0010-auth_oidc-allow-adding-roles-on-login-53442.patch
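--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -382,6 +382,12 @@
 setattr(user.verified_attributes, attribute, value)
 else:
 setattr(user.attributes, attribute, value)
+
+for action in provider.add_role_actions.all():
+if action.role not in user.roles.all():
+logger.info('auth_oidc: adding role "%s" to user %s', action.role, user)
+user.roles.add(action.role)
+
 return user
 
 def get_saml2_authn_context(self):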
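Review bot: The membership test `if action.role not in user.roles.all():` re-evaluates the user's role queryset on every iteration of the loop over `provider.add_role_actions.all()`, costing one extra query per configured action; load the roles once before the loop with `current_roles = set(user.roles.all())` and write the guard as `if action.role not in current_roles:`. The loop only ever adds roles, so removing an action from the provider later does not revoke a role it already granted; a comment such as `# roles granted here are never revoked when the action is removed` would make that one-way behaviour explicit to the next maintainer. The `logger.info` line is the only trace of the grant; if the project records audit events for role membership changes elsewhere, this would be the place to record one. The enclosing method starts before this hunk.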
src/authentic2_auth_oidc/models.py | ||
26 | 26 |
from jwcrypto.jwk import InvalidJWKValue, JWKSet |
27 | 27 | |
28 | 28 |
from authentic2.a2_rbac.utils import get_default_ou |
29 |
from authentic2.apps.authenticators.models import AuthenticatorRelatedObjectBase, BaseAuthenticator |
|
29 |
from authentic2.apps.authenticators.models import ( |
|
30 |
AddRoleAction, |
|
31 |
AuthenticatorRelatedObjectBase, |
|
32 |
BaseAuthenticator, |
|
33 |
) |
|
30 | 34 |
from authentic2.utils.misc import make_url, redirect_to_login |
31 | 35 |
from authentic2.utils.template import validate_template |
32 | 36 | |
... | ... | |
136 | 140 |
def related_models(self): |
137 | 141 |
return { |
138 | 142 |
OIDCClaimMapping: self.claim_mappings.all(), |
143 |
AddRoleAction: self.add_role_actions.all(), |
|
139 | 144 |
} |
140 | 145 | |
141 | 146 |
@property |
tests/test_auth_oidc.py | ||
1315 | 1315 |
): |
1316 | 1316 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state}) |
1317 | 1317 |
assert User.objects.count() == 1 |
1318 | ||
1319 | ||
1320 |
def test_oidc_add_role(app, code, oidc_provider, oidc_provider_jwkset, simple_role): |
|
1321 |
oidc_provider.add_role_actions.create(role=simple_role) |
|
1322 | ||
1323 |
response = app.get('/').maybe_follow() |
|
1324 |
response = response.click(oidc_provider.name) |
|
1325 |
location = urllib.parse.urlparse(response.location) |
|
1326 |
query = QueryDict(location.query) |
|
1327 |
state = query['state'] |
|
1328 |
nonce = query['nonce'] |
|
1329 | ||
1330 |
with oidc_provider_mock( |
|
1331 |
oidc_provider, |
|
1332 |
oidc_provider_jwkset, |
|
1333 |
code, |
|
1334 |
nonce=nonce, |
|
1335 |
): |
|
1336 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state}) |
|
1337 | ||
1338 |
user = User.objects.get() |
|
1339 |
assert simple_role in user.roles.all() |
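Review bot: The test only exercises the first grant; the branch in backends.py that skips a role the user already holds (`if action.role not in user.roles.all():`) is not covered, and nothing checks that the login still resolved to a single account. Running the authorization/callback sequence a second time for the same user and then asserting `assert User.objects.count() == 1` together with the existing `assert simple_role in user.roles.all()` would cover the already-held path without new fixtures. A one-line docstring stating that the test verifies role assignment configured on the provider at login would also help, since the function name alone does not say which side configures the role.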
tests/test_manager_authenticators.py | ||
223 | 223 |
assert_event('authenticator.related_object.deletion', user=superuser, session=app.session) |
224 | 224 | |
225 | 225 | |
226 |
def test_authenticators_oidc_add_role(app, superuser, role_ou1): |
|
227 |
authenticator = OIDCProvider.objects.create(slug='idp1') |
|
228 |
resp = login(app, superuser, path=authenticator.get_absolute_url()) |
|
229 | ||
230 |
resp = resp.click('Add', href='role') |
|
231 |
resp.form['role'] = role_ou1.pk |
|
232 |
resp = resp.form.submit().follow() |
|
233 |
assert 'role_ou1' in resp.text |
|
234 | ||
235 | ||
226 | 236 |
def test_authenticators_fc(app, superuser): |
227 | 237 |
resp = login(app, superuser, path='/manage/authenticators/') |
228 | 238 | |
229 |
- |