refactor get_authn_for_action to also return authn params

SUNET · Jun 17, 2024 · 662e7f8 · 662e7f8
1 parent 4be6a98
commit 662e7f8
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 13 deletions.
diff --git a/src/eduid/webapp/common/authn/utils.py b/src/eduid/webapp/common/authn/utils.py
@@ -2,13 +2,13 @@
 import logging
 import os.path
 import sys
-from typing import Optional, Sequence
+from typing import Optional, Sequence, Tuple
 
 from saml2 import server
 from saml2.config import SPConfig
 from saml2.typing import SAMLHttpArgs
 
-from eduid.common.config.base import EduIDBaseAppConfig, FrontendAction, FrontendActionMixin
+from eduid.common.config.base import EduIDBaseAppConfig, FrontendAction, FrontendActionMixin, AuthnParameters
 from eduid.common.config.exceptions import BadConfiguration
 from eduid.common.misc.timeutil import utc_now
 from eduid.common.utils import urlappend
@@ -109,7 +109,9 @@ def init_pysaml2(cfgfile: str) -> server.Server:
         sys.path = old_path
 
 
-def get_authn_for_action(config: FrontendActionMixin, frontend_action: FrontendAction) -> Optional[SP_AuthnRequest]:
+def get_authn_for_action(
+    config: FrontendActionMixin, frontend_action: FrontendAction
+) -> Tuple[Optional[SP_AuthnRequest], AuthnParameters]:
     authn_params = config.frontend_action_authn_parameters.get(frontend_action)
     if authn_params is None:
         raise BadConfiguration(f"No authn parameters for frontend action {frontend_action}")
@@ -120,20 +122,20 @@ def get_authn_for_action(config: FrontendActionMixin, frontend_action: FrontendA
         # check for old login actions until we remove them
         if not authn and authn_params.allow_login_auth:
             authn = session.authn.sp.get_authn_for_frontend_action(FrontendAction.OLD_LOGIN)
-    return authn
+    return authn, authn_params
 
 
 def validate_authn_for_action(
     config: FrontendActionMixin,
     frontend_action: FrontendAction,
     credential_used: Optional[Credential] = None,
 ) -> AuthnActionStatus:
-    """ """
-    authn_params = config.frontend_action_authn_parameters.get(frontend_action)
-    if authn_params is None:
-        raise BadConfiguration(f"No authn parameters for frontend action {frontend_action}")
+    """
+    Validate the authentication for the given frontend action.
+    """
 
-    authn = get_authn_for_action(config=config, frontend_action=frontend_action)
+    logger.debug(f"Validating authentication for frontend action {frontend_action}")
+    authn, authn_params = get_authn_for_action(config=config, frontend_action=frontend_action)
 
     if not authn or not authn.authn_instant:
         logger.info("No authentication found")

diff --git a/src/eduid/webapp/security/views/change_password.py b/src/eduid/webapp/security/views/change_password.py
@@ -62,7 +62,7 @@ def change_password_view(user: User, new_password: str, old_password: Optional[s
     if _need_reauthn:
         return _need_reauthn
 
-    authn = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
+    authn, _ = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
     assert authn is not None  # please mypy (if authn was None we would have returned with _need_reauthn above)
     current_app.logger.debug(f"change_password called with authn {authn}")
 

diff --git a/src/eduid/webapp/security/views/security.py b/src/eduid/webapp/security/views/security.py
@@ -72,7 +72,7 @@ def terminate_account(user: User):
     if _need_reauthn:
         return _need_reauthn
 
-    authn = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
+    authn, _ = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
     assert authn is not None  # please mypy (if authn was None we would have returned with _need_reauthn above)
     current_app.logger.debug(f"terminate_account called with authn {authn}")
 
@@ -184,7 +184,7 @@ def remove_identities(user: User, identity_type: str) -> FluxData:
     if _need_reauthn:
         return _need_reauthn
 
-    authn = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
+    authn, _ = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
     assert authn is not None  # please mypy (if authn was None we would have returned with _need_reauthn above)
 
     try:
@@ -206,6 +206,9 @@ def remove_identities(user: User, identity_type: str) -> FluxData:
 
     current_app.logger.debug(f"identities AFTER: {security_user.identities}")
     current_app.stats.count(name=f"remove_{_type}_identity")
+
+    authn.consumed = True
+
     return success_response(
         payload=dict(identities=security_user.identities.to_frontend_format()),
         message=SecurityMsg.rm_success,

diff --git a/src/eduid/webapp/security/views/webauthn.py b/src/eduid/webapp/security/views/webauthn.py
@@ -246,7 +246,7 @@ def remove(user: User, credential_key: str) -> FluxData:
     if _need_reauthn:
         return _need_reauthn
 
-    authn = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
+    authn, _ = get_authn_for_action(config=current_app.conf, frontend_action=frontend_action)
     assert authn is not None  # please mypy (if authn was None we would have returned with _need_reauthn above)
     current_app.logger.debug(f"terminate_account called with authn {authn}")