
0001-idp_oidc-ban-any-ou-based-authz-from-service-authz-p.patch

Paul Marillonnet, 01 août 2020 09:20



Subject: [PATCH] idp_oidc: ban any ou-based authz from service authz page
 (#45650)

 src/authentic2/views.py | 10 ++++++++--
 tests/test_idp_oidc.py  |  6 ++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
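--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@@ -23,6 +23,7 @@
 from ratelimit.utils import is_ratelimited
 
 from django.conf import settings
+from django.contrib.contenttypes.models import ContentType
 from django.shortcuts import render, get_object_or_404
 from django.template.loader import render_to_string
 from django.views.generic.edit import UpdateView, FormView
@@ -1285,16 +1286,21 @@
 
     def get_context_data(self, **kwargs):
         from authentic2_idp_oidc.models import OIDCAuthorization
+        from authentic2_idp_oidc.models import OIDCClient
 
         context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs)
+        service_ct = ContentType.objects.get_for_model(OIDCClient)
         context['authorized_oauth_services'] = OIDCAuthorization.objects.filter(
-            user=self.request.user)
+            user=self.request.user, client_ct=service_ct)
         return context
 
     def post(self, request, *args, **kwargs):
         from authentic2_idp_oidc.models import OIDCAuthorization
+        from authentic2_idp_oidc.models import OIDCClient
 
-        qs = OIDCAuthorization.objects.filter(user=request.user)
+        service_ct = ContentType.objects.get_for_model(OIDCClient)
+        qs = OIDCAuthorization.objects.filter(
+            user=request.user, client_ct=service_ct)
         auth_id = request.POST.get('auth_id')
         if auth_id:
             qs = qs.filter(id=auth_id)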
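Review bot: The reason OU-based authorizations are excluded is not recorded anywhere in the view, and the `ContentType.objects.get_for_model(OIDCClient)` + `filter(user=..., client_ct=service_ct)` pair is now duplicated in `get_context_data` and `post`, so a later edit to one method can silently re-expose OU authorizations to listing or revocation through the other. I would move the lookup into one private helper whose docstring states that only OIDCClient-bound authorizations are user-manageable from this page, and have both methods call it. Separately, `auth_id` comes straight from `request.POST` and is handed to `qs.filter(id=auth_id)`; as far as I recall Django raises a `ValueError` when a non-numeric string is used for an integer primary-key lookup, so a malformed value would produce a 500 rather than an empty queryset — a guard such as `if auth_id and auth_id.isdigit():` avoids that. The rest of `post` (what is done with `qs`) is outside the hunk, so I cannot see the deletion path itself.
```python
    def _service_authorizations(self, user):
        """Authorizations that *user* granted to an OIDCClient.

        Authorizations whose client is an OU are deliberately left out: they
        are not user-manageable from this page (#45650).
        """
        from authentic2_idp_oidc.models import OIDCAuthorization, OIDCClient

        service_ct = ContentType.objects.get_for_model(OIDCClient)
        return OIDCAuthorization.objects.filter(user=user, client_ct=service_ct)

    def get_context_data(self, **kwargs):
        context = super(AuthorizedOauthServicesView, self).get_context_data(**kwargs)
        context['authorized_oauth_services'] = self._service_authorizations(self.request.user)
        return context

    def post(self, request, *args, **kwargs):
        qs = self._service_authorizations(request.user)
        # … unchanged: auth_id handling and the rest of post() …
```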
tests/test_idp_oidc.py
1624 1624
    OIDCAuthorization.objects.create(
1625 1625
        client=oidc_client, user=simple_user, scopes='openid profile email',
1626 1626
        expired=now() + datetime.timedelta(days=2))
1627
    # create an ou-based authz that should not appear here
1628
    OU = get_ou_model()
1629
    ou = OU.objects.create(name='Ou1', slug='ou1')
1630
    OIDCAuthorization.objects.create(
1631
        client=ou1, user=simple_user, scopes='openid profile email',
1632
        expired=now() + datetite.timedelta(day=2))
1627 1633

  
1628 1634
    response = app.get(url, status=200)
1629 1635
    assert "You have granted 3 services access to your account profile data."
1630
-
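Review bot: The added fixture cannot run as written: `client=ou1` refers to a name that is never bound (the OU is assigned to `ou`), and `datetite.timedelta(day=2)` misspells both the module and the keyword, so the test dies with `NameError` before reaching the assertion. Those two lines should read `client=ou, user=simple_user, scopes='openid profile email',` and `expired=now() + datetime.timedelta(days=2))`. Even once it runs, the comment says the OU-based authorization "should not appear here", but the only check is the pre-existing `assert "You have granted 3 services access to your account profile data."` — a bare string literal that is always true — so the exclusion the patch introduces is never actually verified; compare the message against the response body (e.g. `assert 'You have granted 3 services access to your account profile data.' in response.text`, assuming a django-webtest response) and additionally assert that `'Ou1'` is absent from it. Whether `get_ou_model` is already imported in this test module is not visible from the hunk.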