canaille-globuzma/tests/backends/ldap/test_utils.py

import datetime
from unittest import mock

import ldap.dn
import pytest
from canaille.app import models
from canaille.app.configuration import ConfigurationException
from canaille.app.configuration import validate
from canaille.backends.ldap.backend import setup_ldap_models
from canaille.backends.ldap.ldapobject import LDAPObject
from canaille.backends.ldap.ldapobject import python_attrs_to_ldap
from canaille.backends.ldap.utils import ldap_to_python
from canaille.backends.ldap.utils import python_to_ldap
from canaille.backends.ldap.utils import Syntax


def test_object_creation(app, backend):
    user = models.User(
        formatted_name="Doe",  # leading space
        family_name="Doe",
        user_name="user",
        emails="john@doe.com",
    )
    assert not user.exists
    user.save()
    assert user.exists

    user = models.User.get(id=user.id)
    assert user.exists

    user.delete()


def test_repr(backend, foo_group, user):
    assert repr(foo_group) == "<Group display_name=foo>"
    assert repr(user) == "<User user_name=user>"


def test_dn_when_leading_space_in_id_attribute(testclient, backend):
    user = models.User(
        formatted_name=" Doe",  # leading space
        family_name=" Doe",
        user_name=" user",
        emails="john@doe.com",
    )
    user.save()

    assert ldap.dn.is_dn(user.dn)
    assert ldap.dn.dn2str(ldap.dn.str2dn(user.dn)) == user.dn
    assert user.dn == "uid=user,ou=users,dc=mydomain,dc=tld"

    assert user == models.User.get(user.identifier)
    assert user == models.User.get(user_name=user.identifier)
    assert user == models.User.get(id=user.dn)

    user.delete()


def test_special_chars_in_rdn(testclient, backend):
    user = models.User(
        formatted_name="#Doe",
        family_name="#Doe",
        user_name="#user",  # special char
        emails=["john@doe.com"],
    )
    user.save()

    assert ldap.dn.is_dn(user.dn)
    assert ldap.dn.dn2str(ldap.dn.str2dn(user.dn)) == user.dn
    assert user.dn == "uid=\\#user,ou=users,dc=mydomain,dc=tld"

    assert user == models.User.get(user.identifier)
    assert user == models.User.get(user_name=user.identifier)
    assert user == models.User.get(id=user.dn)

    user.delete()


def test_filter(backend, foo_group, bar_group):
    assert models.Group.query(display_name="foo") == [foo_group]
    assert models.Group.query(display_name="bar") == [bar_group]

    assert models.Group.query(display_name="foo") != 3

    assert models.Group.query(display_name=["foo"]) == [foo_group]
    assert models.Group.query(display_name=["bar"]) == [bar_group]

    assert set(models.Group.query(display_name=["foo", "bar"])) == {
        foo_group,
        bar_group,
    }


def test_ldap_to_python():
    assert (
        python_to_ldap(
            datetime.datetime(2000, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc),
            Syntax.GENERALIZED_TIME,
        )
        == b"20000102030405Z"
    )
    assert (
        python_to_ldap(
            datetime.datetime(
                2000,
                1,
                2,
                3,
                4,
                5,
                tzinfo=datetime.timezone(datetime.timedelta(days=-1, seconds=79200)),
            ),
            Syntax.GENERALIZED_TIME,
        )
        == b"20000102030405-0200"
    )
    assert (
        python_to_ldap(datetime.datetime.min, Syntax.GENERALIZED_TIME)
        == b"000001010000Z"
    )

    assert python_to_ldap(1337, Syntax.INTEGER) == b"1337"

    assert python_to_ldap(True, Syntax.BOOLEAN) == b"TRUE"
    assert python_to_ldap(False, Syntax.BOOLEAN) == b"FALSE"

    assert python_to_ldap("foobar", Syntax.DIRECTORY_STRING) == b"foobar"

    assert python_to_ldap(b"foobar", Syntax.JPEG) == b"foobar"


