Add toggle for automatic creation of remote users

Add a new flag to the remote user config that by default is off. If remote users is enabled and the new flag is toggled on, the username in REMOTE_USER will be used to automatically create a new user with that username. Automatic creation regardless used to be the default behavior.
Uninett · Nov 6, 2023 · a2dcea3 · a2dcea3
1 parent c6ed8be
commit a2dcea3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 12 deletions.
diff --git a/python/nav/etc/webfront/webfront.conf b/python/nav/etc/webfront/webfront.conf
@@ -44,13 +44,13 @@ server = ldap.example.com
 #
 basedn = ou=people,dc=example,dc=com
 
-# How to lookup a user object from LDAP. 
+# How to lookup a user object from LDAP.
 # 'direct' binds to <uid_attr>=<login name>,<user_basedn>
 # 'search' searches for <uid_attr>=<login name> using basedn as searchbase.
 #lookupmethod=direct
 
 # Choose to bind to LDAP as the user with 'suffix' for Active Directory support.
-# lookupmethod should be set to search for this option to function. 
+# lookupmethod should be set to search for this option to function.
 #suffix = @ad.example.com
 
 # If the LDAP directory requires an authenticated user to search for a user
@@ -110,6 +110,10 @@ enabled = no
 # authenticated user?
 #varname = REMOTE_USER
 
+# Whether usernames set in REMOTE_USER should automatically be created in the
+# database if they do not already exist.
+# autocreate = off
+
 # If the supplied remote username value needs modification to become more
 # "username-like", specify which workaround to use here. Only `feide-oidc` is
 # supported, at the moment.

diff --git a/python/nav/web/auth/remote_user.py b/python/nav/web/auth/remote_user.py
@@ -52,6 +52,7 @@ class RemoteUserConfigParser(NAVConfigParser):
 logout-url=
 varname=REMOTE_USER
 workaround=none
+autocreate=off
 """
 
 
@@ -78,16 +79,11 @@ def authenticate(request):
     try:
         account = Account.objects.get(login=username)
     except Account.DoesNotExist:
-        # Store the remote user in the database and return the new account
-        account = Account(login=username, name=username, ext_sync='REMOTE_USER')
-        account.set_password(fake_password(32))
-        account.save()
-        _logger.info("Created user %s from header REMOTE_USER", account.login)
-        template = 'Account "{actor}" created due to REMOTE_USER HTTP header'
-        LogEntry.add_log_entry(
-            account, 'create-account', template=template, subsystem='auth'
-        )
-        return account
+        if _config.getboolean('remote-user', 'autocreate', fallback=False):
+            return autocreate_remote_user(username)
+        # Bail out!
+        _logger.info('User creation turned off, did not create "%s"', username)
+        return False
 
     # Bail out! Potentially evil user
     if account.locked:
@@ -101,6 +97,19 @@ def authenticate(request):
     return account
 
 
+def autocreate_remote_user(username):
+    # Store the remote user in the database and return the new account
+    account = Account(login=username, name=username, ext_sync='REMOTE_USER')
+    account.set_password(fake_password(32))
+    account.save()
+    _logger.info("Created user %s from header REMOTE_USER", account.login)
+    template = 'Account "{actor}" created due to REMOTE_USER HTTP header'
+    LogEntry.add_log_entry(
+        account, 'create-account', template=template, subsystem='auth'
+    )
+    return account
+
+
 def login(request):
     """Log in the user in REMOTE_USER, if any and enabled