Merge lp:~canonical-isd-hackers/canonical-identity-provider/auto_authorize_teams into lp:~canonical-isd-hackers/canonical-identity-provider/stable

Proposed by Anthony Lenton
Status: Merged
Approved by: Ricardo Kirkner
Approved revision: no longer in the source branch.
Merged at revision: 119
Proposed branch: lp:~canonical-isd-hackers/canonical-identity-provider/auto_authorize_teams
Merge into: lp:~canonical-isd-hackers/canonical-identity-provider/stable
Diff against target: 146 lines (+87/-5)
3 files modified
identityprovider/tests/functional/openid_/per_version/test_openid_teams_auto_authorize.py (+58/-0)
identityprovider/tests/test_views_server.py (+19/-0)
identityprovider/views/server.py (+10/-5)
To merge this branch: bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/auto_authorize_teams
Reviewer Review Type Date Requested Status
Ricardo Kirkner (community) Approve
Review via email: mp+68908@code.launchpad.net

Commit message

Make server report team membership to RPs that have auto_authorize=True, when the user signs in as part of the OpenID dance.

Description of the change

SSO was failing to report team membership to RPs that have auto_authorize=True, if the user signs in as part of the OpenID dance.

This branch fixes the issue in two lines, and adds a unit test and a functional test to keep it from breaking again.

Ricardo Kirkner (ricardokirkner) wrote :

LGTM

review: Approve

Preview Diff

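--- a/identityprovider/tests/functional/openid_/per_version/test_openid_teams_auto_authorize.py
+++ b/identityprovider/tests/functional/openid_/per_version/test_openid_teams_auto_authorize.py
@@ -0,0 +1,58 @@
+from openid.consumer.consumer import Consumer
+from openid.store.memstore import MemoryStore
+from openid.consumer.discover import OPENID_2_0_TYPE as PROTOCOL_URI
+
+from identityprovider.const import LAUNCHPAD_TEAMS_NS
+from identityprovider.models import OpenIDRPConfig
+
+from ...openidhelpers import complete_from_browser, make_endpoint
+from ...helpers import FunctionalTestCase
+
+
+class OpenIDTeamsAutoAuthorizeTestCase(FunctionalTestCase):
+
+ def test(self):
+ # = Interaction of Launchpad OpenID Teams with Auto-Authorize =
+ # Check that teams work well when requested by an auto-authorized RP.
+ OpenIDRPConfig.objects.all().delete()
+ rpconfig = self.create_openid_rp_config(
+ trust_root='http://launchpad.dev/',
+ displayname='Test RP', description='A test RP',
+ auto_authorize=True, can_query_any_team=True)
+
+ # First we'll set up the OpenID consumer:
+ openid_store = MemoryStore()
+ consumer = Consumer(session={}, store=openid_store)
+
+ # Now perform an OpenID authentication request, querying membership in
+ # four team names:
+ # * one that the user is a member of and is public
+ # * one that the user is a member of, but is private
+ # * one that does not exist
+ # * one that does exist but the user is not a member of
+
+ endpoint = make_endpoint(
+ PROTOCOL_URI, 'http://openid.launchpad.dev/+id/cCGE3LA')
+ request = consumer.beginWithoutDiscovery(endpoint)
+
+ request.message.namespaces.addAlias(LAUNCHPAD_TEAMS_NS, 'lp')
+ request.addExtensionArg(
+ LAUNCHPAD_TEAMS_NS, 'query_membership',
+ 'ubuntu-team,no-such-team,launchpad-beta-testers,myteam')
+
+ self.browser.open(request.redirectURL(
+ 'http://launchpad.dev/', 'http://launchpad.dev/+openid-consumer'))
+ self.browser.getControl(name='email').value = 'member@canonical.com'
+ self.browser.getControl(name='password').value = 'test'
+ self.browser.getControl(name='continue').click()
+
+ self.assertUrl('http://launchpad.dev/\+openid-consumer\?.*?')
+
+ info = complete_from_browser(consumer, self.browser)
+
+ self.assertEquals(info.status, 'success')
+ self.assertEquals(info.getSigned(LAUNCHPAD_TEAMS_NS, 'is_member'),
+ 'ubuntu-team,myteam')
+
+ # The response reveals that the user is a member of the ubuntu-team,
+ # and myteam as it's allowed to query private teams too.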
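Review bot: The functional test exercises only the permissive configuration (`auto_authorize=True, can_query_any_team=True`) and asserts that the private team `myteam` comes back in `is_member`; nothing pins the complementary case, where an auto-authorized RP without `can_query_any_team` should not learn about private-team membership. Because this branch widens what auto-authorized RPs receive without any user interaction, a second test method that creates the RP config with `can_query_any_team=False` and asserts `info.getSigned(LAUNCHPAD_TEAMS_NS, 'is_member')` equals `'ubuntu-team'` would guard that disclosure boundary; the expected value is inferred from the comments in this test, so confirm it against the fixtures. The new unit test in identityprovider/tests/test_views_server.py has the same gap. Separately, the pattern passed to `assertUrl` carries the regex escapes `\+` and `\?` in a non-raw string and should be written as a raw literal (`r'...'`).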
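--- a/identityprovider/tests/test_views_server.py
+++ b/identityprovider/tests/test_views_server.py
@@ -390,6 +390,25 @@
 self.assertEqual(r.status_code, 200)
 self.assertTemplateUsed(r, 'decide.html')
 
+ def test_decide_team_membership_with_auto_authorize(self):
+ # make sure rpconfig is set to auto authorize
+ self.client.login(username='mark@example.com',
+ password='test')
+
+ rpconfig = OpenIDRPConfig(trust_root='http://localhost/',
+ auto_authorize=True)
+ rpconfig.save()
+
+ param_overrides = {
+ 'openid.lp.query_membership': 'ubuntu-team',
+ }
+ self._prepare_openid_token(param_overrides=param_overrides)
+ r = self.client.post("/%s/+decide" % self.token)
+ query = self.get_query(r)
+ self.assertEqual(r.status_code, 302)
+ self.assertEqual(query['openid.mode'], 'id_res')
+ self.assertEqual(query['openid.lp.is_member'], 'ubuntu-team')
+
 def test_check_team_membership_multiple_openidrpsummary(self):
 # create multiple matching OpenIDRPSummary objects
 account = Account.objects.get_by_email(self.login_email)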
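Review bot: `test_decide_team_membership_with_auto_authorize` posts to `+decide` with an empty body, which is the only input shape the new `immediate = not request.POST` check in identityprovider/views/server.py treats as auto-authorized, so the test cannot catch a regression when the same request carries any form field. A second request such as `self.client.post("/%s/+decide" % self.token, {'unrelated': '1'})` (a constructed field name), with an assertion on the intended `openid.lp.is_member` outcome, would pin that behaviour down. The comment `# make sure rpconfig is set to auto authorize` would also read better directly above the `OpenIDRPConfig(...)` construction than above the login call. The enclosing test class starts outside this hunk.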
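--- a/identityprovider/views/server.py
+++ b/identityprovider/views/server.py
@@ -151,7 +151,8 @@
 else:
 oresponse = orequest.answer(True)
 _add_sreg(request, orequest, oresponse)
- _check_team_membership(request, orequest, oresponse)
+ _check_team_membership(request, orequest, oresponse,
+ immediate=True)
 response = _django_response(request, oresponse, True)
 else:
 oresponse = orequest.answer(False)
@@ -171,7 +172,7 @@
 else:
 oresponse = orequest.answer(True)
 _add_sreg(request, orequest, oresponse)
- _check_team_membership(request, orequest, oresponse)
+ _check_team_membership(request, orequest, oresponse, immediate=True)
 response = _django_response(request, oresponse, True)
 elif (request.user.is_authenticated() and not
 _is_identity_owner(request.user, orequest)):
@@ -226,7 +227,7 @@
 if request.user.is_authenticated():
 if 'yes' in request.POST or (rpconfig is not None
 and rpconfig.auto_authorize):
- return _process_decide(request, orequest, True)
+ return _process_decide(request, orequest, decision=True)
 else:
 sreg_request = SRegRequest.fromOpenIDRequest(orequest)
 teams_request = TeamsRequest.fromOpenIDRequest(orequest)
@@ -348,7 +349,7 @@
 except:
 return HttpResponse("Invalid OpenID transaction")
 if request.user.is_authenticated():
- return _process_decide(request, orequest, False)
+ return _process_decide(request, orequest, decision=False)
 else:
 oresponse = orequest.answer(False, settings.SSO_PROVIDER_URL)
 response = _django_response(request, oresponse)
@@ -552,7 +553,11 @@
 datetime.now(),
 request.session.session_key)
 _add_sreg(request, orequest, oresponse)
- _check_team_membership(request, orequest, oresponse, False)
+ # if there's no submitted POST data, this is an auto-authorized
+ # (immediate) request
+ immediate = not request.POST
+ _check_team_membership(request, orequest, oresponse,
+ immediate=immediate)
 r = _django_response(request, oresponse, decision, orequest)
 if r.content:
 # Only user-visible content is generated from this view. Wrap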
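Review bot: In the last hunk, `immediate = not request.POST` infers "auto-authorized" from the absence of form data rather than from the decision that was actually taken, although the `+decide` caller already evaluates the explicit condition (`'yes' in request.POST or rpconfig.auto_authorize`). Assuming `immediate=True` makes `_check_team_membership` report teams without consulting the user's per-team approval (its body is outside this diff), any path that reaches this code with an empty POST skips that consent step, while an auto-authorized request that happens to carry a form field silently loses its memberships again. Passing the fact down explicitly would be more robust, for example an `immediate` keyword on `_process_decide` that the caller sets from `rpconfig.auto_authorize`, so the disclosure decision follows the RP configuration rather than the request shape. The enclosing function begins and ends outside the hunk, so its other callers should be checked before the signature changes.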
