auth_oidc: exclude disabled attributes in claim mapping form (#75474) #24
|
@ -78,7 +78,10 @@ def parse_id_token(encoded, provider):
|
||||||
|
|
||||||
def resolve_claim_mappings(provider, context, id_token=None, user_info=None):
|
def resolve_claim_mappings(provider, context, id_token=None, user_info=None):
|
||||||
mappings = []
|
mappings = []
|
||||||
|
disabled_attrs = Attribute.all_objects.filter(disabled=True).values_list('name', flat=True)
|
||||||
for claim_mapping in provider.claim_mappings.all():
|
for claim_mapping in provider.claim_mappings.all():
|
||||||
|
if claim_mapping.attribute in disabled_attrs:
|
||||||
|
continue
|
||||||
claim = claim_mapping.claim
|
claim = claim_mapping.claim
|
||||||
if id_token is None and user_info is None:
|
if id_token is None and user_info is None:
|
||||||
source = context
|
source = context
|
||||||
|
|
|
@ -25,6 +25,7 @@ from unittest import mock
|
||||||
|
|
||||||
import pytest
|
import pytest
|
||||||
from django.contrib.auth import get_user_model
|
from django.contrib.auth import get_user_model
|
||||||
|
from django.contrib.contenttypes.models import ContentType
|
||||||
from django.contrib.messages import constants as message_constants
|
from django.contrib.messages import constants as message_constants
|
||||||
from django.core.exceptions import ValidationError
|
from django.core.exceptions import ValidationError
|
||||||
from django.db import IntegrityError, transaction
|
from django.db import IntegrityError, transaction
|
||||||
|
@ -504,6 +505,17 @@ def test_login_autorun(oidc_provider, app, settings):
|
||||||
def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
||||||
cassis = OrganizationalUnit.objects.create(name='Cassis', slug='cassis')
|
cassis = OrganizationalUnit.objects.create(name='Cassis', slug='cassis')
|
||||||
|
|
||||||
|
# a mapping defined for a later-deactivated attribute should be ignored
|
||||||
|
attr = Attribute.objects.create(kind='string', name='another_name', label='Another name')
|
||||||
|
OIDCClaimMapping.objects.create(
|
||||||
|
authenticator=oidc_provider,
|
||||||
|
claim='given_name',
|
||||||
|
required=False,
|
||||||
|
attribute='another_name',
|
||||||
|
)
|
||||||
|
attr.disabled = True
|
||||||
|
attr.save()
|
||||||
|
|
||||||
response = app.get('/admin/').maybe_follow()
|
response = app.get('/admin/').maybe_follow()
|
||||||
assert oidc_provider.name in response.text
|
assert oidc_provider.name in response.text
|
||||||
response = response.click(oidc_provider.name)
|
response = response.click(oidc_provider.name)
|
||||||
|
@ -609,6 +621,9 @@ def test_sso(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
|
||||||
assert user.attributes.last_name == 'Doe'
|
assert user.attributes.last_name == 'Doe'
|
||||||
assert AttributeValue.objects.filter(content='John', verified=True).count() == 1
|
assert AttributeValue.objects.filter(content='John', verified=True).count() == 1
|
||||||
assert AttributeValue.objects.filter(content='Doe', verified=False).count() == 1
|
assert AttributeValue.objects.filter(content='Doe', verified=False).count() == 1
|
||||||
|
assert not AttributeValue.objects.filter(
|
||||||
|
content_type=ContentType.objects.get_for_model(user), object_id=user.id, attribute=attr
|
||||||
|
)
|
||||||
assert last_authentication_event(session=app.session)['nonce'] == nonce
|
assert last_authentication_event(session=app.session)['nonce'] == nonce
|
||||||
|
|
||||||
with oidc_provider_mock(
|
with oidc_provider_mock(
|
||||||
|
|
|
@ -344,6 +344,22 @@ def test_authenticators_oidc_claims(app, superuser):
|
||||||
assert_event('authenticator.related_object.deletion', user=superuser, session=app.session)
|
assert_event('authenticator.related_object.deletion', user=superuser, session=app.session)
|
||||||
|
|
||||||
|
|
||||||
|
def test_authenticators_oidc_claims_disabled_attribute(app, superuser):
|
||||||
|
authenticator = OIDCProvider.objects.create(slug='idp1')
|
||||||
|
attr = Attribute.objects.create(kind='string', name='test_attribute', label='Test attribute')
|
||||||
|
|
||||||
|
resp = login(app, superuser, path=authenticator.get_absolute_url())
|
||||||
|
resp = resp.click('Add', href='claim')
|
||||||
|
assert resp.pyquery('select#id_attribute option[value=test_attribute]')
|
||||||
|
|
||||||
|
attr.disabled = True
|
||||||
|
attr.save()
|
||||||
|
|
||||||
|
resp = app.get(authenticator.get_absolute_url())
|
||||||
|
resp = resp.click('Add', href='claim')
|
||||||
|
assert not resp.pyquery('select#id_attribute option[value=test_attribute]')
|
||||||
|
|
||||||
|
|
||||||
def test_authenticators_oidc_add_role(app, superuser, role_ou1):
|
def test_authenticators_oidc_add_role(app, superuser, role_ou1):
|
||||||
authenticator = OIDCProvider.objects.create(slug='idp1')
|
authenticator = OIDCProvider.objects.create(slug='idp1')
|
||||||
resp = login(app, superuser, path=authenticator.get_absolute_url())
|
resp = login(app, superuser, path=authenticator.get_absolute_url())
|
||||||
|
|
Loading…
Reference in New Issue