Prevent third-party-based user from imposing tower user.

2026-01-23 07:28:02 -03:30 · 2017-05-04 17:31:57 -04:00 · 2017-05-04 17:31:57 -04:00 · 7a6364c642
commit 7a6364c642
parent 6c7028f657
2 changed files with 27 additions and 4 deletions
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@ -138,7 +138,9 @@ class RADIUSBackend(BaseRADIUSBackend):
        if not feature_enabled('enterprise_auth'):
            logger.error("Unable to get_user, license does not support RADIUS authentication")
            return None
-        return super(RADIUSBackend, self).get_user(user_id)
+        user = super(RADIUSBackend, self).get_user(user_id)
+        if not user.has_usable_password():
+            return user

    def get_django_user(self, username, password=None):
        try:
@ -190,7 +192,9 @@ class TACACSPlusBackend(object):
            logger.exception("TACACS+ Authentication Error: %s" % (e.message,))
            return None
        if auth.valid:
-            return self._get_or_set_user(username, password)
+            user = self._get_or_set_user(username, password)
+            if not user.has_usable_password():
+                return user
        else:
            return None
        return None
--- a/awx/sso/tests/unit/test_tacacsplus.py
+++ b/awx/sso/tests/unit/test_tacacsplus.py
@ -50,16 +50,35 @@ def test_client_return_invalid_fails_auth(tacacsplus_backend, feature_enabled):
        assert ret_user is None


+def test_user_with_password_fails_auth(tacacsplus_backend, feature_enabled):
+    auth = mock.MagicMock()
+    auth.valid = True
+    client = mock.MagicMock()
+    client.authenticate.return_value = auth
+    user = mock.MagicMock()
+    user.has_usable_password = mock.MagicMock(return_value=True)
+    with mock.patch('awx.sso.backends.django_settings') as settings,\
+            mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
+            mock.patch('tacacs_plus.TACACSClient', return_value=client),\
+            mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
+        settings.TACACSPLUS_HOST = 'localhost'
+        settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
+        ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
+        assert ret_user is None
+
+
 def test_client_return_valid_passes_auth(tacacsplus_backend, feature_enabled):
    auth = mock.MagicMock()
    auth.valid = True
    client = mock.MagicMock()
    client.authenticate.return_value = auth
+    user = mock.MagicMock()
+    user.has_usable_password = mock.MagicMock(return_value=False)
    with mock.patch('awx.sso.backends.django_settings') as settings,\
            mock.patch('awx.sso.backends.feature_enabled', feature_enabled('enterprise_auth')),\
            mock.patch('tacacs_plus.TACACSClient', return_value=client),\
-            mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value="user"):
+            mock.patch.object(tacacsplus_backend, '_get_or_set_user', return_value=user):
        settings.TACACSPLUS_HOST = 'localhost'
        settings.TACACSPLUS_AUTH_PROTOCOL = 'ascii'
        ret_user = tacacsplus_backend.authenticate(u"user", u"pass")
-        assert ret_user == "user"
+        assert ret_user == user