From 16631b921f8310336d60283d73cc4428fd695651 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Fri, 3 May 2019 15:55:23 +0200
Subject: [PATCH] utils: add function get_authentication_events (#32780)
---
 src/authentic2/utils.py          | 15 +++++++++++----
 src/authentic2_idp_oidc/views.py |  4 ++--
 tests/test_utils.py              | 18 +++++++++++++++++-
 3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/src/authentic2/utils.py b/src/authentic2/utils.py
index baf20d8f..4b097293 100644
--- a/src/authentic2/utils.py
+++ b/src/authentic2/utils.py
@@ -381,15 +381,14 @@ def record_authentication_event(request, how, nonce=None):
 def find_authentication_event(request, nonce):
     '''Find an authentication event occurring during this session and matching this nonce.'''
-    authentication_events = request.session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, [])
-    for event in authentication_events:
+    for event in get_authentication_events(request=request):
         if event.get('nonce') == nonce:
             return event
     return None
-def last_authentication_event(session):
-    authentication_events = session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, [])
+def last_authentication_event(request=None, session=None):
+    authentication_events = get_authentication_events(request=request, session=None)
     if authentication_events:
         return authentication_events[-1]
     return None
@@ -1119,3 +1118,11 @@ def lazy_label(default, func):
     '''
     return encoding.force_text(func() or default)
 lazy_label = allow_lazy(lazy_label, six.text_type)
+
+
+def get_authentication_events(request=None, session=None):
+    if request is not None and session is None:
+        session = getattr(request, 'session', None)
+    if session is not None:
+        return session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, [])
+    return []
diff --git a/src/authentic2_idp_oidc/views.py b/src/authentic2_idp_oidc/views.py
index af3242b3..f3121596 100644
--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
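Review bot: The new `session` parameter of `last_authentication_event` is never used: the rewritten body calls `get_authentication_events(request=request, session=None)`, so a caller that passes only `session=` — as the `token` view does in this commit's src/authentic2_idp_oidc/views.py hunk — always gets `[]` and the function returns None. The line should read `authentication_events = get_authentication_events(request=request, session=session)`. The test added in tests/test_utils.py exercises only the request path and so cannot catch this; a case calling `last_authentication_event(session=request.session)` after `login` would. The changed signature also carries no description of the `request`/`session` alternatives; a one-liner such as `'''Return the most recent authentication event of the session (taken from request when session is None), or None.'''` would help.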
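Review bot: `get_authentication_events` has no docstring, and the precedence of its two optional arguments is not obvious from the signature: an explicit `session` wins over `request`, and a `request` without a `session` attribute (no session middleware) now silently yields `[]` where the old `request.session.get(...)` in `find_authentication_event` raised, so callers that index the result, such as `last_auth['when']` in `authorize`, fail one step later with a less telling error. Suggested docstring: `'''Return the authentication events stored in the session; when session is None it is read from request.session, and [] is returned if neither is available.'''`. Consider whether the silent fallback on a session-less request should instead raise, since it hides a middleware misconfiguration.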
@@ -188,7 +188,7 @@ def authorize(request, *args, **kwargs):
         # is raised and handled by ServiceAccessMiddleware
         client.authorize(request.user)
-        last_auth = last_authentication_event(request.session)
+        last_auth = last_authentication_event(request=request)
         if max_age is not None and time.time() - last_auth['when'] >= max_age:
             if 'none' in prompt:
                 return authorization_error(request, redirect_uri, 'login_required',
@@ -392,7 +392,7 @@ def token(request, *args, **kwargs):
                 expired=oidc_code.created + datetime.timedelta(seconds=expires_in))
     start = now()
     acr = '0'
-    if (oidc_code.nonce is not None and last_authentication_event(oidc_code.session).get('nonce') ==
+    if (oidc_code.nonce is not None and last_authentication_event(session=oidc_code.session).get('nonce') ==
             oidc_code.nonce):
         acr = '1'
     # prefill id_token with user info
diff --git a/tests/test_utils.py b/tests/test_utils.py
index 8146c850..ddc78fcb 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -1,4 +1,8 @@
-from authentic2.utils import good_next_url, same_origin, select_next_url, user_can_change_password
+from django.contrib.auth import authenticate
+from django.contrib.auth.middleware import AuthenticationMiddleware
+from django.contrib.sessions.middleware import SessionMiddleware
+
+from authentic2.utils import good_next_url, same_origin, select_next_url, user_can_change_password, login, get_authentication_events
 def test_good_next_url(rf, settings):
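Review bot: `last_auth['when']` on the line after the changed call still assumes an event exists; `last_authentication_event` returns None when the session holds no events, and with the new `request=request` form a request lacking a `session` attribute also yields None instead of raising at `request.session`, so the failure now surfaces as a TypeError on the subscript. One option is to treat a missing event like an expired one so the existing `login_required` handling applies: `if max_age is not None and (last_auth is None or time.time() - last_auth['when'] >= max_age):`. `authorize` starts and ends outside this hunk; the `token` hunk below has the same unguarded access via `.get('nonce')`.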
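Review bot: The keyword form `last_authentication_event(session=oidc_code.session)` depends on the callee forwarding `session`, which the src/authentic2/utils.py hunk of this same commit does not do (it passes `session=None`), so whenever `oidc_code.nonce` is set this expression evaluates `None.get('nonce')` and raises AttributeError instead of setting `acr`. Once the callee is fixed the None return for an event-less session still needs a guard; splitting the call keeps the condition readable: `last_auth = last_authentication_event(session=oidc_code.session)` followed by `if oidc_code.nonce is not None and last_auth is not None and last_auth.get('nonce') == oidc_code.nonce:`. `token` starts and ends outside this hunk.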
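Review bot: The rewritten `from authentic2.utils import ...` line now lists six names on one line, well past the length of every other line in the file; wrap it in parentheses with one name per line, e.g. `from authentic2.utils import (` / `    get_authentication_events, good_next_url, login, same_origin,` / `    select_next_url, user_can_change_password)`.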
@@ -52,3 +56,15 @@ def test_user_can_change_password(simple_user, settings):
     assert user_can_change_password(user=simple_user) is True
     settings.A2_REGISTRATION_CAN_CHANGE_PASSWORD = False
     assert user_can_change_password(user=simple_user) is False
+
+
+def test_get_authentication_events_hows(rf, simple_user):
+    user = authenticate(username=simple_user.username, password=simple_user.username)
+    request = rf.get('/login/')
+    middleware = SessionMiddleware()
+    middleware.process_request(request)
+    middleware = AuthenticationMiddleware()
+    middleware.process_request(request)
+    assert 'password' not in [ev['how'] for ev in get_authentication_events(request)]
+    login(request, user, 'password')
+    assert 'password' in [ev['how'] for ev in get_authentication_events(request)]
-- 
2.20.1
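Review bot: `test_get_authentication_events_hows` covers only the `request` path of `get_authentication_events`; the `session=` path and the no-argument path introduced in the same commit are untested, and a session-path assertion would also expose `last_authentication_event` ignoring its `session` argument in src/authentic2/utils.py. Two lines after the `login` call would do: `assert get_authentication_events(session=request.session) == get_authentication_events(request)` and `assert get_authentication_events() == []`. The `authenticate` call presumably relies on the `simple_user` fixture using the username as its password — worth a short comment, since the test fails opaquely if that fixture changes.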