From c43b8fd558fa4871f84697dd10c5a344be23b914 Mon Sep 17 00:00:00 2001 From: Kelley Spoon Date: Wed, 2 Feb 2022 04:59:01 -0600 Subject: group_auth_ldap: fix an error with user group authorization There is a bug in the ldap group authorization code where we use the full django username for authentication (which is the full email), but only the UID (first.lastname) is stored in the group membership table. We should also take this time to just try to look up the UID in the groups table instead of trying to build a list of group memberships for the user and compare that to the required groups. Change-Id: I41209fb8745a6225f3e7344910dc89c19d336a76 Signed-off-by: Kelley Spoon Reviewed-on: https://review.linaro.org/c/infrastructure/linaro-license-protection/+/40448 --- license_protected_downloads/group_auth_ldap.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/license_protected_downloads/group_auth_ldap.py b/license_protected_downloads/group_auth_ldap.py index 07f7a77..3896beb 100644 --- a/license_protected_downloads/group_auth_ldap.py +++ b/license_protected_downloads/group_auth_ldap.py @@ -16,15 +16,12 @@ def process_group_auth(request, required_groups): if not request.user.is_authenticated(): return redirect(settings.LOGIN_URL + "?next=" + request.path) - user = request.user.username + user = request.user.username.split('@').pop(0) log.warn("Authenticating using LDAP API: %s", user) ldap_groups = linaro_ldap.get_groups_and_users() - user_groups = [g for g in ldap_groups if user in ldap_groups[g]] - log.info("User groups are: %s", user_groups) - - for user_group in user_groups: - if user_group in required_groups: + for group in required_groups: + if user in ldap_groups[group]: return True return False -- cgit v1.2.3
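Review bot: The new membership test `if user in ldap_groups[group]:` indexes the LDAP map directly, so a name in `required_groups` that is missing from the result of `get_groups_and_users()` raises `KeyError` and turns a denial into an unhandled error on the authorization path; the removed comprehension only iterated the map's own keys and could not hit this. Assuming the result is a plain dict, `if user in ldap_groups.get(group, ()):` keeps the denial explicit. Separately, `request.user.username.split('@').pop(0)` discards the mail domain before the group check, so two accounts sharing a local part under different domains would resolve to the same UID. If Django usernames from more than one domain can exist (not visible here), check the domain against the expected one or use the UID recorded at login rather than one derived from the e-mail string. The body of `process_group_auth` begins above this hunk, so any earlier checks on `required_groups` are not visible.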