Merge pull request #283 from consideRatio/pr/validate-on-startup

Validate config on startup when possible (allowed_groups, lookup_dn, bind_dn_template)
jupyterhub · Sep 23, 2024 · cea8616 · cea8616
2 parents 6d2c7ce + 7d62e1c
commit cea8616
Showing 1 changed file with 18 additions and 12 deletions.
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
@@ -155,6 +155,14 @@ def _validate_bind_dn_template(self, proposal):
             rv = [e for e in rv if e]
         return rv
 
+    @observe("lookup_dn", "bind_dn_template")
+    def _require_either_lookup_dn_or_bind_dn_template(self, change):
+        if not self.lookup_dn and not self.bind_dn_template:
+            raise ValueError(
+                "LDAPAuthenticator requires either lookup_dn or "
+                "bind_dn_template to be configured"
+            )
+
     allowed_groups = List(
         config=True,
         allow_none=True,
@@ -192,6 +200,16 @@ def _validate_bind_dn_template(self, proposal):
         help="List of attributes to be searched",
     )
 
+    @observe("allowed_groups", "group_search_filter", "group_attributes")
+    def _ensure_allowed_groups_requirements(self, change):
+        if not self.allowed_groups:
+            return
+        if not self.group_search_filter or not self.group_attributes:
+            raise ValueError(
+                "LDAPAuthenticator.allowed_groups requires both "
+                "group_search_filter and group_attributes to be configured"
+            )
+
     valid_username_regex = Unicode(
         r"^[a-z][.a-z0-9_-]*$",
         config=True,
@@ -541,13 +559,6 @@ async def authenticate(self, handler, data):
             )
             return None
 
-        # sanity check
-        if not self.lookup_dn and not self.bind_dn_template:
-            self.log.warning(
-                "Login not allowed, please configure 'lookup_dn' or 'bind_dn_template'."
-            )
-            return None
-
         bind_dn_template = self.bind_dn_template
         resolved_username = login_username
         if self.lookup_dn:
@@ -606,11 +617,6 @@ async def authenticate(self, handler, data):
 
         ldap_groups = []
         if self.allowed_groups:
-            if not self.group_search_filter or not self.group_attributes:
-                self.log.warning(
-                    "Missing group_search_filter or group_attributes. Both are required."
-                )
-                return None
             self.log.debug("username:%s Using dn %s", resolved_username, userdn)
             for group in self.allowed_groups:
                 found = conn.search(