Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Add a test for wrong user returned by SSO
Browse files Browse the repository at this point in the history
  • Loading branch information
richvdh committed Jan 13, 2021
1 parent 4200319 commit 26d1033
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions tests/rest/client/v2_alpha/test_auth.py
Original file line number Diff line number Diff line change
Expand Up @@ -457,3 +457,30 @@ def test_offers_both_flows_for_upgraded_user(self):
self.assertIn({"stages": ["m.login.password"]}, flows)
self.assertIn({"stages": ["m.login.sso"]}, flows)
self.assertEqual(len(flows), 2)

@skip_unless(HAS_OIDC, "requires OIDC")
@override_config({"oidc_config": TEST_OIDC_CONFIG})
def test_ui_auth_fails_for_incorrect_sso_user(self):
"""If the user tries to authenticate with the wrong SSO user, they get an error
"""
# log the user in
login_resp = self.helper.login_via_oidc(UserID.from_string(self.user).localpart)
self.assertEqual(login_resp["user_id"], self.user)

# start a UI Auth flow by attempting to delete a device
channel = self.delete_device(self.user_tok, self.device_id, 401)

flows = channel.json_body["flows"]
self.assertIn({"stages": ["m.login.sso"]}, flows)
session_id = channel.json_body["session"]

# do the OIDC auth, but auth as the wrong user
channel = self.helper.auth_via_oidc("wrong_user", ui_auth_session_id=session_id)

# that should return a failure message
self.assertSubstring("We were unable to validate", channel.text_body)

# ... and the delete op should now fail with a 403
self.delete_device(
self.user_tok, self.device_id, 403, body={"auth": {"session": session_id}}
)

0 comments on commit 26d1033

Please sign in to comment.