IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

LDAP: Disable user in case it has been removed from LDAP directory (#60231)

Browse Source 
* Fix login flow

* Align test

* Fix comments

* Improve test
This commit is contained in:
Misi 2022-12-14 09:41:51 +01:00 committed by GitHub
parent ed28324233
commit 6d8bf5ac01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/login/ldap_login.go
View File

@ -47,6 +47,7 @@ var loginUsingLDAP = func(ctx context.Context, query *models.LoginUserQuery, log
ldapLogger.Debug("Failed to disable external user", "err", err) ldapLogger.Debug("Failed to disable external user", "err", err)
} }
// Return invalid credentials if we couldn't find the user anywhere
return true, ldap.ErrInvalidCredentials return true, ldap.ErrInvalidCredentials
} }

22
pkg/services/multildap/multildap.go
View File

@ -106,6 +106,8 @@ func (multiples *MultiLDAP) Login(query *models.LoginUserQuery) (
return nil, ErrNoLDAPServers return nil, ErrNoLDAPServers
} }
ldapSilentErrors := []error{}
for index, config := range multiples.configs { for index, config := range multiples.configs {
server := newLDAP(config) server := newLDAP(config)
@ -122,12 +124,9 @@ func (multiples *MultiLDAP) Login(query *models.LoginUserQuery) (
defer server.Close() defer server.Close()
user, err := server.Login(query) user, err := server.Login(query)
// FIXME
if user != nil {
return user, nil
}
if err != nil { if err != nil {
if isSilentError(err) { if isSilentError(err) {
ldapSilentErrors = append(ldapSilentErrors, err)
logger.Debug( logger.Debug(
"unable to login with LDAP - skipping server", "unable to login with LDAP - skipping server",
"host", config.Host, "host", config.Host,
@ -139,10 +138,21 @@ func (multiples *MultiLDAP) Login(query *models.LoginUserQuery) (
return nil, err return nil, err
} }
if user != nil {
return user, nil
}
} }
// Return invalid credentials if we couldn't find the user anywhere // Return ErrInvalidCredentials in case any of the errors was ErrInvalidCredentials (means that the authentication has failed at least once)
return nil, ErrInvalidCredentials for _, ldapErr := range ldapSilentErrors {
if errors.Is(ldapErr, ErrInvalidCredentials) {
return nil, ErrInvalidCredentials
}
}
// Return ErrCouldNotFindUser if all of the configured LDAP servers returned with ErrCouldNotFindUser
return nil, ErrCouldNotFindUser
} }
// User attempts to find an user by login/username by searching into all of the configured LDAP servers. Then, if the user is found it returns the user alongisde the server it was found. // User attempts to find an user by login/username by searching into all of the configured LDAP servers. Then, if the user is found it returns the user alongisde the server it was found.

5
pkg/services/multildap/multildap_test.go
View File

@ -99,6 +99,7 @@ func TestMultiLDAP(t *testing.T) {
t.Run("Should call underlying LDAP methods", func(t *testing.T) { t.Run("Should call underlying LDAP methods", func(t *testing.T) {
mock := setup() mock := setup()
mock.loginErrReturn = ErrInvalidCredentials
multi := New([]*ldap.ServerConfig{ multi := New([]*ldap.ServerConfig{
{}, {}, {}, {},
@ -109,7 +110,7 @@ func TestMultiLDAP(t *testing.T) {
require.Equal(t, 2, mock.loginCalledTimes) require.Equal(t, 2, mock.loginCalledTimes)
require.Equal(t, 2, mock.closeCalledTimes) require.Equal(t, 2, mock.closeCalledTimes)
require.Equal(t, ErrInvalidCredentials, err) require.Equal(t, ldap.ErrInvalidCredentials, err)
teardown() teardown()
}) })
@ -150,7 +151,7 @@ func TestMultiLDAP(t *testing.T) {
require.Equal(t, 2, mock.loginCalledTimes) require.Equal(t, 2, mock.loginCalledTimes)
require.Equal(t, 2, mock.closeCalledTimes) require.Equal(t, 2, mock.closeCalledTimes)
require.Equal(t, ErrInvalidCredentials, err) require.Equal(t, ErrCouldNotFindUser, err)
teardown() teardown()
}) })