backends: cast username to unicode (fixes #31206)

src/authentic2_auth_kerberos/backends.py

@@ -6,7 +6,10 @@ except ImportError:
     ldap = None
 
 from django.core.exceptions import ImproperlyConfigured
+from django.utils import six
+
 from django_kerberos.backends import KerberosBackend
+
 from authentic2.backends.ldap_backend import LDAPBackend
 from authentic2.ldap_utils import FilterFormatter
 
@@ -72,6 +75,7 @@ class A2LdapKerberosBackend(LDAPBackend):
                 return user
 
     def authenticate_block(self, block, username, realm, logger):
+        username = six.text_type(username)
         if not block['principal_filter']:
             return
         if block['limit_to_realm'] and realm != block['realm']:

tests/test_ldap_backend.py

@@ -4,8 +4,6 @@ import pytest
 from ldaptools.slapd import Slapd
 
 
-pytestmark = pytest.mark.django_db
-
 @pytest.fixture
 def slapd(request, settings):
     slapd = Slapd(ldap_url=getattr(request, 'param', None))
@@ -27,20 +25,22 @@ uid: john.doe@entrouvert.com
     ]
     return slapd
 
-def test_authenticate_no_principal_filter(slapd):
+
+def test_authenticate_no_principal_filter(slapd, db):
     from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
 
     backend = A2LdapKerberosBackend()
     assert backend.authenticate(principal='john.doe@ENTROUVERT.COM') is None
 
-def test_authenticate_success(slapd, settings, django_user_model, caplog):
+
+def test_authenticate_success(slapd, db, settings, django_user_model, caplog):
     from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
 
     User = django_user_model
     settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={username}'
     backend = A2LdapKerberosBackend()
     with caplog.at_level(logging.INFO):
-        assert not backend.authenticate(principal='john.doe@ENTROUVERT.COM') is None
+        assert backend.authenticate(principal='john.doe@ENTROUVERT.COM') is not None
     user = User.objects.get()
     assert user.username == 'john.doe@ldap'
     assert user.email == 'john.doe@example.com'
@@ -54,7 +54,7 @@ def test_authenticate_principal_filter_with_realm(slapd, settings, django_user_m
     settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={username}@{realm}'
     backend = A2LdapKerberosBackend()
     with caplog.at_level(logging.INFO):
-        assert not backend.authenticate(principal='john.doe@ENTROUVERT.COM') is None
+        assert backend.authenticate(principal='john.doe@ENTROUVERT.COM') is not None
     user = User.objects.get()
     assert user.username == 'john.doe@ldap'
     assert user.email == 'john.doe@example.com'
@@ -64,7 +64,6 @@ def test_authenticate_principal_filter_with_realm(slapd, settings, django_user_m
 def test_authenticate_bad_principal_filter(slapd, settings, django_user_model, caplog):
     from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
 
-    User = django_user_model
     settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={user}'
     backend = A2LdapKerberosBackend()
     with caplog.at_level(logging.INFO):
@@ -73,10 +72,20 @@ def test_authenticate_bad_principal_filter(slapd, settings, django_user_model, c
     assert 'principal_filter does not' in caplog.text
 
 
+def test_authenticate_missing_realm_in_principal_filter(slapd, settings, django_user_model, caplog):
+    from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
+
+    settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={username}'
+    backend = A2LdapKerberosBackend()
+    with caplog.at_level(logging.INFO):
+        assert backend.authenticate(principal='foo.bar@ENTROUVERT.COM') is None
+    assert len(caplog.records) == 1
+    assert 'principal foo.bar@ENTROUVERT.COM not found' in caplog.text
+
+
 def test_authenticate_limit_to_realm_failure(slapd, settings, django_user_model, caplog):
     from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
 
-    User = django_user_model
     settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={username}'
     settings.LDAP_AUTH_SETTINGS[0]['limit_to_realm'] = True
     backend = A2LdapKerberosBackend()
@@ -93,18 +102,6 @@ def test_authenticate_limit_to_realm_success(slapd, settings, django_user_model)
     settings.LDAP_AUTH_SETTINGS[0]['limit_to_realm'] = True
     settings.LDAP_AUTH_SETTINGS[0]['realm'] = 'ENTROUVERT.COM'
     backend = A2LdapKerberosBackend()
-    assert not backend.authenticate(principal='john.doe@ENTROUVERT.COM') is None
+    assert backend.authenticate(principal='john.doe@ENTROUVERT.COM') is not None
     user = User.objects.get()
     assert user.username == 'john.doe@ENTROUVERT.COM'
-
-
-def test_authenticate_limit_to_realm_success(slapd, settings, django_user_model, caplog):
-    from authentic2_auth_kerberos.backends import A2LdapKerberosBackend
-
-    User = django_user_model
-    settings.LDAP_AUTH_SETTINGS[0]['principal_filter'] = 'uid={username}'
-    backend = A2LdapKerberosBackend()
-    with caplog.at_level(logging.INFO):
-        assert backend.authenticate(principal='foo.bar@ENTROUVERT.COM') is None
-    assert len(caplog.records) == 1
-    assert 'principal foo.bar@ENTROUVERT.COM not found' in caplog.text

tox.ini

@@ -6,7 +6,7 @@
 
 [tox]
 toxworkdir = {env:TMPDIR:/tmp}/tox-{env:USER}/authentic2-auth-kerberos/{env:BRANCH_NAME:}
-envlist = py27-coverage-{dj18,dj111}-{pg,sqlite},pylint
+envlist = py27-coverage-{dj18,dj111}-{pg,sqlite}-{oldldap,},pylint
 
 [testenv]
 whitelist_externals =
@@ -32,6 +32,7 @@ deps =
     pytest-django
     ldaptools
     http://git.entrouvert.org/authentic.git/snapshot/authentic-master.tar.bz2
+    oldldap: python-ldap<3
 commands =
     ./getlasso.sh
     py.test {env:COVERAGE:} -o junit_suite_name={envname} --junit-xml=junit-{envname}.xml {posargs:tests}