idp_oidc: fix synchronization API calls when OIDC client use UUID identifier policy (fixes #25182)

2018-07-10 13:13:17 +02:00 · 2018-07-10 13:13:17 +02:00 · 2f0ae6bacf
parent 24c35c5ce8
commit 2f0ae6bacf
2 changed files with 33 additions and 3 deletions
--- a/src/authentic2_idp_oidc/apps.py
+++ b/src/authentic2_idp_oidc/apps.py
@ -98,10 +98,13 @@ class AppConfig(django.apps.AppConfig):
                return
            if method_name != 'synchronization':
                return
-            uuid_map = getattr(request, 'uuid_map', {})
+            if not hasattr(request, 'uuid_map'):
+                return
+            uuid_map = request.uuid_map
+
            unknown_uuids = data['unknown_uuids']
            new_unknown_uuids = []
            for u in unknown_uuids:
-	        new_unknown_uuids.append(uuid_map[u])
+                new_unknown_uuids.append(uuid_map[u])
            new_unknown_uuids.extend(request.unknown_uuids)
            data['unknown_uuids'] = new_unknown_uuids
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@ -12,8 +12,11 @@ import utils

 from django.core.urlresolvers import reverse
 from django.utils.timezone import now
+from django.contrib.auth import get_user_model

-from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode, OIDCAccessToken, OIDCClaim
+User = get_user_model()
+
+from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode
 from authentic2_idp_oidc.utils import make_sub
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.utils import make_url
@ -85,6 +88,9 @@ OIDC_CLIENT_PARAMS = [
        'frontchannel_logout_uri': 'https://example.com/southpark/logout/',
        'frontchannel_timeout': 3000,
    },
+    {
+        'identifier_policy': OIDCClient.POLICY_PAIRWISE_REVERSIBLE,
+    },
 ]


@ -869,3 +875,24 @@ def test_oidclient_claims_data_migration():
    executor.loader.build_graph()
    client = OIDCClient.objects.first()
    assert OIDCClaim.objects.filter(client=client.id).count() == 5
+
+
+def test_api_synchronization(app, oidc_client):
+    oidc_client.has_api_access = True
+    oidc_client.save()
+    users = [User.objects.create(username='user-%s' % i) for i in range(10)]
+    for user in users[5:]:
+        user.delete()
+    deleted_subs = set(make_sub(oidc_client, user) for user in users[5:])
+
+    app.authorization = ('Basic', (oidc_client.client_id, oidc_client.client_secret))
+    status = 200
+    if oidc_client.identifier_policy not in (OIDCClient.POLICY_PAIRWISE_REVERSIBLE, OIDCClient.POLICY_UUID):
+        status = 401
+    response = app.post_json('/api/users/synchronization/',
+                             params={
+                                 'known_uuids': [make_sub(oidc_client, user) for user in users]},
+                             status=status)
+    if status == 200:
+        assert response.json['result'] == 1
+        assert set(response.json['unknown_uuids']) == deleted_subs