def test_python_to_ldap():
    assert ldap_to_python(
        b"20000102030405Z", Syntax.GENERALIZED_TIME
    ) == datetime.datetime(2000, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)
    assert ldap_to_python(
        b"20000102030405-0200", Syntax.GENERALIZED_TIME
    ) == datetime.datetime(
        2000,
        1,
        2,
        3,
        4,
        5,
        tzinfo=datetime.timezone(datetime.timedelta(days=-1, seconds=79200)),
    )
    assert (
        ldap_to_python(b"000001010000Z", Syntax.GENERALIZED_TIME)
        == datetime.datetime.min
    )

    assert ldap_to_python(b"1337", Syntax.INTEGER) == 1337

    assert ldap_to_python(b"TRUE", Syntax.BOOLEAN) is True
    assert ldap_to_python(b"FALSE", Syntax.BOOLEAN) is False

    assert ldap_to_python(b"foobar", Syntax.DIRECTORY_STRING) == "foobar"

    assert ldap_to_python(b"foobar", Syntax.JPEG) == b"foobar"


def test_operational_attribute_conversion(backend):
    assert "oauthClientName" in LDAPObject.ldap_object_attributes(backend)
    assert "invalidAttribute" not in LDAPObject.ldap_object_attributes(backend)

    assert python_attrs_to_ldap(
        {
            "oauthClientName": ["foobar_name"],
            "invalidAttribute": ["foobar"],
        }
    ) == {
        "oauthClientName": [b"foobar_name"],
        "invalidAttribute": [b"foobar"],
    }


def test_guess_object_from_dn(backend, testclient, foo_group):
    foo_group.members = [foo_group]
    foo_group.save()
    g = LDAPObject.get(id=foo_group.dn)
    assert isinstance(g, models.Group)
    assert g == foo_group
    assert g.cn == foo_group.cn

    ou = LDAPObject.get(id=f"{models.Group.base},{models.Group.root_dn}")
    assert isinstance(ou, LDAPObject)


def test_object_class_update(backend, testclient):
    testclient.app.config["BACKENDS"]["LDAP"]["USER_CLASS"] = ["inetOrgPerson"]
    setup_ldap_models(testclient.app.config)

    user1 = models.User(cn="foo1", sn="bar1", user_name="baz1")
    user1.save()

    assert user1.objectClass == ["inetOrgPerson"]
    assert models.User.get(id=user1.id).objectClass == ["inetOrgPerson"]

    testclient.app.config["BACKENDS"]["LDAP"]["USER_CLASS"] = [
        "inetOrgPerson",
        "extensibleObject",
    ]
    setup_ldap_models(testclient.app.config)

    user2 = models.User(cn="foo2", sn="bar2", user_name="baz2")
    user2.save()

    assert user2.objectClass == ["inetOrgPerson", "extensibleObject"]
    assert models.User.get(id=user2.id).objectClass == [
        "inetOrgPerson",
        "extensibleObject",
    ]

    user1 = models.User.get(id=user1.id)
    assert user1.objectClass == ["inetOrgPerson"]

    user1.save()
    assert user1.objectClass == ["inetOrgPerson", "extensibleObject"]
    assert models.User.get(id=user1.id).objectClass == [
        "inetOrgPerson",
        "extensibleObject",
    ]

    user1.delete()
    user2.delete()


def test_ldap_connection_no_remote(testclient, configuration):
    validate(configuration)


def test_ldap_connection_remote(testclient, configuration, backend):
    validate(configuration, validate_remote=True)


def test_ldap_connection_remote_ldap_unreachable(testclient, configuration):
    configuration["BACKENDS"]["LDAP"]["URI"] = "ldap://invalid-ldap.com"
    with pytest.raises(
        ConfigurationException,
        match=r"Could not connect to the LDAP server",
    ):
        validate(configuration, validate_remote=True)


