Bac 3830/disabled auth (#303)

* authentication should only work for disabled users when using an auth code * add pyrad to travis packages
SpiderOak · Jun 7, 2018 · c2b8d33 · c2b8d33
1 parent 57198bb
commit c2b8d33
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 6 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -10,6 +10,7 @@ addons:
       - python-ldap 
       - python-cerealizer
       - python-dev 
+      - python-pyrad
       - libldap2-dev 
       - libsasl2-dev 
       - libssl-dev

diff --git a/bin/add_missing_groups.py b/bin/add_missing_groups.py
@@ -6,19 +6,21 @@
 config = config_mgr.ConfigManager(config_mgr.default_config())
 
 api = Api.create(
-    'https://spideroak.com/apis/accounts/v1/',
+    config.config['api_root'],
     config.config['api_user'],
     config.config['api_password'],
 )
 
 
 groups = api.list_groups()
 
+
 def find_group(group_id):
     for g in config.config['groups']:
         if g['group_id'] == group_id:
             return g
-
+
+
 for group in groups:
     if not find_group(group['group_id']):
         config.config['groups'].append({
@@ -32,4 +34,3 @@ def find_group(group_id):
 
 
 config.apply_config()
-
diff --git a/netkes/account_mgr/__init__.py b/netkes/account_mgr/__init__.py
@@ -116,6 +116,10 @@ def authenticator(config, username, password, use_admin_tokens=True):
     if use_admin_tokens and admin_token_auth(config, user, username, password):
         return True
 
+    if not user['enabled']:
+        # Auth should only work for disabled users when using an auth token.
+        return False
+
     if auth_method == 'ldap':
         log.debug("Attempting to use LDAP simple bind for authenticating %s" % (username,))
         from account_mgr.user_source import ldap_source

diff --git a/netkes/account_mgr/test/test_account_mgr.py b/netkes/account_mgr/test/test_account_mgr.py
@@ -1,11 +1,11 @@
 import unittest
-from mock import MagicMock, sentinel
+from mock import MagicMock, sentinel, patch
 from datetime import datetime, timedelta
 
 import account_mgr
 
 
-class TestAdminTokenAuth(unittest.TestCase):
+class TestAdminAuth(unittest.TestCase):
     def setUp(self):
         account_mgr.get_cursor = MagicMock()
         cur = MagicMock()
@@ -14,9 +14,31 @@ def setUp(self):
         account_mgr.get_api = MagicMock()
         self.api = MagicMock()
         account_mgr.get_api.return_value = self.api
-        self.user = {'avatar_id': sentinel.avatar_id}
+        self.user = {
+            'avatar_id': sentinel.avatar_id,
+            'email': sentinel.email,
+        }
+        self.api.get_user.return_value = self.user
         self.time = datetime.now() + timedelta(hours=1)
 
+    @patch('account_mgr.user_source.ldap_source')
+    def test_user_disabled(self, ldap_source):
+        ldap_source.can_auth.return_value = True
+        self.cur.rowcount = 0
+        self.user['enabled'] = False
+        self.assertFalse(
+            account_mgr.authenticator({'auth_method': 'ldap', }, 'test', 'pass')
+        )
+
+    @patch('account_mgr.user_source.ldap_source')
+    def test_user_enabled(self, ldap_source):
+        ldap_source.can_auth.return_value = True
+        self.cur.rowcount = 0
+        self.user['enabled'] = True
+        self.assertTrue(
+            account_mgr.authenticator({'auth_method': 'ldap', }, 'test', 'pass')
+        )
+
     def test_no_restrictions(self):
         self.cur.rowcount = 1
         self.cur.fetchone.return_value = (False, False, self.time, False)

diff --git a/netkes/account_mgr/user_source/__init__.py b/netkes/account_mgr/user_source/__init__.py
@@ -5,3 +5,4 @@
 
 Provides the bits for working with LDAP.
 """
+import group_manager, ldap_source, local_source, radius_source  # NOQA
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,3 +5,4 @@

		Provides the bits for working with LDAP.
		"""
		import group_manager, ldap_source, local_source, radius_source # NOQA