auth_fc: discard deprecated scopes (#71868)
parent
8e6a95b6ce
commit
d62d23203f
|
@ -63,8 +63,6 @@ class Migration(migrations.Migration):
|
|||
('family_name', 'family name (family_name)'),
|
||||
('email', 'email (email)'),
|
||||
('preferred_username', 'usual family name (preferred_username)'),
|
||||
('address', 'address (address)'),
|
||||
('phone', 'phone (phone)'),
|
||||
('identite_pivot', 'core id (identite_pivot)'),
|
||||
('profile', 'profile (profile)'),
|
||||
('birth', 'birth profile (birth)'),
|
||||
|
|
|
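Review bot: The two entries dropped from this migration's choices list (matching the model-level SCOPE_CHOICES hunk below, presumably 'phone' and 'address' given the test hunks) are removed by editing an existing migration in place, and no data migration strips those values from FcAuthenticator.scopes rows already in the database. That is workable only because the runtime code now filters unknown scopes, but the dependency is invisible here; a short comment above the choices list would make it explicit, e.g. `# choices edited in place: deprecated scopes are tolerated in stored data and filtered at runtime`. The same remark applies to the SCOPE_CHOICES hunk in models.py, which I have not annotated separately.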
@ -40,8 +40,6 @@ SCOPE_CHOICES = [
|
|||
('family_name', _('family name (family_name)')),
|
||||
('email', _('email (email)')),
|
||||
('preferred_username', _('usual family name (preferred_username)')),
|
||||
('address', _('address (address)')),
|
||||
('phone', _('phone (phone)')),
|
||||
('identite_pivot', _('core id (identite_pivot)')),
|
||||
('profile', _('profile (profile)')),
|
||||
('birth', _('birth profile (birth)')),
|
||||
|
@ -90,7 +88,7 @@ class FcAuthenticator(BaseAuthenticator):
|
|||
|
||||
def get_scopes_display(self):
|
||||
scope_dict = {k: v for k, v in SCOPE_CHOICES}
|
||||
return ', '.join(str(scope_dict[scope]) for scope in self.scopes)
|
||||
return ', '.join(str(scope_dict[scope]) for scope in self.scopes if scope in scope_dict)
|
||||
|
||||
@property
|
||||
def authorize_url(self):
|
||||
|
|
|
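Review bot: The added `if scope in scope_dict` filter in get_scopes_display duplicates the intersection with SCOPE_CHOICES that make_authorization_request does in the views.py hunk below, so the two places can drift if a third consumer of scopes appears. A single helper on the model, e.g. `def supported_scopes(self): return [s for s in self.scopes if s in dict(SCOPE_CHOICES)]`, used by both would keep the "stale scopes may persist in the stored list" rule in one place; the context line `{k: v for k, v in SCOPE_CHOICES}` is also just `dict(SCOPE_CHOICES)`. A one-line docstring on get_scopes_display noting that scopes not in SCOPE_CHOICES are silently hidden would help an admin understand why the display can differ from the stored value. The authorize_url property at the end of the hunk continues outside it.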
@ -259,7 +259,10 @@ class LoginOrLinkView(View):
|
|||
return state, next_url
|
||||
|
||||
def make_authorization_request(self, request):
|
||||
scope = ' '.join(set(['openid'] + self.authenticator.scopes))
|
||||
supported_scopes = {key for key, _ in models.SCOPE_CHOICES}
|
||||
scopes = set(self.authenticator.scopes).intersection(supported_scopes)
|
||||
scopes.add('openid') # mandatory hence not appearing in FC authenticator list
|
||||
scope = ' '.join(scopes)
|
||||
|
||||
nonce_seed, nonce, state = hash_chain(3)
|
||||
|
||||
|
|
|
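Review bot: The intersection at `scopes = set(self.authenticator.scopes).intersection(supported_scopes)` silently drops any deprecated scope still stored on the authenticator, leaving no trace for an operator that the configuration is stale. If this module has a module-level logger (not visible in the hunk), computing `dropped = set(self.authenticator.scopes) - supported_scopes` and emitting `logger.warning('fc: ignoring unsupported scopes %s', sorted(dropped))` when non-empty would make the stale configuration detectable without changing behaviour. The `' '.join(scopes)` over a set yields an arbitrary order, which the original line already did and which the scope parameter tolerates, so no change is needed there. make_authorization_request continues past the end of the hunk.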
@ -326,14 +326,14 @@ def test_no_password_with_fc_account_can_reset_password(app, db, mailoutbox):
|
|||
def test_login_with_missing_required_attributes(settings, app, franceconnect):
|
||||
Attribute.objects.create(label='Title', name='title', required=True, user_editable=True, kind='title')
|
||||
Attribute.objects.create(
|
||||
label='Phone', name='phone', required=True, user_editable=True, kind='phone_number'
|
||||
label='Birth country', name='birthcountry', required=True, user_editable=True, kind='string'
|
||||
)
|
||||
|
||||
assert User.objects.count() == 0
|
||||
assert models.FcAccount.objects.count() == 0
|
||||
|
||||
franceconnect.user_info['phone'] = '0102030405'
|
||||
settings.A2_FC_USER_INFO_MAPPINGS = {'phone': {'ref': 'phone'}}
|
||||
franceconnect.user_info['birthcountry'] = '99512' # Solomon Islands
|
||||
settings.A2_FC_USER_INFO_MAPPINGS = {'birthcountry': {'ref': 'birthcountry'}}
|
||||
|
||||
response = app.get('/login/?service=portail&next=/idp/')
|
||||
response = response.click(href='callback')
|
||||
|
|
|
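Review bot: The swap from a required 'phone' attribute to 'birthcountry' in test_login_with_missing_required_attributes is not explained in the test, and a future reader may reintroduce 'phone' not knowing it is no longer a supported FC scope. A comment next to the Attribute creation, e.g. `# 'phone' is no longer a FranceConnect scope, so use an unrelated required attribute`, would preserve the reason. The rest of the test body runs outside the hunk.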
@ -420,6 +420,9 @@ def test_authenticators_fc(app, superuser):
|
|||
'scopes',
|
||||
None,
|
||||
]
|
||||
assert 'phone' not in resp.pyquery('#id_scopes').html()
|
||||
assert 'address' not in resp.pyquery('#id_scopes').html()
|
||||
|
||||
resp.form['platform'] = 'prod'
|
||||
resp.form['client_id'] = '211286433e39cce01db448d80181bdfd005554b19cd51b3fe7943f6b3b86ab6k'
|
||||
resp.form['client_secret'] = '211286433e39cce01db448d80181bdfd005554b19cd51b3fe7943f6b3b86ab6d'
|
||||
|
@ -442,6 +445,17 @@ def test_authenticators_fc(app, superuser):
|
|||
resp = app.get('/manage/authenticators/')
|
||||
assert 'class="section disabled"' not in resp.text
|
||||
|
||||
provider.refresh_from_db()
|
||||
provider.scopes.extend(['phone', 'address']) # deprecated scopes
|
||||
provider.save()
|
||||
|
||||
resp = app.get(provider.get_absolute_url())
|
||||
resp = resp.click('Edit')
|
||||
resp.form.submit().follow()
|
||||
provider.refresh_from_db()
|
||||
assert 'phone' not in provider.scopes
|
||||
assert 'address' not in provider.scopes
|
||||
|
||||
|
||||
def test_authenticators_saml(app, superuser, ou1, ou2):
|
||||
resp = login(app, superuser, path='/manage/authenticators/')
|
||||
|
|
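Review bot: The new block starting at `provider.scopes.extend(['phone', 'address'])` only asserts that re-saving the edit form strips the deprecated scopes; the runtime paths this commit also changed, get_scopes_display and make_authorization_request, are not exercised with a stale scope in this hunk (they may be covered elsewhere in the file). Adding `assert 'phone' not in provider.get_scopes_display()` right after `provider.save()` would pin the display behaviour before the form round-trip. The preceding hunk in the same test (the `'phone' not in ... html()` assertions) needs nothing further.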