From ce6e3bf8950b7e58f63cff0ebd23a4462844b57d Mon Sep 17 00:00:00 2001
From: Komal Thareja
Date: Mon, 26 Feb 2024 14:15:03 -0500
Subject: [PATCH] use sub for ldap queries always to take into account email changes

---
 fabricauthenticator/__init__.py            |  2 +-
 fabricauthenticator/fabricauthenticator.py | 27 ++++++++++++++--------
 pyproject.toml                             |  2 +-
 3 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/fabricauthenticator/__init__.py b/fabricauthenticator/__init__.py
index 6f4fa58..72837bd 100644
--- a/fabricauthenticator/__init__.py
+++ b/fabricauthenticator/__init__.py
@@ -1 +1 @@
-__version__ = '1.3'
+__version__ = '1.3.1'
diff --git a/fabricauthenticator/fabricauthenticator.py b/fabricauthenticator/fabricauthenticator.py
index fc5d8c0..27fa07e 100644
--- a/fabricauthenticator/fabricauthenticator.py
+++ b/fabricauthenticator/fabricauthenticator.py
@@ -150,11 +150,11 @@ def get_ldap_attributes(email, sub) -> Union[entry.Entry, None]:
         ldap_user = os.getenv('LDAP_USER', '')
         ldap_password = os.getenv('LDAP_PASSWORD', '')
         ldap_search_base = os.getenv('LDAP_SEARCH_BASE', '')
-        # Always search on email if available
-        if email is not None:
-            ldap_search_filter = '(mail=' + email + ')'
-        else:
+        # Always search on sub if available
+        if sub is not None:
             ldap_search_filter = '(uid=' + sub + ')'
+        else:
+            ldap_search_filter = '(mail=' + email + ')'
         conn = Connection(server, ldap_user, ldap_password, auto_bind=True)
         profile_found = conn.search(ldap_search_base, ldap_search_filter,
@@ -177,20 +177,27 @@ def check_username_claim(self, claimlist, resp_json):
         https://fabric-testbed.atlassian.net/browse/FIP-715
         https://fabric-testbed.atlassian.net/browse/FIP-724
         """
+        # HACK for handling email aliases; always determine the email from LDAP by querying on sub
         username = None
-        for claim in claimlist:
-            username = resp_json.get(claim)
-            if username:
-                return username
+        #for claim in claimlist:
+        #    username = resp_json.get(claim)
+        #    if username:
+        #        return username
         # Hack when user claims only has sub
         email = resp_json.get("email")
         sub = resp_json.get("sub")
         if sub is not None:
-            attributelist = self.get_ldap_attributes(email, sub)
+            attributelist = self.get_ldap_attributes(None, sub)
             if attributelist is not None:
                 self.log.info(f"attributelist acquired for determining user name. {attributelist}")
-                username = str(attributelist['mail'])
+                if len(attributelist['mail']) == 1:
+                    username = str(attributelist['mail'])
+                else:
+                    if email is None or email not in attributelist['mail']:
+                        username = str(attributelist['mail'][0])
+                    else:
+                        username = email
         if not username:
             if len(claimlist) < 2:
diff --git a/pyproject.toml b/pyproject.toml
index b9fd4c8..b181ce6 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -18,7 +18,7 @@ keywords = ["Swagger", "Fabric OAuth Authenticator"]
 requires-python = '>=3.7'
 dependencies = [
     "jupyterhub>=1.0",
-    "oauthenticator",
+    "oauthenticator==15.1.0",
     "ldap3"
 ]
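Review bot: When `mail` holds several values and the IdP email is missing or not among them, the new branch takes `attributelist['mail'][0]`, but the order in which a directory returns a multi-valued attribute is not guaranteed to be stable, so the username a person is mapped to can differ between logins and silently land them in a different JupyterHub account; the `email not in attributelist['mail']` test is also case-sensitive, whereas mail addresses are normally compared case-insensitively, so an alias differing only in case takes the same arbitrary branch. Choosing the value deterministically (case-insensitive match against the IdP email, otherwise the lexicographically smallest address) and indexing with `[0]` in the single-value branch as well, instead of `str(attributelist['mail'])`, makes the mapping reproducible, as in the excerpt below. The call site now passes `sub` straight from the token claims into `get_ldap_attributes`, which in the earlier hunk concatenates it into the filter string unescaped; passing it through `ldap3.utils.conv.escape_filter_chars` (at the call or inside the helper) keeps an unusual subject value from changing the filter's meaning. The `#for claim in claimlist:` block should be deleted rather than commented out, and the `# HACK …` line would help a future reader more if it said why the claim lookup is bypassed, e.g. `# Email claims can change (aliases); sub is the stable key, so resolve the address via LDAP`. check_username_claim continues outside the hunk.

```python
            if attributelist is not None:
                self.log.info(f"attributelist acquired for determining user name. {attributelist}")
                # Pick deterministically: LDAP does not guarantee the order of multi-valued attributes
                mails = [str(m) for m in attributelist['mail']]
                matched = [m for m in mails if email is not None and m.lower() == email.lower()]
                if matched:
                    username = matched[0]
                elif mails:
                    username = sorted(mails)[0]
        # … unchanged: fallback when no username was determined …
```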