Enable/Disable authentication maps (ansible#530)

dmzoneill · web-flow · commit 7c71771fbd2c · 2024-11-22T15:37:24.000Z
diff --git a/ansible_base/authentication/migrations/0015_alter_authenticator_category_and_more.py b/ansible_base/authentication/migrations/0015_alter_authenticator_category_and_more.py
@@ -149,4 +149,9 @@ class Migration(migrations.Migration):
             name='revoke',
             field=models.BooleanField(default=False, help_text='Revoke the permission if a user does not meet this rule.'),
         ),
+        migrations.AddField(
+            model_name='authenticatormap',
+            name='enabled',
+            field=models.BooleanField(default=True, help_text='Enables or disables this authenticator map'),
+        ),
     ]
diff --git a/ansible_base/authentication/models/authenticator_map.py b/ansible_base/authentication/models/authenticator_map.py
@@ -88,3 +88,8 @@ class Meta:
             )
         ),
     )
+    enabled = models.BooleanField(
+        null=False,
+        default=True,
+        help_text=_("Enables or disables this authenticator map"),
+    )
diff --git a/ansible_base/authentication/utils/claims.py b/ansible_base/authentication/utils/claims.py
@@ -56,15 +56,29 @@ def create_claims(authenticator: Authenticator, username: str, attrs: dict, grou
     logger.debug(f"{username}'s attrs: {attrs}")
 
     # load the maps
+    logger.debug(f"Authenticator ID: {authenticator.id}")
+    maps = AuthenticatorMap.objects.order_by("order")
+    logger.debug(maps)
     maps = AuthenticatorMap.objects.filter(authenticator=authenticator.id).order_by("order")
+    logger.debug("==============================================================")
+    logger.debug(maps)
+
     for auth_map in maps:
+        logger.debug(auth_map)
+        logger.debug("++++")
         has_permission = None
         trigger_result = TriggerResult.SKIP
         allowed_keys = TRIGGER_DEFINITION.keys()
         invalid_keys = set(auth_map.triggers.keys()) - set(allowed_keys)
+
+        if auth_map.enabled is False:
+            logger.info(f"Skipping AuthenticatorMap {auth_map.id} because it is disabled")
+            rule_responses.append({auth_map.id: 'skipped', 'enabled': auth_map.enabled})
+            continue
+
         if invalid_keys:
             logger.warning(f"In AuthenticatorMap {auth_map.id} the following trigger keys are invalid: {', '.join(invalid_keys)}, rule will be ignored")
-            rule_responses.append({auth_map.id: 'invalid'})
+            rule_responses.append({auth_map.id: 'invalid', 'enabled': auth_map.enabled})
             continue
 
         for trigger_type, trigger in auth_map.triggers.items():
@@ -84,15 +98,15 @@ def create_claims(authenticator: Authenticator, username: str, attrs: dict, grou
 
         # If the trigger result is still SKIP, this auth map is not applicable to this user => no action needed
         if trigger_result is TriggerResult.SKIP:
-            rule_responses.append({auth_map.id: 'skipped'})
+            rule_responses.append({auth_map.id: 'skipped', 'enabled': auth_map.enabled})
             continue
 
         if trigger_result is TriggerResult.ALLOW:
             has_permission = True
         elif trigger_result is TriggerResult.DENY:
             has_permission = False
 
-        rule_responses.append({auth_map.id: has_permission})
+        rule_responses.append({auth_map.id: has_permission, 'enabled': auth_map.enabled})
 
         if auth_map.map_type == 'allow' and not has_permission:
             # If any rule does not allow we don't want to return this to true
diff --git a/test_app/tests/authentication/utils/test_claims.py b/test_app/tests/authentication/utils/test_claims.py
@@ -3,7 +3,7 @@
 import pytest
 from django.db import connection
 
-from ansible_base.authentication.models import AuthenticatorUser
+from ansible_base.authentication.models import AuthenticatorMap, AuthenticatorUser
 from ansible_base.authentication.utils import claims
 from test_app.tests.authentication.conftest import SYSTEM_ROLE_NAME
 
