0002-idp_oidc-add-more-freedom-for-matching-redirect_uri-.patch

Benjamin Dauvergne, 21 juin 2019 19:51

Voir les différences: en ligne côte à côte

Subject: [PATCH 2/2] idp_oidc: add more freedom for matching redirect_uri
 (#33516)

 src/authentic2_idp_oidc/models.py | 27 +++++++++++++++++++++++++
 src/authentic2_idp_oidc/views.py  |  2 +-
 tests/test_idp_oidc.py            | 33 +++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)

     import uuid
     from importlib import import_module
     from django.db import models
     from django.core.validators import URLValidator
     from django.core.exceptions import ValidationError, ImproperlyConfigured
-...
     from django.conf import settings
     from django.utils import six
     from django.utils.timezone import now
     from django.utils.six.moves.urllib import parse as urlparse
     from django.contrib.contenttypes.fields import GenericForeignKey, GenericRelation
     from authentic2.a2_rbac.models import OrganizationalUnit
-...
         def get_wanted_attributes(self):
             return self.oidcclaim_set.filter(name__isnull=False).values_list('value', flat=True)
         def is_valid_redirect_uri(self, redirect_uri):
             parsed_uri = urlparse.urlparse(redirect_uri)
             for valid_redirect_uri in self.redirect_uris.split():
                 parsed_valid_uri = urlparse.urlparse(valid_redirect_uri)
                 if parsed_uri.scheme != parsed_valid_uri.scheme:
                     continue
                 if parsed_valid_uri.netloc.startswith('*'):
                     # globing on the left
                     netloc = parsed_valid_uri.netloc.lstrip('*')
                     if (parsed_uri.netloc != netloc
                             and not parsed_uri.netloc.endswith('.' + netloc)):
                         continue
                 elif parsed_uri.netloc != parsed_valid_uri.netloc:
                     continue
                 if parsed_valid_uri.path.endswith('*'):
                     path = parsed_valid_uri.path.rstrip('*').rstrip('/')
                     if (parsed_uri.path.rstrip('/') != path
                             and not parsed_uri.path.startswith(path + '/')):
                         continue
                 else:
                     if parsed_uri.path.rstrip('/') != parsed_valid_uri.path.rstrip('/'):
                         continue
                 return True
             return False
         def __repr__(self):
             return ('<OIDCClient name:%r client_id:%r identifier_policy:%r>' %
                     (self.name, self.client_id, self.get_identifier_policy_display()))

                            redirect_uri, client_id)
             return redirect(request, 'auth_homepage')
         if redirect_uri not in client.redirect_uris.split():
         if not client.is_valid_redirect_uri(redirect_uri):
             messages.warning(request, _('Authorization request is invalid'))
             logger.warning(u'idp_oidc: authorization request error, unknown redirect_uri redirect_uri=%r client_id=%r',
                            redirect_uri, client_id)

         assert 'preferred_username' not in user_info
         assert 'given_name' not in user_info
         assert 'family_name' not in user_info
     def test_client_is_valid_redirect_uri():
         client = OIDCClient(redirect_uris='''http://example.com
     http://example2.com/
     http://example3.com/toto
     http://*example4.com/
     http://example5.com/toto*
     ''')
         assert client.is_valid_redirect_uri('http://example.com')
         assert client.is_valid_redirect_uri('http://example.com/')
         assert not client.is_valid_redirect_uri('http://coin.example.com/')
         assert not client.is_valid_redirect_uri('http://example.com/toto/')
         assert not client.is_valid_redirect_uri('http://coin.example.com')
         assert client.is_valid_redirect_uri('http://example2.com')
         assert client.is_valid_redirect_uri('http://example2.com/')
         assert not client.is_valid_redirect_uri('http://example3.com/')
         assert not client.is_valid_redirect_uri('http://example3.com')
         assert client.is_valid_redirect_uri('http://example3.com/toto')
         assert client.is_valid_redirect_uri('http://example3.com/toto/')
         assert client.is_valid_redirect_uri('http://example4.com/')
         assert client.is_valid_redirect_uri('http://example4.com')
         assert client.is_valid_redirect_uri('http://coin.example4.com')
         assert client.is_valid_redirect_uri('http://coin.example4.com/')
         assert not client.is_valid_redirect_uri('http://coinexample4.com')
         assert not client.is_valid_redirect_uri('http://coinexample4.com/')
         assert client.is_valid_redirect_uri('http://example5.com/toto')
         assert client.is_valid_redirect_uri('http://example5.com/toto/')
         assert client.is_valid_redirect_uri('http://example5.com/toto/tata')
         assert client.is_valid_redirect_uri('http://example5.com/toto/tata/')
         assert not client.is_valid_redirect_uri('http://example5.com/tototata/')
         assert not client.is_valid_redirect_uri('http://example5.com/tototata')
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0002-idp_oidc-add-more-freedom-for-matching-redirect_uri-.patch