Merge lp:~roadmr/canonical-identity-provider/revert-r1586 into lp:canonical-identity-provider/release
- revert-r1586
- Merge into trunk
Proposed by
Daniel Manrique
| Status: | Merged |
|---|---|
| Approved by: | Daniel Manrique |
| Approved revision: | no longer in the source branch. |
| Merge reported by: | Otto Co-Pilot |
| Merged at revision: | not available |
| Proposed branch: | lp:~roadmr/canonical-identity-provider/revert-r1586 |
| Merge into: | lp:canonical-identity-provider/release |
| Diff against target: |
594 lines (+67/-234) 2 files modified
src/ubuntu_sso_saml/processors.py (+13/-38) src/ubuntu_sso_saml/tests/test_processors.py (+54/-196) |
| To merge this branch: | bzr merge lp:~roadmr/canonical-identity-provider/revert-r1586 |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Ricardo Kirkner (community) | Approve | ||
|
Review via email:
|
|||
Commit message
Revert r1586 because it broke non-Canonical logins to support.
Mechanical revert by bzr merge -r 1586..1585 ./
Description of the change
Revert r1586 because it broke non-Canonical logins to support.
Mechanical revert by bzr merge -r 1586..1585 ./
To post a comment you must log in.
Revision history for this message
| Ricardo Kirkner (ricardokirkner) : | # |
review:
Approve
Revision history for this message
| Otto Co-Pilot (otto-copilot) wrote : | # |
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | === modified file 'src/ubuntu_sso_saml/processors.py' |
| 2 | --- src/ubuntu_sso_saml/processors.py 2017-11-10 23:02:24 +0000 |
| 3 | +++ src/ubuntu_sso_saml/processors.py 2017-12-04 16:27:44 +0000 |
| 4 | @@ -30,7 +30,7 @@ |
| 5 | user, _ = email.split('@') |
| 6 | return '.' in user and '+' not in user |
| 7 | |
| 8 | - def _get_preferred_email(self, account): |
| 9 | + def _get_canonical_email(self, account): |
| 10 | preferred = account.preferredemail.email |
| 11 | if (self._is_canonical_email(preferred) and |
| 12 | self._is_long_form_email(preferred)): |
| 13 | @@ -59,7 +59,7 @@ |
| 14 | if trust_root is not None: |
| 15 | rpconfig = OpenIDRPConfig.objects.for_url(trust_root) |
| 16 | if rpconfig is not None and rpconfig.prefer_canonical_email: |
| 17 | - canonical_email = self._get_preferred_email(account) |
| 18 | + canonical_email = self._get_canonical_email(account) |
| 19 | if canonical_email is not None: |
| 20 | preferred = canonical_email |
| 21 | |
| 22 | @@ -105,12 +105,12 @@ |
| 23 | 'saml_url', |
| 24 | 'https://saml.salesforce.com') |
| 25 | |
| 26 | - def _get_preferred_email(self, account): |
| 27 | + def _get_canonical_email(self, account): |
| 28 | """ |
| 29 | For the SalesForce portal, use email+portal@canonical.com. |
| 30 | """ |
| 31 | email = super(SalesForceAttributeProcessor, |
| 32 | - self)._get_preferred_email(account) |
| 33 | + self)._get_canonical_email(account) |
| 34 | if email is not None: |
| 35 | username, domain = email.split('@') |
| 36 | pattern = self._sp_config.get('email_pattern', |
| 37 | @@ -269,40 +269,15 @@ |
| 38 | acs_url = self._request_params.get('ACS_URL') |
| 39 | return get_config_for_acs(acs_url) |
| 40 | |
| 41 | - def _get_preferred_email(self, account): |
| 42 | - """Return the user's preferred email, with some overrides. |
| 43 | - |
| 44 | - Note we don't always honor the account's "preferred" address. |
| 45 | - |
| 46 | - From CanonicalOverrides, whichever matches first of: |
| 47 | - 1- If the account's preferred address is @canonical.com and in |
| 48 | - long-form, use that. |
| 49 | - 2- If the account has *any* long-form @canonical.com address, use that. |
| 50 | - 3- If the account's preferred e-mail is any @canonical.com, use that. |
| 51 | - (but note we don't override-prefer non-long-form @canonical.com) |
| 52 | - |
| 53 | - And from this method, if none of the previous ones matched: |
