author | Michał Górny <mgorny@gentoo.org> | 2013-09-06 23:42:37 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-09-12 15:39:07 +0200 |
commit | a54332c523c8025c2a92199f609d84aa034a8905 (patch) | |
tree | f3b819e494a2cebac9d5ee5a14f909c984ee044a | |
parent | Merge pull request #88 from tampakrap/templates (diff) | |
Use session identifiers for unique LDAP db aliases.
Since user binding is done per session, this should be both safer and
cleaner.
-rw-r--r-- | okupy/common/ldap_helpers.py | 8 | ||||
-rw-r--r-- | okupy/tests/unit/test_ldapuser.py | 6 |
2 files changed, 9 insertions, 5 deletions
diff --git a/okupy/common/ldap_helpers.py b/okupy/common/ldap_helpers.py
index 27bc813..ff8cd97 100644
--- a/okupy/common/ldap_helpers.py
+++ b/okupy/common/ldap_helpers.py
@@ -25,7 +25,7 @@ def get_bound_ldapuser(request, password=None):
 'Secondary password not available (no strong auth?)')
 bound_cls = LDAPUser.bind_as(
- alias='ldap_%s' % username,
+ alias='ldap_%s' % request.session.cache_key,
 username=username,
 password=password,
 )
@@ -37,7 +37,8 @@ def set_secondary_password(request, password):
 user = get_bound_ldapuser(request, password)
 secondary_password = Random.get_random_bytes(48)
- request.session['secondary_password'] = cipher.encrypt(secondary_password)
+ request.session['secondary_password'] = (
+ cipher.encrypt(secondary_password))
 # Clean up possible leftover secondary passwords from the LDAP account
 if len(user.password) > 1:
 for hash in list(user.password):
@@ -48,7 +49,8 @@ def set_secondary_password(request, password):
 # don't remove unknown hashes
 pass
 # Add a new generated encrypted password to LDAP
- user.password.append(ldap_md5_crypt.encrypt(b64encode(secondary_password)))
+ user.password.append(
+ ldap_md5_crypt.encrypt(b64encode(secondary_password)))
 user.save()
diff --git a/okupy/tests/unit/test_ldapuser.py b/okupy/tests/unit/test_ldapuser.py
index f793009..a160571 100644
--- a/okupy/tests/unit/test_ldapuser.py
+++ b/okupy/tests/unit/test_ldapuser.py
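Review bot: The new alias in the `bind_as` call of get_bound_ldapuser embeds `request.session.cache_key`, which in Django's cache-backed session store is a key prefix followed by the session key itself, so the session's bearer secret becomes a key name in `settings.DATABASES` (the updated tests read the entry back under that name) and can surface wherever connection aliases are printed or logged. A digest keeps the per-session uniqueness without exposing the identifier, for example `alias='ldap_%s' % hashlib.sha256(request.session.cache_key).hexdigest(),` with `import hashlib` added at the top of the file. `cache_key` is not defined on the database-backed session store, so this presumably relies on a cache session engine being configured; a one-line comment such as `# requires a cache-backed SESSION_ENGINE (cache_key)` would make that dependency explicit. Nothing visible here removes the alias when the session ends, so entries would now accumulate per session rather than per user; the function body continues outside the hunk, so cleanup may exist elsewhere.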
@@ -57,13 +57,15 @@ class LDAPUserUnitTests(TestCase):
 request.session['secondary_password'] = cipher.encrypt(
 secondary_password)
 get_bound_ldapuser(request)
- self.assertEqual(settings.DATABASES['ldap_alice']['PASSWORD'],
+ db_alias = 'ldap_%s' % request.session.cache_key
+ self.assertEqual(settings.DATABASES[db_alias]['PASSWORD'],
 b64encode(secondary_password))
 def test_get_bound_ldapuser_bind_as_is_properly_set_from_password(self):
 request = set_request('/', user=vars.USER_ALICE)
 get_bound_ldapuser(request, password='ldaptest')
- self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES['ldap_alice'][
+ db_alias = 'ldap_%s' % request.session.cache_key
+ self.assertTrue(ldap_md5_crypt.verify(settings.DATABASES[db_alias][
 'PASSWORD'], ldap_users('alice')[1]['userPassword'][0]))
 def test_get_bound_ldapuser_password_set(self): |
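Review bot: Both updated assertions rebuild the alias with the same `'ldap_%s' % request.session.cache_key` expression the implementation uses, so they only confirm that an entry exists under that name and cannot catch a regression in the property the commit is about, which is isolation between sessions of the same user. A further test in LDAPUserUnitTests should call `get_bound_ldapuser` for alice on two requests that carry different sessions and assert that the two resulting aliases differ and that `'ldap_alice'` is no longer a key in `settings.DATABASES`, for example `self.assertNotIn('ldap_alice', settings.DATABASES)`. Whether `set_request` hands out a fresh session on every call is not visible in this hunk, so the helper may need a way to force distinct sessions; the class body continues outside the hunk.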