idp_oidc: fix synchronization API calls when OIDC client use UUID identifier policy (fixes #25182)
parent
24c35c5ce8
commit
2f0ae6bacf
@ -98,10 +98,13 @@ class AppConfig(django.apps.AppConfig):
return
return
if method_name != 'synchronization':
if method_name != 'synchronization':
return
return
uuid_map = getattr(request, 'uuid_map', {})
if not hasattr(request, 'uuid_map'):
return
uuid_map = request.uuid_map
unknown_uuids = data['unknown_uuids']
unknown_uuids = data['unknown_uuids']
new_unknown_uuids = []
new_unknown_uuids = []
for u in unknown_uuids:
for u in unknown_uuids:
new_unknown_uuids.append(uuid_map[u])
new_unknown_uuids.append(uuid_map[u])
new_unknown_uuids.extend(request.unknown_uuids)
new_unknown_uuids.extend(request.unknown_uuids)
data['unknown_uuids'] = new_unknown_uuids
data['unknown_uuids'] = new_unknown_uuids
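Review bot: The new early return makes the missing-attribute case fail open — when `request.uuid_map` is absent, `data['unknown_uuids']` is sent back untranslated, which is right for the UUID policy but would also hand raw user UUIDs to a pairwise-reversible client if whatever sets `uuid_map` earlier in the request did not run. Keying the guard on the client's identifier policy (or on the same condition that earlier hook uses) rather than on attribute presence would close that gap, and the `return` deserves a comment such as `# no uuid_map: the client receives plain UUIDs, nothing to translate back`. The `uuid_map[u]` lookup in the loop below still raises KeyError for an entry that is not in the map; whether every unknown uuid is guaranteed to be present is not visible in this hunk. The enclosing method starts before the hunk.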
@ -12,8 +12,11 @@ import utils
from django.core.urlresolvers import reverse
from django.core.urlresolvers import reverse
from django.utils.timezone import now
from django.utils.timezone import now
from django.contrib.auth import get_user_model
from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode, OIDCAccessToken, OIDCClaim
User = get_user_model()
from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode
from authentic2_idp_oidc.utils import make_sub
from authentic2_idp_oidc.utils import make_sub
from authentic2.a2_rbac.utils import get_default_ou
from authentic2.a2_rbac.utils import get_default_ou
from authentic2.utils import make_url
from authentic2.utils import make_url
@ -85,6 +88,9 @@ OIDC_CLIENT_PARAMS = [
'frontchannel_logout_uri': 'https://example.com/southpark/logout/',
'frontchannel_logout_uri': 'https://example.com/southpark/logout/',
'frontchannel_timeout': 3000,
'frontchannel_timeout': 3000,
},
},
{
'identifier_policy': OIDCClient.POLICY_PAIRWISE_REVERSIBLE,
},
]
]
@ -869,3 +875,24 @@ def test_oidclient_claims_data_migration():
executor.loader.build_graph()
executor.loader.build_graph()
client = OIDCClient.objects.first()
client = OIDCClient.objects.first()
assert OIDCClaim.objects.filter(client=client.id).count() == 5
assert OIDCClaim.objects.filter(client=client.id).count() == 5
def test_api_synchronization(app, oidc_client):
oidc_client.has_api_access = True
oidc_client.save()
users = [User.objects.create(username='user-%s' % i) for i in range(10)]
for user in users[5:]:
user.delete()
deleted_subs = set(make_sub(oidc_client, user) for user in users[5:])
app.authorization = ('Basic', (oidc_client.client_id, oidc_client.client_secret))
status = 200
if oidc_client.identifier_policy not in (OIDCClient.POLICY_PAIRWISE_REVERSIBLE, OIDCClient.POLICY_UUID):
status = 401
response = app.post_json('/api/users/synchronization/',
params={
'known_uuids': [make_sub(oidc_client, user) for user in users]},
status=status)
if status == 200:
assert response.json['result'] == 1
assert set(response.json['unknown_uuids']) == deleted_subs
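Review bot: The rewritten models import `from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode` in the first hunk no longer names OIDCClaim (nor OIDCAccessToken), yet the unchanged `assert OIDCClaim.objects.filter(client=client.id).count() == 5` in test_oidclient_claims_data_migration still uses it; if the right-hand column is the new side, as it is elsewhere in this commit, that test now fails with NameError unless OIDCClaim is imported somewhere outside the shown hunks. Keeping `from authentic2_idp_oidc.models import OIDCClient, OIDCAuthorization, OIDCCode, OIDCAccessToken, OIDCClaim` avoids that. In the new test_api_synchronization, `set(make_sub(oidc_client, user) for user in users[5:])` reads more naturally as the set comprehension `{make_sub(oidc_client, user) for user in users[5:]}`, and a short comment above the `status = 401` branch saying why clients with other identifier policies are expected to be refused would help the next reader, since that reasoning lives in code outside this file.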