From f1ed6c60bd68c5c003ed8555672c01122a87b9fb Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 27 Jul 2021 11:14:17 +0200
Subject: [PATCH] middleware: disable automatic passive authentication if ?noauth (#55854)

You can add ?noauth to an URL do disable passive authentication based on an IdP set common domain cookie.
---
 mellon/middleware.py  | 3 +++
 tests/test_sso_slo.py | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/mellon/middleware.py b/mellon/middleware.py
index fc84e89..5db67ac 100644
--- a/mellon/middleware.py
+++ b/mellon/middleware.py
@@ -37,6 +37,9 @@ class PassiveAuthenticationMiddleware(MiddlewareMixin):
         return response
 
     def process_view(self, request, view_func, view_args, view_kwargs):
+        # skip if explicitely asked in the query string
+        if 'no-passive-auth' in request.GET:
+            return
         # Skip AJAX requests
         if request.is_ajax():
             return
diff --git a/tests/test_sso_slo.py b/tests/test_sso_slo.py
index a109ae0..e7fd819 100644
--- a/tests/test_sso_slo.py
+++ b/tests/test_sso_slo.py
@@ -656,7 +656,7 @@ def test_sso_slo_pass_login_hints_backoffice(db, app, idp, caplog, sp_settings):
     assert login_hints[0].text == 'backoffice', 'login hint is not backoffice'
 
 
-def test_middleware_mixin_first_time(db, app, idp, caplog, settings):
+def test_passive_auth_middleware_ok(db, app, idp, caplog, settings):
     settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
     assert 'MELLON_PASSIVE_TRIED' not in app.cookies
     # webtest-lint is against unicode
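Review bot: The query-string key tested in the new guard, `'no-passive-auth'`, does not match the `?noauth` parameter that the commit title and description announce, so a caller following the commit message would not get the opt-out; either the message or the check should be aligned, and the final parameter name belongs in the middleware's documentation. Because the check is a key-presence test, any value (including `?no-passive-auth=0`) disables the passive attempt — worth stating in the comment, e.g. `# Skip passive authentication when the no-passive-auth query parameter is present (any value)`, which also fixes the `explicitely` typo. The rest of process_view lies outside the hunk, so whether the early return also skips setting the MELLON_PASSIVE_TRIED cookie cannot be confirmed here.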
@@ -688,6 +688,14 @@ def test_middleware_mixin_first_time(db, app, idp, caplog, settings):
     assert 'MELLON_PASSIVE_TRIED' in app.cookies
 
 
+def test_passive_auth_middleware_no_passive_auth_parameter(db, app, idp, caplog, settings):
+    settings.MELLON_OPENED_SESSION_COOKIE_NAME = 'IDP_SESSION'
+    assert 'MELLON_PASSIVE_TRIED' not in app.cookies
+    # webtest-lint is against unicode
+    app.set_cookie(str('IDP_SESSION'), str('1'))
+    app.get('/?no-passive-auth', headers={'Accept': force_str('text/html')}, status=200)
+
+
 def test_sso_user_change(db, app, idp, caplog, sp_settings):
     response = app.get(reverse('mellon_login') + '?next=/whatever/')
     url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
-- 
2.32.0.rc0
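Review bot: The new test only checks that the GET with `?no-passive-auth` returns 200; it does not assert that the passive authentication was actually skipped, so it would also pass if the middleware ran and the view still rendered. The preceding test ends with `assert 'MELLON_PASSIVE_TRIED' in app.cookies`, which suggests the normal path leaves that cookie behind; the complementary check here would be `assert 'MELLON_PASSIVE_TRIED' not in app.cookies` after the `app.get(...)` call, and capturing the response to confirm it is not a redirect to the IdP would make the intent explicit. As written the test documents the parameter name only implicitly; a one-line docstring naming the opt-out parameter and the expected non-redirect would help future readers.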