Merge pull request #250 from consideRatio/pr/validate

refactor: put validation logic in traitlets validation functions
jupyterhub · Sep 14, 2024 · db5b738 · db5b738
2 parents ec73b93 + 085ef72
commit db5b738
Showing 1 changed file with 16 additions and 10 deletions.
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
@@ -4,7 +4,7 @@
 from jupyterhub.auth import Authenticator
 from ldap3.utils.conv import escape_filter_chars
 from tornado import gen
-from traitlets import Bool, Int, List, Unicode, Union
+from traitlets import Bool, Int, List, Unicode, Union, validate
 
 
 class LDAPAuthenticator(Authenticator):
@@ -65,6 +65,19 @@ def _server_port_default(self):
         """,
     )
 
+    @validate("bind_dn_template")
+    def _validate_bind_dn_template(self, proposal):
+        """
+        Ensure a List[str] is set, filtered from empty string elements.
+        """
+        rv = []
+        if isinstance(proposal.value, str):
+            rv = [proposal.value]
+        if "" in rv:
+            self.log.warning("Ignoring blank 'bind_dn_template' entry!")
+            rv = [e for e in rv if e]
+        return rv
+
     allowed_groups = List(
         config=True,
         allow_none=True,
@@ -353,18 +366,14 @@ def authenticate(self, handler, data):
             self.log.warning("username:%s Login denied for blank password", username)
             return None
 
-        # bind_dn_template should be of type List[str]
-        bind_dn_template = self.bind_dn_template
-        if isinstance(bind_dn_template, str):
-            bind_dn_template = [bind_dn_template]
-
         # sanity check
-        if not self.lookup_dn and not bind_dn_template:
+        if not self.lookup_dn and not self.bind_dn_template:
             self.log.warning(
                 "Login not allowed, please configure 'lookup_dn' or 'bind_dn_template'."
             )
             return None
 
+        bind_dn_template = self.bind_dn_template
         if self.lookup_dn:
             username, resolved_dn = self.resolve_username(username)
             if not username:
@@ -377,9 +386,6 @@ def authenticate(self, handler, data):
 
         is_bound = False
         for dn in bind_dn_template:
-            if not dn:
-                self.log.warning("Ignoring blank 'bind_dn_template' entry!")
-                continue
             userdn = dn.format(username=username)
             if self.escape_userdn:
                 userdn = escape_filter_chars(userdn)