1638 reject empty password ldap auth (#14136)

* Do not allow empty password in LDAP logins
6 years ago · 088f9fc72a
parent a2360360bd
commit 088f9fc72a
4 changed files with 16 additions and 1 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -573,6 +573,10 @@ ion for time-series (#12670)
 * Fix broken import when `ogc_fid` or `gid` have nulls (https://github.com/CartoDB/support/issues/1338)
 * Allow inviting viewers for org even if regular seats are full (https://github.com/CartoDB/support/issues/1373)
 * Add rake to remove duplicate legends in layer
+* Fix private visualization imports when user has no private tables permission (https://github.com/CartoDB/cartodb/issues/14052)
+* Export and import `user`'s `client_application` and `oauth_tokens` (https://github.com/CartoDB/cartodb/pull/14060)
+* Do not allow empty password in LDAP logins
+* Disable syncs for locked users (https://github.com/CartoDB/cartodb/issues/13832)
 * Fix bugs in legends (https://github.com/CartoDB/support/issues/1339, )

 ### Internals
--- a/app/models/carto/ldap/configuration.rb
+++ b/app/models/carto/ldap/configuration.rb
@ -66,6 +66,7 @@ class Carto::Ldap::Configuration < ActiveRecord::Base
  # @param String username. No full CN, just the username, e.g. 'administrator1'
  # @param String password
  def authenticate(username, password)
+    return false if username.blank? || password.blank?
    ldap_connection = Net::LDAP.new(connect_timeout: CONNECTION_TIMEOUT)
    ldap_connection.host = self.host
    ldap_connection.port = self.port
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@ -109,7 +109,7 @@ Warden::Strategies.add(:ldap) do
  include LoginEventTrigger

  def authenticate!
-    (fail! and return) unless (params[:email] && params[:password])
+    (fail! and return) if (params[:email].blank? || params[:password].blank?)

    user = nil
    begin
--- a/spec/models/carto/ldap/configuration_spec.rb
+++ b/spec/models/carto/ldap/configuration_spec.rb
@ -26,6 +26,16 @@ describe Carto::Ldap::Configuration do
    FakeNetLdap.clear_query_registrations
  end

+  it 'returns right away if empty user' do
+    ldap = Carto::Ldap::Configuration.new
+    ldap.authenticate('', 'something').should eq false
+  end
+
+  it 'returns right away if empty password' do
+    ldap = Carto::Ldap::Configuration.new
+    ldap.authenticate('some@one.es', '').should eq false
+  end
+
  it 'tests basic authentication' do
    auth_username = 'admin'
    auth_cn = "cn=#{auth_username},#{@domain_bases[0]}"