Store essential SAML attrs by default

Signed-off-by: Rick Elrod <[email protected]>

Author: relrod

ansible_base/authentication/authenticator_plugins/saml.py

@@ -296,6 +296,24 @@ def extra_data(self, user, backend, response, *args, **kwargs):
         if "Group" in attrs:
             response["Group"] = attrs["Group"]
         data = super().extra_data(user, backend, response, *args, **kwargs)
+
+        # Ideally we would always have a DB instance
+        # But if something was mocked in a test or somehow a db_instance just wasn't past in we don't want to error here
+        if self.database_instance is None:
+            return data
+
+        # The fields we want in extra get embedded into the ENABLED_IDPS field so we need to get them out from there
+        idp_data = self.database_instance.configuration.get('ENABLED_IDPS', {}).get(idp_string, {})
+
+        # We are going to auto-include all of the fields like USER_FIRST_NAME, USER_EMAIL, etc.
+        for field, attr_name in SAMLConfiguration.settings_to_enabled_idps_fields.items():
+            if field in ('IDP_URL', 'IDP_X509_CERT', 'IDP_ENTITY_ID'):
+                continue
+
+            field_name = idp_data.get(attr_name, None)
+            if field_name in attrs:
+                data[field_name] = attrs[field_name]
+
         return data
 
     def get_user_groups(self, extra_groups=[]):

test_app/tests/authentication/authenticator_plugins/test_saml.py

@@ -1,3 +1,4 @@
+from types import SimpleNamespace
 from unittest import mock
 
 import pytest
@@ -213,6 +214,91 @@ def __init__(self):
     assert "mygroup" in rDict["Group"]
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "idp_fields,expected_results",
+    [
+        (
+            {
+                'attr_email': 'email',
+                'attr_groups': 'Groups',
+                'attr_username': 'username',
+                'attr_last_name': 'last_name',
+                'attr_first_name': 'first_name',
+                'attr_user_permanent_id': 'name_id',
+            },
+            {
+                'email': ['[email protected]'],
+                'last_name': ['Admin'],
+                'username': ['gateway_admin'],
+                'first_name': ['Gateway'],
+                'name_id': 'gateway_admin',
+            },
+        ),
+        (
+            {
+                'attr_email': 'not_email',
+                'attr_groups': 'Groups',
+                'attr_username': 'username',
+                'attr_last_name': 'last_name',
+                'attr_first_name': 'first_name',
+                'attr_user_permanent_id': 'name_id',
+            },
+            {
+                'last_name': ['Admin'],
+                'username': ['gateway_admin'],
+                'first_name': ['Gateway'],
+                'name_id': 'gateway_admin',
+            },
+        ),
+        (
+            {
+                'attr_username': 'username',
+                'attr_last_name': 'last_name',
+                'attr_first_name': 'first_name',
+                'attr_user_permanent_id': 'name_id',
+            },
+            {
+                'last_name': ['Admin'],
+                'username': ['gateway_admin'],
+                'first_name': ['Gateway'],
+                'name_id': 'gateway_admin',
+            },
+        ),
+    ],
+)
+def test_extra_data_default_attrs(idp_fields, expected_results):
+    from ansible_base.authentication.authenticator_plugins.saml import idp_string
+    from ansible_base.authentication.models import AuthenticatorUser
+
+    ap = AuthenticatorPlugin()
+    database_instance = SimpleNamespace()
+    enabled_idps = {
+        'ENABLED_IDPS': {
+            idp_string: idp_fields,
+        }
+    }
+    database_instance.configuration = enabled_idps
+    ap.database_instance = database_instance
+
+    response = {
+        'idp_name': 'IdP',
+        'attributes': {
+            'email': ['[email protected]'],
+            'last_name': ['Admin'],
+            'is_superuser': ['true'],
+            'username': ['gateway_admin'],
+            'first_name': ['Gateway'],
+            'Role': ['default-roles-gateway realm', 'manage-account', 'uma_authorization', 'view-profile', 'offline_access', 'manage-account-links'],
+            'name_id': 'gateway_admin',
+        },
+    }
+    au = AuthenticatorUser()
+    with mock.patch('social_core.backends.saml.SAMLAuth.extra_data', return_value={}):
+        results = ap.extra_data(None, 'IdP:gateway_admin', response, **{'social': au})
+        assert results == expected_results
+
+
 def test_saml_create_via_api_without_callback_url(admin_api_client, saml_configuration):
     del saml_configuration['CALLBACK_URL']