auth_fc: discard deprecated scopes (#71868)

This commit is contained in:
Paul Marillonnet 2022-11-30 11:15:12 +01:00
parent 8e6a95b6ce
commit d62d23203f
5 changed files with 22 additions and 9 deletions


@ -63,8 +63,6 @@ class Migration(migrations.Migration):
('family_name', 'family name (family_name)'),
('email', 'email (email)'),
('preferred_username', 'usual family name (preferred_username)'),
('address', 'address (address)'),
('phone', 'phone (phone)'),
('identite_pivot', 'core id (identite_pivot)'),
('profile', 'profile (profile)'),
('birth', 'birth profile (birth)'),


@ -40,8 +40,6 @@ SCOPE_CHOICES = [
('family_name', _('family name (family_name)')),
('email', _('email (email)')),
('preferred_username', _('usual family name (preferred_username)')),
('address', _('address (address)')),
('phone', _('phone (phone)')),
('identite_pivot', _('core id (identite_pivot)')),
('profile', _('profile (profile)')),
('birth', _('birth profile (birth)')),
@ -90,7 +88,7 @@ class FcAuthenticator(BaseAuthenticator):
def get_scopes_display(self):
scope_dict = {k: v for k, v in SCOPE_CHOICES}
return ', '.join(str(scope_dict[scope]) for scope in self.scopes)
return ', '.join(str(scope_dict[scope]) for scope in self.scopes if scope in scope_dict)
@property
def authorize_url(self):
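Review bot: The filter added on the `return` line of `get_scopes_display` silently hides any stored scope that is no longer in `SCOPE_CHOICES`, and nothing in the hunk records why; a comment such as `# scopes persisted before a choice was withdrawn must not break the display` would stop the next maintainer from folding it back into the plain lookup. The same supported-set filter is re-implemented independently in `make_authorization_request` (the views hunk, `supported_scopes = {key for key, _ in models.SCOPE_CHOICES}`), so the two copies can drift; a single helper on the authenticator that returns the subset of `self.scopes` present in `SCOPE_CHOICES`, used by both call sites, would keep them aligned. The stale values appear to stay in the database until the authenticator is re-saved through the edit form, which is what the management test relies on, so if that is not intended the migration would also need a data step — hedged, since only the migration's choices list is visible here.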


@ -259,7 +259,10 @@ class LoginOrLinkView(View):
return state, next_url
def make_authorization_request(self, request):
scope = ' '.join(set(['openid'] + self.authenticator.scopes))
supported_scopes = {key for key, _ in models.SCOPE_CHOICES}
scopes = set(self.authenticator.scopes).intersection(supported_scopes)
scopes.add('openid') # mandatory hence not appearing in FC authenticator list
scope = ' '.join(scopes)
nonce_seed, nonce, state = hash_chain(3)
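Review bot: `scope = ' '.join(scopes)` on the new line iterates a set of strings, so the order of the outgoing scope string varies from process to process under hash randomisation; the OAuth `scope` parameter is order-insensitive, so this is not a functional defect, but `scope = ' '.join(sorted(scopes))` makes the authorization request reproducible when comparing logs or recorded test fixtures. The intersection with `supported_scopes` is the right place to drop withdrawn scopes before they reach the provider. `make_authorization_request` continues outside the hunk.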


@ -326,14 +326,14 @@ def test_no_password_with_fc_account_can_reset_password(app, db, mailoutbox):
def test_login_with_missing_required_attributes(settings, app, franceconnect):
Attribute.objects.create(label='Title', name='title', required=True, user_editable=True, kind='title')
Attribute.objects.create(
label='Phone', name='phone', required=True, user_editable=True, kind='phone_number'
label='Birth country', name='birthcountry', required=True, user_editable=True, kind='string'
)
assert User.objects.count() == 0
assert models.FcAccount.objects.count() == 0
franceconnect.user_info['phone'] = '0102030405'
settings.A2_FC_USER_INFO_MAPPINGS = {'phone': {'ref': 'phone'}}
franceconnect.user_info['birthcountry'] = '99512' # Solomon Islands
settings.A2_FC_USER_INFO_MAPPINGS = {'birthcountry': {'ref': 'birthcountry'}}
response = app.get('/login/?service=portail&next=/idp/')
response = response.click(href='callback')


@ -420,6 +420,9 @@ def test_authenticators_fc(app, superuser):
'scopes',
None,
]
assert 'phone' not in resp.pyquery('#id_scopes').html()
assert 'address' not in resp.pyquery('#id_scopes').html()
resp.form['platform'] = 'prod'
resp.form['client_id'] = '211286433e39cce01db448d80181bdfd005554b19cd51b3fe7943f6b3b86ab6k'
resp.form['client_secret'] = '211286433e39cce01db448d80181bdfd005554b19cd51b3fe7943f6b3b86ab6d'
@ -442,6 +445,17 @@ def test_authenticators_fc(app, superuser):
resp = app.get('/manage/authenticators/')
assert 'class="section disabled"' not in resp.text
provider.refresh_from_db()
provider.scopes.extend(['phone', 'address']) # deprecated scopes
provider.save()
resp = app.get(provider.get_absolute_url())
resp = resp.click('Edit')
resp.form.submit().follow()
provider.refresh_from_db()
assert 'phone' not in provider.scopes
assert 'address' not in provider.scopes
def test_authenticators_saml(app, superuser, ou1, ou2):
resp = login(app, superuser, path='/manage/authenticators/')
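Review bot: The two `assert 'phone' not in resp.pyquery('#id_scopes').html()` / `'address'` checks in the first hunk are substring tests on the rendered widget markup, so they would also fail on any unrelated label or attribute that happens to contain those words; asserting against the option values of `resp.form['scopes']` (webtest exposes them through `.options`) pins what the test actually means. In the second hunk the round trip only asserts that the two deprecated entries are gone after the form submit; an assertion that the scopes selected before the edit are still present would also catch the form clearing the field entirely. `test_authenticators_fc` starts before both hunks.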