saml: don't crash logging unknown role uuids (#22826)
parent
03123e9742
commit
bf1d616c0f
|
@ -16,6 +16,7 @@ from wcs.qommon.http_request import HTTPRequest
|
|||
from wcs.qommon.saml2 import Saml2Directory
|
||||
from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir
|
||||
from wcs.qommon import sessions, x509utils
|
||||
from wcs.roles import Role
|
||||
|
||||
from utilities import get_app, create_temporary_pub, clean_temporary_pub
|
||||
|
||||
|
@ -147,6 +148,26 @@ def get_authn_response_msg(pub, ni_format=lasso.SAML2_NAME_IDENTIFIER_FORMAT_PER
|
|||
value.textChild = True
|
||||
login.assertion.addAttributeWithNode('verified_attributes',
|
||||
lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC, value)
|
||||
|
||||
if not login.assertion.attributeStatement:
|
||||
login.assertion.attributeStatement = [lasso.Saml2AttributeStatement()]
|
||||
|
||||
# add two roles in role-slug attribute
|
||||
role_slug_attribute = lasso.Saml2Attribute()
|
||||
role_slug_attribute.name = 'role-slug'
|
||||
role_slug_attribute.nameFormat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
|
||||
role_uuids = []
|
||||
for role_uuid in ('foo', 'bar'):
|
||||
text_node = lasso.MiscTextNode.newWithString(role_uuid)
|
||||
text_node.textChild = True
|
||||
atv = lasso.Saml2AttributeValue()
|
||||
atv.any = [text_node]
|
||||
role_uuids.append(atv)
|
||||
role_slug_attribute.attributeValue = role_uuids
|
||||
attributes = list(login.assertion.attributeStatement[0].attribute)
|
||||
attributes.append(role_slug_attribute)
|
||||
login.assertion.attributeStatement[0].attribute = attributes
|
||||
|
||||
login.buildAuthnResponseMsg()
|
||||
return login.msgBody
|
||||
|
||||
|
@ -199,11 +220,20 @@ def test_assertion_consumer_unspecified(pub):
|
|||
assert req.response.headers['location'] == 'http://example.net'
|
||||
assert req.session.user is not None
|
||||
|
||||
def test_assertion_consumer_existing_federation(pub):
|
||||
def test_assertion_consumer_existing_federation(pub, caplog):
|
||||
# setup an hobo profile
|
||||
from wcs.ctl.check_hobos import CmdCheckHobos
|
||||
CmdCheckHobos().update_profile(PROFILE, pub)
|
||||
|
||||
pub.cfg['debug'] = {'logger': True}
|
||||
pub.write_cfg()
|
||||
pub.set_config()
|
||||
|
||||
Role.wipe()
|
||||
role = Role('Foo')
|
||||
role.uuid = 'foo'
|
||||
role.store()
|
||||
|
||||
# 1st pass to generate a user
|
||||
pub.user_class.wipe()
|
||||
assert pub.user_class.count() == 0
|
||||
|
@ -216,6 +246,10 @@ def test_assertion_consumer_existing_federation(pub):
|
|||
assert user.verified_fields
|
||||
assert len(user.verified_fields) == 3
|
||||
assert user.form_data['_birthdate'].tm_year == 2000
|
||||
assert user.roles == [role.id] # bar uuid is ignored as unknown
|
||||
|
||||
assert ('enrolling user %s in Foo' % user.id) in [x.message for x in caplog.records]
|
||||
assert 'role uuid bar is unknown' in [x.message for x in caplog.records]
|
||||
|
||||
req = HTTPRequest(None, {
|
||||
'SERVER_NAME': 'example.net',
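Review bot: The two caplog assertions read `x.message` off each record, an attribute a `LogRecord` only gains once a handler has formatted it; pytest's capture handler does so, but the documented accessor is `caplog.messages`, e.g. `assert 'role uuid bar is unknown' in caplog.messages`, which drops the dependency on that detail (available from pytest 3.7). The `pub.cfg['debug'] = {'logger': True}` plus `pub.write_cfg()` earlier in the function appears to persist logger settings into the test publisher's configuration; unless the `pub` fixture recreates the publisher for every test, that setting leaks into later tests and deserves a comment or a teardown. The enclosing test function continues past the end of this hunk.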
|
||||
|
|
|
@ -510,7 +510,7 @@ class Saml2Directory(Directory):
|
|||
for uuid in m['role-slug']:
|
||||
role = Role.resolve(uuid)
|
||||
if not role:
|
||||
logger.warn('role slug %s is unknown', slug)
|
||||
logger.warn('role uuid %s is unknown', uuid)
|
||||
continue
|
||||
role_ids.append(str(role.id))
|
||||
names.append(role.name)
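Review bot: The value logged by `logger.warn('role uuid %s is unknown', uuid)` comes from `m['role-slug']`, which — judging by the test that injects a `role-slug` attribute into the assertion — is data supplied by the identity provider rather than local configuration, so a value containing newlines or control characters is written to the log verbatim and can forge additional log lines. Formatting it with `%r` keeps such characters visible and the entry on one line: `logger.warn('role uuid %r is unknown', uuid)` (the test's expected message would then need the quoted form). `Logger.warn` is also a deprecated alias of `warning` on Python 3.4+ and was removed in 3.13, so if this code base runs on Python 3 the call should be `logger.warning(...)`. The enclosing method starts before this hunk and continues after it.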
|
||||
|
|