Restrict the collectivity selectors to collectivities linked to the certificate, if only one collectivity exists, set readonly (fixes #7651)

src/authentic2_pratic/backends.py

@@ -44,12 +44,14 @@ class PraticSSLBackend(BaseBackend):
 class PraticLoginPasswordSSLBackend(PraticLoginPasswordBackend):
     def authenticate(self, collectivity, username, password, ssl_info):
         user = super(PraticLoginPasswordSSLBackend, self).authenticate(collectivity, username, password)
-        if user:
-            col = user.collectivity
-            if col.certificate_issuer_dn and \
-                col.certificate_subject_dn and \
-                col.certificate_issuer_dn == ssl_info.issuer_dn and \
-                    col.certificate_subject_dn == ssl_info.subject_dn:
+        if collectivity not in list(ssl_info.collectivity):
+            return
+        try:
+            user = models.User.objects.select_related().get(collectivity=collectivity, uid=username)
+        except models.User.DoesNotExist:
+            pass
+        else:
+            if user.check_password(password):
                 return user
 
     def get_saml2_authn_context(self, **kwargs):

src/authentic2_pratic/forms.py

@@ -148,7 +148,10 @@ class AuthenticationForm(forms.Form):
         super(AuthenticationForm, self).__init__(*args, **kwargs)
         if request and hasattr(request, 'ssl_info') and request.ssl_info \
                 and request.ssl_info.collectivity:
-                    self.fields['collectivity'].initial = request.ssl_info.collectivity.pk
+            self.fields['collectivity'].queryset = request.ssl_info.collectivity
+            self.fields['collectivity'].initial = request.ssl_info.collectivity[0].pk
+            if len(request.ssl_info.collectivity) < 2:
+                self.fields['collectivity'].widget.attrs['readonly'] = 'readonly'
 
     def clean(self):
         collectivity = self.cleaned_data.get('collectivity')

src/authentic2_pratic/templates/authentic2_pratic/login.html

@@ -39,9 +39,13 @@
 
   {% if request.ssl_info and request.ssl_info.collectivity %}
     <p class="pratic-ssl-collectivity-auth">
-      {% blocktrans with collectivity=request.ssl_info.collectivity %}You are
-      authenticated with certificate of collectivity <em>{{collectivity}}.</em> It has
-      been pre-selected for you.{% endblocktrans %}
+      {% with collectivities=request.ssl_info.collectivity counter=collectivities|length %}
+        {% if counter < 2 %}
+          {% blocktrans with first=collectivities.0 %}You are authenticated with certificate of collectivity <em>{{ first }}.</em> It has been pre-selected for you.{% endblocktrans %}
+        {% else %}
+          {% blocktrans with all=collectivities|join:", " %}You are authenticated with certificate of collectivities <em>{{ all }}.</em> It has been pre-selected for you.{% endblocktrans %}
+        {% endif %}
+      {% endwith %}
     </p>
   {% endif %}
 

src/authentic2_pratic/utils.py

@@ -50,10 +50,7 @@ class SSLInfo(object):
         if self.issuer_dn and self.subject_dn:
             kwargs = dict(certificate_issuer_dn=self.issuer_dn,
                     certificate_subject_dn=self.subject_dn)
-            try:
-                self.__dict__['collectivity'] = models.Collectivity.objects.get(**kwargs)
-            except models.Collectivity.DoesNotExist:
-                self.__dict__['collectivity'] = None
+            self.__dict__['collectivity'] = models.Collectivity.objects.filter(**kwargs)
             self.__dict__['users'] = models.User.objects.filter(**kwargs).select_related()
         else:
             self.__dict__['collectivity'] = None