AAP-45047: Fix allow map to process grant case in create_claims#959

Open
web3dozie wants to merge 1 commit into ansible:devel from web3dozie:AAP-45047
Conversation

web3dozie commented Mar 2, 2026

Description

  • What is being changed?
    • The create_claims() function in claims.py now correctly handles map_type=allow when the trigger fires (has_permission=True), allowing a later allow map to override an earlier deny.
  • Why is this change needed?
    • The allow map only handled the deny case (has_permission=False). When a trigger fired and has_permission=True, the code fell through to the catch-all else branch, logging "does not know how to be processed" and never setting access_allowed = True. This broke the documented deny-all + allow-override pattern.
  • How does this change address the issue?
    • Changes the conditional from if auth_map.map_type == 'allow' and not has_permission: to if auth_map.map_type == 'allow': and sets access_allowed = has_permission. This handles both grant and deny cases and respects map ordering (later maps override earlier ones).

Fixes: AAP-45047, AAP-45394

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Test update

Self-Review Checklist

  • I have performed a self-review of my code
  • I have added relevant comments to complex code sections
  • I have updated documentation where needed
  • I have considered the security impact of these changes
  • I have considered performance implications
  • I have thought about error handling and edge cases
  • I have tested the changes in my local environment

Testing Instructions

Prerequisites

Any authenticator (LDAP or Local Database).

Steps to Test

  1. Create two authenticator maps on an authenticator:
    • "Deny All": map_type=allow, triggers={"never": {}}, order=1
    • "Allow Override": map_type=allow, triggers={"always": {}}, order=2
  2. Attempt to log in as any user through that authenticator

Expected Results

  • Login succeeds. The allow override at order 2 overrides the deny at order 1.
  • No "does not know how to be processed" error in logs.

Before this fix

  • Login fails (HTTP 401)
  • Log: ERROR Map type allow of rule Allow Override does not know how to be processed
  • Log: WARNING User <username> failed an allow map and was denied access

Summary by CodeRabbit

  • Bug Fixes

    • Corrected authentication claims handling to ensure allow-type rules consistently and directly reflect permission decisions across all scenarios.
  • Tests

    • Added comprehensive regression tests for authentication claims behavior, including group-based and attribute-based authorization, deny-all override patterns, and edge-case interactions.

The allow map type only handled the deny case (has_permission=False).
When a trigger fired and has_permission=True, the code fell through to
the catch-all else branch, logging "does not know how to be processed"
and never setting access_allowed back to True. This broke the documented
deny-all + allow-override pattern (the AAP 2.5+ equivalent of
AUTH_LDAP_REQUIRE_GROUP).

Fixes: AAP-45047, AAP-45394
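The map-evaluation behaviour described above, as an added example that is not django-ansible-base's own create_claims(): the AuthMap dataclass, trigger_fires(), _run() and the sample maps and users are constructed for illustration, only the 'allow' map type is modelled, and the trigger format is a simplified subset of the real one. It runs the same ordered maps through the pre-fix conditional (if auth_map.map_type == 'allow' and not has_permission) and the post-fix one (if auth_map.map_type == 'allow': access_allowed = has_permission) so the deny-all + allow-override pattern from the testing instructions can be compared before and after.

```python
"""Added example (not django-ansible-base code): a minimal model of ordered
authenticator-map evaluation contrasting the pre-fix and post-fix 'allow'
conditional described in the PR.

Assumptions: AuthMap, trigger_fires(), _run() and the sample maps/users are
constructed here; only the 'allow' map type is modelled, and the trigger
dict format is a simplified subset of the real one.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class AuthMap:
    name: str
    map_type: str            # only 'allow' is modelled here (assumption)
    triggers: Dict[str, Any]
    order: int


def trigger_fires(triggers: Dict[str, Any], groups: List[str], attrs: Dict[str, str]) -> bool:
    """Simplified trigger evaluation (assumed subset of the real trigger format)."""
    if "always" in triggers:
        return True
    if "never" in triggers:
        return False
    if "groups" in triggers:
        has_or = triggers["groups"].get("has_or", [])
        has_and = triggers["groups"].get("has_and", [])
        if has_or and not any(g in groups for g in has_or):
            return False
        if has_and and not all(g in groups for g in has_and):
            return False
        return True
    if "attributes" in triggers:
        # e.g. {"attributes": {"department": {"equals": "eng"}}}; every attribute must match
        return all(attrs.get(k) == cond.get("equals") for k, cond in triggers["attributes"].items())
    return False


def _run(maps: List[AuthMap], groups: List[str], attrs: Dict[str, str], fixed: bool) -> Tuple[bool, List[str]]:
    access_allowed = True          # assumed default: no map objecting means access
    errors: List[str] = []
    for m in sorted(maps, key=lambda x: x.order):
        has_permission = trigger_fires(m.triggers, groups, attrs)
        if fixed:
            # Post-fix: an allow map both grants and denies; later maps override earlier ones
            if m.map_type == "allow":
                access_allowed = has_permission
                continue
        else:
            # Pre-fix: only the deny branch is handled; a firing allow map falls
            # through to the catch-all error and never re-grants access
            if m.map_type == "allow" and not has_permission:
                access_allowed = False
                continue
        errors.append(f"Map type {m.map_type} of rule {m.name} does not know how to be processed")
    return access_allowed, errors


def create_claims_before(maps, groups=(), attrs=None):
    """Pre-fix semantics."""
    return _run(maps, list(groups), attrs or {}, fixed=False)


def create_claims_after(maps, groups=(), attrs=None):
    """Post-fix semantics."""
    return _run(maps, list(groups), attrs or {}, fixed=True)


# Constructed sample maps: the deny-all + allow-override pattern from the testing instructions
DENY_ALL = AuthMap("Deny All", "allow", {"never": {}}, order=1)
ALLOW_OVERRIDE = AuthMap("Allow Override", "allow", {"always": {}}, order=2)
ALLOW_ADMINS = AuthMap("Allow admins", "allow", {"groups": {"has_or": ["admins"]}}, order=2)


if __name__ == "__main__":
    print("before, deny-all + allow-override:", create_claims_before([DENY_ALL, ALLOW_OVERRIDE]))
    print("after,  deny-all + allow-override:", create_claims_after([DENY_ALL, ALLOW_OVERRIDE]))
    print("after,  deny-all + allow admins (member):", create_claims_after([DENY_ALL, ALLOW_ADMINS], groups=["admins"]))
    print("after,  deny-all + allow admins (non-member):", create_claims_after([DENY_ALL, ALLOW_ADMINS], groups=["devs"]))
```

Under the fixed conditional each allow map sets access_allowed to its own trigger result, so the allow map with the highest order decides: a "Deny All" map placed after the grant denies everyone, and an allow map whose trigger does not fire for a user resets access to False even if an earlier map granted it. In this model that is what makes deny-all at order 1 plus a group-gated allow at order 2 admit members and reject non-members.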
github-actions bot commented Mar 2, 2026

DVCS PR Check Results:

PR appears valid (JIRA key(s) found)

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between e956f20 and 59e2bdb.

📒 Files selected for processing (2)
  • ansible_base/authentication/utils/claims.py
  • test_app/tests/authentication/utils/test_claims.py

Walkthrough

The pull request modifies the authentication access control logic for 'allow' type maps, changing from conditionally updating access only when permission is False to always setting access_allowed based on the map's permission result. Comprehensive regression tests are added to cover allow/deny map interactions and edge cases.

Changes

  • Authentication Claims Logic: ansible_base/authentication/utils/claims.py
    • Modified access control logic for 'allow' type maps to always set access_allowed to the has_permission value and mark the map as understood, removing the conditional dependency on lacking permission.
  • Authentication Claims Tests: test_app/tests/authentication/utils/test_claims.py
    • Added regression test cases covering allow/deny map scenarios: allow grant without errors, deny-all override by allow maps, group-based triggers, and attribute-based access interactions. Expanded parameterization of the existing test to include 'allow' map cases.
