Add third-party auth implementation and tests

AUTHORS

@@ -141,3 +141,4 @@ William Desloge <william.desloge@ionis-group.com>
 Marco Re <mrc.re@tiscali.it>
 Jonas Jelten <jelten@in.tum.de>
 Christine Lytwynec <clytwynec@edx.org>
+John Cox <johncox@google.com>

common/djangoapps/student/views.py

@@ -16,6 +16,7 @@ from django.contrib.auth import logout, authenticate, login
 from django.contrib.auth.models import User, AnonymousUser
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.views import password_reset_confirm
+from django.contrib import messages
 from django.core.cache import cache
 from django.core.context_processors import csrf
 from django.core.mail import send_mail
@@ -85,6 +86,8 @@ from util.password_policy_validators import (
     validate_password_dictionary
 )
 
+from third_party_auth import pipeline, provider
+
 log = logging.getLogger("edx.student")
 AUDIT_LOG = logging.getLogger("audit")
 
@@ -363,11 +366,16 @@ def signin_user(request):
     context = {
         'course_id': request.GET.get('course_id'),
         'enrollment_action': request.GET.get('enrollment_action'),
+        # Bool injected into JS to submit form if we're inside a running third-
+        # party auth pipeline; distinct from the actual instance of the running
+        # pipeline, if any.
+        'pipeline_running': 'true' if pipeline.running(request) else 'false',
         'platform_name': microsite.get_value(
             'platform_name',
             settings.PLATFORM_NAME
         ),
     }
+
     return render_to_response('login.html', context)
 
 
@@ -385,17 +393,34 @@ def register_user(request, extra_context=None):
 
     context = {
         'course_id': request.GET.get('course_id'),
+        'email': '',
         'enrollment_action': request.GET.get('enrollment_action'),
+        'name': '',
+        'running_pipeline': None,
         'platform_name': microsite.get_value(
             'platform_name',
             settings.PLATFORM_NAME
         ),
+        'selected_provider': '',
+        'username': '',
     }
+
     if extra_context is not None:
         context.update(extra_context)
 
     if context.get("extauth_domain", '').startswith(external_auth.views.SHIBBOLETH_DOMAIN_PREFIX):
         return render_to_response('register-shib.html', context)
+
+    # If third-party auth is enabled, prepopulate the form with data from the
+    # selected provider.
+    if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH') and pipeline.running(request):
+        running_pipeline = pipeline.get(request)
+        current_provider = provider.Registry.get_by_backend_name(running_pipeline.get('backend'))
+        overrides = current_provider.get_register_form_data(running_pipeline.get('kwargs'))
+        overrides['running_pipeline'] = running_pipeline
+        overrides['selected_provider'] = current_provider.NAME
+        context.update(overrides)
+
     return render_to_response('register.html', context)
 
 
@@ -532,8 +557,17 @@ def dashboard(request):
         'language_options': language_options,
         'current_language': current_language,
         'current_language_code': cur_lang_code,
+        'user': user,
+        'duplicate_provider': None,
+        'logout_url': reverse(logout_user),
+        'platform_name': settings.PLATFORM_NAME,
+        'provider_states': [],
     }
 
+    if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH'):
+        context['duplicate_provider'] = pipeline.get_duplicate_provider(messages.get_messages(request))
+        context['provider_user_states'] = pipeline.get_provider_user_states(user)
+
     return render_to_response('dashboard.html', context)
 
 
@@ -690,6 +724,7 @@ def accounts_login(request):
             return external_auth.views.course_specific_login(request, course_id)
 
     context = {
+        'pipeline_running': 'false',
         'platform_name': settings.PLATFORM_NAME,
     }
     return render_to_response('login.html', context)
@@ -697,24 +732,62 @@ def accounts_login(request):
 
 # Need different levels of logging
 @ensure_csrf_cookie
-def login_user(request, error=""):
+def login_user(request, error=""):  # pylint: disable-msg=too-many-statements,unused-argument
     """AJAX request to log in the user."""
-    if 'email' not in request.POST or 'password' not in request.POST:
-        return JsonResponse({
-            "success": False,
-            "value": _('There was an error receiving your login information. Please email us.'),  # TODO: User error message
-        })  # TODO: this should be status code 400  # pylint: disable=fixme
 
-    email = request.POST['email']
-    password = request.POST['password']
-    try:
-        user = User.objects.get(email=email)
-    except User.DoesNotExist:
-        if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
-            AUDIT_LOG.warning(u"Login failed - Unknown user email")
-        else:
-            AUDIT_LOG.warning(u"Login failed - Unknown user email: {0}".format(email))
-        user = None
+    backend_name = None
+    email = None
+    password = None
+    redirect_url = None
+    response = None
+    running_pipeline = None
+    third_party_auth_requested = settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH') and pipeline.running(request)
+    third_party_auth_successful = False
+    trumped_by_first_party_auth = bool(request.POST.get('email')) or bool(request.POST.get('password'))
+    user = None
+
+    if third_party_auth_requested and not trumped_by_first_party_auth:
+        # The user has already authenticated via third-party auth and has not
+        # asked to do first party auth by supplying a username or password. We
+        # now want to put them through the same logging and cookie calculation
+        # logic as with first-party auth.
+        running_pipeline = pipeline.get(request)
+        username = running_pipeline['kwargs'].get('username')
+        backend_name = running_pipeline['backend']
+        requested_provider = provider.Registry.get_by_backend_name(backend_name)
+
+        try:
+            user = pipeline.get_authenticated_user(username, backend_name)
+            third_party_auth_successful = True
+        except User.DoesNotExist:
+            AUDIT_LOG.warning(
+                u'Login failed - user with username {username} has no social auth with backend_name {backend_name}'.format(
+                    username=username, backend_name=backend_name))
+            return JsonResponse({
+                "success": False,
+                # Translators: provider_name is the name of an external, third-party user authentication service (like
+                # Google or LinkedIn).
+                "value": _('There is no {platform_name} account associated with your {provider_name} account. Please use your {platform_name} credentials or pick another provider.').format(
+                    platform_name=settings.PLATFORM_NAME, provider_name=requested_provider.NAME)
+            })  # TODO: this should be a status code 401  # pylint: disable=fixme
+
+    else:
+
+        if 'email' not in request.POST or 'password' not in request.POST:
+            return JsonResponse({
+                "success": False,
+                "value": _('There was an error receiving your login information. Please email us.'),  # TODO: User error message
+            })  # TODO: this should be status code 400  # pylint: disable=fixme
+
+        email = request.POST['email']
+        password = request.POST['password']
+        try:
+            user = User.objects.get(email=email)
+        except User.DoesNotExist:
+            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
+                AUDIT_LOG.warning(u"Login failed - Unknown user email")
+            else:
+                AUDIT_LOG.warning(u"Login failed - Unknown user email: {0}".format(email))
 
     # check if the user has a linked shibboleth account, if so, redirect the user to shib-login
     # This behavior is pretty much like what gmail does for shibboleth.  Try entering some @stanford.edu
@@ -753,14 +826,17 @@ def login_user(request, error=""):
     # username so that authentication is guaranteed to fail and we can take
     # advantage of the ratelimited backend
     username = user.username if user else ""
-    try:
-        user = authenticate(username=username, password=password, request=request)
-    # this occurs when there are too many attempts from the same IP address
-    except RateLimitException:
-        return JsonResponse({
-            "success": False,
-            "value": _('Too many failed login attempts. Try again later.'),
-        })  # TODO: this should be status code 429  # pylint: disable=fixme
+
+    if not third_party_auth_successful:
+        try:
+            user = authenticate(username=username, password=password, request=request)
+        # this occurs when there are too many attempts from the same IP address
+        except RateLimitException:
+            return JsonResponse({
+                "success": False,
+                "value": _('Too many failed login attempts. Try again later.'),
+            })  # TODO: this should be status code 429  # pylint: disable=fixme
+
     if user is None:
         # tick the failed login counters if the user exists in the database
         if user_found_by_email_lookup and LoginFailures.is_feature_enabled():
@@ -801,7 +877,9 @@ def login_user(request, error=""):
 
         redirect_url = try_change_enrollment(request)
 
