From 09c5d111c1a226ac06c3a511ed43de5ee7d77b1b Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Thu, 23 Sep 2021 15:44:53 +0200
Subject: [PATCH] ldap: allow passing realm to sync-ldap-users command (#57038)
---
 src/authentic2/backends/ldap_backend.py | 5 +++-
 .../management/commands/sync-ldap-users.py | 5 +++-
 tests/test_ldap.py | 25 +++++++++++++++++++
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 975d8a19..38539d2f 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -1545,12 +1545,15 @@ class LDAPBackend:
 yield from cls.normalize_ldap_results(data)
 @classmethod
- def get_users(cls):
+ def get_users(cls, realm=None):
 blocks = cls.get_config()
 if not blocks:
 log.info('No LDAP server configured.')
 return
 for block in blocks:
+ if realm and realm != block['realm']:
+ continue
+
 log.info('Synchronising users from realm "%s"', block['realm'])
 conn = cls.get_connection(block)
 if conn is None:
diff --git a/src/authentic2/management/commands/sync-ldap-users.py b/src/authentic2/management/commands/sync-ldap-users.py
index e7b97fd0..dd59c9b5 100644
--- a/src/authentic2/management/commands/sync-ldap-users.py
+++ b/src/authentic2/management/commands/sync-ldap-users.py
@@ -29,6 +29,9 @@ from authentic2.backends.ldap_backend import LDAPBackend
 class Command(BaseCommand):
+ def add_arguments(self, parser):
+ parser.add_argument('--realm', help='Limit sync to this realm')
+
 def handle(self, *args, **kwargs):
 root_logger = logging.getLogger()
 ldap_logger = logging.getLogger('authentic2.backends.ldap_backend')
@@ -55,5 +58,5 @@ class Command(BaseCommand):
 elif verbosity == 3:
 ldap_logger.setLevel(logging.DEBUG)
- for user in LDAPBackend.get_users():
+ for user in LDAPBackend.get_users(realm=kwargs['realm']):
 continue
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 55ae92d1..156d981d 100644
--- a/tests/test_ldap.py
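Review bot: In `get_users` (src/authentic2/backends/ldap_backend.py) a `realm` that matches no configured block makes the loop skip every block and the generator finish silently, so `sync-ldap-users --realm <misspelt>` exits successfully having synchronised nothing. For a scheduled identity sync that is easy to miss, and local accounts would presumably stay as they were until someone notices. I would record whether any block passed the filter and, after the loop, emit `if realm and not matched: log.warning('No LDAP server configured for realm "%s"', realm)`, or have the command raise `CommandError` for an unknown realm. The truthiness test also means `--realm ''` runs against every realm; comparing with `realm is not None` would make the intent explicit. The body of `get_users` continues past the end of the hunk.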
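Review bot: The `--realm` help text in `Command.add_arguments` (sync-ldap-users.py) does not say what the value is compared with or what happens when the option is omitted. Judging from the `get_users` hunk, the comparison is an exact, case-sensitive match on each block's `realm` key, and no value means every block is synchronised. I would spell that out, for example `help='Only synchronise the LDAP block whose "realm" setting equals this value (default: all blocks)'`, and give `add_arguments` a one-line docstring.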
+++ b/tests/test_ldap.py
@@ -1803,6 +1803,31 @@ def test_sync_ldap_users(slapd, settings, app, db, caplog):
 assert len(caplog.records) == 42
+def test_get_users_select_realm(slapd, settings, db, caplog):
+ settings.LDAP_AUTH_SETTINGS = [
+ {
+ 'url': [slapd.ldap_url],
+ 'realm': 'first',
+ 'basedn': 'o=ôrga',
+ 'use_tls': False,
+ },
+ {
+ 'url': [slapd.ldap_url],
+ 'realm': 'second',
+ 'basedn': 'o=ôrga',
+ 'use_tls': False,
+ },
+ ]
+ management.call_command('sync-ldap-users', verbosity=2)
+ assert 'Synchronising users from realm "first"' in caplog.messages
+ assert 'Synchronising users from realm "second"' in caplog.messages
+
+ caplog.clear()
+ management.call_command('sync-ldap-users', verbosity=2, realm='second')
+ assert 'Synchronising users from realm "first"' not in caplog.messages
+ assert 'Synchronising users from realm "second"' in caplog.messages
+
+
 def test_alert_on_wrong_user_filter(slapd, settings, client, db, caplog):
 settings.LDAP_AUTH_SETTINGS = [
 {
-- 
2.30.2
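Review bot: `test_get_users_select_realm` covers the no-filter case and a matching realm, but not a realm that matches no block, which is the one input where the command does nothing and still returns normally. I would add a third call, `management.call_command('sync-ldap-users', verbosity=2, realm='unknown')`, after another `caplog.clear()`, and assert the intended outcome so it is pinned; with the code as written that is neither "Synchronising users" message appearing in `caplog.messages`. Both blocks also share the same `url` and `basedn`, so the test can only observe realm selection through the log line, not through which users were synchronised.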