Remove fallback to local database when LDAP is unavailable.
In many environments this will not work as the LDAP password and the copy stored in Pleroma will stay synchronized.
parent
f7146583e5
commit
0f9aecbca4
@ -28,10 +28,6 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
|
|||||||
%User{} = user <- ldap_user(name, password) do
|
%User{} = user <- ldap_user(name, password) do
|
||||||
{:ok, user}
|
{:ok, user}
|
||||||
else
|
else
|
||||||
{:error, {:ldap_connection_error, _}} ->
|
|
||||||
# When LDAP is unavailable, try default authenticator
|
|
||||||
@base.get_user(conn)
|
|
||||||
|
|
||||||
{:ldap, _} ->
|
{:ldap, _} ->
|
||||||
@base.get_user(conn)
|
@base.get_user(conn)
|
||||||
|
|
||||||
|
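Review bot: With the `{:error, {:ldap_connection_error, _}}` clause removed, a failed LDAP connection must now be matched by whatever `else` clauses remain after `{:ldap, _} ->`, and those lie outside this hunk; if none matches, `with` raises `WithClauseError` instead of returning an authentication error. Confirm that a catch-all such as `error -> error` is present so the request fails closed with a normal error response. The test-file hunks delete the fallback test without a replacement; a test that mocks `:eldap.open` to return `{:error, 'connect failed'}` and asserts that `/oauth/token` issues no token for a user with a valid local password hash would pin the new behaviour. The remaining `{:ldap, _}` clause still delegates to `@base.get_user(conn)`, presumably for the case where LDAP is disabled, and a short comment saying so would keep it from being read as a leftover fallback.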
@ -7,7 +7,6 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
|
|||||||
alias Pleroma.Repo
|
alias Pleroma.Repo
|
||||||
alias Pleroma.Web.OAuth.Token
|
alias Pleroma.Web.OAuth.Token
|
||||||
import Pleroma.Factory
|
import Pleroma.Factory
|
||||||
import ExUnit.CaptureLog
|
|
||||||
import Mock
|
import Mock
|
||||||
|
|
||||||
@skip if !Code.ensure_loaded?(:eldap), do: :skip
|
@skip if !Code.ensure_loaded?(:eldap), do: :skip
|
||||||
@ -99,50 +98,6 @@ defmodule Pleroma.Web.OAuth.LDAPAuthorizationTest do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
@tag @skip
|
|
||||||
test "falls back to the default authorization when LDAP is unavailable" do
|
|
||||||
password = "testpassword"
|
|
||||||
user = insert(:user, password_hash: Pbkdf2.hash_pwd_salt(password))
|
|
||||||
app = insert(:oauth_app, scopes: ["read", "write"])
|
|
||||||
|
|
||||||
host = Pleroma.Config.get([:ldap, :host]) |> to_charlist
|
|
||||||
port = Pleroma.Config.get([:ldap, :port])
|
|
||||||
|
|
||||||
with_mocks [
|
|
||||||
{:eldap, [],
|
|
||||||
[
|
|
||||||
open: fn [^host], [{:port, ^port}, {:ssl, false} | _] -> {:error, 'connect failed'} end,
|
|
||||||
simple_bind: fn _connection, _dn, ^password -> :ok end,
|
|
||||||
close: fn _connection ->
|
|
||||||
send(self(), :close_connection)
|
|
||||||
:ok
|
|
||||||
end
|
|
||||||
]}
|
|
||||||
] do
|
|
||||||
log =
|
|
||||||
capture_log(fn ->
|
|
||||||
conn =
|
|
||||||
build_conn()
|
|
||||||
|> post("/oauth/token", %{
|
|
||||||
"grant_type" => "password",
|
|
||||||
"username" => user.nickname,
|
|
||||||
"password" => password,
|
|
||||||
"client_id" => app.client_id,
|
|
||||||
"client_secret" => app.client_secret
|
|
||||||
})
|
|
||||||
|
|
||||||
assert %{"access_token" => token} = json_response(conn, 200)
|
|
||||||
|
|
||||||
token = Repo.get_by(Token, token: token)
|
|
||||||
|
|
||||||
assert token.user_id == user.id
|
|
||||||
end)
|
|
||||||
|
|
||||||
assert log =~ "Could not open LDAP connection: 'connect failed'"
|
|
||||||
refute_received :close_connection
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
@tag @skip
|
@tag @skip
|
||||||
test "disallow authorization for wrong LDAP credentials" do
|
test "disallow authorization for wrong LDAP credentials" do
|
||||||
password = "testpassword"
|
password = "testpassword"
|
||||||
|