Disable federated login for new users if user creation is disabled

Fixes https://www.pivotaltracker.com/story/show/144821585
2017-05-05 13:20:20 -04:00 · 2017-05-05 13:20:20 -04:00 · b3d7577473
commit b3d7577473
parent 118ed4a37e
3 changed files with 42 additions and 3 deletions
--- a/data/users/federated.py
+++ b/data/users/federated.py
@ -10,6 +10,8 @@ logger = logging.getLogger(__name__)
 UserInformation = namedtuple('UserInformation', ['username', 'email', 'id'])
 DISABLED_MESSAGE = 'User creation is disabled. Please contact your adminstrator to gain access.'
 class FederatedUsers(object):
  """ Base class for all federated users systems. """
@ -96,7 +98,10 @@ class FederatedUsers(object):
  def _get_and_link_federated_user_info(self, username, email):
    db_user = model.user.verify_federated_login(self._federated_service, username)
    if not db_user:
-      # We must create the user in our db
+      # We must create the user in our db. Check to see if this is allowed.
      if not features.USER_CREATION:
        return (None, DISABLED_MESSAGE)
      valid_username = None
      for valid_username in generate_valid_usernames(username):
        if model.user.is_username_unique(valid_username):
--- a/data/users/test/test_users.py
+++ b/data/users/test/test_users.py
@ -0,0 +1,36 @@
 import pytest
 from mock import patch
 from data.database import model
 from data.users.federated import DISABLED_MESSAGE
 from test.test_ldap import mock_ldap
 from test.test_keystone_auth import fake_keystone
 from test.fixtures import *
@pytest.mark.parametrize('auth_system_builder, user1, user2', [
  (mock_ldap, ('someuser', 'somepass'), ('testy', 'password')),
  (fake_keystone, ('cool.user', 'password'), ('some.neat.user', 'foobar')),
 ])
 def test_auth_createuser(auth_system_builder, user1, user2, config, app):
  with auth_system_builder() as auth:
    # Login as a user and ensure a row in the database is created for them.
    user, err = auth.verify_and_link_user(*user1)
    assert err is None
    assert user
    federated_info = model.user.lookup_federated_login(user, auth.federated_service)
    assert federated_info is not None
    # Disable user creation.
    with patch('features.USER_CREATION', False):
      # Ensure that the existing user can login.
      user_again, err = auth.verify_and_link_user(*user1)
      assert err is None
      assert user_again.id == user.id
      # Ensure that a new user cannot.
      new_user, err = auth.verify_and_link_user(*user2)
      assert new_user is None
      assert err == DISABLED_MESSAGE
--- a/features/init.py
+++ b/features/init.py
@ -27,5 +27,3 @@ class FeatureNameValue(object):
  def __nonzero__(self):
    return self.value.__nonzero__()
`@ -27,5 +27,3 @@ class FeatureNameValue(object):`

	`def __nonzero__(self):`	`def __nonzero__(self):`
	`return self.value.__nonzero__()`	`return self.value.__nonzero__()`