def test_ldap_connection_remote_ldap_wrong_credentials(testclient, configuration):
    configuration["BACKENDS"]["LDAP"]["BIND_PW"] = "invalid-password"
    with pytest.raises(
        ConfigurationException,
        match=r"LDAP authentication failed with user",
    ):
        validate(configuration, validate_remote=True)


def test_ldap_cannot_create_users(testclient, configuration, backend):
    from canaille.core.models import User

    def fake_init(*args, **kwarg):
        raise ldap.INSUFFICIENT_ACCESS

    with mock.patch.object(User, "__init__", fake_init):
        with pytest.raises(
            ConfigurationException,
            match=r"cannot create users at",
        ):
            validate(configuration, validate_remote=True)


def test_ldap_cannot_create_groups(testclient, configuration, backend):
    from canaille.core.models import Group

    def fake_init(*args, **kwarg):
        raise ldap.INSUFFICIENT_ACCESS

    with mock.patch.object(Group, "__init__", fake_init):
        with pytest.raises(
            ConfigurationException,
            match=r"cannot create groups at",
        ):
            validate(configuration, validate_remote=True)


def test_login_placeholder(testclient):
    testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(uid={{ login }})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "jdoe"

    testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(cn={{ login }})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "John Doe"

    testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(mail={{ login }})"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "john@doe.com"

    testclient.app.config["BACKENDS"]["LDAP"][
        "USER_FILTER"
    ] = "(|(uid={{ login }})(mail={{ login }}))"
    placeholder = testclient.get("/login").form["login"].attrs["placeholder"]
    assert placeholder == "jdoe or john@doe.com"
unit tests: ldap utils 2022-12-14 23:03:01 +00:00			`import datetime`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from unittest import mock`
unit tests: ldap utils 2022-12-14 23:03:01 +00:00
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00			`import ldap.dn`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`import pytest`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`from canaille.app import models`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from canaille.app.configuration import ConfigurationException`
			`from canaille.app.configuration import validate`
			`from canaille.backends.ldap.backend import setup_ldap_models`
			`from canaille.backends.ldap.ldapobject import LDAPObject`
			`from canaille.backends.ldap.ldapobject import python_attrs_to_ldap`
			`from canaille.backends.ldap.utils import ldap_to_python`
			`from canaille.backends.ldap.utils import python_to_ldap`
			`from canaille.backends.ldap.utils import Syntax`
Issue 12 groups 2021-06-03 13:00:11 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_object_creation(app, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user = models.User(`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`formatted_name="Doe", # leading space`
			`family_name="Doe",`
			`user_name="user",`
Renamed User.email in User.emails 2023-06-22 13:14:07 +00:00			`emails="john@doe.com",`
Save one LDAP connection when calling save() 2023-03-09 12:00:17 +00:00			`)`
			`assert not user.exists`
			`user.save()`
			`assert user.exists`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user = models.User.get(id=user.id)`
Save one LDAP connection when calling save() 2023-03-09 12:00:17 +00:00			`assert user.exists`

			`user.delete()`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_repr(backend, foo_group, user):`
Renamed group attributes to match SCIM naming convention 2023-02-05 18:39:52 +00:00			`assert repr(foo_group) == "<Group display_name=foo>"`
Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`assert repr(user) == "<User user_name=user>"`
unit tests: ldap objects repr 2022-12-14 20:06:59 +00:00

ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`def test_dn_when_leading_space_in_id_attribute(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user = models.User(`
Renamed user attributes to match SCIM naming convention 2023-02-05 17:57:18 +00:00			`formatted_name=" Doe", # leading space`
ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`family_name=" Doe",`
			`user_name=" user",`
Renamed User.email in User.emails 2023-06-22 13:14:07 +00:00			`emails="john@doe.com",`
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`user.save()`
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00
			`assert ldap.dn.is_dn(user.dn)`
			`assert ldap.dn.dn2str(ldap.dn.str2dn(user.dn)) == user.dn`
Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`assert user.dn == "uid=user,ou=users,dc=mydomain,dc=tld"`
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00
ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`assert user == models.User.get(user.identifier)`
			`assert user == models.User.get(user_name=user.identifier)`
			`assert user == models.User.get(id=user.dn)`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`user.delete()`
Test refactoring 2022-05-18 09:31:26 +00:00
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00
ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`def test_special_chars_in_rdn(testclient, backend):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user = models.User(`
ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`formatted_name="#Doe",`
			`family_name="#Doe",`
			`user_name="#user", # special char`
			`emails=["john@doe.com"],`
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00			`)`
Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`user.save()`
fix dn in case of leading space or special char in id attribute according to openldap doc, the default is to silently eliminate spaces around AVA separators, RDN component separators and RDN separators https://www.openldap.org/software/man.cgi?query=ldap_str2dn 2022-03-02 17:31:48 +00:00
			`assert ldap.dn.is_dn(user.dn)`
			`assert ldap.dn.dn2str(ldap.dn.str2dn(user.dn)) == user.dn`
Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`assert user.dn == "uid=\\#user,ou=users,dc=mydomain,dc=tld"`
Test refactoring 2022-05-18 09:31:26 +00:00
ldap backend: make sure to escape special chars in object identifiers 2023-06-28 16:31:17 +00:00			`assert user == models.User.get(user.identifier)`
			`assert user == models.User.get(user_name=user.identifier)`
			`assert user == models.User.get(id=user.dn)`

Refactored tests so ldap connection is not a mandatory argument anymore for most LDAPObject methods 2022-05-08 14:31:17 +00:00			`user.delete()`
unit tests: ldap utils 2022-12-14 23:03:01 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_filter(backend, foo_group, bar_group):`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.Group.query(display_name="foo") == [foo_group]`
			`assert models.Group.query(display_name="bar") == [bar_group]`
unit tests: ldap filter tests 2022-12-14 23:15:10 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.Group.query(display_name="foo") != 3`
LDAPObject pagination performance improvements Creates a LDAPObjectQuery class that is returned by LDAPObject.filter This avoids to create objects for each ldap result, but only for the asked slice. It also store the whole results length so `len` calls are a bit faster. 2023-03-02 17:35:26 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.Group.query(display_name=["foo"]) == [foo_group]`
			`assert models.Group.query(display_name=["bar"]) == [bar_group]`
unit tests: ldap filter tests 2022-12-14 23:15:10 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert set(models.Group.query(display_name=["foo", "bar"])) == {`
			`foo_group,`
			`bar_group,`
			`}`
unit tests: ldap filter tests 2022-12-14 23:15:10 +00:00

unit tests: ldap utils 2022-12-14 23:03:01 +00:00			`def test_ldap_to_python():`
			`assert (`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`python_to_ldap(`
			`datetime.datetime(2000, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc),`
			`Syntax.GENERALIZED_TIME,`
			`)`
			`== b"20000102030405Z"`
unit tests: ldap utils 2022-12-14 23:03:01 +00:00			`)`
			`assert (`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`python_to_ldap(`
			`datetime.datetime(`
			`2000,`
			`1,`
			`2,`
			`3,`
			`4,`
			`5,`
			`tzinfo=datetime.timezone(datetime.timedelta(days=-1, seconds=79200)),`
			`),`
			`Syntax.GENERALIZED_TIME,`
			`)`
			`== b"20000102030405-0200"`
			`)`
			`assert (`
			`python_to_ldap(datetime.datetime.min, Syntax.GENERALIZED_TIME)`
			`== b"000001010000Z"`
unit tests: ldap utils 2022-12-14 23:03:01 +00:00			`)`

			`assert python_to_ldap(1337, Syntax.INTEGER) == b"1337"`

			`assert python_to_ldap(True, Syntax.BOOLEAN) == b"TRUE"`
			`assert python_to_ldap(False, Syntax.BOOLEAN) == b"FALSE"`

