From 65e5a32250334f314bcee10d59803ff312b6e72f Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Mon, 31 Oct 2022 14:54:56 +0100
Subject: [PATCH] auth_saml: add name id policy format choices (#70750)

---
 .../migrations/0001_initial.py | 2 ++
 src/authentic2_auth_saml/models.py | 23 ++++++++++++++++++-
 tests/test_manager_authenticators.py | 13 +++++++++++
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/authentic2_auth_saml/migrations/0001_initial.py b/src/authentic2_auth_saml/migrations/0001_initial.py
index cabaf4ddd..66ddeed63 100644
--- a/src/authentic2_auth_saml/migrations/0001_initial.py
+++ b/src/authentic2_auth_saml/migrations/0001_initial.py
@@ -5,6 +5,7 @@ import django.db.models.deletion
 from django.db import migrations, models
 
 import authentic2_auth_saml.models
+from authentic2_auth_saml.models import NAME_ID_FORMAT_CHOICES
 
 
 class Migration(migrations.Migration):
@@ -117,6 +118,7 @@ class Migration(migrations.Migration):
 help_text='The NameID format to request.',
 max_length=64,
 verbose_name='NameID policy format',
+ choices=NAME_ID_FORMAT_CHOICES,
 ),
 ),
 (
diff --git a/src/authentic2_auth_saml/models.py b/src/authentic2_auth_saml/models.py
index 3ead57987..ce8113877 100644
--- a/src/authentic2_auth_saml/models.py
+++ b/src/authentic2_auth_saml/models.py
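Review bot: Importing `NAME_ID_FORMAT_CHOICES` from the live models module into `0001_initial.py` turns a migration that is supposed to be a frozen snapshot into one whose content tracks whatever the constant holds at import time, and because the migration state and the model then always agree, later edits to the choice list will not be picked up by `makemigrations`. Serialize the tuple into the migration the way `makemigrations` itself would, e.g. `choices=[('', 'None'), ('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)'), ...]`, and drop the added import. The file already imports `authentic2_auth_saml.models` for a callable reference, so the pattern has precedent, but a constant tuple has no reason to stay live. Since `choices` has no effect on the database schema, amending the already-applied initial migration in place is harmless to existing deployments, although a separate migration would be the conventional route.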
@@ -32,6 +32,23 @@ from authentic2.apps.authenticators.models import (
 )
 from authentic2.utils.misc import redirect_to_login
 
+NAME_ID_FORMAT_CHOICES = (
+ ('', _('None')),
+ (
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+ _('Persistent (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+ ),
+ (
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
+ _('Transient (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
+ ),
+ (lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL, _('Email (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL),
+ (
+ lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+ _('Unspecified (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+ ),
+)
+
 
 def validate_metadata(metadata):
 try:
@@ -88,7 +105,11 @@ class SAMLAuthenticator(BaseAuthenticator):
 default='{attributes[name_id_content]}@{realm}',
 )
 name_id_policy_format = models.CharField(
- _('NameID policy format'), max_length=64, help_text=_('The NameID format to request.'), blank=True
+ _('NameID policy format'),
+ max_length=64,
+ choices=NAME_ID_FORMAT_CHOICES,
+ help_text=_('The NameID format to request.'),
+ blank=True,
 )
 name_id_policy_allow_create = models.BooleanField(_('NameID policy allow create'), default=True)
 force_authn = models.BooleanField(
diff --git a/tests/test_manager_authenticators.py b/tests/test_manager_authenticators.py
index bb6072dcf..e60b09e18 100644
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
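Review bot: `_('Persistent (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT` and its three siblings apply `%` to the translation object at module import time; if `_` is bound to `gettext_lazy`, as is usual in a Django models module (the binding is above this hunk, so confirm), the lazy proxy evaluates `__mod__` eagerly, so each label is fixed in whichever language is active when the module is first imported and never follows the request language in the manager UI. `format_lazy` from `django.utils.text` keeps the labels lazy: `format_lazy(_('Persistent ({})'), lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)`. A one-line comment on the tuple would also help the next reader, e.g. `# '' = do not request any NameIDPolicy Format; the rest are the SAML 2.0 formats exposed by lasso`, with the empty-value behaviour to be confirmed against the AuthnRequest builder, which is outside this hunk.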
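Review bot: Adding `choices=NAME_ID_FORMAT_CHOICES` to a populated free-text field is not paired with a data migration or any check on existing rows: an authenticator whose stored `name_id_policy_format` is outside the new list (the SAML 2.0 `kerberos`, `entity` or `X509SubjectName` formats, or a SAML 1.1 URN an operator typed in) now fails model validation, and because the edit form's select has no option for it the browser submits the first option, so the next save of that authenticator for any unrelated reason silently resets the requested format to `''`. Either migrate unlisted values explicitly (to `''` or to the unspecified format, with a log line so operators notice) or keep the stored value by appending it to the form field's choices when it is not listed. The help text could also say what the blank choice means and that the request is advisory, e.g. `help_text=_('The NameID format to request; leave empty to let the identity provider choose. The provider may ignore the request.')`, with the empty-value handling to be confirmed against the AuthnRequest builder outside this hunk. The `SAMLAuthenticator` class continues past the end of the hunk.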
@@ -565,6 +565,19 @@ def test_authenticators_saml_no_name_display(app, superuser, ou1, ou2):
 assert 'SAML - idp1' in resp.text
 
 
+def test_authenticators_saml_name_id_format_select(app, superuser):
+ authenticator = SAMLAuthenticator.objects.create(metadata_url='https://example.com/meta.xml', slug='idp1')
+
+ resp = login(app, superuser, path='/manage/authenticators/%s/edit/' % authenticator.pk)
+ resp.form['name_id_policy_format'].select(
+ text='Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)'
+ )
+ resp.form.submit().follow()
+
+ authenticator.refresh_from_db()
+ assert authenticator.name_id_policy_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+
+
 def test_authenticators_saml_attribute_lookup(app, superuser):
 authenticator = SAMLAuthenticator.objects.create(metadata='meta1.xml', slug='idp1')
 resp = login(app, superuser, path=authenticator.get_absolute_url())
-- 
2.35.1
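Review bot: `test_authenticators_saml_name_id_format_select` only checks that the persistent option round-trips through the edit form; it does not cover the case the new `choices` make risky, a stored `name_id_policy_format` that is not in `NAME_ID_FORMAT_CHOICES`. Add a second case that creates the authenticator with, for example, `name_id_policy_format='urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos'`, opens the edit page, submits it unchanged and asserts whether the value is rejected or preserved, so the behaviour for pre-existing configurations is pinned instead of left to the select widget's default. The sibling test below builds its authenticator from a local `metadata='meta1.xml'` whereas this one uses `metadata_url='https://example.com/meta.xml'`; if anything on the edit path fetches metadata, the test would reach for the network, so it is worth confirming nothing does (that logic is not in this hunk). A bare `resp.form.submit().follow()` also hides a failed validation, so asserting the redirect status or the absence of form errors would make the test fail for the right reason.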