Exemple #1
 def test_proxy_callback_allowed(self):
     """
     ``proxy_callback_allowed()`` should accept a pgturl that matches the
     configured proxy callback pattern and reject anything else.
     """
     site = 'https://www.example.com'
     # Callback identical to the service URL: accepted.
     self.assertTrue(proxy_callback_allowed(site, site))
     # Same host name under a different TLD: rejected.
     self.assertFalse(proxy_callback_allowed(site, 'https://www.example.org'))
     # Rejected although callback and service are identical; presumably no
     # callback pattern is configured for this service -- confirm against
     # the test settings.
     plain = 'http://example.org'
     self.assertFalse(proxy_callback_allowed(plain, plain))
     # NOTE(review): only an exact match and a different TLD are exercised
     # here; a case with extra characters after the allowed host would show
     # whether the pattern is anchored.
 def test_proxy_callback_allowed(self):
     """
     Check ``proxy_callback_allowed()`` against a configured proxy callback:
     a pgturl matching the pattern gives ``True``, any other gives ``False``.
     """
     # Service and callback are the same URL, so the callback is accepted.
     same_origin = proxy_callback_allowed('https://www.example.com', 'https://www.example.com')
     self.assertTrue(same_origin)

     # The callback sits on a different domain than the service.
     other_domain = proxy_callback_allowed('https://www.example.com', 'https://www.example.org')
     self.assertFalse(other_domain)

     # Identical URLs, still rejected; presumably this service has no
     # callback pattern in the test settings -- TODO confirm.
     unconfigured = proxy_callback_allowed('http://example.org', 'http://example.org')
     self.assertFalse(unconfigured)
Exemple #3
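    def validate_callback(self, service, pgturl, pgtid, pgtiou):
        """
        Verify the proxy callback URL, then deliver the ticket strings to it.

        ``service`` must be allowed to proxy, ``pgturl`` must be HTTPS and
        ``pgturl`` must be an authorized callback for ``service``. The
        callback is then requested twice: once as given, to check its
        certificate, and once with ``pgtId`` and ``pgtIou`` added as query
        parameters. The second response must not carry an HTTP error status.

        Raises ``UnauthorizedServiceProxy`` when the service may not proxy
        and ``InvalidProxyCallback`` for every other failure handled here.
        """
        if not proxy_allowed(service):
            raise UnauthorizedServiceProxy("%s is not authorized to use proxy authentication" % service)

        if not is_scheme_https(pgturl):
            raise InvalidProxyCallback("Proxy callback %s is not HTTPS" % pgturl)

        if not proxy_callback_allowed(service, pgturl):
            raise InvalidProxyCallback("%s is not an authorized proxy callback URL" % pgturl)

        # Verify that the SSL certificate is valid. An unset or empty
        # REQUESTS_CA_BUNDLE both fall back to True: requests skips
        # certificate checks when ``verify`` is falsy, so passing an empty
        # string through would turn verification off.
        # NOTE(review): requests.get() follows redirects by default, so the
        # checks above apply to the first URL only -- confirm that is intended.
        verify = os.environ.get('REQUESTS_CA_BUNDLE') or True
        try:
            requests.get(pgturl, verify=verify, timeout=5)
        except requests.exceptions.SSLError:
            raise InvalidProxyCallback("SSL certificate validation failed for proxy callback %s" % pgturl)
        except requests.exceptions.RequestException as e:
            raise InvalidProxyCallback(e)

        # Callback certificate appears valid, so send the ticket strings.
        # The URL carrying pgtId/pgtIou gets its own name so that the status
        # message below names the bare callback, without ticket values.
        ticket_url = add_query_params(pgturl, {'pgtId': pgtid, 'pgtIou': pgtiou})
        try:
            response = requests.get(ticket_url, verify=verify, timeout=5)
        except requests.exceptions.RequestException as e:
            # NOTE(review): str(e) from requests can include the request URL,
            # ticket parameters included -- check where this message ends up.
            raise InvalidProxyCallback(e)

        try:
            response.raise_for_status()
        except requests.exceptions.HTTPError:
            # Report the status code rather than the exception text, which
            # repeats the full request URL.
            raise InvalidProxyCallback("Proxy callback %s returned %s" % (pgturl, response.status_code))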
Exemple #4
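    def validate_callback(self, service, pgturl, pgtid, pgtiou):
        """
        Check a proxy callback URL and hand the ticket strings over to it.

        Three checks come first: ``service`` may use proxy authentication,
        ``pgturl`` uses HTTPS, and ``pgturl`` is an authorized callback for
        ``service``. Two GET requests follow: one to the callback as given,
        to validate its certificate, and one with ``pgtId`` and ``pgtIou``
        appended as query parameters, whose HTTP status is then checked.

        Raises ``UnauthorizedServiceProxy`` if the service may not proxy and
        ``InvalidProxyCallback`` for the other failures handled here.
        """
        if not proxy_allowed(service):
            raise UnauthorizedServiceProxy("%s is not authorized to use proxy authentication" % service)

        if not is_scheme_https(pgturl):
            raise InvalidProxyCallback("Proxy callback %s is not HTTPS" % pgturl)

        if not proxy_callback_allowed(service, pgturl):
            raise InvalidProxyCallback("%s is not an authorized proxy callback URL" % pgturl)

        # Verify that the SSL certificate is valid. ``or True`` covers an
        # empty REQUESTS_CA_BUNDLE as well as an unset one: requests treats
        # a falsy ``verify`` as "do not verify", so an empty string must not
        # reach it.
        # NOTE(review): requests.get() follows redirects by default; the
        # authorization checks above only cover the URL passed in.
        verify = os.environ.get('REQUESTS_CA_BUNDLE') or True
        try:
            requests.get(pgturl, verify=verify, timeout=5)
        except requests.exceptions.SSLError:
            raise InvalidProxyCallback("SSL certificate validation failed for proxy callback %s" % pgturl)
        except requests.exceptions.RequestException as e:
            raise InvalidProxyCallback(e)

        # Callback certificate appears valid, so send the ticket strings.
        # ``pgturl`` is left untouched so the status message below does not
        # embed pgtId/pgtIou.
        delivery_url = add_query_params(pgturl, {'pgtId': pgtid, 'pgtIou': pgtiou})
        try:
            response = requests.get(delivery_url, verify=verify, timeout=5)
        except requests.exceptions.RequestException as e:
            # NOTE(review): the text of a requests exception can contain the
            # request URL with its query string -- confirm this message is
            # not logged or returned where ticket values should not appear.
            raise InvalidProxyCallback(e)

        try:
            response.raise_for_status()
        except requests.exceptions.HTTPError:
            # The HTTPError text repeats the full request URL, so only the
            # status code is reported.
            raise InvalidProxyCallback("Proxy callback %s returned %s" % (pgturl, response.status_code))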
Exemple #5
 def handle(self, **options):
     """
     Print what the configuration permits for the given service.

     Reads ``service`` and ``pgturl`` from ``options``. For a valid
     service it writes the proxy, logout and callback settings to
     ``self.stdout``; the proxy callback line appears only when a
     ``pgturl`` was supplied. An invalid service gets a single
     error-styled line.
     """
     svc = options['service']
     callback = options['pgturl']

     # Nothing else is looked up for a service that is not allowed.
     if not service_allowed(svc):
         self.stdout.write(self.style.ERROR('Invalid Service: %s' % svc))
         return

     self.stdout.write('Valid Service: %s' % svc)
     self.stdout.write('Proxy Allowed: %s' % proxy_allowed(svc))
     if callback:
         callback_ok = proxy_callback_allowed(svc, callback)
         self.stdout.write('Proxy Callback Allowed: %s' % callback_ok)
     self.stdout.write('Logout Allowed: %s' % logout_allowed(svc))
     self.stdout.write('Logout URL: %s' % get_logout_url(svc))
     self.stdout.write('Callbacks: %s' % get_callbacks(svc))
Exemple #6
    def handle(self, **options):
        """
        Report the configured permissions of a service.

        Stores ``service``, ``pgturl`` and ``verbosity`` from ``options`` on
        the instance. An invalid service produces one error-styled line.
        A valid one produces a success line, then the proxy, logout and
        callback settings at verbosity 1 and above, and the backend path at
        verbosity 2 and above.
        """
        self.service = options['service']
        self.pgturl = options['pgturl']
        self.verbosity = options['verbosity']

        if not service_allowed(self.service):
            self.stdout.write(self.style.ERROR("Invalid service: %s" % self.service))
            return

        banner = "Valid service: %s" % self.service
        try:
            self.stdout.write(self.style.SUCCESS(banner))
        except AttributeError:
            # Django 1.8 does not have the "Success" style
            self.stdout.write(self.style.SQL_FIELD(banner))

        if self.verbosity >= 1:
            self.format_output('Proxy allowed', proxy_allowed(self.service))
            if self.pgturl:
                # Only evaluated when a callback URL was passed in.
                callback_ok = proxy_callback_allowed(self.service, self.pgturl)
                self.format_output('Proxy callback allowed', callback_ok)
            self.format_output('Logout allowed', logout_allowed(self.service))
            self.format_output('Logout URL', get_logout_url(self.service))
            callback_list = ', '.join(get_callbacks(self.service))
            self.format_output('Callbacks', callback_list)

        if self.verbosity >= 2:
            self.format_output('Backend', get_backend_path(self.service))
Exemple #7
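    def validate_callback(self, service, pgturl, pgtid, pgtiou):
        """
        Verify the proxy callback URL and send the ticket strings to it.

        ``service`` must be allowed to proxy, ``pgturl`` must be HTTPS and
        ``pgturl`` must be an authorized callback for ``service``. A single
        GET request, with ``pgtId`` and ``pgtIou`` as query parameters, then
        checks the certificate and the HTTP status of the callback.

        Raises ``UnauthorizedServiceProxy`` when the service may not proxy
        and ``InvalidProxyCallback`` for the other failures handled here.
        """
        if not proxy_allowed(service):
            raise UnauthorizedServiceProxy(
                "%s is not authorized to use proxy authentication" % service)

        if not is_scheme_https(pgturl):
            raise InvalidProxyCallback("Proxy callback %s is not HTTPS" %
                                       pgturl)

        if not proxy_callback_allowed(service, pgturl):
            raise InvalidProxyCallback(
                "%s is not an authorized proxy callback URL" % pgturl)

        # Check the proxy callback URL and SSL certificate
        pgturl_params = add_query_params(pgturl, {
            'pgtId': pgtid,
            'pgtIou': pgtiou
        })
        # An unset or empty REQUESTS_CA_BUNDLE both fall back to True:
        # requests skips certificate checks when ``verify`` is falsy, so an
        # empty string must not be passed through.
        # NOTE(review): requests.get() follows redirects by default, so the
        # checks above apply to the first URL only -- confirm that is intended.
        verify = os.environ.get('REQUESTS_CA_BUNDLE') or True
        try:
            r = requests.get(pgturl_params, verify=verify, timeout=3.0)
        except requests.exceptions.SSLError:
            # SSLError is a ConnectionError subclass, so it is matched first.
            msg = "SSL cert validation failed for proxy callback %s" % pgturl
            raise InvalidProxyCallback(msg)
        except requests.exceptions.ConnectionError:
            msg = "Error connecting to proxy callback %s" % pgturl
            raise InvalidProxyCallback(msg)
        except requests.exceptions.Timeout:
            msg = "Timeout connecting to proxy callback %s" % pgturl
            raise InvalidProxyCallback(msg)
        # NOTE(review): other requests exceptions are not handled here and
        # propagate to the caller unchanged.

        # Check the returned HTTP status code
        try:
            r.raise_for_status()
        except requests.exceptions.HTTPError:
            # The HTTPError text repeats the full request URL, pgtId and
            # pgtIou included, so only the status code goes in the message.
            msg = "Proxy callback %s returned %s" % (pgturl, r.status_code)
            raise InvalidProxyCallback(msg)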