Canonical SSO provider

Merge lp:~facundo/canonical-identity-provider/trunk into lp:canonical-identity-provider/release

  1. trunk
  2. Merge into trunk
Proposed by Facundo Batista
Status: Merged
Approved by: Facundo Batista
Approved revision: no longer in the source branch.
Merge reported by: Ubuntu One Auto Pilot
Merged at revision: not available
Proposed branch: lp:~facundo/canonical-identity-provider/trunk
Merge into: lp:canonical-identity-provider/release
Diff against target: 70 lines (+28/-5)
2 files modified
src/identityprovider/tests/test_views_server.py (+21/-1)
src/identityprovider/views/server.py (+7/-4)
To merge this branch: bzr merge lp:~facundo/canonical-identity-provider/trunk
Reviewer Review Type Date Requested Status
Matias Bordese (community) Approve
Review via email: mp+299813@code.launchpad.net

Commit message

Don't crash if the macaroon's caveat_id doesn't validate ok.

Description of the change

Don't crash if the macaroon's caveat_id doesn't validate ok.

To post a comment you must log in.
Revision history for this message
Matias Bordese (matiasb) wrote :

LGTM, thanks

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'src/identityprovider/tests/test_views_server.py'
2--- src/identityprovider/tests/test_views_server.py 2016-07-07 01:20:50 +0000
3+++ src/identityprovider/tests/test_views_server.py 2016-07-12 15:42:04 +0000
4@@ -1,5 +1,5 @@
5 # -*- coding: utf-8 -*-
6-# Copyright 2010, 2012 Canonical Ltd. This software is licensed under
7+# Copyright 2010-2016 Canonical Ltd. This software is licensed under
8 # the GNU Affero General Public License version 3 (see the file
9 # LICENSE).
10
11@@ -234,6 +234,26 @@
12 sreg=['fullname'],
13 root_macaroon=root_macaroon, macaroon_key=macaroon_random_key)
14
15+ def test_handle_user_response_auto_auth_bad_discharge_macaroon(self):
16+ # update rp to auto authorize
17+ self.rpconfig.auto_authorize = True
18+ self.rpconfig.save()
19+
20+ self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
21+ self.params.update({
22+ 'openid.ns.macaroon': MACAROON_NS,
23+ 'openid.macaroon.caveat_id': b'broken',
24+ })
25+ response = self.client.post(self.url, self.params)
26+ self.assertEqual(response.status_code, 302)
27+
28+ query = self.get_query(response)
29+ self.assertNotIn('openid.macaroon.discharge', query)
30+ openid_identity_url = quote_plus(self.request.build_absolute_uri(
31+ self.account.get_absolute_url()))
32+ self.assertEqual(query['openid.identity'], openid_identity_url)
33+ self.assertEqual(query['openid.claimed_id'], openid_identity_url)
34+
35 def _test_auto_auth(self, ax=None, sreg=None,
36 root_macaroon=None, macaroon_key=None):
37 # update rp to auto authorize
38
39=== modified file 'src/identityprovider/views/server.py'
40--- src/identityprovider/views/server.py 2016-06-24 23:04:37 +0000
41+++ src/identityprovider/views/server.py 2016-07-12 15:42:04 +0000
42@@ -1,4 +1,4 @@
43-# Copyright 2010, 2012 Canonical Ltd. This software is licensed under
44+# Copyright 2010-2016 Canonical Ltd. This software is licensed under
45 # the GNU Affero General Public License version 3 (see the file
46 # LICENSE).
47
48@@ -43,7 +43,7 @@
49 from openid.yadis.constants import YADIS_HEADER_NAME
50
51 from identityprovider import signed
52-from identityprovider.auth import build_discharge_macaroon
53+from identityprovider.auth import build_discharge_macaroon, ValidationError
54 from identityprovider.const import (
55 AX_DATA_FIELDS,
56 MACAROON_NS,
57@@ -771,8 +771,11 @@
58 form = MacaroonRequestForm(
59 request, macaroon_request, rpconfig, openid_request.trust_root)
60 if form.data_approved_for_request:
61- discharge_macaroon = build_discharge_macaroon(
62- request.user, macaroon_request.caveat_id)
63+ try:
64+ discharge_macaroon = build_discharge_macaroon(
65+ request.user, macaroon_request.caveat_id)
66+ except ValidationError:
67+ return
68 macaroon_response = MacaroonResponse.extractResponse(
69 macaroon_request, discharge_macaroon.serialize())
70 openid_response.addExtension(macaroon_response)