saml: add login-hint extension on backoffice access (#42193)
parent
82ea582a0f
commit
d4d4a682ab
|
@ -364,6 +364,29 @@ def test_saml_backoffice_redirect(pub):
|
|||
assert ':next_url>http://example.net/backoffice/<' in request.getOriginalXmlnode()
|
||||
|
||||
|
||||
def test_saml_login_hint(pub):
|
||||
resp = get_app(pub).get('/login/')
|
||||
assert resp.status_int == 302
|
||||
assert resp.location.startswith('http://sso.example.net/saml2/sso')
|
||||
request = lasso.Samlp2AuthnRequest()
|
||||
request.initFromQuery(urlparse.urlparse(resp.location).query)
|
||||
assert 'login-hint' not in request.getOriginalXmlnode()
|
||||
|
||||
resp = get_app(pub).get('/backoffice/')
|
||||
assert resp.status_int == 302
|
||||
assert resp.location.startswith('http://example.net/login/?next=')
|
||||
resp = resp.follow()
|
||||
assert resp.location.startswith('http://sso.example.net/saml2/sso')
|
||||
request = lasso.Samlp2AuthnRequest()
|
||||
request.initFromQuery(urlparse.urlparse(resp.location).query)
|
||||
assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
|
||||
|
||||
resp = get_app(pub).get('http://example.net/login/?next=/backoffice/')
|
||||
request = lasso.Samlp2AuthnRequest()
|
||||
request.initFromQuery(urlparse.urlparse(resp.location).query)
|
||||
assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
|
||||
|
||||
|
||||
def test_saml_register(pub):
|
||||
get_app(pub).get('/register/', status=404)
|
||||
pub.cfg['saml_identities'] = {'identity-creation': 'self'}
|
||||
|
|
|
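Review bot: test_saml_login_hint has no negative case with a `next` parameter: it asserts the hint is absent only when `/login/` is requested without `next`, and present for two backoffice targets. Because the hint is derived from a request parameter by prefix comparison in the Saml2Directory change, a front-office target and a path that merely resembles the backoffice prefix should both be pinned as producing no hint. For example (constructed path), request `get_app(pub).get('/login/?next=/backoffice-other/')`, parse the AuthnRequest as the other cases do, and check `assert 'login-hint' not in request.getOriginalXmlnode()`.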
@ -173,11 +173,20 @@ class Saml2Directory(Directory):
|
|||
login.msgRelayState = get_request().form.get('next')
|
||||
|
||||
next_url = login.msgRelayState or get_publisher().get_frontoffice_url()
|
||||
parsed_url = urlparse.urlparse(next_url)
|
||||
request = get_request()
|
||||
scheme = parsed_url.scheme or request.get_scheme()
|
||||
netloc = parsed_url.netloc or request.get_server()
|
||||
next_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
|
||||
parsed_url.fragment))
|
||||
samlp_extensions = '''<samlp:Extensions
|
||||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
xmlns:eo="https://www.entrouvert.com/">
|
||||
<eo:next_url>%s</eo:next_url>
|
||||
</samlp:Extensions>''' % escape(next_url)
|
||||
<eo:next_url>%s</eo:next_url>''' % escape(next_url)
|
||||
# set login-hint only if backoffice is accessed
|
||||
if next_url.startswith(get_publisher().get_backoffice_url()):
|
||||
samlp_extensions += '<eo:login-hint>backoffice</eo:login-hint>'
|
||||
samlp_extensions += '</samlp:Extensions>'
|
||||
# work around lasso bug https://dev.entrouvert.org/issues/23001
|
||||
if hasattr(lasso.Samlp2Extensions, 'any'):
|
||||
login.request.extensions = lasso.Node.newFromXmlNode(samlp_extensions)
|
||||
|
|
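Review bot: The new `next_url.startswith(get_publisher().get_backoffice_url())` check is a raw string prefix match on a value built from the request's `next` parameter, so the requester decides whether `eo:login-hint` is sent. An equivalent target written differently would presumably skip the hint, and if `get_backoffice_url()` returns no trailing slash (not visible here), sibling paths sharing the prefix would receive it. Comparing parsed components is tighter: `bo = urlparse.urlparse(get_publisher().get_backoffice_url())` then `if netloc == bo.netloc and parsed_url.path.startswith(bo.path.rstrip('/') + '/'):`. I would also extend the comment to `# set login-hint only if backoffice is accessed; advisory only, derived from the user-supplied "next", the IdP must not use it for access decisions`. The enclosing method starts and ends outside this hunk, so how `next` is validated elsewhere is not visible.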