-        dog_stats_api.increment("common.student.successful_login")
+        if third_party_auth_successful:
+            redirect_url = pipeline.get_complete_url(backend_name)
+
         response = JsonResponse({
             "success": True,
             "redirect_url": redirect_url,
@@ -1027,16 +1105,20 @@ def _do_create_account(post_vars):
 
 
 @ensure_csrf_cookie
-def create_account(request, post_override=None):
+def create_account(request, post_override=None):  # pylint: disable-msg=too-many-statements
     """
     JSON call to create new edX account.
     Used by form in signup_modal.html, which is included into navigation.html
     """
-    js = {'success': False}
+    js = {'success': False}  # pylint: disable-msg=invalid-name
 
     post_vars = post_override if post_override else request.POST
     extra_fields = getattr(settings, 'REGISTRATION_EXTRA_FIELDS', {})
 
+    if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH') and pipeline.running(request):
+        post_vars = dict(post_vars.items())
+        post_vars.update({'password': pipeline.make_random_password()})
+
     # if doing signup for an external authorization, then get email, password, name from the eamap
     # don't use the ones from the form, since the user could have hacked those
     # unless originally we didn't get a valid email or name from the external auth
@@ -1234,9 +1316,17 @@ def create_account(request, post_override=None):
             login_user.save()
             AUDIT_LOG.info(u"Login activated on extauth account - {0} ({1})".format(login_user.username, login_user.email))
 
+    dog_stats_api.increment("common.student.account_created")
+    redirect_url = try_change_enrollment(request)
+
+    # Resume the third-party-auth pipeline if necessary.
+    if settings.FEATURES.get('ENABLE_THIRD_PARTY_AUTH') and pipeline.running(request):
+        running_pipeline = pipeline.get(request)
+        redirect_url = pipeline.get_complete_url(running_pipeline['backend'])
+
     response = JsonResponse({
         'success': True,
-        'redirect_url': try_change_enrollment(request),
+        'redirect_url': redirect_url,
     })
 
     # set the login cookie for the edx marketing site

common/djangoapps/third_party_auth/middleware.py

+"""Middleware classes for third_party_auth."""
+
+from social.apps.django_app.middleware import SocialAuthExceptionMiddleware
+
+from . import pipeline
+
+
+class ExceptionMiddleware(SocialAuthExceptionMiddleware):
+    """Custom middleware that handles conditional redirection."""
+
+    def get_redirect_uri(self, request, exception):
+        # Safe because it's already been validated by
+        # pipeline.parse_query_params. If that pipeline step ever moves later
+        # in the pipeline stack, we'd need to validate this value because it
+        # would be an injection point for attacker data.
+        auth_entry = request.session.get(pipeline.AUTH_ENTRY_KEY)
+        # Fall back to django settings's SOCIAL_AUTH_LOGIN_ERROR_URL.
+        return '/' + auth_entry if auth_entry else super(ExceptionMiddleware, self).get_redirect_uri(request, exception)

common/djangoapps/third_party_auth/pipeline.py

-"""Auth pipeline definitions."""
+"""Auth pipeline definitions.
 
+Auth pipelines handle the process of authenticating a user. They involve a
+consumer system and a provider service. The general pattern is:
+
+    1. The consumer system exposes a URL endpoint that starts the process.
+    2. When a user visits that URL, the client system redirects the user to a
+       page served by the provider. The user authenticates with the provider.
+       The provider handles authentication failure however it wants.
+    3. On success, the provider POSTs to a URL endpoint on the consumer to
+       invoke the pipeline. It sends back an arbitrary payload of data about
+       the user.
+    4. The pipeline begins, executing each function in its stack. The stack is
+       defined on django's settings object's SOCIAL_AUTH_PIPELINE. This is done
+       in settings._set_global_settings.
+    5. Each pipeline function is variadic. Most pipeline functions are part of
+       the pythons-social-auth library; our extensions are defined below. The
+       pipeline is the same no matter what provider is used.
+    6. Pipeline functions can return a dict to add arguments to the function
+       invoked next. They can return None if this is not necessary.
+    7. Pipeline functions may be decorated with @partial.partial. This pauses
+       the pipeline and serializes its state onto the request's session. When
+       this is done they may redirect to other edX handlers to execute edX
+       account registration/sign in code.
+    8. In that code, redirecting to get_complete_url() resumes the pipeline.
+       This happens by hitting a handler exposed by the consumer system.
+    9. In this way, execution moves between the provider, the pipeline, and
+       arbitrary consumer system code.
+
+Gotcha alert!:
+
+Bear in mind that when pausing and resuming a pipeline function decorated with
+@partial.partial, execution resumes by re-invoking the decorated function
+instead of invoking the next function in the pipeline stack. For example, if
+you have a pipeline of
+
+    A
+    B
+    C
+
+with an implementation of
+
+    @partial.partial
+    def B(*args, **kwargs):
+        [...]
+
+B will be invoked twice: once when initially proceeding through the pipeline
+before it is paused, and once when other code finishes and the pipeline
+resumes. Consequently, many decorated functions will first invoke a predicate
+to determine if they are in their first or second execution (usually by
+checking side-effects from the first run).
+
+This is surprising but important behavior, since it allows a single function in
+the pipeline to consolidate all the operations needed to establish invariants
+rather than spreading them across two functions in the pipeline.
+
+See http://psa.matiasaguirre.net/docs/pipeline.html for more docs.
+"""
+
+import random
+import string  # pylint: disable-msg=deprecated-module
+
+from django.contrib.auth.models import User
+from django.core.urlresolvers import reverse
+from django.shortcuts import redirect
+from social.apps.django_app.default import models
+from social.exceptions import AuthException
 from social.pipeline import partial
 
