From a5c701cd84e5b204f77b452ad592fde6f9879ae8 Mon Sep 17 00:00:00 2001
From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de>
Date: Fri, 27 Oct 2017 11:00:03 +0200
Subject: [PATCH] Update README.md regarding groups. Remove unuser RDN
 extraction.

---
 README.md             |  9 +++++++++
 ssoauth/auth_utils.py | 12 +-----------
 2 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 6e9b518..d00760c 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,15 @@ The code snippet above disables the actual SSO. If you need it:
   - change `DO_YOU_WANT_SSO` to True
   - see the SSO configuration section
 
+
+#### Groups
+To receive groups over SSO you need a mapping. You can manage group mapping with `group_mapping` management command. Example:
+    
+    group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de"
+
+*Groups are not mapped automatically. Because automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create a new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.* 
+
+
 #### Production setup
 
 ```python
diff --git a/ssoauth/auth_utils.py b/ssoauth/auth_utils.py
index 0fbef01..c6bd5c8 100644
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -10,9 +10,6 @@ import functools
 import re
 
 
-EXTRACT_RDN = re.compile(r"^\w+=(\w+),.+$", re.IGNORECASE)  # RDN is in the first regex group
-
-
 def _validate_username(username):
     assert isinstance(username, str)
     assert username.islower()
@@ -96,13 +93,6 @@ def update_user_data(user, surname=None, forename=None, email=None):
     user.save()
 
 
-def extract_rdn(dn):
-    """ Extracts group name from the DN. """
-    match = EXTRACT_RDN.search(dn)
-    assert match, "Received something weird instead of a DN: {group_dn}".format(**locals())
-    return match.group(1)
-
-
 def set_user_groups(user, group_dn_list):
     """ Updates groups for the user. """
     # using Q to create ignore-case DN lookup since DS is case insensitive
@@ -118,7 +108,7 @@ def set_user_groups(user, group_dn_list):
         assert set(user.groups.all()) == set(groups)  # dunno how relation.set() behaves, better safe than sorry
         logger.info("Groups for {user} are updated to: {groups}".format(user=user, groups=", ".join(g.name for g in groups)))
     logger.debug("User {user} has {g_n} group(s) based on {dn_n} DN(s): {g_names}".format(
-        user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list)))
+        user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups) or "(none)", dn_n=len(group_dn_list)))
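Review bot: The `or "(none)"` fallback is applied only to the debug line, while the info line two lines above (inside the update branch) still formats `groups=", ".join(g.name for g in groups)` and will log `updated to: ` followed by nothing when a user ends up with no groups; for consistency give it the same fallback, `groups=", ".join(g.name for g in groups) or "(none)"`. set_user_groups starts outside the hunk, so how `groups` and `group_dn_list` are built is not visible here; this assumes both are always sequences at this point. Separately, the `assert set(user.groups.all()) == set(groups)` on the context line above is the only runtime confirmation that the persisted group membership matches what was computed, and `python -O` strips it silently; if that check is meant to stay, an explicit comparison that raises (or at least logs an error) would survive optimized runs.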
 
 
 def cleanup_direct_permissions(user):
-- 
GitLab