From 27d92545cf3acaa928d6b7a8c2d0c0eb07017c8c Mon Sep 17 00:00:00 2001
From: Paul Marillonnet
Date: Mon, 28 Mar 2022 15:52:51 +0200
Subject: [PATCH] hooks: bypass idp_oidc_modify_user_info when user profile is supplied (#63263)
---
 src/authentic2_cut/apps.py | 4 ++-
 tests/test_hooks.py | 53 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/src/authentic2_cut/apps.py b/src/authentic2_cut/apps.py
index 052d75e..ada2325 100644
--- a/src/authentic2_cut/apps.py
+++ b/src/authentic2_cut/apps.py
@@ -514,7 +514,9 @@ class AppConfig(django.apps.AppConfig):
 queryset = queryset.filter(ou__slug='usagers')
 return queryset
- def a2_hook_idp_oidc_modify_user_info(self, client, user, scope_set, user_info):
+ def a2_hook_idp_oidc_modify_user_info(self, client, user, scope_set, user_info, profile=None):
+ if profile:
+ return
 sub = user_info['sub']
 user_info.clear()
 user_info['sub'] = sub
diff --git a/tests/test_hooks.py b/tests/test_hooks.py
index a02e00f..7f53f92 100644
--- a/tests/test_hooks.py
+++ b/tests/test_hooks.py
@@ -1,5 +1,7 @@
+from authentic2.custom_user.models import Profile, ProfileType
 from authentic2.manager.tables import UserTable
 from authentic2.manager.user_views import UsersView
+from django.contrib.auth import get_user_model
 from utils import login
 from authentic2_cut.apps import AppConfig
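Review bot: In `src/authentic2_cut/apps.py`, the new early return in `a2_hook_idp_oidc_modify_user_info` skips the `user_info.clear()` that follows, so whenever a profile is supplied every claim already present in `user_info` is released to the client as-is. If this hook is what restricts the claims this deployment releases (the rest of the body lies outside the hunk, so this is inferred), the bypass deserves a comment stating why profile-based claims need no filtering, for example `# claims for a profile are built upstream; do not replace them with the user's own attributes`. The guard would also be more explicit as `if profile is not None:`, so that it does not depend on the truthiness of the profile object.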
@@ -31,3 +33,54 @@ def test_a2_hook_manager_modify_table(db, rf, admin, monkeypatch, app):
 response = login(app, admin, '/manage/users/')
 assert 'get_full_name' not in response.html
 assert len(response.pyquery.find('thead').find('tr').children()) == 5
+
+
+def test_a2_hook_idp_oidc_modify_user_info(db, rf, app):
+ class DummyModule:
+ __path__ = [
+ './dummy',
+ ]
+
+ dummy = DummyModule()
+ User = get_user_model()
+ user = User.objects.create(email='john.doe@example.org', first_name='John', last_name='Doe')
+ app_config = AppConfig('authentic2_cut', dummy)
+ client = None # unused in hook
+ scope_set = {'email', 'profile', 'openid', 'crown'}
+ user_info = {
+ 'sub': 'abc',
+ 'email': 'abc@ad.dre.ss',
+ 'first_name': 'Original first name',
+ 'last_name': 'Original last name',
+ }
+
+ # firt attempt without profile, user_info is modified by the hook
+ app_config.a2_hook_idp_oidc_modify_user_info(client, user, scope_set, user_info, profile=None)
+ assert user_info['email'] == 'john.doe@example.org'
+ assert user_info['first_name'] == 'John'
+ assert user_info['given_name'] == 'John'
+ assert user_info['last_name'] == 'Doe'
+ assert user_info['family_name'] == 'Doe'
+
+ profile_type = ProfileType.objects.create(
+ name="Mandataire",
+ slug="mandataire",
+ )
+ profile = Profile.objects.create(
+ profile_type=profile_type,
+ user=user,
+ identifier='abc',
+ email='mandataire-abc',
+ )
+ user_info = {
+ 'sub': 'abc',
+ 'email': 'abc@ad.dre.ss',
+ 'first_name': 'Original first name',
+ 'last_name': 'Original last name',
+ }
+
+ # second attempt with profile, whose presence is detected by the hook, thus bypassed
+ app_config.a2_hook_idp_oidc_modify_user_info(client, user, scope_set, user_info, profile=profile)
+ assert user_info['email'] == 'abc@ad.dre.ss'
+ assert user_info['first_name'] == 'Original first name'
+ assert user_info['last_name'] == 'Original last name'
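Review bot: The profile case at the end of `test_a2_hook_idp_oidc_modify_user_info` checks only three keys, so it would still pass if the hook added or rewrote other claims such as `sub`, `given_name` or `family_name`. Since the point of the bypass is that `user_info` is left untouched, compare the whole dict: take `expected = dict(user_info)` before the call and `assert user_info == expected` after it. The first case could likewise assert `user_info['sub'] == 'abc'`, which the hook is written to preserve. The comment `# firt attempt` should read `# first attempt`.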