From 66a2165ad65f4431d3244ea92afbf80243d1eea9 Mon Sep 17 00:00:00 2001
From: Paul Marillonnet
Date: Wed, 6 Dec 2017 10:24:25 +0100
Subject: [PATCH] ldap_backend: remove imprecise role creation capability (#20454)

---
 src/authentic2/backends/ldap_backend.py | 18 +++++-------------
 tests/test_ldap.py | 13 +++++++------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index ba43f64d..96f8e625 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -249,8 +249,6 @@ class LDAPBackend(object):
 'is_staff': None,
 # create missing group if needed
 'create_group': False,
- # create missing role if needed
- 'create_role': False,
 # attributes to retrieve and store with the user object
 'attributes': ['uid'],
 # default value for some attributes
@@ -587,18 +585,12 @@ class LDAPBackend(object):
 except Group.DoesNotExist:
 return None
 
- def get_role_by_name(self, block, role_name, create=None):
+ def get_role_by_name(self, block, role_name):
 '''Obtain a Django role'''
- if create is None:
- create = block['create_role']
- if create:
- role, created = Role.objects.get_or_create(name=role_name)
- return role
- else:
- try:
- return Role.objects.get(name=role_name)
- except Role.DoesNotExist:
- return None
+ try:
+ return Role.objects.get(name=role_name)
+ except Role.DoesNotExist:
+ return None
 
 def populate_mandatory_groups(self, user, block):
 mandatory_groups = block.get('set_mandatory_groups')
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 1ab923bf..2c62b7a3 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
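Review bot: Dropping the `'create_role'` entry from the defaults leaves any deployed LDAP_AUTH_SETTINGS block that still sets it with a key the backend no longer reads; unless the backend rejects unknown block keys (not visible in this hunk), such a deployment silently stops auto-creating roles with no warning, which is the intended tightening but deserves to be surfaced. A comment at the removed position, `# 'create_role' was removed (#20454): mandatory roles must be provisioned beforehand`, or a one-time warning when a configured block still contains the key, would make the behaviour change explicit. The defaults dictionary starts and ends outside the hunk.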
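Review bot: The new body of `get_role_by_name` returns None for a missing role without any trace, so a name listed in `set_mandatory_roles` that was never provisioned, or is misspelled, is silently skipped unless the caller reports it, which this hunk does not show; a warning through the module's logger, if it has one, before the `return None` would make the lost assignment detectable. The `block` argument is now unused but kept, and the docstring should say so: `'''Return the Role named role_name, or None if it does not exist; roles are never created here, and block is unused (kept for signature compatibility).'''`. If Role.name is not unique on its own, `Role.objects.get(name=role_name)` can also raise MultipleObjectsReturned, which the except clause does not cover — worth confirming against the model. The sibling lookup just above (`except Group.DoesNotExist: return None`) follows the same shape, so the two stay consistent.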
@@ -359,7 +359,11 @@ def test_get_users(slapd, settings):
 
 
 @pytest.mark.django_db
-def test_create_mandatory_roles(slapd, settings):
+def test_set_mandatory_roles(slapd, settings):
+ from authentic2.a2_rbac.models import Role
+
+ Role.objects.get_or_create(name='_pytest_tech')
+ Role.objects.get_or_create(name='_pytest_admin')
 User = get_user_model()
 settings.LDAP_AUTH_SETTINGS = [{
 'url': [slapd.ldap_url],
@@ -370,11 +374,10 @@ def test_create_mandatory_roles(slapd, settings):
 ('cn=group2,o=orga', ['Group2']),
 ],
 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
- 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': True,
+ 'set_mandatory_roles': ['_pytest_tech', '_pytest_admin'],
 }]
 
- users = list(ldap_backend.LDAPBackend.get_users())
+ list(ldap_backend.LDAPBackend.get_users())
 assert User.objects.first().roles.count() == 2
 
 
@@ -391,7 +394,6 @@ def test_nocreate_mandatory_roles(slapd, settings):
 ],
 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': False,
 }]
 
 list(ldap_backend.LDAPBackend.get_users())
@@ -424,7 +426,6 @@ def test_no_connect_with_user_credentials(slapd_strict_acl, db, settings, app):
 ],
 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': False,
 }]
 response = app.get('/login/')
 response.form.set('username', USERNAME)
-- 
2.11.0
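Review bot: The assertion kept at the end of the second hunk of tests/test_ldap.py only counts roles, so `test_set_mandatory_roles` would still pass if the user ended up with two roles other than the pre-created `_pytest_tech` and `_pytest_admin`; now that the roles are created explicitly in the first hunk, checking names pins the behaviour: `assert set(User.objects.first().roles.values_list('name', flat=True)) == {'_pytest_tech', '_pytest_admin'}`. The test function starts in the first hunk and its body between the two hunks is outside view.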