aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKelley Spoon <kelley.spoon@linaro.org>2022-02-02 04:59:01 -0600
committerKelley Spoon <kelley.spoon@linaro.org>2022-02-02 11:02:51 +0000
commitc43b8fd558fa4871f84697dd10c5a344be23b914 (patch)
tree408c7002b36629b8e183a9b49471e8f366ab392f
parent6f19b63a6e257d9ac51eec9d4783579fabe0d840 (diff)
downloadlinaro-license-protection-c43b8fd558fa4871f84697dd10c5a344be23b914.tar.gz
group_auth_ldap: fix an error with user group authorization
There is a bug in the ldap group authorization code where we use the full django username for authentication (which is the full email), but only the UID (first.lastname) is stored in the group membership table. We should also take this time to just try to look up the UID in the groups table instead of trying to build a list of group memberships for the user and compare that to the required groups. Change-Id: I41209fb8745a6225f3e7344910dc89c19d336a76 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/linaro-license-protection/+/40448
-rw-r--r--license_protected_downloads/group_auth_ldap.py9
1 files changed, 3 insertions, 6 deletions
diff --git a/license_protected_downloads/group_auth_ldap.py b/license_protected_downloads/group_auth_ldap.py
index 07f7a77..3896beb 100644
--- a/license_protected_downloads/group_auth_ldap.py
+++ b/license_protected_downloads/group_auth_ldap.py
@@ -16,15 +16,12 @@ def process_group_auth(request, required_groups):
if not request.user.is_authenticated():
return redirect(settings.LOGIN_URL + "?next=" + request.path)
- user = request.user.username
+ user = request.user.username.split('@').pop(0)
log.warn("Authenticating using LDAP API: %s", user)
ldap_groups = linaro_ldap.get_groups_and_users()
- user_groups = [g for g in ldap_groups if user in ldap_groups[g]]
- log.info("User groups are: %s", user_groups)
-
- for user_group in user_groups:
- if user_group in required_groups:
+ for group in required_groups:
+ if user in ldap_groups[group]:
return True
return False