sources/ldap: improve error handling for property mappings

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-21 23:26:33 +02:00 · 2021-07-21 23:26:33 +02:00 · a3abbcec6a
parent 70e000d327
commit a3abbcec6a
2 changed files with 34 additions and 0 deletions
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@ -5,6 +5,7 @@ from django.db.models.query import QuerySet
 from structlog.stdlib import BoundLogger, get_logger

 from authentik.core.exceptions import PropertyMappingExpressionException
+from authentik.events.models import Event, EventAction
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource

@ -83,6 +84,11 @@ class BaseLDAPSynchronizer:
                else:
                    properties[object_field] = self._flatten(value)
            except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property-mapping: {str(exc)}",
+                    mapping=mapping,
+                ).save()
                self._logger.warning(
                    "Mapping failed to evaluate", exc=exc, mapping=mapping
                )
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -5,6 +5,7 @@ from django.db.models import Q
 from django.test import TestCase

 from authentik.core.models import Group, User
+from authentik.events.models import Event, EventAction
 from authentik.managed.manager import ObjectManager
 from authentik.providers.oauth2.generators import generate_client_secret
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
@ -31,6 +32,33 @@ class LDAPSyncTests(TestCase):
            additional_group_dn="ou=groups",
        )

+    def test_sync_error(self):
+        """Test user sync"""
+        self.source.property_mappings.set(
+            LDAPPropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/ms")
+            )
+        )
+        mapping = LDAPPropertyMapping.objects.create(
+            name="name",
+            object_field="name",
+            expression="q",
+        )
+        self.source.property_mappings.set([mapping])
+        self.source.save()
+        connection = PropertyMock(return_value=mock_ad_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync()
+            self.assertFalse(User.objects.filter(username="user0_sn").exists())
+            self.assertFalse(User.objects.filter(username="user1_sn").exists())
+        events = Event.objects.filter(
+            action=EventAction.CONFIGURATION_ERROR,
+            context__message="Failed to evaluate property-mapping: name 'q' is not defined"
+        )
+        self.assertTrue(events.exists())
+
    def test_sync_users_ad(self):
        """Test user sync"""
        self.source.property_mappings.set(