SECURITY FIX FOR LDAP

It appears the recent migration of the LDAP code and add of a check for the admin username/password being invalid *broke the LDAP password check*, allowing any password to succeed for login. This fixes the problem, add unit tests to verify the fix and add some tests to our other external auth test suite.

A release will be needed immediately along with an announcement

test/test_external_jwt_authn.py

@@ -114,6 +114,9 @@ class JWTAuthTestCase(LiveServerTestCase):
     self.assertIsNotNone(result)
 
     # Confirm a user with the same internal and external username.
+    result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'invalidpassword')
+    self.assertIsNone(result)
+
     result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'password')
     self.assertIsNotNone(result)
     self.assertEquals('cooluser', result.username)

test/test_ldap.py

@@ -112,6 +112,17 @@ class TestLDAP(unittest.TestCase):
     (response, _) = self.ldap.confirm_existing_user('someuser', 'somepass')
     self.assertEquals(response.username, 'someuser')
 
+  def test_invalid_password(self):
+    # Verify we cannot login with an invalid password.
+    (response, err_msg) = self.ldap.verify_and_link_user('someuser', 'invalidpass')
+    self.assertIsNone(response)
+    self.assertEquals(err_msg, 'Invalid password')
+
+    # Verify we cannot confirm the user.
+    (response, err_msg) = self.ldap.confirm_existing_user('someuser', 'invalidpass')
+    self.assertIsNone(response)
+    self.assertEquals(err_msg, 'Invalid user')
+
   def test_missing_mail(self):
     (response, err_msg) = self.ldap.verify_and_link_user('nomail', 'somepass')
     self.assertIsNone(response)