Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups

Update the user when there are no matching groups
ManageIQ · Aug 24, 2016 · 426e642 · 426e642
2 parents fd7242e + 7b439c1
commit 426e642
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/app/models/authenticator.rb b/app/models/authenticator.rb
@@ -117,18 +117,19 @@ def authorize(taskid, username, *args)
           userid = userid_for(identity, username)
           user   = User.find_by_userid(userid) || User.new(:userid => userid)
           update_user_attributes(user, username, identity)
+          user.miq_groups = matching_groups
 
           if matching_groups.empty?
             msg = "Authentication failed for userid #{user.userid}, unable to match user's group membership to an EVM role"
             AuditEvent.failure(audit.merge(:message => msg))
             _log.warn("#{msg}")
             task.error(msg)
             task.state_finished
+            user.save! unless user.new_record?
             return nil
           end
 
           user.lastlogon = Time.now.utc
-          user.miq_groups = matching_groups
           user.save!
 
           _log.info("Authorized User: [#{user.userid}]")

diff --git a/spec/models/authenticator_spec.rb b/spec/models/authenticator_spec.rb
@@ -14,4 +14,27 @@
       expect(Authenticator.for({:mode => 'httpd'}, 'admin')).to be_a(Authenticator::Database)
     end
   end
+
+  describe '#authorize' do
+    let(:authenticator) { Authenticator::Httpd.new({}) }
+    let(:user) { FactoryGirl.create(:user_with_group) }
+    let(:task) { FactoryGirl.create(:miq_task) }
+    let(:groups) { FactoryGirl.create_list(:miq_group, 2) }
+
+    it 'Updates the user groups when no matching groups' do
+      expect(authenticator).to receive(:find_external_identity)
+        .and_return([{:username => user.userid, :fullname => user.name}, []])
+
+      authenticator.authorize(task.id, user.userid)
+      expect(user.reload.miq_groups).to be_empty
+    end
+
+    it 'Updates the user groups' do
+      expect(authenticator).to receive(:find_external_identity)
+        .and_return([{:username => user.userid, :fullname => user.name}, groups.collect(&:name)])
+
+      authenticator.authorize(task.id, user.userid)
+      expect(user.reload.miq_groups).to match_array(groups)
+    end
+  end
 end