provision username from proxy_authz

SURFscz · May 10, 2023 · 93dfc64 · 93dfc64
1 parent ea391af
commit 93dfc64
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/server/api/user_saml.py b/server/api/user_saml.py
@@ -60,7 +60,8 @@ def status_to_string(status):
 
 
 # See https://github.com/SURFscz/SBS/issues/152
-def _perform_sram_login(uid, service, service_entity_id, home_organisation_uid, schac_home_organisation, issuer_id,
+def _perform_sram_login(uid, service, service_entity_id, user_email, home_organisation_uid, schac_home_organisation, \
+    issuer_id,
                         require_2fa=True):
     logger = ctx_logger("user_api")
 
@@ -69,7 +70,7 @@ def _perform_sram_login(uid, service, service_entity_id, home_organisation_uid,
     user = User.query.filter(User.uid == uid).first()
     if not user:
         logger.debug("Creating new user in sram_login")
-        user = User(uid=uid, external_id=str(uuid.uuid4()), created_by="system", updated_by="system")
+        user = User(uid=uid, email=user_email, external_id=str(uuid.uuid4()), created_by="system", updated_by="system")
 
     if home_organisation_uid:
         user.home_organisation_uid = home_organisation_uid
@@ -224,6 +225,7 @@ def proxy_authz():
     uid = json_dict["user_id"]
     service_entity_id = json_dict["service_id"]
     issuer_id = json_dict["issuer_id"]
+    user_email = json_dict.get("user_email", None)
     # These are optional; they are only used to check for logins that should do SSID-SFO
     # If the proxy doesn't send these, we can safely assume the user shouldn't be sent to SSID
     home_organisation_uid = json_dict.get("uid", None)
@@ -236,8 +238,8 @@ def proxy_authz():
     user = User.query.filter(User.uid == uid).first()
 
     if service_entity_id.lower() == current_app.app_config.oidc.sram_service_entity_id.lower():
-        return _perform_sram_login(uid, service, service_entity_id, home_organisation_uid, schac_home_organisation,
-                                   issuer_id)
+        return _perform_sram_login(uid, service, service_entity_id, user_email, home_organisation_uid,
+                                   schac_home_organisation, issuer_id)
 
     def not_authorized_func(service_name, status):
         base_url = current_app.app_config.base_url

diff --git a/server/test/api/test_user_saml.py b/server/test/api/test_user_saml.py
@@ -137,12 +137,14 @@ def test_proxy_authz_mfa_sbs_totp_new_user(self):
                               "service_id": self.app.app_config.oidc.sram_service_entity_id,
                               "issuer_id": "idp",
                               "uid": "sarah",
+                              "user_email": "[email protected]",
                               "homeorganization": "example.com"})
         self.assertEqual(res["status"]["result"], "interrupt")
 
         new_user = User.query.filter(User.uid == "urn:new_user").one()
         self.assertEqual("example.com", new_user.schac_home_organisation)
         self.assertEqual("sarah", new_user.home_organisation_uid)
+        self.assertEqual("[email protected]", new_user.email)
 
     def test_proxy_authz_mfa_sbs_totp_sso(self):
         self.login_user_2fa("urn:sarah")