From 8a3ead6780167deced4a844bff5a60076a366999 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 10 Jul 2018 13:13:17 +0200
Subject: [PATCH] idp_oidc: fix synchronization API calls when OIDC client use UUID identifier policy (fixes #25182)
---
 src/authentic2_idp_oidc/apps.py | 7 +++++--
 tests/test_idp_oidc.py | 29 ++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/authentic2_idp_oidc/apps.py b/src/authentic2_idp_oidc/apps.py
index af4373cb..c3c56367 100644
--- a/src/authentic2_idp_oidc/apps.py
+++ b/src/authentic2_idp_oidc/apps.py
@@ -98,10 +98,13 @@ class AppConfig(django.apps.AppConfig):
 return
 if method_name != 'synchronization':
 return
- uuid_map = getattr(request, 'uuid_map', {})
+ if not hasattr(request, 'uuid_map'):
+ return
+ uuid_map = request.uuid_map
+
 unknown_uuids = data['unknown_uuids']
 new_unknown_uuids = []
 for u in unknown_uuids:
- new_unknown_uuids.append(uuid_map[u])
+ new_unknown_uuids.append(uuid_map[u])
 new_unknown_uuids.extend(request.unknown_uuids)
 data['unknown_uuids'] = new_unknown_uuids
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index 26ae9054..3d5bcc5a 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -12,8 +12,11 @@ import utils
 from django.core.urlresolvers import reverse
 from django.utils.timezone import now
+from django.contrib.auth import get_user_model
-from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode, OIDCAccessToken, OIDCClaim
+User = get_user_model()
+
+from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode
 from authentic2_idp_oidc.utils import make_sub
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.utils import make_url
@@ -85,6 +88,9 @@ OIDC_CLIENT_PARAMS = [
 'frontchannel_logout_uri': 'https://example.com/southpark/logout/',
 'frontchannel_timeout': 3000,
 },
+ {
+ 'identifier_policy': OIDCClient.POLICY_PAIRWISE_REVERSIBLE,
+ },
 ]
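Review bot: The new guard only checks for `request.uuid_map`, but the lines that follow also read `data['unknown_uuids']` and `request.unknown_uuids`, neither of which is covered, so a response without that key or a request object missing the second attribute still raises from inside this hook. If both attributes are always set together by the code that builds `uuid_map` (outside this hunk), a comment saying so would make the single check intentional; otherwise extend it to `if not hasattr(request, 'uuid_map') or not hasattr(request, 'unknown_uuids'): return`. Keeping `uuid_map[u]` as a strict lookup is the right choice here: a fallback such as `uuid_map.get(u, u)` would pass an internal identifier through to the client unmapped, so a KeyError is preferable to a silent substitution. The removed and re-added `append` lines look identical as collapsed here, presumably a whitespace-only change; the loop could also read `new_unknown_uuids = [uuid_map[u] for u in unknown_uuids]`. The enclosing method starts before this hunk.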
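Review bot: The rewritten import drops `OIDCClaim` (and `OIDCAccessToken`) from `from authentic2_idp_oidc.models import ...`, yet the context of the last hunk in this file still evaluates `OIDCClaim.objects.filter(client=client.id).count()` inside test_oidclient_claims_data_migration, which would be a NameError unless that test binds the name locally (its body starts outside the hunk, and migration tests often obtain the model through the migration state's `apps.get_model`). Either keep `OIDCClaim` in the module-level import or confirm that local binding exists. Placing `User = get_user_model()` between two import groups also splits the import block; moving it below the last `from authentic2.utils import make_url` line keeps the imports contiguous.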
@@ -869,3 +875,24 @@ def test_oidclient_claims_data_migration():
 executor.loader.build_graph()
 client = OIDCClient.objects.first()
 assert OIDCClaim.objects.filter(client=client.id).count() == 5
+
+
+def test_api_synchronization(app, oidc_client):
+ oidc_client.has_api_access = True
+ oidc_client.save()
+ users = [User.objects.create(username='user-%s' % i) for i in range(10)]
+ for user in users[5:]:
+ user.delete()
+ deleted_subs = set(make_sub(oidc_client, user) for user in users[5:])
+ app.authorization = ('Basic', (oidc_client.client_id, oidc_client.client_secret))
+ status = 200
+ if oidc_client.identifier_policy not in (OIDCClient.POLICY_PAIRWISE_REVERSIBLE, OIDCClient.POLICY_UUID):
+ status = 401
+ response = app.post_json('/api/users/synchronization/',
+ params={
+ 'known_uuids': [make_sub(oidc_client, user) for user in users]},
+ status=status)
+ if status == 200:
+ assert response.json['result'] == 1
+ assert set(response.json['unknown_uuids']) == deleted_subs
-- 
2.18.0
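Review bot: `deleted_subs` is computed after `user.delete()` has already run on those instances; Django's `delete()` sets the instance's primary key to `None`, so if `make_sub` derives the subject from the pk rather than from a field that survives deletion, the expected set would be built from stale objects. Moving `deleted_subs = set(make_sub(oidc_client, user) for user in users[5:])` above the `for user in users[5:]: user.delete()` loop makes the test independent of which field `make_sub` uses, and the set is more idiomatic as `{make_sub(oidc_client, user) for user in users[5:]}`. In the 401 branch nothing about the response is asserted; a one-line comment such as `# clients whose identifier policy cannot be mapped back to users are rejected` would document why only the status is checked there. `make_sub`'s implementation is outside this hunk.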