Merge pull request #22472 from edx/hasnain-naveed/ENT-2505

ENT-2505 | By passing the check for forcing the login by third auth when user is…
2019-12-18 11:35:18 -05:00
parent 597c5d5f15 ece5e48f1c
commit aa111fbc66
2 changed files with 81 additions and 30 deletions
--- a/openedx/core/djangoapps/user_authn/views/login.py
+++ b/openedx/core/djangoapps/user_authn/views/login.py
@@ -181,7 +181,7 @@ def _log_and_raise_inactive_user_auth_error(unauthenticated_user):
    raise AuthFailedError(_generate_not_activated_message(unauthenticated_user))


-def _authenticate_first_party(request, unauthenticated_user):
+def _authenticate_first_party(request, unauthenticated_user, third_party_auth_requested):
    """
    Use Django authentication on the given request, using rate limiting if configured
    """
@@ -190,7 +190,11 @@ def _authenticate_first_party(request, unauthenticated_user):
    # to fail and we can take advantage of the ratelimited backend
    username = unauthenticated_user.username if unauthenticated_user else ""

-    _check_user_auth_flow(request.site, unauthenticated_user)
+    # First time when a user login through third_party_auth account then user needs to link
+    # third_party account with the platform account by login through email and password that's
+    # why we need to by-pass this check when user is already authenticated by third_party_auth.
+    if not third_party_auth_requested:
+        _check_user_auth_flow(request.site, unauthenticated_user)

    try:
        password = normalize_password(request.POST['password'])
@@ -403,7 +407,7 @@ def login_user(request):
        possibly_authenticated_user = user

        if not is_user_third_party_authenticated:
-            possibly_authenticated_user = _authenticate_first_party(request, user)
+            possibly_authenticated_user = _authenticate_first_party(request, user, third_party_auth_requested)
            if possibly_authenticated_user and password_policy_compliance.should_enforce_compliance_on_login():
                # Important: This call must be made AFTER the user was successfully authenticated.
                _enforce_password_policy_compliance(request, possibly_authenticated_user)
--- a/openedx/core/djangoapps/user_authn/views/tests/test_login.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_login.py
@@ -555,76 +555,123 @@ class LoginTest(SiteMixin, CacheIsolationTestCase):
            'whitelisted': False,
            'allowed_domain': 'edx.org',
            'user_domain': 'edx.org',
-            'success': True
+            'success': True,
+            'is_third_party_authenticated': False
        },
        {
            'switch_enabled': False,
            'whitelisted': True,
            'allowed_domain': 'edx.org',
            'user_domain': 'edx.org',
-            'success': True
+            'success': True,
+            'is_third_party_authenticated': False
        },
        {
            'switch_enabled': True,
            'whitelisted': False,
            'allowed_domain': 'edx.org',
            'user_domain': 'edx.org',
-            'success': False
+            'success': False,
+            'is_third_party_authenticated': False
        },
        {
            'switch_enabled': True,
            'whitelisted': False,
            'allowed_domain': 'fake.org',
            'user_domain': 'edx.org',
-            'success': True
+            'success': True,
+            'is_third_party_authenticated': False
        },
        {
            'switch_enabled': True,
            'whitelisted': True,
            'allowed_domain': 'edx.org',
            'user_domain': 'edx.org',
-            'success': True
+            'success': True,
+            'is_third_party_authenticated': False
        },
        {
            'switch_enabled': True,
            'whitelisted': False,
            'allowed_domain': 'batman.gotham',
            'user_domain': 'batman.gotham',
-            'success': False
+            'success': False,
+            'is_third_party_authenticated': False
+        },
+        {
+            'switch_enabled': True,
+            'whitelisted': True,
+            'allowed_domain': 'edx.org',
+            'user_domain': 'edx.org',
+            'success': True,
+            'is_third_party_authenticated': True
+        },
+        {
+            'switch_enabled': False,
+            'whitelisted': False,
+            'allowed_domain': 'edx.org',
+            'user_domain': 'fake.org',
+            'success': True,
+            'is_third_party_authenticated': True
        },
    )
    @ddt.unpack
-    def test_login_for_user_auth_flow(self, switch_enabled, whitelisted, allowed_domain, user_domain, success):
+    def test_login_for_user_auth_flow(
+        self,
+        switch_enabled,
+        whitelisted,
+        allowed_domain,
+        user_domain,
+        success,
+        is_third_party_authenticated
+    ):
        """
        Verify that `login._check_user_auth_flow` works as expected.
        """
+        provider = 'Google'
        username = 'batman'
        user_email = '{username}@{domain}'.format(username=username, domain=user_domain)
        user = self._create_user(username, user_email)
-
-        provider = 'Google'
-        site = self.set_up_site(allowed_domain, {
+        default_site_configuration_values = {
            'SITE_NAME': allowed_domain,
            'THIRD_PARTY_AUTH_ONLY_DOMAIN': allowed_domain,
-            'THIRD_PARTY_AUTH_ONLY_PROVIDER': provider
-        })
-
-        if whitelisted:
-            AllowedAuthUser.objects.create(site=site, email=user.email)
-        else:
-            AllowedAuthUser.objects.filter(site=site, email=user.email).delete()
+            'THIRD_PARTY_AUTH_ONLY_PROVIDER': provider,
+        }

        with ENABLE_LOGIN_USING_THIRDPARTY_AUTH_ONLY.override(switch_enabled):
-            value = None if success else u'As an {0} user, You must login with your {0} {1} account.'.format(
-                allowed_domain,
-                provider
-            )
-            response, __ = self._login_response(user.email, self.password)
-            self._assert_response(
-                response,
-                success=success,
-                value=value,
-            )
+            if not is_third_party_authenticated:
+                site = self.set_up_site(allowed_domain, default_site_configuration_values)
+
+                if whitelisted:
+                    AllowedAuthUser.objects.create(site=site, email=user.email)
+                else:
+                    AllowedAuthUser.objects.filter(site=site, email=user.email).delete()
+
+                value = None if success else u'As an {0} user, You must login with your {0} {1} account.'.format(
+                    allowed_domain,
+                    provider
+                )
+                response, __ = self._login_response(user.email, self.password)
+                self._assert_response(
+                    response,
+                    success=success,
+                    value=value,
+                )
+            else:
+                default_site_configuration_values.update({'ENABLE_THIRD_PARTY_AUTH': True})
+                self.set_up_site(allowed_domain, default_site_configuration_values)
+                with patch('openedx.core.djangoapps.user_authn.views.login.pipeline'):
+                    with patch(
+                        'openedx.core.djangoapps.user_authn.views.login._check_user_auth_flow'
+                    ) as mock_check_user_auth_flow:
+                        # user is already authenticated by third_party_auth then
+                        # we should by-pass _check_user_auth_flow function
+                        response, __ = self._login_response(user.email, self.password)
+                        self._assert_response(
+                            response,
+                            success=success
+                        )
+                        self.assertFalse(mock_check_user_auth_flow.called)


@ddt.ddt