only request account_verified if there are valid schemes registered for the endpoint

be4ab878 · Ricardo Kirkner · 8e831f3b · be4ab878 · be4ab878
Commit be4ab878 authored Jun 18, 2013 by Ricardo Kirkner
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 19 deletions

django_openid_auth/tests/test_views.py
+19 -12

django_openid_auth/views.py
+18 -7

No files found.
--- a/django_openid_auth/tests/test_views.py
+++ b/django_openid_auth/tests/test_views.py
@@ -153,7 +153,7 @@ class DummyDjangoRequest(object):
    def build_absolute_uri(self):
        return self.META['SCRIPT_NAME'] + self.request_path
    def _combined_request(self):
        request = {}
        request.update(self.POST)
@@ -430,7 +430,7 @@ class RelyingPartyTests(TestCase):
        settings.OPENID_PHYSICAL_MULTIFACTOR_REQUIRED = True
        preferred_auth = pape.AUTH_MULTI_FACTOR_PHYSICAL
        self.provider.type_uris.append(pape.ns_uri)
        openid_req = {'openid_identifier': 'http://example.com/identity',
               'next': '/getuser/'}
        response = self.client.post('/openid/login/', openid_req)
@@ -480,7 +480,7 @@ class RelyingPartyTests(TestCase):
        query = self.parse_query_string(response.request['QUERY_STRING'])
        self.assertTrue('openid.pape.auth_policies' in query)
-        self.assertEqual(query['openid.pape.auth_policies'], 
+        self.assertEqual(query['openid.pape.auth_policies'],
                quote_plus(preferred_auth))
        response = self.client.get('/getuser/')
@@ -509,7 +509,7 @@ class RelyingPartyTests(TestCase):
        Consumer.complete = mock_complete
        user = User.objects.create_user('testuser', 'test@example.com')
-        useropenid = UserOpenID(    
+        useropenid = UserOpenID(
            user=user,
            claimed_id='http://example.com/identity',
            display_id='http://example.com/identity',
@@ -565,7 +565,7 @@ class RelyingPartyTests(TestCase):
        Consumer.complete = mock_complete
        user = User.objects.create_user('testuser', 'test@example.com')
-        useropenid = UserOpenID(    
+        useropenid = UserOpenID(
            user=user,
            claimed_id='http://example.com/identity',
            display_id='http://example.com/identity',
@@ -965,7 +965,7 @@ class RelyingPartyTests(TestCase):
           self.assertTrue(isinstance(exception, (RequiredAttributeNotReturned, MissingUsernameViolation)))
           return HttpResponse('Test Failure Override', status=200)
        settings.OPENID_RENDER_FAILURE = mock_login_failure_handler
        # Posting in an identity URL begins the authentication request:
        response = self.client.post('/openid/login/',
            {'openid_identifier': 'http://example.com/identity',
@@ -983,7 +983,7 @@ class RelyingPartyTests(TestCase):
                           'email': 'foo@example.com'})
        openid_response.addExtension(sreg_response)
        response = self.complete(openid_response)
        # Status code should be 200, since we over-rode the login_failure handler
        self.assertEquals(200, response.status_code)
        self.assertContains(response, 'Test Failure Override')
@@ -1062,7 +1062,7 @@ class RelyingPartyTests(TestCase):
                           'email': 'foo@example.com'})
        openid_response.addExtension(sreg_response)
        response = self.complete(openid_response)
        # Status code should be 200, since we over-rode the login_failure handler
        self.assertEquals(200, response.status_code)
        self.assertContains(response, 'Test Failure Override')
@@ -1164,7 +1164,8 @@ class RelyingPartyTests(TestCase):
        self.assertEqual(['email', 'language'], sreg_request.required)
        self.assertEqual(['fullname', 'nickname'], sreg_request.optional)
-    def check_login_attribute_exchange(self, validation_type, is_verified):
+    def check_login_attribute_exchange(self, validation_type, is_verified,
+                                       request_account_verified=True):
        settings.OPENID_UPDATE_DETAILS_FROM_SREG = True
        user = User.objects.create_user('testuser', 'someone@example.com')
        useropenid = UserOpenID(
@@ -1208,8 +1209,10 @@ class RelyingPartyTests(TestCase):
        self.assertTrue(fetch_request.has_key(
                'http://schema.openid.net/namePerson/friendly'))
        # Account verification:
-        self.assertTrue(fetch_request.has_key(
+        self.assertEqual(
-                'http://ns.login.ubuntu.com/2013/validation/account'))
+            fetch_request.has_key(
+                'http://ns.login.ubuntu.com/2013/validation/account'),
+            request_account_verified)
        # Build up a response including AX data.
        openid_response = openid_request.answer(True)
@@ -1261,6 +1264,10 @@ class RelyingPartyTests(TestCase):
        }
        self.check_login_attribute_exchange(None, is_verified=False)
+    def test_login_attribute_exchange_without_account_verified(self):
+        self.check_login_attribute_exchange(None, is_verified=False,
+                                            request_account_verified=False)
    def test_login_attribute_exchange_unrecognised_validation(self):
        settings.OPENID_VALID_VERIFICATION_SCHEMES = {
            self.provider.endpoint_url: ('token_via_email',),
@@ -1449,7 +1456,7 @@ class RelyingPartyTests(TestCase):
        self.assertTrue(self.signal_handler_called)
        openid_login_complete.disconnect(login_callback)
 class HelperFunctionsTest(TestCase):
    def test_sanitise_redirect_url(self):
        settings.ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = [

