ldap: ignore unknown filters

Valentin Tolmer 2022-05-30 19:27:42 +02:00 committed by nitnelave
parent 1d8582f937
commit a0b0b455ed


@ -711,11 +711,20 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
)))) ))))
} }
} else { } else {
let field = map_field(field)?; let mapped_field = map_field(field);
if field == "display_name" { if mapped_field.is_ok()
&& (mapped_field.as_ref().unwrap() == "display_name"
|| mapped_field.as_ref().unwrap() == "user_id")
{
Ok(GroupRequestFilter::DisplayName(value.clone())) Ok(GroupRequestFilter::DisplayName(value.clone()))
} else { } else {
bail!("Unsupported group attribute: {:?}", field) warn!(
r#"Ignoring unknown group attribute "{:?}" in filter"#,
field
);
Ok(GroupRequestFilter::Not(Box::new(GroupRequestFilter::And(
vec![],
))))
} }
} }
} }
@ -786,13 +795,22 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
)))) ))))
} }
} else { } else {
let field = map_field(field)?; match map_field(field) {
Ok(field) => {
if field == "user_id" { if field == "user_id" {
Ok(UserRequestFilter::UserId(UserId::new(value))) Ok(UserRequestFilter::UserId(UserId::new(value)))
} else { } else {
Ok(UserRequestFilter::Equality(field, value.clone())) Ok(UserRequestFilter::Equality(field, value.clone()))
} }
} }
Err(_) => {
warn!(r#"Ignoring unknown user attribute "{}" in filter"#, field);
Ok(UserRequestFilter::Not(Box::new(UserRequestFilter::And(
vec![],
))))
}
}
}
} }
LdapFilter::Present(field) => { LdapFilter::Present(field) => {
let field = &field.to_ascii_lowercase(); let field = &field.to_ascii_lowercase();
@ -1330,6 +1348,9 @@ mod tests {
GroupRequestFilter::Not(Box::new(GroupRequestFilter::Not(Box::new( GroupRequestFilter::Not(Box::new(GroupRequestFilter::Not(Box::new(
GroupRequestFilter::And(vec![]), GroupRequestFilter::And(vec![]),
)))), )))),
GroupRequestFilter::Not(Box::new(
GroupRequestFilter::And(vec![]),
)),
])))) ]))))
.times(1) .times(1)
.return_once(|_| { .return_once(|_| {
@ -1355,6 +1376,7 @@ mod tests {
LdapFilter::Not(Box::new(LdapFilter::Present( LdapFilter::Not(Box::new(LdapFilter::Present(
"random_attribUte".to_string(), "random_attribUte".to_string(),
))), ))),
LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()),
]), ]),
vec!["1.1"], vec!["1.1"],
); );
@ -1449,9 +1471,9 @@ mod tests {
let mut ldap_handler = setup_bound_handler(MockTestBackendHandler::new()).await; let mut ldap_handler = setup_bound_handler(MockTestBackendHandler::new()).await;
let request = make_search_request( let request = make_search_request(
"ou=groups,dc=example,dc=com", "ou=groups,dc=example,dc=com",
LdapFilter::And(vec![LdapFilter::Equality( LdapFilter::And(vec![LdapFilter::Substring(
"whatever".to_string(), "whatever".to_string(),
"group_1".to_string(), ldap3_server::proto::LdapSubstringFilter::default(),
)]), )]),
vec!["cn"], vec!["cn"],
); );
@ -1459,7 +1481,8 @@ mod tests {
ldap_handler.do_search(&request).await, ldap_handler.do_search(&request).await,
vec![make_search_error( vec![make_search_error(
LdapResultCode::UnwillingToPerform, LdapResultCode::UnwillingToPerform,
"Unsupported group filter: Unknown field: whatever".to_string() r#"Unsupported group filter: Unsupported group filter: Substring("whatever", LdapSubstringFilter { initial: None, any: [], final_: None })"#
.to_string()
)] )]
); );
} }
@ -1476,6 +1499,7 @@ mod tests {
UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]),
UserRequestFilter::And(vec![]), UserRequestFilter::And(vec![]),
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))), UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
UserRequestFilter::Not(Box::new(UserRequestFilter::And(vec![]))),
]), ]),
])))) ]))))
.times(1) .times(1)
@ -1492,6 +1516,7 @@ mod tests {
LdapFilter::Present("objectClass".to_string()), LdapFilter::Present("objectClass".to_string()),
LdapFilter::Present("uid".to_string()), LdapFilter::Present("uid".to_string()),
LdapFilter::Present("unknown".to_string()), LdapFilter::Present("unknown".to_string()),
LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string()),
])]), ])]),
vec!["objectClass"], vec!["objectClass"],
); );
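Review bot: Folding an unknown attribute to `Not(And(vec![]))` (always false), as the fallback arms of both the group branch (hunk at -711) and the user branch (hunk at -786) now do, turns into always true as soon as the client wraps the item in a negation, so a filter like `(!(unknown_attribute=x))` would select every entry rather than none. RFC 4511 evaluates an unrecognized attribute to Undefined and keeps a negated Undefined as Undefined, and clients that use a negated condition to exclude accounts from a login or membership lookup depend on that. The tests added here appear to exercise the unknown equality only un-negated (the enclosing filter expressions start outside the hunks), so I would add a case with `LdapFilter::Not(Box::new(LdapFilter::Equality("unknown_attribute".to_string(), "randomValue".to_string())))` that pins the intended outcome. I would also put a comment on both fallback arms, for example `// Unknown attribute: folded to "false"; under a surrounding Not this becomes match-all, unlike RFC 4511 Undefined.` Both enclosing functions start and end outside the hunks.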