0001-ldap_backend-search-mandatory-roles-in-default-ou-wh.patch
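--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -973,6 +973,7 @@
 except ValueError:
 pass
 if slug:
+default_ou = get_default_ou()
 try:
 return Role.objects.get(slug=slug, **kwargs), None
 except Role.DoesNotExist:
@@ -982,8 +983,22 @@
 error = 'role %r does not exist' % role_id
 except Role.MultipleObjectsReturned:
 error = 'multiple objects returned, identifier is imprecise'
+if 'ou__slug' not in kwargs:
+try:
+return Role.objects.get(name=slug, ou=default_ou, **kwargs), None
+except Role.DoesNotExist:
+error = 'multiple objects returned none of which belongs to default ou, role *name* is ambiguous'
+except Role.MultipleObjectsReturned:
+pass
 except Role.MultipleObjectsReturned:
 error = 'multiple objects returned, identifier is imprecise'
+if 'ou__slug' not in kwargs:
+try:
+return Role.objects.get(slug=slug, ou=default_ou, **kwargs), None
+except Role.DoesNotExist:
+error = 'multiple objects returned none of which belongs to default ou, role *slug* is ambiguous'
+except Role.MultipleObjectsReturned:
+pass
 else:
 error = (
 'invalid role identifier must be slug, (slug, ou__slug) or (slug, ou__slug, service__slug)'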
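Review bot: The two new `if 'ou__slug' not in kwargs:` fallbacks return the default-ou role with `None` as the error, so an ambiguous `set_mandatory_roles` entry that used to fail closed now resolves silently. Presumably the caller only logs when an error is returned, which would leave no trace that a bare slug or name matched several roles. Since these roles appear to be granted to users at login, both fallback returns deserve a warning-level log entry naming `role_id` and the ou that was chosen, so operators can switch to the explicit `(slug, ou__slug)` form. Separately, `default_ou = get_default_ou()` at new line 976 runs on every lookup, including unambiguous ones, and could move inside the two fallback branches. The enclosing function starts and ends outside the hunk.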
tests/test_ldap.py | ||
---|---|---|
2337 | 2337 |
assert len(caplog.records) == 6 |
2338 | 2338 |
assert all(record.levelname == 'ERROR' for record in caplog.records) |
2339 | 2339 |
assert all('unable to build an external_id' in record.message for record in caplog.records) |
2340 | ||
2341 | ||
2342 |
def test_mandatory_role_slug_ambiguity_fallback_on_default_ou(db, rf, slapd, client, settings, caplog, ou1): |
|
2343 |
settings.LDAP_AUTH_SETTINGS = [ |
|
2344 |
{ |
|
2345 |
'url': [slapd.ldap_url], |
|
2346 |
'basedn': 'o=ôrga', |
|
2347 |
'use_tls': False, |
|
2348 |
'attributes': ['jpegPhoto'], |
|
2349 |
'set_mandatory_roles': ['ambiguous-role'], |
|
2350 |
} |
|
2351 |
] |
|
2352 | ||
2353 |
default_ou = get_default_ou() |
|
2354 |
Role.objects.create(slug='ambiguous-role', ou=default_ou) |
|
2355 |
Role.objects.create(slug='ambiguous-role', ou=ou1) |
|
2356 |
result = client.post( |
|
2357 |
'/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True |
|
2358 |
) |
|
2359 |
assert result.status_code == 200 |
|
2360 |
assert force_bytes('Étienne Michu') in result.content |
|
2361 |
assert User.objects.count() == 1 |
|
2362 |
user = User.objects.get() |
|
2363 |
role = user.roles.get(slug='ambiguous-role') |
|
2364 |
assert role.ou == default_ou |
|
2365 | ||
2366 | ||
2367 |
def test_mandatory_role_name_ambiguity_fallback_on_default_ou(db, rf, slapd, client, settings, caplog, ou1): |
|
2368 |
settings.LDAP_AUTH_SETTINGS = [ |
|
2369 |
{ |
|
2370 |
'url': [slapd.ldap_url], |
|
2371 |
'basedn': 'o=ôrga', |
|
2372 |
'use_tls': False, |
|
2373 |
'attributes': ['jpegPhoto'], |
|
2374 |
'set_mandatory_roles': ['Ambiguous role'], |
|
2375 |
} |
|
2376 |
] |
|
2377 | ||
2378 |
default_ou = get_default_ou() |
|
2379 |
Role.objects.create(name='Ambiguous role', ou=default_ou) |
|
2380 |
Role.objects.create(name='Ambiguous role', ou=ou1) |
|
2381 |
result = client.post( |
|
2382 |
'/login/', {'login-password-submit': '1', 'username': USERNAME, 'password': PASS}, follow=True |
|
2383 |
) |
|
2384 |
assert result.status_code == 200 |
|
2385 |
assert force_bytes('Étienne Michu') in result.content |
|
2386 |
assert User.objects.count() == 1 |
|
2387 |
user = User.objects.get() |
|
2388 |
role = user.roles.get(name='Ambiguous role') |
|
2389 |
assert role.ou == default_ou |
|
2340 |
- |
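Review bot: Both new tests cover only the case where one of the homonymous roles sits in the default ou, so the branches that set the `role *slug* is ambiguous` and `role *name* is ambiguous` errors are never exercised, nor is the `'ou__slug' not in kwargs` guard. A companion test with both roles outside the default ou should assert that the user ends up without the role and that the error is reported (presumably through `caplog`, as in the preceding test). Another test with an explicit `(slug, ou__slug)` entry should assert that the named ou is used rather than the default one. The `rf` and `caplog` fixtures are requested by both tests but not used in the lines shown.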