mirror of https://github.com/zulip/zulip.git
ldap: Disallow creating non-ldap accounts matching LDAP_APPEND_DOMAIN.
In configurations with LDAP_APPEND_DOMAIN, we don't want people creating non-ldap accounts with emails matching the ldap domain. So in the registration flow, if the email isn't found in LDAP, but matches LDAP_APPEND_DOMAIN, we stop, rather than proceeding with account creation. In case of emails not matching LDAP_APPEND_DOMAIN, we will still continue to make a normal, non-ldap account.
This commit is contained in:
Mateusz Mandera
Tim Abbott
parent
82674b9b83
commit
fcc91ae370
|
|
@ -2991,9 +2991,29 @@ class UserSignUpTest(InviteUserBase):
|
|||
self.assertEqual(result.url, "/accounts/login/?email=newuser%40zulip.com")
|
||||
self.assertFalse(UserProfile.objects.filter(email=email).exists())
|
||||
|
||||
# If the user's email is not in the LDAP directory, though, we
|
||||
# successfully create an account with a password in the Zulip
|
||||
# database.
|
||||
# For the rest of the test we delete the user from ldap.
|
||||
del self.mock_ldap.directory["uid=newuser,ou=users,dc=zulip,dc=com"]
|
||||
|
||||
# If the user's email is not in the LDAP directory, but fits LDAP_APPEND_DOMAIN,
|
||||
# we refuse to create the account.
|
||||
with self.settings(
|
||||
POPULATE_PROFILE_VIA_LDAP=True,
|
||||
LDAP_APPEND_DOMAIN='zulip.com',
|
||||
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
|
||||
):
|
||||
result = self.submit_reg_form_for_user(email,
|
||||
password,
|
||||
full_name="Non-LDAP Full Name",
|
||||
# Pass HTTP_HOST for the target subdomain
|
||||
HTTP_HOST=subdomain + ".testserver")
|
||||
self.assertEqual(result.status_code, 302)
|
||||
# We get redirected back to the login page because emails matching LDAP_APPEND_DOMAIN,
|
||||
# aren't allowed to create non-ldap accounts.
|
||||
self.assertEqual(result.url, "/accounts/login/?email=newuser%40zulip.com")
|
||||
self.assertFalse(UserProfile.objects.filter(email=email).exists())
|
||||
|
||||
# If the email is outside of LDAP_APPEND_DOMAIN, we succesfully create a non-ldap account,
|
||||
# with the password managed in the zulip database.
|
||||
with self.settings(
|
||||
POPULATE_PROFILE_VIA_LDAP=True,
|
||||
LDAP_APPEND_DOMAIN='example.com',
|
||||
|
|
|
|||
|
|
@ -34,7 +34,8 @@ from zerver.views.auth import create_preregistration_user, redirect_and_log_into
|
|||
redirect_to_deactivation_notice, get_safe_redirect_to
|
||||
|
||||
from zproject.backends import ldap_auth_enabled, password_auth_enabled, \
|
||||
ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend
|
||||
ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend, \
|
||||
email_belongs_to_ldap
|
||||
|
||||
from confirmation.models import Confirmation, RealmCreationKey, ConfirmationKeyException, \
|
||||
validate_key, create_confirmation_link, get_object_from_key, \
|
||||
|
|
@ -279,7 +280,13 @@ def accounts_register(request: HttpRequest) -> HttpResponse:
|
|||
prereg_user=prereg_user,
|
||||
return_data=return_data)
|
||||
if user_profile is None:
|
||||
if return_data.get("no_matching_ldap_user") and email_auth_enabled(realm):
|
||||
can_use_different_backend = email_auth_enabled(realm)
|
||||
if settings.LDAP_APPEND_DOMAIN:
|
||||
# In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account
|
||||
# if the email matches the ldap domain.
|
||||
can_use_different_backend = can_use_different_backend and (
|
||||
not email_belongs_to_ldap(realm, email))
|
||||
if return_data.get("no_matching_ldap_user") and can_use_different_backend:
|
||||
# If both the LDAP and Email auth backends are
|
||||
# enabled, and there's no matching user in the LDAP
|
||||
# directory then the intent is to create a user in the
|
||||
|
|
|
|||
Loading…
Reference in New Issue