--- a/django_openid_auth/views.py
+++ b/django_openid_auth/views.py
@@ -169,7 +169,6 @@ def login_begin(request, template_name='openid/login.html',
                    redirect_field_name: redirect_to
                    }, context_instance=RequestContext(request))
-    error = None
    consumer = make_consumer(request)
    try:
        openid_request = consumer.begin(openid_url)
@@ -180,7 +179,8 @@ def login_begin(request, template_name='openid/login.html',
    # Request some user details.  If the provider advertises support
    # for attribute exchange, use that.
-    if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri):
+    endpoint = openid_request.endpoint
+    if endpoint.supportsType(ax.AXMessage.ns_uri):
        fetch_request = ax.FetchRequest()
        # We mark all the attributes as required, since Google ignores
        # optional attributes.  We request both the full name and
@@ -198,10 +198,21 @@ def login_begin(request, template_name='openid/login.html',
                ('http://schema.openid.net/contact/email', 'old_email'),
                ('http://schema.openid.net/namePerson', 'old_fullname'),
                ('http://schema.openid.net/namePerson/friendly',
-                 'old_nickname'),
+                 'old_nickname')]:
-                ('http://ns.login.ubuntu.com/2013/validation/account',
-                 'account_verified')]:
            fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True))
+        # conditionally require account_verified attribute
+        verification_scheme_map = getattr(
+            settings, 'OPENID_VALID_VERIFICATION_SCHEMES', {})
+        valid_schemes = verification_scheme_map.get(
+            endpoint.server_url, verification_scheme_map.get(None, ()))
+        if valid_schemes:
+            # there are valid schemes configured for this endpoint, so
+            # request account_verified status
+            fetch_request.add(ax.AttrInfo(
+                'http://ns.login.ubuntu.com/2013/validation/account',
+                alias='account_verified', required=True))
        openid_request.addExtension(fetch_request)
    else:
        sreg_required_fields = []
@@ -216,7 +227,7 @@ def login_begin(request, template_name='openid/login.html',
        openid_request.addExtension(
            sreg.SRegRequest(optional=sreg_optional_fields,
                required=sreg_required_fields))
    if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False):
        preferred_auth = [
            pape.AUTH_MULTI_FACTOR_PHYSICAL,
@@ -273,7 +284,7 @@ def login_complete(request, redirect_field_name=REDIRECT_FIELD_NAME,
            user = authenticate(openid_response=openid_response)
        except DjangoOpenIDException, e:
            return render_failure(request, e.message, exception=e)
        if user is not None:
            if user.is_active:
                auth_login(request, user)