misc: add journal event type for access-denied event on sso (#60679)

Benjamin Dauvergne 2022-01-26 22:15:47 +01:00
parent 342ed7f2b9
commit 5607172c9b
5 changed files with 42 additions and 2 deletions


@ -329,6 +329,20 @@ class UserServiceSSOUnauthorization(EventTypeWithService):
return _('unauthorization of single sign on with "{service}"').format(service=service_name)
class UserServiceSSODenied(EventTypeWithService):
name = 'user.service.sso.denial'
label = _('was denied single-sign-on')
@classmethod
def record(cls, user, session, service, **kwargs):
super().record(user=user, session=session, service=service, data=kwargs)
@classmethod
def get_message(cls, event, context):
service_name = cls.get_service_name(event)
return _('was denied single sign on with "{service}"').format(service=service_name)
class UserEmailChangeRequest(EventTypeDefinition):
name = 'user.email.change.request'
label = _('email change request')
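Review bot: `UserServiceSSODenied.record` accepts `**kwargs` and stores them as `data`, but `get_message` only ever reads the service name, so any denial reason a caller passes is journaled yet never shown to the agent reading the journal; either document that the extra kwargs are free-form context, or surface them in the message if the Event API exposes the stored data (the sibling `UserServiceSSOUnauthorization.record` is outside the hunk, so I cannot tell whether it does the same). The label also hyphenates `'was denied single-sign-on'` while the message and the sibling class write "single sign on"; pick one spelling, e.g. `label = _('was denied single sign on')`. A one-line class docstring would help a future reader distinguish this type from the existing `user.service.sso.refusal` event: something like "Recorded when an authenticated user is turned away from a service by the service's access-control rules (emitted from unauthorized_view)", with the refusal/denial distinction confirmed against where `sso.refusal` is recorded.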


@ -1082,6 +1082,7 @@ class ServiceAccessDenied(Exception):
def unauthorized_view(request, service):
context = {'callback_url': service.unauthorized_url or reverse('auth_homepage')}
request.journal.record('user.service.sso.denial', service=service)
return render(request, 'authentic2/unauthorized.html', context=context)
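Review bot: The new journal entry records only `service`, so an investigator can see that access was denied but not which access-control rule (role, attribute, etc.) denied it; the hunk's context line shows a `ServiceAccessDenied` exception class, and if it or the code raising it carries that information the view should pass it through, e.g. `request.journal.record('user.service.sso.denial', service=service, reason=...)` (the event type's `record` already accepts `**kwargs`). Also worth confirming that `unauthorized_view` is only reached by authenticated users: the event type's `record` takes mandatory `user` and `session` arguments, and it is not visible here how `request.journal.record` behaves for an anonymous request. The caller that raises/handles `ServiceAccessDenied` is outside the hunk.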


@ -27,7 +27,7 @@ from authentic2.constants import AUTHENTICATION_EVENTS_SESSION_KEY, NONCE_FIELD_
from authentic2_idp_cas import constants
from authentic2_idp_cas.models import Attribute, Service, Ticket
from .utils import Authentic2TestCase
from .utils import Authentic2TestCase, assert_event
CAS_NAMESPACES = {
'cas': constants.CAS_NAMESPACE,
@ -138,6 +138,12 @@ class CasTests(Authentic2TestCase):
follow=False,
)
response = client.get(response.url)
assert_event(
'user.service.sso.denial',
session=client.session,
user=self.user,
service=self.service,
)
self.assertIn('https://casclient.com/loser/', force_text(response.content))
def test_role_access_control_granted(self):
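Review bot: The new assertion only covers the denied path; the granted path in `test_role_access_control_granted` (which starts on the hunk's last line and whose body is outside it) should assert that no `user.service.sso.denial` event is written, otherwise a regression that routes a granted request through `unauthorized_view` would still pass the suite. If `.utils` has a negative counterpart of `assert_event`, a one-liner there is enough; if not, an `Event.objects.filter(type__name='user.service.sso.denial').exists()` check against the journal model would do, assuming the test has access to it. Independently of that, asserting the denial event before the `assertIn` on the redirect content, or vice versa, makes no difference, but keeping `assert_event` next to the response check it belongs to (as done here) is good.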


@ -612,6 +612,12 @@ def test_sso_authorized_role_nok(app, idp, user):
scenario.launch_authn_request()
scenario.login(user=user)
assert scenario.idp_response.pyquery('a[href="%s"]' % 'https://whatever.com/loser/').text() == 'Back'
utils.assert_event(
'user.service.sso.denial',
session=app.session,
user=user,
service=scenario.sp.provider,
)
def test_sso_redirect_artifact_login_hints(app, user, keys):


@ -268,6 +268,7 @@ def events(db, freezer):
)
make("user.service.sso.refusal", user=user, session=session1, service=service)
make("user.service.sso.denial", user=user, session=session1, service=service)
# verify we created at least one event for each type
assert set(Event.objects.values_list("type__name", flat=True)) == set(_registry)
@ -591,6 +592,12 @@ def test_global_journal(app, superuser, events):
'type': 'user.service.sso.refusal',
'user': 'Johnny doe',
},
{
'message': 'was denied single sign on with "service"',
'timestamp': 'Jan. 2, 2020, 9 p.m.',
'type': 'user.service.sso.denial',
'user': 'Johnny doe',
},
]
agent_page = response.click('agent', index=1)
@ -805,6 +812,12 @@ def test_user_journal(app, superuser, events):
'type': 'user.service.sso.refusal',
'user': 'Johnny doe',
},
{
'message': 'was denied single sign on with "service"',
'timestamp': 'Jan. 2, 2020, 9 p.m.',
'type': 'user.service.sso.denial',
'user': 'Johnny doe',
},
]
@ -1029,7 +1042,7 @@ def test_search(app, superuser, events):
response.form.set('search', 'session:1234')
response = response.form.submit()
assert len(response.pyquery('tbody tr')) == 12
assert len(response.pyquery('tbody tr')) == 13
assert all(
text_content(node) == 'Johnny doe'
for node in response.pyquery('tbody tr td.journal-list--user-column')