Skip to content

Issues/523 saml auth create email address objects #544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nemesifier merged 4 commits into from
Nov 21, 2024
Merged

Issues/523 saml auth create email address objects #544

nemesifier merged 4 commits into from
Nov 21, 2024

Conversation

@kaushikaryan04
Copy link
Contributor

@kaushikaryan04 kaushikaryan04 commented Jul 27, 2024

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #523 .

Description of Changes

  • Check if the NameID is an email and use it as the user's email.
  • If NameID is not an email, check for the 'email' attribute in the SAML response.
  • Create an EmailAddress object using the retrieved email.

Screenshot

@coveralls
Copy link

coveralls commented Aug 6, 2024
edited
Loading

Coverage Status

coverage: 98.648% (+0.003%) from 98.645%
when pulling 05f17e9 on kaushikaryan04:issues/523-SAML-auth-create-email-address-objects
into dc8580f on openwisp:master.

nemesifier
nemesifier requested changes Aug 6, 2024
View reviewed changes
Copy link
Member

@nemesifier nemesifier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for your patience @kaushikaryan04.
I've been super busy publishing the new unified documentation website of OpenWISP, now I am back reviewing PRs.

This looks almost ready to merge, but there's a bit of validation we have to do before saving data got from external sources to the DB.

Please see my comments below.

openwisp_radius/saml/views.py Outdated
email = session_info['ava'].get('email', [None])[0]
if email:
user.email = email
user.save()
Copy link
Member

@nemesifier nemesifier Aug 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saving this information without validating it is dangerous.

Here we need to run full_clean() and catch any possible exception in case the email we get from the identity provider is invalid for some reason. If the email is invalid wont save/create, log a warning and skip, eg:

try:
    user.full_clean()
except ValidationError:
    logger.exception(f'Failed email validation for {user} during SAML user creation')
else:
    user.save()
    email_address = EmailAddress.objects.create(
       user=user, email=email, verified=True, primary=True
    )

Please add a new test for this error case, you can use mock or any other way to pass an invalid email and catch the validation error, there's similar tests in this and other modules you can base your test on, look for ValidationError in the test suites of the codebase.

Copy link
Contributor Author

@kaushikaryan04 kaushikaryan04 Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem.The new unified documentation looks great. I will make the suggested changes.

openwisp_radius/saml/views.py Outdated
email_address = EmailAddress.objects.create(
user=user, email=email, verified=True, primary=True
)
email_address.save()
Copy link
Member

@nemesifier nemesifier Aug 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove (it's redundant, create() already peforms the save operation):

Suggested change
email_address.save()

pandafy
pandafy requested changes Nov 21, 2024
View reviewed changes
openwisp_radius/saml/views.py Outdated
try:
user.registered_user
except ObjectDoesNotExist:
email = None
Copy link
Member

@pandafy pandafy Nov 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of retrieving the email address from the SAML request, can we use the user.email field to get the email address? The field should get automatically populated by djangosaml2 using attribute mapping. Then, we can create the EmailAddress object with that value.

@pandafy pandafy force-pushed the issues/523-SAML-auth-create-email-address-objects branch 4 times, most recently from 78031d2 to b1b6fb6 Compare November 21, 2024 16:56
kaushikaryan04 and others added 3 commits November 22, 2024 00:34
@kaushikaryan04 @pandafy
[change] Saml-Authentication-creates-EmailAddress-Objects openwisp#523
e0946e0 
- Check if the NameID is an email and use it as the user's email.
- If NameID is not an email, check for the 'email' attribute in the SAML response.
- Create an EmailAddress object using the retrieved email.

Fixes openwisp#523
@kaushikaryan04 @pandafy
[change] Implemented-suggested-changes openwisp#523
5a98a78 
-Added Validation for email
-If validation is failed we try to get email from attributes
-Added tests to see if Exception is raised when invalid mail is provided

Fixes openwisp#523
@pandafy
[fix] Simplified implementation
4054392
@pandafy pandafy force-pushed the issues/523-SAML-auth-create-email-address-objects branch from b1b6fb6 to 4054392 Compare November 21, 2024 19:07
@pandafy pandafy added this to the 1.1.0 release milestone Nov 21, 2024
nemesifier
nemesifier previously approved these changes Nov 21, 2024
View reviewed changes
@nemesifier
Copy link
Member

nemesifier commented Nov 21, 2024

Follow up:

@nemesifier nemesifier merged commit 87a93aa into openwisp:master Nov 21, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pandafy pandafy pandafy requested changes

@nemesifier nemesifier nemesifier approved these changes

Assignees

No one assigned

Labels

None yet

Projects

OpenWISP Contributor's Board
Status: Done

Milestone

1.1.0 release

Development

Successfully merging this pull request may close these issues.

[change] SAML should create EmailAddress objects

4 participants

@kaushikaryan04 @coveralls @nemesifier @pandafy