0002-idp_oidc-never-use-an-invalid-redirect_uri-fixes-280.patch

Benjamin Dauvergne, 15 novembre 2018 09:44

Voir les différences: en ligne côte à côte

Subject: [PATCH 2/2] idp_oidc: never use an invalid redirect_uri (fixes
 #28029)

Check of "redirect_uri" move earlier during authorization request
processing. For any redirect_uri check failure errors are only shown to
the end user and redirect_uri is never used to redirect to the
requesting RP.

 src/authentic2_idp_oidc/views.py | 22 +++++++++------
 tests/test_idp_oidc.py           | 46 +++++++++++++++++++-------------
 2 files changed, 41 insertions(+), 27 deletions(-)

             client_id = request.GET['client_id']
             redirect_uri = request.GET['redirect_uri']
         except KeyError as k:
             return HttpResponseBadRequest('invalid request: missing parameter %s' % k.args[0],
                                           content_type='text/plain')
             messages.warning(request, _('Authorization request is invalid'))
             logger.warning(u'idp_oidc: authorization request error, missing %s', k.args[0])
             return redirect(request, 'auth_homepage')
         try:
             client = models.OIDCClient.objects.get(client_id=client_id)
         except models.OIDCClient.DoesNotExist:
             return HttpResponseBadRequest('invalid request: unknown client_id', content_type='text/plain')
             messages.warning(request, _('Authorization request is invalid'))
             logger.warning(u'idp_oidc: authorization request error, unknown client_id redirect_uri=%r client_id=%r',
                            redirect_uri, client_id)
             return redirect(request, 'auth_homepage')
         if redirect_uri not in client.redirect_uris.split():
             messages.warning(request, _('Authorization request is invalid'))
             logger.warning(u'idp_oidc: authorization request error, unknown redirect_uri redirect_uri=%r client_id=%r',
                            redirect_uri, client_id)
             return redirect(request, 'auth_homepage')
         fragment = client.authorization_flow == client.FLOW_IMPLICIT
         state = request.GET.get('state')
-...
                                            state=state,
                                            fragment=fragment)
         if redirect_uri not in client.redirect_uris.split():
             return authorization_error(request, redirect_uri, 'invalid_request',
                                        error_description='unauthorized redirect_uri',
                                        state=state,
                                        fragment=fragment)
         if client.authorization_flow == client.FLOW_AUTHORIZATION_CODE:
             if response_type != 'code':
                 return authorization_error(request, redirect_uri, 'unsupported_response_type',

         else:
             raise NotImplementedError
         # client_id
         # missing client_id
         authorize_url = make_url('oidc-authorize', params={})
         response = app.get(authorize_url, status=400)
         assert 'missing parameter \'client_id\'' in response.content
         response = app.get(authorize_url, status=302)
         assert urlparse.urlparse(response['Location']).path  == '/'
         response = response.maybe_follow()
         assert 'Authorization request is invalid' in response
         # redirect_uri
         # missing redirect_uri
         authorize_url = make_url('oidc-authorize', params={
             'client_id': oidc_client.client_id,
         })
         response = app.get(authorize_url, status=400)
         assert 'missing parameter \'redirect_uri\'' in response.content
         response = app.get(authorize_url, status=302)
         assert urlparse.urlparse(response['Location']).path == '/'
         response = response.maybe_follow()
         assert 'Authorization request is invalid' in response
         # invalid client_id
         authorize_url = make_url('oidc-authorize', params={
-...
             'redirect_uri': redirect_uri,
         })
         response = app.get(authorize_url, status=400)
         assert 'unknown client_id' in response.content
         response = app.get(authorize_url, status=302)
         assert urlparse.urlparse(response['Location']).path == '/'
         response = response.maybe_follow()
         assert 'Authorization request is invalid' in response
         # invalid redirect_uri
         authorize_url = make_url('oidc-authorize', params={
             'client_id': oidc_client.client_id,
             'redirect_uri': 'xxx',
             'response_type': 'code',
             'scope': 'openid',
         })
         response = app.get(authorize_url, status=302)
         assert urlparse.urlparse(response['Location']).path == '/'
         response = response.maybe_follow()
         assert 'Authorization request is invalid' in response
         # missing response_type
         authorize_url = make_url('oidc-authorize', params={
-...
         response = app.get(authorize_url)
         assert_oidc_error(response, 'invalid_request', 'max_age is not', fragment=fragment)
         # invalid redirect_uri
         authorize_url = make_url('oidc-authorize', params={
             'client_id': oidc_client.client_id,
             'redirect_uri': 'xxx',
             'response_type': 'code',
             'scope': 'openid',
         })
         response = app.get(authorize_url)
         assert_oidc_error(response, 'invalid_request', 'unauthorized redirect_uri', fragment=fragment)
         # unsupported response_type
         authorize_url = make_url('oidc-authorize', params={
             'client_id': oidc_client.client_id,
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0002-idp_oidc-never-use-an-invalid-redirect_uri-fixes-280.patch