ldap: do not fail if Role.MultipleObjectsReturned is raised (#39274)

2020-01-28 16:18:14 +01:00 · 2020-01-28 16:18:14 +01:00 · f03e3aae66
parent 82532d5bd2
commit f03e3aae66
2 changed files with 71 additions and 0 deletions
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@ -855,6 +855,8 @@ class LDAPBackend(object):
                    return Role.objects.get(name=slug, **kwargs), None
                except Role.DoesNotExist:
                    error = ('role %r does not exist' % role_id)
+                except Role.MultipleObjectsReturned:
+                    error = 'multiple objects returned, identifier is imprecise'
            except Role.MultipleObjectsReturned:
                error = 'multiple objects returned, identifier is imprecise'
        else:
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@ -32,6 +32,7 @@ from django.utils.encoding import force_text
 from django.utils import timezone
 from django.utils.six.moves.urllib import parse as urlparse

+from authentic2.models import Service
 from authentic2.a2_rbac.utils import get_default_ou
 from django_rbac.utils import get_ou_model
 from authentic2.backends import ldap_backend
@ -497,6 +498,74 @@ def test_nocreate_mandatory_roles(slapd, settings, db):
    assert User.objects.first().roles.count() == 0


+def test_from_slug_set_mandatory_roles(slapd, settings, db):
+    from authentic2.a2_rbac.models import Role
+
+    Role.objects.get_or_create(name='Tech', slug='tech')
+    Role.objects.get_or_create(name='Admin', slug='admin')
+    settings.LDAP_AUTH_SETTINGS = [{
+        'url': [slapd.ldap_url],
+        'basedn': u'o=ôrga',
+        'use_tls': False,
+        'create_group': True,
+        'group_mapping': [
+            [u'cn=group2,o=ôrga', ['Group2']],
+        ],
+        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+        'set_mandatory_roles': ['tech', 'admin'],
+    }]
+
+    list(ldap_backend.LDAPBackend.get_users())
+    assert User.objects.first().roles.count() == 2
+
+
+def test_multiple_slug_set_mandatory_roles(slapd, settings, db):
+    from authentic2.a2_rbac.models import Role
+
+    service1 = Service.objects.create(name='s1', slug='s1')
+    service2 = Service.objects.create(name='s2', slug='s2')
+    Role.objects.create(name='foo', slug='tech', service=service1)
+    Role.objects.create(name='bar', slug='tech', service=service2)
+    settings.LDAP_AUTH_SETTINGS = [{
+        'url': [slapd.ldap_url],
+        'basedn': u'o=ôrga',
+        'use_tls': False,
+        'create_group': True,
+        'group_mapping': [
+            [u'cn=group2,o=ôrga', ['Group2']],
+        ],
+        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+        'set_mandatory_roles': ['tech'],
+    }]
+
+    list(ldap_backend.LDAPBackend.get_users())
+    assert User.objects.first().roles.count() == 0
+
+
+def test_multiple_name_set_mandatory_roles(slapd, settings, db):
+    from authentic2.a2_rbac.models import Role
+
+    OU = get_ou_model()
+    ou1 = OU.objects.create(name='test1', slug='test1')
+    ou2 = OU.objects.create(name='test2', slug='test2')
+    Role.objects.create(name='tech', slug='foo', ou=ou1)
+    Role.objects.create(name='tech', slug='bar', ou=ou2)
+    settings.LDAP_AUTH_SETTINGS = [{
+        'url': [slapd.ldap_url],
+        'basedn': u'o=ôrga',
+        'use_tls': False,
+        'create_group': True,
+        'group_mapping': [
+            [u'cn=group2,o=ôrga', ['Group2']],
+        ],
+        'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
+        'set_mandatory_roles': ['tech'],
+    }]
+
+    list(ldap_backend.LDAPBackend.get_users())
+    assert User.objects.first().roles.count() == 0
+
+
@pytest.fixture
 def slapd_strict_acl(slapd):
    # forbid modifications by user themselves