Merge pull request #5424 from hypothesis/userid-principal-authclient

Explicitly add userid principal for AuthClient forwarded users

h/auth/util.py

@@ -160,11 +160,20 @@ def principals_for_auth_client_user(user, client):
     :type client: :py:class:`h.models.auth_client.AuthClient`
     :rtype: list
     """
+
+    # Other auth policies that extend Pyramid auth policies, e.g.
+    # ``Pyramid.authentication.CallbackAuthenticationPolicy``, automatically
+    # get a ``userid`` principal via its ``effective_principals`` method.
+    # But :py:class:`h.auth.policy.AuthClientPolicy` overrides ``effective_principals``
+    # with its own method, so the ``userid`` principal needs to be added explicitly here
+    # for forwarded users
+    userid_principals = [user.userid]
+
     user_principals = principals_for_user(user)
     client_principals = principals_for_auth_client(client)
     auth_client_principals = [role.AuthClientUser]
 
-    all_principals = user_principals + client_principals + auth_client_principals
+    all_principals = userid_principals + user_principals + client_principals + auth_client_principals
     distinct_principals = list(set(all_principals))
 
     return distinct_principals

tests/h/auth/util_test.py

@@ -183,6 +183,13 @@ def test_it_proxies_to_principals_for_auth_client(self, principals_for_auth_clie
 
         principals_for_auth_client.assert_called_once_with(auth_client)
 
+    def test_it_adds_the_userid_principal(self, factories, auth_client):
+        user = factories.User(authority=auth_client.authority)
+
+        principals = util.principals_for_auth_client_user(user, auth_client)
+
+        assert user.userid in principals
+
     def test_it_adds_the_authclientuser_role(self, factories, auth_client):
         user = factories.User(authority=auth_client.authority)