authorMichał Górny <mgorny@gentoo.org>2013-09-06 23:42:37 +0200
committerMichał Górny <mgorny@gentoo.org>2013-09-12 15:39:07 +0200
commita54332c523c8025c2a92199f609d84aa034a8905 (patch)
treef3b819e494a2cebac9d5ee5a14f909c984ee044a
parentMerge pull request #88 from tampakrap/templates (diff)
Use session identifiers for unique LDAP db aliases.
Since user binding is done per session, this should be both safer and cleaner.
-rw-r--r--okupy/common/ldap_helpers.py8
-rw-r--r--okupy/tests/unit/test_ldapuser.py6
2 files changed, 9 insertions, 5 deletions
diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py
index 27bc813..ff8cd97 100644
--- a/okupy/common/ldap_helpers.py
+++ b/okupy/common/ldap_helpers.py
@@ -25,7 +25,7 @@ def get_bound_ldapuser(request, password=None):
'Secondary password not available (no strong auth?)')
bound_cls = LDAPUser.bind_as(
- alias='ldap_%s' % username,
+ alias='ldap_%s' % request.session.cache_key,
username=username,
password=password,
)
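Review bot: The alias is now keyed on `request.session.cache_key`, but nothing in this diff removes the matching `settings.DATABASES` entry (which, as the updated tests show, holds the bind password in the clear) when the session ends, so every session leaves its credential in a process-global dict for the life of the worker; the "safer" in the commit message holds for alias collisions between concurrent sessions of one user, not for credential lifetime. I would pair this with a logout/session-flush hook that pops `'ldap_%s' % request.session.cache_key` from `settings.DATABASES` and from `django.db.connections`. `cache_key` is only defined on the cache-backed session stores, so a deployment on the db or file backend would raise AttributeError on this line — presumably the project pins the cache backend, but that is worth confirming or documenting here. Since the session key is a bearer credential, deriving the alias from a digest instead, e.g. `alias='ldap_%s' % hashlib.sha256(request.session.cache_key.encode()).hexdigest()`, would keep it out of any log line or traceback that names the connection alias. get_bound_ldapuser starts before this hunk.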
@@ -37,7 +37,8 @@ def set_secondary_password(request, password):
user = get_bound_ldapuser(request, password)
secondary_password = Random.get_random_bytes(48)
- request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ request.session['secondary_password'] = (
+ cipher.encrypt(secondary_password))
# Clean up possible leftover secondary passwords from the LDAP account
if len(user.password) > 1:
for hash in list(user.password):
@@ -48,7 +49,8 @@ def set_secondary_password(request, password):
# don't remove unknown hashes
pass
# Add a new generated encrypted password to LDAP
- user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
+ user.password.append(
+ ldap_md5_crypt.encrypt(b64encode(secondary_password)))
user.save()
diff --git a/okupy/tests/unit/test_ldapuser.py b/okupy/tests/unit/test_ldapuser.py
index f793009..a160571 100644
--- a/okupy/tests/unit/test_ldapuser.py
+++ b/okupy/tests/unit/test_ldapuser.py
@@ -57,13 +57,15 @@ class LDAPUserUnitTests(TestCase):
request.session['secondary_password'] = cipher.encrypt(
secondary_password)
get_bound_ldapuser(request)
- self.assertEqual(settings.DATABASES['ldap_alice']['PASSWORD'],
+ db_alias = 'ldap_%s' % request.session.cache_key
+ self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
b64encode(secondary_password))
def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
request = set_request('/', user=vars.USER_ALICE)
get_bound_ldapuser(request, password='ldaptest')
- self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES['ldap_alice'][
+ db_alias = 'ldap_%s' % request.session.cache_key
+ self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES[db_alias][
'PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
def test_get_bound_ldapuser_password_set(self):
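Review bot: Both tests read the bind password back from `settings.DATABASES[db_alias]` but neither removes the entry afterwards, and with session-keyed aliases each run now leaves a fresh entry holding that password in the process-wide settings; a `tearDown` doing `settings.DATABASES.pop('ldap_%s' % self.request.session.cache_key, None)` would keep the tests isolated. The property the commit claims — one alias per session — is not pinned by any assertion: a test that builds two requests with distinct sessions for the same user and asserts their aliases differ would state it directly. Re-deriving `'ldap_%s' % request.session.cache_key` by hand in each test also duplicates the format string from ldap_helpers, so a future change to the alias scheme would silently desynchronise the tests; exposing the alias from a small helper and using it on both sides avoids that. These tests also presuppose a cache-backed session store, since `cache_key` exists only there. The test class continues past this hunk.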