
0010-auth_oidc-allow-adding-roles-on-login-53442.patch

Valentin Deniaud, 21 septembre 2022 12:47


Subject: [PATCH 10/10] auth_oidc: allow adding roles on login (#53442)

 src/authentic2_auth_oidc/backends.py |  6 ++++++
 src/authentic2_auth_oidc/models.py   |  7 ++++++-
 tests/test_auth_oidc.py              | 22 ++++++++++++++++++++++
 tests/test_manager_authenticators.py | 10 ++++++++++
 4 files changed, 44 insertions(+), 1 deletion(-)
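--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -382,6 +382,12 @@
                 setattr(user.verified_attributes, attribute, value)
             else:
                 setattr(user.attributes, attribute, value)
+
+        for action in provider.add_role_actions.all():
+            if action.role not in user.roles.all():
+                logger.info('auth_oidc: adding role "%s" to user %s', action.role, user)
+                user.roles.add(action.role)
+
         return user
 
     def get_saml2_authn_context(self):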
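Review bot: `user.roles.all()` on the `if` line issues a fresh query for every configured action, so the membership test costs one query per role; fetching the current set once before the loop, `current = set(user.roles.values_list('pk', flat=True))`, and testing `action.role_id not in current` keeps it to a single query, and since Django's M2M `add()` is already idempotent the check only guards the log line anyway. A role grant is a privilege change, so the log record should also name the provider that caused it, e.g. `logger.info('auth_oidc: adding role "%s" to user %s (provider %s)', action.role, user, provider)`, otherwise the audit trail cannot tie the grant back to its source. A comment such as `# re-applied on every login: a role removed from the user by hand is granted again next time` would make the behaviour explicit, because nothing in the loop distinguishes a first login from a later one. The enclosing method starts outside the hunk.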
src/authentic2_auth_oidc/models.py
26 26
from jwcrypto.jwk import InvalidJWKValue, JWKSet
27 27

  
28 28
from authentic2.a2_rbac.utils import get_default_ou
29
from authentic2.apps.authenticators.models import AuthenticatorRelatedObjectBase, BaseAuthenticator
29
from authentic2.apps.authenticators.models import (
30
    AddRoleAction,
31
    AuthenticatorRelatedObjectBase,
32
    BaseAuthenticator,
33
)
30 34
from authentic2.utils.misc import make_url, redirect_to_login
31 35
from authentic2.utils.template import validate_template
32 36

  
......
136 140
    def related_models(self):
137 141
        return {
138 142
            OIDCClaimMapping: self.claim_mappings.all(),
143
            AddRoleAction: self.add_role_actions.all(),
139 144
        }
140 145

  
141 146
    @property
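Review bot: `related_models` still has no docstring, and the new `AddRoleAction` entry relies on the `add_role_actions` reverse accessor, which this patch does not declare; presumably it is the related_name of the authenticator foreign key on `AddRoleAction` in `authentic2.apps.authenticators.models`, but that is not visible here. A one-line docstring such as `"""Map each related model class to this authenticator's queryset of its instances."""` plus a short comment naming where `add_role_actions` is declared would save the next reader the lookup. The enclosing class, and any decorator on `related_models`, lie outside the hunk.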
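--- a/tests/test_auth_oidc.py
+++ b/tests/test_auth_oidc.py
@@ -1315,3 +1315,25 @@
         ):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
         assert User.objects.count() == 1
+
+
+def test_oidc_add_role(app, code, oidc_provider, oidc_provider_jwkset, simple_role):
+    oidc_provider.add_role_actions.create(role=simple_role)
+
+    response = app.get('/').maybe_follow()
+    response = response.click(oidc_provider.name)
+    location = urllib.parse.urlparse(response.location)
+    query = QueryDict(location.query)
+    state = query['state']
+    nonce = query['nonce']
+
+    with oidc_provider_mock(
+        oidc_provider,
+        oidc_provider_jwkset,
+        code,
+        nonce=nonce,
+    ):
+        response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
+
+    user = User.objects.get()
+    assert simple_role in user.roles.all()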
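Review bot: The test covers only the first login, so the `not in user.roles.all()` guard added in the backend never takes its skip branch here; repeating the callback round-trip with a fresh state and nonce and then asserting `user.roles.filter(pk=simple_role.pk).count() == 1` would pin that a second login neither fails nor duplicates the grant. A negative case, logging in with no `add_role_actions` row and asserting the role is absent, would also show the positive assertion is not satisfied by some default role grant from elsewhere, though whether such defaults exist is not visible in this hunk. `test_oidc_add_role` lies wholly inside the hunk.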
tests/test_manager_authenticators.py
223 223
    assert_event('authenticator.related_object.deletion', user=superuser, session=app.session)
224 224

  
225 225

  
226
def test_authenticators_oidc_add_role(app, superuser, role_ou1):
227
    authenticator = OIDCProvider.objects.create(slug='idp1')
228
    resp = login(app, superuser, path=authenticator.get_absolute_url())
229

  
230
    resp = resp.click('Add', href='role')
231
    resp.form['role'] = role_ou1.pk
232
    resp = resp.form.submit().follow()
233
    assert 'role_ou1' in resp.text
234

  
235

  
226 236
def test_authenticators_fc(app, superuser):
227 237
    resp = login(app, superuser, path='/manage/authenticators/')
228 238

  
229
-