manage: do not crash while trying to impersonate stale ldap user (#62868)

2022-09-21 11:09:34 +02:00 · 2022-09-21 11:09:34 +02:00 · 07b1fdc98f
parent 4ba89d00b7
commit 07b1fdc98f
2 changed files with 29 additions and 1 deletions
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@ -1604,6 +1604,8 @@ class SuView(View):
        # LDAP ad-hoc behaviour
        if user.userexternalid_set.exists():
            user = utils_misc.authenticate(request, user=user)
+        if not user:
+            raise Http404(_('Logging in to Publik as stale LDAP user is not allowed.'))
        return utils_misc.simulate_authentication(request, user, 'su')


--- a/tests/test_user_manager.py
+++ b/tests/test_user_manager.py
@ -26,6 +26,7 @@ from django.contrib.auth import get_user_model
 from django.contrib.contenttypes.models import ContentType
 from django.urls import reverse
 from webtest import Upload
+from webtest.app import AppError

 from authentic2.a2_rbac.models import OrganizationalUnit as OU
 from authentic2.a2_rbac.models import Permission, Role
@ -33,7 +34,8 @@ from authentic2.a2_rbac.utils import get_default_ou, get_view_user_perm
 from authentic2.apps.journal.models import Event
 from authentic2.custom_user.models import User
 from authentic2.manager import user_import
-from authentic2.models import Attribute, AttributeValue
+from authentic2.models import Attribute, AttributeValue, UserExternalId
+from authentic2.utils import misc as utils_misc
 from authentic2_idp_oidc.models import OIDCAuthorization, OIDCClient
 from django_rbac.models import VIEW_OP
 from django_rbac.utils import get_operation
@ -645,6 +647,30 @@ def test_su_superuser_dialog(app, app_factory, superuser, simple_user):
    assert new_app.session['_auth_user_id'] == str(simple_user.pk)


+def test_su_permission_ldap_user_authn_failed(app, app_factory, superuser, simple_user, monkeypatch):
+    external_id = UserExternalId(
+        user=simple_user,
+        source='ldap',
+        external_id='abc',
+    )
+    external_id.save()
+    simple_user.userexternalid_set.set([external_id])
+    resp = login(app, superuser, '/manage/users/%s/' % simple_user.pk)
+    su_view_url = resp.pyquery('button[name="su"]')[0].get('data-url')
+    resp = app.get(su_view_url)
+    anchors = resp.pyquery('a#su-link')
+    su_url = anchors[0].get('href')
+    new_app = app_factory()
+
+    def patched_authenticate(request, user=None):
+        return None
+
+    monkeypatch.setattr(utils_misc, 'authenticate', patched_authenticate)
+    with pytest.raises(AppError) as exc_info:
+        new_app.get(su_url).follow()
+    assert exc_info.match('Bad response: 404 Not Found')
+
+
 def import_csv(csv_content, app):
    response = app.get('/manage/users/')
    response = response.click('Import users')