Merge pull request #1108 from maykinmedia/feature/2197-block-eherkenn…

…ing-for-zzp-and-openzaak

🥅 [#2197] Block eHerkenning login for ZZP if RSIN is required

src/eherkenning/tests/test_mock_views.py

@@ -108,8 +108,15 @@ def test_get_returns_valid_response(self):
         self.assertContains(response, reverse("login"))
         self.assertNoEHerkenningURLS(response)
 
-    @patch("open_inwoner.kvk.client.KvKClient.get_all_company_branches")
-    def test_post_redirects_and_authenticates(self, mock_kvk):
+    @patch(
+        "open_inwoner.kvk.signals.KvKClient.retrieve_rsin_with_kvk",
+        return_value="123456789",
+        autospec=True,
+    )
+    @patch("open_inwoner.kvk.client.KvKClient.get_all_company_branches", autospec=True)
+    def test_post_redirects_and_authenticates(
+        self, mock_kvk, mock_retrieve_rsin_with_kvk
+    ):
         mock_kvk.return_value = [
             {"kvkNummer": "29664887", "vestigingsnummer": "1234"},
             {"kvkNummer": "29664887", "vestigingsnummer": "5678"},

src/open_inwoner/accounts/eherkenning_urls.py

@@ -0,0 +1,16 @@
+from django.urls import path
+
+from digid_eherkenning_oidc_generics.eherkenning_urls import urlpatterns
+
+from .views import CustomEHerkenningOIDCAuthenticationCallbackView
+
+app_name = "eherkenning_oidc"
+
+
+urlpatterns = [
+    path(
+        "callback/",
+        CustomEHerkenningOIDCAuthenticationCallbackView.as_view(),
+        name="callback",
+    ),
+] + urlpatterns

src/open_inwoner/accounts/tests/test_auth.py

@@ -20,6 +20,7 @@
 from open_inwoner.haalcentraal.tests.mixins import HaalCentraalMixin
 from open_inwoner.kvk.branches import get_kvk_branch_number
 from open_inwoner.kvk.tests.factories import CertificateFactory
+from open_inwoner.openzaak.models import OpenZaakConfig
 
 from ...cms.collaborate.cms_apps import CollaborateApphook
 from ...cms.tests import cms_tools
@@ -34,6 +35,9 @@
     eHerkenningUserFactory,
 )
 
+RETURN_URL = "/"
+CANCEL_URL = reverse("login")
+
 
 @override_settings(ROOT_URLCONF="open_inwoner.cms.tests.urls")
 class DigiDRegistrationTest(AssertRedirectsMixin, HaalCentraalMixin, WebTest):
@@ -559,6 +563,46 @@ def test_eherkenning_fail_without_invite_redirects_to_login_page(self, m):
 
         self.assertRedirectsLogin(response, with_host=True)
 
+    @patch(
+        "open_inwoner.kvk.signals.KvKClient.retrieve_rsin_with_kvk",
+        return_value="",
+        autospec=True,
+    )
+    @patch(
+        "open_inwoner.accounts.views.auth.OpenZaakConfig.get_solo",
+        return_value=OpenZaakConfig(fetch_eherkenning_zaken_with_rsin=True),
+        autospec=True,
+    )
+    def test_login_as_eenmanszaak_blocked(
+        self, mock_oz_config, mock_retrieve_rsin_with_kvk
+    ):
+        url = reverse("eherkenning-mock:password")
+        params = {
+            "acs": f"http://testserver{reverse('eherkenning:acs')}",
+            "next": RETURN_URL,
+            "cancel": CANCEL_URL,
+        }
+        url = f"{url}?{urlencode(params)}"
+
+        data = {
+            "auth_name": "29664887",
+            "auth_pass": "company@localhost",
+        }
+
+        # post our password to the IDP
+        response = self.client.post(url, data, follow=False)
+
+        # it will redirect to our ACS
+        self.assertEqual(response.status_code, 302)
+        self.assertIn(reverse("eherkenning:acs"), response["Location"])
+
+        # follow the ACS redirect and get/create the user
+        response = self.client.get(response["Location"])
+
+        # User is logged out and redirected to login view
+        self.assertNotIn("_auth_user_id", self.app.session)
+        self.assertRedirectsLogin(response, with_host=True)
+
     @patch("eherkenning.validators.KVKValidator.__call__")
     def test_eherkenning_fail_without_invite_and_next_url_redirects_to_login_page(
         self, m
@@ -614,12 +658,24 @@ def test_eherkenning_fail_with_invite_redirects_to_register_page(self, m):
             f"http://testserver{reverse('django_registration_register')}?invite={invite.key}",
         )
 
-    @patch("open_inwoner.kvk.client.KvKClient.get_all_company_branches")
+    @patch(
+        "open_inwoner.kvk.signals.KvKClient.retrieve_rsin_with_kvk",
+        return_value="123456789",
+        autospec=True,
+    )
+    @patch(
+        "open_inwoner.kvk.client.KvKClient.get_all_company_branches",
+        autospec=True,
+    )
     @patch(
         "open_inwoner.kvk.models.KvKConfig.get_solo",
+        autospec=True,
     )
     def test_invite_url_not_in_session_after_successful_login(
-        self, mock_solo, mock_kvk
+        self,
+        mock_solo,
+        mock_kvk,
+        mock_retrieve_rsin_with_kvk,
     ):
         mock_kvk.return_value = [
             {"kvkNummer": "12345678", "vestigingsnummer": "1234"},
@@ -687,7 +743,7 @@ def test_redirect_flow_with_no_vestigingsnummer(self, mock_solo, mock_kvk):
         mock_solo.return_value.server_certificate = CertificateFactory()
 
         user = eHerkenningUserFactory.create(
-            kvk="12345678", email="user-12345678@localhost"
+            kvk="12345678", rsin="123456789", email="user-12345678@localhost"
         )
 
         url = reverse("eherkenning-mock:password")
@@ -1048,8 +1104,16 @@ def test_digid_user_success(self):
         self.assertEqual(users.first().email, "[email protected]")
         self.assertEqual(users.last().email, "[email protected]")
 
-    @patch("open_inwoner.kvk.client.KvKClient.get_all_company_branches")
-    def test_eherkenning_user_success(self, mock_kvk):
+    @patch(
+        "open_inwoner.kvk.signals.KvKClient.retrieve_rsin_with_kvk",
+        return_value="123456789",
+        autospec=True,
+    )
+    @patch(
+        "open_inwoner.kvk.client.KvKClient.get_all_company_branches",
+        autospec=True,
+    )
+    def test_eherkenning_user_success(self, mock_kvk, mock_retrieve_rsin_with_kvk):
         """Assert that eHerkenning users can register with duplicate emails"""
 
         mock_kvk.return_value = [
@@ -1068,6 +1132,7 @@ def test_eherkenning_user_success(self, mock_kvk):
         test_user = eHerkenningUserFactory.create(
             email="test@localhost",
             kvk="64819772",
+            rsin="123456789",
         )
 
         url = reverse("eherkenning-mock:password")