globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

Actually authentify against LDAP password

Browse source
This commit is contained in:
Éloi Rivard 2020-08-19 13:49:38 +02:00
parent 5dca97106b
commit ccbe66de94
5 changed files with 18 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docker/Dockerfile
View file

@ -1,10 +1,10 @@
FROM python:3-alpine FROM python:3-alpine
COPY requirements.txt /app/ RUN adduser -D -h /app oauthserver
COPY --chown=oauthserver:oauthserver . /app/
RUN apk add curl libldap libffi su-exec RUN apk add curl libldap libffi su-exec
RUN apk add --virtual .dev-dependencies gcc musl-dev openldap-dev libffi-dev RUN apk add --virtual .dev-dependencies gcc musl-dev openldap-dev libffi-dev
RUN adduser -D -h /app oauthserver RUN pip install /app/
RUN pip install --requirement /app/requirements.txt
WORKDIR /app WORKDIR /app
USER oauthserver USER oauthserver
@ -13,6 +13,4 @@ ENV FLASK_APP=web
ENV FLASK_ENV=development ENV FLASK_ENV=development
ENV AUTHLIB_INSECURE_TRANSPORT=1 ENV AUTHLIB_INSECURE_TRANSPORT=1
COPY --chown=oauthserver:oauthserver . /app/
ENTRYPOINT [ "flask", "run", "--host", "0.0.0.0" ] ENTRYPOINT [ "flask", "run", "--host", "0.0.0.0" ]

3
tests/conftest.py
View file

@ -129,4 +129,7 @@ def client(app, slapd_connection):
def user(app, slapd_connection): def user(app, slapd_connection):
u = User(cn="John Doe", sn="Doe",) u = User(cn="John Doe", sn="Doe",)
u.save(slapd_connection) u.save(slapd_connection)
slapd_connection.passwd_s(
u.dn.encode("utf-8"), None, "correct horse battery staple".encode("utf-8"),
)
return u return u

2
tests/test_authorization_code_flow.py
View file

@ -16,7 +16,7 @@ def test_success(testclient, slapd_connection, user, client):
assert 200 == res.status_code assert 200 == res.status_code
res.form["login"] = user.name res.form["login"] = user.name
res.form["password"] = "valid" res.form["password"] = "correct horse battery staple"
res = res.form.submit() res = res.form.submit()
assert 302 == res.status_code assert 302 == res.status_code

2
tests/test_password_flow.py
View file

@ -8,7 +8,7 @@ def test_success(testclient, slapd_connection, user, client):
params=dict( params=dict(
grant_type="password", grant_type="password",
username=user.name, username=user.name,
password="valid", password="correct horse battery staple",
scope="profile", scope="profile",
), ),
headers={"Authorization": f"Basic {client_credentials(client)}"}, headers={"Authorization": f"Basic {client_credentials(client)}"},

11
web/models.py
View file

@ -1,3 +1,4 @@
import ldap
import time import time
import datetime import datetime
from authlib.common.encoding import json_loads, json_dumps from authlib.common.encoding import json_loads, json_dumps
@ -6,6 +7,7 @@ from authlib.oauth2.rfc6749 import (
TokenMixin, TokenMixin,
AuthorizationCodeMixin, AuthorizationCodeMixin,
) )
from flask import current_app
from .ldaputils import LDAPObjectHelper from .ldaputils import LDAPObjectHelper
@ -15,7 +17,14 @@ class User(LDAPObjectHelper):
id = "cn" id = "cn"
def check_password(self, password): def check_password(self, password):
return password == "valid" conn = ldap.initialize(current_app.config["LDAP"]["URI"])
try:
conn.simple_bind_s(self.dn, password)
return True
except ldap.INVALID_CREDENTIALS:
return False
finally:
conn.unbind_s()
@property @property
def name(self): def name(self):