ldap: enable check hostname only for python-ldap 3.4+ (#69470)
This commit is contained in:
parent
ffa717479f
commit
66889cb417
|
@ -34,6 +34,8 @@ from passerelle.utils.templates import render_to_string
|
||||||
|
|
||||||
from . import forms
|
from . import forms
|
||||||
|
|
||||||
|
LDAP_HAS_OPT_X_TLS_REQUIRE_SAN = hasattr(ldap, 'OPT_X_TLS_REQUIRE_SAN') # only in python-ldap >= 3.4.0
|
||||||
|
|
||||||
SEARCH_OP_SUBSTRING = 'substring'
|
SEARCH_OP_SUBSTRING = 'substring'
|
||||||
SEARCH_OP_PREFIX = 'prefix'
|
SEARCH_OP_PREFIX = 'prefix'
|
||||||
SEARCH_OP_APPROX = 'approx'
|
SEARCH_OP_APPROX = 'approx'
|
||||||
|
@ -70,6 +72,9 @@ class Resource(BaseResource):
|
||||||
verbose_name=_('TLS check hostname'),
|
verbose_name=_('TLS check hostname'),
|
||||||
default=True,
|
default=True,
|
||||||
blank=True,
|
blank=True,
|
||||||
|
help_text=None
|
||||||
|
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN
|
||||||
|
else _('Warning: this option is actually not supported (python-ldap < 3.4)'),
|
||||||
)
|
)
|
||||||
ldap_tls_check_cert = models.BooleanField(
|
ldap_tls_check_cert = models.BooleanField(
|
||||||
verbose_name=_('TLS check certificate'),
|
verbose_name=_('TLS check certificate'),
|
||||||
|
@ -123,10 +128,11 @@ class Resource(BaseResource):
|
||||||
conn = ldap.initialize(self.ldap_url)
|
conn = ldap.initialize(self.ldap_url)
|
||||||
conn.set_option(ldap.OPT_TIMEOUT, 5)
|
conn.set_option(ldap.OPT_TIMEOUT, 5)
|
||||||
conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
|
conn.set_option(ldap.OPT_NETWORK_TIMEOUT, 5)
|
||||||
if self.ldap_tls_check_hostname:
|
if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:
|
||||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
|
if self.ldap_tls_check_hostname:
|
||||||
else:
|
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_DEMAND)
|
||||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
|
else:
|
||||||
|
conn.set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ldap.OPT_X_TLS_NEVER)
|
||||||
if self.ldap_tls_check_cert:
|
if self.ldap_tls_check_cert:
|
||||||
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
|
conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
|
||||||
else:
|
else:
|
||||||
|
|
|
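Review bot: In the third hunk (`@ -123,10 +128,11 @@`) the new outer `if LDAP_HAS_OPT_X_TLS_REQUIRE_SAN:` has no `else`, so a resource configured with `ldap_tls_check_hostname=True` on python-ldap < 3.4 silently connects without the SAN/hostname requirement and nothing at connection time records that verification was downgraded; the only hint is the form help text added in the second hunk, which an operator reading logs never sees. I would add `elif self.ldap_tls_check_hostname:` after the outer block and emit a warning there through the resource's logger (if it exposes one — not visible in the hunk), e.g. `'TLS check hostname is enabled but python-ldap < 3.4 does not support OPT_X_TLS_REQUIRE_SAN; not enforced'`. The module-level `hasattr` in the first hunk is evaluated once at import, so a comment such as `# evaluated at import time; a python-ldap upgrade needs a process restart` would help the next reader. The enclosing method starts and ends outside the hunk.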
@ -41,6 +41,7 @@ def app(app, admin_user):
|
||||||
|
|
||||||
def test_add(app, db, cert_content, key_content, resource_class):
|
def test_add(app, db, cert_content, key_content, resource_class):
|
||||||
response = app.get('/manage/ldap/add')
|
response = app.get('/manage/ldap/add')
|
||||||
|
assert 'this option is actually not supported' in response.text
|
||||||
response.form.set('slug', 'resource')
|
response.form.set('slug', 'resource')
|
||||||
response.form.set('title', 'resource')
|
response.form.set('title', 'resource')
|
||||||
response.form.set('description', 'resource')
|
response.form.set('description', 'resource')
|
||||||
|
@ -101,6 +102,11 @@ def test_missing_tls_cert(app, db, cert_content, key_content, resource_class):
|
||||||
response = response.form.submit(status=200)
|
response = response.form.submit(status=200)
|
||||||
|
|
||||||
|
|
||||||
|
def test_python_ldap_32(app, db):
|
||||||
|
response = app.get('/manage/ldap/add')
|
||||||
|
assert 'Warning: this option is actually not supported (python-ldap < 3.4)' in response.text
|
||||||
|
|
||||||
|
|
||||||
EXPORT_JSON = {
|
EXPORT_JSON = {
|
||||||
'resources': [
|
'resources': [
|
||||||
{
|
{
|
||||||
|
|
|
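Review bot: Both the assertion added to `test_add` (first hunk) and the new `test_python_ldap_32` (second hunk) expect the "not supported" warning unconditionally, so they pass only when the test environment runs python-ldap <= 3.2 and fail on any install where `LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` is true; meanwhile the branch that actually calls `set_option(ldap.OPT_X_TLS_REQUIRE_SAN, ...)` has no test at all. Guard the warning assertions with the constant, e.g. `@pytest.mark.skipif(LDAP_HAS_OPT_X_TLS_REQUIRE_SAN, reason='warning only shown for python-ldap < 3.4')` (assuming pytest is imported in this module), and add a counterpart test that forces the constant true and checks the option is set for both values of `ldap_tls_check_hostname`. With a dedicated test in place, the duplicated assertion in `test_add` could be dropped.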
@ -68,14 +68,12 @@ def test_server_unavailaible(app, resource):
|
||||||
'id_attribute': 'uid',
|
'id_attribute': 'uid',
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
assert response.json == {
|
assert response.json['err'] == 1
|
||||||
'data': [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}],
|
assert response.json['data'] == [{'disabled': True, 'id': '', 'text': 'Directory server is unavailable'}]
|
||||||
'err': 1,
|
assert response.json['err_class'] == 'directory-server-unavailable'
|
||||||
'err_class': 'directory-server-unavailable',
|
assert "'info': 'Transport endpoint is not connected'" in response.json['err_desc']
|
||||||
'err_desc': '{\'result\': -1, \'desc\': "Can\'t contact LDAP server", '
|
assert "'errno': 107" in response.json['err_desc']
|
||||||
"'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not "
|
assert "'desc': \"Can't contact LDAP server\"" in response.json['err_desc']
|
||||||
"connected'}",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def test_q(app, resource, ldap_server):
|
def test_q(app, resource, ldap_server):
|
||||||
|
|
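Review bot: The rewritten assertions still pin `'errno': 107` and `'Transport endpoint is not connected'` inside `err_desc`, which are the Linux errno value and glibc strerror text for ENOTCONN and may differ on other platforms or C libraries; since the rewrite exists to stop depending on python-ldap's exact error-dict formatting, those two substring checks are the remaining brittleness and could be reduced to the `'desc'` and `err_class` assertions the application controls. Splitting the exact-dict comparison into per-key asserts also drops the check that `response.json` has no unexpected keys; if that matters, add `assert set(response.json) == {'data', 'err', 'err_class', 'err_desc'}`.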
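--- a/tox.ini
+++ b/tox.ini
@@ -47,6 +47,7 @@ deps =
 zeep<3.3
 codestyle: pre-commit
 ldaptools
+python-ldap<=3.2 # align with Debian <= 11 (buster, bullseye)
 commands =
 ./get_wcs.sh
 py.test {posargs: --numprocesses {env:NUMPROCESSES:1} --dist loadfile {env:FAST:} {env:COVERAGE:} {env:JUNIT:} tests/}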
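Review bot: Pinning `python-ldap<=3.2` here means the tox run only ever takes the `not LDAP_HAS_OPT_X_TLS_REQUIRE_SAN` path, so the code that enforces `OPT_X_TLS_REQUIRE_SAN` — the security-relevant half of this commit — is never executed in CI, and versions between 3.2 and 3.4 are covered by neither branch. Consider a second factor in `[testenv]` (e.g. an `ldap34` factor installing `python-ldap>=3.4`) so both branches run, keeping the Debian-alignment comment on the `<=3.2` line. The `deps =` block starts outside the hunk.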