From daa860f8f080cb4236ad65ec52253ed10b13c447 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Tue, 18 Mar 2014 09:21:13 +0000
Subject: [PATCH] when ASPs are enabled, standard password should not work
 anymore

---
 authserv/auth.py                           |  2 +
 authserv/test/fixtures/test-user-totp.ldif |  2 +-
 authserv/test/test_auth_ldap.py            | 58 ++++++++++++++++++----
 3 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/authserv/auth.py b/authserv/auth.py
index 237f3ca..f62993a 100644
--- a/authserv/auth.py
+++ b/authserv/auth.py
@@ -37,6 +37,8 @@ def authenticate(user, service, password, otp_token):
         if _check_app_specific_password(user.get_app_specific_passwords(service),
                                         password) == protocol.OK:
             return protocol.OK
+        else:
+            return protocol.ERR_AUTHENTICATION_FAILURE
 
     if user.otp_enabled():
         if not otp_token:
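Review bot: The added `else:` is redundant after the `return protocol.OK` in the preceding branch; `return protocol.ERR_AUTHENTICATION_FAILURE` can follow the `if` block directly at the same indentation, which is the usual guard-clause shape. A why-comment would also help, since this is the line that enforces the commit's policy, e.g. `# ASPs are configured for this service: only an ASP is accepted, the primary password (with or without OTP) is rejected`. Note that any non-OK result of `_check_app_specific_password` is now collapsed into ERR_AUTHENTICATION_FAILURE; if that helper can return more specific codes, returning its value directly would preserve them. The condition guarding the ASP check and the rest of `authenticate` lie outside the hunk, so I cannot confirm what triggers this branch.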
diff --git a/authserv/test/fixtures/test-user-totp.ldif b/authserv/test/fixtures/test-user-totp.ldif
index 4e917db..096deeb 100644
--- a/authserv/test/fixtures/test-user-totp.ldif
+++ b/authserv/test/fixtures/test-user-totp.ldif
@@ -20,6 +20,7 @@ givenName: Private
 shadowLastChange: 12345
 shadowWarning: 7
 userPassword:: e2NyeXB0fXp6WFVIZlVSbkdnOEk=
+totpSecret: 089421
 
 dn: mail=test@investici.org,uid=test@investici.org,ou=People,dc=investici,dc=org,o=Anarchy
 changetype: add
@@ -37,6 +38,5 @@ originalHost: latitanza
 userPassword:: e2NyeXB0fXp6WFVIZlVSbkdnOEk=
 recoverQuestion: question
 recoverAnswer:: e2NyeXB0fWFhd1IuamRHTVIwMTY=
-totpSecret: 089421
 appSpecificPassword:: bWFpbDokMSQkNXp2RTI5emVIOVc3S0sweVRPMERaMQ==
 
diff --git a/authserv/test/test_auth_ldap.py b/authserv/test/test_auth_ldap.py
index 9e72a4c..08fe57e 100644
--- a/authserv/test/test_auth_ldap.py
+++ b/authserv/test/test_auth_ldap.py
@@ -12,6 +12,10 @@ class LdapAuthTestBase(LdapTestBase):
             'base': 'ou=People,dc=investici,dc=org,o=Anarchy',
             'filter': '(&(status=active)(mail=%s))',
         },
+        'account': {
+            'dn': 'uid=%s,ou=People,dc=investici,dc=org,o=Anarchy',
+        },
+        'aliased-service': 'account',
     }
 
     def setUp(self):
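Review bot: The new `'dn': 'uid=%s,ou=People,...'` entry interpolates the login name into a DN template, whereas the existing `'mail'` service uses a search `filter`; whether the userdb escapes the substituted value per the DN rules (RFC 4514) before binding or searching is not visible in this hunk and should be confirmed, since the filter path and the dn path presumably need different escaping. A one-line comment on the entry, e.g. `# dn-template lookup: %s is the login name`, would make the distinction explicit for readers of the test config. The enclosing class body continues outside the hunk.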
@@ -28,6 +32,18 @@ class LdapAuthTest(LdapAuthTestBase):
         'test-user.ldif',
     ]
 
+    def test_userdb_get_user(self):
+        self.assertTrue(
+            self.userdb.get_user('test@investici.org', 'account'))
+
+    def test_userdb_unknown_service(self):
+        self.assertFalse(
+            self.userdb.get_user('test@investici.org', 'unknownservice'))
+
+    def test_userdb_service_alias(self):
+        self.assertTrue(
+            self.userdb.get_user('test@investici.org', 'aliased-service'))
+
     def test_auth_password_ok(self):
         u = self.userdb.get_user('test@investici.org', 'mail')
         self.assertTrue(u)
@@ -50,48 +66,68 @@ class LdapOtpTest(LdapAuthTestBase):
     ]
 
     def test_auth_password_requires_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_OTP_REQUIRED,
-            authenticate(u, 'mail', 'password', None))
+            authenticate(u, 'account', 'password', None))
 
     def test_auth_bad_password_requires_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_OTP_REQUIRED,
-            authenticate(u, 'mail', 'wrong password', None))
+            authenticate(u, 'account', 'wrong password', None))
 
     def test_auth_otp_ok(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         secret= '089421'
         token = totp(secret, format='dec6', period=30)
         self.assertEquals(
             protocol.OK,
-            authenticate(u, 'mail', 'password', str(token)))
+            authenticate(u, 'account', 'password', str(token)))
 
     def test_auth_otp_ok_bad_password(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         secret= '089421'
         token = totp(secret, format='dec6', period=30)
         self.assertEquals(
             protocol.ERR_AUTHENTICATION_FAILURE,
-            authenticate(u, 'mail', 'wrong password', str(token)))
+            authenticate(u, 'account', 'wrong password', str(token)))
 
     def test_auth_bad_otp(self):
-        u = self.userdb.get_user('test@investici.org', 'mail')
+        u = self.userdb.get_user('test@investici.org', 'account')
         self.assertTrue(u)
         self.assertEquals(
             protocol.ERR_AUTHENTICATION_FAILURE,
-            authenticate(u, 'mail', 'password', '123456'))
+            authenticate(u, 'account', 'password', '123456'))
 
-    def test_app_specific_password(self):
+
+class LdapASPTest(LdapAuthTestBase):
+
+    LDIFS = [
+        'test-user-totp.ldif',
+    ]
+
+    def test_app_specific_password_ok(self):
         u = self.userdb.get_user('test@investici.org', 'mail')
         self.assertTrue(u)
         self.assertEquals(
             protocol.OK,
             authenticate(u, 'mail', 'veryspecificpassword', None))
 
+    def test_plain_password_fails(self):
+        u = self.userdb.get_user('test@investici.org', 'mail')
+        self.assertTrue(u)
+        self.assertEquals(
+            protocol.ERR_AUTHENTICATION_FAILURE,
+            authenticate(u, 'mail', 'password', None))
+
+    def test_plain_password_and_otp_fails(self):
+        u = self.userdb.get_user('test@investici.org', 'mail')
+        self.assertTrue(u)
+        self.assertEquals(
+            protocol.ERR_AUTHENTICATION_FAILURE,
+            authenticate(u, 'mail', 'password', '123456'))
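Review bot: `test_plain_password_and_otp_fails` in the new `LdapASPTest` class only sends a bogus token (`'123456'`), and the fixture hunk for test-user-totp.ldif appears to move `totpSecret` away from the `test@investici.org` entry that carries `appSpecificPassword`, so the case the commit title describes — primary password rejected even when accompanied by a valid OTP — is presumably not exercised (a bad token would be rejected regardless). A test that computes a valid token with `totp(secret, format='dec6', period=30)` for a fixture entry holding both attributes and still expects ERR_AUTHENTICATION_FAILURE would pin the new behaviour; the sketch below assumes such a fixture entry exists. The same test-method shape is used throughout this hunk, so it could also be factored into a small helper. Separately, `assertEquals` is a deprecated alias of `assertEqual` in unittest; the new tests could use the canonical name even though the surrounding code does not.

```python
    def test_plain_password_with_valid_otp_fails(self):
        # NOTE(review): needs a fixture entry with both totpSecret and appSpecificPassword
        u = self.userdb.get_user('test@investici.org', 'mail')
        self.assertTrue(u)
        token = totp('089421', format='dec6', period=30)
        self.assertEquals(
            protocol.ERR_AUTHENTICATION_FAILURE,
            authenticate(u, 'mail', 'password', str(token)))
```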
-- 
GitLab