+from . import provider
+
+
+AUTH_ENTRY_KEY = 'auth_entry'
+AUTH_ENTRY_DASHBOARD = 'dashboard'
+AUTH_ENTRY_LOGIN = 'login'
+AUTH_ENTRY_REGISTER = 'register'
+_AUTH_ENTRY_CHOICES = frozenset([
+    AUTH_ENTRY_DASHBOARD,
+    AUTH_ENTRY_LOGIN,
+    AUTH_ENTRY_REGISTER
+])
+_DEFAULT_RANDOM_PASSWORD_LENGTH = 12
+_PASSWORD_CHARSET = string.letters + string.digits
+
+
+class AuthEntryError(AuthException):
+    """Raised when auth_entry is missing or invalid on URLs.
+
+    auth_entry tells us whether the auth flow was initiated to register a new
+    user (in which case it has the value of AUTH_ENTRY_REGISTER) or log in an
+    existing user (in which case it has the value of AUTH_ENTRY_LOGIN).
+
+    This is necessary because the edX code we hook into the pipeline to
+    redirect to the existing auth flows needs to know what case we are in in
+    order to format its output correctly (for example, the register code is
+    invoked earlier than the login code, and it needs to know if the login flow
+    was requested to dispatch correctly).
+    """
+
+
+class ProviderUserState(object):
+    """Object representing the provider state (attached or not) for a user.
+
+    This is intended only for use when rendering templates. See for example
+    lms/templates/dashboard.html.
+    """
+
+    def __init__(self, enabled_provider, user, state):
+        # Boolean. Whether the user has an account associated with the provider
+        self.has_account = state
+        # provider.BaseProvider child. Callers must verify that the provider is
+        # enabled.
+        self.provider = enabled_provider
+        # django.contrib.auth.models.User.
+        self.user = user
+
+    def get_unlink_form_name(self):
+        """Gets the name used in HTML forms that unlink a provider account."""
+        return self.provider.NAME + '_unlink_form'
+
+
+def get(request):
+    """Gets the running pipeline from the passed request."""
+    return request.session.get('partial_pipeline')
+
+
+def get_authenticated_user(username, backend_name):
+    """Gets a saved user authenticated by a particular backend.
+
+    Between pipeline steps User objects are not saved. We need to reconstitute
+    the user and set its .backend, which is ordinarily monkey-patched on by
+    Django during authenticate(), so it will function like a user returned by
+    authenticate().
+
+    Args:
+        username: string. Username of user to get.
+        backend_name: string. The name of the third-party auth backend from
+            the running pipeline.
+
+    Returns:
+        User if user is found and has a social auth from the passed
+        backend_name.
+
+    Raises:
+        User.DoesNotExist: if no user matching user is found, or the matching
+        user has no social auth associated with the given backend.
+        AssertionError: if the user is not authenticated.
+    """
+    user = models.DjangoStorage.user.user_model().objects.get(username=username)
+    match = models.DjangoStorage.user.get_social_auth_for_user(user, provider=backend_name)
+
+    if not match:
+        raise User.DoesNotExist
+
+    user.backend = provider.Registry.get_by_backend_name(backend_name).get_authentication_backend()
+    return user
+
+
+def _get_enabled_provider_by_name(provider_name):
+    """Gets an enabled provider by its NAME member or throws."""
+    enabled_provider = provider.Registry.get(provider_name)
+
+    if not enabled_provider:
+        raise ValueError('Provider %s not enabled' % provider_name)
+
+    return enabled_provider
+
+
+def _get_url(view_name, backend_name, auth_entry=None):
+    """Creates a URL to hook into social auth endpoints."""
+    kwargs = {'backend': backend_name}
+    url = reverse(view_name, kwargs=kwargs)
+
+    if auth_entry:
+        url += '?%s=%s' % (AUTH_ENTRY_KEY, auth_entry)
+
+    return url
+
+
+def get_complete_url(backend_name):
+    """Gets URL for the endpoint that returns control to the auth pipeline.
+
+    Args:
+        backend_name: string. Name of the python-social-auth backend from the
+            currently-running pipeline.
+
+    Returns:
+        String. URL that finishes the auth pipeline for a provider.
+
+    Raises:
+        ValueError: if no provider is enabled with the given backend_name.
+    """
+    enabled_provider = provider.Registry.get_by_backend_name(backend_name)
+
+    if not enabled_provider:
+        raise ValueError('Provider with backend %s not enabled' % backend_name)
+
+    return _get_url('social:complete', backend_name)
+
+
+def get_disconnect_url(provider_name):
+    """Gets URL for the endpoint that starts the disconnect pipeline.
+
+    Args:
+        provider_name: string. Name of the provider.BaseProvider child you want
+            to disconnect from.
+
+    Returns:
+        String. URL that starts the disconnection pipeline.
+
+    Raises:
+        ValueError: if no provider is enabled with the given backend_name.
+    """
+    enabled_provider = _get_enabled_provider_by_name(provider_name)
+    return _get_url('social:disconnect', enabled_provider.BACKEND_CLASS.name)
+
+
+def get_login_url(provider_name, auth_entry):
+    """Gets the login URL for the endpoint that kicks off auth with a provider.
+
+    Args:
+        provider_name: string. The name of the provider.Provider that has been
+            enabled.
+        auth_entry: string. Query argument specifying the desired entry point
+            for the auth pipeline. Used by the pipeline for later branching.
+            Must be one of _AUTH_ENTRY_CHOICES.
+
+    Returns:
+        String. URL that starts the auth pipeline for a provider.
+
+    Raises:
+        ValueError: if no provider is enabled with the given provider_name.
+    """
+    assert auth_entry in _AUTH_ENTRY_CHOICES
+    enabled_provider = _get_enabled_provider_by_name(provider_name)
+    return _get_url('social:begin', enabled_provider.BACKEND_CLASS.name, auth_entry=auth_entry)
+
+
+def get_duplicate_provider(messages):
+    """Gets provider from message about social account already in use.
+
+    python-social-auth's exception middleware uses the messages module to
+    record details about duplicate account associations. It records exactly one
+    message there is a request to associate a social account S with an edX
+    account E if S is already associated with an edX account E'.
+
+    Returns:
+        provider.BaseProvider child instance. The provider of the duplicate
+        account, or None if there is no duplicate (and hence no error).
+    """
+    social_auth_messages = [m for m in messages if m.extra_tags.startswith('social-auth')]
+
+    if not social_auth_messages:
+        return
+
+    assert len(social_auth_messages) == 1
+    return provider.Registry.get_by_backend_name(social_auth_messages[0].extra_tags.split()[1])
+
+
+def get_provider_user_states(user):
+    """Gets list of states of provider-user combinations.
+
+    Args:
+        django.contrib.auth.User. The user to get states for.
+
+    Returns:
+        List of ProviderUserState. The list of states of a user's account with
+            each enabled provider.
+    """
+    states = []
+    found_user_backends = [
+        social_auth.provider for social_auth in models.DjangoStorage.user.get_social_auth_for_user(user)
+    ]
+
+    for enabled_provider in provider.Registry.enabled():
+        states.append(
+            ProviderUserState(enabled_provider, user, enabled_provider.BACKEND_CLASS.name in found_user_backends)
+        )
+
+    return states
+
+
+def make_random_password(length=None, choice_fn=random.SystemRandom().choice):
+    """Makes a random password.
+
+    When a user creates an account via a social provider, we need to create a
+    placeholder password for them to satisfy the ORM's consistency and
+    validation requirements. Users don't know (and hence cannot sign in with)
+    this password; that's OK because they can always use the reset password
+    flow to set it to a known value.
+
+    Args:
+        choice_fn: function or method. Takes an iterable and returns a random
+            element.
+        length: int. Number of chars in the returned value. None to use default.
+
+    Returns:
+        String. The resulting password.
+    """
+    length = length if length is not None else _DEFAULT_RANDOM_PASSWORD_LENGTH
+    return ''.join(choice_fn(_PASSWORD_CHARSET) for _ in xrange(length))
+
+
+def running(request):
+    """Returns True iff request is running a third-party auth pipeline."""
+    return request.session.get('partial_pipeline') is not None  # Avoid False for {}.
+
+
+# Pipeline functions.
+# Signatures are set by python-social-auth; prepending 'unused_' causes
+# TypeError on dispatch to the auth backend's authenticate().
+# pylint: disable-msg=unused-argument
+
+
+def parse_query_params(strategy, response, *args, **kwargs):
+    """Reads whitelisted query params, transforms them into pipeline args."""
+    auth_entry = strategy.session.get(AUTH_ENTRY_KEY)
+
+    if not (auth_entry and auth_entry in _AUTH_ENTRY_CHOICES):
+        raise AuthEntryError(strategy.backend, 'auth_entry missing or invalid')
+
+    return {
+        # Whether the auth pipeline entered from /dashboard.
+        'is_dashboard': auth_entry == AUTH_ENTRY_DASHBOARD,
+        # Whether the auth pipeline entered from /login.
+        'is_login': auth_entry == AUTH_ENTRY_LOGIN,
+        # Whether the auth pipeline entered from /register.
+        'is_register': auth_entry == AUTH_ENTRY_REGISTER,
+    }
+
 
