saml: always retry user creation when detecting duplicates on sso (#75777)

2023-03-24 12:02:08 +01:00 · 2023-03-24 12:02:08 +01:00 · 0bc7330bcd
parent b9d1ffa6a3
commit 0bc7330bcd
2 changed files with 57 additions and 0 deletions
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@ -3,6 +3,7 @@ import http.cookies
 import io
 import os
 import shutil
+import threading
 import urllib.parse
 import uuid

@ -24,6 +25,7 @@ from wcs.qommon.http_request import HTTPRequest
 from wcs.qommon.ident.idp import MethodAdminDirectory
 from wcs.qommon.misc import get_lasso_server
 from wcs.qommon.saml2 import Saml2Directory, SOAPException
+from wcs.sql import cleanup_connection

 from .test_fc_auth import get_session
 from .test_hobo_notify import PROFILE
@ -835,3 +837,28 @@ def test_opened_session_backoffice_url(pub):
    resp = app.get('/backoffice/studio/')
    assert resp.status_int == 302
    assert urllib.parse.parse_qs(urllib.parse.urlparse(resp.location).query).get('IsPassive')
+
+
+def test_sso_provisionning_concurrency(pub):
+    concurrency = 10
+
+    directory = Saml2Directory()
+    login = mock.Mock()
+    login.identity.dump.return_value = ''
+
+    for i in range(3):
+        pub.user_class.wipe()
+        b = threading.Barrier(concurrency)
+
+        def thread_function(b):
+            b.wait()
+            directory.get_or_create_user_by_name_id(login, 'abcd')
+            cleanup_connection()
+
+        threads = [threading.Thread(target=thread_function, args=[b]) for i in range(concurrency)]
+        for thread in threads:
+            thread.start()
+        for thread in threads:
+            thread.join()
+
+        assert pub.user_class.count() == 1
--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@ -15,6 +15,7 @@
 # along with this program; if not, see <http://www.gnu.org/licenses/>.

 import os
+import random
 import time
 import urllib.parse
 from xml.sax.saxutils import escape
@ -539,6 +540,35 @@ class Saml2Directory(Directory):
        if save:
            user.store()

+    def get_or_create_user_by_name_id(self, login, ni, retry=0):
+        user_class = get_publisher().user_class
+
+        if retry > 3:
+            raise Exception('user lookup on sso failed after %s tries.' % retry)
+        if retry > 0:
+            time.sleep(random.random() * 2 * retry)
+
+        users = sorted(
+            user_class.get_users_with_name_identifier(ni), key=lambda u: (u.last_seen or 0, -int(u.id))
+        )
+        if users:
+            # if multiple users, use the more recently used or the younger
+            user = users[-1]
+        else:
+            user = get_publisher().user_class(ni)
+            user.name_identifiers = [ni]
+            if login.identity:
+                user.lasso_dump = login.identity.dump()
+            user.store()
+
+            others = user_class.get_users_with_name_identifier(ni)
+            # there is an user mapping to the same id with a younger id:
+            # try again.
+            if len(others) > 1:
+                user.remove_self()
+                return self.get_or_create_user_by_name_id(login, ni, retry=retry + 1)
+        return user
+
    def lookup_user(self, session, login):
        if not login.nameIdentifier or not login.nameIdentifier.content:
            return None