From 953fd4a2ac43ffcdf7edb4a35e0ca6a1c573092d Mon Sep 17 00:00:00 2001 From: Jose Castro Leon Date: Thu, 6 Jun 2013 10:57:09 -0500 Subject: [PATCH] Force simple Bind for authentication The authentication code was using a common code path with other LDAP code that got an LDAP connection. If the system was configured to do Anonymous binding, users could by pass the authentication check. This patch forces the authentication code to do a simple_bind. Change-Id: Id0c19f09d615446927db1ba074561b129329b5c8 --- keystone/identity/backends/ldap/core.py | 14 ++------------ tests/test_backend_ldap.py | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/keystone/identity/backends/ldap/core.py b/keystone/identity/backends/ldap/core.py index 03d3ab6..e5bfcf6 100644 --- a/keystone/identity/backends/ldap/core.py +++ b/keystone/identity/backends/ldap/core.py @@ -58,18 +58,6 @@ class Identity(identity.Driver): self.tenant = TenantApi(CONF) self.role = RoleApi(CONF) - def get_connection(self, user=None, password=None): - if self.LDAP_URL.startswith('fake://'): - conn = fakeldap.FakeLdap(self.LDAP_URL) - else: - conn = common_ldap.LdapWrapper(self.LDAP_URL) - if user is None: - user = self.LDAP_USER - if password is None: - password = self.LDAP_PASSWORD - conn.simple_bind_s(user, password) - return conn - # Identity interface def authenticate(self, user_id=None, tenant_id=None, password=None): """Authenticate based on a user, tenant and password. @@ -85,6 +73,8 @@ class Identity(identity.Driver): except exception.UserNotFound: raise AssertionError('Invalid user / password') + if not user_id or not password: + raise AssertionError('Invalid user / password') try: conn = self.user.get_connection(self.user._id_to_dn(user_id), password) diff --git a/tests/test_backend_ldap.py b/tests/test_backend_ldap.py index 5f0137c..88e48c5 100644 --- a/tests/test_backend_ldap.py +++ b/tests/test_backend_ldap.py 
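Review bot: The new `if not user_id or not password:` guard in authenticate sits after the user lookup whose `except exception.UserNotFound` handler closes just above it, so a request carrying an empty password still triggers a directory search before it is rejected; moving the two added lines to the top of authenticate, ahead of that lookup, rejects it without touching LDAP. The guard does close the hole the commit message describes — the deleted Identity.get_connection substituted `LDAP_USER`/`LDAP_PASSWORD` whenever the caller passed None, and `self.user.get_connection` presumably defaults the same way, which with an unset service password amounts to an anonymous bind — and `not password` also covers the empty string, which LDAP servers treat as an unauthenticated bind rather than a failed one. A why-comment on the guard would keep the next maintainer from "simplifying" it away, e.g. `# Reject missing credentials here: the connection helper falls back to the service (possibly anonymous) bind when given None.` authenticate starts and ends outside this hunk.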
@@ -65,3 +65,19 @@ class LDAPIdentity(test.TestCase, test_backend.IdentityTests): user_api = identity_ldap.UserApi(CONF) self.assertTrue(user_api) self.assertEquals(user_api.tree_dn, "ou=Users,%s" % CONF.ldap.suffix) + + def test_authenticate_requires_simple_bind(self): + user = { + 'id': uuid.uuid4().hex, + 'name': uuid.uuid4().hex, + 'password': uuid.uuid4().hex, + 'enabled': True, + } + self.identity_api.create_user(user['id'], user) + self.identity_api.user.LDAP_USER = None + self.identity_api.user.LDAP_PASSWORD = None + + self.assertRaises(AssertionError, + self.identity_api.authenticate, + user_id=user['id'], + password=None) -- 1.8.2.3
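Review bot: test_authenticate_requires_simple_bind only exercises `password=None`, so the empty-string password and the missing user_id branches of the new `not user_id or not password` check stay uncovered; adding `self.assertRaises(AssertionError, self.identity_api.authenticate, user_id=user['id'], password='')` beside the existing assertion pins the case an LDAP server would otherwise accept as an unauthenticated bind. The test also sets `self.identity_api.user.LDAP_USER` and `LDAP_PASSWORD` to None and never restores them; if the identity fixture is shared rather than rebuilt in setUp, later tests in the class would run under the anonymous-bind configuration, so this is worth confirming or guarding with addCleanup. A one-line docstring such as `"""Missing credentials must be rejected before any bind, even when the backend has no service bind user."""` would record the regression the test protects against.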