コード例 #1
    def test_redirect_allowed_hosts(self):
        """An absolute https ``next`` pointing at an allowed host is returned as-is."""
        # NOTE(review): this relies on the test class / settings treating
        # example.com as an allowed redirect host; that setup lives outside
        # this method.
        target = 'https://example.com/foo'
        request = self.factory.get('/', data={'next': target}, secure=True)

        self.assertEqual(views.get_next_url(request, 'next'), target)
コード例 #2
ファイル: views.py プロジェクト: Amsterdam/omslagroute
    def get(self, request):
        """OIDC client authentication initialization HTTP endpoint.

        Builds the authorization request for the OpenID Provider and
        redirects the browser to it.  The random ``state`` (and, when
        enabled, the ``nonce``) are written to the session together with
        the post-login ``next`` URL; the callback view is expected to
        compare them against what the provider sends back (that check is
        not part of this method).
        """
        setting = self.get_settings
        state = get_random_string(setting('OIDC_STATE_SIZE', 32))
        redirect_field_name = setting('OIDC_REDIRECT_FIELD_NAME', 'next')
        callback_name = setting('OIDC_AUTHENTICATION_CALLBACK_URL',
                                'oidc_authentication_callback')

        # redirect_uri is derived from the incoming request instead of a
        # hard-coded host so the same code serves every environment.
        params = dict(
            response_type='code',
            scope=setting('OIDC_RP_SCOPES', 'openid email'),
            client_id=self.OIDC_RP_CLIENT_ID,
            redirect_uri=absolutify(request, reverse(callback_name)),
            state=state,
        )
        params.update(self.get_extra_params(request))

        if setting('OIDC_USE_NONCE', True):
            nonce = get_random_string(setting('OIDC_NONCE_SIZE', 32))
            params['nonce'] = nonce
            request.session['oidc_nonce'] = nonce

        request.session['oidc_state'] = state
        # get_next_url is expected to validate the redirect target (its tests
        # elsewhere on this page show unsafe values collapsing to None).
        request.session['oidc_login_next'] = get_next_url(request,
                                                          redirect_field_name)

        location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
        return HttpResponseRedirect(location)
コード例 #3
ファイル: views.py プロジェクト: AnubhaAgrawal/mozillians
    def get(self, request):
        """OIDC client authentication initialization HTTP endpoint.

        This is based on the mozilla-django-oidc library.  It assembles the
        authorization request for the identity-verification flow and
        redirects the browser to the provider.  The random ``state`` and
        (optionally) ``nonce`` are stored in the session under the
        ``oidc_verify_*`` keys together with the post-login ``next`` URL;
        the callback is expected to check them (not shown here).
        """
        state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
        redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
        callback_url = nonprefixed_url('phonebook:verify_identity_callback')

        params = dict(
            response_type='code',
            scope=import_from_settings('OIDC_RP_SCOPES', 'openid email'),
            client_id=self.OIDC_RP_VERIFICATION_CLIENT_ID,
            redirect_uri=absolutify(request, callback_url),
            state=state,
        )

        if import_from_settings('OIDC_USE_NONCE', True):
            nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
            params['nonce'] = nonce
            request.session['oidc_verify_nonce'] = nonce

        # Parameter that disables silent authentication at the provider.
        params['tried_silent_auth'] = settings.OIDC_TRIED_SILENT_AUTH

        request.session['oidc_verify_state'] = state
        # get_next_url is expected to reject unsafe redirect targets.
        request.session['oidc_login_next'] = get_next_url(request, redirect_field_name)

        location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
        return HttpResponseRedirect(location)
コード例 #4
    def test_redirect_https_not_required(self):
        """With HTTPS not required, a secure request may redirect to an http ``next``."""
        # NOTE(review): the "not required" configuration presumably comes from
        # the enclosing test class; it is not visible in this method.
        target = 'http://testserver/foo'
        request = self.factory.get('/', data={'next': target}, secure=True)

