From c7a1fb67d015da2725d734ebe315c333101f3478 Mon Sep 17 00:00:00 2001
From: John Westcott IV
Date: Wed, 23 Feb 2022 09:35:11 -0500
Subject: [PATCH] SAML superuse/auditor now searching all fields in a list instead of just the first
---
awx/sso/pipeline.py | 9 +++++++--
awx/sso/tests/functional/test_pipeline.py | 14 ++++++++++++--
2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/awx/sso/pipeline.py b/awx/sso/pipeline.py
index 13549861bb..3a63391fe8 100644
--- a/awx/sso/pipeline.py
+++ b/awx/sso/pipeline.py
@@ -263,9 +263,14 @@ def _check_flag(user, flag, attributes, user_flags_settings):
 if user_flags_settings.get(is_value_key, None):
 # If so, check and see if the value of the attr matches the required value
 attribute_value = attributes.get(attr_setting, None)
+ attribute_matches = False
 if isinstance(attribute_value, (list, tuple)):
- attribute_value = attribute_value[0]
- if attribute_value == user_flags_settings.get(is_value_key):
+ if user_flags_settings.get(is_value_key) in attribute_value:
+ attribute_matches = True
+ elif attribute_value == user_flags_settings.get(is_value_key):
+ attribute_matches = True
+
+ if attribute_matches:
 logger.debug("Giving %s %s from attribute %s with matching value" % (user.username, flag, attr_setting))
 new_flag = True
 # if they don't match make sure that new_flag is false
diff --git a/awx/sso/tests/functional/test_pipeline.py b/awx/sso/tests/functional/test_pipeline.py
index 6ed084a9d7..7954ac11f3 100644
--- a/awx/sso/tests/functional/test_pipeline.py
+++ b/awx/sso/tests/functional/test_pipeline.py
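Review bot: `user_flags_settings.get(is_value_key)` is evaluated three times across this hunk (once in the guard context line and once in each new branch), and the two new branches differ only in the comparison operator, so binding the required value once and folding the branches keeps the list and scalar handling side by side: `required_value = user_flags_settings.get(is_value_key)`, `is_multi = isinstance(attribute_value, (list, tuple))`, `attribute_matches = required_value in attribute_value if is_multi else attribute_value == required_value`. Keeping `==` for the scalar case rather than `in` is the correct choice, because `in` on a str is a substring test and would widen which assertion values grant the superuser/auditor flag; a short comment such as `# scalar values must match exactly; 'in' on a str would be a substring test` would stop a later cleanup from merging the branches into a single `in`. `_check_flag` starts before this hunk and continues past it, so the non-match path hinted at by the trailing comment (`new_flag` reset) is not visible here.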
@@ -447,6 +447,16 @@ class TestSAMLUserFlags:
 {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'true'},
 (True, True),
 ),
+ # In this test case we will validate that a single attribute (instead of a list) still works
+ (
+ {'is_superuser_attr': 'name_id', 'is_superuser_value': 'test_id'},
+ (True, True),
+ ),
+ # This will be a negative test for a single atrribute
+ (
+ {'is_superuser_attr': 'name_id', 'is_superuser_value': 'junk'},
+ (False, False),
+ ),
 ],
 )
 def test__check_flag(self, user_flags_settings, expected):
@@ -457,10 +467,10 @@ class TestSAMLUserFlags:
 attributes = {
 'email': ['noone@nowhere.com'],
 'last_name': ['Westcott'],
- 'is_superuser': ['true'],
+ 'is_superuser': ['something', 'else', 'true'],
 'username': ['test_id'],
 'first_name': ['John'],
- 'Role': ['test-role-1'],
+ 'Role': ['test-role-1', 'something', 'different'],
 'name_id': 'test_id',
 }
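Review bot: The comment on the added negative case misspells "attribute" (`# This will be a negative test for a single atrribute`). Both new parametrize cases exercise the scalar `name_id` path; the multi-valued path that pipeline.py now handles with `in` is only exercised positively, through the `is_superuser` and `Role` fixture values changed in the next hunk, so unless a case above this hunk already covers it, a negative list case mirroring the scalar one — e.g. `({'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'junk'}, (False, False))` (constructed to match the existing entries' shape) — would pin that a value absent from a multi-valued attribute does not grant the flag. The second hunk of this file is cut off at the end of the page, so its trailing context is not visible here.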