Canonical SSO provider

Merge ~silverdrake11/canonical-identity-provider:ax-verified-emails into canonical-identity-provider:master

Git
lp:~silverdrake11/canonical-identity-provider
ax-verified-emails
Merge into master

Proposed by Kevin Nasto on 2022-04-11

Status:	Merged
Approved by:	Daniel Manrique on 2022-04-13
Approved revision:	5c23068c8d3ef9cd7b670c025c577e62f6ba169a
Merge reported by:	Otto Co-Pilot
Merged at revision:	not available
Proposed branch:	~silverdrake11/canonical-identity-provider:ax-verified-emails
Merge into:	canonical-identity-provider:master
Diff against target:	183 lines (+93/-0) 5 files modified README (+2/-0) src/identityprovider/const.py (+3/-0) src/identityprovider/forms.py (+14/-0) src/identityprovider/tests/test_forms.py (+46/-0) src/identityprovider/tests/test_views_server.py (+28/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
John Paraskevopoulos		Approve on 2022-04-13
Daniel Manrique (community)	2022-04-11	Approve on 2022-04-12
Review via email: mp+419248@code.launchpad.net

Commit message

This adds an ax attribute which can be requested during login via the ax uri (alias "extra_emails"). This attribute contains a comma separated list of additional verified email addresses not including the preferred one.

This is useful to get emails associated with an ubuntu login id. In Landscape we would want to prevent using notification emails not associated with the current ubuntu login. Also tie invitations to current ubuntu login, and verify emails in one interface.

Revision history for this message

Daniel Manrique (roadmr) wrote on 2022-04-12:

Looks good, a minor suggestion to simplify the _get_extra_emails method but it's optional.

review: Approve

~silverdrake11/canonical-identity-provider:ax-verified-emails updated on 2022-04-12

9f3b1f2... by Kevin Nasto on 2022-04-12: insert spaces for ui separating ax emails, unicode, list comprehension, linter errors

Revision history for this message

Kevin Nasto (silverdrake11) wrote on 2022-04-12:

> Looks good, a minor suggestion to simplify the _get_extra_emails method but
> it's optional.

Thanks for the heads up I fixed it

Revision history for this message

John Paraskevopoulos (quantifics) wrote on 2022-04-13:

From what I see this MP doesn't clash with the issues (and fixes) we faced in the Python 3 transition. Those issues were related to the way python and django were validating email addresses when sending emails. So since this is for extra form fields, there's no conflict.

LGTM as well

review: Approve

~silverdrake11/canonical-identity-provider:ax-verified-emails updated on 2022-04-13

5e856c0... by Kevin Nasto on 2022-04-13: Added readme instructions if common issue occurs with LXC
5c23068... by Kevin Nasto on 2022-04-13: REAME typo version

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Online Services

Christina A Reitbauer

Kevin Nasto

Sang nyoman trimayasa

Ubuntu One hackers

 diff --git a/README b/README
 index c7bf2ed..bf67ddb 100644
 --- a/README
 +++ b/README
@@ -65,6 +65,8 @@ you can e.g. ``git clone`` from Launchpad without problems)::
  From now on, instructions will assume you're inside the sso-xenial container,
  unless otherwise noted.
++Important note. If you have issues with accessing the network in the LXC container and you are running 21.10 or greater as your host system. For example ``Temporary failure resolving 'archive.ubuntu.com'``. Then you are impacted by this issue https://github.com/lxc/lxd/issues/9413 Follow the instructions there to update your grub config to fix it. Otherwise use Multipass.
++
 . Get the code
  .. note::
 diff --git a/src/identityprovider/const.py b/src/identityprovider/const.py
 index 44756d0..be9e055 100644
 --- a/src/identityprovider/const.py
 +++ b/src/identityprovider/const.py
@@ -32,6 +32,7 @@ AX_URI_EMAIL = 'http://axschema.org/contact/email'
  AX_URI_TIMEZONE = 'http://axschema.org/timezone'
  AX_URI_LANGUAGE = 'http://axschema.org/language/pref'
  AX_URI_ACCOUNT_VERIFIED = 'http://ns.login.ubuntu.com/2013/validation/account'
++AX_URI_EXTRA_EMAILS = 'http://ns.login.ubuntu.com/2022/emails'
  AX_DATA_FIELDS = NamespaceMap()
  AX_DATA_FIELDS.addAlias(AX_URI_FULL_NAME, 'fullname')
@@ -40,6 +41,7 @@ AX_DATA_FIELDS.addAlias(AX_URI_EMAIL, 'email')
  AX_DATA_FIELDS.addAlias(AX_URI_TIMEZONE, 'timezone')
  AX_DATA_FIELDS.addAlias(AX_URI_LANGUAGE, 'language')
  AX_DATA_FIELDS.addAlias(AX_URI_ACCOUNT_VERIFIED, 'account_verified')
++AX_DATA_FIELDS.addAlias(AX_URI_EXTRA_EMAILS, 'extra_emails')
  AX_DATA_LABELS = {
      'fullname': 'Full name',
@@ -48,6 +50,7 @@ AX_DATA_LABELS = {
      'timezone': 'Time zone',
      'language': 'Preferred language',
      'account_verified': 'Account verified',
++    'extra_emails': 'Additional emails',
+ }
  MACAROON_NS = 'http://ns.login.ubuntu.com/2016/openid-macaroon'
 diff --git a/src/identityprovider/forms.py b/src/identityprovider/forms.py
 index 61ab346..cc8c21b 100644
 --- a/src/identityprovider/forms.py
 +++ b/src/identityprovider/forms.py
@@ -550,6 +550,17 @@ class UserAttribsRequestForm(Form):
          self.label_suffix = ''
          self._init_fields(self.data)
++    def _get_extra_emails(self):
++        '''
++        Get verified emails for ax field but filter out preferred one since
++        we already have it, keeping the user facing UI clean
++        '''
++        user = self.request.user
++        preferred = user.preferredemail.email
++        verified_emails = user.verified_emails()
++        emails = [e.email for e in verified_emails if e.email != preferred]
++        return emails
++
      def _split_and_filter_requested_attributes(self):
          # Merge the requested attributes from sreg_request and ax_request and
          # filter out any that we don't recognise or that aren't allowed by our
@@ -595,6 +606,9 @@ class UserAttribsRequestForm(Form):
          else:
              values['language'] = translation.get_language_from_request(
                  self.request)
++        extra_emails = self._get_extra_emails()
++        if extra_emails:  # Comma and space delimited for UI readability
++            values['extra_emails'] = u', '.join(extra_emails)
          values['account_verified'] = (
              'token_via_email' if user.is_verified else 'no')
          logger.debug('user attrib values = %s', str(values))
 diff --git a/src/identityprovider/tests/test_forms.py b/src/identityprovider/tests/test_forms.py
 index 4bcf04c..2c03604 100644
 --- a/src/identityprovider/tests/test_forms.py
 +++ b/src/identityprovider/tests/test_forms.py
@@ -23,6 +23,7 @@ from openid.extensions.sreg import SRegRequest
  from identityprovider.const import (
      AX_URI_ACCOUNT_VERIFIED,
      AX_URI_EMAIL,
++    AX_URI_EXTRA_EMAILS,
      AX_URI_FULL_NAME,
      AX_URI_LANGUAGE,
+ )
@@ -988,6 +989,51 @@ class UserAttribsRequestFormTest(SSOBaseTestCase):
          self.assertIn('fullname', form.data_approved_for_request)
          self.assertNotIn('email', form.data_approved_for_request)
++    def test_ax_extra_emails_field(self):
++        '''
++        Basic test of the additional emails field. Test that emails show up
++        correctly in the form and preferred does not
++        '''
