|
@@ -257,7 +257,7 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
|
|
|
self.assertEquals(channel.code, 200, channel.result)
|
|
|
|
|
|
|
|
|
-class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
+class CASTestCase(unittest.HomeserverTestCase):
|
|
|
|
|
|
servlets = [
|
|
|
login.register_servlets,
|
|
@@ -274,6 +274,9 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
"service_url": "https://matrix.goodserver.com:8448",
|
|
|
}
|
|
|
|
|
|
+ cas_user_id = "username"
|
|
|
+ self.user_id = "@%s:test" % cas_user_id
|
|
|
+
|
|
|
async def get_raw(uri, args):
|
|
|
"""Return an example response payload from a call to the `/proxyValidate`
|
|
|
endpoint of a CAS server, copied from
|
|
@@ -282,10 +285,11 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
This needs to be returned by an async function (as opposed to set as the
|
|
|
mock's return value) because the corresponding Synapse code awaits on it.
|
|
|
"""
|
|
|
- return """
|
|
|
+ return (
|
|
|
+ """
|
|
|
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
|
|
|
<cas:authenticationSuccess>
|
|
|
- <cas:user>username</cas:user>
|
|
|
+ <cas:user>%s</cas:user>
|
|
|
<cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
|
|
|
<cas:proxies>
|
|
|
<cas:proxy>https://proxy2/pgtUrl</cas:proxy>
|
|
@@ -294,6 +298,8 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
</cas:authenticationSuccess>
|
|
|
</cas:serviceResponse>
|
|
|
"""
|
|
|
+ % cas_user_id
|
|
|
+ )
|
|
|
|
|
|
mocked_http_client = Mock(spec=["get_raw"])
|
|
|
mocked_http_client.get_raw.side_effect = get_raw
|
|
@@ -304,6 +310,9 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
|
|
|
return self.hs
|
|
|
|
|
|
+ def prepare(self, reactor, clock, hs):
|
|
|
+ self.deactivate_account_handler = hs.get_deactivate_account_handler()
|
|
|
+
|
|
|
def test_cas_redirect_confirm(self):
|
|
|
"""Tests that the SSO login flow serves a confirmation page before redirecting a
|
|
|
user to the redirect URL.
|
|
@@ -370,3 +379,30 @@ class CASRedirectConfirmTestCase(unittest.HomeserverTestCase):
|
|
|
self.assertEqual(channel.code, 302)
|
|
|
location_headers = channel.headers.getRawHeaders("Location")
|
|
|
self.assertEqual(location_headers[0][: len(redirect_url)], redirect_url)
|
|
|
+
|
|
|
+ @override_config({"sso": {"client_whitelist": ["https://legit-site.com/"]}})
|
|
|
+ def test_deactivated_user(self):
|
|
|
+ """Logging in as a deactivated account should error."""
|
|
|
+ redirect_url = "https://legit-site.com/"
|
|
|
+
|
|
|
+ # First login (to create the user).
|
|
|
+ self._test_redirect(redirect_url)
|
|
|
+
|
|
|
+ # Deactivate the account.
|
|
|
+ self.get_success(
|
|
|
+ self.deactivate_account_handler.deactivate_account(self.user_id, False)
|
|
|
+ )
|
|
|
+
|
|
|
+ # Request the CAS ticket.
|
|
|
+ cas_ticket_url = (
|
|
|
+ "/_matrix/client/r0/login/cas/ticket?redirectUrl=%s&ticket=ticket"
|
|
|
+ % (urllib.parse.quote(redirect_url))
|
|
|
+ )
|
|
|
+
|
|
|
+ # Get Synapse to call the fake CAS and serve the template.
|
|
|
+ request, channel = self.make_request("GET", cas_ticket_url)
|
|
|
+ self.render(request)
|
|
|
+
|
|
|
+ # Because the user is deactivated they are served an error template.
|
|
|
+ self.assertEqual(channel.code, 403)
|
|
|
+ self.assertIn(b"SSO account deactivated", channel.result["body"])
|