SECURITY FIX FOR LDAP

It appears the recent migration of the LDAP code and the addition of a check for the admin username/password being invalid *broke the LDAP password check*, allowing any password to succeed for login. This fixes the problem, adds unit tests to verify the fix and adds some tests to our other external auth test suite.

A release will be needed immediately along with an announcement
This commit is contained in:
Joseph Schorr 2015-08-18 12:15:40 -04:00
parent c3518c2c99
commit 0854d20cbd
3 changed files with 34 additions and 11 deletions


@ -114,6 +114,9 @@ class JWTAuthTestCase(LiveServerTestCase):
self.assertIsNotNone(result)
# Confirm a user with the same internal and external username.
result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'invalidpassword')
self.assertIsNone(result)
result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'password')
self.assertIsNotNone(result)
self.assertEquals('cooluser', result.username)
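Review bot: the new negative check `result, _ = self.jwt_auth.confirm_existing_user('cooluser', 'invalidpassword')` discards the second return value and only asserts that `result` is None, so it passes whenever confirmation fails for any reason, not specifically because the password was rejected; capture the error value and assert on it too, so the test pins the behaviour the commit message describes (wrong password must be refused) rather than just "did not succeed". Note also that this hunk exercises `JWTAuthTestCase`, so the LDAP regression named in the message is not covered here; the corresponding LDAP test must live in one of the other changed files, and it should follow the same pattern of asserting on the wrong-password case before the correct-password case.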