diff --git a/src/djangooidc/oidc.py b/src/djangooidc/oidc.py
index 80915d740..6c942d6eb 100644
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@@ -85,7 +85,7 @@ class Client(oic.Client):
 def create_authn_request(
 self,
 session,
- do_biometric_auth=False,
+ do_step_up_auth=False,
 extra_args=None,
 ):
 """Step 2: Construct a login URL at OP's domain and send the user to it."""
@@ -103,7 +103,7 @@ class Client(oic.Client):
 "nonce": session["nonce"],
 "redirect_uri": self.registration_response["redirect_uris"][0],
 }
- if do_biometric_auth:
+ if do_step_up_auth:
 self._set_args_for_biometric_auth_request(session, request_args)
 else:
 request_args["acr_values"] = self.behaviour.get("acr_value")
diff --git a/src/djangooidc/tests/test_views.py b/src/djangooidc/tests/test_views.py
index 0ebd0ed0b..d002c71f6 100644
--- a/src/djangooidc/tests/test_views.py
+++ b/src/djangooidc/tests/test_views.py
@@ -184,7 +184,7 @@ class ViewsTest(TestCase):
 # patch that the request does not require step up auth
 # TEST
 # test the login callback url
- with patch("djangooidc.views._requires_biometric_auth", return_value=False):
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False):
 response = self.client.get(reverse("openid_login_callback"))
 # ASSERTIONS
 # assert the redirect url is the same as the 'next' value set in session
@@ -224,7 +224,7 @@ class ViewsTest(TestCase):
 # mock that callback returns user_info; this is the expected behavior
 mock_client.callback.side_effect = self.user_info
 # patch that the request does not require step up auth
- with patch("djangooidc.views._requires_biometric_auth", return_value=False):
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False):
 with patch("djangooidc.views._initialize_client") as mock_init_client:
 with patch("djangooidc.views._client_is_none") as mock_client_is_none:
 # mock the client to initially be None
@@ -252,7 +252,7 @@ class ViewsTest(TestCase):
 # mock that callback returns user_info; this is the expected behavior
 mock_client.callback.side_effect = self.user_info
 # patch that the request does not require step up auth
- with patch("djangooidc.views._requires_biometric_auth", return_value=False), patch(
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False), patch(
 "djangooidc.views._initialize_client"
 ) as mock_init_client:
 with patch("djangooidc.views._client_is_none", return_value=True):
@@ -285,7 +285,7 @@ class ViewsTest(TestCase):
 # mock that callback returns user_info; this is the expected behavior
 mock_client.callback.side_effect = self.user_info
 # patch that the request does not require step up auth
- with patch("djangooidc.views._requires_biometric_auth", return_value=False), patch(
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False), patch(
 "djangooidc.views._initialize_client"
 ) as mock_init_client:
 with patch("djangooidc.views._client_is_none", return_value=True):
@@ -319,7 +319,7 @@ class ViewsTest(TestCase):
 td, _ = TransitionDomain.objects.get_or_create(username="test@example.com", domain_name="test123.gov")
 # patch that the request does not require step up auth
- with patch("djangooidc.views._requires_biometric_auth", return_value=False), patch(
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False), patch(
 "djangooidc.views._initialize_client"
 ) as mock_init_client:
 with patch("djangooidc.views._client_is_none", return_value=True):
@@ -353,7 +353,7 @@ class ViewsTest(TestCase):
 vip, _ = VerifiedByStaff.objects.get_or_create(email="test@example.com")
 # patch that the request does not require step up auth
- with patch("djangooidc.views._requires_biometric_auth", return_value=False), patch(
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False), patch(
 "djangooidc.views._initialize_client"
 ) as mock_init_client:
 with patch("djangooidc.views._client_is_none", return_value=True):
@@ -374,7 +374,7 @@ class ViewsTest(TestCase):
 self.assertEqual(created_user.verification_type, User.VerificationTypeChoices.VERIFIED_BY_STAFF)
 def test_login_callback_no_step_up_auth(self, mock_client):
- """Walk through login_callback when _requires_biometric_auth returns False
+ """Walk through login_callback when _requires_step_up_auth returns False
 and assert that we have a redirect to /"""
 with less_console_noise():
 # SETUP
@@ -386,7 +386,7 @@ class ViewsTest(TestCase):
 # patch that the request does not require step up auth
 # TEST
 # test the login callback url
- with patch("djangooidc.views._requires_biometric_auth", return_value=False):
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False):
 response = self.client.get(reverse("openid_login_callback"))
 # ASSERTIONS
 # assert that redirect is to / when no 'next' is set
@@ -403,7 +403,7 @@ class ViewsTest(TestCase):
 # Ensure that the CLIENT instance used in login_callback is the mock
 # patch _requires_step_up_auth to return True
- with patch("djangooidc.views._requires_biometric_auth", return_value=True), patch(
+ with patch("djangooidc.views._requires_step_up_auth", return_value=True), patch(
 "djangooidc.views.CLIENT.create_authn_request"
 ) as mock_create_authn_request:
 # TEST
@@ -411,7 +411,7 @@ class ViewsTest(TestCase):
 login_callback(request)
 # ASSERTIONS
- # create_authn_request only gets called when _requires_biometric_auth is True.
+ # create_authn_request only gets called when _requires_step_up_auth is True.
 # The acr_value should be blank here
 self.assertEqual(request.session["acr_value"], "")
 self.assertEqual(request.session["needs_biometric_validation"], True)
@@ -419,26 +419,26 @@ class ViewsTest(TestCase):
 # And create_authn_request was called again
 mock_create_authn_request.assert_called_once()
- def test_login_callback_does_not_requires_biometric_auth(self, mock_client):
- """Invoke login_callback passing it a request when _requires_biometric_auth returns False
+ def test_login_callback_does_not_requires_step_up_auth(self, mock_client):
+ """Invoke login_callback passing it a request when _requires_step_up_auth returns False
 and assert that session is not updated and create_authn_request (mock) is not called.
- Possibly redundant with test_login_callback_requires_biometric_auth"""
+ Possibly redundant with test_login_callback_requires_step_up_auth"""
 with less_console_noise():
 # MOCK
 # Create a mock request
 request = self.factory.get("/some-url")
 request.session = {"acr_value": ""}
 # Ensure that the CLIENT instance used in login_callback is the mock
- # patch _requires_biometric_auth to return False
- with patch("djangooidc.views._requires_biometric_auth", return_value=False), patch(
+ # patch _requires_step_up_auth to return False
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False), patch(
 "djangooidc.views.CLIENT.create_authn_request", return_value=MagicMock()
 ) as mock_create_authn_request:
 # TEST
 # test the login callback
 login_callback(request)
 # ASSERTIONS
- # create_authn_request only gets called when _requires_biometric_auth is True
+ # create_authn_request only gets called when _requires_step_up_auth is True
 # and it changes this acr_value in request.session
 # Assert that acr_value is NOT updated by testing that it is still an empty string
 self.assertEqual(request.session["acr_value"], "")
@@ -454,7 +454,7 @@ class ViewsTest(TestCase):
 mock_client.callback.side_effect = self.user_info
 mock_auth.return_value = None
 # TEST
- with patch("djangooidc.views._requires_biometric_auth", return_value=False):
+ with patch("djangooidc.views._requires_step_up_auth", return_value=False):
 response = self.client.get(reverse("openid_login_callback"))
 # ASSERTIONS
 self.assertEqual(response.status_code, 401)
diff --git a/src/djangooidc/views.py b/src/djangooidc/views.py
index deca09565..3eff7b9dc 100644
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
@@ -97,12 +97,12 @@ def login_callback(request):
 # Tests for the presence of the vtm/vtr values in the userinfo object.
 # If they are there, then we can set a flag in our session for tracking purposes.
- needs_biometric_validation = _requires_biometric_auth(userinfo)
+ needs_biometric_validation = _requires_step_up_auth(userinfo)
 request.session["needs_biometric_validation"] = needs_biometric_validation
 # Return a redirect request to a new auth url that does biometric validation
 if needs_biometric_validation:
- return CLIENT.create_authn_request(request.session, do_biometric_auth=True)
+ return CLIENT.create_authn_request(request.session, do_step_up_auth=True)
 user = authenticate(request=request, **userinfo)
 if user:
@@ -145,7 +145,7 @@ def login_callback(request):
 return error_page(request, err)
-def _requires_biometric_auth(userinfo) -> bool:
+def _requires_step_up_auth(userinfo) -> bool:
 """
 Checks for the presence of the key 'vtm' and 'vtr' in the provided `userinfo` object.
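Review bot: The rename is only half carried through on the new side of the views.py hunk at @@ -97: the flag is still computed as `needs_biometric_validation = _requires_step_up_auth(userinfo)`, stored under `request.session["needs_biometric_validation"]`, and the redirect comment still says "does biometric validation", while the oidc.py hunk at @@ -103 branches on `do_step_up_auth` only to call `self._set_args_for_biometric_auth_request(...)`. Two vocabularies for the one decision that triggers a re-authentication make that path harder to audit later; either finish the rename (local `needs_step_up_auth`, `_set_args_for_step_up_auth_request`) or, if the session key must keep its name because other code and the test at @@ -411 read it, add a comment beside the assignment such as `# session key kept as "needs_biometric_validation" for compatibility; it records the step-up decision`. login_callback starts before and continues past this hunk.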