From d5c4badef2fb6e0732f6d0c1171a19d7293bf85d Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Thu, 27 Oct 2022 16:27:48 +0200
Subject: [PATCH] auth_saml: add name id policy format choices (#70750)

---
 .../migrations/0001_initial.py | 3 +++
 src/authentic2_auth_saml/models.py | 15 ++++++++++++++-
 tests/test_manager_authenticators.py | 11 +++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/src/authentic2_auth_saml/migrations/0001_initial.py b/src/authentic2_auth_saml/migrations/0001_initial.py
index 5186c1209..a612b3551 100644
--- a/src/authentic2_auth_saml/migrations/0001_initial.py
+++ b/src/authentic2_auth_saml/migrations/0001_initial.py
@@ -4,6 +4,8 @@
 import django.contrib.postgres.fields.jsonb
 import django.db.models.deletion
 from django.db import migrations, models
 
+from authentic2_auth_saml.models import NAME_ID_FORMAT_CHOICES
+
 
 class Migration(migrations.Migration):
@@ -108,6 +110,7 @@ class Migration(migrations.Migration):
 help_text='The NameID format to request.',
 max_length=64,
 verbose_name='NameID policy format',
+ choices=NAME_ID_FORMAT_CHOICES,
 ),
 ),
 (
diff --git a/src/authentic2_auth_saml/models.py b/src/authentic2_auth_saml/models.py
index a5d22fb64..9b1609f8b 100644
--- a/src/authentic2_auth_saml/models.py
+++ b/src/authentic2_auth_saml/models.py
@@ -14,6 +14,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program. If not, see .
 
+import lasso
 from django.conf import settings
 from django.contrib.postgres.fields import JSONField
 from django.core.exceptions import ValidationError
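Review bot: The migration's first hunk imports `NAME_ID_FORMAT_CHOICES` from the live `authentic2_auth_saml.models` module, and the second hunk (`choices=NAME_ID_FORMAT_CHOICES,`) consumes it, so a historical migration is now coupled to current application code and to the `lasso` import that module performs. If the constant is ever renamed, moved or the `lasso` binding is unavailable at migrate time, `0001_initial` fails to import and blocks every later migration of the app. Since `choices` has no schema effect, the self-contained form is the literal list that makemigrations would have written, e.g. `choices=[('', 'None'), ('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'Persistent'), …]` with the remaining URNs spelled out, and the import line dropped. Editing an already-applied migration is tolerable here only because no database change is involved; a short comment in the migration saying so would help the next reader.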
@@ -27,6 +28,14 @@ from authentic2.apps.authenticators.models import (
 )
 from authentic2.utils.misc import redirect_to_login
 
+NAME_ID_FORMAT_CHOICES = (
+ ('', _('None')),
+ (lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT, _('Persistent')),
+ (lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT, _('Transient')),
+ (lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL, _('Email')),
+ (lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED, _('UUID')),
+)
+
 
 class SAMLAuthenticator(BaseAuthenticator):
 metadata_url = models.URLField(_('Metadata URL'), max_length=300, blank=True)
@@ -75,7 +84,11 @@ class SAMLAuthenticator(BaseAuthenticator):
 default='{attributes[name_id_content]}@{realm}',
 )
 name_id_policy_format = models.CharField(
- _('NameID policy format'), max_length=64, help_text=_('The NameID format to request.'), blank=True
+ _('NameID policy format'),
+ max_length=64,
+ choices=NAME_ID_FORMAT_CHOICES,
+ help_text=_('The NameID format to request.'),
+ blank=True,
 )
 name_id_policy_allow_create = models.BooleanField(_('NameID policy allow create'), default=True)
 force_authn = models.BooleanField(
diff --git a/tests/test_manager_authenticators.py b/tests/test_manager_authenticators.py
index 0c59e8da7..9fd58307e 100644
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
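Review bot: The last entry of `NAME_ID_FORMAT_CHOICES` labels `lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED` as `_('UUID')`, which is not what the requested format URN says, and nothing on the page explains the mismatch; an administrator choosing "UUID" will send the "unspecified" NameID policy to the IdP. Add a comment above that tuple entry stating why the unspecified format is presented as UUID, e.g. `# 'unspecified' is shown as UUID because that is the value the IdPs we federate with return for it -- TODO confirm`, or rename the label to reflect the format actually requested. A one-line comment on the tuple itself, noting that the empty entry pairs with `blank=True` on `name_id_policy_format` and means "do not send a NameIDPolicy format", would also make the `_('None')` choice self-explanatory.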
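Review bot: Adding `choices=NAME_ID_FORMAT_CHOICES` to `name_id_policy_format` turns a field that was previously free text into a closed set, so any existing `SAMLAuthenticator` row whose stored format is not one of the five tuple values (a custom URN typed in earlier, for instance) will fail model and form validation the next time an administrator edits it, without any change to the database itself. If such values can exist, the page does not show a data migration or a check that maps them to `''` or to the matching constant; I would either add one or document in the field's `help_text` that legacy values must be re-selected. Whether any deployment holds such values is not visible from this diff, so treat this as something to confirm before release.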
@@ -501,6 +501,17 @@ def test_authenticators_saml_no_name_display(app, superuser, ou1, ou2):
 assert 'SAML - idp1' in resp.text
 
+def test_authenticators_saml_name_id_format_select(app, superuser):
+ authenticator = SAMLAuthenticator.objects.create(metadata='meta1.xml', slug='idp1')
+
+ resp = login(app, superuser, path='/manage/authenticators/%s/edit/' % authenticator.pk)
+ resp.form['name_id_policy_format'].select(text='Persistent')
+ resp.form.submit().follow()
+
+ authenticator.refresh_from_db()
+ assert authenticator.name_id_policy_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+
+
 
 def test_authenticators_saml_attribute_lookup(app, superuser):
 authenticator = SAMLAuthenticator.objects.create(metadata='meta1.xml', slug='idp1')
 resp = login(app, superuser, path=authenticator.get_absolute_url())
-- 
2.35.1
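Review bot: `test_authenticators_saml_name_id_format_select` exercises only the "Persistent" option, so it does not pin the one interaction that is easy to get wrong in this change: the empty `('', _('None'))` choice together with `blank=True` must round-trip through the edit form and store `''` rather than a literal "None". I would extend the test with a second submit, `resp.form['name_id_policy_format'].select(text='None')` followed by the same submit and refresh and `assert authenticator.name_id_policy_format == ''`. Asserting against the literal URN rather than the `lasso` constant is a good choice here, since it pins the wire value an IdP will see. The trailing context lines belong to `test_authenticators_saml_attribute_lookup`, whose body continues outside the hunk.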