0001-saml2-only-allow-local-URLs-as-redirections-43279.patch
tests/test_saml_auth.py | ||
18 | 18 |
from wcs.qommon.saml2 import Saml2Directory |
19 | 19 |
from wcs.qommon.ident.idp import MethodAdminDirectory, AdminIDPDir |
20 | 20 |
from wcs.qommon import sessions, x509utils |
21 |
from wcs.qommon.errors import RequestError |
|
21 | 22 |
from wcs.roles import Role |
22 | 23 | |
23 | 24 |
from utilities import get_app, create_temporary_pub, clean_temporary_pub |
... | ... | |
303 | 304 | |
304 | 305 |
def test_assertion_consumer_full_url_redirect_after_url(pub): |
305 | 306 |
req = get_assertion_consumer_request(pub) |
306 |
req.form['RelayState'] = 'http://example.org/foobar/?test=ok'
|
|
307 |
req.form['RelayState'] = 'http://example.net/foobar/?test=ok'
|
|
307 | 308 |
saml2 = Saml2Directory() |
308 | 309 |
saml_response_body = req.form['SAMLResponse'] |
309 | 310 |
body = saml2.assertionConsumerPost() |
310 | 311 |
assert req.response.status_code == 303 |
311 |
assert req.response.headers['location'] == 'http://example.org/foobar/?test=ok' |
|
312 |
assert req.response.headers['location'] == 'http://example.net/foobar/?test=ok' |
|
313 | ||
314 | ||
315 |
def test_assertion_consumer_external_url_redirect_after_url(pub): |
|
316 |
req = get_assertion_consumer_request(pub) |
|
317 |
req.form['RelayState'] = 'http://example.org/foobar/?test=ok' |
|
318 |
saml2 = Saml2Directory() |
|
319 |
saml_response_body = req.form['SAMLResponse'] |
|
320 |
with pytest.raises(RequestError): |
|
321 |
body = saml2.assertionConsumerPost() |
|
312 | 322 | |
313 | 323 | |
314 | 324 |
def test_saml_login_page(pub): |
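Review bot: The added test test_assertion_consumer_external_url_redirect_after_url (new lines 315–321) only covers a host that is entirely unrelated to the allowed front/backoffice URL; since the guard it exercises in saml2.py is a string-prefix comparison, a RelayState whose hostname merely extends the allowed hostname, and one that differs from it only in letter case, would pin down where the boundary is meant to be. The `body =` and `saml_response_body =` assignments in the new test are never read and can be dropped; `saml2.assertionConsumerPost()` on its own inside the `with pytest.raises(RequestError):` block is enough. I cannot tell from this hunk whether pytest is already imported by the module, so that import may need adding alongside the new RequestError import on line 21.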
wcs/qommon/saml2.py | ||
355 | 355 |
netloc = parsed_url.netloc or request.get_server() |
356 | 356 |
after_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query, |
357 | 357 |
parsed_url.fragment)) |
358 |
if not (after_url.startswith(get_publisher().get_backoffice_url()) or |
|
359 |
after_url.startswith(get_publisher().get_frontoffice_url())): |
|
360 |
raise errors.RequestError() |
|
358 | 361 |
else: |
359 | 362 |
after_url = get_publisher().get_frontoffice_url() |
360 | 363 |
response.set_status(303) |
361 |
- |
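Review bot: The new guard on lines 358–359 accepts any RelayState whose string starts with the backoffice or frontoffice URL, so whether it really restricts the redirect to the local site depends on those URLs ending in a path separator: if get_frontoffice_url() returns something like `http://example.net` with no trailing slash, a target on a longer hostname that begins with the same characters passes the prefix test. Since `scheme` and `netloc` are already split out just above, comparing the parsed components is stricter and independent of trailing slashes, for example `allowed = [urlparse.urlsplit(get_publisher().get_backoffice_url()), urlparse.urlsplit(get_publisher().get_frontoffice_url())]`, `if not any(netloc.lower() == x.netloc.lower() and scheme == x.scheme for x in allowed):`, `raise errors.RequestError()`. I cannot tell from the hunk whether the publisher URLs carry a trailing slash, so the current code may already be safe in practice, but the component comparison costs nothing and does not rely on that. The enclosing function starts before this hunk and continues past it.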