Add support for cadir, client-key and client-cert options

metbosch · metbosch · commit 4a296cfd0375 · 2024-10-08T09:13:44.000+02:00
This changes add support for OPT_X_TLS_CACERTDIR, OPT_X_TLS_CERTFILE and OPT_X_TLS_KEYFILE options from python-ldap
diff --git a/src/node/ext/ldap/base.py b/src/node/ext/ldap/base.py
@@ -103,6 +103,9 @@ def __init__(self, props=None):
         self._start_tls = props.start_tls
         self._ignore_cert = props.ignore_cert
         self._tls_cacert_file = props.tls_cacertfile
+        self._tls_cacert_dir = props.tls_cacertdir
+        self._tls_clcert_file = props.tls_clcertfile
+        self._tls_clkey_file = props.tls_clkeyfile
         self._retry_max = props.retry_max
         self._retry_delay = props.retry_delay
         # backward compatibility:
@@ -118,6 +121,13 @@ def bind(self):
             ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
         elif self._tls_cacert_file:  # pragma: no cover
             ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self._tls_cacert_file)
+        elif self._tls_cacert_dir:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self._tls_cacert_dir)
+        if self._tls_clcert_file and self._tls_clkey_file:  # pragma: no cover
+            ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self._tls_clcert_file)
+            ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self._tls_clkey_file)
+        elif self._tls_clcert_file or self._tls_clkey_file:  # pragma: no cover
+            logger.exception("Only client certificate or key have been provided.")
         self._con = ldap.ldapobject.ReconnectLDAPObject(
             self._uri,
             bytes_mode=False,
diff --git a/src/node/ext/ldap/interfaces.py b/src/node/ext/ldap/interfaces.py
@@ -39,14 +39,11 @@ class ILDAPProps(Interface):
 
     tls_cacertfile = Attribute('Name of CA Cert file')
 
-    # XXX
-    # tls_cacertdir = Attribute('Path to CA Cert directory')
+    tls_cacertdir = Attribute('Path to CA Cert directory')
 
-    # XXX
-    # tls_clcertfile = Attribute('Name of CL Cert file')
+    tls_clcertfile = Attribute('Name of client Cert file')
 
-    # XXX
-    # tls_clkeyfile = Attribute('Path to CL key file')
+    tls_clkeyfile = Attribute('Path to client key file')
 
     retry_max = Attribute('Retry count')
 
diff --git a/src/node/ext/ldap/properties.py b/src/node/ext/ldap/properties.py
@@ -48,9 +48,9 @@ def __init__(
         start_tls=0,
         ignore_cert=0,
         tls_cacertfile=None,
-        # tls_cacertdir=None,
-        # tls_clcertfile=None,
-        # tls_clkeyfile=None,
+        tls_cacertdir=None,
+        tls_clcertfile=None,
+        tls_clkeyfile=None,
         retry_max=1,
         retry_delay=10.0,
         multivalued_attributes=MULTIVALUED_DEFAULTS,
@@ -89,9 +89,11 @@ def __init__(
             needed if the CA is not in the default CA keyring (i.e. with
             self-signed certificates). Under Windows its possible that
             python-ldap lib does recognize the system keyring.
-        :param tls_cacertdir: Not yet
-        :param tls_clcertfile: Not yet
-        :param tls_clkeyfile: Not yet
+        :param tls_cacertdir: Provide a directory with CA Certificates.
+        :param tls_clcertfile: Provide a specific client certificate file to be
+            used for client authentication. Requires tls_clkeyfile to be set.
+        :param tls_clkeyfile: Provide a specific client key file to be used for
+            client authentication. Requires tls_clcertfile to be set.
         :param retry_max: Maximum count of reconnect trials. Value has to be >= 1
         :param retry_delay: Time span to wait between two reconnect trials.
         :param multivalued_attributes: Set of attributes names considered as
@@ -120,9 +122,9 @@ def __init__(
         self.start_tls = start_tls
         self.ignore_cert = ignore_cert
         self.tls_cacertfile = tls_cacertfile
-        # self.tls_cacertdir = tls_cacertdir
-        # self.tls_clcertfile = tls_clcertfile
-        # self.tls_clkeyfile = tls_clkeyfile
+        self.tls_cacertdir = tls_cacertdir
+        self.tls_clcertfile = tls_clcertfile
+        self.tls_clkeyfile = tls_clkeyfile
         self.retry_max = retry_max
         self.retry_delay = retry_delay
         self.multivalued_attributes = multivalued_attributes
diff --git a/src/node/ext/ldap/tests/test_properties.py b/src/node/ext/ldap/tests/test_properties.py
@@ -47,6 +47,9 @@ def test_LDAPProps(self):
         self.assertEqual(props.start_tls, 0)
         self.assertEqual(props.ignore_cert, 0)
         self.assertEqual(props.tls_cacertfile, None)
+        self.assertEqual(props.tls_cacertdir, None)
+        self.assertEqual(props.tls_clcertfile, None)
+        self.assertEqual(props.tls_clkeyfile, None)
         self.assertEqual(props.retry_max, 1)
         self.assertEqual(props.retry_delay, 10.)
         self.assertEqual(props.multivalued_attributes, MULTIVALUED_DEFAULTS)
