From 590dc442beee3020491a1554674f4f8238ee06c1 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 22 Jun 2015 16:50:29 +0200
Subject: [PATCH] Restrict the collectivity selectors to collectivities linked to the certificate, if only one collectivity exists, set readonly (fixes #7651)
---
 src/authentic2_pratic/backends.py | 14 ++++++++------
 src/authentic2_pratic/forms.py | 5 ++++-
 .../templates/authentic2_pratic/login.html | 10 +++++++---
 src/authentic2_pratic/utils.py | 5 +----
 4 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/src/authentic2_pratic/backends.py b/src/authentic2_pratic/backends.py
index 4642fc8..2ad2c3d 100644
--- a/src/authentic2_pratic/backends.py
+++ b/src/authentic2_pratic/backends.py
@@ -44,12 +44,14 @@ class PraticSSLBackend(BaseBackend):
 class PraticLoginPasswordSSLBackend(PraticLoginPasswordBackend):
 def authenticate(self, collectivity, username, password, ssl_info):
 user = super(PraticLoginPasswordSSLBackend, self).authenticate(collectivity, username, password)
- if user:
- col = user.collectivity
- if col.certificate_issuer_dn and \
- col.certificate_subject_dn and \
- col.certificate_issuer_dn == ssl_info.issuer_dn and \
- col.certificate_subject_dn == ssl_info.subject_dn:
+ if collectivity not in list(ssl_info.collectivity):
+ return
+ try:
+ user = models.User.objects.select_related().get(collectivity=collectivity, uid=username)
+ except models.User.DoesNotExist:
+ pass
+ else:
+ if user.check_password(password):
 return user
 def get_saml2_authn_context(self, **kwargs):
diff --git a/src/authentic2_pratic/forms.py b/src/authentic2_pratic/forms.py
index b486d6d..bc58ab8 100644
--- a/src/authentic2_pratic/forms.py
+++ b/src/authentic2_pratic/forms.py
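Review bot: In `PraticLoginPasswordSSLBackend.authenticate` (backends.py) the result of the `super(...).authenticate(...)` call is now discarded, because the added `try` block fetches the user again and repeats `check_password`, so a `None` from the parent backend no longer stops the login. If the parent applies any check beyond the password comparison (its body is outside this hunk), that check is skipped on this path. Keeping the parent's verdict and only adding the certificate restriction would avoid the duplicate lookup, e.g. `if user is None or collectivity not in ssl_info.collectivity: return` followed by `return user`. As written, the added `.get(...)` also leaves `MultipleObjectsReturned` unhandled.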
@@ -148,7 +148,10 @@ class AuthenticationForm(forms.Form):
 super(AuthenticationForm, self).__init__(*args, **kwargs)
 if request and hasattr(request, 'ssl_info') and request.ssl_info \
 and request.ssl_info.collectivity:
- self.fields['collectivity'].initial = request.ssl_info.collectivity.pk
+ self.fields['collectivity'].queryset = request.ssl_info.collectivity
+ self.fields['collectivity'].initial = request.ssl_info.collectivity[0].pk
+ if len(request.ssl_info.collectivity) < 2:
+ self.fields['collectivity'].widget.attrs['readonly'] = 'readonly'
 def clean(self):
 collectivity = self.cleaned_data.get('collectivity')
diff --git a/src/authentic2_pratic/templates/authentic2_pratic/login.html b/src/authentic2_pratic/templates/authentic2_pratic/login.html
index c546649..21c4435 100644
--- a/src/authentic2_pratic/templates/authentic2_pratic/login.html
+++ b/src/authentic2_pratic/templates/authentic2_pratic/login.html
@@ -39,9 +39,13 @@ {% if request.ssl_info and request.ssl_info.collectivity %}
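Review bot: The `readonly` attribute set on the `collectivity` widget in `AuthenticationForm.__init__` (forms.py) is not honoured by browsers on a `<select>` element, which is what a queryset-backed choice field normally renders (the field definition is outside this hunk), so the single-collectivity case stays editable in the page. The control that actually restricts the choice is the `queryset` assignment two lines earlier, which, assuming the field is a `ModelChoiceField`, makes validation reject any collectivity not linked to the certificate. A comment above the `readonly` line would keep a later reader from treating it as the enforcement point, e.g. `# display hint only: the queryset above enforces the restriction server-side`. `__init__` starts above the hunk.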

- {% blocktrans with collectivity=request.ssl_info.collectivity %}You are
- authenticated with certificate of collectivity {{collectivity}}. It has
- been pre-selected for you.{% endblocktrans %}
+ {% with collectivities=request.ssl_info.collectivity counter=collectivities|length %}
+ {% if counter < 2 %}
+ {% blocktrans with first=collectivities.0 %}You are authenticated with certificate of collectivity {{ first }}. It has been pre-selected for you.{% endblocktrans %}
+ {% else %}
+ {% blocktrans with all=collectivities|join:", " %}You are authenticated with certificate of collectivities {{ all }}. It has been pre-selected for you.{% endblocktrans %}
+ {% endif %}
+ {% endwith %}

{% endif %}
diff --git a/src/authentic2_pratic/utils.py b/src/authentic2_pratic/utils.py
index c6aaa0a..cb3e4f5 100644
--- a/src/authentic2_pratic/utils.py
+++ b/src/authentic2_pratic/utils.py
@@ -50,10 +50,7 @@ class SSLInfo(object):
 if self.issuer_dn and self.subject_dn:
 kwargs = dict(certificate_issuer_dn=self.issuer_dn,
 certificate_subject_dn=self.subject_dn)
- try:
- self.__dict__['collectivity'] = models.Collectivity.objects.get(**kwargs)
- except models.Collectivity.DoesNotExist:
- self.__dict__['collectivity'] = None
+ self.__dict__['collectivity'] = models.Collectivity.objects.filter(**kwargs)
 self.__dict__['users'] = models.User.objects.filter(**kwargs).select_related()
 else:
 self.__dict__['collectivity'] = None
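Review bot: In login.html the binding `counter=collectivities|length` sits in the same `{% with %}` tag that defines `collectivities`, and Django resolves all bindings of one `with` against the enclosing context, so `collectivities` is still undefined at that point and `counter` comes out as 0. The `{% if counter < 2 %}` branch is then always taken and the message for several collectivities is never shown. Dropping the second binding and testing `{% if collectivities|length < 2 %}` avoids this. The plural message also still ends with "It has been pre-selected for you", which no longer matches a list of several collectivities.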
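Review bot: After this change `SSLInfo.collectivity` (utils.py) is a queryset when both certificate DNs are present but still `None` in the `else` branch at the end of the hunk, so every caller has to handle two types. The backend code added in this same commit calls `list(ssl_info.collectivity)`, which raises `TypeError` on `None` instead of failing the authentication cleanly. Using `self.__dict__['collectivity'] = models.Collectivity.objects.none()` in the `else` branch would keep the attribute iterable and falsy in both cases. Callers outside this patch that still treat the attribute as a single object are not visible here and would need the same update; the enclosing method starts above the hunk.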