| 54 | - 4- If the account has a preferred email address, use that. |
| 55 | - |
| 56 | - Rules 3 and 4 overlap because 3 is a subset of 4 (if you don't have a |
| 57 | - long-form email address, we honor whichever address is preferred, |
| 58 | - canonical.com or not) |
| 59 | - |
| 60 | - """ |
| 61 | - # get possible @canonical.com address |
| 62 | - email = super(CanonicalProcessor, self)._get_preferred_email(account) |
| 63 | - if email is None: |
| 64 | - # user did not have a @canonical.com address |
| 65 | - email = account.preferredemail.email |
| 66 | + def _get_canonical_email(self, account): |
| 67 | + email = super(CanonicalProcessor, self)._get_canonical_email(account) |
| 68 | + if email is not None: |
| 69 | + sp_config = self.get_config() |
| 70 | + username, domain = email.split('@') |
| 71 | + email = sp_config.email_pattern.format( |
| 72 | + username=username, domain=domain) |
| 73 | return email |
| 74 | |
| 75 | - def _format_email(self, email): |
| 76 | - sp_config = self.get_config() |
| 77 | - username, domain = email.split('@') |
| 78 | - mangled_email = sp_config.email_pattern.format( |
| 79 | - username=username, domain=domain) |
| 80 | - return mangled_email |
| 81 | - |
| 82 | # saml2idp.base.Processor interface |
| 83 | |
| 84 | def _build_assertion(self): |
| 85 | @@ -333,11 +308,11 @@ |
| 86 | sp_config = self.get_config() |
| 87 | if sp_config is not None: |
| 88 | if sp_config.prefer_canonical_email: |
| 89 | - canonical_email = self._get_preferred_email(account) |
| 90 | + canonical_email = self._get_canonical_email(account) |
| 91 | if canonical_email is not None: |
| 92 | preferred = canonical_email |
| 93 | |
| 94 | - self._subject = self._format_email(preferred) |
| 95 | + self._subject = preferred |
| 96 | |
| 97 | def _format_assertion(self): |
| 98 | sp_config = self.get_config() |
| 99 | |
| 100 | === modified file 'src/ubuntu_sso_saml/tests/test_processors.py' |
| 101 | --- src/ubuntu_sso_saml/tests/test_processors.py 2017-11-21 23:11:27 +0000 |
| 102 | +++ src/ubuntu_sso_saml/tests/test_processors.py 2017-12-04 16:27:44 +0000 |
| 103 | @@ -129,16 +129,6 @@ |
| 104 | def get_request_data(self): |
| 105 | return self.REQUEST_DATA |
| 106 | |
| 107 | - def assert_email_in(self, email, response): |
| 108 | - # This is defined as an assertion to allow classes to override it |
| 109 | - # in order to check for possibly postprocessed e-mail. |
| 110 | - self.assertIn(email, response) |
| 111 | - |
| 112 | - def assert_email_not_in(self, email, response): |
| 113 | - # This is defined as an assertion to allow classes to override it |
| 114 | - # in order to check for possibly postprocessed e-mail. |
| 115 | - self.assertNotIn(email, response) |
| 116 | - |
| 117 | |
| 118 | class CanonicalProcessorBaseTestCase(BaseProcessorTestCase): |
| 119 | |
| 120 | @@ -239,7 +229,7 @@ |
| 121 | samlresponse = get_saml_response(response) |
| 122 | |
| 123 | # Assert: |
| 124 | - self.assert_email_in(self.login_email, samlresponse) |
| 125 | + self.assertIn(self.login_email, samlresponse) |
| 126 | |
| 127 | def test_user_has_different_preferred_email(self): |
| 128 | """ User's preferred email is not being passed as SAML identifier. """ |
| 129 | @@ -273,7 +263,7 @@ |
| 130 | samlresponse = get_saml_response(response) |
| 131 | |
| 132 | # Assert: |
| 133 | - self.assert_email_in(alternate_email, samlresponse) |
| 134 | + self.assertIn(alternate_email, samlresponse) |
| 135 | |
| 136 | def test_user_not_2f_but_no_rpconfig(self): |
| 137 | data = self.get_request_data() |
| 138 | @@ -326,7 +316,7 @@ |
| 139 | samlresponse = self.do_saml_request() |
| 140 | # verify @canonical.com email address is returned despite it's not the |
| 141 | # preferredemail |
