Extract new password in passwd_s (#246)

mistotebe · mistotebe · commit 4f6002d02818 · 2019-08-20T10:42:50.000+01:00
diff --git a/Lib/ldap/extop/__init__.py b/Lib/ldap/extop/__init__.py
@@ -65,3 +65,4 @@ def decodeResponseValue(self,value):
 
 # Import sub-modules
 from ldap.extop.dds import *
+from ldap.extop.passwd import *
diff --git a/Lib/ldap/extop/passwd.py b/Lib/ldap/extop/passwd.py
@@ -0,0 +1,32 @@
+# -*- coding: utf-8 -*-
+"""
+ldap.extop.passwd - Classes for Password Modify extended operation
+(see RFC 3062)
+
+See https://www.python-ldap.org/ for details.
+"""
+
+from ldap.extop import ExtendedRequest,ExtendedResponse
+
+# Imports from pyasn1
+from pyasn1.type import namedtype,univ,tag
+from pyasn1.codec.der import decoder
+
+
+class PasswordModifyResponse(ExtendedResponse):
+  responseName = None
+
+  class PasswordModifyResponseValue(univ.Sequence):
+    componentType = namedtype.NamedTypes(
+      namedtype.OptionalNamedType(
+        'genPasswd',
+        univ.OctetString().subtype(
+          implicitTag=tag.Tag(tag.tagClassContext,tag.tagFormatSimple,0)
+        )
+      )
+    )
+
+  def decodeResponseValue(self,value):
+    respValue,_ = decoder.decode(value,asn1Spec=self.PasswordModifyResponseValue())
+    self.genPasswd = bytes(respValue.getComponentByName('genPasswd'))
+    return self.genPasswd
diff --git a/Lib/ldap/ldapobject.py b/Lib/ldap/ldapobject.py
@@ -27,7 +27,7 @@
 
 from ldap.schema import SCHEMA_ATTRS
 from ldap.controls import LDAPControl,DecodeControlTuples,RequestControlTuples
-from ldap.extop import ExtendedRequest,ExtendedResponse
+from ldap.extop import ExtendedRequest,ExtendedResponse,PasswordModifyResponse
 from ldap.compat import reraise
 
 from ldap import LDAPError
@@ -658,7 +658,12 @@ def passwd(self,user,oldpw,newpw,serverctrls=None,clientctrls=None):
 
   def passwd_s(self,user,oldpw,newpw,serverctrls=None,clientctrls=None):
     msgid = self.passwd(user,oldpw,newpw,serverctrls,clientctrls)
-    return self.extop_result(msgid,all=1,timeout=self.timeout)
+    respoid, respvalue = self.extop_result(msgid, all=1, timeout=self.timeout)
+    if respoid != PasswordModifyResponse.responseName:
+      raise ldap.PROTOCOL_ERROR("Unexpected OID %s in extended response!" % respoid)
+    if respvalue:
+        respvalue = PasswordModifyResponse(PasswordModifyResponse.responseName, respvalue)
+    return (respoid, respvalue)
 
   def rename(self,dn,newrdn,newsuperior=None,delold=1,serverctrls=None,clientctrls=None):
     """
diff --git a/Tests/t_ldapobject.py b/Tests/t_ldapobject.py
@@ -673,6 +673,43 @@ def test_compare_s_invalidattr(self):
         with self.assertRaises(ldap.UNDEFINED_TYPE):
             result = l.compare_s('cn=Foo1,%s' % base, 'invalidattr', b'invalid')
 
+    def test_passwd_s(self):
+        l = self._ldap_conn
+
+        # first, create a user to change password on
+        dn = "cn=PasswordTest," + self.server.suffix
+        result, pmsg, msgid, ctrls = l.add_ext_s(
+            dn,
+            [
+                ('objectClass', b'person'),
+                ('sn', b'PasswordTest'),
+                ('cn', b'PasswordTest'),
+                ('userPassword', b'initial'),
+            ]
+        )
+        self.assertEqual(result, ldap.RES_ADD)
+        self.assertEqual(type(msgid), type(0))
+        self.assertEqual(pmsg, [])
+        self.assertEqual(ctrls, [])
+
+        # try changing password with a wrong old-pw
+        with self.assertRaises(ldap.UNWILLING_TO_PERFORM):
+            l.passwd_s(dn, b'bogus', b'ignored')
+
+        # have the server generate a new random pw
+        respoid, respvalue = l.passwd_s(dn, b'initial', None)
+        self.assertEqual(respoid, None)
+
+        password = respvalue.genPasswd
+        self.assertEqual(type(password), bytes)
+
+        # try changing password back
+        respoid, respvalue = l.passwd_s(dn, password, b'initial')
+        self.assertEqual(respoid, None)
+        self.assertEqual(respvalue, None)
+
+        l.delete_s(dn)
+
 
 class Test01_ReconnectLDAPObject(Test00_SimpleLDAPObject):
     """

Original file line number	Diff line number	Diff line change
`@@ -65,3 +65,4 @@ def decodeResponseValue(self,value):`
`65`	`65`
`66`	`66`	`# Import sub-modules`
`67`	`67`	`from ldap.extop.dds import *`
	`68`	`+from ldap.extop.passwd import *`