ManageIQ · gtanzillo · Aug 11, 2017 · Jul 26, 2017 · Aug 7, 2017 · Aug 8, 2017
@@ -16,9 +16,12 @@ def self.validate_config(config)
       end
     end
 
-    def lookup_by_identity(username)
-      super ||
-        find_or_create_by_ldap(username)
+    def autocreate_user(username)
+      # when default group for ldap users is enabled, create the user
+      return unless config[:default_group_for_users]
+      default_group = MiqGroup.in_my_region.find_by(:description => config[:default_group_for_users])
+      return unless default_group
+      create_user_from_ldap(username) { [default_group] }
     end
 
     def user_authorizable_without_authentication?
@@ -41,30 +44,6 @@ def ldap_bind(username, password)
       ldap if ldap.bind(username, password)
     end
 
-    def find_or_create_by_ldap(username)
-      username = miq_ldap.fqusername(username)
-      user = userprincipal_for(username)
-      return user unless user.nil?
-
-      raise _("Unable to auto-create user because LDAP bind credentials are not configured") unless authorize?
-
-      create_user_from_ldap(username) do |lobj|
-        groups = match_groups(groups_for(lobj))
-        if groups.empty?
-          raise _("Unable to auto-create user because unable to match user's group membership to an EVM role")
-        end
-        groups
-      end
-    end
-
-    def autocreate_user(username)
-      # when default group for ldap users is enabled, create the user
-      return unless config[:default_group_for_users]
-      default_group = MiqGroup.in_my_region.find_by(:description => config[:default_group_for_users])
-      return unless default_group
-      create_user_from_ldap(username) { [default_group] }
-    end
-
     def create_user_from_ldap(username)
       lobj = ldap.get_user_object(username)
       if lobj.nil?
@@ -102,11 +81,6 @@ def find_external_identity(username, *_args)
       lobj
     end
 
-    def userprincipal_for(username)
-      lobj = find_external_identity(username)
-      User.find_by_userid(userid_for(lobj, username))
-    end
-
     def userid_for(lobj, username)
       ldap.normalize(ldap.get_attr(lobj, :userprincipalname) || username)
     end

@@ -133,39 +133,32 @@ def normalize(dn)
       expect(subject.lookup_by_identity('alice')).to eq(alice)
     end
 
-    it "normalizes usernames" do
-      expect(subject.lookup_by_identity('aXlice')).to eq(alice)
-    end
-
     context "using internal authorization" do
       it "refuses users that exist in LDAP" do
-        expect(-> { subject.lookup_by_identity('bob') }).to raise_error(/credentials are not configured/)
+        expect(subject.lookup_by_identity('bob')).to eq(nil)
       end
 
       it "refuses users that don't exist in LDAP" do
-        expect(subject).to receive(:userprincipal_for)
-        expect(-> { subject.lookup_by_identity('carol') }).to raise_error(/credentials are not configured/)
+        expect(subject.lookup_by_identity('carol')).to eq(nil)
       end
     end
 
-    context "using external authorization" do
-      let(:config) { super().merge(:ldap_role => true) }
+    context "not getting groups from LDAP" do
+      let(:config) { super().merge(:ldap_role => false) }
 
-      it "creates new users from LDAP" do
-        expect(subject.lookup_by_identity('bob')).to be_a(User)
-        expect(subject.lookup_by_identity('bob').name).to eq('Bob Builderson')
-      end
+      context "with a default group" do
+        let(:config) { super().merge(:default_group_for_users => 'wibble') }
 
-      it "normalizes new users' names" do
-        expect(subject.lookup_by_identity('bXob')).to be_a(User)
-        expect(subject.lookup_by_identity('bXob').userid).to eq('bob')
-        expect(subject.lookup_by_identity('bXob').name).to eq('Bob Builderson')
+        it "creates new users from LDAP" do
+          expect(subject.lookup_by_identity('bob')).to eq(nil)
+          expect(subject.autocreate_user('bob').name).to eq('Bob Builderson')
+        end
       end
 
-      context "with no matching groups" do
-        let(:bob_data) { super().merge(:groups => %w(bubble trouble)) }
+      context "with no default group" do
+        let(:config) { super().merge(:default_group_for_users => '') }
         it "refuses LDAP users" do
-          expect(-> { subject.lookup_by_identity('bob') }).to raise_error(/unable to match.*membership/)
+          expect(subject.autocreate_user('bob')).to eq(nil)
         end
       end
 
@@ -178,8 +171,7 @@ def normalize(dn)
       end
 
       it "refuses users that don't exist in LDAP" do
-        expect(subject).to receive(:userprincipal_for)
-        expect(-> { subject.lookup_by_identity('carol') }).to raise_error(/no data for user/)
+        expect(subject.lookup_by_identity('carol')).to eq(nil)
       end
     end
   end
@@ -192,10 +184,6 @@ def authenticate
     let(:username) { 'alice' }
     let(:password) { 'secret' }
 
-    before do
-      allow(subject).to receive(:find_or_create_by_ldap)
-    end
-
     context "when using LDAP" do
       let(:config) { super().merge(:ldap_role => true) }
 
@@ -378,11 +366,6 @@ def authenticate
             expect(authenticate).to be_a(User)
           end
 
-          it "looks in ldap" do
-            expect(subject).to receive(:find_or_create_by_ldap)
-            authenticate
-          end
-
           it "records two successful audit entries" do
             expect(AuditEvent).to receive(:success).with(
               :event   => 'authenticate_ldap',

@@ -14,6 +14,7 @@
 
   context ".lookup_by_identity" do
     let(:current_user) { @auth.lookup_by_identity(@username) }
+    let(:autocreate_current_user) { @auth.autocreate_user(@username) }
 
     before do
       @username    = "upnuser"
@@ -30,15 +31,16 @@
 
     it "user exists" do
       user = FactoryGirl.create(:user_admin, :userid => @fqusername)
-      allow(@auth).to receive(:userprincipal_for).and_return(user)
+      allow(@auth).to receive(:lookup_by_identity).and_return(user)
       expect(current_user).to eq(user)
     end
 
     it "user does not exist" do
       group = create_super_admin_group
+      @auth_config[:authentication][:default_group_for_users] = group.name
       setup_to_create_user(group)
 
-      expect(current_user).to be_present
+      expect(autocreate_current_user).to be_present
       expect(User.all.size).to eq(1)
     end
   end
@@ -84,7 +86,6 @@
 
         context "with default group for users enabled" do
           it "group exists" do
-            allow(@auth).to receive(:find_or_create_by_ldap)
             group = create_super_admin_group
             setup_to_create_user(group)
             @auth_config[:authentication][:default_group_for_users] = group.description