| 142 | - self.assert_email_in('first.last@canonical.com', samlresponse) |
| 143 | + self.assertIn('first.last@canonical.com', samlresponse) |
| 144 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 145 | |
| 146 | def test_canonical_email_is_preferred_despite_case(self): |
| 147 | @@ -336,7 +326,7 @@ |
| 148 | samlresponse = self.do_saml_request() |
| 149 | # verify @canonical.com email address is returned despite it's not the |
| 150 | # preferredemail |
| 151 | - self.assert_email_in(email, samlresponse) |
| 152 | + self.assertIn(email, samlresponse) |
| 153 | self.assertNotEqual(email, preferred) |
| 154 | |
| 155 | def test_only_long_form_canonical_email_is_preferred(self): |
| 156 | @@ -353,8 +343,8 @@ |
| 157 | samlresponse = self.do_saml_request() |
| 158 | # verify @canonical.com email address is returned despite it's not the |
| 159 | # preferredemail |
| 160 | - self.assert_email_in('first.last@canonical.com', samlresponse) |
| 161 | - self.assert_email_not_in(email, samlresponse) |
| 162 | + self.assertIn('first.last@canonical.com', samlresponse) |
| 163 | + self.assertNotIn(email, samlresponse) |
| 164 | |
| 165 | def test_canonical_email_is_not_preferred(self): |
| 166 | self.setup_saml_sp(prefer_canonical_email=False) |
| 167 | @@ -362,7 +352,7 @@ |
| 168 | samlresponse = self.do_saml_request() |
| 169 | # verify @canonical.com email address is *not* returned despite because |
| 170 | # the flag was not set |
| 171 | - self.assert_email_in(preferred, samlresponse) |
| 172 | + self.assertIn(preferred, samlresponse) |
| 173 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 174 | |
| 175 | def test_canonical_email_without_rpconfig(self): |
| 176 | @@ -374,7 +364,7 @@ |
| 177 | samlresponse = self.do_saml_request() |
| 178 | # verify @canonical.com email address is *not* returned despite because |
| 179 | # the flag was not set |
| 180 | - self.assert_email_in(preferred, samlresponse) |
| 181 | + self.assertIn(preferred, samlresponse) |
| 182 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 183 | |
| 184 | def test_short_form_canonical_email_ignored(self): |
| 185 | @@ -397,7 +387,7 @@ |
| 186 | |
| 187 | samlresponse = self.do_saml_request() |
| 188 | # verify @canonical.com email address is *not* returned |
| 189 | - self.assert_email_in(preferred, samlresponse) |
| 190 | + self.assertIn(preferred, samlresponse) |
| 191 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 192 | self.assertNotEqual('test@canonical.com', preferred) |
| 193 | |
| 194 | @@ -417,7 +407,7 @@ |
| 195 | username=preferred, password=DEFAULT_USER_PASSWORD) |
| 196 | |
| 197 | samlresponse = self.do_saml_request() |
| 198 | - self.assert_email_in(preferred, samlresponse) |
| 199 | + self.assertIn(preferred, samlresponse) |
| 200 | |
| 201 | def test_multiple_long_form_canonical_emails(self): |
| 202 | self.setup_saml_sp(prefer_canonical_email=True) |
| 203 | @@ -436,8 +426,8 @@ |
| 204 | samlresponse = self.do_saml_request() |
| 205 | # verify @canonical.com email address is returned despite it's not the |
| 206 | # preferredemail |
| 207 | - self.assert_email_in('other.name@canonical.com', samlresponse) |
| 208 | - self.assert_email_not_in('first.last@canonical.com', samlresponse) |
| 209 | + self.assertIn('other.name@canonical.com', samlresponse) |
| 210 | + self.assertNotIn('first.last@canonical.com', samlresponse) |
| 211 | |
| 212 | |
| 213 | class GoogleAppsAssertionCanonicalProcessorTestCase( |
| 214 | @@ -464,17 +454,6 @@ |
| 215 | REQUEST_DATA = salesforce.REQUEST_DATA |
| 216 | PROCESSOR = 'ubuntu_sso_saml.processors.SalesForceAttributeProcessor' |
| 217 | |
| 218 | - # These are used only for asserting the expected address appears in the |
