fix(frontend): login with spaces now fails (#1106)

issue #1100

fix(frontend): login with spaces now fails (#1106)
issue #1100
ec40facc · Francesc Guasch · GitHub · 516a6673 · ec40facc · ec40facc
Unverified Commit ec40facc authored Aug 13, 2019 by Francesc Guasch Committed by GitHub Aug 13, 2019
--- a/lib/Ravada/Auth/LDAP.pm
+++ b/lib/Ravada/Auth/LDAP.pm
@@ -51,7 +51,7 @@ Internal OO build

 sub BUILD {
    my $self = shift;
-    die "ERROR: Login failed ".$self->name
+    die "ERROR: Login failed '".$self->name."'"
        if !$self->login;
    return $self;
 }
@@ -175,6 +175,7 @@ sub search_user {
         _init_ldap_admin();
         return search_user(
                name => $username
+               ,base => $base
              ,field => $field
              ,retry => ++$retry
              ,typesonly => $typesonly
@@ -186,8 +187,10 @@ sub search_user {

    return if !$mesg->count();

-    my @entries = $mesg->entries;
-#    warn join ( "\n",map { $_->dn } @entries);
+    my @entries;
+    for my $entry ($mesg->entries) {
+        push @entries,($entry) if $entry->get_value($field) eq $username;
+    }

    return @entries;
 }
@@ -321,15 +324,29 @@ sub add_to_group {
 sub login($self) {
    my $user_ok;
    my $allowed;
-
-    if ($$CONFIG->{ldap}->{ravada_posix_group}) {
-        $allowed = search_user (name => $self->name, field => 'memberUid', base => $$CONFIG->{ldap}->{ravada_posix_group}) || 0;
-        $self->{_ldap_entry} = $allowed;
-    } else {
-        $allowed = 1;
+    my $posix_group_name = $$CONFIG->{ldap}->{ravada_posix_group};
+
+    if ($posix_group_name) {
+        my ($posix_group) = search_user (
+              name => $posix_group_name
+            ,field => 'cn'
+            , base => 'ou=groups,'._dc_base()
+        );
+        if (!$posix_group) {
+            warn "Warning: posix group $posix_group_name not found";
+            return;
+        }
+        my @member = $posix_group->get_value('memberUid');
+        my $user_name = $self->name;
+        my ($found) = grep /^$user_name$/,@member;
+        if (!$found) {
+            warn "Error: $user_name is not a member of posix group $posix_group_name\n";
+            warn Dumper(\@member) if $Ravada::DEBUG;
+            return;
+        }
+        $self->{_ldap_entry} = $posix_group;
    }

-    if ($allowed) {
        $user_ok = $self->_login_bind()
            if !exists $$CONFIG->{ldap}->{auth}
                || !$$CONFIG->{ldap}->{auth}
@@ -339,9 +356,6 @@ sub login($self) {
        $self->_check_user_profile($self->name)   if $user_ok;
        $LDAP_ADMIN->unbind if $LDAP_ADMIN && exists $self->{_auth} && $self->{_auth} eq 'bind';
        return $user_ok;
-    } else {
-        return 0;
-    }
 }

 sub _login_bind {

--- a/t/65_user_ldap.t
+++ b/t/65_user_ldap.t
 use warnings;
 use strict;

+use Carp qw(confess);
 use Data::Dumper;
 use Test::More;
 use YAML qw(LoadFile DumpFile);
@@ -76,11 +77,11 @@ sub test_user{

    ok(!$@, $@) or return;

-    _add_to_posix_group($name);
+    _add_to_posix_group($name, $with_posix_group);

    my $mcnulty;
    eval { $mcnulty = Ravada::Auth::LDAP->new(name => $name,password => $password) };
-    is($@,'', Dumper($Ravada::CONFIG)) or exit;
+    is($@,'', Dumper($Ravada::CONFIG)) or confess;

    ok($mcnulty,($@ or "ldap login failed for $name")) or return;
    ok(ref($mcnulty) =~ /Ravada/i,"User must be Ravada::Auth::LDAP , it is '".ref($mcnulty));
@@ -237,7 +238,7 @@ sub test_user_bind {

    Ravada::Auth::LDAP::init();

