0001-idp_oidc-adapt-error-message-for-expired-codes-67277.patch

Benjamin Dauvergne, 27 juillet 2022 17:56

Voir les différences: en ligne côte à côte

Subject: [PATCH] idp_oidc: adapt error message for expired codes (#67277)

 src/authentic2_idp_oidc/views.py |  7 ++++---
 tests/idp_oidc/test_misc.py      | 36 +++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 15 deletions(-)

         code = request.POST.get('code')
         if not code:
             raise MissingParameter('code', client=client)
         oidc_code_qs = models.OIDCCode.objects.filter(expired__gte=now()).select_related()
         try:
             oidc_code = models.OIDCCode.objects.select_related().get(uuid=code)
             oidc_code = oidc_code_qs.get(uuid=code)
         except models.OIDCCode.DoesNotExist:
             raise InvalidGrant(_('Code is unknown.'), client=client)
             raise InvalidGrant(_('Code is unknown or has expired.'), client=client)
         if oidc_code.client != client:
             raise InvalidGrant(_('Code was issued to a different client.'), client=client)
         if not oidc_code.is_valid():
             raise InvalidGrant(_('Code has expired, user is disconnected or session was lost.'), client=client)
             raise InvalidGrant(_('User is disconnected or session was lost.'), client=client)
         redirect_uri = request.POST.get('redirect_uri')
         if oidc_code.redirect_uri != redirect_uri:
             raise InvalidGrant(_('Redirect_uri does not match the code.'), client=client)

     @pytest.mark.parametrize('oidc_client', OIDC_CLIENT_PARAMS, indirect=True)
     def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app, make_client):
     def test_invalid_request(oidc_client, caplog, oidc_settings, simple_user, app, make_client, app_factory):
         redirect_uri = oidc_client.redirect_uris.split()[0]
         if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
             fragment = False
-...
         # check expired codes
         if oidc_client.authorization_flow == oidc_client.FLOW_AUTHORIZATION_CODE:
             rp_app = app_factory()
             assert OIDCCode.objects.count() == 1
             oidc_code = OIDCCode.objects.get()
             assert oidc_code.is_valid()
-...
                 'grant_type': 'authorization_code',
                 'redirect_uri': oidc_client.redirect_uris.split()[0],
+            }
             response = app.post(
             response = rp_app.post(
                 token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
+            )
             assert response.json['error'] == 'invalid_request'
-...
             params['code'] = code
             # wrong redirect_uri
             response = app.post(
             response = rp_app.post(
                 token_url,
                 params=dict(params, redirect_uri='https://example.com/'),
                 headers=client_authentication_headers(oidc_client),
-...
             assert response.json['client_id'] == '1234'
             # unknown code
             response = app.post(
             response = rp_app.post(
                 token_url,
                 params=dict(params, code='xyz'),
                 headers=client_authentication_headers(oidc_client),
-...
+            )
             assert 'error' in response.json
             assert response.json['error'] == 'invalid_grant'
             assert response.json['error_description'] == 'Code is unknown.'
             assert response.json['error_description'] == 'Code is unknown or has expired.'
             assert response.json['client_id'] == '1234'
             # code from another client
             other_client = make_client(app, params={'slug': 'other', 'name': 'other', 'client_id': 'abcd'})
             other_client = make_client(rp_app, params={'slug': 'other', 'name': 'other', 'client_id': 'abcd'})
             other_oidc_code = OIDCCode.objects.create(
                 client=other_client,
                 user=oidc_code.user,
-...
                 auth_time=now(),
                 session_key=oidc_code.session_key,
+            )
             response = app.post(
             response = rp_app.post(
                 token_url,
                 params=dict(params, code=other_oidc_code.uuid),
                 headers=client_authentication_headers(oidc_client),
-...
             other_oidc_code.delete()
             other_client.delete()
             # simulate expired session
             from django.contrib.sessions.models import Session
             session = Session.objects.get(session_key=oidc_code.session_key)
             Session.objects.filter(pk=session.pk).delete()
             response = rp_app.post(
                 token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
+            )
             assert 'error' in response.json
             assert response.json['error'] == 'invalid_grant'
             assert response.json['error_description'] == 'User is disconnected or session was lost.'
             assert response.json['client_id'] == '1234'
             session.save()
             # make code expire
             oidc_code.expired = now() - datetime.timedelta(seconds=120)
             assert not oidc_code.is_valid()
             oidc_code.save()
             # expired code
             response = app.post(
             response = rp_app.post(
                 token_url, params=params, headers=client_authentication_headers(oidc_client), status=400
+            )
             assert 'error' in response.json
             assert response.json['error'] == 'invalid_grant'
             assert (
                 response.json['error_description']
                 == 'Code has expired, user is disconnected or session was lost.'
+            )
             assert response.json['error_description'] == 'Code is unknown or has expired.'
             assert response.json['client_id'] == '1234'
         # invalid logout
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-idp_oidc-adapt-error-message-for-expired-codes-67277.patch