.
     * Fix PageList macro with search errors.