From a3abbcec6a9c95545ccf8f88e28e2c907a4a3146 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Wed, 21 Jul 2021 23:26:33 +0200
Subject: [PATCH] sources/ldap: improve error handling for property mappings

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 authentik/sources/ldap/sync/base.py       |  6 +++++
 authentik/sources/ldap/tests/test_sync.py | 28 +++++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/authentik/sources/ldap/sync/base.py b/authentik/sources/ldap/sync/base.py
index b5c4d27ee..6870c899b 100644
--- a/authentik/sources/ldap/sync/base.py
+++ b/authentik/sources/ldap/sync/base.py
@@ -5,6 +5,7 @@ from django.db.models.query import QuerySet
 from structlog.stdlib import BoundLogger, get_logger
 
 from authentik.core.exceptions import PropertyMappingExpressionException
+from authentik.events.models import Event, EventAction
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
 
@@ -83,6 +84,11 @@ class BaseLDAPSynchronizer:
                 else:
                     properties[object_field] = self._flatten(value)
             except PropertyMappingExpressionException as exc:
+                Event.new(
+                    EventAction.CONFIGURATION_ERROR,
+                    message=f"Failed to evaluate property-mapping: {str(exc)}",
+                    mapping=mapping,
+                ).save()
                 self._logger.warning(
                     "Mapping failed to evaluate", exc=exc, mapping=mapping
                 )
diff --git a/authentik/sources/ldap/tests/test_sync.py b/authentik/sources/ldap/tests/test_sync.py
index 02e18dc47..8672a5317 100644
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@@ -5,6 +5,7 @@ from django.db.models import Q
 from django.test import TestCase
 
 from authentik.core.models import Group, User
+from authentik.events.models import Event, EventAction
 from authentik.managed.manager import ObjectManager
 from authentik.providers.oauth2.generators import generate_client_secret
 from authentik.sources.ldap.models import LDAPPropertyMapping, LDAPSource
@@ -31,6 +32,33 @@ class LDAPSyncTests(TestCase):
             additional_group_dn="ou=groups",
         )
 
+    def test_sync_error(self):
+        """Test user sync"""
+        self.source.property_mappings.set(
+            LDAPPropertyMapping.objects.filter(
+                Q(managed__startswith="goauthentik.io/sources/ldap/default")
+                | Q(managed__startswith="goauthentik.io/sources/ldap/ms")
+            )
+        )
+        mapping = LDAPPropertyMapping.objects.create(
+            name="name",
+            object_field="name",
+            expression="q",
+        )
+        self.source.property_mappings.set([mapping])
+        self.source.save()
+        connection = PropertyMock(return_value=mock_ad_connection(LDAP_PASSWORD))
+        with patch("authentik.sources.ldap.models.LDAPSource.connection", connection):
+            user_sync = UserLDAPSynchronizer(self.source)
+            user_sync.sync()
+            self.assertFalse(User.objects.filter(username="user0_sn").exists())
+            self.assertFalse(User.objects.filter(username="user1_sn").exists())
+        events = Event.objects.filter(
+            action=EventAction.CONFIGURATION_ERROR,
+            context__message="Failed to evaluate property-mapping: name 'q' is not defined"
+        )
+        self.assertTrue(events.exists())
+
     def test_sync_users_ad(self):
         """Test user sync"""
         self.source.property_mappings.set(