Launchpad itself

Merge lp:~salgado/launchpad/bug-530738 into lp:launchpad

  1. bug-530738
  2. Merge into devel
Proposed by Guilherme Salgado
Status: Merged
Merged at revision: not available
Proposed branch: lp:~salgado/launchpad/bug-530738
Merge into: lp:launchpad
Diff against target: 58 lines (+27/-3)
2 files modified
lib/canonical/launchpad/webapp/login.py (+2/-3)
lib/canonical/launchpad/webapp/tests/test_login.py (+25/-0)
To merge this branch: bzr merge lp:~salgado/launchpad/bug-530738
Reviewer Review Type Date Requested Status
Francis J. Lacoste (community) release-critical Approve
Brad Crittenden (community) code Approve
Review via email: mp+20452@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Guilherme Salgado (salgado) wrote :

We're currently passing the application URL as the realm when starting
an OpenID authentication. That means when you login on, say,
bugs.lp.net, the provider will be told that the realm is bugs.lp.net,
but that's not really true as the authentication is valid for all of
launchpad.net. That is also how the spec says the realm should be used:

  A realm is designed to give the end user an indication of the scope
  of the authentication request.
  (http://openid.net/specs/openid-authentication-2_0.html#realms)

This branch fixes that by always using the mainsite's root URL as the
realm (aka trust root).

Revision history for this message
Brad Crittenden (bac) wrote :

Looks great Salgado. I'm surprised this bug has been around so long. Good catch.

review: Approve (code)
Revision history for this message
Francis J. Lacoste (flacoste) :
review: Approve (release-critical)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'lib/canonical/launchpad/webapp/login.py'
--- lib/canonical/launchpad/webapp/login.py 2010-03-01 19:25:42 +0000
+++ lib/canonical/launchpad/webapp/login.py 2010-03-02 15:19:14 +0000
@@ -186,7 +186,6 @@
186 self.openid_request.addExtension(186 self.openid_request.addExtension(
187 sreg.SRegRequest(optional=['email', 'fullname']))187 sreg.SRegRequest(optional=['email', 'fullname']))
188188
189 trust_root = self.request.getApplicationURL()
190 assert not self.openid_request.shouldSendRedirect(), (189 assert not self.openid_request.shouldSendRedirect(), (
191 "Our fixed OpenID server should not need us to redirect.")190 "Our fixed OpenID server should not need us to redirect.")
192 # Once the user authenticates with the OpenID provider they will be191 # Once the user authenticates with the OpenID provider they will be
@@ -196,8 +195,8 @@
196 # '+login' bit). To do that we encode that URL as a query arg in the195 # '+login' bit). To do that we encode that URL as a query arg in the
197 # return_to URL passed to the OpenID Provider196 # return_to URL passed to the OpenID Provider
198 starting_url = urllib.urlencode([('starting_url', self.starting_url)])197 starting_url = urllib.urlencode([('starting_url', self.starting_url)])
199 return_to = urlappend(198 trust_root = allvhosts.configs['mainsite'].rooturl
200 self.request.getApplicationURL(), '+openid-callback')199 return_to = urlappend(trust_root, '+openid-callback')
201 return_to = "%s?%s" % (return_to, starting_url)200 return_to = "%s?%s" % (return_to, starting_url)
202 form_html = self.openid_request.htmlMarkup(trust_root, return_to)201 form_html = self.openid_request.htmlMarkup(trust_root, return_to)
203202
204203
=== modified file 'lib/canonical/launchpad/webapp/tests/test_login.py'
--- lib/canonical/launchpad/webapp/tests/test_login.py 2010-03-01 19:25:42 +0000
+++ lib/canonical/launchpad/webapp/tests/test_login.py 2010-03-02 15:19:14 +0000
@@ -352,6 +352,31 @@
352 sorted(sreg_extension.allRequestedFields()))352 sorted(sreg_extension.allRequestedFields()))
353353
354354
355class TestOpenIDRealm(TestCaseWithFactory):
356 # The realm (aka trust_root) specified by the RP is "designed to give the
357 # end user an indication of the scope of the authentication request", so
358 # for us the realm will always be the root URL of the mainsite.
359 layer = AppServerLayer
360
361 def test_realm_for_mainsite(self):
362 browser = Browser()
363 browser.open('http://launchpad.dev:8085/+login')
364 # At this point browser.contents contains a hidden form which would've
365 # been auto-submitted if we had in-browser JS support, but since we
366 # don't we can easily inspect what's in the form.
367 self.assertEquals('http://launchpad.dev:8085/',
368 browser.getControl(name='openid.realm').value)
369
370 def test_realm_for_vhosts(self):
371 browser = Browser()
372 browser.open('http://bugs.launchpad.dev:8085/+login')
373 # At this point browser.contents contains a hidden form which would've
374 # been auto-submitted if we had in-browser JS support, but since we
375 # don't we can easily inspect what's in the form.
376 self.assertEquals('http://launchpad.dev:8085/',
377 browser.getControl(name='openid.realm').value)
378
379
355def test_suite():380def test_suite():
356 suite = unittest.TestSuite()381 suite = unittest.TestSuite()
357 suite.addTest(unittest.TestLoader().loadTestsFromName(__name__))382 suite.addTest(unittest.TestLoader().loadTestsFromName(__name__))