Add changelog, extra test, bump version, default to None

JonasKs · JonasKs · commit 84c3a41fa148 · 2021-08-27T21:51:23.000+02:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,14 @@
 Changelog
 =========
 
+`1.9.0`_ - 2021-08-27
+---------------------
+
+**Features**
+
+* Add ``GUEST_USERNAME_CLAIM``, a setting that allow you to use a different username claim for guest users. @JonasKs and @Seykotron #166
+
+
 `1.8.1`_ - 2021-08-27
 ---------------------
 
@@ -261,6 +269,7 @@ Changelog
 
 * Initial release
 
+.. _1.9.0: https://github.com/snok/django-auth-adfs/compare/1.8.1...1.9.0
 .. _1.8.1: https://github.com/snok/django-auth-adfs/compare/1.8.0...1.8.1
 .. _1.8.0: https://github.com/snok/django-auth-adfs/compare/1.7.0...1.8.0
 .. _1.7.0: https://github.com/snok/django-auth-adfs/compare/1.6.1...1.7.0
diff --git a/django_auth_adfs/__init__.py b/django_auth_adfs/__init__.py
@@ -4,4 +4,4 @@
 Adding imports here will break setup.py
 """
 
-__version__ = '1.8.1'
+__version__ = '1.9.0'
diff --git a/django_auth_adfs/config.py b/django_auth_adfs/config.py
@@ -70,7 +70,7 @@ def __init__(self):
         self.TENANT_ID = None  # Required
         self.TIMEOUT = 5
         self.USERNAME_CLAIM = "winaccountname"
-        self.GUEST_USERNAME_CLAIM = "email"
+        self.GUEST_USERNAME_CLAIM = None
         self.JWT_LEEWAY = 0
         self.CUSTOM_FAILED_RESPONSE_VIEW = lambda request, error_message, status: render(
             request, 'django_auth_adfs/login_failed.html', {'error_message': error_message}, status=status
diff --git a/docs/settings_ref.rst b/docs/settings_ref.rst
@@ -262,6 +262,25 @@ example
    The group doesn't need to exist in Django for this to work. This will work as long as it's in the groups claim
    in the access token.
 
+GUEST_USERNAME_CLAIM
+--------------------
+* **Default**: ``None``
+* **Type**: ``string``
+
+When these criteria are met:
+
+1. A ``guest_username_claim`` is configured
+2. Token claims do not have the configured ``settings.USERNAME_CLAIM`` in it
+3. The ``settings.BLOCK_GUEST_USERS`` is set to ``False``
+4. The claims ``tid`` does not match ``settings.TENANT_ID``
+
+Then, the ``GUEST_USERNAME_CLAIM`` can be used to populate a username, when the ``USERNAME_CLAIM`` cannot be found in
+the claims.
+
+This can be useful when you want to use ``upn`` as a username claim for your own users,
+but some guest users (such as normal outlook users) don't have that claim.
+
+
 LOGIN_EXEMPT_URLS
 -----------------
 * **Default**: ``None``
@@ -423,13 +442,13 @@ The value of the claim must be a unique value. No 2 users should ever have the s
 .. NOTE::
    You can find the short name for the claims you configure in the ADFS management console underneath
    **ADFS** ➜ **Service** ➜ **Claim Descriptions**
-   
-   
+
+
 .. _version_setting:
 
 VERSION
 --------------
-* **Default**: ``v1.0`` 
+* **Default**: ``v1.0``
 * **Type**: ``string``
 
 Version of the Azure Active Directory endpoint version. By default it is set to ``v1.0``. At the time of writing this documentation, it can also be set to ``v2.0``. For new projects, ``v2.0`` is recommended. ``v1.0`` is kept as a default for backwards compatibility.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = 'django-auth-adfs'
-version = '1.8.1'  # Remember to also change __init__.py version
+version = '1.9.0'  # Remember to also change __init__.py version
 description = 'A Django authentication backend for Microsoft ADFS and AzureAD'
 authors = ['Joris Beckers <joris.beckers@gmail.com>']
 maintainers = ['Jonas Krüger Svensson <jonas-ks@hotmail.com>', 'Sondre Lillebø Gundersen <sondrelg@live.no>']
diff --git a/tests/test_drf_integration.py b/tests/test_drf_integration.py
@@ -115,6 +115,23 @@ def test_access_token_azure_guest_but_no_upn(self):
                         user, token = self.drf_auth_class.authenticate(request)
                         self.assertEqual(user.username, "john.doe@example.com")
 
+    @mock_adfs("azure")
+    def test_access_token_azure_guest_but_no_upn_but_no_guest_username_claim(self):
+        access_token_header = "Bearer {}".format(self.access_token_azure_guest_no_upn)
+        request = RequestFactory().get('/api', HTTP_AUTHORIZATION=access_token_header)
+        from django_auth_adfs.config import django_settings
+        settings = deepcopy(django_settings)
+        del settings.AUTH_ADFS["SERVER"]
+        settings.AUTH_ADFS["TENANT_ID"] = "dummy_tenant_id"
+        settings.AUTH_ADFS["GUEST_USERNAME_CLAIM"] = None  # <--- Set to None, should not be validated as OK
+        settings.AUTH_ADFS["BLOCK_GUEST_USERS"] = False
+        with patch("django_auth_adfs.config.django_settings", settings):
+            with patch('django_auth_adfs.backend.settings', Settings()):
+                with patch("django_auth_adfs.config.settings", Settings()):
+                    with patch("django_auth_adfs.backend.provider_config", ProviderConfig()):
+                        with self.assertRaises(exceptions.AuthenticationFailed):
+                            self.drf_auth_class.authenticate(request)
+
     @mock_adfs("2012")
     def test_access_token_exceptions(self):
         access_token_header = "Bearer non-existing-token"