			`assert python_to_ldap("foobar", Syntax.DIRECTORY_STRING) == b"foobar"`

			`assert python_to_ldap(b"foobar", Syntax.JPEG) == b"foobar"`


			`def test_python_to_ldap():`
			`assert ldap_to_python(`
			`b"20000102030405Z", Syntax.GENERALIZED_TIME`
Properly handle LDAP date timezones 2023-03-17 23:38:56 +00:00			`) == datetime.datetime(2000, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)`
			`assert ldap_to_python(`
			`b"20000102030405-0200", Syntax.GENERALIZED_TIME`
			`) == datetime.datetime(`
			`2000,`
			`1,`
			`2,`
			`3,`
			`4,`
			`5,`
			`tzinfo=datetime.timezone(datetime.timedelta(days=-1, seconds=79200)),`
			`)`
unit tests: ldap utils 2022-12-14 23:03:01 +00:00			`assert (`
			`ldap_to_python(b"000001010000Z", Syntax.GENERALIZED_TIME)`
			`== datetime.datetime.min`
			`)`

			`assert ldap_to_python(b"1337", Syntax.INTEGER) == 1337`

			`assert ldap_to_python(b"TRUE", Syntax.BOOLEAN) is True`
			`assert ldap_to_python(b"FALSE", Syntax.BOOLEAN) is False`

			`assert ldap_to_python(b"foobar", Syntax.DIRECTORY_STRING) == "foobar"`

			`assert ldap_to_python(b"foobar", Syntax.JPEG) == b"foobar"`
Fixed LDAP operational attributes handling 2022-12-15 11:41:31 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_operational_attribute_conversion(backend):`
			`assert "oauthClientName" in LDAPObject.ldap_object_attributes(backend)`
			`assert "invalidAttribute" not in LDAPObject.ldap_object_attributes(backend)`
Fixed LDAP operational attributes handling 2022-12-15 11:41:31 +00:00
LDAPObject refactoring 2023-03-09 00:14:07 +00:00			`assert python_attrs_to_ldap(`
Fixed LDAP operational attributes handling 2022-12-15 11:41:31 +00:00			`{`
			`"oauthClientName": ["foobar_name"],`
			`"invalidAttribute": ["foobar"],`
			`}`
			`) == {`
			`"oauthClientName": [b"foobar_name"],`
			`"invalidAttribute": [b"foobar"],`
			`}`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_guess_object_from_dn(backend, testclient, foo_group):`
Fixes calls to the LDAP 'Group.member' attribute 2023-05-12 22:24:24 +00:00			`foo_group.members = [foo_group]`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`foo_group.save()`
Used 'id' instead of 'dn' 2023-02-05 18:08:25 +00:00			`g = LDAPObject.get(id=foo_group.dn)`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert isinstance(g, models.Group)`
LDAPObject dn attributes are automatically initialized 2023-03-08 22:53:53 +00:00			`assert g == foo_group`
			`assert g.cn == foo_group.cn`

Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`ou = LDAPObject.get(id=f"{models.Group.base},{models.Group.root_dn}")`
Fixes calls to the LDAP 'Group.member' attribute 2023-05-12 22:24:24 +00:00			`assert isinstance(ou, LDAPObject)`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00

Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_object_class_update(backend, testclient):`
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`testclient.app.config["BACKENDS"]["LDAP"]["USER_CLASS"] = ["inetOrgPerson"]`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`setup_ldap_models(testclient.app.config)`

Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`user1 = models.User(cn="foo1", sn="bar1", user_name="baz1")`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`user1.save()`

			`assert user1.objectClass == ["inetOrgPerson"]`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.User.get(id=user1.id).objectClass == ["inetOrgPerson"]`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00
Moved LDAP configuration entry to BACKENDS.LDAP 2023-04-10 18:31:54 +00:00			`testclient.app.config["BACKENDS"]["LDAP"]["USER_CLASS"] = [`
			`"inetOrgPerson",`
			`"extensibleObject",`
			`]`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`setup_ldap_models(testclient.app.config)`