@@ -20,7 +20,7 @@
             True,
             True,
             {"team_membership": {}, "organization_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Set flag 'is_superuser' to True (trigger 'always')",
         ),
         pytest.param(
@@ -32,7 +32,7 @@
             True,
             False,
             {"team_membership": {}, "organization_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: False}],
+            [{1: False, 'enabled': True}],
             id="Set flag 'is_superuser' to False (trigger 'never')",
         ),
         pytest.param(
@@ -44,7 +44,7 @@
             True,
             None,
             {"team_membership": {}, "organization_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: "invalid"}],
+            [{1: "invalid", 'enabled': True}],
             id="Wrong trigger, thus flag 'is_superuser' is not set, auth. map is ignored",
         ),
         pytest.param(
@@ -56,7 +56,7 @@
             True,
             None,
             {"team_membership": {}, "organization_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: "skipped"}],
+            [{1: "skipped", 'enabled': True}],
             id="Define no trigger, thus flag 'is_superuser' is not set",
         ),
         pytest.param(
@@ -68,7 +68,7 @@
             False,
             None,
             {"team_membership": {}, "organization_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: False}],
+            [{1: False, 'enabled': True}],
             id="map_type 'allow' with trigger 'never' sets 'access_allowed' to False",
         ),
         pytest.param(
@@ -84,7 +84,7 @@
                 "team_membership": {"testorg": {"testteam": True}},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {}, 'teams': {'testteam': {'roles': {'Team Member': True}}}}}},
             },
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Assign 'Team Member' role to team 'testteam'",
         ),
         pytest.param(
@@ -100,7 +100,7 @@
                 "team_membership": {"testorg": {"testteam": False}},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {}, 'teams': {'testteam': {'roles': {'Team Member': False}}}}}},
             },
-            [{1: False}],
+            [{1: False, 'enabled': True}],
             id="Remove 'Team Member' role from team 'testteam'",
         ),
         pytest.param(
@@ -116,7 +116,7 @@
                 "team_membership": {},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {'Organization Member': True}, 'teams': {}}}},
             },
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Assign 'Organization Member' role to organization 'testorg'",
         ),
         pytest.param(
@@ -132,7 +132,7 @@
                 "team_membership": {},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {'Organization Member': False}, 'teams': {}}}},
             },
-            [{1: False}],
+            [{1: False, 'enabled': True}],
             id="Remove 'Organization Member' role from organization 'testorg'",
         ),
         pytest.param(
@@ -148,7 +148,7 @@
                 "team_membership": {"testorg": {"testteam": True}},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {}, 'teams': {'testteam': {'roles': {'Team Member': True}}}}}},
             },
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Assign 'Team Member' role to team 'testteam' using map_type 'role'",
         ),
         pytest.param(
@@ -164,7 +164,7 @@
                 "team_membership": {},
                 'rbac_roles': {'system': {'roles': {}}, 'organizations': {'testorg': {'roles': {'Organization Member': True}, 'teams': {}}}},
             },
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Assign 'Organization Member' role to organization 'testorg' using map_type 'role'",
         ),
         pytest.param(
@@ -176,7 +176,7 @@
             True,
             None,
             {"organization_membership": {}, "team_membership": {}, 'rbac_roles': {'system': {'roles': {SYSTEM_ROLE_NAME: True}}, 'organizations': {}}},
-            [{1: True}],
+            [{1: True, 'enabled': True}],
             id="Assign System role to user",
         ),
         pytest.param(
@@ -188,7 +188,7 @@
             True,
             None,
             {"organization_membership": {}, "team_membership": {}, 'rbac_roles': {'system': {'roles': {}}, 'organizations': {}}},
-            [{1: False}],
+            [{1: False, 'enabled': True}],
             id="Wrong map type, this auth. map is ignored",
         ),
     ],
@@ -324,9 +324,9 @@ def test_create_claims_revoke(local_authenticator_map, process_function, trigger
     assert res["is_superuser"] is granted
     assert res["claims"] == {"team_membership": {}, "organization_membership": {}, "rbac_roles": default_rbac_roles_claims}
     if revoke:
-        assert res["last_login_map_results"] == [{local_authenticator_map.pk: False}]
+        assert res["last_login_map_results"] == [{local_authenticator_map.pk: False, 'enabled': True}]
     else:
-        assert res["last_login_map_results"] == [{local_authenticator_map.pk: "skipped"}]
+        assert res["last_login_map_results"] == [{local_authenticator_map.pk: "skipped", 'enabled': True}]
 
 
 @pytest.mark.parametrize(
@@ -772,3 +772,22 @@ def test_update_user_claims_groups(user, local_authenticator_map):
     assert local_authenticator_map.authenticator == authenticator_user.provider  # sanity check
     result = claims.update_user_claims(user, authenticator, ["foo"])
     assert result is user
+
+
+@pytest.mark.parametrize("enabled", [True, False])
+def test_create_claims_with_map_enabled_or_disabled(enabled, local_authenticator):
+    # Create an AuthenticatorMap object with the parameterized "enabled" value
+    AuthenticatorMap.objects.create(
+        authenticator=local_authenticator,
+        triggers={"always": {}},
+        map_type="is_superuser",
+        enabled=enabled,
+    )
+
+    result = claims.create_claims(local_authenticator, "testuser", {}, [])
+
+    # Assert based on the "enabled" value
+    if enabled:
+        assert result["is_superuser"] is not None, "Claim should be present when enabled is True"
+    else:
+        assert result["is_superuser"] is None, "Claim should be None when enabled is False"
diff --git a/test_app/tests/conftest.py b/test_app/tests/conftest.py
@@ -465,6 +465,7 @@ def local_authenticator_map(db, local_authenticator, user, randname):
         triggers={"always": {}},
         organization="testorg",
         team="testteam",
+        enabled=True,
     )
     return authenticator_map
 

Original file line number	Diff line number	Diff line change
`@@ -88,3 +88,8 @@ class Meta:`
`88`	`88`	`)`
`89`	`89`	`),`
`90`	`90`	`)`
	`91`	`+ enabled = models.BooleanField(`
	`92`	`+ null=False,`
	`93`	`+ default=True,`
	`94`	`+ help_text=_("Enables or disables this authenticator map"),`
	`95`	`+ )`
Original file line number	Diff line number	Diff line change
`@@ -465,6 +465,7 @@ def local_authenticator_map(db, local_authenticator, user, randname):`
`465`	`465`	`triggers={"always": {}},`
`466`	`466`	`organization="testorg",`
`467`	`467`	`team="testteam",`
	`468`	`+ enabled=True,`
`468`	`469`	`)`
`469`	`470`	`return authenticator_map`
`470`	`471`