[ldap] Prohibit requests with empty password (ydb-platform#10401)

uzhastik · Oct 24, 2024 · c143dd8 · c143dd8
1 parent 8d559a6
commit c143dd8
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp b/ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp
@@ -257,6 +257,12 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
                             + NKikimrLdap::LdapError(*request.Ld),
                     .Retryable = false}}};
         }
+        if (request.Password.Empty()) {
+            NKikimrLdap::MemFree(dn);
+            return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
+                    {.Message = "LDAP login failed. Empty password",
+                    .Retryable = false}}};
+        }
         TEvLdapAuthProvider::TError error;
         int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password);
         if (!NKikimrLdap::IsSuccess(result)) {

diff --git a/ydb/services/ydb/ydb_ldap_login_ut.cpp b/ydb/services/ydb/ydb_ldap_login_ut.cpp
@@ -380,6 +380,48 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
         ldapServer.Stop();
     }
 
+    Y_UNIT_TEST(LdapAuthWithEmptyPassword) {
+        TString login = "ldapUser";
+        TString password = "";
+
+        LdapMock::TLdapMockResponses responses;
+        responses.BindResponses.push_back({{{.Login = "cn=robouser,dc=search,dc=yandex,dc=net", .Password = "robouserPassword"}}, {.Status = LdapMock::EStatus::SUCCESS}});
+
+        LdapMock::TSearchRequestInfo fetchUserSearchRequestInfo {
+            {
+                .BaseDn = "dc=search,dc=yandex,dc=net",
+                .Scope = 2,
+                .DerefAliases = 0,
+                .Filter = {.Type = LdapMock::EFilterType::LDAP_FILTER_EQUALITY, .Attribute = "uid", .Value = login},
+                .Attributes = {"1.1"}
+            }
+        };
+
+        std::vector<LdapMock::TSearchEntry> fetchUserSearchResponseEntries {
+            {
+                .Dn = "uid=" + login + ",dc=search,dc=yandex,dc=net"
+            }
+        };
+
+        LdapMock::TSearchResponseInfo fetchUserSearchResponseInfo {
+            .ResponseEntries = fetchUserSearchResponseEntries,
+            .ResponseDone = {.Status = LdapMock::EStatus::SUCCESS}
+        };
+        responses.SearchResponses.push_back({fetchUserSearchRequestInfo, fetchUserSearchResponseInfo});
+
+        TLoginClientConnection loginConnection(InitLdapSettings);
+        LdapMock::TLdapSimpleServer ldapServer(loginConnection.GetLdapPort(), responses);
+
+        auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
+        auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
+        TStringBuilder expectedErrorMessage;
+        expectedErrorMessage << "LDAP login failed. Empty password";
+        UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, expectedErrorMessage);
+
+        loginConnection.Stop();
+        ldapServer.Stop();
+    }
+
     Y_UNIT_TEST(LdapAuthSetIncorrectDomain) {
         TString login = "ldapuser";
         TString password = "ldapUserPassword";