| 219 | - # final saml response. They contain the mangling (+portal, .hr) because |
| 220 | - # our assert_email_in doesn't apply that, and also because the e-mail |
| 221 | - # pattern doesn't change so we know it a priori. |
| 222 | - long_form_canonical_email = 'first.last+portal@canonical.com' |
| 223 | - long_form_canonical_email_uppercase = 'FIRST.LAST+portal@CANONICAL.COM' |
| 224 | - short_form_canonical_email = "test+portal@canonical.com" |
| 225 | - alternative_canonical_email = "other.name+portal@canonical.com" |
| 226 | - short_form_canonical_email_custom_pattern = "test@hr.canonical.com" |
| 227 | - long_form_canonical_email_custom_pattern = "first.last@hr.canonical.com" |
| 228 | - |
| 229 | def setUp(self, *args, **kwargs): |
| 230 | super(SalesForcePortalAssertionTestCase, self).setUp(*args, **kwargs) |
| 231 | target = 'https://somesite.salesforce.com/%(target)s' |
| 232 | @@ -503,23 +482,23 @@ |
| 233 | self.setup_saml_sp(prefer_canonical_email=True) |
| 234 | preferred = self.setup_saml_emails() |
| 235 | samlresponse = self.do_saml_request() |
| 236 | - self.assert_email_in(self.long_form_canonical_email, samlresponse) |
| 237 | + self.assertIn('first.last+portal@canonical.com', samlresponse) |
| 238 | self.assertNotEqual('first.last+portal@canonical.com', preferred) |
| 239 | |
| 240 | def test_canonical_email_is_preferred_despite_case(self): |
| 241 | email = 'FIRST.LAST@CANONICAL.COM' |
| 242 | + portal_email = 'FIRST.LAST+portal@CANONICAL.COM' |
| 243 | self.setup_saml_sp(prefer_canonical_email=True) |
| 244 | preferred = self.setup_saml_emails(email=email) |
| 245 | samlresponse = self.do_saml_request() |
| 246 | # verify @canonical.com email address is returned despite it's not the |
| 247 | # preferredemail |
| 248 | - self.assert_email_in( |
| 249 | - self.long_form_canonical_email_uppercase, samlresponse) |
| 250 | - self.assertNotEqual( |
| 251 | - self.long_form_canonical_email_uppercase, preferred) |
| 252 | + self.assertIn(portal_email, samlresponse) |
| 253 | + self.assertNotEqual(portal_email, preferred) |
| 254 | |
| 255 | def test_only_long_form_canonical_email_is_preferred(self): |
| 256 | email = self.login_email |
| 257 | + portal_email = 'first.last+portal@canonical.com' |
| 258 | # add non-preferred long form email address |
| 259 | EmailAddress.objects.create( |
| 260 | account=self.account, email='first.last+alias@canonical.com', |
| 261 | @@ -532,32 +511,28 @@ |
| 262 | samlresponse = self.do_saml_request() |
| 263 | # verify @canonical.com email address is returned despite it's not the |
| 264 | # preferredemail |
| 265 | - self.assert_email_in(self.long_form_canonical_email, samlresponse) |
| 266 | - self.assertNotEqual(self.long_form_canonical_email, preferred) |
| 267 | + self.assertIn(portal_email, samlresponse) |
| 268 | + self.assertNotEqual(portal_email, preferred) |
| 269 | |
| 270 | def test_non_canonical_email(self): |
| 271 | - samlresponse = self._test_non_canonical_email() |
| 272 | + # prepare account for SAML |
| 273 | + account = self.factory.make_account() |
| 274 | + preferred = account.preferredemail.email |
| 275 | + self.factory.add_account_to_team(account, self.saml2team) |
| 276 | + self.setup_saml_sp(prefer_canonical_email=True) |
| 277 | + |
| 278 | + # make sure account has only one email |
| 279 | + assert account.emailaddress_set.count() == 1 |
| 280 | + # and it's not a @canonical.com one |
| 281 | + assert '@canonical.com' not in preferred |
| 282 | + |
| 283 | + assert self.client.login( |
| 284 | + username=preferred, password=DEFAULT_USER_PASSWORD) |
| 285 | + |
| 286 | + samlresponse = self.do_saml_request() |
| 287 | + self.assertIn(preferred, samlresponse) |
| 288 | self.assertNotIn('+portal@', samlresponse) |
| 289 | |
| 290 | - def _test_non_canonical_email(self): |
