authorMichał Górny <mgorny@gentoo.org>2013-08-23 07:22:38 -0700
committerMichał Górny <mgorny@gentoo.org>2013-08-23 07:22:38 -0700
commit64069f393469f63ca3f137f856fc8fa1db3b8a48 (patch)
tree6a26d2404037505f60363d55397f048f47a1950f
parentMerge pull request #74 from mgorny/cipher-cleanup (diff)
parentSSLCertAuthBackend: make request mandatory. (diff)
Merge pull request #77 from mgorny/more-tests
Tests for SSL auth
-rwxr-xr-xbin/runtests7
-rw-r--r--okupy/common/auth.py5
-rw-r--r--okupy/tests/unit/test_auth.py67
-rw-r--r--okupy/tests/vars.py54
4 files changed, 125 insertions, 8 deletions
diff --git a/bin/runtests b/bin/runtests
index f7f2197..5060cf3 100755
--- a/bin/runtests
+++ b/bin/runtests
@@ -3,7 +3,6 @@
while getopts sa:dc arg; do
case ${arg} in
s) SETTINGS="--settings=okupy.tests.settings" ;;
- a) APPS=${OPTARG} ;;
d) TDAEMON="tdaemon -t django" ;;
c) COVERAGE="coverage" ;;
2) SUFFIX="2" ;;
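Review bot: The optstring on the `while getopts sa:dc arg; do` line still declares `a:` although this hunk removes the `a)` branch, so `-a something` is still accepted and its argument is silently dropped instead of being reported as an unknown option. The `2)` branch has the opposite problem: `2` is not in the optstring, so that branch cannot match. I would change the line to `while getopts sdc2 arg; do`, or drop the `2)` branch if the suffix option is not meant to be reachable. The `case` statement continues outside the hunk, so a catch-all branch may already exist there.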
@@ -12,12 +11,12 @@ done
if [[ -n ${TDAEMON} ]]; then
[[ -n ${COVERAGE} ]] && COVERAGE="-c"
- ${TDAEMON} ${COVERAGE} --custom-args="${SETTINGS} ${APPS}"
+ ${TDAEMON} ${COVERAGE} --custom-args="${SETTINGS} ${*:${OPTIND}}"
elif [[ -n ${COVERAGE} ]]; then
- ${COVERAGE} run manage.py test --traceback ${SETTINGS} ${APPS}
+ ${COVERAGE} run manage.py test --traceback ${SETTINGS} "${@:${OPTIND}}"
${COVERAGE} report -m
else
- COMMAND="python${SUFFIX} manage.py test --traceback ${SETTINGS} ${APPS}"
+ COMMAND="python${SUFFIX} manage.py test --traceback ${SETTINGS} ${*:${OPTIND}}"
echo "Executing: $COMMAND"
$COMMAND
fi
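Review bot: Only the coverage branch passes the remaining arguments as `"${@:${OPTIND}}"`; the tdaemon and plain branches flatten them with `${*:${OPTIND}}` into a string, and `$COMMAND` is then expanded unquoted, so a test label containing whitespace or glob characters is re-split and expanded by the shell. For the plain branch an array keeps each argument intact: `cmd=(python${SUFFIX} manage.py test --traceback ${SETTINGS} "${@:${OPTIND}}")`, `echo "Executing: ${cmd[*]}"`, `"${cmd[@]}"`. The tdaemon branch has to hand over a single string in `--custom-args`, so a comment there stating that arguments with spaces are not supported would be enough.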
diff --git a/okupy/common/auth.py b/okupy/common/auth.py
index 0747d12..d7a7f95 100644
--- a/okupy/common/auth.py
+++ b/okupy/common/auth.py
@@ -15,10 +15,7 @@ class SSLCertAuthBackend(ModelBackend):
It requires one of owner e-mails to match in LDAP.
"""
- def authenticate(self, request=None):
- if request is None:
- return None
-
+ def authenticate(self, request):
# it can be: SUCCESS, NONE and likely some string for failure ;)
cert_verify = request.META.get('SSL_CLIENT_VERIFY', None)
if cert_verify != 'SUCCESS':
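Review bot: `authenticate` decides on `request.META['SSL_CLIENT_VERIFY']` alone, and neither the method nor the visible part of the class docstring says who is allowed to set that key; now that `request` is the only input, the method should carry a docstring that states the trust assumption. I would add `"""Authenticate from the client certificate. SSL_CLIENT_VERIFY and SSL_CLIENT_RAW_CERT must be set by the TLS-terminating web server and must never be derivable from client-supplied data."""`. The comment above the lookup could also be made exact; if the front end is Apache mod_ssl, the documented values are `NONE`, `SUCCESS`, `GENEROUS` or `FAILED:reason`, e.g. `# mod_ssl: NONE, SUCCESS, GENEROUS or FAILED:reason; only SUCCESS is accepted`. With the default removed, a call that passes no `request` raises `TypeError` in this backend, which presumably relies on Django skipping backends that reject the credentials; the rest of the method body is outside the hunk.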
diff --git a/okupy/tests/unit/test_auth.py b/okupy/tests/unit/test_auth.py
new file mode 100644
index 0000000..5793d53
--- /dev/null
+++ b/okupy/tests/unit/test_auth.py
@@ -0,0 +1,67 @@
+# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
+
+from mockldap import MockLdap
+
+from django.conf import settings
+from django.contrib.auth import authenticate
+
+from .. import vars
+from ...common.test_helpers import OkupyTestCase, set_request, ldap_users, set_search_seed
+
+
+class AuthUnitTests(OkupyTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.mockldap = MockLdap(vars.DIRECTORY)
+
+ def setUp(self):
+ self.mockldap.start()
+ self.ldapobject = self.mockldap[settings.AUTH_LDAP_SERVER_URI]
+
+ def tearDown(self):
+ self.mockldap.stop()
+
+ def test_valid_certificate_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ def test_second_email_authenticates_alice(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = (
+ vars.TEST_CERTIFICATE_WITH_TWO_EMAIL_ADDRESSES)
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('test@test.com', 'mail'))([])
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertEqual(u.username, vars.LOGIN_ALICE['username'])
+
+ def test_no_certificate_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'NONE'
+
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ def test_failed_verification_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'FAILURE'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
+
+ def test_unmatched_email_returns_none(self):
+ request = set_request(uri='/login')
+ request.META['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+ request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE_WRONG_EMAIL
+
+ self.ldapobject.search_s.seed(settings.AUTH_LDAP_USER_BASE_DN, 2, set_search_seed('wrong@test.com', 'mail'))([])
+ u = authenticate(request=request)
+ self.assertIs(u, None)
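Review bot: `test_failed_verification_returns_none` sets `SSL_CLIENT_VERIFY` to `'FAILURE'`, which is not one of the values Apache mod_ssl documents for that variable (`NONE`, `SUCCESS`, `GENEROUS` or `FAILED:reason`), and no test pins the `GENEROUS` case, where the server let through a certificate it could not verify. If mod_ssl is the front end here, I would change the value to a `FAILED:`-prefixed string and add a test for `GENEROUS` that seeds the LDAP lookup the same way the failure test does, so that any later loosening of the `!= 'SUCCESS'` comparison in the backend is caught. `setUpClass` also does not call the parent implementation; whether `OkupyTestCase` needs that is not visible in this hunk.

```python
    # … unchanged: test_failed_verification_returns_none …

    def test_generous_verification_returns_none(self):
        request = set_request(uri='/login')
        # GENEROUS: certificate was presented but not verified by the server
        request.META['SSL_CLIENT_VERIFY'] = 'GENEROUS'
        request.META['SSL_CLIENT_RAW_CERT'] = vars.TEST_CERTIFICATE

        # Seed a matching LDAP entry so that only the verify check can reject.
        self.ldapobject.search_s.seed(
            settings.AUTH_LDAP_USER_BASE_DN, 2,
            set_search_seed('alice@test.com', 'mail'))([ldap_users('alice')])
        u = authenticate(request=request)
        self.assertIs(u, None)
```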
diff --git a/okupy/tests/vars.py b/okupy/tests/vars.py
index f4edbc1..e559195 100644
--- a/okupy/tests/vars.py
+++ b/okupy/tests/vars.py
@@ -67,3 +67,57 @@ SIGNUP_TESTUSER = {
'password_origin': 'testpassword',
'password_verify': 'testpassword',
}
+
+# SSL certificates
+
+TEST_CERTIFICATE = '''-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----'''
+
+TEST_CERTIFICATE_WRONG_EMAIL = '''-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----'''
+
+TEST_CERTIFICATE_WITH_TWO_EMAIL_ADDRESSES = '''-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----'''