Actually authentify against LDAP password

2020-08-19 13:49:38 +02:00 · 2020-08-19 13:49:38 +02:00 · ccbe66de94
commit ccbe66de94
parent 5dca97106b
5 changed files with 18 additions and 8 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -1,10 +1,10 @@
 FROM python:3-alpine

-COPY requirements.txt /app/
+RUN adduser -D -h /app oauthserver
+COPY --chown=oauthserver:oauthserver . /app/
 RUN apk add curl libldap libffi su-exec
 RUN apk add --virtual .dev-dependencies gcc musl-dev openldap-dev libffi-dev
-RUN adduser -D -h /app oauthserver
-RUN pip install --requirement /app/requirements.txt
+RUN pip install /app/

 WORKDIR /app
 USER oauthserver
@ -13,6 +13,4 @@ ENV FLASK_APP=web
 ENV FLASK_ENV=development
 ENV AUTHLIB_INSECURE_TRANSPORT=1

-COPY --chown=oauthserver:oauthserver . /app/
-
 ENTRYPOINT [ "flask", "run", "--host", "0.0.0.0" ]
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -129,4 +129,7 @@ def client(app, slapd_connection):
 def user(app, slapd_connection):
    u = User(cn="John Doe", sn="Doe",)
    u.save(slapd_connection)
+    slapd_connection.passwd_s(
+        u.dn.encode("utf-8"), None, "correct horse battery staple".encode("utf-8"),
+    )
    return u
--- a/tests/test_authorization_code_flow.py
+++ b/tests/test_authorization_code_flow.py
@ -16,7 +16,7 @@ def test_success(testclient, slapd_connection, user, client):
    assert 200 == res.status_code

    res.form["login"] = user.name
-    res.form["password"] = "valid"
+    res.form["password"] = "correct horse battery staple"
    res = res.form.submit()
    assert 302 == res.status_code

--- a/tests/test_password_flow.py
+++ b/tests/test_password_flow.py
@ -8,7 +8,7 @@ def test_success(testclient, slapd_connection, user, client):
        params=dict(
            grant_type="password",
            username=user.name,
-            password="valid",
+            password="correct horse battery staple",
            scope="profile",
        ),
        headers={"Authorization": f"Basic {client_credentials(client)}"},
--- a/web/models.py
+++ b/web/models.py
@ -1,3 +1,4 @@
+import ldap
 import time
 import datetime
 from authlib.common.encoding import json_loads, json_dumps
@ -6,6 +7,7 @@ from authlib.oauth2.rfc6749 import (
    TokenMixin,
    AuthorizationCodeMixin,
 )
+from flask import current_app
 from .ldaputils import LDAPObjectHelper


@ -15,7 +17,14 @@ class User(LDAPObjectHelper):
    id = "cn"

    def check_password(self, password):
-        return password == "valid"
+        conn = ldap.initialize(current_app.config["LDAP"]["URI"])
+        try:
+            conn.simple_bind_s(self.dn, password)
+            return True
+        except ldap.INVALID_CREDENTIALS:
+            return False
+        finally:
+            conn.unbind_s()

    @property
    def name(self):