signon: support people loggin adding identities while already logged in

else the auto_bind doesn't really bind anything.

Signed-off-by: Mattia Rizzolo <mattia@debian.org>

signon/middleware.py

@@ -85,14 +85,20 @@ class SignonMiddleware:
                 # An authenticated user is associated with the request, but
                 # it does not match the authorized user in the header.
                 self._remove_invalid_user(request)
-                return
-        else:
-            # We are seeing this user for the first time in this session.
-            # Set request.user and persist user in the session by logging the
-            # user in.
-            request.user = person
-            auth.login(request, person, backend="signon.middleware.SignonAuthBackend")
 
+            # Try to auto_bind identities if needed.
+            if getattr(settings, "SIGNON_AUTO_BIND", False):
+                self._signon_auto_bind(request)
+
+            return
+
+        # We are seeing this user for the first time in this session.
+        # Set request.user and persist user in the session by logging the
+        # user in.
+        request.user = person
+        auth.login(request, person, backend="signon.middleware.SignonAuthBackend")
+
+        # Try to auto_bind identities if needed.
         if getattr(settings, "SIGNON_AUTO_BIND", False) and request.user.is_authenticated:
             if any(x.person is None for x in request.signon_identities.values()):
                 self._signon_auto_bind(request)

signon/tests/test_authentication.py

@@ -194,8 +194,7 @@ class TestAuthentication(SignonFixtureMixin, TestCase):
             }
 
         with mock.patch("signon.middleware.SignonMiddleware._instantiate_identities", _instantiate_identities2):
-            with self.assertLogs():
-                response = client.get(reverse('signon:whoami'))
+            response = client.get(reverse('signon:whoami'))
 
         self.assertEqual(response.status_code, 200)
 
@@ -208,15 +207,28 @@ class TestAuthentication(SignonFixtureMixin, TestCase):
                 "debsso", person=self.user1, issuer="debsso", subject="dd@debian.org", audit_skip=True)
         self.identities.create(
                 "salsa", issuer="salsa", subject="1", audit_skip=True)
+        client = self.make_test_client(None)
 
-        def _instantiate_identities(_self, request):
+        # first log in with the working identity
+        def _instantiate_identities1(_self, request):
+            request.signon_identities = {
+                "debsso": self.identities.debsso,
+            }
+
+        with mock.patch("signon.middleware.SignonMiddleware._instantiate_identities", _instantiate_identities1):
+            response = client.get(reverse('signon:whoami'))
+
+        self.assertEqual(response.status_code, 200)
+        self.assertTrue(response.wsgi_request.user.is_authenticated)
+
+        # then try to log in with the extra identity
+        def _instantiate_identities2(_self, request):
             request.signon_identities = {
                 "debsso": self.identities.debsso,
                 "salsa": self.identities.salsa,
             }
 
-        with mock.patch("signon.middleware.SignonMiddleware._instantiate_identities", _instantiate_identities):
-            client = self.make_test_client(None)
+        with mock.patch("signon.middleware.SignonMiddleware._instantiate_identities", _instantiate_identities2):
             with self.assertLogs() as log:
                 response = client.get(reverse('signon:whoami'))
 
@@ -227,6 +239,7 @@ class TestAuthentication(SignonFixtureMixin, TestCase):
         self.assertEqual(response.status_code, 200)
 
         request = response.wsgi_request
+        self.assertTrue(request.user.is_authenticated)
         self.assertEqual(request.signon_identities, {
             "debsso": self.identities.debsso,
             "salsa": self.identities.salsa,
@@ -251,6 +264,7 @@ class TestAuthentication(SignonFixtureMixin, TestCase):
         # One unbound salsa account
         self.identities.create(
             "salsa2", issuer="salsa", subject="2", username="salsa2", audit_skip=True)
+        client = self.make_test_client(None)
 
         def _instantiate_identities(_self, request):
             request.signon_identities = {
@@ -259,7 +273,6 @@ class TestAuthentication(SignonFixtureMixin, TestCase):
             }
 
         with mock.patch("signon.middleware.SignonMiddleware._instantiate_identities", _instantiate_identities):
-            client = self.make_test_client(None)
             with self.assertLogs() as log:
                 response = client.get(reverse('signon:whoami'))