♻️ [#1902/1903] Hash BSN when generating email for DigiD OIDC users

tasks: * https://taiga.maykinmedia.nl/project/open-inwoner/task/1902 * https://taiga.maykinmedia.nl/project/open-inwoner/task/1903
maykinmedia · Dec 7, 2023 · 002caf6 · 002caf6
1 parent 52222bc
commit 002caf6
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 10 deletions.
diff --git a/src/digid_eherkenning_oidc_generics/backends.py b/src/digid_eherkenning_oidc_generics/backends.py
@@ -1,17 +1,14 @@
 import logging
 
-from django.contrib.auth.models import AnonymousUser
-from django.core.exceptions import SuspiciousOperation
 from django.urls import reverse_lazy
 
 from mozilla_django_oidc_db.backends import (
     OIDCAuthenticationBackend as _OIDCAuthenticationBackend,
 )
-from requests.exceptions import HTTPError, RequestException
 
 from open_inwoner.accounts.choices import LoginTypeChoices
+from open_inwoner.utils.hash import generate_email_from_string
 
-from .constants import DIGID_OIDC_AUTH_SESSION_KEY, EHERKENNING_OIDC_AUTH_SESSION_KEY
 from .mixins import SoloConfigDigiDMixin, SoloConfigEHerkenningMixin
 
 logger = logging.getLogger(__name__)
@@ -49,7 +46,9 @@ def create_user(self, claims):
 
         user = self.UserModel.objects.create_user(
             **{
-                self.UserModel.USERNAME_FIELD: "user-{}@localhost".format(unique_id),
+                self.UserModel.USERNAME_FIELD: generate_email_from_string(
+                    unique_id, domain="localhost"
+                ),
                 identifier_claim_name: unique_id,
                 "login_type": self.login_type,
             }

diff --git a/src/open_inwoner/accounts/tests/test_oidc_views.py b/src/open_inwoner/accounts/tests/test_oidc_views.py
@@ -1,3 +1,4 @@
+from hashlib import md5
 from unittest.mock import patch
 
 from django.contrib.auth import get_user_model
@@ -316,7 +317,11 @@ def test_new_user_is_created_when_new_bsn(
         new_user = User.objects.get(bsn="000000000")
 
         mock_brp.assert_called_with(new_user)
-        self.assertEqual(new_user.email, "user-000000000@localhost")
+        salt = "generate_email_from_bsn"
+        hashed_bsn = md5(
+            (salt + "000000000").encode(), usedforsecurity=False
+        ).hexdigest()
+        self.assertEqual(new_user.email, f"{hashed_bsn}@localhost")
         self.assertEqual(new_user.login_type, LoginTypeChoices.digid)
 
     @patch(
@@ -520,7 +525,11 @@ def test_new_user_is_created_when_new_kvk(
         new_user = User.objects.get(kvk="00000000")
 
         mock_retrieve_rsin_with_kvk.assert_called_with("00000000")
-        self.assertEqual(new_user.email, "user-00000000@localhost")
+        salt = "generate_email_from_bsn"
+        hashed_bsn = md5(
+            (salt + "00000000").encode(), usedforsecurity=False
+        ).hexdigest()
+        self.assertEqual(new_user.email, f"{hashed_bsn}@localhost")
         self.assertEqual(new_user.rsin, "123456789")
         self.assertEqual(new_user.login_type, LoginTypeChoices.eherkenning)
 

diff --git a/src/open_inwoner/utils/hash.py b/src/open_inwoner/utils/hash.py
@@ -1,12 +1,14 @@
 from hashlib import md5, sha256
+from typing import Optional
 
 
-def generate_email_from_string(value: str) -> str:
+def generate_email_from_string(
+    value: str, domain: Optional[str] = "example.org"
+) -> str:
     """generate email address based on string"""
     salt = "generate_email_from_bsn"
     hashed_bsn = md5((salt + value).encode(), usedforsecurity=False).hexdigest()
-
-    return f"{hashed_bsn}@example.org"
+    return f"{hashed_bsn}@{domain}"
 
 
 def create_sha256_hash(val, salt=None):