 @partial.partial
-def step(*args, **kwargs):
-    """Fake pipeline step; just throws loudly for now."""
-    raise NotImplementedError('%s, %s' % (args, kwargs))
+def redirect_to_supplementary_form(strategy, details, response, uid, is_dashboard=None, is_login=None, is_register=None, user=None, *args, **kwargs):
+    """Dispatches user to views outside the pipeline if necessary."""
+
+    # We're deliberately verbose here to make it clear what the intended
+    # dispatch behavior is for the three pipeline entry points, given the
+    # current state of the pipeline. Keep in mind the pipeline is re-entrant
+    # and values will change on repeated invocations (for example, the first
+    # time through the login flow the user will be None so we dispatch to the
+    # login form; the second time it will have a value so we continue to the
+    # next pipeline step directly).
+    #
+    # It is important that we always execute the entire pipeline. Even if
+    # behavior appears correct without executing a step, it means important
+    # invariants have been violated and future misbehavior is likely.
+
+    if is_dashboard:
+        return
+
+    if is_login and user is None:
+        return redirect('/login', name='signin_user')
+
+    if is_register and user is None:
+        return redirect('/register', name='register_user')

common/djangoapps/third_party_auth/provider.py

@@ -4,6 +4,10 @@ Loaded by Django's settings mechanism. Consequently, this module must not
 invoke the Django armature.
 """
 
+from social.backends import google, linkedin
+
+_DEFAULT_ICON_CLASS = 'icon-signin'
+
 
 class BaseProvider(object):
     """Abstract base class for third-party auth providers.
@@ -12,22 +16,96 @@ class BaseProvider(object):
     in the provider Registry.
     """
 
-    # String. Dot-delimited module.Class. The name of the backend
-    # implementation to load.
-    AUTHENTICATION_BACKEND = None
+    # Class. The provider's backing social.backends.base.BaseAuth child.
+    BACKEND_CLASS = None
+    # String. Name of the FontAwesome glyph to use for sign in buttons (or the
+    # name of a user-supplied custom glyph that is present at runtime).
+    ICON_CLASS = _DEFAULT_ICON_CLASS
     # String. User-facing name of the provider. Must be unique across all
-    # enabled providers.
+    # enabled providers. Will be presented in the UI.
     NAME = None
-
     # Dict of string -> object. Settings that will be merged into Django's
     # settings instance. In most cases the value will be None, since real
     # values are merged from .json files (foo.auth.json; foo.env.json) onto the
     # settings instance during application initialization.
     SETTINGS = {}
 
+    @classmethod
+    def get_authentication_backend(cls):
+        """Gets associated Django settings.AUTHENTICATION_BACKEND string."""
+        return '%s.%s' % (cls.BACKEND_CLASS.__module__, cls.BACKEND_CLASS.__name__)
+
+    @classmethod
+    def get_email(cls, unused_provider_details):
+        """Gets user's email address.
+
+        Provider responses can contain arbitrary data. This method can be
+        overridden to extract an email address from the provider details
+        extracted by the social_details pipeline step.
+
+        Args:
+            unused_provider_details: dict of string -> string. Data about the
+                user passed back by the provider.
+
+        Returns:
+            String or None. The user's email address, if any.
+        """
+        return None
+
+    @classmethod
+    def get_name(cls, unused_provider_details):
+        """Gets user's name.
+
+        Provider responses can contain arbitrary data. This method can be
+        overridden to extract a full name for a user from the provider details
+        extracted by the social_details pipeline step.
+
+        Args:
+            unused_provider_details: dict of string -> string. Data about the
+                user passed back by the provider.
+
+        Returns:
+            String or None. The user's full name, if any.
+        """
+        return None
+
+    @classmethod
+    def get_register_form_data(cls, pipeline_kwargs):
+        """Gets dict of data to display on the register form.
+
+        common.djangoapps.student.views.register_user uses this to populate the
+        new account creation form with values supplied by the user's chosen
+        provider, preventing duplicate data entry.
+
+        Args:
+            pipeline_kwargs: dict of string -> object. Keyword arguments
+                accumulated by the pipeline thus far.
+
+        Returns:
+            Dict of string -> string. Keys are names of form fields; values are
+            values for that field. Where there is no value, the empty string
+            must be used.
+        """
+        # Details about the user sent back from the provider.
+        details = pipeline_kwargs.get('details')
+
+        # Get the username separately to take advantage of the de-duping logic
+        # built into the pipeline. The provider cannot de-dupe because it can't
+        # check the state of taken usernames in our system. Note that there is
+        # technically a data race between the creation of this value and the
+        # creation of the user object, so it is still possible for users to get
+        # an error on submit.
+        suggested_username = pipeline_kwargs.get('username')
+
+        return {
+            'email': cls.get_email(details) or '',
+            'name': cls.get_name(details) or '',
+            'username': suggested_username,
+        }
+
     @classmethod
     def merge_onto(cls, settings):
-        """Merge class-level settings onto a django `settings` module."""
+        """Merge class-level settings onto a django settings module."""
         for key, value in cls.SETTINGS.iteritems():
             setattr(settings, key, value)
 
@@ -35,30 +113,41 @@ class BaseProvider(object):
 class GoogleOauth2(BaseProvider):
     """Provider for Google's Oauth2 auth system."""
 
-    AUTHENTICATION_BACKEND = 'social.backends.google.GoogleOAuth2'
+    BACKEND_CLASS = google.GoogleOAuth2
+    ICON_CLASS = 'icon-google-plus'
     NAME = 'Google'
     SETTINGS = {
         'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY': None,
         'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET': None,
     }
 
+    @classmethod
+    def get_email(cls, provider_details):
+        return provider_details.get('email')
+
+    @classmethod
+    def get_name(cls, provider_details):
+        return provider_details.get('fullname')
+
 
 class LinkedInOauth2(BaseProvider):
     """Provider for LinkedIn's Oauth2 auth system."""
 
-    AUTHENTICATION_BACKEND = 'social.backends.linkedin.LinkedinOAuth2'
+    BACKEND_CLASS = linkedin.LinkedinOAuth2
+    ICON_CLASS = 'icon-linkedin'
     NAME = 'LinkedIn'
     SETTINGS = {
         'SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY': None,
         'SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET': None,
     }
 
+    @classmethod
+    def get_email(cls, provider_details):
+        return provider_details.get('email')
 
-class MozillaPersona(BaseProvider):
-    """Provider for Mozilla's Persona auth system."""
-
-    AUTHENTICATION_BACKEND = 'social.backends.persona.PersonaAuth'
-    NAME = 'Mozilla Persona'
+    @classmethod
+    def get_name(cls, provider_details):
+        return provider_details.get('fullname')
 
 
 class Registry(object):
@@ -84,7 +173,7 @@ class Registry(object):
 
     @classmethod
     def _enable(cls, provider):
-        """Enables a single `provider`."""
+        """Enables a single provider."""
         if provider.NAME in cls._ENABLED:
             raise ValueError('Provider %s already enabled' % provider.NAME)
         cls._ENABLED[provider.NAME] = provider
@@ -93,10 +182,17 @@ class Registry(object):
     def configure_once(cls, provider_names):
         """Configures providers.
 
