
0001-CAS-fix-checking-user-service-access-before-redirect.patch

Benjamin Renard, 22 May 2024 05:58 PM



Subject: [PATCH] CAS: fix checking user service access before redirecting him
 (#90766)

License: MIT
 src/authentic2_idp_cas/views.py |  5 ++++
 tests/test_idp_cas.py           | 48 +++++++++++++++++++++++++++++++--
 2 files changed, 51 insertions(+), 2 deletions(-)
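--- a/src/authentic2_idp_cas/views.py
+++ b/src/authentic2_idp_cas/views.py
@@ -169,6 +169,11 @@
         if self.must_authenticate(request, renew, gateway):
             st.save()
             return self.authenticate(request, st)
+
+        # if user not authorized, a ServiceAccessDenied exception
+        # is raised and handled by ServiceAccessMiddleware
+        model.authorize(request.user)
+
         self.validate_ticket(request, st)
         if st.valid():
             st.save()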
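Review bot: The new `model.authorize(request.user)` call runs whenever `must_authenticate(request, renew, gateway)` returns False, and if that method returns False for an anonymous user in `gateway` mode (as a CAS gateway round trip would need), the check now runs against `AnonymousUser` and the denial page / `unauthorized_url` redirect replaces whatever `validate_ticket` did for a ticket-less gateway response. Neither new test exercises `gateway`; either guard the call with `if request.user.is_authenticated:` (only if an anonymous user can indeed never be issued a ticket further down) or add a test pinning the gateway behaviour for an unauthorized or anonymous user. Placing the check before `validate_ticket` and `st.save()` is the right order, since no ServiceTicket is persisted for a denied user. The comment should also state the fail-closed property, e.g. `# without ServiceAccessMiddleware the exception propagates unhandled (HTTP 500) rather than issuing a ticket`. The enclosing method starts and ends outside this hunk.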
tests/test_idp_cas.py
119 119
        )
120 120
        self.assertRedirectsComplex(response, self.URL)
121 121

  
122
    def test_role_access_control_denied(self):
122
    def test_role_access_control_denied_on_continue(self):
123 123
        client = Client()
124 124
        service = self.service
125 125
        service.add_authorized_role(self.authorized_service)
......
146 146
        )
147 147
        self.assertIn('https://casclient.com/loser/', force_str(response.content))
148 148

  
149
    def test_role_access_control_granted(self):
149
    def test_role_access_control_granted_on_continue(self):
150 150
        client = Client()
151 151
        service = self.service
152 152
        service.add_authorized_role(self.authorized_service)
......
170 170
            '/idp/cas/validate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
171 171
        )
172 172

  
173
    def test_role_access_control_granted_on_login(self):
174
        client = Client()
175
        # Firstly, connect
176
        client.get('/login/')
177
        client.post(
178
            '/login/',
179
            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
180
            follow=False,
181
        )
182
        service = self.service
183
        service.add_authorized_role(self.authorized_service)
184
        User.objects.get(username=self.LOGIN).roles.add(self.authorized_service)
185
        assert service.authorized_roles.exists() is True
186
        response = client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL})
187
        location = response['Location']
188
        client = Client()
189
        ticket_id = urllib.parse.parse_qs(location.split('?')[1])[constants.TICKET_PARAM][0]
190
        response = client.get(
191
            '/idp/cas/validate', {constants.TICKET_PARAM: ticket_id, constants.SERVICE_PARAM: self.URL}
192
        )
193

  
194
    def test_role_access_control_denied_on_login(self):
195
        client = Client()
196
        # Firstly, connect
197
        client.get('/login/')
198
        client.post(
199
            '/login/',
200
            {'login-password-submit': '', 'username': self.LOGIN, 'password': self.PASSWORD},
201
            follow=False,
202
        )
203
        service = self.service
204
        service.add_authorized_role(self.authorized_service)
205
        service.unauthorized_url = 'https://casclient.com/loser/'
206
        service.save()
207
        assert service.authorized_roles.exists() is True
208
        response = client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL})
209
        assert_event(
210
            'user.service.sso.denial',
211
            session=client.session,
212
            user=self.user,
213
            service=self.service,
214
        )
215
        self.assertIn('https://casclient.com/loser/', force_str(response.content))
216

  
173 217
    def test_login_validate(self):
174 218
        response = self.client.get('/idp/cas/login', {constants.SERVICE_PARAM: self.URL})
175 219
        self.assertEqual(response.status_code, 302)
176
-
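Review bot: `test_role_access_control_granted_on_login` (new lines 173-192) ends with the `/idp/cas/validate` request but asserts nothing about either response, so it passes even if the validate view rejected the ticket; the only implicit check is the `KeyError` that `parse_qs(...)[constants.TICKET_PARAM]` would raise when the login redirect carries no ticket. Add `assert response.status_code == 302` before reading `response['Location']`, and after the validate call assert the success outcome (`assert response.status_code == 200` plus whatever positive body this project's validate view returns for a valid ticket). The visible tail of `test_role_access_control_granted_on_continue` appears to have the same gap, though its start is hidden by the `......` elision. `test_role_access_control_denied_on_login` could likewise assert that no ticket was issued to the denied user, e.g. that the response has no `Location` header containing `constants.TICKET_PARAM`, rather than only checking that `unauthorized_url` appears in the body.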