auth_saml: add name id policy format choices (#70750)

2022-10-31 14:54:56 +01:00 · 2022-10-31 14:54:56 +01:00 · 65e5a32250
parent 9670f4d857
commit 65e5a32250
3 changed files with 37 additions and 1 deletions
--- a/src/authentic2_auth_saml/migrations/0001_initial.py
+++ b/src/authentic2_auth_saml/migrations/0001_initial.py
@ -5,6 +5,7 @@ import django.db.models.deletion
 from django.db import migrations, models

 import authentic2_auth_saml.models
+from authentic2_auth_saml.models import NAME_ID_FORMAT_CHOICES


 class Migration(migrations.Migration):
@ -117,6 +118,7 @@ class Migration(migrations.Migration):
                        help_text='The NameID format to request.',
                        max_length=64,
                        verbose_name='NameID policy format',
+                        choices=NAME_ID_FORMAT_CHOICES,
                    ),
                ),
                (
--- a/src/authentic2_auth_saml/models.py
+++ b/src/authentic2_auth_saml/models.py
@ -32,6 +32,23 @@ from authentic2.apps.authenticators.models import (
 )
 from authentic2.utils.misc import redirect_to_login

+NAME_ID_FORMAT_CHOICES = (
+    ('', _('None')),
+    (
+        lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+        _('Persistent (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+    ),
+    (
+        lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
+        _('Transient (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
+    ),
+    (lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL, _('Email (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL),
+    (
+        lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+        _('Unspecified (%s)') % lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
+    ),
+)
+

 def validate_metadata(metadata):
    try:
@ -88,7 +105,11 @@ class SAMLAuthenticator(BaseAuthenticator):
        default='{attributes[name_id_content]}@{realm}',
    )
    name_id_policy_format = models.CharField(
-        _('NameID policy format'), max_length=64, help_text=_('The NameID format to request.'), blank=True
+        _('NameID policy format'),
+        max_length=64,
+        choices=NAME_ID_FORMAT_CHOICES,
+        help_text=_('The NameID format to request.'),
+        blank=True,
    )
    name_id_policy_allow_create = models.BooleanField(_('NameID policy allow create'), default=True)
    force_authn = models.BooleanField(
--- a/tests/test_manager_authenticators.py
+++ b/tests/test_manager_authenticators.py
@ -565,6 +565,19 @@ def test_authenticators_saml_no_name_display(app, superuser, ou1, ou2):
    assert 'SAML - idp1' in resp.text


+def test_authenticators_saml_name_id_format_select(app, superuser):
+    authenticator = SAMLAuthenticator.objects.create(metadata_url='https://example.com/meta.xml', slug='idp1')
+
+    resp = login(app, superuser, path='/manage/authenticators/%s/edit/' % authenticator.pk)
+    resp.form['name_id_policy_format'].select(
+        text='Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)'
+    )
+    resp.form.submit().follow()
+
+    authenticator.refresh_from_db()
+    assert authenticator.name_id_policy_format == 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+
+
 def test_authenticators_saml_attribute_lookup(app, superuser):
    authenticator = SAMLAuthenticator.objects.create(metadata='meta1.xml', slug='idp1')
    resp = login(app, superuser, path=authenticator.get_absolute_url())