OpenID Connect RP support for customer accounts

2026-05-04 15:04:03 +00:00 · 2022-07-11 12:45:51 +02:00
parent e102a590ab
commit 7f5518dbf6
39 changed files with 1943 additions and 55 deletions
--- a/src/tests/control/test_customer.py
+++ b/src/tests/control/test_customer.py
@@ -31,6 +31,7 @@ from tests.base import extract_form_fields
 from pretix.base.models import (
    Item, Order, OrderPosition, Organizer, Team, User,
 )
+from pretix.base.models.customers import CustomerSSOProvider


@pytest.fixture
@@ -90,6 +91,16 @@ def admin_user(organizer):
    return u


+@pytest.fixture
+def provider(organizer):
+    return CustomerSSOProvider.objects.create(
+        organizer=organizer,
+        method="oidc",
+        name="OIDC OP",
+        configuration={}
+    )
+
+
@pytest.mark.django_db
 def test_list_of_customers(organizer, admin_user, client, customer):
    client.login(email='dummy@dummy.dummy', password='dummy')
@@ -125,6 +136,25 @@ def test_customer_update(organizer, admin_user, customer, client):
    assert customer.is_verified


+@pytest.mark.django_db
+def test_customer_update_email_not_allowed_for_sso_customers(organizer, admin_user, customer, client, provider):
+    customer.provider = provider
+    customer.save()
+    client.login(email='dummy@dummy.dummy', password='dummy')
+    resp = client.get('/control/organizer/dummy/customer/{}/edit'.format(customer.identifier))
+    doc = BeautifulSoup(resp.content, "lxml")
+    d = extract_form_fields(doc)
+    d['name_parts_0'] = 'John Doe'
+    d['email'] = 'customer@example.net'
+    d['external_identifier'] = 'aaaaaaa'
+    resp = client.post('/control/organizer/dummy/customer/{}/edit'.format(customer.identifier), d)
+    assert resp.status_code == 302
+    customer.refresh_from_db()
+    assert customer.name == 'John Doe'
+    assert customer.email == "john@example.org"
+    assert not customer.external_identifier
+
+
@pytest.mark.django_db
 def test_customer_anonymize(organizer, admin_user, customer, client, order):
    customer.is_active = True
--- a/src/tests/control/test_organizer.py
+++ b/src/tests/control/test_organizer.py
@@ -23,6 +23,7 @@ import datetime
 from smtplib import SMTPResponseException

 import pytest
+import responses
 from django.db import transaction
 from django.test.utils import override_settings
 from django_scopes import scopes_disabled
@@ -292,3 +293,41 @@ class OrganizerTest(SoupTest):
        self.orga1.settings.flush()
        assert "smtp_use_custom" not in self.orga1.settings._cache()
        assert "mail_from" not in self.orga1.settings._cache()
+
+    @responses.activate
+    def test_create_sso_provider(self):
+        conf = {
+            "authorization_endpoint": "https://example.com/authorize",
+            "token_endpoint": "https://example.com/token",
+            "userinfo_endpoint": "https://example.com/userinfo",
+            "response_types_supported": ["code"],
+            "response_modes_supported": ["query"],
+            "grant_types_supported": ["authorization_code"],
+            "scopes_supported": ["openid", "email", "profile"],
+            "claims_supported": ["email", "sub"]
+        }
+        responses.add(
+            responses.GET,
+            "https://example.com/provider/.well-known/openid-configuration",
+            json=conf
+        )
+        doc = self.post_doc(
+            '/control/organizer/%s/ssoprovider/add' % self.orga1.slug,
+            {
+                'name_0': 'OIDC',
+                'button_label_0': 'Log in with OIDC',
+                'method': 'oidc',
+                'config_oidc_base_url': 'https://example.com/provider',
+                'config_oidc_client_id': 'aaaa',
+                'config_oidc_client_secret': 'bbbb',
+                'config_oidc_scope': 'openid email',
+                'config_oidc_email_field': 'email',
+                'config_oidc_uid_field': 'sub',
+            },
+            follow=True
+        )
+        assert not doc.select('.has-error, .alert-danger')
+        with scopes_disabled():
+            p = self.orga1.sso_providers.get()
+            assert p.configuration['scope'] == 'openid email'
+            assert p.configuration['provider_config'] == conf
--- a/src/tests/control/test_permissions.py
+++ b/src/tests/control/test_permissions.py
@@ -204,6 +204,10 @@ organizer_urls = [
    'organizer/abc/webhook/add',
    'organizer/abc/webhook/1/edit',
    'organizer/abc/webhook/1/logs',
+    'organizer/abc/ssoproviders',
+    'organizer/abc/ssoprovider/add',
+    'organizer/abc/ssoprovider/1/edit',
+    'organizer/abc/ssoprovider/1/delete',
    'organizer/abc/customers',
    'organizer/abc/customer/add',
    'organizer/abc/customer/1/',
@@ -523,6 +527,10 @@ organizer_permission_urls = [
    ("can_change_organizer_settings", "organizer/dummy/membershiptype/add", 200),
    ("can_change_organizer_settings", "organizer/dummy/membershiptype/1/edit", 404),
    ("can_change_organizer_settings", "organizer/dummy/membershiptype/1/delete", 404),
+    ("can_change_organizer_settings", "organizer/dummy/ssoproviders", 200),
+    ("can_change_organizer_settings", "organizer/dummy/ssoprovider/add", 200),
+    ("can_change_organizer_settings", "organizer/dummy/ssoprovider/1/edit", 404),
+    ("can_change_organizer_settings", "organizer/dummy/ssoprovider/1/delete", 404),
    ("can_manage_customers", "organizer/dummy/customers", 200),
    ("can_manage_customers", "organizer/dummy/customer/ABC/edit", 404),
    ("can_manage_customers", "organizer/dummy/customer/ABC/anonymize", 404),