0001-idp_oidc-fix-profile-suffix-during-sub-generation-62.patch

Paul Marillonnet, 16 mars 2022 12:13

Voir les différences: en ligne côte à côte

Subject: [PATCH] idp_oidc: fix profile suffix during sub generation (#62702)

 src/authentic2_idp_oidc/apps.py      |  4 +--
 src/authentic2_idp_oidc/utils.py     |  7 ++--
 tests/idp_oidc/test_user_profiles.py | 48 +++++++++++++++++++++++++++-
 3 files changed, 54 insertions(+), 5 deletions(-)

             sub = smart_bytes(view.kwargs[lookup_url_kwarg])
             decrypted = utils.reverse_pairwise_sub(client, sub)
             if decrypted:
                 view.kwargs[lookup_url_kwarg] = uuid.UUID(bytes=decrypted.split(b'#')[0]).hex
                 view.kwargs[lookup_url_kwarg] = uuid.UUID(bytes=decrypted).hex
         def a2_hook_api_modify_serializer_after_validation(self, view, serializer):
             import uuid
-...
             for u in serializer.validated_data['known_uuids']:
                 decrypted = utils.reverse_pairwise_sub(client, smart_bytes(u))
                 if decrypted:
                     new_known_uuid = uuid.UUID(bytes=decrypted.split(b'#')[0]).hex
                     new_known_uuid = uuid.UUID(bytes=decrypted).hex
                     new_known_uuids.append(new_known_uuid)
                     uuid_map[new_known_uuid] = u
                 else:

             sector_identifier,
+        ]
         if profile and client.perform_sub_profile_substitution:
             cipher_args[1] += b'#%s' % str(profile.id).encode()
             # add user-chosen profile identifier information
             cipher_args[1] += b'#profile-id:%s' % str(profile.id).encode()
         return crypto.aes_base64url_deterministic_encrypt(*cipher_args).decode('utf-8')
     def reverse_pairwise_sub(client, sub):
         sector_identifier = client.get_sector_identifier()
         try:
             return crypto.aes_base64url_deterministic_decrypt(
             reversed_id = crypto.aes_base64url_deterministic_decrypt(
                 settings.SECRET_KEY.encode('utf-8'), sub, sector_identifier
+            )
             # strip any suffix from original 16-byte-long uuid
             return reversed_id[:16]
         except crypto.DecryptionError:
             return None

     import base64
     import json
     import urllib.parse
     from uuid import UUID
     import pytest
     from django.contrib.auth import get_user_model
-...
     from authentic2.custom_user.models import Profile, ProfileType
     from authentic2.utils.misc import make_url
     from authentic2_idp_oidc.models import OIDCAccessToken, OIDCCode
     from authentic2_idp_oidc.utils import get_jwkset, make_sub
     from authentic2_idp_oidc.utils import get_jwkset, make_pairwise_sub, make_sub, reverse_pairwise_sub
     from .. import utils
     from .conftest import client_authentication_headers
-...
         claims = json.loads(jwt.claims)
         assert claims['sub'] != make_sub(oidc_client, profile_user)
         assert claims['sub'] == make_sub(oidc_client, profile_user, profile=profile_user.profiles.first())
     def test_full_sub_reversibility(app, oidc_client, profile_settings):
         from django.utils.encoding import smart_bytes
         oidc_client.idtoken_algo = oidc_client.ALGO_EC
         oidc_client.activate_user_profiles = True
         oidc_client.perform_sub_profile_substitution = True
         oidc_client.identifier_policy = oidc_client.POLICY_PAIRWISE_REVERSIBLE
         oidc_client.save()
         profile_type_manager = ProfileType.objects.create(
             name='One Manager Type',
             slug='one-manager-type',
+        )
         # first with no profiles
         for i in range(10):
             user = User.objects.create(
                 first_name='john-%s' % i,
                 last_name='doe',
                 email='john.doe.%s@example.org' % i,
+            )
             sub = make_pairwise_sub(oidc_client, user, profile=None)
             uuid = reverse_pairwise_sub(oidc_client, smart_bytes(sub))
             assert uuid == UUID(user.uuid).bytes
         # then adding user profile information
         for i in range(100):
             user = User.objects.create(
                 first_name='john-%s' % i,
                 last_name='doe',
                 email='john.doe.%s@example.org' % i,
+            )
             profile = Profile.objects.create(
                 user=user,
                 profile_type=profile_type_manager,
                 identifier='manager %s' % i,
                 email='manager-%s@example.org' % i,
+            )
             sub_with_profile = make_pairwise_sub(oidc_client, user, profile=profile)
             sub_without_profile = make_pairwise_sub(oidc_client, user, profile=None)
             uuid_with_profile = reverse_pairwise_sub(oidc_client, smart_bytes(sub_with_profile))
             uuid_without_profile = reverse_pairwise_sub(oidc_client, smart_bytes(sub_without_profile))
             assert sub_with_profile != sub_without_profile
             assert uuid_with_profile == uuid_without_profile
             assert uuid_with_profile == UUID(user.uuid).bytes
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-idp_oidc-fix-profile-suffix-during-sub-generation-62.patch