-        Takes `provider_names`, a list of string.
+        Args:
+            provider_names: list of string. The providers to configure.
+
+        Raises:
+            ValueError: if the registry has already been configured, or if any
+            of the passed provider_names does not have a corresponding
+            BaseProvider child implementation.
         """
         if cls._CONFIGURED:
             raise ValueError('Provider registry already configured')
+
         # Flip the bit eagerly -- configure() should not be re-callable if one
         # _enable call fails.
         cls._CONFIGURED = True
@@ -114,10 +210,27 @@ class Registry(object):
 
     @classmethod
     def get(cls, provider_name):
-        """Gets provider named `provider_name` string if enabled, else None."""
+        """Gets provider named provider_name string if enabled, else None."""
         cls._check_configured()
         return cls._ENABLED.get(provider_name)
 
+    @classmethod
+    def get_by_backend_name(cls, backend_name):
+        """Gets provider (or None) by backend name.
+
+        Args:
+            backend_name: string. The python-social-auth
+                backends.base.BaseAuth.name (for example, 'google-oauth2') to
+                try and get a provider for.
+
+        Raises:
+            RuntimeError: if the registry has not been configured.
+        """
+        cls._check_configured()
+        for enabled in cls._ENABLED.values():
+            if enabled.BACKEND_CLASS.name == backend_name:
+                return enabled
+
     @classmethod
     def _reset(cls):
         """Returns the registry to an unconfigured state; for tests only."""

common/djangoapps/third_party_auth/settings.py

@@ -46,8 +46,15 @@ If true, it:
 from . import provider
 
 
+_FIELDS_STORED_IN_SESSION = ['auth_entry']
+_MIDDLEWARE_CLASSES = (
+    'third_party_auth.middleware.ExceptionMiddleware',
+)
+_SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/dashboard'
+
+
 def _merge_auth_info(django_settings, auth_info):
-    """Merge `auth_info` dict onto `django_settings` module."""
+    """Merge auth_info dict onto django_settings module."""
     enabled_provider_names = []
     to_merge = []
 
@@ -66,39 +73,77 @@ def _merge_auth_info(django_settings, auth_info):
 
 def _set_global_settings(django_settings):
     """Set provider-independent settings."""
+
+    # Whitelisted URL query parameters retrained in the pipeline session.
+    # Params not in this whitelist will be silently dropped.
+    django_settings.FIELDS_STORED_IN_SESSION = _FIELDS_STORED_IN_SESSION
+
     # Register and configure python-social-auth with Django.
     django_settings.INSTALLED_APPS += (
         'social.apps.django_app.default',
         'third_party_auth',
     )
-    django_settings.TEMPLATE_CONTEXT_PROCESSORS += (
-        'social.apps.django_app.context_processors.backends',
-        'social.apps.django_app.context_processors.login_redirect',
-    )
+
+    # Inject exception middleware to make redirects fire.
+    django_settings.MIDDLEWARE_CLASSES += _MIDDLEWARE_CLASSES
+
+    # Where to send the user if there's an error during social authentication
+    # and we cannot send them to a more specific URL
+    # (see middleware.ExceptionMiddleware).
+    django_settings.SOCIAL_AUTH_LOGIN_ERROR_URL = '/'
+
+    # Where to send the user once social authentication is successful.
+    django_settings.SOCIAL_AUTH_LOGIN_REDIRECT_URL = _SOCIAL_AUTH_LOGIN_REDIRECT_URL
+
     # Inject our customized auth pipeline. All auth backends must work with
     # this pipeline.
     django_settings.SOCIAL_AUTH_PIPELINE = (
-        'third_party_auth.pipeline.step',
+        'third_party_auth.pipeline.parse_query_params',
+        'social.pipeline.social_auth.social_details',
+        'social.pipeline.social_auth.social_uid',
+        'social.pipeline.social_auth.auth_allowed',
+        'social.pipeline.social_auth.social_user',
+        'social.pipeline.user.get_username',
+        'third_party_auth.pipeline.redirect_to_supplementary_form',
+        'social.pipeline.user.create_user',
+        'social.pipeline.social_auth.associate_user',
+        'social.pipeline.social_auth.load_extra_data',
+        'social.pipeline.user.user_details',
+    )
+
+    # We let the user specify their email address during signup.
+    django_settings.SOCIAL_AUTH_PROTECTED_USER_FIELDS = ['email']
+
+    # Disable exceptions by default for prod so you get redirect behavior
+    # instead of a Django error page. During development you may want to
+    # enable this when you want to get stack traces rather than redirections.
+    django_settings.SOCIAL_AUTH_RAISE_EXCEPTIONS = False
+
+    # Context processors required under Django.
+    django_settings.SOCIAL_AUTH_UUID_LENGTH = 4
+    django_settings.TEMPLATE_CONTEXT_PROCESSORS += (
+        'social.apps.django_app.context_processors.backends',
+        'social.apps.django_app.context_processors.login_redirect',
     )
 
 
 def _set_provider_settings(django_settings, enabled_providers, auth_info):
-    """Set provider-specific settings."""
+    """Sets provider-specific settings."""
     # Must prepend here so we get called first.
     django_settings.AUTHENTICATION_BACKENDS = (
-        tuple(enabled_provider.AUTHENTICATION_BACKEND for enabled_provider in enabled_providers) +
+        tuple(enabled_provider.get_authentication_backend() for enabled_provider in enabled_providers) +
         django_settings.AUTHENTICATION_BACKENDS)
 
     # Merge settings from provider classes, and configure all placeholders.
     for enabled_provider in enabled_providers:
         enabled_provider.merge_onto(django_settings)
 
-    # Merge settings from <deployment>.auth.json.
+    # Merge settings from <deployment>.auth.json, overwriting placeholders.
     _merge_auth_info(django_settings, auth_info)
 
 
 def apply_settings(auth_info, django_settings):
-    """Apply settings from `auth_info` dict to `django_settings` module."""
+    """Applies settings from auth_info dict to django_settings module."""
     provider_names = auth_info.keys()
     provider.Registry.configure_once(provider_names)
     enabled_providers = provider.Registry.enabled()

common/djangoapps/third_party_auth/tests/specs/test_google.py

+"""Integration tests for Google providers."""
+
+from third_party_auth import provider
+from third_party_auth.tests.specs import base
+
+
+class GoogleOauth2IntegrationTest(base.Oauth2IntegrationTest):
+    """Integration tests for provider.GoogleOauth2."""
+
+    PROVIDER_CLASS = provider.GoogleOauth2
+    PROVIDER_SETTINGS = {
+        'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY': 'google_oauth2_key',
+        'SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET': 'google_oauth2_secret',
+    }
+    TOKEN_RESPONSE_DATA = {
+        'access_token': 'access_token_value',
+        'expires_in': 'expires_in_value',
+        'id_token': 'id_token_value',
+        'token_type': 'token_type_value',
+    }
+    USER_RESPONSE_DATA = {
+        'email': 'email_value@example.com',
+        'family_name': 'family_name_value',
+        'given_name': 'given_name_value',
+        'id': 'id_value',
+        'link': 'link_value',
+        'locale': 'locale_value',
+        'name': 'name_value',
+        'picture': 'picture_value',
+        'verified_email': 'verified_email_value',
+    }
+
+    def get_username(self):
+        return self.get_response_data().get('email').split('@')[0]