| 291 | - # prepare account for SAML |
| 292 | - account = self.factory.make_account() |
| 293 | - preferred = account.preferredemail.email |
| 294 | - self.factory.add_account_to_team(account, self.saml2team) |
| 295 | - self.setup_saml_sp(prefer_canonical_email=True) |
| 296 | - |
| 297 | - # make sure account has only one email |
| 298 | - assert account.emailaddress_set.count() == 1 |
| 299 | - # and it's not a @canonical.com one |
| 300 | - assert '@canonical.com' not in preferred |
| 301 | - |
| 302 | - assert self.client.login( |
| 303 | - username=preferred, password=DEFAULT_USER_PASSWORD) |
| 304 | - |
| 305 | - samlresponse = self.do_saml_request() |
| 306 | - self.assert_email_in(preferred, samlresponse) |
| 307 | - return samlresponse |
| 308 | - |
| 309 | def test_multiple_long_form_canonical_emails(self): |
| 310 | self.setup_saml_sp(prefer_canonical_email=True) |
| 311 | self.setup_saml_emails() |
| 312 | @@ -575,9 +550,8 @@ |
| 313 | samlresponse = self.do_saml_request() |
| 314 | # verify @canonical.com email address is returned despite it's not the |
| 315 | # preferredemail |
| 316 | - self.assert_email_in(self.alternative_canonical_email, samlresponse) |
| 317 | - self.assert_email_not_in( |
| 318 | - 'first.last+portal@canonical.com', samlresponse) |
| 319 | + self.assertIn('other.name+portal@canonical.com', samlresponse) |
| 320 | + self.assertNotIn('first.last+portal@canonical.com', samlresponse) |
| 321 | |
| 322 | def test_portal_deeplink(self): |
| 323 | """Unable to produce a valid Portal Assertion. |
| 324 | @@ -611,7 +585,7 @@ |
| 325 | port_val = port_attr[0].find('attributevalue') |
| 326 | |
| 327 | # Assert: |
| 328 | - self.assert_email_in(self.login_email, samlresponse) |
| 329 | + self.assertIn(self.login_email, samlresponse) |
| 330 | self.assertEqual(relaystate, |
| 331 | 'https://somesite.salesforce.com/SOMETARGETID') |
| 332 | self.assertEqual(org_val.text, 'SAMPLE_ORG_ID') |
| 333 | @@ -653,7 +627,7 @@ |
| 334 | assert len(port_attr) == 0 |
| 335 | |
| 336 | # Assert: |
| 337 | - self.assert_email_in(self.login_email, samlresponse) |
| 338 | + self.assertIn(self.login_email, samlresponse) |
| 339 | self.assertEqual(relaystate, |
| 340 | 'https://somesite.salesforce.com/SOMETARGETID') |
| 341 | self.assertEqual(org_val.text, 'SAMPLE_ORG_ID') |
| 342 | @@ -678,8 +652,7 @@ |
| 343 | |
| 344 | samlresponse = self.do_saml_request() |
| 345 | # make sure the login email was transformed |
| 346 | - self.assert_email_in( |
| 347 | - self.long_form_canonical_email_custom_pattern, samlresponse) |
| 348 | + self.assertIn('first.last@hr.canonical.com', samlresponse) |
| 349 | |
| 350 | def test_custom_email_pattern_with_short_form_canonical_email(self): |
| 351 | # patch remote config |
| 352 | @@ -706,8 +679,7 @@ |
| 353 | |
| 354 | samlresponse = self.do_saml_request() |
| 355 | # make sure the login email was transformed |
| 356 | - self.assert_email_in( |
| 357 | - self.short_form_canonical_email_custom_pattern, samlresponse) |
| 358 | + self.assertIn('test@hr.canonical.com', samlresponse) |
| 359 | |
| 360 | def make_saml_request(self, acs_url=None, saml_url=None): |
| 361 | saml_request = self.REQUEST_DATA['SAMLRequest'] |
| 362 | @@ -776,15 +748,6 @@ |
| 363 | class SalesForcePortalAssertionCanonicalProcessorTestCase( |
| 364 | CanonicalProcessorBaseTestCase, SalesForcePortalAssertionTestCase): |
| 365 | |
| 366 | - # The e-mail addresses to verify don't need the e-mail pattern pre-applied |
| 367 | - # because it's applied consistently and checked by assert_email_in. |
| 368 | - long_form_canonical_email = 'first.last@canonical.com' |
| 369 | - long_form_canonical_email_uppercase = 'FIRST.LAST@CANONICAL.COM' |
| 370 | - short_form_canonical_email = "test@canonical.com" |
