From 4029cbc9aa9696ae7689ce5ddaa79ccfe054948c Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 26 Jan 2022 22:15:47 +0100
Subject: [PATCH] misc: add journal event type for access-denied event on sso (#60679)
---
 src/authentic2/journal_event_types.py | 14 ++++++++++++++
 src/authentic2/utils/misc.py | 1 +
 tests/test_idp_cas.py | 8 +++++++-
 tests/test_idp_saml2.py | 6 ++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/src/authentic2/journal_event_types.py b/src/authentic2/journal_event_types.py
index 8634aa91..f92c4874 100644
--- a/src/authentic2/journal_event_types.py
+++ b/src/authentic2/journal_event_types.py
@@ -329,6 +329,20 @@ class UserServiceSSOUnauthorization(EventTypeWithService):
 return _('unauthorization of single sign on with "{service}"').format(service=service_name)
+class UserServiceSSODenied(EventTypeWithService):
+ name = 'user.service.sso.denial'
+ label = _('was denied single-sign-on')
+
+ @classmethod
+ def record(cls, user, session, service, **kwargs):
+ super().record(user=user, session=session, service=service, data=kwargs)
+
+ @classmethod
+ def get_message(cls, event, context):
+ service_name = cls.get_service_name(event)
+ return _('was denied single sign on with "{service}"').format(service=service_name)
+
+
 class UserEmailChangeRequest(EventTypeDefinition):
 name = 'user.email.change.request'
 label = _('email change request')
diff --git a/src/authentic2/utils/misc.py b/src/authentic2/utils/misc.py
index 8cd6e871..c6608e6e 100644
--- a/src/authentic2/utils/misc.py
+++ b/src/authentic2/utils/misc.py
@@ -1082,6 +1082,7 @@ class ServiceAccessDenied(Exception):
 def unauthorized_view(request, service):
 context = {'callback_url': service.unauthorized_url or reverse('auth_homepage')}
+ request.journal.record('user.service.sso.denial', service=service)
 return render(request, 'authentic2/unauthorized.html', context=context)
diff --git a/tests/test_idp_cas.py b/tests/test_idp_cas.py
index 111f84aa..01ef0657 100644
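Review bot: `UserServiceSSODenied.record` stores every extra keyword in `data`, but `get_message` never reads `event.data`, so any cause a caller attaches to the denial is written to the journal yet never rendered; either fold it into the message or drop `**kwargs` so the signature does not promise a detail the display ignores. The class also has no docstring — I would add `"""Journal entry for an SSO request refused by a service's access control; counterpart of the authorization/unauthorization types above."""` (the trigger is inferred from the misc.py hunk, so confirm the wording). Minor wording nit: `label` says 'single-sign-on' while the message and the neighbouring classes say 'single sign on'.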
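Review bot: The new `request.journal.record('user.service.sso.denial', service=service)` captures only which service refused the user, not why — `unauthorized_view` receives no reason, so an investigator reading the journal cannot tell a role-based refusal from any other `ServiceAccessDenied` path that lands here (inferred; the callers are outside this hunk). If the caller has the failed check at hand, thread it through as a keyword, e.g. `request.journal.record('user.service.sso.denial', service=service, reason=reason)`, since the new event type already stashes extra keywords in its data. A one-line why-comment above the call would also help: `# journal the refusal so denied SSO attempts are auditable alongside grants`. I cannot see from the hunk that `request.journal` is attached on every request path reaching this view; presumably middleware guarantees it — confirm.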
--- a/tests/test_idp_cas.py
+++ b/tests/test_idp_cas.py
@@ -27,7 +27,7 @@ from authentic2.constants import AUTHENTICATION_EVENTS_SESSION_KEY, NONCE_FIELD_
 from authentic2_idp_cas import constants
 from authentic2_idp_cas.models import Attribute, Service, Ticket
-from .utils import Authentic2TestCase
+from .utils import Authentic2TestCase, assert_event
 CAS_NAMESPACES = {
 'cas': constants.CAS_NAMESPACE,
@@ -138,6 +138,12 @@ class CasTests(Authentic2TestCase):
 follow=False,
 )
 response = client.get(response.url)
+ assert_event(
+ 'user.service.sso.denial',
+ session=client.session,
+ user=self.user,
+ service=self.service,
+ )
 self.assertIn('https://casclient.com/loser/', force_text(response.content))
 def test_role_access_control_granted(self):
diff --git a/tests/test_idp_saml2.py b/tests/test_idp_saml2.py
index e9abce31..905205da 100644
--- a/tests/test_idp_saml2.py
+++ b/tests/test_idp_saml2.py
@@ -612,6 +612,12 @@ def test_sso_authorized_role_nok(app, idp, user):
 scenario.launch_authn_request()
 scenario.login(user=user)
 assert scenario.idp_response.pyquery('a[href="%s"]' % 'https://whatever.com/loser/').text() == 'Back'
+ utils.assert_event(
+ 'user.service.sso.denial',
+ session=app.session,
+ user=user,
+ service=scenario.sp.provider,
+ )
 def test_sso_redirect_artifact_login_hints(app, user, keys):
--
2.34.1
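Review bot: The added `assert_event` proves a denial was journaled but not that the refused request left no grant-side trail — a regression that records both an SSO-granted event and `user.service.sso.denial` for the same session would still pass. Alongside the positive check, assert that no SSO-authorization event exists for `client.session` after the denied `client.get(response.url)`; I cannot see the helper API from here, so use whichever journal query `tests/utils` offers. The enclosing test method starts outside the hunk.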
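Review bot: Only one side of the access-control contract is pinned — this hunk asserts the denial is journaled for the refused role, but the granted counterpart of this scenario (outside the hunk, if it exists) should symmetrically assert that no `user.service.sso.denial` event is recorded, otherwise a bug that journals a denial on every SSO would go unnoticed. Here `service=scenario.sp.provider` while the CAS test passes `service=self.service`, so two different object types reach the event as "service"; that relies on `EventTypeWithService.get_service_name` handling both, which is not visible in this patch — confirm. Since the event is the subject of this commit, I would also place `utils.assert_event(...)` before the `pyquery` 'Back' assertion so a template regression does not mask a journaling one.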