0001-idp-saml2-use-sp-s-next-url-as-part-of-authn-display.patch

Paul Marillonnet, 16 juin 2022 10:43

Voir les différences: en ligne côte à côte

Subject: [PATCH] idp/saml2: use sp's next url as part of authn display
 conditions (#65643)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

    · requires django-mellon's ADD_AUTHNREQUEST_NEXT_URL_EXTENSION
      setting to True on the SP side.

 src/authentic2/idp/saml/saml2_endpoints.py | 10 +++++
 src/authentic2/utils/evaluate.py           |  2 +
 tests/test_idp_saml2.py                    | 43 ++++++++++++++++++++--
 tests/test_utils_evaluate.py               |  5 +++
 4 files changed, 57 insertions(+), 3 deletions(-)

     EO_NS = 'https://www.entrouvert.com/'
     LOGIN_HINT = '{%s}login-hint' % EO_NS
     NEXT_URL = '{%s}next_url' % EO_NS
     def get_login_hints_extension(profile):
-...
         return hints
     def get_next_url_extension(profile):
         for node in get_extensions(profile):
             if node.tag == NEXT_URL:
                 return node.text
     def sso_after_process_request(
         request,
         login,
-...
         if not passive and (user.is_anonymous or (force_authn and not did_auth)):
             logger.debug('login required')
             sp_next_url = get_next_url_extension(login)
             if sp_next_url:
                 request.session['sp_next_url'] = sp_next_url
             return need_login(request, login, nid_format)
         # No user is authenticated and passive is True, deny request

src/authentic2/utils/evaluate.py
314	314	if request:
315	315	ctx['headers'] = HTTPHeaders(request)
316	316	ctx['remote_addr'] = request.META.get('REMOTE_ADDR')
	317	if hasattr(request, 'session') and 'sp_next_url' in request.session:
	318	ctx['sp_next_url'] = request.session['sp_next_url']
317	319	ctx.update(kwargs)
318	320	return ctx

     from authentic2.constants import NONCE_FIELD_NAME
     from authentic2.custom_user.models import User
     from authentic2.idp.saml import saml2_endpoints
     from authentic2.idp.saml.saml2_endpoints import get_extensions, get_login_hints_extension
     from authentic2.idp.saml.saml2_endpoints import (
         get_extensions,
         get_login_hints_extension,
         get_next_url_extension,
+    )
     from authentic2.models import Attribute, Service
     from authentic2.saml import models as saml_models
     from authentic2.saml.models import SAMLAttribute
-...
             sp_name_qualifier=None,
             name_id_policy=True,
             login_hints=None,
             next_url=None,
         ):
             server = self.get_server()
             login = self.login = lasso.Login(server)
-...
                 request.nameIdPolicy = None
             request.extensions = lasso.Samlp2Extensions()
             # extension with unicode characters !! test dumping in saml2_endpoints and continue_sso
             request.extensions.any = (force_str('<extension xmlns="http://example.com/">éé</extension>'),)
             extensions = [
                 force_str('<extension xmlns="http://example.com/">éé</extension>'),
+            ]
             if login_hints:
                 request.extensions.any = (
                 extensions.append(
                     force_str(
                         '<login-hint xmlns="https://www.entrouvert.com/">%s</login-hint>' % ' '.join(login_hints)
                     ),
+                )
             if next_url:
                 extensions.append(
                     force_str('<eo:next_url xmlns:eo="https://www.entrouvert.com/">%s</eo:next_url>' % next_url),
+                )
             request.extensions.any = tuple(ext for ext in extensions)
             login.buildAuthnRequestMsg()
             url_parsed = urllib.parse.urlparse(login.msgUrl)
             assert url_parsed.path == reverse('a2-idp-saml-sso'), 'msgUrl should target the sso endpoint'
-...
         scenario.check_assertion(user=user)
     def test_sso_redirect_artifact_next_url(app, user, keys):
         scenario = Scenario(
             app,
             sp_kwargs=dict(binding='artifact', keys=keys),
             make_authn_request_kwargs={'next_url': '/foobar/'},
+        )
         scenario.launch_authn_request()
         assert app.session['sp_next_url'] == '/foobar/'
         scenario.login(user)
         scenario.handle_artifact_response()
         scenario.check_assertion(user=user)
     @pytest.fixture
     def add_attributes(rf):
         with mock.patch('authentic2.idp.saml.saml2_endpoints.get_attribute_definitions') as get_definitions:
-...
         assert login_hints == {'backoffice', 'saint-machin-truc', 'toto@example.com'}
     def test_get_next_url_extension(profile):
         assert get_next_url_extension(profile) is None
         extensions = [
             '<eo:next_url xmlns:eo="https://www.entrouvert.com/">/foobar/</eo:next_url>',
+        ]
         profile.request.extensions = lasso.Samlp2Extensions()
         profile.request.extensions.any = tuple(force_str(ext) for ext in extensions)
         sp_next_url = get_next_url_extension(profile)
         assert sp_next_url == '/foobar/'
     def test_make_edu_person_targeted_id(db, settings, rf):
         user = User.objects.create(username='a')
         provider = saml_models.LibertyProvider(entity_id='https://sp.com/')

tests/test_utils_evaluate.py
127	127	)
128	128	is False
129	129	)
	130
	131
	132	def test_sp_next_url():
	133	assert evaluate_condition('"foo" in sp_next_url', ctx={'sp_next_url': '/foobar'}) is True
	134	assert evaluate_condition('"baz" in sp_next_url', ctx={'sp_next_url': '/foobar'}) is False
130		-

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-idp-saml2-use-sp-s-next-url-as-part-of-authn-display.patch