Merge pull request #421 from TeskaLabs/fix/ldap-filtering

Fix handling of empty filter in LDAP credentials provider
TeskaLabs · Sep 16, 2024 · cc3d977 · cc3d977
2 parents 4e54524 + 294b0f8
commit cc3d977
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,13 +3,15 @@
 ## v24.36
 
 ### Pre-releases
+- v24.36-alpha4
 - v24.36-alpha3
 - ~~v24.36-alpha2~~
 - v24.36-alpha1
 - v24.29-alpha7
 - v24.29-alpha6
 
 ### Fix
+- Fix handling of empty filter in LDAP credentials provider (#421, `v24.36-alpha4`)
 - Upgrade CI/CD action versions (#418, `v24.36-alpha3`)
 - Sort assigned tenants and roles alphabetically (#417, `v24.36-alpha3`)
 - Do not check tenant existence when unassigning tenant (#415, `v24.29-alpha8`)

diff --git a/seacatauth/credentials/providers/ldap.py b/seacatauth/credentials/providers/ldap.py
@@ -176,20 +176,17 @@ def _get_worker(self, prefix, credentials_id, include=None) -> Optional[dict]:
 
 		# TODO: Validate credetials_id with regex
 
-		# Ensure that the base lies within configured base
-		base = base64.urlsafe_b64decode(credentials_id[len(prefix):]).decode("utf-8")
-		if not base.endswith(self.Config["base"]):
-			raise KeyError("Credentials {!r} do not end with {!r}".format(credentials_id, self.Config["base"]))
-
+		cn = base64.urlsafe_b64decode(credentials_id[len(prefix):]).decode("utf-8")
 		with self._ldap_client() as lc:
 			try:
 				sr = lc.search_s(
-					base,
+					cn,
 					ldap.SCOPE_BASE,
 					filterstr=self.Config["filter"],
 					attrlist=self.AttrList,
 				)
-			except ldap.NO_SUCH_OBJECT:
+			except ldap.NO_SUCH_OBJECT as e:
+				L.error(e)
 				sr = []
 
 		if len(sr) == 0:
@@ -288,11 +285,12 @@ async def iterate(self, offset: int = 0, limit: int = -1, filtr: str = None):
 			yield i
 
 	def _build_search_filter(self, filtr=None):
-		if filtr is None:
+		if not filtr:
 			filterstr = self.Config["filter"]
 		else:
 			# The query filter is the intersection of the filter from config
 			# and the filter defined by the search request
+			# The username must START WITH the given filter string
 			filter_template = "(&{}({}=*%s*))".format(self.Config["filter"], self.Config["attrusername"])
 			assertion_values = ["{}".format(filtr.lower())]
 			filterstr = ldap.filter.filter_format(