From a8ac6d3be7bfd8f7bfacb406cda22efc41b79f0b Mon Sep 17 00:00:00 2001
From: Michel Jouvin
Date: Mon, 4 Jan 2021 20:52:26 +0100
Subject: [PATCH] LDAP identity provider: add an option to create identity from auth_info rather than from LDAP
- Config parameter is accepted_users=all
- Allow to support non local (LDAP) users when using a Shibboleth auth provider
---
flask_multipass/providers/ldap/providers.py | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/flask_multipass/providers/ldap/providers.py b/flask_multipass/providers/ldap/providers.py
index f8a34a1..45346d4 100644
--- a/flask_multipass/providers/ldap/providers.py
+++ b/flask_multipass/providers/ldap/providers.py
@@ -162,6 +162,11 @@ def __init__(self, *args, **kwargs):
self._attributes = list(
convert_app_data(self.settings['mapping'], {}, self.settings['identity_info_keys']).values())
self._attributes.append(self.ldap_settings['uid'])
+ accepted_users = self.settings.setdefault('accepted_users', 'local').lower()
+ if accepted_users == 'all':
+ self.id_from_auth = True
+ else:
+ self.id_from_auth = False

@property
def supports_get_identity_groups(self):
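Review bot: Any value of `accepted_users` other than `all` is silently treated as `local`, so a misspelled setting quietly keeps the LDAP-only behavior with no signal to the operator; the `__init__` body begins outside this hunk. Since the setting is a closed set, I would reject unknown values at construction time and collapse the if/else: `if accepted_users not in ('local', 'all'): raise ValueError(f"accepted_users must be 'local' or 'all', got {accepted_users!r}")` followed by `self.id_from_auth = accepted_users == 'all'`. A one-line comment above the assignment, such as `# 'all': build the identity from the auth provider's attributes when the user is not in LDAP`, would also help, because the rationale for the flag currently lives only in get_identity_from_auth.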
@@ -182,7 +187,16 @@ def _search_groups(self, search_filter): # pragma: no cover
return search(self.ldap_settings['group_base'], search_filter, attributes=[self.ldap_settings['gid']])

def get_identity_from_auth(self, auth_info): # pragma: no cover
- return self._get_identity(auth_info.data.pop('identifier'))
+ identifier = auth_info.data.pop('identifier')
+ if not identifier:
+ raise IdentityRetrievalFailed('Identifier missing in auth provider response', provider=self)
+ # Try to get identity attributes from LDAP. If self.id_from_auth=True, and
+ # the user is not found in LDAP, use the auth_info attributes to create the identity:
+ # useful when using a Shibboleth auth provider to authenticate local and non local users.
+ identity = self._get_identity(identifier)
+ if identity is None and self.id_from_auth:
+ identity = IdentityInfo(self, identifier=identifier, **auth_info.data)
+ return identity

def refresh_identity(self, identifier, multipass_data): # pragma: no cover
return self._get_identity(identifier)
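Review bot: The new `if not identifier` guard cannot fire for the case its message describes, because `auth_info.data.pop('identifier')` on the line above raises KeyError when the key is absent; only an empty or None value reaches the IdentityRetrievalFailed branch. Use `identifier = auth_info.data.pop('identifier', None)` so a missing key yields the provider error instead of an unhandled KeyError. Separately, the fallback `IdentityInfo(self, identifier=identifier, **auth_info.data)` forwards every remaining attribute from the auth provider unfiltered, whereas the LDAP path is restricted through the configured mapping and `identity_info_keys` (visible in the first hunk); a comment such as `# NOTE: with accepted_users='all' the identity data comes straight from the auth provider, not from the LDAP mapping` makes that trust boundary explicit, and limiting the forwarded keys to `identity_info_keys` would keep both paths consistent. Whether `_get_identity` returns None for an unknown user is not visible in this hunk and is worth confirming, since the fallback depends on it.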