Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issues/523 saml auth create email address objects #544

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Issues/523 saml auth create email address objects #544

wants to merge 5 commits into from

Conversation

kaushikaryan04
Copy link

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #523 .

Description of Changes

  • Check if the NameID is an email and use it as the user's email.
  • If NameID is not an email, check for the 'email' attribute in the SAML response.
  • Create an EmailAddress object using the retrieved email.

Screenshot

kaushikaryan04 and others added 2 commits July 28, 2024 01:19
@kaushikaryan04
[change] Saml-Authentication-creates-EmailAddress-Objects openwisp#523
cf028b2 
- Check if the NameID is an email and use it as the user's email.
- If NameID is not an email, check for the 'email' attribute in the SAML response.
- Create an EmailAddress object using the retrieved email.

Fixes openwisp#523
@kaushikaryan04
Merge branch 'openwisp:master' into issues/523-SAML-auth-create-email…
5935051 
…-address-objects
@coveralls
Copy link

coveralls commented Aug 6, 2024
edited
Loading

Coverage Status

coverage: 98.557% (-0.1%) from 98.655%
when pulling fe7e794 on kaushikaryan04:issues/523-SAML-auth-create-email-address-objects
into 0663ac3 on openwisp:master.

nemesifier
nemesifier requested changes Aug 6, 2024
View reviewed changes
Copy link
Member

@nemesifier nemesifier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you very much for your patience @kaushikaryan04.
I've been super busy publishing the new unified documentation website of OpenWISP, now I am back reviewing PRs.

This looks almost ready to merge, but there's a bit of validation we have to do before saving data got from external sources to the DB.

Please see my comments below.

openwisp_radius/saml/views.py Outdated
email = session_info['ava'].get('email', [None])[0]
if email:
user.email = email
user.save()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saving this information without validating it is dangerous.

Here we need to run full_clean() and catch any possible exception in case the email we get from the identity provider is invalid for some reason. If the email is invalid wont save/create, log a warning and skip, eg:

try:
    user.full_clean()
except ValidationError:
    logger.exception(f'Failed email validation for {user} during SAML user creation')
else:
    user.save()
    email_address = EmailAddress.objects.create(
       user=user, email=email, verified=True, primary=True
    )

Please add a new test for this error case, you can use mock or any other way to pass an invalid email and catch the validation error, there's similar tests in this and other modules you can base your test on, look for ValidationError in the test suites of the codebase.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem.The new unified documentation looks great. I will make the suggested changes.

openwisp_radius/saml/views.py Outdated
email_address = EmailAddress.objects.create(
user=user, email=email, verified=True, primary=True
)
email_address.save()
Copy link
Member

@nemesifier nemesifier Aug 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove (it's redundant, create() already peforms the save operation):

Suggested change
email_address.save()

@kaushikaryan04
[change] Implemented-suggested-changes openwisp#523
124db52 
-Added Validation for email
-If validation is failed we try to get email from attributes
-Added tests to see if Exception is raised when invalid mail is provided

Fixes openwisp#523
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nemesifier nemesifier Awaiting requested review from nemesifier

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
OpenWISP Contributor's Board
Status: In progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[change] SAML should create EmailAddress objects
3 participants
@kaushikaryan04 @coveralls @nemesifier