mirror of https://github.com/zulip/zulip.git
auth: Remove `invalid_subdomain` restriction from LDAP backend.
Fixes: #11692.
parent
0e2dc873ba
commit
216b7b0a19
|
@ -2548,19 +2548,23 @@ class TestLDAP(ZulipLDAPTestCase):
|
|||
self.assertIs(user_profile, None)
|
||||
|
||||
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
|
||||
def test_login_failure_due_to_wrong_subdomain(self) -> None:
|
||||
def test_login_success_with_different_subdomain(self) -> None:
|
||||
self.mock_ldap.directory = {
|
||||
'uid=hamlet,ou=users,dc=zulip,dc=com': {
|
||||
'userPassword': ['testing', ]
|
||||
'fn': ['King Hamlet', ],
|
||||
'sn': ['Hamlet', ],
|
||||
'userPassword': ['testing', ],
|
||||
}
|
||||
}
|
||||
ldap_user_attr_map = {'full_name': 'fn', 'short_name': 'sn'}
|
||||
with self.settings(
|
||||
LDAP_APPEND_DOMAIN='zulip.com',
|
||||
AUTH_LDAP_BIND_PASSWORD='',
|
||||
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
|
||||
user_profile = self.backend.authenticate(self.example_email("hamlet"), 'testing',
|
||||
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com',
|
||||
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map):
|
||||
user_profile = self.backend.authenticate(self.example_email('hamlet'), 'testing',
|
||||
realm=get_realm('zephyr'))
|
||||
self.assertIs(user_profile, None)
|
||||
self.assertEqual(user_profile.email, self.example_email('hamlet'))
|
||||
|
||||
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
|
||||
def test_login_failure_due_to_invalid_subdomain(self) -> None:
|
||||
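Review bot: The rewritten `test_login_success_with_different_subdomain` asserts only `user_profile.email`, so it would still pass if `authenticate(..., realm=get_realm('zephyr'))` returned an account belonging to a different realm that shares that address. Since this commit deliberately allows one LDAP identity to exist in several realms, the test should also pin the realm, e.g. `self.assertEqual(user_profile.realm, get_realm('zephyr'))`. The lines shown also contain no case where authentication against a second realm is refused. `test_login_failure_due_to_invalid_subdomain` follows, but its body is outside the hunk, so whether it covers that case cannot be seen here.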
|
|
|
@ -38,6 +38,7 @@ from zerver.lib.actions import (
|
|||
get_stream,
|
||||
do_create_default_stream_group,
|
||||
do_add_default_stream,
|
||||
do_create_realm,
|
||||
)
|
||||
from zerver.lib.send_email import send_email, send_future_email, FromAddress
|
||||
from zerver.lib.initial_password import initial_password
|
||||
|
@ -2686,6 +2687,49 @@ class UserSignUpTest(InviteUserBase):
|
|||
self.assertEqual(birthday_field_value.value, '1990-12-19')
|
||||
self.assertEqual(phone_number_field_value.value, 'a-new-number')
|
||||
|
||||
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',))
|
||||
def test_ldap_registration_multiple_realms(self) -> None:
|
||||
password = "testing"
|
||||
email = "newuser@zulip.com"
|
||||
|
||||
ldap_user_attr_map = {
|
||||
'full_name': 'fn',
|
||||
'short_name': 'sn',
|
||||
}
|
||||
full_name = 'New LDAP fullname'
|
||||
mock_directory = {
|
||||
'uid=newuser,ou=users,dc=zulip,dc=com': {
|
||||
'userPassword': ['testing', ],
|
||||
'fn': [full_name],
|
||||
'sn': ['shortname'],
|
||||
}
|
||||
}
|
||||
init_fakeldap(mock_directory)
|
||||
do_create_realm('test', 'test', False)
|
||||
|
||||
with self.settings(
|
||||
POPULATE_PROFILE_VIA_LDAP=True,
|
||||
LDAP_APPEND_DOMAIN='zulip.com',
|
||||
AUTH_LDAP_BIND_PASSWORD='',
|
||||
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
|
||||
AUTH_LDAP_USER_DN_TEMPLATE='uid=%(user)s,ou=users,dc=zulip,dc=com'):
|
||||
|
||||
subdomain = "zulip"
|
||||
self.login_with_return(email, password,
|
||||
HTTP_HOST=subdomain + ".testserver")
|
||||
|
||||
user_profile = UserProfile.objects.get(email=email, realm=get_realm('zulip'))
|
||||
self.assertEqual(user_profile.email, email)
|
||||
self.logout()
|
||||
|
||||
# Test registration in another realm works.
|
||||
subdomain = "test"
|
||||
self.login_with_return(email, password,
|
||||
HTTP_HOST=subdomain + ".testserver")
|
||||
|
||||
user_profile = UserProfile.objects.get(email=email, realm=get_realm('test'))
|
||||
self.assertEqual(user_profile.email, email)
|
||||
|
||||
@override_settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipLDAPAuthBackend',
|
||||
'zproject.backends.ZulipDummyBackend'))
|
||||
def test_ldap_registration_when_names_changes_are_disabled(self) -> None:
|
||||
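Review bot: In `test_ldap_registration_multiple_realms`, both `self.assertEqual(user_profile.email, email)` checks are tautological, because `UserProfile.objects.get(email=email, realm=...)` has already filtered on that address; the only thing really tested is that `get` does not raise. Keeping the two profiles in separate variables and asserting they are distinct rows would say more, e.g. `self.assertNotEqual(zulip_profile.id, test_profile.id)`, plus a check of the full name if registration is expected to populate it from the `fn` attribute. The test also covers only the permissive path: nothing here exercises a realm where a valid LDAP login must not produce a new account, which is the situation the removed restriction used to catch.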
|
|
|
@ -451,12 +451,11 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
|
|||
raise ZulipLDAPException("Realm has been deactivated")
|
||||
if return_data.get("inactive_user"):
|
||||
raise ZulipLDAPException("User has been deactivated")
|
||||
if return_data.get("invalid_subdomain"):
|
||||
# TODO: Implement something in the caller for this to
|
||||
# provide a nice user-facing error message for this
|
||||
# situation (right now it just acts like any other auth
|
||||
# failure).
|
||||
raise ZulipLDAPException("Wrong subdomain")
|
||||
# An invalid_subdomain `return_data` value here is ignored,
|
||||
# since that just means we're trying to create an account in a
|
||||
# second realm on the server (`ldap_auth_enabled(realm)` would
|
||||
# have been false if this user wasn't meant to have an account
|
||||
# in this second realm).
|
||||
if self._realm.deactivated:
|
||||
# This happens if no account exists, but the realm is
|
||||
# deactivated, so we shouldn't create a new user account
|
||||
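Review bot: With the `invalid_subdomain` branch removed, the only thing this path relies on to keep an LDAP user out of a realm is `ldap_auth_enabled(realm)`, which the new comment cites but which is evaluated outside this hunk. On a server hosting several LDAP-enabled realms, any identity that authenticates against the directory can now have an account created in each of them, so per-realm restrictions (invite-only signup, allowed e-mail domains) must be enforced before the user is created; that is not visible here and should be confirmed. I would have the comment state the assumption explicitly, e.g. `# NOTE: realm membership is not checked here; ldap_auth_enabled(realm) and the realm's signup restrictions are the only gates.`, and add a test for a realm where creation must be refused. The enclosing method begins and ends outside the hunk.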
|
|