Disable federated login for new users if user creation is disabled
Fixes https://www.pivotaltracker.com/story/show/144821585
This commit is contained in:
Joseph Schorr
parent
118ed4a37e
commit
b3d7577473
3 changed files with 42 additions and 3 deletions
|
|
@ -10,6 +10,8 @@ logger = logging.getLogger(__name__)
|
|||
|
||||
UserInformation = namedtuple('UserInformation', ['username', 'email', 'id'])
|
||||
|
||||
DISABLED_MESSAGE = 'User creation is disabled. Please contact your adminstrator to gain access.'
|
||||
|
||||
class FederatedUsers(object):
|
||||
""" Base class for all federated users systems. """
|
||||
|
||||
|
|
@ -96,7 +98,10 @@ class FederatedUsers(object):
|
|||
def _get_and_link_federated_user_info(self, username, email):
|
||||
db_user = model.user.verify_federated_login(self._federated_service, username)
|
||||
if not db_user:
|
||||
# We must create the user in our db
|
||||
# We must create the user in our db. Check to see if this is allowed.
|
||||
if not features.USER_CREATION:
|
||||
return (None, DISABLED_MESSAGE)
|
||||
|
||||
valid_username = None
|
||||
for valid_username in generate_valid_usernames(username):
|
||||
if model.user.is_username_unique(valid_username):
|
||||
|
|
|
|||
36
data/users/test/test_users.py
Normal file
36
data/users/test/test_users.py
Normal file
|
|
@ -0,0 +1,36 @@
|
|||
import pytest
|
||||
|
||||
from mock import patch
|
||||
|
||||
from data.database import model
|
||||
from data.users.federated import DISABLED_MESSAGE
|
||||
from test.test_ldap import mock_ldap
|
||||
from test.test_keystone_auth import fake_keystone
|
||||
|
||||
from test.fixtures import *
|
||||
|
||||
@pytest.mark.parametrize('auth_system_builder, user1, user2', [
|
||||
(mock_ldap, ('someuser', 'somepass'), ('testy', 'password')),
|
||||
(fake_keystone, ('cool.user', 'password'), ('some.neat.user', 'foobar')),
|
||||
])
|
||||
def test_auth_createuser(auth_system_builder, user1, user2, config, app):
|
||||
with auth_system_builder() as auth:
|
||||
# Login as a user and ensure a row in the database is created for them.
|
||||
user, err = auth.verify_and_link_user(*user1)
|
||||
assert err is None
|
||||
assert user
|
||||
|
||||
federated_info = model.user.lookup_federated_login(user, auth.federated_service)
|
||||
assert federated_info is not None
|
||||
|
||||
# Disable user creation.
|
||||
with patch('features.USER_CREATION', False):
|
||||
# Ensure that the existing user can login.
|
||||
user_again, err = auth.verify_and_link_user(*user1)
|
||||
assert err is None
|
||||
assert user_again.id == user.id
|
||||
|
||||
# Ensure that a new user cannot.
|
||||
new_user, err = auth.verify_and_link_user(*user2)
|
||||
assert new_user is None
|
||||
assert err == DISABLED_MESSAGE
|
||||
|
|
@ -27,5 +27,3 @@ class FeatureNameValue(object):
|
|||
|
||||
def __nonzero__(self):
|
||||
return self.value.__nonzero__()
|
||||
|
||||
|
||||
|
|
|
|||
Reference in a new issue