0001-idp_oidc-add-iss-and-sid-parameter-to-frontchannel_l.patch

Benjamin Dauvergne, 20 mai 2022 09:59



Subject: [PATCH] idp_oidc: add iss and sid parameter to
 frontchannel_logout_uri (#65475)

 src/authentic2_idp_oidc/utils.py |  7 ++++---
 tests/idp_oidc/test_misc.py      | 20 +++++++++++++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)
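--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -30,6 +30,7 @@
 from authentic2 import hooks
 from authentic2.attributes_ng.engine import get_attributes
 from authentic2.utils import crypto
+from authentic2.utils.misc import make_url
 from authentic2.utils.template import Template
 
 from . import app_settings
@@ -294,13 +295,13 @@
     oidc_sessions = request.session.setdefault('oidc_sessions', {})
     if not client.frontchannel_logout_uri:
         return
-    uri = client.frontchannel_logout_uri
+    sid = get_session_id(request, client)
+    iss = get_issuer(request)
+    uri = make_url(client.frontchannel_logout_uri, params={'iss': iss, 'sid': sid}, resolve=False)
     oidc_session = {
         'frontchannel_logout_uri': uri,
         'frontchannel_timeout': client.frontchannel_timeout,
         'name': client.name,
-        'sid': get_session_id(request, client),
-        'iss': get_issuer(request),
     }
     if oidc_sessions.get(uri) == oidc_session:
         # already present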
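Review bot: The `oidc_sessions` entry is now keyed by the URI that already carries the `iss` and `sid` query parameters (the `oidc_sessions.get(uri)` lookup on the last line), whereas before this change the key was the bare `client.frontchannel_logout_uri` and the session id lived in the removed `'sid'`/`'iss'` entries of `oidc_session`. Any other reader of `request.session['oidc_sessions']` that still looks an entry up by the registered URI, or reads those two keys, would silently stop matching; the enclosing function starts before and continues past this hunk, so this is inferred and worth confirming. It is also worth checking that `make_url(..., resolve=False)` merges rather than duplicates a query string when a registered `frontchannel_logout_uri` already contains one, since the resulting URL is what ends up in the logout iframe `src`. A one-line comment above the `make_url(...)` call would record the intent, e.g. `# Front-channel logout: the RP needs iss and sid to match this logout to the session it was issued.`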
tests/idp_oidc/test_misc.py
19 19
import functools
20 20
import json
21 21
import urllib.parse
22
from unittest import mock
22 23

  
23 24
import pytest
24 25
from django.contrib.auth import get_user_model
......
40 41
from authentic2.utils.misc import good_next_url, make_url
41 42
from authentic2_auth_oidc.utils import parse_timestamp
42 43
from authentic2_idp_oidc.models import OIDCAccessToken, OIDCAuthorization, OIDCClaim, OIDCClient, OIDCCode
43
from authentic2_idp_oidc.utils import base64url, get_first_ec_sig_key, get_first_rsa_sig_key, make_sub
44
from authentic2_idp_oidc.utils import (
45
    base64url,
46
    get_first_ec_sig_key,
47
    get_first_rsa_sig_key,
48
    get_session_id,
49
    make_sub,
50
)
44 51

  
45 52
from .. import utils
46 53
from .conftest import bearer_authentication_headers, client_authentication_headers
......
202 209
@pytest.mark.parametrize('do_not_ask_again', [(True,), (False,)])
203 210
@pytest.mark.parametrize('login_first', [(True,), (False,)])
204 211
def test_authorization_code_sso(
205
    login_first, do_not_ask_again, oidc_client, oidc_settings, simple_user, app, caplog
212
    login_first, do_not_ask_again, oidc_client, oidc_settings, simple_user, app, caplog, rf
206 213
):
207 214
    redirect_uri = oidc_client.redirect_uris.split()[0]
208 215
    params = {
......
398 405
        response = app.get(make_url('account_management'))
399 406
        response = response.click('Logout')
400 407
        if oidc_client.frontchannel_logout_uri:
401
            iframes = response.pyquery('iframe[src="https://example.com/southpark/logout/"]')
408
            iframes = response.pyquery('iframe[src^="https://example.com/southpark/logout/"]')
402 409
            assert iframes
410
            src = iframes.attr('src')
411
            assert '?' in src
412
            src_qd = QueryDict(src.split('?', 1)[1])
413
            assert 'iss' in src_qd and src_qd['iss'] == 'http://testserver/'
414
            assert 'sid' in src_qd and src_qd['sid'] == get_session_id(
415
                mock.Mock(session=app.session), oidc_client
416
            )
403 417
            if oidc_client.frontchannel_timeout:
404 418
                assert iframes.attr('onload').endswith(', %d)' % oidc_client.frontchannel_timeout)
405 419
            else:
406
-