Merge lp:~jamestait/canonical-identity-provider/lp1169635 into lp:canonical-identity-provider/release

Proposed by James Tait
Status: Merged
Approved by: Ricardo Kirkner
Approved revision: no longer in the source branch.
Merged at revision: 806
Proposed branch: lp:~jamestait/canonical-identity-provider/lp1169635
Merge into: lp:canonical-identity-provider/release
Diff against target: 61 lines (+23/-6)
2 files modified
identityprovider/tests/test_views_server.py (+16/-4)
identityprovider/views/server.py (+7/-2)
To merge this branch: bzr merge lp:~jamestait/canonical-identity-provider/lp1169635
Reviewer Review Type Date Requested Status
Ricardo Kirkner (community) Approve
Review via email: mp+159358@code.launchpad.net

Commit message

Don't check whether the unsigned response would result in a form POST, because the signed response will be longer and may do even if the unsigned response wouldn't. Instead, check the signed response and the request mode.

Description of the change

This is a fix for the case where an unsigned OpenID response would be short
enough to allow a URL redirect to be used, but the signed response would be too
long and thus would result in an HTML form POST.

This is all to work around a shortcoming in the openid library. There is a fix
in openid trunk, but:

 a) it will probably break existing implementations and
 b) according to PyPi there hasn't been a release of the openid library in
    almost 3 years.

To post a comment you must log in.
Revision history for this message
Michael Foord (mfoord) wrote :

I would rather we didn't use shortened urls.

Revision history for this message
Ricardo Kirkner (ricardokirkner) wrote :

LGTM

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'identityprovider/tests/test_views_server.py'
2--- identityprovider/tests/test_views_server.py 2013-04-17 08:32:15 +0000
3+++ identityprovider/tests/test_views_server.py 2013-04-17 15:27:25 +0000
4@@ -193,13 +193,25 @@
5 'token_via_email')
6
7 def test_handle_user_response_auto_auth_large_response(self):
8- # update rp to auto authorize
9- self.rpconfig.auto_authorize = True
10- self.rpconfig.allowed_ax = 'fullname,email,account_verified'
11- self.rpconfig.save()
12 # Make sure we get a large response
13 self.account.displayname = 'a' * OPENID1_URL_LIMIT
14 self.account.save()
15+ self._test_auto_auth()
16+
17+ def test_handle_user_response_auto_auth_borderline_response(self):
18+ # Make a response that's small enough that it fits in a redirect before
19+ # signing, but large enough that it will need a POST after signing. We
20+ # might want to come up with a more robust method of determining the
21+ # required length, but this works for now.
22+ self.account.displayname = 'a' * (OPENID1_URL_LIMIT / 2)
23+ self.account.save()
24+ self._test_auto_auth()
25+
26+ def _test_auto_auth(self):
27+ # update rp to auto authorize
28+ self.rpconfig.auto_authorize = True
29+ self.rpconfig.allowed_ax = 'fullname,email,account_verified'
30+ self.rpconfig.save()
31
32 self.client.login(username=self.email, password=DEFAULT_USER_PASSWORD)
33 self.params.update({
34
35=== modified file 'identityprovider/views/server.py'
36--- identityprovider/views/server.py 2013-04-15 12:56:43 +0000
37+++ identityprovider/views/server.py 2013-04-17 15:27:25 +0000
38@@ -26,8 +26,9 @@
39 registerNamespaceAlias,
40 )
41 from openid.server.server import (
42+ BROWSER_REQUEST_MODES,
43+ ENCODE_URL,
44 CheckIDRequest,
45- ENCODE_URL,
46 ProtocolError,
47 Server,
48 )
49@@ -531,7 +532,11 @@
50 def _django_response(request, oresponse, auth_success=False, orequest=None):
51 """ Convert an OpenID response into a Django HttpResponse """
52 webresponse = _get_openid_server().encodeResponse(oresponse)
53- if oresponse.renderAsForm():
54+ # This is a workaround for the fact the the openid library returns bare
55+ # HTML form markup instead of a complete HTML document. See
56+ # https://github.com/openid/python-openid/pull/31/files which has been
57+ # merged, but not released.
58+ if webresponse.body and oresponse.request.mode in BROWSER_REQUEST_MODES:
59 response = HttpResponse(
60 oidutil.autoSubmitHTML(webresponse.body), mimetype='text/html')
61 else: