[18.0][MIG] auth_saml: Migration to 18.0
Showing
7 changed files
with
130 additions
and
38 deletions.
@@ -125,7 +125,7 @@ def test__compute_sp_metadata_url__provider_has_sp_baseurl(self): | |
{"p": self.saml_provider.id, "d": self.env.cr.dbname} | ||
) | ||
expected_url = urllib.parse.urljoin( | ||
"http://example.com", f"/auth_saml/metadata?{expected_qs}" | ||
"http://example.com", (f"/auth_saml/metadata?{expected_qs}") | ||
) | ||
# Assert that sp_metadata_url is set correctly | ||
self.assertEqual(self.saml_provider.sp_metadata_url, expected_url) | ||
|
@@ -200,7 +200,10 @@ def test_login_no_saml(self): | |
|
||
# Try to log in with a non-existing SAML token | ||
with self.assertRaises(AccessDenied): | ||
self.authenticate(user="[email protected]", password="test_saml_token") | ||
self.user._check_credentials( | ||
{"type": "password", "password": "test_saml_token"}, | ||
{"interactive": True}, | ||
) | ||
|
||
redirect_url = self.saml_provider._get_auth_request() | ||
self.assertIn("http://localhost:8000/sso/redirect?SAMLRequest=", redirect_url) | ||
|
@@ -254,7 +257,10 @@ def test_login_with_saml(self): | |
|
||
# We should not be able to log in with the wrong token | ||
with self.assertRaises(AccessDenied): | ||
self.authenticate(user="[email protected]", password=f"{token}-WRONG") | ||
self.user._check_credentials( | ||
{"type": "password", "password": "WRONG_TOKEN"}, | ||
{"interactive": True}, | ||
) | ||
|
||
# User should now be able to log in with the token | ||
self.authenticate(user="[email protected]", password=token) | ||
|
@@ -268,8 +274,9 @@ def test_disallow_user_password_when_changing_ir_config_parameter(self): | |
).value = "False" | ||
# The password should be blank and the user should not be able to connect | ||
with self.assertRaises(AccessDenied): | ||
self.authenticate( | ||
user="[email protected]", password="NesTNSte9340D720te>/-A" | ||
self.user._check_credentials( | ||
{"type": "password", "password": "NesTNSte9340D720te>/-A"}, | ||
{"interactive": True}, | ||
) | ||
|
||
def test_disallow_user_password_new_user(self): | ||
|
@@ -332,18 +339,19 @@ def test_disallow_user_password_no_password_set(self): | |
with self.assertRaises(ValidationError): | ||
user.password = "new password" | ||
|
||
def test_disallow_user_password(self): | ||
def test_disallow_user_password_on_option_disable(self): | ||
"""Test that existing user password is deleted when adding an SAML provider when | ||
the disallow option is set.""" | ||
self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa") | ||
# change the option | ||
self.browse_ref( | ||
"auth_saml.allow_saml_uid_and_internal_password" | ||
).value = "False" | ||
# Test that existing user password is deleted when adding an SAML provider | ||
self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa") | ||
self.add_provider_to_user() | ||
with self.assertRaises(AccessDenied): | ||
self.authenticate(user="[email protected]", password="Lu,ums-7vRU>0i]=YDLa") | ||
self.user._check_credentials( | ||
{"type": "password", "password": "Lu,ums-7vRU>0i]=YDLa"}, | ||
{"interactive": True}, | ||
) | ||
|
||
def test_disallow_user_admin_can_have_password(self): | ||
"""Test that admin can have its password set | ||
|
@@ -417,6 +425,42 @@ def test_disallow_user_password_when_changing_settings(self): | |
).execute() | ||
|
||
with self.assertRaises(AccessDenied): | ||
self.authenticate( | ||
user="[email protected]", password="NesTNSte9340D720te>/-A" | ||
self.user._check_credentials( | ||
{"type": "password", "password": "NesTNSte9340D720te>/-A"}, | ||
{"interactive": True}, | ||
) | ||
|
||
def test_saml_metadata_invalid_provider(self): | ||
"""Accessing SAML metadata with an invalid provider ID should return 404.""" | ||
response = self.url_open( | ||
f"/auth_saml/metadata?p=999999&d={self.env.cr.dbname}" | ||
) | ||
self.assertEqual(response.status_code, 404) | ||
self.assertIn("Unknown provider", response.text) | ||
|
||
def test_saml_metadata_missing_parameters(self): | ||
"""Accessing the SAML metadata endpoint without params should return 404.""" | ||
response = self.url_open("/auth_saml/metadata") | ||
self.assertEqual(response.status_code, 404) | ||
self.assertIn("Missing parameters", response.text) | ||
|
||
def test_saml_metadata_invalid_provider(self): | ||
"""Accessing SAML metadata with an invalid provider ID should return 404.""" | ||
response = self.url_open( | ||
"/auth_saml/metadata?p=999999&d=%s" % self.env.cr.dbname | ||
) | ||
self.assertEqual(response.status_code, 404) | ||
self.assertIn("Unknown provider", response.text) | ||
|
||
def test_saml_provider_deactivation(self): | ||
"""A deactivated SAML provider should not be usable for authentication.""" | ||
self.saml_provider.active = False | ||
|
||
redirect_url = self.saml_provider._get_auth_request() | ||
response = self.idp.fake_login(redirect_url) | ||
unpacked_response = response._unpack() | ||
|
||
with self.assertRaises(AccessDenied): | ||
self.env["res.users"].sudo().auth_saml( | ||
self.saml_provider.id, unpacked_response.get("SAMLResponse"), None | ||
) |
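Review bot: `test_saml_metadata_invalid_provider` is defined twice in the last hunk, once building the URL with an f-string and once with `%` formatting; the second `def` rebinds the same class attribute, so the first body is never collected and one of the two copies is dead code (ruff/flake8 report this as F811). Keep a single copy — the f-string form, `f"/auth_saml/metadata?p=999999&d={self.env.cr.dbname}"`, matches the style used in `test__compute_sp_metadata_url__provider_has_sp_baseurl` in the first hunk — and delete the other. In that first hunk the parentheses wrapped around the f-string argument, `"http://example.com", (f"/auth_saml/metadata?{expected_qs}")`, are redundant and can be dropped. The enclosing `test_disallow_user_password_when_changing_settings` starts outside the last hunk; the newly added test methods themselves appear complete.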