ldap: enable check hostname only for python-ldap 3.4+ (#69470)

2022-09-23 10:03:34 +02:00 · 2022-09-23 10:03:34 +02:00 · 66889cb417
parent ffa717479f
commit 66889cb417
4 changed files with 23 additions and 12 deletions
--- a/passerelle/apps/ldap/models.py
+++ b/passerelle/apps/ldap/models.py
@ -34,6 +34,8 @@ from passerelle.utils.templates import render_to_string

 from . import forms

+LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN')  # only in python-ldap >= 3.4.0
+
 SEARCH_OP_SUBSTRING = 'substring'
 SEARCH_OP_PREFIX = 'prefix'
 SEARCH_OP_APPROX = 'approx'
@ -70,6 +72,9 @@ class Resource(BaseResource):
        verbose_name=_('TLS check hostname'),
        default=True,
        blank=True,
+        help_text=None
+        if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN
+        else _('Warning: this option is actually not supported (python-ldap < 3.4)'),
    )
    ldap_tls_check_cert = models.BooleanField(
        verbose_name=_('TLS check certificate'),
@ -123,10 +128,11 @@ class Resource(BaseResource):
        conn = ldap.initialize(self.ldap_url)
        conn.set_option(ldap.OPT_TIMEOUT, 5)
        conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
-        if self.ldap_tls_check_hostname:
-            conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
-        else:
-            conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
+        if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:
+            if self.ldap_tls_check_hostname:
+                conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
+            else:
+                conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
        if self.ldap_tls_check_cert:
            conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        else:
--- a/tests/ldap/test_manager.py
+++ b/tests/ldap/test_manager.py
@ -41,6 +41,7 @@ def app(app, admin_user):

 def test_add(app, db, cert_content, key_content, resource_class):
    response = app.get('/manage/ldap/add')
+    assert 'this option is actually not supported' in response.text
    response.form.set('slug', 'resource')
    response.form.set('title', 'resource')
    response.form.set('description', 'resource')
@ -101,6 +102,11 @@ def test_missing_tls_cert(app, db, cert_content, key_content, resource_class):
    response = response.form.submit(status=200)


+def test_python_ldap_32(app, db):
+    response = app.get('/manage/ldap/add')
+    assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text
+
+
 EXPORT_JSON = {
    'resources': [
        {
--- a/tests/ldap/test_search_endpoint.py
+++ b/tests/ldap/test_search_endpoint.py
@ -68,14 +68,12 @@ def test_server_unavailaible(app, resource):
            'id_attribute': 'uid',
        },
    )
-    assert response.json == {
-        'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}],
-        'err': 1,
-        'err_class': 'directory-server-unavailable',
-        'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", '
-        "'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not "
-        "connected'}",
-    }
+    assert response.json['err'] == 1
+    assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}]
+    assert response.json['err_class'] == 'directory-server-unavailable'
+    assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc']
+    assert "'errno': 107" in response.json['err_desc']
+    assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc']


 def test_q(app, resource, ldap_server):
--- a/tox.ini
+++ b/tox.ini
@ -47,6 +47,7 @@ deps =
  zeep<3.3
  codestyle: pre-commit
  ldaptools
+  python-ldap<=3.2  # align with Debian <= 11 (buster, bullseye)
 commands =
  ./get_wcs.sh
  py.test {posargs: --numprocesses {env:NUMPROCESSES:1} --dist loadfile {env:FAST:} {env:COVERAGE:} {env:JUNIT:} tests/}