common/djangoapps/third_party_auth/tests/specs/test_linkedin.py

+"""Integration tests for LinkedIn providers."""
+
+from third_party_auth import provider
+from third_party_auth.tests.specs import base
+
+
+class LinkedInOauth2IntegrationTest(base.Oauth2IntegrationTest):
+    """Integration tests for provider.LinkedInOauth2."""
+
+    PROVIDER_CLASS = provider.LinkedInOauth2
+    PROVIDER_SETTINGS = {
+        'SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY': 'linkedin_oauth2_key',
+        'SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET': 'linkedin_oauth2_secret',
+    }
+    TOKEN_RESPONSE_DATA = {
+        'access_token': 'access_token_value',
+        'expires_in': 'expires_in_value',
+    }
+    USER_RESPONSE_DATA = {
+        'lastName': 'lastName_value',
+        'id': 'id_value',
+        'firstName': 'firstName_value',
+    }
+
+    def get_username(self):
+        response_data = self.get_response_data()
+        return response_data.get('firstName') + response_data.get('lastName')

common/djangoapps/third_party_auth/tests/test_pipeline.py

+"""Unit tests for third_party_auth/pipeline.py."""
+
+import random
+
+from third_party_auth import pipeline, provider
+from third_party_auth.tests import testutil
+
+
+# Allow tests access to protected methods (or module-protected methods) under
+# test. pylint: disable-msg=protected-access
+
+
+class MakeRandomPasswordTest(testutil.TestCase):
+    """Tests formation of random placeholder passwords."""
+
+    def setUp(self):
+        super(MakeRandomPasswordTest, self).setUp()
+        self.seed = 1
+
+    def test_default_args(self):
+        self.assertEqual(pipeline._DEFAULT_RANDOM_PASSWORD_LENGTH, len(pipeline.make_random_password()))
+
+    def test_probably_only_uses_charset(self):
+        # This is ultimately probablistic since we could randomly select a good character 100000 consecutive times.
+        for char in pipeline.make_random_password(length=100000):
+            self.assertIn(char, pipeline._PASSWORD_CHARSET)
+
+    def test_pseudorandomly_picks_chars_from_charset(self):
+        random_instance = random.Random(self.seed)
+        expected = ''.join(
+            random_instance.choice(pipeline._PASSWORD_CHARSET)
+            for _ in xrange(pipeline._DEFAULT_RANDOM_PASSWORD_LENGTH))
+        random_instance.seed(self.seed)
+        self.assertEqual(expected, pipeline.make_random_password(choice_fn=random_instance.choice))
+
+
+class ProviderUserStateTestCase(testutil.TestCase):
+    """Tests ProviderUserState behavior."""
+
+    def test_get_unlink_form_name(self):
+        state = pipeline.ProviderUserState(provider.GoogleOauth2, object(), False)
+        self.assertEqual(provider.GoogleOauth2.NAME + '_unlink_form', state.get_unlink_form_name())

common/djangoapps/third_party_auth/tests/test_pipeline_integration.py

+"""Integration tests for pipeline.py."""
+
+import unittest
+
+from django.conf import settings
+from django import test
+from django.contrib.auth import models
+
+from third_party_auth import pipeline, provider
+from third_party_auth.tests import testutil
+from social.apps.django_app.default import models as social_models
+
+
+# Get Django User model by reference from python-social-auth. Not a type
+# constant, pylint.
+User = social_models.DjangoStorage.user.user_model()  # pylint: disable-msg=invalid-name
+
+
+class TestCase(testutil.TestCase, test.TestCase):
+    """Base test case."""
+
+    def setUp(self):
+        super(TestCase, self).setUp()
+        self.enabled_provider_name = provider.GoogleOauth2.NAME
+        provider.Registry.configure_once([self.enabled_provider_name])
+        self.enabled_provider = provider.Registry.get(self.enabled_provider_name)
+
+
+@unittest.skipUnless(
+    testutil.AUTH_FEATURES_KEY in settings.FEATURES, testutil.AUTH_FEATURES_KEY + ' not in settings.FEATURES')
+class GetAuthenticatedUserTestCase(TestCase):
+    """Tests for get_authenticated_user."""
+
+    def setUp(self):
+        super(GetAuthenticatedUserTestCase, self).setUp()
+        self.user = social_models.DjangoStorage.user.create_user(username='username', password='password')
+
+    def get_by_username(self, username):
+        """Gets a User by username."""
+        return social_models.DjangoStorage.user.user_model().objects.get(username=username)
+
+    def test_raises_does_not_exist_if_user_missing(self):
+        with self.assertRaises(models.User.DoesNotExist):
+            pipeline.get_authenticated_user('new_' + self.user.username, 'backend')
+
+    def test_raises_does_not_exist_if_user_found_but_no_association(self):
+        backend_name = 'backend'
+
+        self.assertIsNotNone(self.get_by_username(self.user.username))
+        self.assertIsNone(provider.Registry.get_by_backend_name(backend_name))
+
+        with self.assertRaises(models.User.DoesNotExist):
+            pipeline.get_authenticated_user(self.user.username, 'backend')
+
+    def test_raises_does_not_exist_if_user_and_association_found_but_no_match(self):
+        self.assertIsNotNone(self.get_by_username(self.user.username))
+        social_models.DjangoStorage.user.create_social_auth(
+            self.user, 'uid', 'other_' + self.enabled_provider.BACKEND_CLASS.name)
+
+        with self.assertRaises(models.User.DoesNotExist):
+            pipeline.get_authenticated_user(self.user.username, self.enabled_provider.BACKEND_CLASS.name)
+
+    def test_returns_user_with_is_authenticated_and_backend_set_if_match(self):
+        social_models.DjangoStorage.user.create_social_auth(self.user, 'uid', self.enabled_provider.BACKEND_CLASS.name)
+        user = pipeline.get_authenticated_user(self.user.username, self.enabled_provider.BACKEND_CLASS.name)
+
+        self.assertEqual(self.user, user)
+        self.assertEqual(self.enabled_provider.get_authentication_backend(), user.backend)
+
+
+@unittest.skipUnless(
+    testutil.AUTH_FEATURES_KEY in settings.FEATURES, testutil.AUTH_FEATURES_KEY + ' not in settings.FEATURES')
+class GetProviderUserStatesTestCase(testutil.TestCase, test.TestCase):
+    """Tests generation of ProviderUserStates."""
+
+    def setUp(self):
+        super(GetProviderUserStatesTestCase, self).setUp()
+        self.user = social_models.DjangoStorage.user.create_user(username='username', password='password')
+
+    def test_returns_empty_list_if_no_enabled_providers(self):
+        provider.Registry.configure_once([])
+        self.assertEquals([], pipeline.get_provider_user_states(self.user))
+
+    def test_state_not_returned_for_disabled_provider(self):
+        disabled_provider = provider.GoogleOauth2
+        enabled_provider = provider.LinkedInOauth2
+        provider.Registry.configure_once([enabled_provider.NAME])
+        social_models.DjangoStorage.user.create_social_auth(self.user, 'uid', disabled_provider.BACKEND_CLASS.name)
+        states = pipeline.get_provider_user_states(self.user)
+
+        self.assertEqual(1, len(states))
+        self.assertNotIn(disabled_provider, (state.provider for state in states))
+
+    def test_states_for_enabled_providers_user_has_accounts_associated_with(self):
+        provider.Registry.configure_once([provider.GoogleOauth2.NAME, provider.LinkedInOauth2.NAME])
+        social_models.DjangoStorage.user.create_social_auth(self.user, 'uid', provider.GoogleOauth2.BACKEND_CLASS.name)
+        social_models.DjangoStorage.user.create_social_auth(
+            self.user, 'uid', provider.LinkedInOauth2.BACKEND_CLASS.name)
+        states = pipeline.get_provider_user_states(self.user)
+
+        self.assertEqual(2, len(states))
+
+        google_state = [state for state in states if state.provider == provider.GoogleOauth2][0]
+        linkedin_state = [state for state in states if state.provider == provider.LinkedInOauth2][0]
+
+        self.assertTrue(google_state.has_account)
+        self.assertEqual(provider.GoogleOauth2, google_state.provider)
+        self.assertEqual(self.user, google_state.user)
+
+        self.assertTrue(linkedin_state.has_account)
+        self.assertEqual(provider.LinkedInOauth2, linkedin_state.provider)
+        self.assertEqual(self.user, linkedin_state.user)
+
+    def test_states_for_enabled_providers_user_has_no_account_associated_with(self):
+        provider.Registry.configure_once([provider.GoogleOauth2.NAME, provider.LinkedInOauth2.NAME])
+        states = pipeline.get_provider_user_states(self.user)
+
+        self.assertEqual([], [x for x in social_models.DjangoStorage.user.objects.all()])
+        self.assertEqual(2, len(states))
+
+        google_state = [state for state in states if state.provider == provider.GoogleOauth2][0]
+        linkedin_state = [state for state in states if state.provider == provider.LinkedInOauth2][0]
+
+        self.assertFalse(google_state.has_account)
+        self.assertEqual(provider.GoogleOauth2, google_state.provider)
+        self.assertEqual(self.user, google_state.user)
+
+        self.assertFalse(linkedin_state.has_account)
+        self.assertEqual(provider.LinkedInOauth2, linkedin_state.provider)
+        self.assertEqual(self.user, linkedin_state.user)
+
+
+@unittest.skipUnless(
+    testutil.AUTH_FEATURES_KEY in settings.FEATURES, testutil.AUTH_FEATURES_KEY + ' not in settings.FEATURES')
+class UrlFormationTestCase(TestCase):
+    """Tests formation of URLs for pipeline hook points."""
+
+    def test_complete_url_raises_value_error_if_provider_not_enabled(self):
+        provider_name = 'not_enabled'
+
+        self.assertIsNone(provider.Registry.get(provider_name))
+
+        with self.assertRaises(ValueError):
+            pipeline.get_complete_url(provider_name)
+
+    def test_complete_url_returns_expected_format(self):
+        complete_url = pipeline.get_complete_url(self.enabled_provider.BACKEND_CLASS.name)
+
+        self.assertTrue(complete_url.startswith('/auth/complete'))
+        self.assertIn(self.enabled_provider.BACKEND_CLASS.name, complete_url)
+
+    def test_disconnect_url_raises_value_error_if_provider_not_enabled(self):
+        provider_name = 'not_enabled'
+
+        self.assertIsNone(provider.Registry.get(provider_name))
+
+        with self.assertRaises(ValueError):
+            pipeline.get_disconnect_url(provider_name)
+
+    def test_disconnect_url_returns_expected_format(self):
+        disconnect_url = pipeline.get_disconnect_url(self.enabled_provider.NAME)
+
+        self.assertTrue(disconnect_url.startswith('/auth/disconnect'))
+        self.assertIn(self.enabled_provider.BACKEND_CLASS.name, disconnect_url)
+
+    def test_login_url_raises_value_error_if_provider_not_enabled(self):
+        provider_name = 'not_enabled'
+
+        self.assertIsNone(provider.Registry.get(provider_name))
+
+        with self.assertRaises(ValueError):
+            pipeline.get_login_url(provider_name, pipeline.AUTH_ENTRY_LOGIN)
+
+    def test_login_url_returns_expected_format(self):
+        login_url = pipeline.get_login_url(self.enabled_provider.NAME, pipeline.AUTH_ENTRY_LOGIN)
+
+        self.assertTrue(login_url.startswith('/auth/login'))
+        self.assertIn(self.enabled_provider.BACKEND_CLASS.name, login_url)
+        self.assertTrue(login_url.endswith(pipeline.AUTH_ENTRY_LOGIN))

