summary refs log tree commit diff
path: root/tests/handlers/test_oidc.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-9/+6
|
* Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-10/+14
|
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Improve UsernamePickerTestCase (#9112)Richard van der Hoff2021-01-151-118/+2
| | | | | * make the OIDC bits of the test work at a higher level - via the REST api instead of poking the OIDCHandler directly. * Move it to test_login.py, where I think it fits better.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-1/+2
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Split OidcProvider out of OidcHandler (#9107)Richard van der Hoff2021-01-141-45/+48
| | | | | | | The idea here is that we will have an instance of OidcProvider for each configured IdP, with OidcHandler just doing the marshalling of them. For now it's still hardcoded with a single provider.
* Preparatory refactors of OidcHandler (#9067)Richard van der Hoff2021-01-131-24/+37
| | | | | | | | Some light refactoring of OidcHandler, in preparation for bigger things: * remove inheritance from deprecated BaseHandler * add an object to hold the things that go into a session cookie * factor out a separate class for manipulating said cookies
* Remove SynapseRequest.get_user_agent (#9069)Richard van der Hoff2021-01-121-2/+1
| | | | | | | | | | | SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.
* Skip unit tests which require optional dependencies (#9031)Richard van der Hoff2021-01-071-1/+18
| | | If we are lacking an optional dependency, skip the tests that rely on it.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-1/+142
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Make `_make_callback_with_userinfo` asyncRichard van der Hoff2020-12-151-68/+83
| | | | | | ... so that we can test its behaviour when it raises. Also pull it out to the top level so that I can use it from other test classes.
* Remove spurious mocking of complete_sso_loginRichard van der Hoff2020-12-151-2/+0
| | | | The tests that need this all do it already.
* Test `get_extra_attributes` fallbackRichard van der Hoff2020-12-151-11/+21
| | | | | despite the warnings saying "don't implement get_extra_attributes", we had implemented it, so the tests weren't doing what we thought they were.
* Preparatory refactoring of the SamlHandlerTestCase (#8938)Richard van der Hoff2020-12-151-11/+1
| | | | | | | | | | | | | * move simple_async_mock to test_utils ... so that it can be re-used * Remove references to `SamlHandler._map_saml_response_to_user` from tests This method is going away, so we can no longer use it as a test point. Instead, factor out a higher-level method which takes a SAML object, and verify correct behaviour by mocking out `AuthHandler.complete_sso_login`. * changelog
* Preparatory refactoring of the OidcHandlerTestCase (#8911)Richard van der Hoff2020-12-141-141/+145
| | | | | | | | | | | | | | | | | | | | | | | * Remove references to handler._auth_handler (and replace them with hs.get_auth_handler) * Factor out a utility function for building Requests * Remove mocks of `OidcHandler._map_userinfo_to_user` This method is going away, so mocking it out is no longer a valid approach. Instead, we mock out lower-level methods (eg _remote_id_from_userinfo), or simply allow the regular implementation to proceed and update the expectations accordingly. * Remove references to `OidcHandler._map_userinfo_to_user` from tests This method is going away, so we can no longer use it as a test point. Instead we build mock "callback" requests which we pass into `handle_oidc_callback`, and verify correct behaviour by mocking out `AuthHandler.complete_sso_login`.
* Merge tag 'v1.24.0rc2' into developPatrick Cloke2020-12-041-2/+1
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.24.0rc2 (2020-12-04) ============================== Bugfixes -------- - Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](https://github.com/matrix-org/synapse/issues/8878)) Internal Changes ---------------- - Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](https://github.com/matrix-org/synapse/issues/8875))
| * Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-2/+1
| | | | | | | | | | (#8878) This was broken in #8801.
* | Factor out FakeResponse from test_oidcRichard van der Hoff2020-12-021-16/+1
|/
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-0/+8
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Add basic SAML tests for mapping users. (#8800)Patrick Cloke2020-12-021-17/+17
|
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-1/+87
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Improve error checking for OIDC/SAML mapping providers (#8774)Patrick Cloke2020-11-191-20/+69
| | | | | | Checks that the localpart returned by mapping providers for SAML and OIDC are valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-7/+7
| | | De-duplicates code between the SAML and OIDC implementations.
* Fix handling of User-Agent headers with bad utf-8. (#8632)Erik Johnston2020-10-231-6/+18
|
* Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-2/+8
| | | This allows for connecting to certain IdPs, e.g. GitLab.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-55/+105
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+35
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Ensure that the OpenID Connect remote ID is a string. (#8190)Patrick Cloke2020-08-281-2/+39
|
* Allow denying or shadow banning registrations via the spam checker (#8034)Patrick Cloke2020-08-201-3/+15
|
* Support UI Authentication for OpenID Connect accounts (#7457)Patrick Cloke2020-05-151-5/+10
|
* Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-081-0/+565