0001-auth_oidc-provide-a-less-scary-displayed-error-messa.patch
| src/authentic2_auth_oidc/views.py | ||
|---|---|---|
| 313 | 313 |
error = request.GET['error'] |
| 314 | 314 |
error_dict = self.errors.get(error, {})
|
| 315 | 315 |
level = error_dict.get('level', logging.WARNING)
|
| 316 |
error_description = request.GET.get('error_description', error_dict.get('error_description'))
|
|
| 316 |
remote_error_description = request.GET.get('error_description')
|
|
| 317 |
local_error_description = error_dict.get('error_description')
|
|
| 318 |
error_description = remote_error_description or local_error_description |
|
| 317 | 319 |
error_url = request.GET.get('error_url')
|
| 318 | 320 | |
| 319 | 321 |
log_msg = 'auth_oidc: error received ' |
| ... | ... | |
| 325 | 327 |
log_msg += ' see %s' % error_url |
| 326 | 328 |
logger.log(level, log_msg) |
| 327 | 329 | |
| 328 |
if error_description: |
|
| 330 |
message_params = {
|
|
| 331 |
'request_id': request.request_id, |
|
| 332 |
'provider_name': provider and provider.name, |
|
| 333 |
'error': error, |
|
| 334 |
} |
|
| 335 |
if provider: |
|
| 336 |
message = _( |
|
| 337 |
'Login with %(provider_name)s failed, please try again later and/or report ' |
|
| 338 |
'%(request_id)s to an administrator (%(error)s)' |
|
| 339 |
) |
|
| 340 |
else: |
|
| 341 |
message = _( |
|
| 342 |
'Login with OpenID Connect failed, please try again later and/or report %s to an ' |
|
| 343 |
'administrator. (%(error)s)' |
|
| 344 |
) |
|
| 345 | ||
| 346 |
messages.warning(request, local_error_description or message % message_params) |
|
| 347 |
if remote_error_description: # log a more precise error description for debugging purposes |
|
| 329 | 348 |
message = _('%(error_description)s (%(error)s)') % {
|
| 330 |
'error_description': error_description, |
|
| 349 |
'error_description': remote_error_description,
|
|
| 331 | 350 |
'error': error, |
| 332 | 351 |
} |
| 333 |
messages.add_message(request, level, message) |
|
| 334 |
else: # unexpected error code |
|
| 335 |
message_params = {
|
|
| 336 |
'request_id': request.request_id, |
|
| 337 |
'provider_name': provider and provider.name, |
|
| 338 |
'error': error, |
|
| 339 |
} |
|
| 340 |
if provider: |
|
| 341 |
message = _( |
|
| 342 |
'Login with %(provider_name)s failed, report %(request_id)s to an administrator (%(error)s)' |
|
| 343 |
) |
|
| 344 |
else: |
|
| 345 |
message = _('Login with OpenID Connect failed, report %s to an administrator. (%(error)s)')
|
|
| 346 | ||
| 347 |
messages.warning(request, message % message_params) |
|
| 352 |
messages.debug(request, message) |
|
| 348 | 353 |
return self.continue_to_next_url(request) |
| 349 | 354 | |
| 350 | 355 | |
| tests/test_auth_oidc.py | ||
|---|---|---|
| 25 | 25 | |
| 26 | 26 |
import pytest |
| 27 | 27 |
from django.contrib.auth import get_user_model |
| 28 |
from django.contrib.messages import constants as message_constants |
|
| 28 | 29 |
from django.core.exceptions import ValidationError |
| 29 | 30 |
from django.db import IntegrityError, transaction |
| 30 | 31 |
from django.http import QueryDict |
| 32 |
from django.test.utils import override_settings |
|
| 31 | 33 |
from django.urls import reverse |
| 32 | 34 |
from django.utils.encoding import force_str |
| 33 | 35 |
from django.utils.timezone import now, utc |
| ... | ... | |
| 1154 | 1156 | |
| 1155 | 1157 |
assert 'denied by you or the identity provider' in caplog.records[-1].message |
| 1156 | 1158 |
assert caplog.records[-1].levelname == 'INFO' |
| 1157 |
assert 'denied by you or the identity provider' in response.pyquery('.info').text()
|
|
| 1158 |
assert 'access_denied' in response |
|
| 1159 |
assert 'denied by you or the identity provider' in response.pyquery('.warning').text()
|
|
| 1160 |
assert 'access_denied' not in response # error code not logged in UI anymore |
|
| 1161 | ||
| 1162 |
response = app.get( |
|
| 1163 |
login_callback_url(oidc_provider), |
|
| 1164 |
params={
|
|
| 1165 |
'error': 'access_denied', |
|
| 1166 |
'error_description': 'some OP technical error message', |
|
| 1167 |
'state': state, |
|
| 1168 |
}, |
|
| 1169 |
) |
|
| 1170 |
response = response.maybe_follow() |
|
| 1171 |
assert 'denied by you or the identity provider' not in caplog.records[-1].message |
|
| 1172 |
assert 'some OP technical error message' in caplog.records[-1].message |
|
| 1173 | ||
| 1174 |
with override_settings(MESSAGE_LEVEL=message_constants.DEBUG): |
|
| 1175 |
response = app.get( |
|
| 1176 |
login_callback_url(oidc_provider), |
|
| 1177 |
params={
|
|
| 1178 |
'error': 'access_denied', |
|
| 1179 |
'error_description': 'some OP technical error message', |
|
| 1180 |
'state': state, |
|
| 1181 |
}, |
|
| 1182 |
) |
|
| 1183 | ||
| 1184 |
response = response.maybe_follow() |
|
| 1185 |
assert 'denied by you or the identity provider' in response.pyquery('.warning').text()
|
|
| 1186 |
assert 'some OP technical error message (access_denied)' in response.pyquery('.debug').text()
|
|
| 1159 | 1187 | |
| 1160 | 1188 | |
| 1161 | 1189 |
def test_error_other(app, caplog, oidc_provider_jwkset): |
| 1162 |
- |
|