saml: don't crash logging unknown role uuids (#22826)

tests/test_saml_auth.py

@@ -16,6 +16,7 @@ from wcs.qommon.http_request import HTTPRequest
 from wcs.qommon.saml2 import Saml2Directory
 from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
 from wcs.qommon import sessions, x509utils
+from wcs.roles import Role
 
 from utilities import get_app, create_temporary_pub, clean_temporary_pub
 
@@ -147,6 +148,26 @@ def get_authn_response_msg(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PER
         value.textChild = True
         login.assertion.addAttributeWithNode('verified_attributes',
                                              lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC, value)
+
+    if not login.assertion.attributeStatement:
+        login.assertion.attributeStatement = [lasso.Saml2AttributeStatement()]
+
+    # add two roles in role-slug attribute
+    role_slug_attribute = lasso.Saml2Attribute()
+    role_slug_attribute.name = 'role-slug'
+    role_slug_attribute.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
+    role_uuids = []
+    for role_uuid in ('foo', 'bar'):
+        text_node = lasso.MiscTextNode.newWithString(role_uuid)
+        text_node.textChild = True
+        atv = lasso.Saml2AttributeValue()
+        atv.any = [text_node]
+        role_uuids.append(atv)
+    role_slug_attribute.attributeValue = role_uuids
+    attributes = list(login.assertion.attributeStatement[0].attribute)
+    attributes.append(role_slug_attribute)
+    login.assertion.attributeStatement[0].attribute = attributes
+
     login.buildAuthnResponseMsg()
     return login.msgBody
 
@@ -199,11 +220,20 @@ def test_assertion_consumer_unspecified(pub):
     assert req.response.headers['location'] == 'http://example.net'
     assert req.session.user is not None
 
-def test_assertion_consumer_existing_federation(pub):
+def test_assertion_consumer_existing_federation(pub, caplog):
     # setup an hobo profile
     from wcs.ctl.check_hobos import CmdCheckHobos
     CmdCheckHobos().update_profile(PROFILE, pub)
 
+    pub.cfg['debug'] = {'logger': True}
+    pub.write_cfg()
+    pub.set_config()
+
+    Role.wipe()
+    role = Role('Foo')
+    role.uuid = 'foo'
+    role.store()
+
     # 1st pass to generate a user
     pub.user_class.wipe()
     assert pub.user_class.count() == 0
@@ -216,6 +246,10 @@ def test_assertion_consumer_existing_federation(pub):
     assert user.verified_fields
     assert len(user.verified_fields) == 3
     assert user.form_data['_birthdate'].tm_year == 2000
+    assert user.roles == [role.id]  # bar uuid is ignored as unknown
+
+    assert ('enrolling user %s in Foo' % user.id) in [x.message for x in caplog.records]
+    assert 'role uuid bar is unknown' in [x.message for x in caplog.records]
 
     req = HTTPRequest(None, {
         'SERVER_NAME': 'example.net',

wcs/qommon/saml2.py

@@ -510,7 +510,7 @@ class Saml2Directory(Directory):
             for uuid in m['role-slug']:
                 role = Role.resolve(uuid)
                 if not role:
-                    logger.warn('role slug %s is unknown', slug)
+                    logger.warn('role uuid %s is unknown', uuid)
                     continue
                 role_ids.append(str(role.id))
                 names.append(role.name)