Use a unique identifier to indentify users in URLS Previously we used the uid since we supposed this value was always valid, but some users user the mail attribute as the User RDN in their OpenLDAP installation, and do not have a uuid. 2023-06-27 15:41:00 +00:00			`user2 = models.User(cn="foo2", sn="bar2", user_name="baz2")`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`user2.save()`

			`assert user2.objectClass == ["inetOrgPerson", "extensibleObject"]`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.User.get(id=user2.id).objectClass == [`
			`"inetOrgPerson",`
			`"extensibleObject",`
			`]`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`user1 = models.User.get(id=user1.id)`
LDAPObject can have several objectClass 2023-03-11 18:46:12 +00:00			`assert user1.objectClass == ["inetOrgPerson"]`

			`user1.save()`
			`assert user1.objectClass == ["inetOrgPerson", "extensibleObject"]`
Moved every model import to canaille.models 2023-04-09 09:37:04 +00:00			`assert models.User.get(id=user1.id).objectClass == [`
			`"inetOrgPerson",`
			`"extensibleObject",`
			`]`
Properly delete users in ldap unit tests 2023-04-08 18:14:30 +00:00
			`user1.delete()`
			`user2.delete()`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00

			`def test_ldap_connection_no_remote(testclient, configuration):`
			`validate(configuration)`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_ldap_connection_remote(testclient, configuration, backend):`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`validate(configuration, validate_remote=True)`


			`def test_ldap_connection_remote_ldap_unreachable(testclient, configuration):`
			`configuration["BACKENDS"]["LDAP"]["URI"] = "ldap://invalid-ldap.com"`
			`with pytest.raises(`
			`ConfigurationException,`
			`match=r"Could not connect to the LDAP server",`
			`):`
			`validate(configuration, validate_remote=True)`


			`def test_ldap_connection_remote_ldap_wrong_credentials(testclient, configuration):`
			`configuration["BACKENDS"]["LDAP"]["BIND_PW"] = "invalid-password"`
			`with pytest.raises(`
			`ConfigurationException,`
			`match=r"LDAP authentication failed with user",`
			`):`
			`validate(configuration, validate_remote=True)`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_ldap_cannot_create_users(testclient, configuration, backend):`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from canaille.core.models import User`

			`def fake_init(args, *kwarg):`
			`raise ldap.INSUFFICIENT_ACCESS`

			`with mock.patch.object(User, "__init__", fake_init):`
			`with pytest.raises(`
			`ConfigurationException,`
			`match=r"cannot create users at",`
			`):`
			`validate(configuration, validate_remote=True)`


Refactored the unit test backend fixtures 2023-05-20 15:17:46 +00:00			`def test_ldap_cannot_create_groups(testclient, configuration, backend):`
Moved canaille.ldap_backend to canaille.backends.ldap 2023-04-08 18:09:52 +00:00			`from canaille.core.models import Group`

			`def fake_init(args, *kwarg):`
			`raise ldap.INSUFFICIENT_ACCESS`

			`with mock.patch.object(Group, "__init__", fake_init):`
			`with pytest.raises(`
			`ConfigurationException,`
			`match=r"cannot create groups at",`
			`):`
			`validate(configuration, validate_remote=True)`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00

			`def test_login_placeholder(testclient):`
USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(uid={{ login }})"`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "jdoe"`

USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(cn={{ login }})"`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "John Doe"`

USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`testclient.app.config["BACKENDS"]["LDAP"]["USER_FILTER"] = "(mail={{ login }})"`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "john@doe.com"`

			`testclient.app.config["BACKENDS"]["LDAP"][`
			`"USER_FILTER"`
USER_FILTER is parsed with jinja 2023-07-04 16:34:16 +00:00			`] = "(\|(uid={{ login }})(mail={{ login }}))"`
Moved login placeholder mechanism in the backend module 2023-04-10 11:59:39 +00:00			`placeholder = testclient.get("/login").form["login"].attrs["placeholder"]`
			`assert placeholder == "jdoe or john@doe.com"`