Proxmox/pve-access-control
5
0
Fork 0
mirror of git://git.proxmox.com/git/pve-access-control.git synced 2025-01-18 06:03:47 +03:00
Code Releases Activity

LDAP sync: build valid-target-attribute list on the fly to avoid coupling

Browse Source 
Build the set of valid target attributes on the fly by using the
existing ldap => ours mapping. This avoids that one needs to adapt
both lists when changing this, which even though it should be caught
on testing, is needlessly adding friction.

The is-known-target-attr check could never trigger as this was already
checked in the parent before even calling the verify method, so just
remove it.

Rename the `verify_sync_attribute` to `verify_sync_attribute_value` to
clarify that it really only checks the value of an attribute, not the
attribute (key) itself.

As a side-benefit, this also makes the code shorter and avoids a
permanent global variable using up (a tiny amount of) space.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht 2024-02-08 12:10:31 +01:00
parent cb93636b55
commit 7abb20a1ea
1 changed files with 5 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/PVE/Auth/LDAP.pm
View File

@ -166,22 +166,9 @@ sub options {
};
}
my $valid_sync_attributes = {
username => 1,
enable => 1,
expire => 1,
firstname => 1,
lastname => 1,
email => 1,
comment => 1,
keys => 1,
};
my sub verify_sync_attribute {
my sub verify_sync_attribute_value {
my ($attr, $value) = @_;
die "cannot map to invalid user sync attribute '$attr'\n" if !$valid_sync_attributes->{$attr};
# The attribute does not include the realm, so can't use PVE::Auth::Plugin::verify_username
if ($attr eq 'username') {
die "value '$value' does not look like a valid user name\n"
@ -297,11 +284,13 @@ sub get_users {
comment => 'comment',
keys => 'keys',
};
# build on the fly as this is small and only called once per realm in a ldap-sync anyway
my $valid_sync_attributes = map { $_ => 1 } values $ldap_attribute_map->%*;
foreach my $attr (PVE::Tools::split_list($config->{sync_attributes})) {
my ($ours, $ldap) = ($attr =~ m/^\s*(\w+)=(.*)\s*$/);
if (!$valid_sync_attributes->{$ours}) {
warn "bad 'sync_attributes': cannot map to invalid attribute '$ours'\n";
warn "skipping bad 'sync_attributes' entry '$ours' is not a valid target attribute\n";
next;
}
$ldap_attribute_map->{$ldap} = $ours;
@ -335,7 +324,7 @@ sub get_users {
foreach my $attr (keys %$user_attributes) {
if (my $ours = $ldap_attribute_map->{$attr}) {
my $value = $user_attributes->{$attr}->[0];
eval { verify_sync_attribute($ours, $value) };
eval { verify_sync_attribute_value($ours, $value) };
if (my $err = $@) {
warn "skipping attribute mapping '$attr'->'$ours' for user '$username' - $err";
next;