-    _add_to_posix_group('jimmy.mcnulty') if $with_posix_group;
+    _add_to_posix_group('jimmy.mcnulty', $with_posix_group);

    my $mcnulty;
    eval { $mcnulty = Ravada::Auth::LDAP->new(name => 'jimmy.mcnulty',password => 'jameson') };
@@ -321,17 +322,31 @@ sub _add_posix_group {
    $mesg = $ldap->search( filter => "cn=$RAVADA_POSIX_GROUP",base => $base );
    my @group = $mesg->entries;
    ok($group[0],"Expecting group $RAVADA_POSIX_GROUP") or return;
+    push @USERS,($group[0]);
    return $group[0];
 }

-sub _add_to_posix_group {
-    my $user_name = shift;
+sub _add_to_posix_group($user_name, $with_posix_group) {
    my $group = _add_posix_group();

    my $ldap = Ravada::Auth::LDAP::_init_ldap_admin();
-    $group->add(memberUid => $user_name);
-    my $mesg = $group->update($ldap);
-    die $mesg->code." ".$mesg->error if $mesg->code && $mesg->code != 20;
+    if ($with_posix_group) {
+        $group->add(memberUid => $user_name);
+        my $mesg = $group->update($ldap);
+                                                            # 20: no such object
+        die $mesg->code." ".$mesg->error if $mesg->code && $mesg->code != 20;
+    } else {
+        $group->delete(memberUid => $user_name );
+        my $mesg = $group->update($ldap);
+                                                            # 16: no such attrib
+        die $mesg->code." ".$mesg->error if $mesg->code && $mesg->code != 16;
+    }
+    my @member = $group->get_value('memberUid');
+
+    my ($found) = grep /^$user_name$/,@member;
+
+    ok( $found, "Expecting $user_name in $RAVADA_POSIX_GROUP") if $with_posix_group;
+    ok( !$found ) if !$with_posix_group;
 }

 sub test_filter {
@@ -398,7 +413,7 @@ sub test_posix_group {
    } else {
        ok($user_login);
    }
-    _add_to_posix_group($user_name);
+    _add_to_posix_group($user_name, $with_posix_group);

    eval { $user_login= Ravada::Auth::LDAP->new(name => $user_name,password => $password) };
    is($@,'');
@@ -446,11 +461,10 @@ SKIP: {
        ok($ldap) and do {

            test_user_fail();
-            test_user( );
-
+            test_user( 'pepe.mcnulty', $with_posix_group );

            test_add_group();
-            test_manage_group($with_admin);
+            test_manage_group($with_admin, $with_posix_group);
            test_posix_group($with_posix_group);

            test_user_bind($fly_config, $with_posix_group);

--- a/t/front/60_ldap.t
+++ b/t/front/60_ldap.t
@@ -65,6 +65,38 @@ sub test_ldap {
    ok(Ravada::Auth::LDAP::_init_ldap_admin(),"Expecting LDAP admin connected");
 }

+sub test_ldap_space {
+    create_ldap_user($USER_DATA->{name}, $USER_DATA->{password});
+    my %user = %$USER_DATA;
+    $user{name} = " ".$user{name};
+    my $login_ok;
+
+    $Ravada::CONFIG->{ldap}->{auth} = 'bind';
+
+    eval { $login_ok = Ravada::Auth::LDAP->new(name => $user{name}, password => $user{password}) };
+    like($@, qr'.');
+    ok(!$login_ok,"Expecting no login with $user{name}");
+
+    eval { $login_ok = Ravada::Auth::login($user{name}, $user{password}) };
+    like($@, qr'.');
+    ok(!$login_ok,"Expecting no login with $user{name}");
+
+    $Ravada::CONFIG->{ldap}->{auth} = 'match';
+
+    eval { $login_ok = Ravada::Auth::LDAP->new(name => $user{name}, password => $user{password}) };
+    like($@, qr'.');
+    ok(!$login_ok,"Expecting no login with $user{name}");
+
+    eval { $login_ok = Ravada::Auth::login($user{name}, $user{password}) };
+    like($@, qr'.');
+    ok(!$login_ok,"Expecting no login with $user{name}");
+}
+
+sub test_ldap_search_space {
+    my @entries = Ravada::Auth::LDAP::search_user( name =>" $USER_DATA->{name}");
+    is(scalar@entries, 0);
+}
+
 #########################################################################

 SKIP: {
@@ -73,6 +105,7 @@ SKIP: {
    $ravada->_install();
    my $ldap;

+    delete $Ravada::CONFIG->{ldap}->{ravada_posix_group};

    eval { $ldap = Ravada::Auth::LDAP::_init_ldap_admin() };

@@ -87,6 +120,9 @@ SKIP: {

    ok($ldap) and do {

+        test_ldap_space();
+        test_ldap_search_space();
+
        test_ldap();

    };