From 7d711308a9bb40a5da758c224ef23cf8cb0278fc Mon Sep 17 00:00:00 2001
From: Hanne Moa
Date: Mon, 13 Nov 2023 09:07:36 +0100
Subject: [PATCH] Add toggle for automatic creation of remote users

Add a new flag to the remote user config that by default is off. If remote users is enabled and the new flag is toggled on, the username in REMOTE_USER will be used to automatically create a new user with that username. Automatic creation regardless used to be the default behavior.
---
 python/nav/etc/webfront/webfront.conf | 8 ++++++--
 python/nav/web/auth/remote_user.py | 29 ++++++++++++++++++---------
 2 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/python/nav/etc/webfront/webfront.conf b/python/nav/etc/webfront/webfront.conf
index aa32fba9ca..9d6f428ecb 100644
--- a/python/nav/etc/webfront/webfront.conf
+++ b/python/nav/etc/webfront/webfront.conf
@@ -44,13 +44,13 @@ server = ldap.example.com
 # basedn = ou=people,dc=example,dc=com
-# How to lookup a user object from LDAP.
+# How to lookup a user object from LDAP.
 # 'direct' binds to =,
 # 'search' searches for = using basedn as searchbase.
 #lookupmethod=direct
 # Choose to bind to LDAP as the user with 'suffix' for Active Directory support.
-# lookupmethod should be set to search for this option to function.
+# lookupmethod should be set to search for this option to function.
 #suffix = @ad.example.com
 # If the LDAP directory requires an authenticated user to search for a user
@@ -110,6 +110,10 @@ enabled = no
 # authenticated user?
 #varname = REMOTE_USER
+# Whether a username set in REMOTE_USER should lead to the automatic creation
+# of a user in the database if the user does not already exist.
+# autocreate = off
+
 # If the supplied remote username value needs modification to become more
 # "username-like", specify which workaround to use here. Only `feide-oidc` is
 # supported, at the moment.
diff --git a/python/nav/web/auth/remote_user.py b/python/nav/web/auth/remote_user.py
index 5b6dac3100..fe853503da 100644
--- a/python/nav/web/auth/remote_user.py
+++ b/python/nav/web/auth/remote_user.py
@@ -52,6 +52,7 @@ class RemoteUserConfigParser(NAVConfigParser):
 logout-url=
 varname=REMOTE_USER
 workaround=none
+autocreate=off
 """
@@ -78,16 +79,11 @@ def authenticate(request):
 try:
 account = Account.objects.get(login=username)
 except Account.DoesNotExist:
- # Store the remote user in the database and return the new account
- account = Account(login=username, name=username, ext_sync='REMOTE_USER')
- account.set_password(fake_password(32))
- account.save()
- _logger.info("Created user %s from header REMOTE_USER", account.login)
- template = 'Account "{actor}" created due to REMOTE_USER HTTP header'
- LogEntry.add_log_entry(
- account, 'create-account', template=template, subsystem='auth'
- )
- return account
+ if _config.getboolean('remote-user', 'autocreate', fallback=False):
+ return autocreate_remote_user(username)
+ # Bail out!
+ _logger.info('User creation turned off, did not create "%s"', username)
+ return False
 # Bail out! Potentially evil user
 if account.locked:
@@ -101,6 +97,19 @@ def authenticate(request):
 return account
+def autocreate_remote_user(username):
+ # Store the remote user in the database and return the new account
+ account = Account(login=username, name=username, ext_sync='REMOTE_USER')
+ account.set_password(fake_password(32))
+ account.save()
+ _logger.info("Created user %s from header REMOTE_USER", account.login)
+ template = 'Account "{actor}" created due to REMOTE_USER HTTP header'
+ LogEntry.add_log_entry(
+ account, 'create-account', template=template, subsystem='auth'
+ )
+ return account
+
+
 def login(request):
 """Log in the user in REMOTE_USER, if any and enabled
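Review bot: `_config.getboolean('remote-user', 'autocreate', fallback=False)` in the `except Account.DoesNotExist` branch only falls back when the option is missing; a value configparser does not recognise as a boolean (a typo such as `autocreate = of`) makes the stdlib `getboolean` raise `ValueError`, so every remote-user login for an unknown username would then fail with an unhandled exception instead of being treated as off. Unless NAVConfigParser overrides `getboolean` (not visible here), I would catch that and fail closed with an error log, as below. The new `# Bail out!` comment also duplicates the `# Bail out! Potentially evil user` comment two lines further down; `# Autocreate is off: reject unknown remote users` would say why this branch exists. authenticate's body starts and ends outside the hunk, so I cannot see its docstring; if it still says unknown users are created, it should now mention the autocreate gate.
```python
    except Account.DoesNotExist:
        try:
            autocreate = _config.getboolean(
                'remote-user', 'autocreate', fallback=False
            )
        except ValueError:
            # A malformed setting must not raise out of the auth path;
            # treat it as off (fail closed) and tell the operator.
            _logger.error(
                'Invalid value for [remote-user] autocreate, treating as off'
            )
            autocreate = False
        if autocreate:
            return autocreate_remote_user(username)
        # Autocreate is off: reject unknown remote users
        # … unchanged: info log and return False, locked-account check …
```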
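Review bot: `autocreate_remote_user` is a new module-level function without a docstring; the only comment is the one carried over from the old inline code. It does no gating of its own — it trusts whatever `username` it is handed, saves an Account with `ext_sync='REMOTE_USER'` and a password from `fake_password(32)`, and records a `create-account` log entry — so the docstring should make that contract explicit, e.g. `"""Create, save and return a new Account for *username* taken from the REMOTE_USER header.` followed by `Does not check that remote-user auth or autocreate is enabled; the caller is responsible for that gate."""`. It would also be worth one sentence on why the password is random (presumably so the account cannot authenticate with a local password, only via the header — confirm before stating it). If nothing outside this module is meant to call it, a leading underscore would signal that it is an internal helper.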