fix: do never link users with organisation identities

This is the first step to really resolve this issue. This fix prevents organisation Identities to be linked with keycloak users. This could potentially lead to a situation, where a user can make a keycloak account with their email address, but then be unable to login to mySAGW, if the Email is already set on an organisation Identity, due to the unique constraint on the email field. Probable next step is to remove this constraint and enforce uniqueness of emails of non-organisation Identities on application level.
adfinis · Jan 23, 2025 · 528cc8b · 528cc8b
1 parent b9b00e2
commit 528cc8b
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/api/mysagw/oidc_auth/models.py b/api/mysagw/oidc_auth/models.py
@@ -3,6 +3,7 @@
 from django.conf import settings
 from django.db import IntegrityError, transaction
 from django.db.models import Q
+from rest_framework.exceptions import ValidationError
 
 from mysagw.identity.models import Identity
 
@@ -87,8 +88,13 @@ def _update_or_create_identity(self):
             settings.OIDC_MONITORING_CLIENT_USERNAME,
         ]:
             return None
+        if Identity.objects.filter(
+            is_organisation=True, email__iexact=self.email
+        ).exists():
+            msg = "Can't create Identity, because there is already an organisation with this email address."
+            raise ValidationError(msg)
         try:
-            identity = Identity.objects.get(
+            identity = Identity.objects.filter(is_organisation=False).get(
                 Q(idp_id=self.id) | Q(email__iexact=self.email),
             )
             # we only want to save if necessary in order to prevent adding historical

diff --git a/api/mysagw/oidc_auth/tests/test_authentication.py b/api/mysagw/oidc_auth/tests/test_authentication.py
@@ -4,10 +4,12 @@
 
 import pytest
 from django.core.cache import cache
+from django.urls import reverse
 from mozilla_django_oidc.contrib.drf import OIDCAuthentication
 from requests.exceptions import HTTPError
 from rest_framework import exceptions, status
 from rest_framework.exceptions import AuthenticationFailed
+from rest_framework.test import APIClient
 from simple_history.models import HistoricalRecords
 
 from mysagw.identity.models import Identity
@@ -245,3 +247,42 @@ def test_authentication_idp_missing_claim(
     request = rf.get("/openid", HTTP_AUTHORIZATION="Bearer Token")
     with pytest.raises(AuthenticationFailed):
         OIDCAuthentication().authenticate(request)
+
+
+@pytest.mark.parametrize(
+    "identity__is_organisation,identity__organisation_name,identity__email",
+    [
+        (True, "org name", "[email protected]"),
+    ],
+)
+def test_authentication_email_already_used(
+    db, rf, requests_mock, settings, get_claims, identity
+):
+    idp_id = str(uuid4())
+    claims = get_claims(
+        id_claim=idp_id,
+        email_claim="[email protected]",
+        first_name_claim="Winston",
+        last_name_claim="Smith",
+        salutation_claim="neutral",
+        title_claim=None,
+    )
+    assert Identity.objects.count() == 1
+
+    requests_mock.get(settings.OIDC_OP_USER_ENDPOINT, text=json.dumps(claims))
+
+    url = reverse("me")
+
+    client = APIClient()
+    response = client.get(url, HTTP_AUTHORIZATION="Bearer Token")
+    assert response.status_code == status.HTTP_400_BAD_REQUEST
+    assert response.json() == {
+        "errors": [
+            {
+                "detail": "Can't create Identity, because there is already an organisation with this email address.",
+                "status": "400",
+                "source": {"pointer": "/data"},
+                "code": "invalid",
+            }
+        ]
+    }