saml: Change which IdPs are returned to get_external_method_dicts.

If queried without a realm, get_external_method_dicts should only
have IdPs that can be used on all realms.
Mateusz Mandera 2020-04-18 15:47:41 +02:00 committed by Tim Abbott
parent b29ccdf51c
commit 62c0ab3f9d
2 changed files with 9 additions and 4 deletions


@ -2514,14 +2514,16 @@ class ExternalMethodDictsTests(ZulipTestCase):
): ):
# Calling get_external_method_dicts without a realm returns all methods configured on the server: # Calling get_external_method_dicts without a realm returns all methods configured on the server:
external_auth_methods = get_external_method_dicts() external_auth_methods = get_external_method_dicts()
self.assert_length(external_auth_methods, 3) # 2 IdP + a dict for github auth # 1 IdP enabled for all realms + a dict for github auth
self.assertEqual(set([external_auth_methods[0]['name'], external_auth_methods[1]['name']]), self.assert_length(external_auth_methods, 2)
set(['saml:test_idp', 'saml:test_idp2'])) self.assertEqual([external_auth_methods[0]['name'], external_auth_methods[1]['name']],
['saml:test_idp', 'github'])
external_auth_methods = get_external_method_dicts(get_realm("zulip")) external_auth_methods = get_external_method_dicts(get_realm("zulip"))
# Only test_idp enabled for the zulip realm, + github auth. # Only test_idp enabled for the zulip realm, + github auth.
self.assert_length(external_auth_methods, 2) self.assert_length(external_auth_methods, 2)
self.assertEqual(external_auth_methods[0]['name'], 'saml:test_idp') self.assertEqual([external_auth_methods[0]['name'], external_auth_methods[1]['name']],
['saml:test_idp', 'github'])
external_auth_methods = get_external_method_dicts(get_realm("zephyr")) external_auth_methods = get_external_method_dicts(get_realm("zephyr"))
# Both idps enabled for the zephyr realm, + github auth. # Both idps enabled for the zephyr realm, + github auth.
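Review bot: The context comment at the top of this hunk, `# Calling get_external_method_dicts without a realm returns all methods configured on the server:`, no longer matches what the new assertions check, since `saml:test_idp2` is now expected to be absent from the no-realm result. I would reword it to `# Calling get_external_method_dicts without a realm returns only the methods usable on every realm:`. The new `assertEqual` calls also compare ordered lists where the removed code compared sets, so they now pin `github` to the position after the SAML entry. If ordering is not part of the contract, comparing sets of names would be less brittle. The test method starts and ends outside the hunk.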


@ -1558,6 +1558,9 @@ class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
for idp_name, idp_dict in settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.items(): for idp_name, idp_dict in settings.SOCIAL_AUTH_SAML_ENABLED_IDPS.items():
if realm and not cls.validate_idp_for_subdomain(idp_name, realm.subdomain): if realm and not cls.validate_idp_for_subdomain(idp_name, realm.subdomain):
continue continue
if realm is None and 'limit_to_subdomains' in idp_dict:
# If queried without a realm, only return IdPs that can be used on all realms.
continue
saml_dict = dict( saml_dict = dict(
name='saml:{}'.format(idp_name), name='saml:{}'.format(idp_name),
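Review bot: The added guard tests `realm is None` while the guard just above it uses the truthiness test `if realm and not ...`, so the two branches are not written as exact complements. Writing the first as `if realm is not None and not cls.validate_idp_for_subdomain(idp_name, realm.subdomain):` would make them consistent. The new check is on key presence, so an IdP whose `limit_to_subdomains` is present but empty is also hidden from no-realm queries. That is the fail-closed choice, and the comment could say so, e.g. `# Key presence, not value: any IdP with limit_to_subdomains set is hidden without a realm.` This filter only decides which IdPs are listed, so the per-subdomain restriction presumably still has to be enforced where the login itself is processed, which is not visible here. The loop and the enclosing method continue outside the hunk.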