def test_auto_trust_for_domains_created_by_user(self): """ If a user is the creating_user of a domain, then their request should not be blocked. A TrustedIdentityProvider relationship should automatically be created between the domain and the user's Identity Provider. Additionally, a success message should then be added through django messages informing the user that the domain now trusts the Identity Provider. """ # check that no trust exists yet self.assertFalse( TrustedIdentityProvider.objects.filter( domain=self.domain_created_by_user.name, identity_provider=self.idp, ).exists() ) # check that the request is not blocked for a domain created by a user self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.domain_created_by_user ) ) # check that a trust now exists trust = TrustedIdentityProvider.objects.get( domain=self.domain_created_by_user.name, identity_provider=self.idp, ) self.assertTrue(trust.acknowledged_by, self.user.username) # and that the request is still not blocked self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.domain_created_by_user ) ) # check that the catch comes from does_domain_trust_this_idp self.assertTrue(self.idp.does_domain_trust_this_idp( self.domain_created_by_user.name )) # also check that a message was added to the request messages = list(get_messages(self.request)) self.assertEqual( str(messages[0]), get_success_message_for_trusted_idp( self.idp, self.domain_created_by_user ) )
def test_returns_false_if_request_is_not_using_sso(self): """ A request not using SSO should never be blocked by SSO requirements. """ request = RequestFactory().get('/sso/test') self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( request, self.domain)) request.session = {} self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( request, self.domain))
def test_returns_true_if_external_domain_does_not_trust_idp(self): """ If a domain not belonging to the Identity Provider owner does not trust the Identity Provider, and the user is logged in with sso under that Identity Provider, their request should be blocked. """ self.assertTrue( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.external_domain))
def test_returns_false_if_domain_belongs_to_idp_account_owner(self): """ If a domain has an active subscription owned by the account that owns the Identity Provider the user has signed in with, the request should not be blocked. """ self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.domain))
def _inner(req, domain, *args, **kwargs): user = req.user domain_name, domain_obj = load_domain(req, domain) def call_view(): return view_func(req, domain_name, *args, **kwargs) if not domain_obj: msg = _('The domain "{domain}" was not found.').format(domain=domain_name) raise Http404(msg) if not (user.is_authenticated and user.is_active): if _is_public_custom_report(req.path, domain_name): return call_view() else: login_url = reverse('domain_login', kwargs={'domain': domain_name}) return redirect_for_login_or_domain(req, login_url=login_url) couch_user = _ensure_request_couch_user(req) if not domain_obj.is_active: return _inactive_domain_response(req, domain_name) if domain_obj.is_snapshot: if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer(): raise Http404() return call_view() if couch_user.is_member_of(domain_obj, allow_mirroring=True): if _is_missing_two_factor(view_func, req): return TemplateResponse(request=req, template='two_factor/core/otp_required.html', status=403) elif not _can_access_project_page(req): return _redirect_to_project_access_upgrade(req) elif (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet and is_request_blocked_from_viewing_domain_due_to_sso(req, domain_obj)): # Important! Make sure this is always the final check prior # to returning call_view() below return render_untrusted_identity_provider_for_domain_view(req, domain_obj) else: return call_view() elif user.is_superuser: if domain_obj.restrict_superusers and not _page_is_whitelisted(req.path, domain_obj.name): from corehq.apps.hqwebapp.views import no_permissions msg = "This project space restricts superuser access. You must request an invite to access it." return no_permissions(req, message=msg) if not _can_access_project_page(req): return _redirect_to_project_access_upgrade(req) if (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet and is_request_using_sso(req)): # We will not support SSO for superusers at this time return HttpResponseForbidden( "SSO support is not currently available for superusers." ) return call_view() elif couch_user.is_web_user() and domain_obj.allow_domain_requests: from corehq.apps.users.views.web import DomainRequestView return DomainRequestView.as_view()(req, *args, **kwargs) else: raise Http404
def test_returns_false_if_domain_trusts_identity_provider(self): """ If a domain trusts the Identity Provider that the requesting user is signed in with, the request should not be blocked. """ TrustedIdentityProvider.objects.create( domain=self.external_domain.name, identity_provider=self.idp, acknowledged_by='*****@*****.**') self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.external_domain))
def test_raises_error_if_request_uses_sso_but_user_does_not_have_idp(self): """ This should never be a state that we get into, and if we do there is something seriously wrong that we need to look into ASAP. `is_request_blocked_from_viewing_domain_due_to_sso` should raise a `SingleSignOnError` if the request meets sso requirements, but the signed in user does not map to an Identity Provider. """ self.request.user = self.user_without_idp with self.assertRaises(SingleSignOnError): self.assertFalse( is_request_blocked_from_viewing_domain_due_to_sso( self.request, self.domain))