authorAlexander Sulfrian <alexander@sulfrian.net>2016-01-24 04:19:23 +0100
committerAlexander Sulfrian <alexander@sulfrian.net>2016-02-02 04:22:16 +0100
commit587b79a8470a0c069f1b1d81e01685baa5e6a39b (patch)
tree1ad93770716feb361443d33747337d2d16df36bc
parent5e7e7fc832d26178a6036ed483fe3cfffe2b22b2 (diff)
Use consistent exceptions for all user backends
Now all backends raise custom exception types and do not forward the internal exception types, so there is no need to import the ldap module in other modules.
-rw-r--r--accounts/__init__.py4
-rw-r--r--accounts/backend/user/__init__.py9
-rw-r--r--accounts/backend/user/dummy.py6
-rw-r--r--accounts/backend/user/ldap.py11
-rw-r--r--accounts/utils/__init__.py6
5 files changed, 25 insertions, 11 deletions
diff --git a/accounts/__init__.py b/accounts/__init__.py
index d8abf32..e641e80 100644
--- a/accounts/__init__.py
+++ b/accounts/__init__.py
@@ -1,7 +1,6 @@
# -*- coding: utf-8 -*-
import account
-import ldap
import os
from flask import Flask, g, session
from utils import *
@@ -43,6 +42,7 @@ def initialize_user():
password = ensure_utf8(session['password'])
try:
g.user = current_app.user_backend.auth(username, password)
- except ldap.INVALID_CREDENTIALS:
+ except (current_app.user_backend.NoSuchUserError,
+ current_app.user_backend.InvalidPasswordError):
# we had crap in the session, delete it
logout_user()
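Review bot: The two-class tuple in this `except` is repeated verbatim in `login_user` (the accounts/utils/__init__.py hunk), so a future caller that lists only one of the classes will let an authentication failure escape as an unhandled error. Exposing one name on the backend, for example `self.AuthError = (NoSuchUserError, InvalidPasswordError)` in `Backend.__init__`, would let both sites write `except current_app.user_backend.AuthError:`. The body of `initialize_user` starts and ends outside the hunk.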
diff --git a/accounts/backend/user/__init__.py b/accounts/backend/user/__init__.py
index 749f284..f66c138 100644
--- a/accounts/backend/user/__init__.py
+++ b/accounts/backend/user/__init__.py
@@ -5,6 +5,10 @@ class NoSuchUserError(ValueError):
pass
+class InvalidPasswordError(ValueError):
+ pass
+
+
class ShouldNotHappen(RuntimeError):
pass
@@ -52,6 +56,11 @@ class Backend(object):
#: Exception type, that is raised if no matching user was found.
self.NoSuchUserError = NoSuchUserError
+ #: Exception type, that is raised if you try to authenticate with
+ #: wrong password. Because this backend is stateless, this exception
+ #: could also be raised, if you want to change user information.
+ self.InvalidPasswordError = InvalidPasswordError
+
def auth(self, username, password):
"""
Tries to authenticate a user with a given password. If the
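Review bot: The `auth` docstring that begins at the end of this hunk should name the exceptions callers now have to handle; its remaining lines are outside the hunk, so this may already be covered. Suggested lines are `:raises NoSuchUserError: if no user with this username exists` and `:raises InvalidPasswordError: if the password does not match`. The new attribute comment says "this backend is stateless" on the shared base class; "Because backends are stateless" would be clearer if that is what is meant.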
diff --git a/accounts/backend/user/dummy.py b/accounts/backend/user/dummy.py
index c4925fb..6bfb516 100644
--- a/accounts/backend/user/dummy.py
+++ b/accounts/backend/user/dummy.py
@@ -49,7 +49,7 @@ class DummyBackend(Backend):
"""
acc = self.get_by_uid(username)
if acc.password != password:
- raise ValueError("Invalid password")
+ raise self.InvalidPasswordError("Invalid password")
return acc
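Review bot: The same compare-and-raise pair now appears three times in DummyBackend (here and in the two later hunks of this file), so the exception type and message have to be kept in step by hand. A small private helper such as `def _check_password(self, stored, given)` containing `if stored.password != given: raise self.InvalidPasswordError("Invalid password")` would keep them in one place. The message casing also differs from ldap.py, which raises "Invalid Password"; choose one spelling in case anything matches on the text.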
@@ -80,7 +80,7 @@ class DummyBackend(Backend):
stored_account = self.get_by_uid(account.uid)
if not as_admin:
if stored_account.password != account.password:
- raise ValueError("Invalid password")
+ raise self.InvalidPasswordError("Invalid password")
self._storage = [acc for acc in self._storage if acc.uid != account.uid]
new_acc = deepcopy(account)
@@ -99,6 +99,6 @@ class DummyBackend(Backend):
stored_account = self.get_by_uid(account.uid)
if not as_admin:
if stored_account.password != account.password:
- raise ValueError("Invalid password")
+ raise self.InvalidPasswordError("Invalid password")
self._storage = [acc for acc in self._storage if acc.uid != account.uid]
diff --git a/accounts/backend/user/ldap.py b/accounts/backend/user/ldap.py
index 5472caf..48cf9eb 100644
--- a/accounts/backend/user/ldap.py
+++ b/accounts/backend/user/ldap.py
@@ -28,7 +28,11 @@ class LdapBackend(Backend):
"""
self._bind_anonymous()
dn = self._format_dn([('uid', username), ('ou','users')])
- dn_user, data_user = self.connection.search_s(dn, ldap.SCOPE_SUBTREE)[0]
+
+ try:
+ dn_user, data_user = self.connection.search_s(dn, ldap.SCOPE_SUBTREE)[0]
+ except ldap.NO_SUCH_OBJECT:
+ raise self.NoSuchUserError('No such user')
self._bind_as_user(username, password)
uid = data_user['uid'][0]
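Review bot: Nothing visible in this hunk rejects an empty `password` before `self._bind_as_user(username, password)`, and many directory servers treat a simple bind with a DN and an empty password as an unauthenticated bind that succeeds, so `auth` could return an account without `InvalidPasswordError` ever being raised. Unless a caller outside this diff already enforces it, add `if not password: raise self.InvalidPasswordError('Invalid Password')` ahead of the bind. It is also worth confirming that `_format_dn` (not shown) escapes DN special characters in `username`, for example with `ldap.dn.escape_dn_chars`. The body of `auth` continues outside the hunk.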
@@ -146,7 +150,10 @@ class LdapBackend(Backend):
self.connection = ldap.initialize(self.ldap_host)
self.connection.version = ldap.VERSION3
- self.connection.simple_bind_s(dn, password)
+ try:
+ self.connection.simple_bind_s(dn, password)
+ except ldap.INVALID_CREDENTIALS:
+ raise self.InvalidPasswordError("Invalid Password")
def _bind_as_admin(self):
if self.binded:
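Review bot: Mapping every `ldap.INVALID_CREDENTIALS` from `simple_bind_s` to `InvalidPasswordError` looks too broad if this bind helper is shared with `_bind_as_admin`; its name and signature are outside the hunk, so this is an assumption to check. In that case a wrong service-account password would surface as a user's wrong password, and `initialize_user` would quietly log users out instead of reporting a configuration fault. Consider doing the translation in `_bind_as_user` only, or raising a distinct error for the admin bind. Other `ldap` exceptions such as `ldap.SERVER_DOWN` still propagate unchanged, so callers are not yet fully insulated from the ldap module's exception types.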
diff --git a/accounts/utils/__init__.py b/accounts/utils/__init__.py
index 1538fd6..2b0f566 100644
--- a/accounts/utils/__init__.py
+++ b/accounts/utils/__init__.py
@@ -1,7 +1,6 @@
# -*- coding: utf-8 -*-
import hmac
import importlib
-import ldap
import pickle
import re
import struct
@@ -70,9 +69,8 @@ def login_user(username, password):
try:
g.user = current_app.user_backend.auth(username, password)
- except ldap.INVALID_CREDENTIALS:
- return False
- except ldap.NO_SUCH_OBJECT:
+ except (current_app.user_backend.NoSuchUserError,
+ current_app.user_backend.InvalidPasswordError):
return False
session['username'] = username
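Review bot: Both failure branches return `False` without leaving any trace, so repeated failed logins against one account or from one client cannot be seen afterwards. A line such as `current_app.logger.warning('login failed for %r', username)` before `return False` would give operators something to alert on; the password must stay out of the log. Returning the same result for an unknown user and a wrong password is worth keeping, since it does not tell the caller which usernames exist. `login_user` starts and ends outside the hunk.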