common/djangoapps/third_party_auth/tests/test_provider.py

-"""
-Test configuration of providers.
-"""
+"""Unit tests for provider.py."""
 
 from third_party_auth import provider
 from third_party_auth.tests import testutil
@@ -10,8 +8,7 @@ class RegistryTest(testutil.TestCase):
     """Tests registry discovery and operation."""
 
     # Allow access to protected methods (or module-protected methods) under
-    # test.
-    # pylint: disable-msg=protected-access
+    # test. pylint: disable-msg=protected-access
 
     def test_calling_configure_once_twice_raises_value_error(self):
         provider.Registry.configure_once([provider.GoogleOauth2.NAME])
@@ -68,4 +65,18 @@ class RegistryTest(testutil.TestCase):
 
     def test_get_returns_none_if_provider_not_enabled(self):
         provider.Registry.configure_once([])
-        self.assertIsNone(provider.Registry.get(provider.MozillaPersona.NAME))
+        self.assertIsNone(provider.Registry.get(provider.LinkedInOauth2.NAME))
+
+    def test_get_by_backend_name_raises_runtime_error_if_not_configured(self):
+        with self.assertRaisesRegexp(RuntimeError, '^.*not configured$'):
+            provider.Registry.get_by_backend_name('')
+
+    def test_get_by_backend_name_returns_enabled_provider(self):
+        provider.Registry.configure_once([provider.GoogleOauth2.NAME])
+        self.assertIs(
+            provider.GoogleOauth2,
+            provider.Registry.get_by_backend_name(provider.GoogleOauth2.BACKEND_CLASS.name))
+
+    def test_get_by_backend_name_returns_none_if_provider_not_enabled(self):
+        provider.Registry.configure_once([])
+        self.assertIsNone(provider.Registry.get_by_backend_name(provider.GoogleOauth2.BACKEND_CLASS.name))

common/djangoapps/third_party_auth/tests/test_settings.py

-"""
-Unit tests for settings code.
-"""
+"""Unit tests for settings.py."""
 
-from third_party_auth import provider
-from third_party_auth import settings
+from third_party_auth import provider, settings
 from third_party_auth.tests import testutil
 
 
 _ORIGINAL_AUTHENTICATION_BACKENDS = ('first_authentication_backend',)
 _ORIGINAL_INSTALLED_APPS = ('first_installed_app',)
+_ORIGINAL_MIDDLEWARE_CLASSES = ('first_middleware_class',)
 _ORIGINAL_TEMPLATE_CONTEXT_PROCESSORS = ('first_template_context_preprocessor',)
 _SETTINGS_MAP = {
     'AUTHENTICATION_BACKENDS': _ORIGINAL_AUTHENTICATION_BACKENDS,
     'INSTALLED_APPS': _ORIGINAL_INSTALLED_APPS,
+    'MIDDLEWARE_CLASSES': _ORIGINAL_MIDDLEWARE_CLASSES,
     'TEMPLATE_CONTEXT_PROCESSORS': _ORIGINAL_TEMPLATE_CONTEXT_PROCESSORS,
 }
 
@@ -20,6 +19,8 @@ _SETTINGS_MAP = {
 class SettingsUnitTest(testutil.TestCase):
     """Unit tests for settings management code."""
 
