From ccbe66de94cb6df64c9e8952afd2ab4d26ed49bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Wed, 19 Aug 2020 13:49:38 +0200
Subject: [PATCH] Actually authentify against LDAP password

---
 docker/Dockerfile | 8 +++-----
 tests/conftest.py | 3 +++
 tests/test_authorization_code_flow.py | 2 +-
 tests/test_password_flow.py | 2 +-
 web/models.py | 11 ++++++++++-
 5 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index ee67d9f7..228a169c 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,10 +1,10 @@
 FROM python:3-alpine
-COPY requirements.txt /app/
+RUN adduser -D -h /app oauthserver
+COPY --chown=oauthserver:oauthserver . /app/
 RUN apk add curl libldap libffi su-exec
 RUN apk add --virtual .dev-dependencies gcc musl-dev openldap-dev libffi-dev
-RUN adduser -D -h /app oauthserver
-RUN pip install --requirement /app/requirements.txt
+RUN pip install /app/
 WORKDIR /app
 USER oauthserver
@@ -13,6 +13,4 @@ ENV FLASK_APP=web
 ENV FLASK_ENV=development
 ENV AUTHLIB_INSECURE_TRANSPORT=1
-COPY --chown=oauthserver:oauthserver . /app/
-
 ENTRYPOINT [ "flask", "run", "--host", "0.0.0.0" ]
diff --git a/tests/conftest.py b/tests/conftest.py
index 355a626b..1875a494 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -129,4 +129,7 @@ def client(app, slapd_connection):
 def user(app, slapd_connection):
     u = User(cn="John Doe", sn="Doe",)
     u.save(slapd_connection)
+    slapd_connection.passwd_s(
+        u.dn.encode("utf-8"), None, "correct horse battery staple".encode("utf-8"),
+    )
     return u
diff --git a/tests/test_authorization_code_flow.py b/tests/test_authorization_code_flow.py
index 42b0bd72..ef6f93be 100644
--- a/tests/test_authorization_code_flow.py
+++ b/tests/test_authorization_code_flow.py
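Review bot: Moving `COPY --chown=oauthserver:oauthserver . /app/` ahead of `RUN pip install /app/` in the first Dockerfile hunk makes every source edit invalidate the dependency-install layer, whereas the replaced `COPY requirements.txt /app/` + `RUN pip install --requirement /app/requirements.txt` pair only re-ran when the requirements changed. If the package itself has to be installed, keep a requirements-only layer first, e.g. `COPY requirements.txt /app/` then `RUN pip install --requirement /app/requirements.txt`, and run `RUN pip install /app/` after the full copy. The whole build context is now copied into the image before the root-run install step; whether `.git`, local env files or test data end up in that layer depends on a `.dockerignore` that is not in the diff, so worth confirming. Adjacent but not introduced here: `.dev-dependencies` is never removed with `apk del .dev-dependencies`, so the compiler toolchain ships in the final image.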
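Review bot: The password literal `"correct horse battery staple"` set by `passwd_s` in the conftest hunk is repeated verbatim in the `test_success` hunks of test_authorization_code_flow.py and test_password_flow.py, so a later change to the fixture would break both tests without the link being obvious. Define it once next to the fixture, e.g. `USER_PASSWORD = "correct horse battery staple"`, pass `USER_PASSWORD.encode("utf-8")` to `passwd_s`, and have both tests reference it. `passwd_s` issues the LDAP Password Modify extended operation, so the fixture now depends on the test slapd supporting it; a comment such as `# set the test user's password via the Password Modify extended op (RFC 3062)` would record that dependency. The `user` fixture's decorator presumably precedes the hunk.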
@@ -16,7 +16,7 @@ def test_success(testclient, slapd_connection, user, client):
     assert 200 == res.status_code
     res.form["login"] = user.name
-    res.form["password"] = "valid"
+    res.form["password"] = "correct horse battery staple"
     res = res.form.submit()
     assert 302 == res.status_code
diff --git a/tests/test_password_flow.py b/tests/test_password_flow.py
index dc76add4..993462ba 100644
--- a/tests/test_password_flow.py
+++ b/tests/test_password_flow.py
@@ -8,7 +8,7 @@ def test_success(testclient, slapd_connection, user, client):
         params=dict(
             grant_type="password",
             username=user.name,
-            password="valid",
+            password="correct horse battery staple",
             scope="profile",
         ),
         headers={"Authorization": f"Basic {client_credentials(client)}"},
diff --git a/web/models.py b/web/models.py
index 73efcd0f..9a21f83e 100644
--- a/web/models.py
+++ b/web/models.py
@@ -1,3 +1,4 @@
+import ldap
 import time
 import datetime
 from authlib.common.encoding import json_loads, json_dumps
@@ -6,6 +7,7 @@ from authlib.oauth2.rfc6749 import (
     TokenMixin,
     AuthorizationCodeMixin,
 )
+from flask import current_app
 from .ldaputils import LDAPObjectHelper
@@ -15,7 +17,14 @@ class User(LDAPObjectHelper):
     id = "cn"
     def check_password(self, password):
-        return password == "valid"
+        conn = ldap.initialize(current_app.config["LDAP"]["URI"])
+        try:
+            conn.simple_bind_s(self.dn, password)
+            return True
+        except ldap.INVALID_CREDENTIALS:
+            return False
+        finally:
+            conn.unbind_s()
     @property
     def name(self):
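Review bot: `check_password` in the third models.py hunk accepts an empty password on servers that permit unauthenticated binds, because `simple_bind_s(self.dn, "")` is the RFC 4513 §5.1.2 unauthenticated simple bind and succeeds without checking any credential; add `if not password: return False` before `ldap.initialize`. Only `ldap.INVALID_CREDENTIALS` is caught, so `ldap.SERVER_DOWN` and other `ldap.LDAPError`s propagate — that fails closed, which is right, but the contract should be stated, e.g. `"""Return True if *password* binds as this user's DN; raises ldap.LDAPError on server or connection failure."""`. Whether the credential crosses the wire in the clear depends on the scheme of `current_app.config["LDAP"]["URI"]`, which is outside the hunk; if it is `ldap://`, a `conn.start_tls_s()` before the bind (or an `ldaps://` URI) is needed. The enclosing `User` class begins outside the hunk.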