[ldap] Prohibit requests with empty password (#10399)

Author: molotkov-and

ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp

@@ -261,6 +261,11 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
             return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
                     {.Message = ERROR_MESSAGE, .Retryable = false}}};
         }
+        if (request.Password.Empty()) {
+            LDAP_LOG_D("LDAP login failed for user " << TString(dn) << ". Empty password");
+            NKikimrLdap::MemFree(dn);
+            return {{.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED, .Error = {.Message = TString(ERROR_MESSAGE) + ". Empty password", .Retryable = false}}};
+        }
         TEvLdapAuthProvider::TError error;
         LDAP_LOG_D("bind: bindDn: " << dn);
         int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password);

ydb/services/ydb/ydb_ldap_login_ut.cpp

@@ -364,6 +364,46 @@ Y_UNIT_TEST_SUITE(TGRpcLdapAuthentication) {
         ldapServer.Stop();
     }
 
+    Y_UNIT_TEST(LdapAuthWithEmptyPassword) {
+        TString login = "ldapUser";
+        TString password = "";
+
+        LdapMock::TLdapMockResponses responses;
+        responses.BindResponses.push_back({{{.Login = "cn=robouser,dc=search,dc=yandex,dc=net", .Password = "robouserPassword"}}, {.Status = LdapMock::EStatus::SUCCESS}});
+
+        LdapMock::TSearchRequestInfo fetchUserSearchRequestInfo {
+            {
+                .BaseDn = "dc=search,dc=yandex,dc=net",
+                .Scope = 2,
+                .DerefAliases = 0,
+                .Filter = {.Type = LdapMock::EFilterType::LDAP_FILTER_EQUALITY, .Attribute = "uid", .Value = login},
+                .Attributes = {"1.1"}
+            }
+        };
+
+        std::vector<LdapMock::TSearchEntry> fetchUserSearchResponseEntries {
+            {
+                .Dn = "uid=" + login + ",dc=search,dc=yandex,dc=net"
+            }
+        };
+
+        LdapMock::TSearchResponseInfo fetchUserSearchResponseInfo {
+            .ResponseEntries = fetchUserSearchResponseEntries,
+            .ResponseDone = {.Status = LdapMock::EStatus::SUCCESS}
+        };
+        responses.SearchResponses.push_back({fetchUserSearchRequestInfo, fetchUserSearchResponseInfo});
+
+        TLoginClientConnection loginConnection(InitLdapSettings);
+        LdapMock::TLdapSimpleServer ldapServer(loginConnection.GetLdapPort(), responses);
+
+        auto factory = CreateLoginCredentialsProviderFactory({.User = login + "@ldap", .Password = password});
+        auto loginProvider = factory->CreateProvider(loginConnection.GetCoreFacility());
+        UNIT_ASSERT_EXCEPTION_CONTAINS(loginProvider->GetAuthInfo(), yexception, "User is unauthorized in LDAP server. Empty password");
+
+        loginConnection.Stop();
+        ldapServer.Stop();
+    }
+
     Y_UNIT_TEST(LdapAuthSetIncorrectDomain) {
         TString login = "ldapuser";
         TString password = "ldapUserPassword";