middleware: forbid provisionning without authentication (#65814)

2022-05-31 17:48:01 +02:00 · 2022-05-31 17:48:01 +02:00 · 1700420a1e
parent 43dafc0889
commit 1700420a1e
2 changed files with 57 additions and 1 deletions
--- a/hobo/provisionning/middleware.py
+++ b/hobo/provisionning/middleware.py
@ -39,9 +39,12 @@ class ProvisionningMiddleware(MiddlewareMixin, NotificationProcessing):
            self.hobo_specific_setup()

        try:
-            PublikAuthentication().authenticate(request)
+            user_auth_tuple = PublikAuthentication().authenticate(request)
        except PublikAuthenticationFailed:
            return HttpResponseForbidden()
+        if user_auth_tuple is None:
+            return HttpResponseForbidden()
+
        try:
            notification = json.loads(force_text(request.body))
        except ValueError:
--- a/tests/test_provisionning_middleware.py
+++ b/tests/test_provisionning_middleware.py
@ -0,0 +1,53 @@
+from django.contrib.auth import get_user_model
+
+from hobo.signature import sign_url
+
+
+def test_provisionning(app, db, settings):
+    settings.HOBO_ANONYMOUS_SERVICE_USER_CLASS = 'hobo.rest_authentication.AnonymousAdminServiceUser'
+    settings.KNOWN_SERVICES = {
+        'chrono': {
+            'foobar': {
+                'title': 'Foo',
+                'url': 'https://chrono.example.invalid/',
+                'verif_orig': 'chrono.example.invalid',
+                'secret': 'xxx',
+                'provisionning-url': 'https://chrono.example.invalid/__provision__/',
+            }
+        },
+        'hobo': {
+            'hobo': {
+                'title': 'Hobo',
+                'url': 'https://hobo.example.invalid/',
+                'verif_orig': 'hobo.example.invalid',
+                'secret': 'xxx',
+                'provisionning-url': 'https://hobo.example.invalid/__provision__/',
+            }
+        },
+    }
+    notification = {
+        '@type': 'provision',
+        'issuer': 'http://idp.example.net/idp/saml/metadata',
+        'objects': {
+            '@type': 'user',
+            'data': [
+                {
+                    'uuid': 'a' * 32,
+                    'first_name': 'John',
+                    'last_name': 'Doe',
+                    'email': 'john.doe@example.net',
+                    'is_superuser': True,
+                    'roles': [],
+                }
+            ],
+        },
+    }
+    User = get_user_model()
+    assert User.objects.count() == 0
+    resp = app.put_json('/__provision__/', notification, status=403)
+    assert User.objects.count() == 0
+    resp = app.put_json(
+        sign_url('/__provision__/?orig=%s' % 'hobo.example.invalid', 'xxx'), notification, status=200
+    )
+    assert User.objects.count() == 1
+    assert User.objects.get(email='john.doe@example.net')