def associate_by_email_if_oauth(auth_entry, backend, details, user, strategy, *args, **kwargs):
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
This association is done ONLY if the user entered the pipeline belongs to Oauth provider and
`ENABLE_REQUIRE_THIRD_PARTY_AUTH` is enabled.
"""
if is_require_third_party_auth_enabled() and is_oauth_provider(backend.name, **kwargs):
association_response, user_is_active = get_associated_user_by_email_response(
backend, details, user, *args, **kwargs)
if user_is_active:
return association_response
def associate_by_email_if_login_api(auth_entry, backend, details, user, current_partial=None, *args, **kwargs): # lint-amnesty, pylint: disable=keyword-arg-before-vararg
"""
This pipeline step associates the current social auth with the user with the
same email address in the database. It defers to the social library's associate_by_email
implementation, which verifies that only a single database user is associated with the email.
This association is done ONLY if the user entered the pipeline through a LOGIN API.
"""
if auth_entry == AUTH_ENTRY_LOGIN_API:
# Temporary custom attribute to help ensure there is no usage.
set_custom_attribute('deprecated_auth_entry_login_api', True)
association_response, user_is_active = get_associated_user_by_email_response(
backend, details, user, *args, **kwargs)
if user_is_active:
return association_response
def associate_by_email_if_enterprise_user():
"""
If the learner arriving via SAML is already linked to the enterprise customer linked to the same IdP,
they should not be prompted for their edX password.
"""
try:
enterprise_customer_user = is_enterprise_customer_user(
current_provider.provider_id, current_user)
logger.info(
'[Multiple_SSO_SAML_Accounts_Association_to_User] Enterprise user verification:'
'User Email: {email}, User ID: {user_id}, Provider ID: {provider_id},'
' is_enterprise_customer_user: {enterprise_customer_user}'.
format(
email=current_user.email,
user_id=current_user.id,
provider_id=current_provider.provider_id,
enterprise_customer_user=enterprise_customer_user,
))
if enterprise_customer_user:
# this is python social auth pipeline default method to automatically associate social accounts
# if the email already matches a user account.
association_response, user_is_active = get_associated_user_by_email_response(
backend, details, user, *args, **kwargs)
if not user_is_active:
logger.info(
'[Multiple_SSO_SAML_Accounts_Association_to_User] User association account is not'
' active: User Email: {email}, User ID: {user_id}, Provider ID: {provider_id},'
' is_enterprise_customer_user: {enterprise_customer_user}'
.format(
email=current_user.email,
user_id=current_user.id,
provider_id=current_provider.provider_id,
enterprise_customer_user=enterprise_customer_user))
return None
return association_response
except Exception as ex: # pylint: disable=broad-except
logger.exception(
'[Multiple_SSO_SAML_Accounts_Association_to_User] Error in'
' saml multiple accounts association: User ID: %s, User Email: %s:,'
'Provider ID: %s, Exception: %s', current_user.id,
current_user.email, current_provider.provider_id, ex)
def test_get_associated_user_by_email_response(self, user, user_is_active):
"""
Tests if an association response is returned for a user
"""
with mock.patch(
'common.djangoapps.third_party_auth.utils.associate_by_email',
side_effect=lambda _b, _d, u, *_a, **_k: {'user': u} if u else None,
):
mock_user = MagicMock(return_value=user)
mock_user.is_active = user_is_active
association_response, user_is_active_resonse = get_associated_user_by_email_response(
backend=None, details=None, user=mock_user)
if association_response:
self.assertEqual(association_response['user'](), user)
self.assertEqual(user_is_active_resonse, user_is_active)
else:
self.assertIsNone(association_response)
self.assertFalse(user_is_active_resonse)
