0002-idp_oidc-add-more-freedom-for-matching-redirect_uri-.patch
src/authentic2_idp_oidc/models.py | ||
---|---|---|
17 | 17 |
import uuid |
18 | 18 |
from importlib import import_module |
19 | 19 | |
20 | ||
20 | 21 |
from django.db import models |
21 | 22 |
from django.core.validators import URLValidator |
22 | 23 |
from django.core.exceptions import ValidationError, ImproperlyConfigured |
... | ... | |
24 | 25 |
from django.conf import settings |
25 | 26 |
from django.utils import six |
26 | 27 |
from django.utils.timezone import now |
28 |
from django.utils.six.moves.urllib import parse as urlparse |
|
27 | 29 |
from django.contrib.contenttypes.fields import GenericForeignKey, GenericRelation |
28 | 30 | |
29 | 31 |
from authentic2.a2_rbac.models import OrganizationalUnit |
... | ... | |
171 | 173 |
def get_wanted_attributes(self): |
172 | 174 |
return self.oidcclaim_set.filter(name__isnull=False).values_list('value', flat=True) |
173 | 175 | |
176 |
def is_valid_redirect_uri(self, redirect_uri): |
|
177 |
parsed_uri = urlparse.urlparse(redirect_uri) |
|
178 |
for valid_redirect_uri in self.redirect_uris.split(): |
|
179 |
parsed_valid_uri = urlparse.urlparse(valid_redirect_uri) |
|
180 |
if parsed_uri.scheme != parsed_valid_uri.scheme: |
|
181 |
continue |
|
182 |
if parsed_valid_uri.netloc.startswith('*'): |
|
183 |
# globing on the left |
|
184 |
netloc = parsed_valid_uri.netloc.lstrip('*') |
|
185 |
if (parsed_uri.netloc != netloc |
|
186 |
and not parsed_uri.netloc.endswith('.' + netloc)): |
|
187 |
continue |
|
188 |
elif parsed_uri.netloc != parsed_valid_uri.netloc: |
|
189 |
continue |
|
190 |
if parsed_valid_uri.path.endswith('*'): |
|
191 |
path = parsed_valid_uri.path.rstrip('*').rstrip('/') |
|
192 |
if (parsed_uri.path.rstrip('/') != path |
|
193 |
and not parsed_uri.path.startswith(path + '/')): |
|
194 |
continue |
|
195 |
else: |
|
196 |
if parsed_uri.path.rstrip('/') != parsed_valid_uri.path.rstrip('/'): |
|
197 |
continue |
|
198 |
return True |
|
199 |
return False |
|
200 | ||
174 | 201 |
def __repr__(self): |
175 | 202 |
return ('<OIDCClient name:%r client_id:%r identifier_policy:%r>' % |
176 | 203 |
(self.name, self.client_id, self.get_identifier_policy_display())) |
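Review bot: The path-prefix branch of `is_valid_redirect_uri` (the `parsed_valid_uri.path.endswith('*')` case) accepts dot segments: with `http://example5.com/toto*` registered, a request carrying `redirect_uri=http://example5.com/toto/../admin` passes `startswith(path + '/')` because `urlparse` does not normalise `.`/`..`, yet the browser resolves it outside the allowed prefix, so the authorization code can be sent to any path on that host. Reject such segments before matching, e.g. right after `parsed_uri = urlparse.urlparse(redirect_uri)` add `if any(seg in ('.', '..') for seg in parsed_uri.path.split('/')): return False`. Query and fragment are never compared either, which is a deliberate loosening of the exact-match rule of OpenID Connect Core 3.1.2.1 and deserves a one-line comment saying so (and why the trailing-slash `rstrip('/')` equivalence is considered safe). Separately, the netloc glob only works when spelled `*example4.com`: `lstrip('*')` on `*.example4.com` leaves `.example4.com`, so the test becomes `endswith('..example4.com')` and the natural `*.example.com` form silently matches nothing; either also strip a leading `*.` or document the accepted syntax on the `redirect_uris` field.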
src/authentic2_idp_oidc/views.py | ||
---|---|---|
115 | 115 |
redirect_uri, client_id) |
116 | 116 |
return redirect(request, 'auth_homepage') |
117 | 117 | |
118 |
if redirect_uri not in client.redirect_uris.split():
|
|
118 |
if not client.is_valid_redirect_uri(redirect_uri):
|
|
119 | 119 |
messages.warning(request, _('Authorization request is invalid')) |
120 | 120 |
logger.warning(u'idp_oidc: authorization request error, unknown redirect_uri redirect_uri=%r client_id=%r', |
121 | 121 |
redirect_uri, client_id) |
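Review bot: `client.is_valid_redirect_uri(redirect_uri)` now runs `urlparse` on the request value, so if `redirect_uri` can still be `None` at this point (the guard above the hunk is not visible, so this is inferred from the `%r` in the log line) the new check raises an `AttributeError` where the old `in client.redirect_uris.split()` simply evaluated false and fell through to the warning. Keeping the previous failure mode is a one-line change, `if not redirect_uri or not client.is_valid_redirect_uri(redirect_uri):`. The enclosing view function starts and ends outside the hunk.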
tests/test_idp_oidc.py | ||
---|---|---|
1100 | 1100 |
assert 'preferred_username' not in user_info |
1101 | 1101 |
assert 'given_name' not in user_info |
1102 | 1102 |
assert 'family_name' not in user_info |
1103 | ||
1104 | ||
1105 |
def test_client_is_valid_redirect_uri(): |
|
1106 |
client = OIDCClient(redirect_uris='''http://example.com |
|
1107 |
http://example2.com/ |
|
1108 |
http://example3.com/toto |
|
1109 |
http://*example4.com/ |
|
1110 |
http://example5.com/toto* |
|
1111 |
''') |
|
1112 |
assert client.is_valid_redirect_uri('http://example.com') |
|
1113 |
assert client.is_valid_redirect_uri('http://example.com/') |
|
1114 |
assert not client.is_valid_redirect_uri('http://coin.example.com/') |
|
1115 |
assert not client.is_valid_redirect_uri('http://example.com/toto/') |
|
1116 |
assert not client.is_valid_redirect_uri('http://coin.example.com') |
|
1117 |
assert client.is_valid_redirect_uri('http://example2.com') |
|
1118 |
assert client.is_valid_redirect_uri('http://example2.com/') |
|
1119 |
assert not client.is_valid_redirect_uri('http://example3.com/') |
|
1120 |
assert not client.is_valid_redirect_uri('http://example3.com') |
|
1121 |
assert client.is_valid_redirect_uri('http://example3.com/toto') |
|
1122 |
assert client.is_valid_redirect_uri('http://example3.com/toto/') |
|
1123 |
assert client.is_valid_redirect_uri('http://example4.com/') |
|
1124 |
assert client.is_valid_redirect_uri('http://example4.com') |
|
1125 |
assert client.is_valid_redirect_uri('http://coin.example4.com') |
|
1126 |
assert client.is_valid_redirect_uri('http://coin.example4.com/') |
|
1127 |
assert not client.is_valid_redirect_uri('http://coinexample4.com') |
|
1128 |
assert not client.is_valid_redirect_uri('http://coinexample4.com/') |
|
1129 |
assert client.is_valid_redirect_uri('http://example5.com/toto') |
|
1130 |
assert client.is_valid_redirect_uri('http://example5.com/toto/') |
|
1131 |
assert client.is_valid_redirect_uri('http://example5.com/toto/tata') |
|
1132 |
assert client.is_valid_redirect_uri('http://example5.com/toto/tata/') |
|
1133 |
assert not client.is_valid_redirect_uri('http://example5.com/tototata/') |
|
1134 |
assert not client.is_valid_redirect_uri('http://example5.com/tototata') |
|
1135 | ||
1103 |
- |
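Review bot: `test_client_is_valid_redirect_uri` only exercises the intended shape of each pattern; the inputs an attacker would actually send against a path-prefix or netloc glob are not covered — no dot-segment escape, no query string or fragment on an otherwise exact URI, no port or userinfo in the netloc, and no `*.example4.com` spelling of the glob. Add at least `assert not client.is_valid_redirect_uri('http://example5.com/toto/../tata')`, `assert not client.is_valid_redirect_uri('http://example.com:8080')` and `assert not client.is_valid_redirect_uri('http://evil.com@example.com')`; the last two pin the current rejection, while the first fails against the matcher as written (it accepts the `..` segment) and so documents the behaviour the matcher should have. A case for `http://example.com/?next=x` should also state explicitly whether ignoring the query part is intended, since the matcher currently accepts it.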