From 6a67ae18638c14d4b030f5a5b0bea5c725b282a4 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 15 Apr 2019 15:53:17 +0200
Subject: [PATCH 2/2] root: implement automatic tryauth (#12867)
---
 tests/test_saml_auth.py | 16 ++++++++++++++++
 wcs/root.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/tests/test_saml_auth.py b/tests/test_saml_auth.py
index 75d0b7bb..80c1cc9f 100644
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -479,3 +479,19 @@ def test_saml_idp_logout(pub):
 saml2.slo_idp(urlparse.urlparse(logout.msgUrl).query)
 assert req.response.headers['location'].startswith('http://sso.example.net/saml2/slo_return?SAMLResponse=')
 assert req.session is None
+
+
+def test_opened_session_cookie(pub):
+ app = get_app(pub)
+ app.set_cookie('A2_OPENED_SESSION', '1')
+ resp = app.get('/')
+ assert resp.status_int == 302
+ assert resp.location.startswith('http://example.net/login/?ReturnUrl=http%3A//example.net/')
+ assert 'PASSIVE_TRIED_COOKIE' in app.cookies
+
+
+def test_no_opened_session_cookie(pub):
+ app = get_app(pub)
+ resp = app.get('/')
+ assert resp.status_int == 200
+ assert 'PASSIVE_TRIED_COOKIE' not in app.cookies
diff --git a/wcs/root.py b/wcs/root.py
index e02fcb8d..1748d58b 100644
--- a/wcs/root.py
+++ b/wcs/root.py
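Review bot: The two new tests only cover the very first passive attempt; neither the loop guard (both A2_OPENED_SESSION and PASSIVE_TRIED_COOKIE present must answer with a plain 200 and no second redirect) nor the cleanup branch (PASSIVE_TRIED_COOKIE without A2_OPENED_SESSION must be expired) is exercised, and those two branches are what keep a failed passive login from bouncing the user to the IdP on every request. Two more tests in the same style as test_opened_session_cookie pin them down. The expiry assertion relies on webtest's cookie jar dropping a cookie that expire_cookie dated in the past, which is the usual behaviour but worth confirming on the first run.
```python
def test_opened_session_already_tried(pub):
    app = get_app(pub)
    app.set_cookie('A2_OPENED_SESSION', '1')
    app.set_cookie('PASSIVE_TRIED_COOKIE', '1')
    resp = app.get('/')
    assert resp.status_int == 200


def test_passive_tried_cookie_expired_without_session(pub):
    app = get_app(pub)
    app.set_cookie('PASSIVE_TRIED_COOKIE', '1')
    resp = app.get('/')
    assert resp.status_int == 200
    assert 'PASSIVE_TRIED_COOKIE' not in app.cookies
```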
@@ -339,7 +339,35 @@ class RootDirectory(Directory):
 except errors.TraversalError:
 pass
- return forms.root.RootDirectory()._q_traverse(path)
+ output = forms.root.RootDirectory()._q_traverse(path)
+ return self.automatic_sso(output)
+
+ def automatic_sso(self, output):
+ request = get_request()
+ response = get_response()
+
+ OPENED_SESSION_COOKIE = 'A2_OPENED_SESSION'
+ PASSIVE_TRIED_COOKIE = 'PASSIVE_TRIED_COOKIE'
+ if OPENED_SESSION_COOKIE not in request.cookies and PASSIVE_TRIED_COOKIE in request.cookies:
+ response.expire_cookie(PASSIVE_TRIED_COOKIE)
+ return output
+ elif OPENED_SESSION_COOKIE in request.cookies and PASSIVE_TRIED_COOKIE not in request.cookies:
+ ident_methods = get_cfg('identification', {}).get('methods', [])
+ idps = get_cfg('idp', {})
+ if request.user:
+ return output
+ if len(idps) != 1:
+ return output
+ if ident_methods != ['idp']:
+ return output
+ response.set_cookie(PASSIVE_TRIED_COOKIE, '1')
+ url = request.get_url()
+ query = request.get_query()
+ if query:
+ url += '?' + query
+ return forms.root.tryauth(url)
+ else:
+ return output
 
 def _q_lookup(self, component):
 # is this a category ?
-- 
2.20.1
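Review bot: automatic_sso is only called after `forms.root.RootDirectory()._q_traverse(path)` has already produced `output`, and on the passive branch that result is thrown away for every HTTP method, so a POST (a form submission) would have its side effects executed and then be answered with a redirect to the IdP whose return URL carries only the path and query, losing the submitted response. Guarding the attempt with `if request.get_method() != 'GET': return output` ahead of the cookie checks limits it to navigations that can be replayed safely after SSO; doing the check before traversal would avoid the wasted work entirely. `response.set_cookie(PASSIVE_TRIED_COOKIE, '1')` also sets no path, so unless set_cookie supplies a default the browser scopes the marker to the current directory and the loop guard only holds per path prefix; `response.set_cookie(PASSIVE_TRIED_COOKIE, '1', path='/')` with the same path on expire_cookie makes it site-wide. The enclosing _q_traverse starts outside the hunk.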