local auth flag is expected as part of post body

In the authenticate_user endpoint, the local auth flag is expected as part of the body - but existing logic was expecting it as a query parameter. This change addresses that,and also changes the order of operations so that local auth takes precedence over any ldap checks. This gives us minimum degree of testability of local auth option in our current pedant environment. Finally this change tightens handling of 'local'. Under opscode-account if "local" was present and non-false it was assumed 'true'. Now it must explicitly be 'true' for it to be accepted.
chef-boneyard · Nov 14, 2014 · 37887e4 · 37887e4
1 parent 5c52f73
commit 37887e4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 14 deletions.
diff --git a/src/oc_chef_wm_authenticate_user.erl b/src/oc_chef_wm_authenticate_user.erl
@@ -81,8 +81,9 @@ process_post(Req, #base_state{chef_db_context = Ctx,
                               resource_state = #user_state{user_data = UserData}} = State) ->
     Name = chef_user:username_from_ejson(UserData),
     Password = ej:get({<<"password">>}, UserData),
+    LocalOverride = ej:get({<<"local">>}, UserData),
     User = chef_db:fetch(#chef_user{username = Name}, Ctx),
-    AuthType = oc_chef_wm_authn_ldap:auth_method(Req),
+    AuthType = oc_chef_wm_authn_ldap:auth_method(LocalOverride),
     case verify_user(Name, Password, AuthType, User, State) of
         {false, Code} ->
             {{halt, Code}, chef_wm_util:set_json_body(Req, auth_fail_message(Code)), State};

diff --git a/src/oc_chef_wm_authn_ldap.erl b/src/oc_chef_wm_authn_ldap.erl
@@ -25,21 +25,18 @@
 %% Determines auth method to use for this request based on
 %% configuration and any override present in the request data.
 -spec auth_method(term()) -> ldap | local.
-auth_method(Req) ->
-    auth_method(envy:get(oc_chef_wm, ldap, list), Req).
-
-auth_method(undefined, _Req) ->
+auth_method(true) ->
     local;
-auth_method(Config, Req) when is_list(Config) ->
-    auth_method_for_request(proplists:get_value(host, Config), Req).
+auth_method(_LocalOverride) ->
+    auth_method_for_config(envy:get(oc_chef_wm, ldap, list)).
 
-auth_method_for_request(undefined, _Req) ->
-    local;
-auth_method_for_request(_HostValue, Req) ->
-    case wrq:get_qs_value("local", Req) of
-        undefined -> ldap;
-        _X ->        local
-    end.
+auth_method_for_config(Config) when is_list(Config) ->
+    case proplists:get_value(host, Config) of
+        undefined -> local;
+        _ -> ldap
+    end;
+auth_method_for_config(_Other) ->
+    local.
 
 
 %% Open a direct connection to a configure LDAP server and authenticate the user