| 371 | - alternative_canonical_email = "other.name@canonical.com" |
| 372 | - short_form_canonical_email_custom_pattern = "test@canonical.com" |
| 373 | - long_form_canonical_email_custom_pattern = "first.last@canonical.com" |
| 374 | - |
| 375 | def setup_saml_sp(self, **kwargs): |
| 376 | # define a default value for the email pattern if none is given |
| 377 | kwargs.setdefault('email_pattern', '{username}+portal@{domain}') |
| 378 | @@ -804,38 +767,6 @@ |
| 379 | SalesForcePortalAssertionCanonicalProcessorTestCase, |
| 380 | self).setup_saml_sp(**kwargs) |
| 381 | |
| 382 | - def assert_email_in(self, email, response): |
| 383 | - # Since this uses CanonicalProcessor, the email_pattern is applied |
| 384 | - # to all users, @canonical.com or not. |
| 385 | - |
| 386 | - # We always use the same remote. |
| 387 | - # This logic replicates what the CanonicalProcessor has in |
| 388 | - # _format_email. |
| 389 | - pattern = saml2idp_metadata.SAML2IDP_REMOTES['foobar']['email_pattern'] |
| 390 | - username, domain = email.split('@') |
| 391 | - mangled_email = pattern.format( |
| 392 | - username=username, domain=domain) |
| 393 | - |
| 394 | - self.assertIn(mangled_email, response) |
| 395 | - |
| 396 | - def assert_email_not_in(self, email, response): |
| 397 | - # Since this uses CanonicalProcessor, the email_pattern is applied |
| 398 | - # to all users, @canonical.com or not. |
| 399 | - |
| 400 | - # We always use the same remote. |
| 401 | - # This logic replicates what the CanonicalProcessor has in |
| 402 | - # _format_email. |
| 403 | - pattern = saml2idp_metadata.SAML2IDP_REMOTES['foobar']['email_pattern'] |
| 404 | - username, domain = email.split('@') |
| 405 | - mangled_email = pattern.format( |
| 406 | - username=username, domain=domain) |
| 407 | - |
| 408 | - self.assertNotIn(mangled_email, response) |
| 409 | - |
| 410 | - def test_non_canonical_email(self): |
| 411 | - self._test_non_canonical_email() |
| 412 | - # No need to check for absence of +portal@ |
| 413 | - |
| 414 | |
| 415 | class ExpensifyAssertionTestCase(GoogleAppsAssertionTestCase): |
| 416 | """Test SAML Assertions for an Expensify Service Point.""" |
| 417 | @@ -1268,7 +1199,7 @@ |
| 418 | self.assertNotIn('<saml:AudienceRestriction>', samlresponse) |
| 419 | |
| 420 | def assert_saml_response_email(self, samlresponse, email): |
| 421 | - self.assert_email_in(email, samlresponse) |
| 422 | + self.assertIn(email, samlresponse) |
| 423 | |
| 424 | def get_request_data(self, compressed=True): |
| 425 | data = dict(**self.REQUEST_DATA) |
| 426 | @@ -1353,39 +1284,6 @@ |
| 427 | self.assert_saml_response_email( |
| 428 | samlresponse, 'first.last+test@canonical.com') |
| 429 | |
| 430 | - def test_email_pattern_applied_canonical_email(self): |
| 431 | - # This simply tests application of the pattern for @canonical.com |
| 432 | - # addresses. This account has two of those. |
| 433 | - self.setup_saml_sp(email_pattern='{username}+test@{domain}', |
| 434 | - prefer_canonical_email=True, enabled=True) |
| 435 | - self.setup_saml_emails(email="first.last@canonical.com") |
| 436 | - |
| 437 | - samlresponse = self.do_saml_request() |
| 438 | - self.assert_successful_saml_response(samlresponse) |
| 439 | - self.assert_saml_response_email( |
| 440 | - samlresponse, 'first.last+test@canonical.com') |
| 441 | - |
| 442 | - def test_email_pattern_applied_non_canonical_email_only(self): |
| 443 | - # Tests application of the pattern for non-@canonical.com. |
| 444 | - # This account has 2 addresses, we also indirectly check that |
| 445 | - # when no @canonical.com addresses exist, the preferred one |
| 446 | - # is used. Scenario 4 of _get_preferred_email. |
| 447 | - self.setup_saml_sp(email_pattern='{username}+test@{domain}', |