+    # Allow access to protected methods (or module-protected methods) under
+    # test. pylint: disable-msg=protected-access
     # Suppress sprurious no-member warning on fakes.
     # pylint: disable-msg=no-member
 
@@ -27,6 +28,15 @@ class SettingsUnitTest(testutil.TestCase):
         super(SettingsUnitTest, self).setUp()
         self.settings = testutil.FakeDjangoSettings(_SETTINGS_MAP)
 
+    def test_apply_settings_adds_exception_middleware(self):
+        settings.apply_settings({}, self.settings)
+        for middleware_name in settings._MIDDLEWARE_CLASSES:
+            self.assertIn(middleware_name, self.settings.MIDDLEWARE_CLASSES)
+
+    def test_apply_settings_adds_fields_stored_in_session(self):
+        settings.apply_settings({}, self.settings)
+        self.assertEqual(settings._FIELDS_STORED_IN_SESSION, self.settings.FIELDS_STORED_IN_SESSION)
+
     def test_apply_settings_adds_third_party_auth_to_installed_apps(self):
         settings.apply_settings({}, self.settings)
         self.assertIn('third_party_auth', self.settings.INSTALLED_APPS)
@@ -50,9 +60,9 @@ class SettingsUnitTest(testutil.TestCase):
 
     def test_apply_settings_prepends_auth_backends(self):
         self.assertEqual(_ORIGINAL_AUTHENTICATION_BACKENDS, self.settings.AUTHENTICATION_BACKENDS)
-        settings.apply_settings({provider.GoogleOauth2.NAME: {}, provider.MozillaPersona.NAME: {}}, self.settings)
+        settings.apply_settings({provider.GoogleOauth2.NAME: {}, provider.LinkedInOauth2.NAME: {}}, self.settings)
         self.assertEqual((
-            provider.GoogleOauth2.AUTHENTICATION_BACKEND, provider.MozillaPersona.AUTHENTICATION_BACKEND) +
+            provider.GoogleOauth2.get_authentication_backend(), provider.LinkedInOauth2.get_authentication_backend()) +
             _ORIGINAL_AUTHENTICATION_BACKENDS,
             self.settings.AUTHENTICATION_BACKENDS)
 
@@ -66,3 +76,9 @@ class SettingsUnitTest(testutil.TestCase):
         }
         with self.assertRaisesRegexp(ValueError, '^.*not initialized$'):
             settings.apply_settings(auth_info, self.settings)
+
+    def test_apply_settings_turns_off_raising_social_exceptions(self):
+        # Guard against submitting a conf change that's convenient in dev but
+        # bad in prod.
+        settings.apply_settings({}, self.settings)
+        self.assertFalse(self.settings.SOCIAL_AUTH_RAISE_EXCEPTIONS)

common/djangoapps/third_party_auth/tests/test_settings_integration.py

-"""
-Integration tests for settings code.
-"""
-
-import mock
-import unittest
+"""Integration tests for settings.py."""
 
 from django.conf import settings
 
@@ -11,29 +6,22 @@ from third_party_auth import provider
 from third_party_auth import settings as auth_settings
 from third_party_auth.tests import testutil
 
-_AUTH_FEATURES_KEY = 'ENABLE_THIRD_PARTY_AUTH'
-
 
 class SettingsIntegrationTest(testutil.TestCase):
-    """Integration tests of auth settings pipeline."""
+    """Integration tests of auth settings pipeline.
 
-    @unittest.skipUnless(_AUTH_FEATURES_KEY in settings.FEATURES, _AUTH_FEATURES_KEY + ' not in settings.FEATURES')
-    def test_enable_third_party_auth_is_disabled_by_default(self):
-        self.assertIs(False, settings.FEATURES.get(_AUTH_FEATURES_KEY))
+    Note that ENABLE_THIRD_PARTY_AUTH is True in lms/envs/test.py and False in
+    cms/envs/test.py. This implicitly gives us coverage of the full settings
+    mechanism with both values, so we do not have explicit test methods as they
+    are superfluous.
+    """
 
-    @mock.patch.dict(settings.FEATURES, {'ENABLE_THIRD_PARTY_AUTH': True})
     def test_can_enable_google_oauth2(self):
         auth_settings.apply_settings({'Google': {'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY': 'google_key'}}, settings)
         self.assertEqual([provider.GoogleOauth2], provider.Registry.enabled())
         self.assertEqual('google_key', settings.SOCIAL_AUTH_GOOGLE_OAUTH2_KEY)
 
-    @mock.patch.dict(settings.FEATURES, {'ENABLE_THIRD_PARTY_AUTH': True})
     def test_can_enable_linkedin_oauth2(self):
         auth_settings.apply_settings({'LinkedIn': {'SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY': 'linkedin_key'}}, settings)
         self.assertEqual([provider.LinkedInOauth2], provider.Registry.enabled())
         self.assertEqual('linkedin_key', settings.SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY)
-
-    @mock.patch.dict(settings.FEATURES, {'ENABLE_THIRD_PARTY_ATUH': True})
-    def test_can_enable_mozilla_persona(self):
-        auth_settings.apply_settings({'Mozilla Persona': {}}, settings)
-        self.assertEqual([provider.MozillaPersona], provider.Registry.enabled())

common/djangoapps/third_party_auth/tests/testutil.py

@@ -9,11 +9,14 @@ import unittest
 from third_party_auth import provider
 
 
+AUTH_FEATURES_KEY = 'ENABLE_THIRD_PARTY_AUTH'
+
+
 class FakeDjangoSettings(object):
     """A fake for Django settings."""
 
     def __init__(self, mappings):
-        """Initializes the fake from `mappings`, a dict."""
+        """Initializes the fake from mappings dict."""
         for key, value in mappings.iteritems():
             setattr(self, key, value)
 

common/djangoapps/third_party_auth/urls.py

@@ -2,6 +2,8 @@
 
 from django.conf.urls import include, patterns, url
 
+
 urlpatterns = patterns(
-    '', url(r'^auth/', include('social.apps.django_app.urls', namespace='social')),
+    '',
+    url(r'^auth/', include('social.apps.django_app.urls', namespace='social')),
 )

lms/envs/test.py

@@ -180,6 +180,9 @@ SECRET_KEY = '85920908f28904ed733fe576320db18cabd7b6cd'
 # hide ratelimit warnings while running tests
 filterwarnings('ignore', message='No request passed to the backend, unable to rate-limit')
 
+######### Third-party auth ##########
+FEATURES['ENABLE_THIRD_PARTY_AUTH'] = True
+
 ################################## OPENID #####################################
 FEATURES['AUTH_USE_OPENID'] = True
 FEATURES['AUTH_USE_OPENID_PROVIDER'] = True

lms/static/sass/multicourse/_account.scss

@@ -450,6 +450,20 @@
     }
   }
 
+  // forms - third-party auth
+  .form-third-party-auth {
+    margin-bottom: $baseline;
+
+    button {
+      margin-right: $baseline;
+
+      .icon {
+        color: inherit;
+        margin-right: $baseline/2;
+      }
+    }
+  }
+
   // forms - messages/status
   .status {
     @include box-sizing(border-box);

lms/static/sass/multicourse/_dashboard.scss

@@ -130,6 +130,23 @@
             white-space: nowrap;
             text-overflow: ellipsis;
             overflow: hidden;
+
+            .third-party-auth {
+              color: inherit;
+              font-weight: inherit;
+
+              .control {
+                float: right;
+              }
+
+              .icon {
+                margin-top: 4px;
+              }
+
+              .provider {
+                display: inline;
+              }
+            }
           }
         }
       }