From 2a65183991d84f8c4ceb016faff0ff340b665799 Mon Sep 17 00:00:00 2001 From: Mateusz Mandera Date: Fri, 24 Nov 2023 20:18:28 +0100 Subject: [PATCH] tests: Add test for nocoverage userAccountControl case in ldap auth. This logic has been #nocoverage since its implementation, but since this is an authentication codepath, it seems important for it to have a test. --- zerver/tests/test_auth_backends.py | 20 ++++++++++++++++++++ zproject/backends.py | 2 +- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py index 4dffac8bfd..37a4ea216f 100644 --- a/zerver/tests/test_auth_backends.py +++ b/zerver/tests/test_auth_backends.py @@ -6424,6 +6424,26 @@ class TestLDAP(ZulipLDAPTestCase): ) self.assertIs(user_profile, None) + @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",)) + def test_login_failure_user_account_control(self) -> None: + self.change_ldap_user_attr("hamlet", "userAccountControl", "2") + + with self.settings( + LDAP_APPEND_DOMAIN="zulip.com", + AUTH_LDAP_USER_ATTR_MAP={"userAccountControl": "userAccountControl"}, + ), self.assertLogs("django_auth_ldap", "DEBUG") as debug_log: + user_profile = self.backend.authenticate( + request=mock.MagicMock(), + username=self.example_email("hamlet"), + password=self.ldap_password("hamlet"), + realm=get_realm("zulip"), + ) + self.assertIs(user_profile, None) + self.assertIn( + "DEBUG:django_auth_ldap:Authentication failed for hamlet: User has been deactivated", + debug_log.output, + ) + @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",)) @override_settings( AUTH_LDAP_USER_ATTR_MAP={ diff --git a/zproject/backends.py b/zproject/backends.py index fa3397ea0d..2828daef1e 100644 --- a/zproject/backends.py +++ b/zproject/backends.py @@ -1058,7 +1058,7 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase): if self.is_account_realm_access_forbidden(ldap_user, self._realm): raise ZulipLDAPError("User not allowed to access realm") - if ldap_should_sync_active_status(): # nocoverage + if ldap_should_sync_active_status(): ldap_disabled = self.is_user_disabled_in_ldap(ldap_user) if ldap_disabled: # Treat disabled users as deactivated in Zulip.