From ce08819494eb86b23e2840beb711c971491d1e33 Mon Sep 17 00:00:00 2001
From: Lukas Garberg
Date: Mon, 4 Nov 2024 09:44:06 +0100
Subject: [PATCH 1/2] cli: Improve quote of usernames and passwords

Instruct the urllib quote function to also quote '/'.
---
 nipap-cli/nipap_cli/nipap_cli.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nipap-cli/nipap_cli/nipap_cli.py b/nipap-cli/nipap_cli/nipap_cli.py
index ab3cf31f9..de26443ae 100755
--- a/nipap-cli/nipap_cli/nipap_cli.py
+++ b/nipap-cli/nipap_cli/nipap_cli.py
@@ -87,8 +87,8 @@ def setup_connection():
 con_params['password'] = getpass.getpass()
 
 # Quote username & password
- con_params['username'] = quote(con_params['username'])
- con_params['password'] = quote(con_params['password'])
+ con_params['username'] = quote(con_params['username'], safe="")
+ con_params['password'] = quote(con_params['password'], safe="")
 
 # build XML-RPC URI
 pynipap.xmlrpc_uri = "%(protocol)s://%(username)s:%(password)s@%(hostname)s:%(port)s" % con_params

From 18d3ccdb13710862ca5a9f2d856f696d31e64582 Mon Sep 17 00:00:00 2001
From: Lukas Garberg
Date: Mon, 4 Nov 2024 09:45:17 +0100
Subject: [PATCH 2/2] auth: Fix LDAP RO group handling

Make sure the LDAP RO group name is encoded before validating whether the user is member of it or not.
---
 nipap/nipap/authlib.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nipap/nipap/authlib.py b/nipap/nipap/authlib.py
index 7cddf5870..92fd12c73 100644
--- a/nipap/nipap/authlib.py
+++ b/nipap/nipap/authlib.py
@@ -553,6 +553,8 @@ def authenticate(self):
 ['cn', 'memberOf'],
 )
 
+ self._logger.debug("User %s is member of groups: %s", self.username, res[0][1].get('memberOf', []))
+
 # Data received from LDAP is bytes, make sure to decode/encode
 # accordingly before using it
 if res[0][1]['cn'][0] is not None:
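Review bot: The `safe=""` argument on the two new `quote(...)` lines deserves a why-comment, because `quote()` (presumably `urllib.parse.quote`; its import is outside the hunk) leaves `/` unescaped by default, and a `/` inside the userinfo of the URI built on the last context line would be read as the start of the path. Suggested replacement for the `# Quote username & password` line: `# Quote username & password for the URI userinfo; safe="" so '/' is escaped too, which quote() skips by default`. Note that `quote()` still leaves `_.-~` and alphanumerics untouched, which is fine for userinfo, and that from this point `con_params` holds the percent-encoded values rather than the originals, so any later code reading `con_params['password']` directly would get the encoded form. `setup_connection` continues outside the hunk.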
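Review bot: The new debug line prints the `memberOf` values as raw bytes (`%s` on a list of bytes renders each entry as `b'...'`), even though the comment directly below it says LDAP data is bytes and must be decoded before use; decoding for the log keeps it readable: `self._logger.debug("User %s is member of groups: %s", self.username, [g.decode('utf-8', 'replace') for g in res[0][1].get('memberOf', [])])`. It also indexes `res[0]` one statement earlier than the existing code does, so an empty search result would now raise IndexError on the new line rather than on `if res[0][1]['cn'][0] is not None:` — the same failure at an earlier spot, unless a length check sits above the hunk. Group DNs are directory data, so keep this at debug level as written rather than promoting it. `authenticate` continues on both sides of the hunk.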
@@ -569,7 +571,7 @@ def authenticate(self):
 # if ro_group is configured, and the user is a member of
 # neither the ro_group nor the rw_group, fail authentication.
 if self._ldap_ro_group:
- if self._ldap_ro_group not in res[0][1].get('memberOf', []):
+ if self._ldap_ro_group.encode('utf-8') not in res[0][1].get('memberOf', []):
 self._authenticated = False
 return self._authenticated
 else:
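Review bot: The encoded comparison on the new line is an exact byte match, so a configured RO group that differs from the DN the directory returns only in case or spacing is treated as non-membership and authentication fails; that fails closed, but the behaviour should be stated: `# memberOf holds raw DN bytes; exact match, so the configured DN must match the directory's spelling`. Before this change a str was compared against a bytes list, which was never a match, so the RO-group path always denied; the `rw_group` membership test the comment refers to lies above the hunk, and if it compares a str against the same list it has the same problem and needs the same `.encode('utf-8')`. Since the configured group names are now encoded at the point of use, encoding them once next to the decode/encode block above the hunk would avoid repeating the conversion. `authenticate` continues outside the hunk on both sides.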