def test_auto_trust_for_domains_created_by_user(self):
"""
If a user is the creating_user of a domain, then their request should
not be blocked. A TrustedIdentityProvider relationship should
automatically be created between the domain and the user's
Identity Provider. Additionally, a success message should then
be added through django messages informing the user that the
domain now trusts the Identity Provider.
"""
# check that no trust exists yet
self.assertFalse(
TrustedIdentityProvider.objects.filter(
domain=self.domain_created_by_user.name,
identity_provider=self.idp,
).exists()
)
# check that the request is not blocked for a domain created by a user
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request,
self.domain_created_by_user
)
)
# check that a trust now exists
trust = TrustedIdentityProvider.objects.get(
domain=self.domain_created_by_user.name,
identity_provider=self.idp,
)
self.assertTrue(trust.acknowledged_by, self.user.username)
# and that the request is still not blocked
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request,
self.domain_created_by_user
)
)
# check that the catch comes from does_domain_trust_this_idp
self.assertTrue(self.idp.does_domain_trust_this_idp(
self.domain_created_by_user.name
))
# also check that a message was added to the request
messages = list(get_messages(self.request))
self.assertEqual(
str(messages[0]),
get_success_message_for_trusted_idp(
self.idp,
self.domain_created_by_user
)
)
def test_returns_false_if_request_is_not_using_sso(self):
"""
A request not using SSO should never be blocked by SSO requirements.
"""
request = RequestFactory().get('/sso/test')
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
request, self.domain))
request.session = {}
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
request, self.domain))
def test_returns_true_if_external_domain_does_not_trust_idp(self):
"""
If a domain not belonging to the Identity Provider owner does not
trust the Identity Provider, and the user is logged in with sso
under that Identity Provider, their request should be blocked.
"""
self.assertTrue(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request, self.external_domain))
def test_returns_false_if_domain_belongs_to_idp_account_owner(self):
"""
If a domain has an active subscription owned by the account that
owns the Identity Provider the user has signed in with, the request
should not be blocked.
"""
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request, self.domain))
def _inner(req, domain, *args, **kwargs):
user = req.user
domain_name, domain_obj = load_domain(req, domain)
def call_view(): return view_func(req, domain_name, *args, **kwargs)
if not domain_obj:
msg = _('The domain "{domain}" was not found.').format(domain=domain_name)
raise Http404(msg)
if not (user.is_authenticated and user.is_active):
if _is_public_custom_report(req.path, domain_name):
return call_view()
else:
login_url = reverse('domain_login', kwargs={'domain': domain_name})
return redirect_for_login_or_domain(req, login_url=login_url)
couch_user = _ensure_request_couch_user(req)
if not domain_obj.is_active:
return _inactive_domain_response(req, domain_name)
if domain_obj.is_snapshot:
if not hasattr(req, 'couch_user') or not req.couch_user.is_previewer():
raise Http404()
return call_view()
if couch_user.is_member_of(domain_obj, allow_mirroring=True):
if _is_missing_two_factor(view_func, req):
return TemplateResponse(request=req, template='two_factor/core/otp_required.html', status=403)
elif not _can_access_project_page(req):
return _redirect_to_project_access_upgrade(req)
elif (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet
and is_request_blocked_from_viewing_domain_due_to_sso(req, domain_obj)):
# Important! Make sure this is always the final check prior
# to returning call_view() below
return render_untrusted_identity_provider_for_domain_view(req, domain_obj)
else:
return call_view()
elif user.is_superuser:
if domain_obj.restrict_superusers and not _page_is_whitelisted(req.path, domain_obj.name):
from corehq.apps.hqwebapp.views import no_permissions
msg = "This project space restricts superuser access. You must request an invite to access it."
return no_permissions(req, message=msg)
if not _can_access_project_page(req):
return _redirect_to_project_access_upgrade(req)
if (ENTERPRISE_SSO.enabled_for_request(req) # safety check. next line was not formally QA'd yet
and is_request_using_sso(req)):
# We will not support SSO for superusers at this time
return HttpResponseForbidden(
"SSO support is not currently available for superusers."
)
return call_view()
elif couch_user.is_web_user() and domain_obj.allow_domain_requests:
from corehq.apps.users.views.web import DomainRequestView
return DomainRequestView.as_view()(req, *args, **kwargs)
else:
raise Http404
def test_returns_false_if_domain_trusts_identity_provider(self):
"""
If a domain trusts the Identity Provider that the requesting user is
signed in with, the request should not be blocked.
"""
TrustedIdentityProvider.objects.create(
domain=self.external_domain.name,
identity_provider=self.idp,
acknowledged_by='*****@*****.**')
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request, self.external_domain))
def test_raises_error_if_request_uses_sso_but_user_does_not_have_idp(self):
"""
This should never be a state that we get into, and if we do there
is something seriously wrong that we need to look into ASAP.
`is_request_blocked_from_viewing_domain_due_to_sso` should raise
a `SingleSignOnError` if the request meets sso requirements, but the
signed in user does not map to an Identity Provider.
"""
self.request.user = self.user_without_idp
with self.assertRaises(SingleSignOnError):
self.assertFalse(
is_request_blocked_from_viewing_domain_due_to_sso(
self.request, self.domain))
