misc: add journal event type for access-denied event on sso (#60679)
parent
342ed7f2b9
commit
5607172c9b
|
@ -329,6 +329,20 @@ class UserServiceSSOUnauthorization(EventTypeWithService):
|
|||
return _('unauthorization of single sign on with "{service}"').format(service=service_name)
|
||||
|
||||
|
||||
class UserServiceSSODenied(EventTypeWithService):
|
||||
name = 'user.service.sso.denial'
|
||||
label = _('was denied single-sign-on')
|
||||
|
||||
@classmethod
|
||||
def record(cls, user, session, service, **kwargs):
|
||||
super().record(user=user, session=session, service=service, data=kwargs)
|
||||
|
||||
@classmethod
|
||||
def get_message(cls, event, context):
|
||||
service_name = cls.get_service_name(event)
|
||||
return _('was denied single sign on with "{service}"').format(service=service_name)
|
||||
|
||||
|
||||
class UserEmailChangeRequest(EventTypeDefinition):
|
||||
name = 'user.email.change.request'
|
||||
label = _('email change request')
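Review bot: `UserServiceSSODenied` has no docstring, and its name is easy to confuse with `UserServiceSSOUnauthorization` just above it and with the `user.service.sso.refusal` event used elsewhere in this commit. Someone reading the journal during an investigation needs to know which of these means that access control rejected the user, so I would add a class docstring along the lines of `"""Recorded when single sign-on to a service is denied by access control."""`. `record` stores every extra keyword argument as the event `data`, and the one caller in this commit passes none, so the event carries no reason for the denial; the docstring should say which keys, if any, are expected. `label` spells 'single-sign-on' while `get_message` spells 'single sign on'; using one form keeps the journal display consistent.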
|
||||
|
|
|
@ -1082,6 +1082,7 @@ class ServiceAccessDenied(Exception):
|
|||
|
||||
def unauthorized_view(request, service):
|
||||
context = {'callback_url': service.unauthorized_url or reverse('auth_homepage')}
|
||||
request.journal.record('user.service.sso.denial', service=service)
|
||||
return render(request, 'authentic2/unauthorized.html', context=context)
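Review bot: The denial is journaled inside `unauthorized_view`, at the point where the error page is rendered, so any code path that handles `ServiceAccessDenied` without going through this view would leave no audit entry; it is worth confirming that every IdP backend ends up here. The call passes only `service`, so user and session are presumably filled in by `request.journal` from the request. If this view can be reached without an authenticated user, the `record(cls, user, session, service, **kwargs)` signature added in this commit may not be satisfied and the denial page could fail instead of rendering, which needs checking. A short comment above the call, for example `# audit trail: access control denied SSO to this service`, would make the intent clear.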
|
||||
|
||||
|
||||
|
|
|
@ -27,7 +27,7 @@ from authentic2.constants import AUTHENTICATION_EVENTS_SESSION_KEY, NONCE_FIELD_
|
|||
from authentic2_idp_cas import constants
|
||||
from authentic2_idp_cas.models import Attribute, Service, Ticket
|
||||
|
||||
from .utils import Authentic2TestCase
|
||||
from .utils import Authentic2TestCase, assert_event
|
||||
|
||||
CAS_NAMESPACES = {
|
||||
'cas': constants.CAS_NAMESPACE,
|
||||
|
@ -138,6 +138,12 @@ class CasTests(Authentic2TestCase):
|
|||
follow=False,
|
||||
)
|
||||
response = client.get(response.url)
|
||||
assert_event(
|
||||
'user.service.sso.denial',
|
||||
session=client.session,
|
||||
user=self.user,
|
||||
service=self.service,
|
||||
)
|
||||
self.assertIn('https://casclient.com/loser/', force_text(response.content))
|
||||
|
||||
def test_role_access_control_granted(self):
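Review bot: The new `assert_event` call checks that a denial event exists after the refused login, but nothing visible here checks the opposite case, that a granted login records no `user.service.sso.denial` event. `test_role_access_control_granted`, which starts on the last line of this hunk, would be the natural place for that, but its body is outside the hunk, so this may already be covered. The same applies to the SAML test `test_sso_authorized_role_nok` further down. A spurious denial entry in the audit journal is as misleading as a missing one, so a negative assertion is worth adding if the test helpers can express it.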
|
||||
|
|
|
@ -612,6 +612,12 @@ def test_sso_authorized_role_nok(app, idp, user):
|
|||
scenario.launch_authn_request()
|
||||
scenario.login(user=user)
|
||||
assert scenario.idp_response.pyquery('a[href="%s"]' % 'https://whatever.com/loser/').text() == 'Back'
|
||||
utils.assert_event(
|
||||
'user.service.sso.denial',
|
||||
session=app.session,
|
||||
user=user,
|
||||
service=scenario.sp.provider,
|
||||
)
|
||||
|
||||
|
||||
def test_sso_redirect_artifact_login_hints(app, user, keys):
|
||||
|
|
|
@ -268,6 +268,7 @@ def events(db, freezer):
|
|||
)
|
||||
|
||||
make("user.service.sso.refusal", user=user, session=session1, service=service)
|
||||
make("user.service.sso.denial", user=user, session=session1, service=service)
|
||||
|
||||
# verify we created at least one event for each type
|
||||
assert set(Event.objects.values_list("type__name", flat=True)) == set(_registry)
|
||||
|
@ -591,6 +592,12 @@ def test_global_journal(app, superuser, events):
|
|||
'type': 'user.service.sso.refusal',
|
||||
'user': 'Johnny doe',
|
||||
},
|
||||
{
|
||||
'message': 'was denied single sign on with "service"',
|
||||
'timestamp': 'Jan. 2, 2020, 9 p.m.',
|
||||
'type': 'user.service.sso.denial',
|
||||
'user': 'Johnny doe',
|
||||
},
|
||||
]
|
||||
|
||||
agent_page = response.click('agent', index=1)
|
||||
|
@ -805,6 +812,12 @@ def test_user_journal(app, superuser, events):
|
|||
'type': 'user.service.sso.refusal',
|
||||
'user': 'Johnny doe',
|
||||
},
|
||||
{
|
||||
'message': 'was denied single sign on with "service"',
|
||||
'timestamp': 'Jan. 2, 2020, 9 p.m.',
|
||||
'type': 'user.service.sso.denial',
|
||||
'user': 'Johnny doe',
|
||||
},
|
||||
]
|
||||
|
||||
|
||||
|
@ -1029,7 +1042,7 @@ def test_search(app, superuser, events):
|
|||
|
||||
response.form.set('search', 'session:1234')
|
||||
response = response.form.submit()
|
||||
assert len(response.pyquery('tbody tr')) == 12
|
||||
assert len(response.pyquery('tbody tr')) == 13
|
||||
assert all(
|
||||
text_content(node) == 'Johnny doe'
|
||||
for node in response.pyquery('tbody tr td.journal-list--user-column')
|
||||
|
|