From ffe6efa0baf4fa967d8dae7669673f711300dc40 Mon Sep 17 00:00:00 2001
From: Jan Kaluza <jkaluza@redhat.com>
Date: Sep 21 2017 06:04:10 +0000
Subject: Fix #61 - Raise ValueError instead of assert in the ldap auth code


---

diff --git a/server/odcs/server/auth.py b/server/odcs/server/auth.py
index d09af85..bbb381d 100644
--- a/server/odcs/server/auth.py
+++ b/server/odcs/server/auth.py
@@ -38,6 +38,26 @@ from odcs.server.models import User
 from odcs.server.models import commit_on_success
 
 
+def _validate_kerberos_config():
+    """
+    Validates the kerberos configuration and raises ValueError in case of
+    error.
+    """
+    errors = []
+    if not conf.auth_ldap_server:
+        errors.append("kerberos authentication enabled with no LDAP server configured, "
+                      "check AUTH_LDAP_SERVER in your config.")
+
+    if not conf.auth_ldap_group_base:
+        errors.append("kerberos authentication enabled with no LDAP group base configured, "
+                      "check AUTH_LDAP_GROUP_BASE in your config.")
+
+    if errors:
+        for error in errors:
+            log.exception(error)
+        raise ValueError("Invalid configuration for kerberos authentication.")
+
+
 @commit_on_success
 def load_krb_user_from_request(request):
     """Load Kerberos user from current request
@@ -68,14 +88,8 @@ def load_krb_user_from_request(request):
 
 
 def query_ldap_groups(uid):
-    ldap_server = conf.auth_ldap_server
-    assert ldap_server, 'LDAP server must be configured in advance.'
-
-    group_base = conf.auth_ldap_group_base
-    assert group_base, 'Group base must be configured in advance.'
-
-    client = ldap.initialize(ldap_server)
-    groups = client.search_s(group_base,
+    client = ldap.initialize(conf.auth_ldap_server)
+    groups = client.search_s(conf.auth_ldap_group_base,
                              ldap.SCOPE_ONELEVEL,
                              attrlist=['cn', 'gidNumber'],
                              filterstr='memberUid={0}'.format(uid))
@@ -148,6 +162,7 @@ def init_auth(login_manager, backend):
         # authentication module in Apache.
         return
     if backend == 'kerberos':
+        _validate_kerberos_config()
         global load_krb_user_from_request
         load_krb_user_from_request = login_manager.request_loader(
             load_krb_user_from_request)
diff --git a/server/tests/test_auth.py b/server/tests/test_auth.py
index fe40a5d..462005b 100644
--- a/server/tests/test_auth.py
+++ b/server/tests/test_auth.py
@@ -245,3 +245,13 @@ class TestInitAuth(unittest.TestCase):
         self.assertRaises(ValueError, init_auth, self.login_manager, 'xxx')
         self.assertRaises(ValueError, init_auth, self.login_manager, '')
         self.assertRaises(ValueError, init_auth, self.login_manager, None)
+
+    def test_init_auth_no_ldap_server(self):
+        with patch.object(odcs.server.auth.conf, 'auth_ldap_server', ''):
+            self.assertRaises(ValueError, init_auth, self.login_manager,
+                              'kerberos')
+
+    def test_init_auths_no_ldap_group_base(self):
+        with patch.object(odcs.server.auth.conf, 'auth_ldap_group_base', ''):
+            self.assertRaises(ValueError, init_auth, self.login_manager,
+                              'kerberos')