From f2d052bff8bb57ead5ef1e840a458ec79fc6acd5 Mon Sep 17 00:00:00 2001
From: Mateusz Mandera <mateusz.mandera@zulip.com>
Date: Mon, 25 May 2020 13:48:28 +0200
Subject: [PATCH] tests: Flush session before a simulated cross-domain POST in
 saml tests.

This is important, because lack of this meant that the POST request in
our tests still had the old session, with various params stored in it.
This mechanism doesn't work in reality in SAML, so the backend uses
redis to store and recover the params from redis. Without flushing the
session, these tests would fail to catch some breakages in the
redis-based mechanism.
---
 zerver/tests/test_auth_backends.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py
index e1d751abd2..91b74249b9 100644
--- a/zerver/tests/test_auth_backends.py
+++ b/zerver/tests/test_auth_backends.py
@@ -1437,6 +1437,10 @@ class SAMLAuthBackendTest(SocialAuthBase):
         # a perfectly valid SAMLResponse for the purpose of these tests would be too complex,
         # and we simply use one loaded from a fixture file.
         with mock.patch.object(OneLogin_Saml2_Response, 'is_valid', return_value=True):
+            # We are simulating a cross-domain POST request here. Session is a Lax cookie, meaning
+            # it won't be sent by the browser in this request. To simulate that effect with the django
+            # test client, we flush the session before the request.
+            self.client.session.flush()
             result = self.client_post(self.AUTH_FINISH_URL, post_params, **headers)
 
         return result