Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ldap: Prevent creation of users with malformed email value.

This commit is contained in:
Mateusz Mandera 2021-06-09 15:39:18 +02:00 committed by Tim Abbott
parent 18dab5619c
commit b1da5d9d76
2 changed files with 32 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
zerver/tests/test_signup.py
View File

@ -4283,6 +4283,28 @@ class UserSignUpTest(InviteUserBase):
) )
self.assertEqual(phone_number_field_value.value, "a-new-number") self.assertEqual(phone_number_field_value.value, "a-new-number")
@override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
def test_ldap_auto_registration_on_login_invalid_email_in_directory(self) -> None:
password = self.ldap_password("newuser_with_email")
username = "newuser_with_email"
subdomain = "zulip"
self.init_default_ldap_database()
self.change_ldap_user_attr("newuser_with_email", "mail", "thisisnotavalidemail")
with self.settings(
LDAP_EMAIL_ATTR="mail",
), self.assertLogs("zulip.auth.ldap", "WARNING") as mock_log:
original_user_count = UserProfile.objects.count()
self.login_with_return(username, password, HTTP_HOST=subdomain + ".testserver")
# Verify that the process failed as intended - no UserProfile is created.
self.assertEqual(UserProfile.objects.count(), original_user_count)
self.assertEqual(
mock_log.output,
["WARNING:zulip.auth.ldap:thisisnotavalidemail is not a valid email address."],
)
@override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",)) @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
def test_ldap_registration_multiple_realms(self) -> None: def test_ldap_registration_multiple_realms(self) -> None:
password = self.ldap_password("newuser") password = self.ldap_password("newuser")

10
zproject/backends.py
View File

@ -832,6 +832,16 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
# deactivated, so we shouldn't create a new user account # deactivated, so we shouldn't create a new user account
raise ZulipLDAPException("Realm has been deactivated") raise ZulipLDAPException("Realm has been deactivated")
try:
validate_email(username)
except ValidationError:
error_message = f"{username} is not a valid email address."
# This indicates a misconfiguration of ldap settings
# or a malformed email value in the ldap directory,
# so we should log a warning about this before failing.
self.logger.warning(error_message)
raise ZulipLDAPException(error_message)
# Makes sure that email domain hasn't be restricted for this # Makes sure that email domain hasn't be restricted for this
# realm. The main thing here is email_allowed_for_realm; but # realm. The main thing here is email_allowed_for_realm; but
# we also call validate_email_not_already_in_realm just for consistency, # we also call validate_email_not_already_in_realm just for consistency,