| 448 | - prefer_canonical_email=True, enabled=True) |
| 449 | - self.login_email = 'first.last@bazquux.com' |
| 450 | - EmailAddress.objects.create( |
| 451 | - account=self.account, email=self.login_email, |
| 452 | - status=EmailStatus.PREFERRED) |
| 453 | - # Set up an additional non-canonical address |
| 454 | - self.setup_saml_emails(email="first.last@foobar.com") |
| 455 | - |
| 456 | - samlresponse = self.do_saml_request() |
| 457 | - self.assert_successful_saml_response(samlresponse) |
| 458 | - # Must get the preferred non-canonical email with the email_pattern |
| 459 | - # applied |
| 460 | - self.assert_saml_response_email( |
| 461 | - samlresponse, 'first.last+test@bazquux.com') |
| 462 | - |
| 463 | def test_disabled_db_spconfig_falls_back_to_settings(self): |
| 464 | # make sure there is an "old/custom" processor handling this request |
| 465 | self.ACS_URL = google_apps.GOOGLE_APPS_ACS |
| 466 | @@ -1418,34 +1316,13 @@ |
| 467 | response = client.post('/+saml', data=data, follow=False) |
| 468 | self.assertEqual(response.status_code, 302) |
| 469 | |
| 470 | - def test_long_canonical_email_is_used_when_preferred(self): |
| 471 | - # This account has 2 addresses, both @canonical.com, with the |
| 472 | - # long-form one being preferred. |
| 473 | - # This is scenario 1 of _get_preferred_email. |
| 474 | - self.setup_saml_sp(prefer_canonical_email=True) |
| 475 | - self.setup_saml_emails() |
| 476 | - # Flip preferredness |
| 477 | - short_email = EmailAddress.objects.get( |
| 478 | - account=self.account, email='test@canonical.com') |
| 479 | - short_email.status = EmailStatus.VALIDATED |
| 480 | - short_email.save() |
| 481 | - long_email = EmailAddress.objects.get( |
| 482 | - account=self.account, email='first.last@canonical.com') |
| 483 | - long_email.status = EmailStatus.PREFERRED |
| 484 | - long_email.save() |
| 485 | - samlresponse = self.do_saml_request() |
| 486 | - self.assert_email_in('first.last@canonical.com', samlresponse) |
| 487 | - |
| 488 | def test_canonical_email_is_preferred(self): |
| 489 | - # This account has 2 addresses, both @canonical.com. The short |
| 490 | - # one is marked as preferred, the long-form one is not. |
| 491 | - # This is scenario 2 of _get_preferred_email. |
| 492 | self.setup_saml_sp(prefer_canonical_email=True) |
| 493 | preferred = self.setup_saml_emails() |
| 494 | samlresponse = self.do_saml_request() |
| 495 | - # verify long-form@canonical.com email address is returned despite it's |
| 496 | - # not the preferredemail |
| 497 | - self.assert_email_in('first.last@canonical.com', samlresponse) |
| 498 | + # verify @canonical.com email address is returned despite it's not the |
| 499 | + # preferredemail |
| 500 | + self.assertIn('first.last@canonical.com', samlresponse) |
| 501 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 502 | |
| 503 | def test_canonical_email_is_preferred_despite_case(self): |
| 504 | @@ -1455,7 +1332,7 @@ |
| 505 | samlresponse = self.do_saml_request() |
| 506 | # verify @canonical.com email address is returned despite it's not the |
| 507 | # preferredemail |
| 508 | - self.assert_email_in(email, samlresponse) |
| 509 | + self.assertIn(email, samlresponse) |
| 510 | self.assertNotEqual(email, preferred) |
| 511 | |
| 512 | def test_only_long_form_canonical_email_is_preferred(self): |
| 513 | @@ -1472,8 +1349,8 @@ |
| 514 | samlresponse = self.do_saml_request() |
| 515 | # verify @canonical.com email address is returned despite it's not the |
| 516 | # preferredemail |
| 517 | - self.assert_email_in('first.last@canonical.com', samlresponse) |
| 518 | - self.assert_email_not_in(email, samlresponse) |
| 519 | + self.assertIn('first.last@canonical.com', samlresponse) |
