saml: add login-hint extension on backoffice access (#42193)

2020-05-26 14:09:33 +02:00 · 2020-05-26 14:09:33 +02:00 · d4d4a682ab
parent 82ea582a0f
commit d4d4a682ab
2 changed files with 34 additions and 2 deletions
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@ -364,6 +364,29 @@ def test_saml_backoffice_redirect(pub):
    assert ':next_url>http://example.net/backoffice/<' in request.getOriginalXmlnode()


+def test_saml_login_hint(pub):
+    resp = get_app(pub).get('/login/')
+    assert resp.status_int == 302
+    assert resp.location.startswith('http://sso.example.net/saml2/sso')
+    request = lasso.Samlp2AuthnRequest()
+    request.initFromQuery(urlparse.urlparse(resp.location).query)
+    assert 'login-hint' not in request.getOriginalXmlnode()
+
+    resp = get_app(pub).get('/backoffice/')
+    assert resp.status_int == 302
+    assert resp.location.startswith('http://example.net/login/?next=')
+    resp = resp.follow()
+    assert resp.location.startswith('http://sso.example.net/saml2/sso')
+    request = lasso.Samlp2AuthnRequest()
+    request.initFromQuery(urlparse.urlparse(resp.location).query)
+    assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+    resp = get_app(pub).get('http://example.net/login/?next=/backoffice/')
+    request = lasso.Samlp2AuthnRequest()
+    request.initFromQuery(urlparse.urlparse(resp.location).query)
+    assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+
 def test_saml_register(pub):
    get_app(pub).get('/register/', status=404)
    pub.cfg['saml_identities'] = {'identity-creation': 'self'}
--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@ -173,11 +173,20 @@ class Saml2Directory(Directory):
            login.msgRelayState = get_request().form.get('next')

        next_url = login.msgRelayState or get_publisher().get_frontoffice_url()
+        parsed_url = urlparse.urlparse(next_url)
+        request = get_request()
+        scheme = parsed_url.scheme or request.get_scheme()
+        netloc = parsed_url.netloc or request.get_server()
+        next_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
+                                         parsed_url.fragment))
        samlp_extensions = '''<samlp:Extensions
                        xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        xmlns:eo="https://www.entrouvert.com/">
-                      <eo:next_url>%s</eo:next_url>
-                   </samlp:Extensions>''' % escape(next_url)
+                      <eo:next_url>%s</eo:next_url>''' % escape(next_url)
+        # set login-hint only if backoffice is accessed
+        if next_url.startswith(get_publisher().get_backoffice_url()):
+            samlp_extensions += '<eo:login-hint>backoffice</eo:login-hint>'
+        samlp_extensions += '</samlp:Extensions>'
        # work around lasso bug https://dev.entrouvert.org/issues/23001
        if hasattr(lasso.Samlp2Extensions, 'any'):
            login.request.extensions = lasso.Node.newFromXmlNode(samlp_extensions)