Merge LDAP improvements branch into develop.
This commit is contained in:
commit
d49d257ffa
3 changed files with 82 additions and 12 deletions
|
@ -6,7 +6,10 @@ module Import
|
|||
|
||||
def initialize(resource, *args)
|
||||
handle_args(resource, *args)
|
||||
initialize_associations_states
|
||||
import(resource, *args)
|
||||
return if @resource.blank?
|
||||
store_associations(:after, @resource)
|
||||
end
|
||||
|
||||
def import_class
|
||||
|
@ -30,8 +33,7 @@ module Import
|
|||
end
|
||||
|
||||
def attributes_changed?
|
||||
return true if changed_attributes.present?
|
||||
@associations_init != associations_state(@resource)
|
||||
changed_attributes.present? || changed_associations.present?
|
||||
end
|
||||
|
||||
def changed_attributes
|
||||
|
@ -42,6 +44,15 @@ module Import
|
|||
@resource.previous_changes
|
||||
end
|
||||
|
||||
def changed_associations
|
||||
changes = {}
|
||||
tracked_associations.each do |association|
|
||||
next if @associations[:before][association] == @associations[:after][association]
|
||||
changes[association] = [@associations[:before][association], @associations[:after][association]]
|
||||
end
|
||||
changes
|
||||
end
|
||||
|
||||
def created?
|
||||
return false if @resource.blank?
|
||||
# dry run
|
||||
|
@ -52,6 +63,13 @@ module Import
|
|||
|
||||
private
|
||||
|
||||
def initialize_associations_states
|
||||
@associations = {}
|
||||
%i(before after).each do |state|
|
||||
@associations[state] ||= {}
|
||||
end
|
||||
end
|
||||
|
||||
def import(resource, *args)
|
||||
create_or_update(map(resource, *args), *args)
|
||||
rescue => e
|
||||
|
@ -96,13 +114,13 @@ module Import
|
|||
return if !synced_instance
|
||||
instance = import_class.find_by(id: synced_instance.o_id)
|
||||
|
||||
store_associations_state(instance)
|
||||
store_associations(:before, instance)
|
||||
|
||||
instance
|
||||
end
|
||||
|
||||
def store_associations_state(instance)
|
||||
@associations_init = associations_state(instance)
|
||||
def store_associations(state, instance)
|
||||
@associations[state] = associations_state(instance)
|
||||
end
|
||||
|
||||
def associations_state(instance)
|
||||
|
|
|
@ -31,7 +31,6 @@ module Import
|
|||
|
||||
def create_or_update(resource, *args)
|
||||
return if skip?(resource)
|
||||
resource[:role_ids] = role_ids(resource)
|
||||
result = super(resource, *args)
|
||||
|
||||
ldap_log(
|
||||
|
@ -58,14 +57,49 @@ module Import
|
|||
return @signup_role_ids if !dn
|
||||
# check if roles are mapped for the found dn
|
||||
roles = @dn_roles[ dn.downcase ]
|
||||
# use signup roles if no mapped roles were found
|
||||
return @signup_role_ids if !roles
|
||||
# return found roles
|
||||
roles
|
||||
return roles if roles
|
||||
# return signup roles if there is a role mapping in general
|
||||
# this makes the LDAP the leading source of roles
|
||||
return @signup_role_ids if @dn_roles.present?
|
||||
|
||||
# special case: there is no LDAP role mapping configured
|
||||
#
|
||||
# if there is no role mapping in general the signup roles
|
||||
# should only get used for newly created users (see .create method)
|
||||
# otherwise users might overwrite their local assigned
|
||||
# roles with less privileged roles and lock theirselfs out
|
||||
#
|
||||
# see issue 350#issuecomment-295252402
|
||||
#
|
||||
# this method only gets called from the .updated? method
|
||||
# so we won't return any roles which will keep the current
|
||||
# role assignment for the User
|
||||
# the signup roles will be taken in this case direcly in
|
||||
# the .create method
|
||||
nil
|
||||
end
|
||||
|
||||
def updated?(resource, *_args)
|
||||
super
|
||||
|
||||
# this is needed for the special case described in the role_ids method
|
||||
#
|
||||
# assign roles only if there are any found in the mapping
|
||||
# otherwise keep those stored to the User
|
||||
update_roles = role_ids(resource)
|
||||
resource[:role_ids] = update_roles if update_roles
|
||||
|
||||
user_found = super
|
||||
|
||||
# in case a User was found and we had no roles
|
||||
# to set/update we have to note the currently
|
||||
# assigned roles so that our action check won't
|
||||
# falsly detect changes to the User
|
||||
if user_found && update_roles.blank?
|
||||
resource[:role_ids] = @resource.role_ids
|
||||
end
|
||||
|
||||
user_found
|
||||
rescue => e
|
||||
ldap_log(
|
||||
action: "update -> #{resource[:login]}",
|
||||
|
@ -94,7 +128,7 @@ module Import
|
|||
remote: resource,
|
||||
)
|
||||
|
||||
store_associations_state(instance)
|
||||
store_associations(:before, instance)
|
||||
end
|
||||
|
||||
instance
|
||||
|
@ -122,6 +156,11 @@ module Import
|
|||
end
|
||||
|
||||
def create(resource, *_args)
|
||||
|
||||
# this is needed for the special case described in the role_ids method
|
||||
#
|
||||
# in case we have no role IDs yet we have to fall back to the signup roles
|
||||
resource[:role_ids] ||= @signup_role_ids
|
||||
super
|
||||
rescue => e
|
||||
ldap_log(
|
||||
|
|
|
@ -99,7 +99,12 @@ RSpec.describe Import::Ldap::User do
|
|||
context 'update' do
|
||||
|
||||
before(:each) do
|
||||
user = create(:user, login: uid)
|
||||
user = create(:user,
|
||||
login: uid,
|
||||
role_ids: [
|
||||
Role.find_by(name: 'Agent').id,
|
||||
Role.find_by(name: 'Admin').id
|
||||
])
|
||||
|
||||
ExternalSync.create(
|
||||
source: 'Ldap::User',
|
||||
|
@ -119,6 +124,14 @@ RSpec.describe Import::Ldap::User do
|
|||
}
|
||||
end
|
||||
|
||||
it "doesn't change roles if no role mapping is configured" do
|
||||
expect do
|
||||
described_class.new(user_entry, ldap_config, {}, signup_role_ids)
|
||||
end.to not_change {
|
||||
User.last.role_ids
|
||||
}
|
||||
end
|
||||
|
||||
it 'creates an HTTP Log entry' do
|
||||
expect do
|
||||
described_class.new(user_entry, ldap_config, user_roles, signup_role_ids)
|
||||
|
|
Loading…
Reference in a new issue