| 520 | + self.assertNotIn(email, samlresponse) |
| 521 | |
| 522 | def test_canonical_email_is_not_preferred(self): |
| 523 | self.setup_saml_sp(prefer_canonical_email=False) |
| 524 | @@ -1481,7 +1358,7 @@ |
| 525 | samlresponse = self.do_saml_request() |
| 526 | # verify @canonical.com email address is *not* returned despite because |
| 527 | # the flag was not set |
| 528 | - self.assert_email_in(preferred, samlresponse) |
| 529 | + self.assertIn(preferred, samlresponse) |
| 530 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 531 | |
| 532 | def test_non_preferred_short_form_canonical_email_ignored(self): |
| 533 | @@ -1504,7 +1381,7 @@ |
| 534 | |
| 535 | samlresponse = self.do_saml_request() |
| 536 | # verify @canonical.com email address is *not* returned |
| 537 | - self.assert_email_in(preferred, samlresponse) |
| 538 | + self.assertIn(preferred, samlresponse) |
| 539 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 540 | self.assertNotEqual('test@canonical.com', preferred) |
| 541 | |
| 542 | @@ -1528,31 +1405,12 @@ |
| 543 | |
| 544 | samlresponse = self.do_saml_request() |
| 545 | # verify @canonical.com email address is *not* returned |
| 546 | - self.assert_email_in(preferred, samlresponse) |
| 547 | + self.assertIn(preferred, samlresponse) |
| 548 | self.assertEqual('test@canonical.com', preferred) |
| 549 | self.assertNotEqual('first.last@canonical.com', preferred) |
| 550 | self.assertNotEqual('foo@foo.com', preferred) |
| 551 | |
| 552 | - def test_short_form_canonical_email_used_if_preferred(self): |
| 553 | - # This covers scenario 3 of _get_preferred_email. If the account has a |
| 554 | - # @canonical.com preferred address and no long-form @canonical.com, we |
| 555 | - # use the preferred @canonical.com address. |
| 556 | - # make sure the short email is the preferred address |
| 557 | - self.setup_saml_sp(prefer_canonical_email=True) |
| 558 | - preferred = self.setup_saml_emails('short@canonical.com') |
| 559 | - assert preferred == 'test@canonical.com' |
| 560 | - # Now the account has: |
| 561 | - # test@canonical.com PREFERRED, created by default by test setup |
| 562 | - # short@canonical.com VALIDATED |
| 563 | - |
| 564 | - samlresponse = self.do_saml_request() |
| 565 | - self.assert_email_in('test@canonical.com', samlresponse) |
| 566 | - self.assert_email_not_in('short@canonical.com', samlresponse) |
| 567 | - |
| 568 | def test_non_canonical_email(self): |
| 569 | - # This covers scenario 4 of _get_preferred_email. If the account |
| 570 | - # has no @canonical.com address, we return whichever one |
| 571 | - # is marked as preferred. |
| 572 | # prepare account for SAML |
| 573 | account = self.factory.make_account() |
| 574 | preferred = account.preferredemail.email |
| 575 | @@ -1568,7 +1426,7 @@ |
| 576 | username=preferred, password=DEFAULT_USER_PASSWORD) |
| 577 | |
| 578 | samlresponse = self.do_saml_request() |
| 579 | - self.assert_email_in(preferred, samlresponse) |
| 580 | + self.assertIn(preferred, samlresponse) |
| 581 | |
| 582 | def test_multiple_long_form_canonical_emails(self): |
| 583 | self.setup_saml_sp(prefer_canonical_email=True) |
| 584 | @@ -1587,8 +1445,8 @@ |
| 585 | samlresponse = self.do_saml_request() |
| 586 | # verify @canonical.com email address is returned despite it's not the |
| 587 | # preferredemail |
| 588 | - self.assert_email_in('other.name@canonical.com', samlresponse) |
| 589 | - self.assert_email_not_in('first.last@canonical.com', samlresponse) |
| 590 | + self.assertIn('other.name@canonical.com', samlresponse) |
| 591 | + self.assertNotIn('first.last@canonical.com', samlresponse) |
| 592 | |
| 593 | def test_validate_bogus_acs_domain(self): |
| 594 | self.setup_saml_sp(acs_domain='bogus.domain') |
Running landing tests failed
https:/