| 52 |
52 |
assert response.pyquery('button[name="login-saml-1"]')
|
| 53 |
53 |
|
| 54 |
54 |
|
| 55 |
|
def test_provision_attributes(db, caplog, simple_role):
|
|
55 |
def test_provision_attributes(db, caplog):
|
| 56 |
56 |
from authentic2_auth_saml.adapters import AuthenticAdapter
|
| 57 |
57 |
|
| 58 |
58 |
adapter = AuthenticAdapter()
|
| ... | ... | |
| 79 |
79 |
{
|
| 80 |
80 |
'attribute': 'first_name',
|
| 81 |
81 |
'saml_attribute': 'first_name',
|
| 82 |
|
},
|
| 83 |
|
{
|
| 84 |
|
'action': 'toggle-role',
|
| 85 |
|
'role': {
|
| 86 |
|
'name': simple_role.name,
|
| 87 |
|
'ou': {
|
| 88 |
|
'name': simple_role.ou.name,
|
| 89 |
|
},
|
| 90 |
|
},
|
| 91 |
|
'condition': "roles == 'A'",
|
| 92 |
82 |
}
|
| 93 |
83 |
]
|
| 94 |
84 |
}
|
| ... | ... | |
| 106 |
96 |
assert user.email == 'john.doe@example.com'
|
| 107 |
97 |
assert user.attributes.title == 'Mr.'
|
| 108 |
98 |
assert user.first_name == 'John'
|
|
99 |
user.delete()
|
|
100 |
|
|
101 |
# on missing mandatory attribute, no user is created
|
|
102 |
del saml_attributes['mail']
|
|
103 |
assert adapter.lookup_user(idp, saml_attributes) is None
|
|
104 |
|
|
105 |
# simulate no attribute value
|
|
106 |
saml_attributes['first_name'] = []
|
|
107 |
mapping = {
|
|
108 |
'attribute': 'first_name',
|
|
109 |
'saml_attribute': 'first_name',
|
|
110 |
}
|
|
111 |
with pytest.raises(MappingError, match='no value for first_name'):
|
|
112 |
adapter.action_set_attribute(user, idp, saml_attributes, mapping)
|
|
113 |
|
|
114 |
|
|
115 |
@pytest.mark.parametrize('action_name', ['add-role', 'toggle-role'])
|
|
116 |
def test_provision_add_role(db, simple_role, action_name):
|
|
117 |
from authentic2_auth_saml.adapters import AuthenticAdapter
|
|
118 |
|
|
119 |
adapter = AuthenticAdapter()
|
|
120 |
User = get_user_model()
|
|
121 |
user = User.objects.create()
|
|
122 |
idp = {
|
|
123 |
'A2_ATTRIBUTE_MAPPING': [
|
|
124 |
{
|
|
125 |
'action': action_name,
|
|
126 |
'role': {
|
|
127 |
'name': simple_role.name,
|
|
128 |
'ou': {
|
|
129 |
'name': simple_role.ou.name,
|
|
130 |
},
|
|
131 |
},
|
|
132 |
'condition': "roles == 'A'",
|
|
133 |
}
|
|
134 |
]
|
|
135 |
}
|
|
136 |
|
|
137 |
saml_attributes = {
|
|
138 |
'issuer': 'https://idp.com/',
|
|
139 |
'name_id_content': 'xxx',
|
|
140 |
'name_id_format': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
|
|
141 |
}
|
|
142 |
user = adapter.lookup_user(idp, saml_attributes)
|
|
143 |
user.refresh_from_db()
|
| 109 |
144 |
assert simple_role not in user.roles.all()
|
| 110 |
145 |
user.delete()
|
| 111 |
146 |
|
| 112 |
147 |
# if a toggle-role is mandatory, failure to evaluate condition block user creation
|
| 113 |
|
assert idp['A2_ATTRIBUTE_MAPPING'][-1]['action'] == 'toggle-role'
|
|
148 |
assert idp['A2_ATTRIBUTE_MAPPING'][-1]['action'] == action_name
|
| 114 |
149 |
idp['A2_ATTRIBUTE_MAPPING'][-1]['mandatory'] = True
|
| 115 |
150 |
assert adapter.lookup_user(idp, saml_attributes) is None
|
| 116 |
151 |
|
| ... | ... | |
| 130 |
165 |
# condition failed, so role should be removed
|
| 131 |
166 |
assert simple_role not in user.roles.all()
|
| 132 |
167 |
|
| 133 |
|
user.delete()
|
| 134 |
|
|
| 135 |
|
# on missing mandatory attribute, no user is created
|
| 136 |
|
del saml_attributes['mail']
|
| 137 |
|
assert adapter.lookup_user(idp, saml_attributes) is None
|
| 138 |
|
|
| 139 |
|
# simulate no attribute value
|
| 140 |
|
saml_attributes['first_name'] = []
|
| 141 |
|
mapping = {
|
| 142 |
|
'attribute': 'first_name',
|
| 143 |
|
'saml_attribute': 'first_name',
|
| 144 |
|
}
|
| 145 |
|
with pytest.raises(MappingError, match='no value for first_name'):
|
| 146 |
|
adapter.action_set_attribute(user, idp, saml_attributes, mapping)
|
| 147 |
|
|
| 148 |
|
|
| 149 |
168 |
|
| 150 |
169 |
def test_login_with_conditionnal_authenticators(db, app, settings, caplog):
|
| 151 |
170 |
|
| 152 |
|
-
|