++        hello_email = u'helloÑ@example.com'  # Test unicode char as well
++        world_email = u'world@example.com'
++        self.factory.make_email_for_account(email=hello_email,
++                                            account=self.test_user)
++        self.factory.make_email_for_account(email=world_email,
++                                            account=self.test_user)
++        self.rpconfig.allowed_user_attribs = 'email,extra_emails'
++        ax_request = FetchRequest()
++        ax_request.add(
++            AttrInfo(AX_URI_EXTRA_EMAILS, alias='extra_emails', required=True))
++        ax_request.add(
++            AttrInfo(AX_URI_EMAIL, alias='email', required=True))
++        form = UserAttribsRequestForm(
++            request=self._get_request_with_post_args(), sreg_request=None,
++            ax_request=ax_request, rpconfig=self.rpconfig)
++        form_data = form.data_approved_for_request
++        self.assertIn('extra_emails', form_data)
++        self.assertIn('email', form_data)
++        extra_emails = set(form_data['extra_emails'].split(', '))
++        self.assertEqual(len(extra_emails), 2)
++        self.assertIn(hello_email, extra_emails)
++        self.assertIn(world_email, extra_emails)
++
++    def test_ax_extra_emails_field_empty(self):
++        '''
++        Test that field does not show up if there are no extra emails
++        '''
++        self.rpconfig.allowed_user_attribs = 'email,extra_emails'
++        ax_request = FetchRequest()
++        ax_request.add(
++            AttrInfo(AX_URI_EXTRA_EMAILS, alias='extra_emails', required=True))
++        ax_request.add(
++            AttrInfo(AX_URI_EMAIL, alias='email', required=True))
++        form = UserAttribsRequestForm(
++            request=self._get_request_with_post_args(), sreg_request=None,
++            ax_request=ax_request, rpconfig=self.rpconfig)
++        form_data = form.data_approved_for_request
++        self.assertNotIn('extra_emails', form_data)
++        self.assertIn('email', form_data)
++
      def test_ax_required_fields_for_trusted_site(self):
          """The server should always return values for required fields to
          trusted sites, regardless of the state of the checkbox in the UI.
 diff --git a/src/identityprovider/tests/test_views_server.py b/src/identityprovider/tests/test_views_server.py
 index 29a8b5a..3b01834 100644
 --- a/src/identityprovider/tests/test_views_server.py
 +++ b/src/identityprovider/tests/test_views_server.py
@@ -44,6 +44,7 @@ from identityprovider.const import (
      AX_DATA_FIELDS,
      AX_URI_ACCOUNT_VERIFIED,
      AX_URI_EMAIL,
++    AX_URI_EXTRA_EMAILS,
      AX_URI_FULL_NAME,
      AX_URI_LANGUAGE,
      MACAROON_NS,
@@ -1021,6 +1022,33 @@ class DecideTestCase(DecideBaseTestCase):
          self.assertContains(response, "Email address")
          self.assertContains(response, "Account verified")
++    def test_list_of_details_extra_emails_present(self):
++        '''
++        Ensure that the extra emails field gets displayed correctly
++        '''
++        self.factory.make_email_for_account(email="hello@world.com",
++                                            account=self.account)
++
++        # create a trusted rpconfig
++        rpconfig = OpenIDRPConfig(
++            trust_root='http://localhost/',
++            allowed_user_attribs='email,extra_emails',
++            description="Some description",
++        )
++        rpconfig.save()
++        param_overrides = {
++            'openid.ns.ax': AXMessage.ns_uri,
++            'openid.ax.mode': FetchRequest.mode,
++            'openid.ax.type.extra_emails': AX_URI_EXTRA_EMAILS,
++            'openid.ax.type.email': AX_URI_EMAIL,
++            'openid.ax.required': 'email,extra_emails',
++        }
++        self._prepare_openid_token(param_overrides=param_overrides)
++        response = self.client.get('/%s/+decide' % self.token)
++        self.assertContains(response, "Additional emails")
++        self.assertContains(response, "Email address")
++        self.assertContains(response, "hello@world.com")
++
      def _test_state_of_checkboxes_and_data_formats(
              self, dom, field, label=None, value=None, required=False,
              disabled=False, checked=False):

Canonical SSO provider

Merge ~silverdrake11/canonical-identity-provider:ax-verified-emails into canonical-identity-provider:master

Commit message

Description of the change

Preview Diff

Subscribers