From 120cdd5684ebcbe5ce35647b9fb519950194eb71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20Palancher?=
Date: Wed, 28 Aug 2024 21:07:51 +0200
Subject: [PATCH] feat(auth): optional LDAP user primary group

Support absence of primary group attribute optional in LDAP user entries. Just emit warning log instead of raising exception when the attribute is missing.

fix #5
---
 CHANGELOG.md | 4 ++++
 src/authentication/rfl/authentication/ldap.py | 24 +++++++++++--------
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdaee0d..d3bb778 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,10 @@ and this project adheres to
   initializer with default values _posixGroup_ and _groupOfNames_ to define
   alternative LDAP group object classes (#6).
 
+### Changed
+- auth: Support absence of primary group attribute optional in LDAP user
+  entries (#5).
+
 ### Fixed
 - auth: Handle `UnicodeDecodeError` when loading JWT private key (#3).
 
diff --git a/src/authentication/rfl/authentication/ldap.py b/src/authentication/rfl/authentication/ldap.py
index 4080995..e3a0a25 100644
--- a/src/authentication/rfl/authentication/ldap.py
+++ b/src/authentication/rfl/authentication/ldap.py
@@ -136,11 +136,13 @@ def _get_user_info(
             ) from err
         try:
             gid = int(results[0][1][self.user_primary_group_attribute][0])
-        except KeyError as err:
-            raise LDAPAuthenticationError(
-                "Unable to extract user primary group with "
-                f"{self.user_primary_group_attribute} attribute from user entries"
-            ) from err
+        except KeyError:
+            logger.warning(
+                "Unable to extract user primary group with %s attribute from user "
+                "entry",
+                self.user_primary_group_attribute
+            )
+            gid = None
         return fullname, gid
 
     def _get_groups(
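Review bot: The lenient path at `except KeyError:` tolerates only a missing attribute; an entry where the primary-group attribute is present but empty raises IndexError on the `[0]` index, and a non-numeric value raises ValueError from `int()`, and both still escape as raw exceptions rather than LDAPAuthenticationError, so a malformed directory entry becomes an unhandled error in the authentication path. Catching `(KeyError, IndexError)` for the optional case and mapping ValueError to LDAPAuthenticationError keeps the failure mode explicit and consistent with the surrounding `raise ... from err` style. The warning would also help operators more if it carried the user identity, assuming a name or DN is in scope here. The signature of `_get_user_info` lies above this hunk; its return annotation presumably still declares `int` for the gid and should become `Optional[int]` now that `gid = None` is returned.
```python
        try:
            gid = int(results[0][1][self.user_primary_group_attribute][0])
        except (KeyError, IndexError):
            # Primary group is optional (#5): an absent or empty attribute yields no gid.
            logger.warning(
                "Unable to extract user primary group with %s attribute from user "
                "entry",
                self.user_primary_group_attribute,
            )
            gid = None
        except ValueError as err:
            # A present but non-numeric value is a directory misconfiguration, not an
            # optional attribute: keep it an explicit authentication error.
            raise LDAPAuthenticationError(
                f"Invalid {self.user_primary_group_attribute} value in user entry"
            ) from err
```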
@@ -148,7 +150,7 @@ def _get_groups(
         connection: ldap.ldapobject.LDAPObject,
         user_name: str,
         user_dn: str,
-        gid: int,
+        gid: Optional[int],
     ) -> List[str]:
         """Return the list of groups whose provided user is member, including its
         primary group ID. This function supports both RFC 2307 (aka. NIS schema) and
@@ -159,17 +161,19 @@ def _get_groups(
         # In RFC 2307 bis schema, group members are declared with member attributes
         # (with full user dn as values).
         #
-        # In both cases, user primary group declared in user entry must not be forgiven.
+        # In both cases, user primary group declared in user entry (gid argument) must
+        # not be forgiven if defined.
         object_class_filter = "".join(
             [
                 f"(objectClass={object_class})"
                 for object_class in self.group_object_classes
             ]
         )
+        gid_filter = f"(gidNumber={gid})" if gid is not None else ""
         search_filter = (
             "(&"
             f"(|{object_class_filter})"
-            f"(|(memberUid={user_name})(member={user_dn})(gidNumber={gid})))"
+            f"(|(memberUid={user_name})(member={user_dn}){gid_filter}))"
         )
         try:
             results = connection.search_s(
@@ -190,9 +194,9 @@ def _get_groups(
             )
         if not len(results):
             logger.warning(
-                "Unable to find groups in LDAP for user %s or gidNumber %s",
+                "Unable to find groups in LDAP for user %s%s",
                 user_name,
-                gid,
+                f" or gidNumber {gid}" if gid is not None else "",
             )
         try:
             return [
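Review bot: The new annotation `gid: Optional[int]` relies on `Optional` being imported, and nothing in this patch adds it; unless the file's typing import (outside this hunk) already lists it, the module fails at import time, so that line needs to read `from typing import List, Optional` (or whatever it currently imports, plus `Optional`). The docstring that starts in this hunk says the result includes the user's primary group ID; it should now add that `gid` may be `None`, in which case no primary group is looked up. The signature and docstring of `_get_groups` continue outside this hunk.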
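Review bot: The rewritten `search_filter` line still interpolates `user_name` and `user_dn` into the LDAP filter without escaping; unless both are sanitised before reaching `_get_groups` (not visible here), a login name containing `*`, `(`, `)` or `\` alters the filter and can match groups the user is not a member of (RFC 4515 filter injection), which directly feeds authorization. `gid_filter` is safe as written because `gid` is an int or `None`, but the two string values should go through python-ldap's escaping: `f"(|(memberUid={escape_filter_chars(user_name)})(member={escape_filter_chars(user_dn)}){gid_filter}))"` with `from ldap.filter import escape_filter_chars` added to the file's imports. A DN presumably obtained from an earlier lookup can legitimately contain those characters too, so escaping `user_dn` as an assertion value is correct rather than redundant. The body of `_get_groups` continues past this hunk.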
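Review bot: The second `%s` argument of the new `logger.warning` call is an f-string evaluated eagerly on every call, which undercuts the lazy `%s` formatting the same line uses for `user_name` and makes the message shape depend on the argument; a single fixed format string, `"Unable to find groups in LDAP for user %s (gidNumber %s)", user_name, gid`, prints `None` when the primary group is absent and is easier to grep for. This is a style point only; the emitted information is the same. `_get_groups` continues past this hunk.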