misc: allow login_hint parameter in login url (#76712)

2023-04-17 13:07:24 +02:00 · 2023-04-17 13:07:24 +02:00 · 170e728d3a
parent 0f7044e7a0
commit 170e728d3a
3 changed files with 25 additions and 3 deletions
--- a/mellon/utils.py
+++ b/mellon/utils.py
@ -357,3 +357,13 @@ def is_slo_supported(request, issuer):
        server.getFirstHttpMethod(server.providers[issuer], lasso.MD_PROTOCOL_TYPE_SINGLE_LOGOUT)
        != lasso.HTTP_METHOD_NONE
    )
+
+
+def get_login_hints_from_request(request):
+    request_login_hints = request.GET.getlist('login_hint')
+    login_hints = [
+        login_hint.strip()
+        for login_hint in request_login_hints
+        if login_hint.isascii() and login_hint.isprintable()
+    ]
+    return login_hints
--- a/mellon/views.py
+++ b/mellon/views.py
@ -591,13 +591,16 @@ class LoginView(ProfileMixin, LogMixin, View):

    def add_login_hints(self, idp, authn_request, request, next_url=None):
        login_hints = utils.get_setting(idp, 'LOGIN_HINTS', [])
-        hints = []
+        hints = set()
        for login_hint in login_hints:
            if login_hint == 'backoffice':
                if next_url and self.is_in_backoffice(request, next_url):
-                    hints.append('backoffice')
+                    hints.add('backoffice')
            if login_hint == 'always_backoffice':
-                hints.append('backoffice')
+                hints.add('backoffice')
+
+        for login_hint in utils.get_login_hints_from_request(request):
+            hints.add(login_hint)

        for hint in hints:
            node = ET.Element(LOGIN_HINT)
--- a/tests/test_sso_slo.py
+++ b/tests/test_sso_slo.py
@ -922,3 +922,12 @@ def test_sso_slo_update_of_new_fields(db, app, idp, caplog, sp_settings):
    caplog.clear()
    response = app.get(url)
    assert len(caplog.records) == 0, 'logout failed'
+
+
+def test_sso_slo_pass_login_hints_from_request(db, app, idp, caplog, sp_settings):
+    response = app.get(reverse('mellon_login') + '?next=/whatever/&login_hint=azure')
+    url, body, relay_state = idp.process_authn_request_redirect(response['Location'])
+    root = ET.fromstring(idp.request)
+    login_hints = root.findall('.//{https://www.entrouvert.com/}login-hint')
+    assert len(login_hints) == 1, 'missing login hint'
+    assert login_hints[0].text == 'azure', 'login hint is not azure'