Merge pull request #6187 from jangsutsr/6169_prevent_third_party_based_user_to_impose_tower_user

Prevent a third-party-authenticated user from impersonating a Tower user
This commit is contained in:
Aaron Tan
2017-05-08 14:43:32 -04:00
committed by GitHub
2 changed files with 27 additions and 4 deletions


@@ -138,7 +138,9 @@ class RADIUSBackend(BaseRADIUSBackend):
if not feature_enabled('enterprise_auth'): if not feature_enabled('enterprise_auth'):
logger.error("Unable to get_user, license does not support RADIUS authentication") logger.error("Unable to get_user, license does not support RADIUS authentication")
return None return None
return super(RADIUSBackend, self).get_user(user_id) user = super(RADIUSBackend, self).get_user(user_id)
if not user.has_usable_password():
return user
def get_django_user(self, username, password=None): def get_django_user(self, username, password=None):
try: try:
@@ -190,7 +192,9 @@ class TACACSPlusBackend(object):
logger.exception("TACACS+ Authentication Error: %s" % (e.message,)) logger.exception("TACACS+ Authentication Error: %s" % (e.message,))
return None return None
if auth.valid: if auth.valid:
return self._get_or_set_user(username, password) user = self._get_or_set_user(username, password)
if not user.has_usable_password():
return user
else: else:
return None return None
return None return None
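Review bot: In RADIUSBackend.get_user the new `user.has_usable_password()` call on the line after the super() call is not guarded against a None result, and a Django-style `get_user` typically returns None for an unknown or inactive user id, so a stale session would raise AttributeError instead of being treated as logged out; change it to `if user is not None and not user.has_usable_password():` and finish the method with an explicit `return None` so the refusal of password-bearing accounts is deliberate rather than an implicit fall-through. The `if auth.valid:` branch in TACACSPlusBackend.authenticate has the same implicit fall-through, and a refused login there leaves no trace; a `logger.warning("TACACS+ login refused for %s: local password set", username)` on that path would make the rejection visible to operators, and the same applies to the RADIUS path. Whether `_get_or_set_user` can return None is not visible in this hunk. Both methods start outside their hunks.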


@@ -50,16 +50,35 @@ def test_client_return_invalid_fails_auth(tacacsplus_backend, feature_enabled):
assert ret_user is None assert ret_user is None
def test_user_with_password_fails_auth(tacacsplus_backend, feature_enabled):
auth = mock.MagicMock()
auth.valid = True
client = mock.MagicMock()
client.authenticate.return_value = auth
user = mock.MagicMock()
user.has_usable_password = mock.MagicMock(return_value=True)
with mock.patch('awx.sso.backends.django_settings') as settings,\
mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
mock.patch('tacacs_plus.TACACSClient', return_value=client),\
mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
settings.TACACSPLUS_HOST = 'localhost'
settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
assert ret_user is None
def test_client_return_valid_passes_auth(tacacsplus_backend, feature_enabled): def test_client_return_valid_passes_auth(tacacsplus_backend, feature_enabled):
auth = mock.MagicMock() auth = mock.MagicMock()
auth.valid = True auth.valid = True
client = mock.MagicMock() client = mock.MagicMock()
client.authenticate.return_value = auth client.authenticate.return_value = auth
user = mock.MagicMock()
user.has_usable_password = mock.MagicMock(return_value=False)
with mock.patch('awx.sso.backends.django_settings') as settings,\ with mock.patch('awx.sso.backends.django_settings') as settings,\
mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\ mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
mock.patch('tacacs_plus.TACACSClient', return_value=client),\ mock.patch('tacacs_plus.TACACSClient', return_value=client),\
mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value="user"): mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
settings.TACACSPLUS_HOST = 'localhost' settings.TACACSPLUS_HOST = 'localhost'
settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii' settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
ret_user = tacacsplus_backend.authenticate(u"user", u"pass") ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
assert ret_user == "user" assert ret_user == user
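Review bot: The new test_user_with_password_fails_auth exercises only the TACACS+ backend; the RADIUSBackend.get_user change in the same commit has no test in the two changed files, as far as this section shows. Neither backend is tested for the case where the looked-up user is None, which is exactly the input that would break the new `has_usable_password()` call. Consider a companion test that patches `_get_or_set_user` (and the RADIUS `get_user` super call) to return None and asserts the backend returns None rather than raising.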