diff --git a/templates/zerver/config_error.html b/templates/zerver/config_error.html
index a4a31d6c20..af248e6e0d 100644
--- a/templates/zerver/config_error.html
+++ b/templates/zerver/config_error.html
@@ -93,6 +93,18 @@

{% endif %} {% endif %} + + {% if remoteuser_error_backend_disabled %} +

+ Authentication via the REMOTE_USER header is + disabled in `/etc/zulip/settings.py`. +

+ {% endif %} + {% if remoteuser_error_remote_user_header_missing %} +

+ The REMOTE_USER header is not set. +

+ {% endif %}

After making your changes, remember to restart the Zulip server.
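Review bot: Both new paragraphs call REMOTE_USER a "header", but the view in this commit reads `request.META["REMOTE_USER"]`, which is the variable set by the web server; a client-supplied HTTP header would appear as `HTTP_REMOTE_USER` instead. The wording matters because an administrator who takes it to mean "forward a request header from the proxy" ends up trusting a value the client can set. I would write "the REMOTE_USER variable set by the web server" in both messages. The first message could also name the fix, e.g. `Add zproject.backends.ZulipRemoteUserBackend to AUTHENTICATION_BACKENDS in /etc/zulip/settings.py.` The markup around these lines is not visible here, so the literal backticks around the path may also need to become the template's usual inline-code markup.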

diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py
index 133fb449a6..8264e7adb5 100644
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -2225,7 +2225,10 @@ class TestZulipRemoteUserBackend(ZulipTestCase):
 def test_login_failure(self) -> None:
 email = self.example_email("hamlet")
 result = self.client_post('/accounts/login/sso/', REMOTE_USER=email)
- self.assert_json_error(result, "This authentication backend is disabled.")
+ self.assertEqual(result.status_code, 302)
+
+ result = self.client_get(result["Location"])
+ self.assert_in_response("Authentication via the REMOTE_USER header is", result)
 self.assert_logged_in_user_id(None)
 
 def test_login_failure_due_to_nonexisting_user(self) -> None:
@@ -2245,7 +2248,10 @@ class TestZulipRemoteUserBackend(ZulipTestCase):
 def test_login_failure_due_to_missing_field(self) -> None:
 with self.settings(AUTHENTICATION_BACKENDS=('zproject.backends.ZulipRemoteUserBackend',)):
 result = self.client_post('/accounts/login/sso/')
- self.assert_json_error_contains(result, "No REMOTE_USER set.", 400)
+ self.assertEqual(result.status_code, 302)
+
+ result = self.client_get(result["Location"])
+ self.assert_in_response("The REMOTE_USER header is not set.", result)
 
 def test_login_failure_due_to_wrong_subdomain(self) -> None:
 email = self.example_email("hamlet")
diff --git a/zerver/views/auth.py b/zerver/views/auth.py
index 71c3207b24..444e80c43c 100644
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
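Review bot: `test_login_failure_due_to_missing_field` (second hunk) follows the redirect and checks the page text but never asserts that no session was created, whereas `test_login_failure` in the first hunk keeps `self.assert_logged_in_user_id(None)` after the same sequence. On an authentication failure path that is the assertion that matters most. I would add `self.assert_logged_in_user_id(None)` after the `assert_in_response` call, inside the `with` block.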
@@ -260,14 +260,12 @@ def remote_user_sso(request: HttpRequest,
 realm = None
 
 if not auth_enabled_helper([ZulipRemoteUserBackend.auth_backend_name], realm):
- raise JsonableError(_("This authentication backend is disabled."))
+ return redirect_to_config_error("remoteuser/backend_disabled")
 
 try:
 remote_user = request.META["REMOTE_USER"]
 except KeyError:
- # TODO: Arguably the JsonableError values here should be
- # full-page HTML configuration errors instead.
- raise JsonableError(_("No REMOTE_USER set."))
+ return redirect_to_config_error("remoteuser/remote_user_header_missing")
 
 # Django invokes authenticate methods by matching arguments, and this
 # authentication flow will not invoke LDAP authentication because of
diff --git a/zproject/urls.py b/zproject/urls.py
index f896d069af..d25fba498b 100644
--- a/zproject/urls.py
+++ b/zproject/urls.py
@@ -585,6 +585,12 @@ i18n_urls = [
 url(r'^config-error/saml$', TemplateView.as_view(
 template_name='zerver/config_error.html',),
 {'saml_error': True},),
+ url(r'^config-error/remoteuser/backend_disabled$', TemplateView.as_view(
+ template_name='zerver/config_error.html',),
+ {'remoteuser_error_backend_disabled': True},),
+ url(r'^config-error/remoteuser/remote_user_header_missing$', TemplateView.as_view(
+ template_name='zerver/config_error.html',),
+ {'remoteuser_error_remote_user_header_missing': True},),
 ]
 
 # Make a copy of i18n_urls so that they appear without prefix for english
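Review bot: The missing-value branch in `remote_user_sso` fires only on `KeyError`, so a `REMOTE_USER` that is present but empty still falls through to the authentication code below the hunk. Some front ends pass the variable through as an empty string when no user was authenticated, and that case deserves the same configuration-error page. I would replace the `try`/`except` with `remote_user = request.META.get("REMOTE_USER")` followed by `if not remote_user: return redirect_to_config_error("remoteuser/remote_user_header_missing")`. How the backend treats an empty value is not visible here, so it may already be rejected later; the function starts and continues outside the hunk.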
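Review bot: The two new routes are tied to the view only by matching string suffixes, `"remoteuser/backend_disabled"` in `zerver/views/auth.py` and `config-error/remoteuser/backend_disabled` here, and nothing in `i18n_urls` records that link. A comment above the entries would help, e.g. `# Targets of redirect_to_config_error("remoteuser/...") in zerver/views/auth.py; keep the suffixes in sync.` The path segments also use underscores where the `config-error` prefix uses a hyphen, though only the `saml` route is visible for comparison. The `i18n_urls` list begins outside the hunk.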