From de6352ef734c7b103a8d2fc2fd2b633e3a356987 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 28 Apr 2017 17:09:47 -0400
Subject: [PATCH] Make sure we don't allow anonymous binding in LDAP auth
We already prevented it, but let's make sure we never allow it by adding some tests
---
 test/test_ldap.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/test/test_ldap.py b/test/test_ldap.py
index 46085fb54..4e35fd667 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
@@ -211,6 +211,31 @@ class TestLDAP(unittest.TestCase):
 (response, _) = ldap.confirm_existing_user('someuser', 'somepass')
 self.assertEquals(response.username, 'someuser')
 
+ def test_login_empty_password(self):
+ with mock_ldap() as ldap:
+ # Verify we cannot login.
+ (response, err_msg) = ldap.verify_and_link_user('someuser', '')
+ self.assertIsNone(response)
+ self.assertEquals(err_msg, 'Anonymous binding not allowed')
+
+ # Verify we cannot confirm the user.
+ (response, err_msg) = ldap.confirm_existing_user('someuser', '')
+ self.assertIsNone(response)
+ self.assertEquals(err_msg, 'Invalid user')
+
+ def test_login_whitespace_password(self):
+ with mock_ldap() as ldap:
+ # Verify we cannot login.
+ (response, err_msg) = ldap.verify_and_link_user('someuser', ' ')
+ self.assertIsNone(response)
+ self.assertEquals(err_msg, 'Invalid password')
+
+ # Verify we cannot confirm the user.
+ (response, err_msg) = ldap.confirm_existing_user('someuser', ' ')
+ self.assertIsNone(response)
+ self.assertEquals(err_msg, 'Invalid user')
+
+
 def test_login_secondary(self):
 with mock_ldap() as ldap:
 # Verify we can login.
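Review bot: The new assertions in both added tests use `assertEquals`, a deprecated alias of `assertEqual` that newer unittest releases warn on; `self.assertEqual(err_msg, 'Anonymous binding not allowed')` and the three sibling calls should use the canonical name, matching nothing else in the hunk since the surrounding context lines carry the same alias. The guard these tests pin is the application-side rejection of an empty or blank password, which is what keeps an LDAP unauthenticated bind (non-empty DN with an empty password) from being accepted as a successful login, so it is worth covering the other inputs that presumably reach the same path: a `None` password and other whitespace such as `'\t'` or `'\n'`, rather than only the single space in `test_login_whitespace_password`. Note that `mock_ldap` stands in for the server, so these tests verify the app-level check rather than the directory's bind policy — a one-line comment above `test_login_empty_password` saying so, e.g. `# Guards the app-side empty-password check; the mock does not model server bind policy.`, would prevent a later reader from assuming the server's behaviour is covered. The two methods return different messages for the same empty input ('Anonymous binding not allowed' versus 'Invalid user'); if that is intentional, a short comment on the second assertion explaining why confirm_existing_user reports the generic message would help.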