[AAP-52121] Fix attribute handling with 'and' condition (#830)

tznamena · web-flow · commit b5f10404cfb5 · 2025-09-10T09:18:24.000-06:00
diff --git a/ansible_base/authentication/utils/claims.py b/ansible_base/authentication/utils/claims.py
@@ -459,7 +459,15 @@ def process_user_attributes(trigger_condition: dict, attributes: dict, map_id: i
         # Check if user has the attribute
         user_value = attributes.get(attribute, None)
         if user_value is None:
-            _prefixed_debug(map_id, tracking_id, f"Attr [{attribute}] is not present in user attributes, skipping")
+            # if condition is not "and", the attribute value is not required, just move on
+            if join_condition != 'and':
+                _prefixed_debug(map_id, tracking_id, f"Attr [{attribute}] is not present in user attributes, skipping")
+            # else, condition is "and" which means the attribute value IS required, set access to False
+            else:
+                _prefixed_debug(
+                    map_id, tracking_id, f"Attr [{attribute}] is not present in user attributes but is required by condition 'and' changing access to false"
+                )
+                has_access = has_access_with_join(has_access, False, join_condition)
             continue
 
         # Normalize user value and process
diff --git a/test_app/tests/authentication/utils/test_claims.py b/test_app/tests/authentication/utils/test_claims.py
@@ -890,6 +890,27 @@ def test_has_access_with_join(current_access, new_access, condition, expected):
             claims.TriggerResult.SKIP,
             id="in operator with string value (invalid) should be ignored",
         ),
+        pytest.param(
+            {"cn": {"ends_with": "_admin"}, "employeeType": {"equals": "manager"}, "join_condition": "and"},
+            {"cn": ["ldap_admin"]},
+            False,
+            claims.TriggerResult.SKIP,
+            id="missing attribute required by 'and' condition should result in skip",
+        ),
+        pytest.param(
+            {"cn": {"ends_with": "_admin"}, "employeeType": {"equals": "manager"}, "join_condition": "or"},
+            {"cn": ["ldap_admin"]},
+            False,
+            claims.TriggerResult.ALLOW,
+            id="missing attribute when using 'or' condition should result in allow",
+        ),
+        pytest.param(
+            {"cn": {"ends_with": "_admin"}, "employeeType": {"equals": "manager"}, "join_condition": "and"},
+            {"cn": ["ldap_org_admin"], "employeeType": ["manager"]},
+            False,
+            claims.TriggerResult.ALLOW,
+            id="all attribute required by 'and' condition should result in allow",
+        ),
     ],
 )
 @pytest.mark.django_db
