From 28260d01a2cb11fc73da885dd9481f7daf58364d Mon Sep 17 00:00:00 2001 From: Paul Schilling Date: Tue, 10 Dec 2024 11:46:13 +0100 Subject: [PATCH 1/2] [#2932] Update eHerkenning OIDC flow: get & store vestigingsnummer - When logging in with eHerkenning via OIDC, get the vestigingsnummer from the OIDC claim (if present) and store in session --- src/eherkenning/backends.py | 2 + src/eherkenning/mock/backends.py | 2 + src/open_inwoner/accounts/backends.py | 41 +++++++++++- .../accounts/tests/test_oidc_views.py | 63 +++++++++++++++++++ src/open_inwoner/kvk/views.py | 1 + 5 files changed, 107 insertions(+), 2 deletions(-) diff --git a/src/eherkenning/backends.py b/src/eherkenning/backends.py index dad3997527..b29a1d2788 100644 --- a/src/eherkenning/backends.py +++ b/src/eherkenning/backends.py @@ -12,6 +12,8 @@ class eHerkenningBackend(_eHerkenningBackend): Custom backend to identify users based on the KvK number instead of RSIN """ + # TODO: get vestigingsnummer from saml_response + def get_or_create_user(self, request, saml_response, saml_attributes): kvk = self.get_kvk_number(saml_attributes) if kvk == "": diff --git a/src/eherkenning/mock/backends.py b/src/eherkenning/mock/backends.py index ad7a3b3866..c076ecfe86 100644 --- a/src/eherkenning/mock/backends.py +++ b/src/eherkenning/mock/backends.py @@ -22,6 +22,8 @@ class eHerkenningBackend(BaseBackend): } ) + # TODO: update mock to test retrieval/storage of vestigingsnummer + def get_or_create_user(self, request, kvk): created = False try: diff --git a/src/open_inwoner/accounts/backends.py b/src/open_inwoner/accounts/backends.py index c1bb8e2fc6..8023470e33 100644 --- a/src/open_inwoner/accounts/backends.py +++ b/src/open_inwoner/accounts/backends.py @@ -5,16 +5,21 @@ from django.contrib.auth import get_user_model from django.contrib.auth.backends import ModelBackend from django.contrib.auth.hashers import check_password +from django.contrib.auth.models import AbstractUser +from django.core.exceptions import SuspiciousOperation from django.urls import reverse, reverse_lazy from axes.backends import AxesBackend from digid_eherkenning.oidc.backends import BaseBackend from mozilla_django_oidc_db.backends import OIDCAuthenticationBackend from mozilla_django_oidc_db.config import dynamic_setting +from mozilla_django_oidc_db.typing import JSONObject from oath import accept_totp from open_inwoner.configurations.models import SiteConfiguration +from open_inwoner.kvk.branches import KVK_BRANCH_SESSION_VARIABLE from open_inwoner.utils.hash import generate_email_from_string +from open_inwoner.utils.views import LogMixin from .choices import LoginTypeChoices from .models import OpenIDDigiDConfig, OpenIDEHerkenningConfig @@ -147,7 +152,7 @@ def filter_users_by_claims(self, claims): return self.UserModel.objects.filter(**{"oidc_id__iexact": unique_id}) -class DigiDEHerkenningOIDCBackend(BaseBackend): +class DigiDEHerkenningOIDCBackend(LogMixin, BaseBackend): OIP_UNIQUE_ID_USER_FIELDNAME = dynamic_setting[Literal["bsn", "kvk"]]() OIP_LOGIN_TYPE = dynamic_setting[LoginTypeChoices]() @@ -158,6 +163,26 @@ def _check_candidate_backend(self) -> bool: OpenIDEHerkenningConfig, ) + def _store_vestigingsnummer_in_session(self, claims: JSONObject): + """Get company vestigingsnummer from OIDC claims & store in session""" + + eherkenning_config = self.config_class.get_solo() + + branch_number_claim = eherkenning_config.branch_number_claim[0] + if not (vestigingsnummer := claims.get(branch_number_claim)): + return + + self.request.session[KVK_BRANCH_SESSION_VARIABLE] = vestigingsnummer + self.request.session.save() + + identifier_claim = eherkenning_config.identifier_type_claim[0] + kvk_or_rsin = claims.get(identifier_claim) + + self.log_system_action( + f"Vestigingsnummer {vestigingsnummer} retrieved from IdP for " + f"eHerkenning user (KVK/RSIN: {kvk_or_rsin})" + ) + def filter_users_by_claims(self, claims): """Return all users matching the specified subject.""" unique_id = self._extract_username(claims) @@ -169,7 +194,11 @@ def filter_users_by_claims(self, claims): ) def create_user(self, claims): - """Return object for a newly created user account.""" + """ + Return object for a newly created user account. + + Get vestigingsnummer from OIDC claims & store in session + """ unique_id = self._extract_username(claims) @@ -185,4 +214,12 @@ def create_user(self, claims): } ) + if self.config_class is OpenIDEHerkenningConfig: + self._store_vestigingsnummer_in_session(claims) + return user + + def update_user(self, user: AbstractUser, claims: JSONObject): + if self.config_class is OpenIDEHerkenningConfig: + self._store_vestigingsnummer_in_session(claims) + return super().update_user(user, claims) diff --git a/src/open_inwoner/accounts/tests/test_oidc_views.py b/src/open_inwoner/accounts/tests/test_oidc_views.py index 3453c6a4d9..5ee704b635 100644 --- a/src/open_inwoner/accounts/tests/test_oidc_views.py +++ b/src/open_inwoner/accounts/tests/test_oidc_views.py @@ -1828,3 +1828,66 @@ def test_redirect_after_login_no_registration_and_no_branch_selection( profile_response = self.app.get(profile_response.url) self.assertEqual(profile_response.status_code, 200) + + @patch("open_inwoner.kvk.client.KvKClient.get_all_company_branches") + @patch("open_inwoner.utils.context_processors.SiteConfiguration") + @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_userinfo") + @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.store_tokens") + @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.verify_token") + @patch("mozilla_django_oidc_db.backends.OIDCAuthenticationBackend.get_token") + @patch( + "open_inwoner.accounts.models.OpenIDEHerkenningConfig.get_solo", + return_value=OpenIDEHerkenningConfig( + id=1, + enabled=True, + legal_subject_claim=["kvk"], + oidc_op_authorization_endpoint="http://idp.local/auth", + ), + ) + def test_redirect_after_login_branch_already_selected( + self, + mock_get_solo, + mock_get_token, + mock_verify_token, + mock_store_tokens, + mock_get_userinfo, + mock_siteconfig, + mock_kvk, + ): + """ + KVK branch selection should be skipped if KVK_BRANCH_SESSION_VARIABLE is present in session + """ + user = eHerkenningUserFactory.create(kvk="12345678", rsin="123456789") + mock_get_userinfo.return_value = { + "sub": "some_username", + "kvk": "12345678", + "urn:etoegang:1.9:ServiceRestriction:Vestigingsnr": "123456789000", + } + mock_siteconfig.return_value = SiteConfiguration(id=1, eherkenning_enabled=True) + mock_kvk.return_value = [ + {"kvkNummer": "12345678"}, + {"kvkNummer": "87654321"}, + ] + + self.assertEqual(User.objects.count(), 1) + + redirect_url = reverse("profile:detail") + + callback_response = perform_oidc_login( + self.app, "eherkenning", redirect_url=redirect_url + ) + + user = User.objects.get() + + self.assertEqual(user.pk, int(self.app.session.get("_auth_user_id"))) + self.assertEqual(user.kvk, "12345678") + self.assertEqual( + self.app.session.get(KVK_BRANCH_SESSION_VARIABLE), "123456789000" + ) + + self.assertRedirects( + callback_response, reverse("profile:detail"), fetch_redirect_response=False + ) + + response = self.app.get(callback_response.url) + self.assertEqual(response.status_code, 200) diff --git a/src/open_inwoner/kvk/views.py b/src/open_inwoner/kvk/views.py index 846a3f7589..bf2bc57b15 100644 --- a/src/open_inwoner/kvk/views.py +++ b/src/open_inwoner/kvk/views.py @@ -59,6 +59,7 @@ def get(self, request, *args, **kwargs): return HttpResponse(_("Unauthorized"), status=401) redirect = self.get_redirect() + context = super().get_context_data() form = context["form"] From fcb4c6bc462a9d10b4283bec3d309b26781e3294 Mon Sep 17 00:00:00 2001 From: Paul Schilling Date: Wed, 11 Dec 2024 11:10:15 +0100 Subject: [PATCH 2/2] [#2932] Update eHerkenning SAML flow: get & store vestigingsnummer --- src/eherkenning/backends.py | 12 +++++++++++- src/eherkenning/mock/backends.py | 2 -- src/open_inwoner/accounts/backends.py | 1 - src/open_inwoner/kvk/views.py | 1 - 4 files changed, 11 insertions(+), 5 deletions(-) diff --git a/src/eherkenning/backends.py b/src/eherkenning/backends.py index b29a1d2788..4af05c57be 100644 --- a/src/eherkenning/backends.py +++ b/src/eherkenning/backends.py @@ -4,6 +4,8 @@ from digid_eherkenning.exceptions import eHerkenningError from digid_eherkenning.utils import get_client_ip +from open_inwoner.kvk.branches import KVK_BRANCH_SESSION_VARIABLE + UserModel = get_user_model() @@ -12,7 +14,11 @@ class eHerkenningBackend(_eHerkenningBackend): Custom backend to identify users based on the KvK number instead of RSIN """ - # TODO: get vestigingsnummer from saml_response + def get_company_branch_number(self, attributes): + company_branch_number = attributes.get( + "urn:etoegang:1.9:ServiceRestriction:Vestigingsnr", None + ) + return company_branch_number def get_or_create_user(self, request, saml_response, saml_attributes): kvk = self.get_kvk_number(saml_attributes) @@ -28,6 +34,10 @@ def get_or_create_user(self, request, saml_response, saml_attributes): user = UserModel.eherkenning_objects.eherkenning_create(kvk) created = True + if vestigingsnummer := self.get_company_branch_number(saml_attributes): + self.request.session[KVK_BRANCH_SESSION_VARIABLE] = vestigingsnummer + self.request.session.save() + success_message = self.error_messages["login_success"] % { "user": str(user), "user_info": " (new account)" if created else "", diff --git a/src/eherkenning/mock/backends.py b/src/eherkenning/mock/backends.py index c076ecfe86..ad7a3b3866 100644 --- a/src/eherkenning/mock/backends.py +++ b/src/eherkenning/mock/backends.py @@ -22,8 +22,6 @@ class eHerkenningBackend(BaseBackend): } ) - # TODO: update mock to test retrieval/storage of vestigingsnummer - def get_or_create_user(self, request, kvk): created = False try: diff --git a/src/open_inwoner/accounts/backends.py b/src/open_inwoner/accounts/backends.py index 8023470e33..7fdca450af 100644 --- a/src/open_inwoner/accounts/backends.py +++ b/src/open_inwoner/accounts/backends.py @@ -6,7 +6,6 @@ from django.contrib.auth.backends import ModelBackend from django.contrib.auth.hashers import check_password from django.contrib.auth.models import AbstractUser -from django.core.exceptions import SuspiciousOperation from django.urls import reverse, reverse_lazy from axes.backends import AxesBackend diff --git a/src/open_inwoner/kvk/views.py b/src/open_inwoner/kvk/views.py index bf2bc57b15..846a3f7589 100644 --- a/src/open_inwoner/kvk/views.py +++ b/src/open_inwoner/kvk/views.py @@ -59,7 +59,6 @@ def get(self, request, *args, **kwargs): return HttpResponse(_("Unauthorized"), status=401) redirect = self.get_redirect() - context = super().get_context_data() form = context["form"]