misc: avoid passive SSO for api/backoffice/login URLs (#73670) #73
|
|
@ -705,3 +705,40 @@ def test_expired_opened_session_cookie_menu_json(pub):
|
|||
# access to a restricted page with no session on the idp or passive sso already tried
|
||||
app.set_cookie('IDP_OPENED_SESSION', '3')
|
||||
app.get('/backoffice/menu.json', status=302)
|
||||
|
||||
|
||||
def test_opened_session_backoffice_url(pub):
|
||||
app = get_app(pub)
|
||||
app.get('/') # init pub, set app_dir, etc.
|
||||
|
||||
pub.site_options.set('options', 'idp_session_cookie_name', 'IDP_OPENED_SESSION')
|
||||
with open(os.path.join(pub.app_dir, 'site-options.cfg'), 'w') as fd:
|
||||
pub.site_options.write(fd)
|
||||
|
||||
app.set_cookie('IDP_OPENED_SESSION', '1')
|
||||
|
||||
# do not go through passive SSO
|
||||
resp = app.get('/backoffice/studio/')
|
||||
assert not urllib.parse.parse_qs(urllib.parse.urlparse(resp.location).query).get('IsPassive')
|
||||
|
||||
# simulate a saml login
|
||||
user = pub.user_class()
|
||||
user.is_admin = True
|
||||
user.store()
|
||||
request = mock.Mock()
|
||||
request.get_environ.return_value = '1.1.1.1'
|
||||
with mock.patch('quixote.session.get_request', return_value=request), mock.patch(
|
||||
'wcs.qommon.saml2', return_value=mock.Mock(cookies={'IDP_OPENED_SESSION': '2'})
|
||||
):
|
||||
session = get_session_manager().session_class(id=None)
|
||||
session.set_user(user.id)
|
||||
session.opened_session_value = '1'
|
||||
session.id = 'abcd'
|
||||
session.store()
|
||||
app.set_cookie(pub.config.session_cookie_name, session.id)
|
||||
|
||||
# if IDP_OPENED_SESSION is modified, then passive authentication is tried
|
||||
app.set_cookie('IDP_OPENED_SESSION', '2')
|
||||
resp = app.get('/backoffice/studio/')
|
||||
assert resp.status_int == 302
|
||||
assert urllib.parse.parse_qs(urllib.parse.urlparse(resp.location).query).get('IsPassive')
|
||||
|
|
|
|||
|
|
@ -286,7 +286,7 @@ class RootDirectory(Directory):
|
|||
self.forced_language = False
|
||||
self.feed_substitution_parts()
|
||||
|
||||
output = self.try_passive_sso()
|
||||
output = self.try_passive_sso(path)
|
||||
if output:
|
||||
return output
|
||||
|
||||
|
|
@ -309,7 +309,7 @@ class RootDirectory(Directory):
|
|||
|
||||
return root.RootDirectory()._q_traverse(path)
|
||||
|
||||
def try_passive_sso(self):
|
||||
def try_passive_sso(self, path):
|
||||
publisher = get_publisher()
|
||||
idp_session_cookie_name = publisher.get_site_option('idp_session_cookie_name')
|
||||
passive_tried_cookie_name = '%s-passive-auth-tried' % publisher.config.session_cookie_name
|
||||
|
|
@ -343,6 +343,9 @@ class RootDirectory(Directory):
|
|||
else:
|
||||
# already logged, stop here.
|
||||
return
|
||||
elif path and path[0] in ('api', 'backoffice', 'login'):
|
||||
# do not start passive SSO for API or backoffice or login URLs
|
||||
return
|
||||
if idp_session_cookie_name not in cookies or cookies.get(idp_session_cookie_name) == cookies.get(
|
||||
passive_tried_cookie_name
|
||||
):
|
||||
|
|
|
|||
Loading…
Reference in New Issue