Make sure to escape LDAP queries

Fixes an issue in team sync with group names that contain `*` characters

Fixes https://www.pivotaltracker.com/story/show/144628235
Joseph Schorr 2017-05-01 14:00:54 -04:00
parent 02c4d75634
commit 30a681343f
2 changed files with 46 additions and 26 deletions


@ -46,7 +46,7 @@ def mock_ldap(requires_email=True):
'uid': ['testy'],
'userPassword': ['password'],
'mail': ['bar@baz.com'],
'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io'],
'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io', 'cn=*Guys,dc=quay,dc=io'],
},
'uid=someuser,ou=employees,dc=quay,dc=io': {
'dc': ['quay', 'io'],
@ -54,7 +54,7 @@ def mock_ldap(requires_email=True):
'uid': ['someuser'],
'userPassword': ['somepass'],
'mail': ['foo@bar.com'],
'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io'],
'memberOf': ['cn=AwesomeFolk,dc=quay,dc=io', 'cn=*Guys,dc=quay,dc=io'],
},
'uid=nomail,ou=employees,dc=quay,dc=io': {
'dc': ['quay', 'io'],
@ -235,7 +235,6 @@ class TestLDAP(unittest.TestCase):
self.assertIsNone(response)
self.assertEquals(err_msg, 'Invalid user')
def test_login_secondary(self):
with mock_ldap() as ldap:
# Verify we can login.
@ -246,6 +245,18 @@ class TestLDAP(unittest.TestCase):
(response, _) = ldap.confirm_existing_user('secondaryuser', 'somepass')
self.assertEquals(response.username, 'secondaryuser')
def test_invalid_wildcard(self):
with mock_ldap() as ldap:
# Verify we cannot login with a wildcard.
(response, err_msg) = ldap.verify_and_link_user('some*', 'somepass')
self.assertIsNone(response)
self.assertEquals(err_msg, 'Username not found')
# Verify we cannot confirm the user.
(response, err_msg) = ldap.confirm_existing_user('some*', 'somepass')
self.assertIsNone(response)
self.assertEquals(err_msg, 'Invalid user')
def test_invalid_password(self):
with mock_ldap() as ldap:
# Verify we cannot login with an invalid password.
@ -401,27 +412,28 @@ class TestLDAP(unittest.TestCase):
def test_iterate_group_members_with_pagination(self):
with mock_ldap() as ldap:
(it, err) = ldap.iterate_group_members({'group_dn': 'cn=AwesomeFolk'}, page_size=1)
self.assertIsNone(err)
for dn in ['cn=AwesomeFolk', 'cn=*Guys']:
(it, err) = ldap.iterate_group_members({'group_dn': dn}, page_size=1)
self.assertIsNone(err)
results = list(it)
self.assertEquals(2, len(results))
results = list(it)
self.assertEquals(2, len(results))
first = results[0][0]
second = results[1][0]
first = results[0][0]
second = results[1][0]
if first.id == 'testy':
testy, someuser = first, second
else:
testy, someuser = second, first
if first.id == 'testy':
testy, someuser = first, second
else:
testy, someuser = second, first
self.assertEquals('testy', testy.id)
self.assertEquals('testy', testy.username)
self.assertEquals('bar@baz.com', testy.email)
self.assertEquals('testy', testy.id)
self.assertEquals('testy', testy.username)
self.assertEquals('bar@baz.com', testy.email)
self.assertEquals('someuser', someuser.id)
self.assertEquals('someuser', someuser.username)
self.assertEquals('foo@bar.com', someuser.email)
self.assertEquals('someuser', someuser.id)
self.assertEquals('someuser', someuser.username)
self.assertEquals('foo@bar.com', someuser.email)
def test_check_group_lookup_args(self):
with mock_ldap() as ldap:
@ -435,6 +447,11 @@ class TestLDAP(unittest.TestCase):
self.assertTrue(result)
self.assertIsNone(err)
(result, err) = ldap.check_group_lookup_args({'group_dn': 'cn=*Guys'},
disable_pagination=True)
self.assertTrue(result)
self.assertIsNone(err)
def test_metadata(self):
with mock_ldap() as ldap:
assert 'base_dn' in ldap.service_metadata()
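Review bot: `test_invalid_wildcard` (the `@ -246,6 +245,18 @@` hunk) proves the escaping only for `*`; LDAP filter escaping also has to cover `(`, `)`, `\` and NUL, and none of those is exercised, so a regression that escaped only the asterisk would still pass this suite. Consider looping the two existing assertions over several inputs, e.g. `for username in ['some*', 'some(user)', 'some\\user']:` wrapping the `verify_and_link_user` / `confirm_existing_user` calls. The escaping implementation itself lives in the other changed file and is not visible in this section, so whether it handles the full RFC 4515 metacharacter set cannot be confirmed from here. A smaller style point: the new lines use `assertEquals`, a deprecated alias of `assertEqual`, though that matches the rest of the file. The enclosing `TestLDAP` class begins outside these hunks.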