From 72d0cbf9621ec752e37050d6b3755d7db88f2c16 Mon Sep 17 00:00:00 2001 From: Juha Louhiranta Date: Mon, 5 Aug 2024 14:58:46 +0300 Subject: [PATCH] feat: return kc_action_status from Keycloak on authentication kc_action_status is used to indicate e.g. whether a requested password change was successful or not. It will be returned from tunnistamo along with code and state to the callback url the same way keycloak does it. This should make a later transtition to keycloak (by dropping tunnistamo from the middle) not require extra work for any logic using kc_action_status. Upon login the kc_action_status is saved to the session from which it is then retrieved in TunnistamoAuthorizeEndpoint. Refs: HP-2491 --- tunnistamo/endpoints.py | 16 +++++++++ tunnistamo/settings.py | 3 ++ .../tests/test_tunnistamo_session_checks.py | 32 ++++++++++++++++++ users/pipeline.py | 15 +++++++++ users/tests/test_pipeline.py | 33 ++++++++++++++++++- 5 files changed, 98 insertions(+), 1 deletion(-) diff --git a/tunnistamo/endpoints.py b/tunnistamo/endpoints.py index ba37e85f..aa0ef0ee 100644 --- a/tunnistamo/endpoints.py +++ b/tunnistamo/endpoints.py @@ -33,6 +33,22 @@ def is_tunnistamo_session_active(self): class TunnistamoAuthorizeEndpoint(TunnistamoSessionEndpointMixin, AuthorizeEndpoint): + + def __init__(self, request): + super().__init__(request) + + if kc_value := self.request.session.get("kc_action_status"): + self.params["kc_action_status"] = kc_value + + def create_response_uri(self): + """Add the status of the Keycloak action the callback url.""" + uri = super().create_response_uri() + + if kc_value := self.params.get("kc_action_status"): + uri = add_params_to_url(uri, {"kc_action_status": kc_value}) + + return uri + def _get_tunnistamo_session(self): tunnistamo_session_id = self.request.session.get("tunnistamo_session_id") if not tunnistamo_session_id: diff --git a/tunnistamo/settings.py b/tunnistamo/settings.py index caba73dd..c648cfe0 100644 --- a/tunnistamo/settings.py +++ b/tunnistamo/settings.py @@ -514,6 +514,9 @@ # Add loa to Tunnistamo Session 'users.pipeline.add_loa_to_tunnistamo_session', + + # Save status of the Keycloak action to session + 'users.pipeline.save_kc_action_status_to_session', ) ALLOW_DUPLICATE_EMAILS = env("ALLOW_DUPLICATE_EMAILS") diff --git a/tunnistamo/tests/test_tunnistamo_session_checks.py b/tunnistamo/tests/test_tunnistamo_session_checks.py index 62eb7521..edfe5d27 100644 --- a/tunnistamo/tests/test_tunnistamo_session_checks.py +++ b/tunnistamo/tests/test_tunnistamo_session_checks.py @@ -58,6 +58,38 @@ def test_authorize_endpoint(user, response_type, ended): assert 'code=' in response['Location'] +@pytest.mark.django_db +def test_authorize_endpoint_redirect_url_contains_kc_action_status_parameter(user): + django_test_client = DjangoTestClient() + django_test_client.force_login(user) + oidc_client = create_oidc_clients_and_api() + + authorize_url = reverse("authorize") + + authorize_request_data = { + "client_id": oidc_client.client_id, + "redirect_uri": oidc_client.redirect_uris[0], + "scope": "openid profile", + "response_type": "code", + "response_mode": "form_post", + "nonce": get_random_string(12), + } + + # Add the expected parameters to the session which would be added in the social + # auth pipeline. + session = django_test_client.session + session.update({"kc_action_status": "success"}) + session.save() + + response = django_test_client.get( + authorize_url, authorize_request_data, follow=False + ) + + assert response.status_code == 302, response["Location"] + + assert "kc_action_status=success" in response["Location"] + + @pytest.mark.django_db @pytest.mark.parametrize('response_type', [ 'code', diff --git a/users/pipeline.py b/users/pipeline.py index 4481ca8c..f166ad60 100644 --- a/users/pipeline.py +++ b/users/pipeline.py @@ -337,3 +337,18 @@ def associate_between_helsinki_on_prem_ad_and_azure_ad(backend, details, user=No return { 'user': existing_social_auth.user, } + + +def save_kc_action_status_to_session(backend, strategy, *args, **kwargs): + """When a Keycloak action status is present save it to the session.""" + if isinstance(backend, (HelsinkiTunnus, HelsinkiTunnistus)) and ( + kc_action_status := strategy.request_data().get("kc_action_status") + ): + logger.debug( + f"kc_action_status {kc_action_status} in pipeline. Backend: {backend.name}." + ) + strategy.session_set("kc_action_status", kc_action_status) + else: + strategy.session_pop("kc_action_status") + + return diff --git a/users/tests/test_pipeline.py b/users/tests/test_pipeline.py index ac599898..c104f559 100644 --- a/users/tests/test_pipeline.py +++ b/users/tests/test_pipeline.py @@ -1,5 +1,8 @@ +from urllib.parse import urlencode + import pytest from django.contrib import auth +from django.contrib.sessions.middleware import SessionMiddleware from django.urls import reverse from django.utils.crypto import get_random_string from social_core.exceptions import AuthFailed @@ -7,7 +10,7 @@ from social_django.utils import load_backend, load_strategy from tunnistamo.tests.conftest import create_rsa_key, reload_social_django_utils -from users.pipeline import association_by_keycloak_uuid, update_ad_groups +from users.pipeline import association_by_keycloak_uuid, save_kc_action_status_to_session, update_ad_groups from users.tests.conftest import DummyFixedOidcBackend @@ -103,3 +106,31 @@ def test_association_by_keycloak_uuid(login_backend, existing_backend, user, exp assert pipeline_data == {"user": user} else: assert pipeline_data is None + + +@pytest.mark.parametrize( + "backend_name,expected", + ( + ("heltunnistussuomifi", "success"), + ("helsinki_tunnus", "success"), + ("helsinki_adfs", None), + ), + ids=repr, +) +def test_save_kc_action_status_to_session(backend_name, expected, rf): + uri = "{}?{}".format( + reverse("social:complete", kwargs={"backend": backend_name}), + urlencode( + { + "kc_action_status": "success", + } + ), + ) + request = rf.get(uri) + SessionMiddleware(get_response=lambda response: response).process_request(request) + strategy = load_strategy(request) + backend = load_backend(strategy, backend_name, uri) + + save_kc_action_status_to_session(backend, strategy) + + assert strategy.session_get("kc_action_status") == expected