Add authentication backend for renamed user accounts (ansible#611)

David Newswanger · web-flow · commit 1bf711f3a1ce · 2024-09-11T15:23:02.000Z
diff --git a/ansible_base/lib/backends/__init__.py b/ansible_base/lib/backends/__init__.py
diff --git a/ansible_base/lib/backends/prefixed_user_auth.py b/ansible_base/lib/backends/prefixed_user_auth.py
@@ -0,0 +1,21 @@
+import logging
+
+from django.conf import settings
+from django.contrib.auth.backends import ModelBackend
+
+PREFIX = getattr(settings, "RENAMED_USERNAME_PREFIX", None)
+logger = logging.getLogger('ansible_base.authentication.authenticator_plugins.github_enterprise_team')
+
+
+class PrefixedUserAuthenticationMixin:
+    def authenticate(self, request, **kwargs):
+        if not PREFIX:
+            return None
+        if username := kwargs.get("username", None):
+            if not username.startswith(PREFIX):
+                kwargs["username"] = PREFIX + username
+                return super().authenticate(request, **kwargs)
+
+
+class PrefixedUserAuthBackend(PrefixedUserAuthenticationMixin, ModelBackend):
+    pass
diff --git a/test_app/settings.py b/test_app/settings.py
@@ -92,6 +92,7 @@
 # set some vanilla social auth plugins so that we can test the social_auth based
 # users in the resource registry
 AUTHENTICATION_BACKENDS = [
+    'ansible_base.lib.backends.prefixed_user_auth.PrefixedUserAuthBackend',
     'social_core.backends.github.GithubOAuth2',
 ]
 
@@ -197,3 +198,5 @@
 }
 RESOURCE_SERVICE_PATH = "/api/v1/service-index/"
 RESOURCE_SERVER_SYNC_ENABLED = False
+
+RENAMED_USERNAME_PREFIX = "dab:"
diff --git a/test_app/tests/lib/test_prefixed_authentication_backend.py b/test_app/tests/lib/test_prefixed_authentication_backend.py
@@ -0,0 +1,40 @@
+import pytest
+from rest_framework.test import APIClient
+
+from ansible_base.lib.utils.response import get_relative_url
+from test_app.models import User
+
+
+@pytest.fixture
+@pytest.mark.django_db(transaction=True)
+def prefixed_user(local_authenticator):
+    user = User.objects.create(username='dab:foo')
+    user.set_password("pass")
+    user.save()
+    return user
+
+
+def test_prefixed_user_can_login_with_original_username(prefixed_user):
+    url = get_relative_url("rest_framework:login")
+    me_url = get_relative_url("user-me")
+    client = APIClient()
+
+    data = {"username": "foo", "password": "pass"}
+    resp = client.post(url, data=data, follow=True)
+    resp = client.get(me_url)
+
+    assert resp.status_code == 200
+    assert resp.data["username"] == "dab:foo"
+
+
+def test_prefixed_user_can_login_with_prefixed_username(prefixed_user):
+    url = get_relative_url("rest_framework:login")
+    me_url = get_relative_url("user-me")
+    client = APIClient()
+
+    data = {"username": "dab:foo", "password": "pass"}
+    resp = client.post(url, data=data, follow=True)
+    resp = client.get(me_url)
+
+    assert resp.status_code == 200
+    assert resp.data["username"] == "dab:foo"

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@`
`92`	`92`	`# set some vanilla social auth plugins so that we can test the social_auth based`
`93`	`93`	`# users in the resource registry`
`94`	`94`	`AUTHENTICATION_BACKENDS = [`
	`95`	`+ 'ansible_base.lib.backends.prefixed_user_auth.PrefixedUserAuthBackend',`
`95`	`96`	`'social_core.backends.github.GithubOAuth2',`
`96`	`97`	`]`
`97`	`98`
`@@ -197,3 +198,5 @@`
`197`	`198`	`}`
`198`	`199`	`RESOURCE_SERVICE_PATH = "/api/v1/service-index/"`
`199`	`200`	`RESOURCE_SERVER_SYNC_ENABLED = False`
	`201`	`+`
	`202`	`+RENAMED_USERNAME_PREFIX = "dab:"`