0001-auth_oidc-dont-stop-redirect-on-state-lost-47825.patch

Benjamin Dauvergne, 27 octobre 2020 17:09

Voir les différences: en ligne côte à côte

Subject: [PATCH 1/2] auth_oidc: dont stop redirect on state lost (#47825)

Next url is usually to a local view requiring login, so on state lost we
can just continue to original next_url and it will start a new login.

 src/authentic2_auth_oidc/views.py | 15 +++++++-----
 tests/test_auth_oidc.py           | 40 ++++++++++++++++++++++++++-----
 2 files changed, 43 insertions(+), 12 deletions(-)

         provider = get_provider(pk)
         scopes = set(provider.scopes.split()) | set(['openid'])
         state = str(uuid.uuid4())
         next_url = next_url or request.GET.get(REDIRECT_FIELD_NAME, '')
         if next_url and not good_next_url(request, next_url):
             next_url = None
         nonce = request.GET.get('nonce') or str(uuid.uuid4())
         display = set()
         prompt = set()
-...
             'scope': ' '.join(scopes),
             'response_type': 'code',
             'redirect_uri': request.build_absolute_uri(reverse('oidc-login-callback')),
             'state': state,
             'state': state if not next_url else state + ' ' + next_url,
             'nonce': nonce,
+        }
         if provider.claims_parameter_supported:
-...
         saved_state = request.session.setdefault('auth_oidc', {}).setdefault(state, {})
         saved_state['request'] = params
         saved_state['issuer'] = provider.issuer
         next_url = next_url or request.GET.get(REDIRECT_FIELD_NAME, '')
         if good_next_url(request, next_url):
         if next_url:
             saved_state['next_url'] = next_url
         request.session.modified = True  # necessary if auth_oidc already exists
         logger.debug('auth_oidc: sent request to authorization endpoint %r', params)
-...
         def get(self, request, *args, **kwargs):
             logger = logging.getLogger(__name__)
             code = request.GET.get('code')
             state = request.GET.get('state')
             raw_state = request.GET.get('state', '')
             state = raw_state.split(' ', 1)[0]
             oidc_state = self.oidc_state = request.session.get('auth_oidc', {}).get(state)
             if not state or not oidc_state or 'request' not in oidc_state:
                 messages.warning(request, _('Login with OpenIDConnect failed, state lost.'))
                 logger.warning('auth_oidc: state lost')
                 return redirect(request, settings.LOGIN_REDIRECT_URL)
                 state_next_url = raw_state.split(' ', 1)[1] if ' ' in raw_state else None
                 return redirect(request, state_next_url or settings.LOGIN_REDIRECT_URL)
             oidc_request = oidc_state.get('request')
             assert isinstance(oidc_request, dict), 'state is not properly initialized'
             nonce = oidc_request.get('nonce')

         assert location.netloc == endpoint.netloc
         assert location.path == endpoint.path
         query = check_simple_qs(urlparse.parse_qs(location.query))
         assert query['state'] in app.session['auth_oidc']
         state = query['state'].split()[0]
         assert state in app.session['auth_oidc']
         assert query['response_type'] == 'code'
         assert query['client_id'] == str(oidc_provider.client_id)
         assert query['scope'] == 'openid'
         assert query['redirect_uri'] == 'http://testserver' + reverse('oidc-login-callback')
         # get the nonce
         nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
         nonce = app.session['auth_oidc'][state]['request']['nonce']
         if oidc_provider.claims_parameter_supported:
             claims = json.loads(query['claims'])
-...
         response = response.click(oidc_provider.name)
         location = urlparse.urlparse(response.location)
         query = check_simple_qs(urlparse.parse_qs(location.query))
         nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
         state = query['state'].split()[0]
         nonce = app.session['auth_oidc'][state]['request']['nonce']
         # sub=john.doe, MUST not work
         with utils.check_log(caplog, 'cannot create user'):
-...
         response = response.click(oidc_provider.name)
         location = urlparse.urlparse(response.location)
         query = check_simple_qs(urlparse.parse_qs(location.query))
         nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
         state = query['state'].split()[0]
         nonce = app.session['auth_oidc'][state]['request']['nonce']
         # sub=john.doe
         with utils.check_log(caplog, 'auth_oidc: created user'):
-...
         response = response.click(oidc_provider_rsa.name)
         location = urlparse.urlparse(response.location)
         query = check_simple_qs(urlparse.parse_qs(location.query))
         nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
         state = query['state'].split()[0]
         nonce = app.session['auth_oidc'][state]['request']['nonce']
         # test invalid kid
         with utils.check_log(caplog, message='not in key set', levelname='WARNING'):
-...
         response = response.click(oidc_provider.name)
         location = urlparse.urlparse(response.location)
         query = check_simple_qs(urlparse.parse_qs(location.query))
         nonce = app.session['auth_oidc'][query['state']]['request']['nonce']
         state = query['state'].split()[0]
         nonce = app.session['auth_oidc'][state]['request']['nonce']
         with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': query['state']}).maybe_follow()
-...
         assert user.last_name == 'DOE'
         # typo in template string, no rendering
         assert user.first_name == '{{ given_name'
     def test_lost_state(app, caplog, code, oidc_provider, oidc_provider_jwkset, hooks):
         response = app.get('/login/?next=/whatever/')
         assert oidc_provider.name in response.text
         response = response.click(oidc_provider.name)
         qs = urlparse.parse_qs(urlparse.urlparse(response.location).query)
         state = qs['state'][0]
         assert ' /whatever/' in state
         nonce = app.session['auth_oidc'][state.split()[0]]['request']['nonce']
         # reset the session to forget the state
         app.session.flush()
         caplog.clear()
         with oidc_provider_mock(oidc_provider, oidc_provider_jwkset, code, nonce=nonce):
             response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})
         # not logged
         assert 'auth_oidc: state lost' == caplog.records[-1].message
         # event is recorded
         assert '_auth_user_id' not in app.session
         # we are automatically redirected to our destination
         assert response.location == '/whatever/'
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-auth_oidc-dont-stop-redirect-on-state-lost-47825.patch