        self.assertEqual(views.get_next_url(request, 'next'), target)
コード例 #5
    def test_https(self):
        """On an HTTPS request an https ``next`` is kept and an http one is dropped."""
        # First case works with all Djangos; the second must yield None so a
        # user who arrived over HTTPS is never sent on to a cleartext page.
        cases = [
            ('https://testserver/foo', 'https://testserver/foo'),
            ('http://testserver/foo', None),
        ]
        for target, expected in cases:
            request = self.factory.get(
                '/',
                data={'next': target},
                secure=True,
            )
            self.assertEqual(request.is_secure(), True)
            self.assertEqual(views.get_next_url(request, 'next'), expected)
コード例 #6
    def test_good_urls(self):
        """Relative paths and same-host absolute URLs pass through unchanged."""
        accepted = (
            '/',
            '/foo',
            '/foo?bar=baz',
            'http://testserver/foo',
        )
        for target in accepted:
            request = self.build_request(next_url=target)
            self.assertEqual(views.get_next_url(request, 'next'), target)
コード例 #7
    def get(self, request):
        """OIDC client authentication initialization HTTP endpoint.

        This is based on the mozilla-django-oidc library.  It builds the
        authorization request for the identity-verification flow (with an
        explicit ``prompt``) and redirects the browser to the provider.
        The random ``state`` and optional ``nonce`` go into the session
        under the ``oidc_verify_*`` keys together with the post-login
        ``next`` URL, for the callback to check (not shown here).
        """
        state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
        redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME',
                                                   'next')
        callback_url = nonprefixed_url('phonebook:verify_identity_callback')

        params = dict(
            response_type='code',
            scope=import_from_settings('OIDC_RP_SCOPES', 'openid email profile'),
            client_id=self.OIDC_RP_VERIFICATION_CLIENT_ID,
            redirect_uri=absolutify(request, callback_url),
            state=state,
            prompt=settings.OIDC_PROMPT,
        )

        if import_from_settings('OIDC_USE_NONCE', True):
            nonce = get_random_string(
                import_from_settings('OIDC_NONCE_SIZE', 32))
            params['nonce'] = nonce
            request.session['oidc_verify_nonce'] = nonce

        # Disables silent authentication and the LDAP check for
        # AUTO_VOUCH_DOMAINS, so users can verify AUTO_VOUCH_DOMAINS
        # addresses as contact identities.
        params['account_linking'] = settings.OIDC_ACCOUNT_LINKING

        request.session['oidc_verify_state'] = state
        # get_next_url is expected to reject unsafe redirect targets.
        request.session['oidc_login_next'] = get_next_url(request,
                                                          redirect_field_name)

        location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
        return HttpResponseRedirect(location)
コード例 #8
    def test_bad_urls(self):
        """Every unsafe ``next`` value is rejected and collapses to ``None``."""
        # NOTE(willkg): Test data taken from the Django is_safe_url tests.
        # Covers foreign hosts, scheme/slash confusion, javascript: and
        # control-character prefixes, and userinfo tricks such as
        # "http://otherserver\@example.com".
        # NOTE(review): the "[email protected]" entries look like an
        # extraction artifact of the upstream test data; confirm against
        # Django's is_safe_url tests before relying on them.
        rejected = (
            '',
            'http://example.com',
            'http:///example.com',
            'https://example.com',
            'ftp://example.com',
            r'\\example.com',
            r'\\\example.com',
            r'/\\/example.com',
            r'\\\example.com',
            r'\\example.com',
            r'\\//example.com',
            r'/\/example.com',
            r'\/example.com',
            r'/\example.com',
            'http:///example.com',
            r'http:/\//example.com',
            r'http:\/example.com',
            r'http:/\example.com',
            'javascript:alert("XSS")',
            '\njavascript:alert(x)',
            '\x08//example.com',
            r'http://otherserver\@example.com',
            r'http:\\testserver\@example.com',
            r'http://testserver\me:[email protected]',
            r'http://testserver\@example.com',
            r'http:\\testserver\confirm\[email protected]',
            'http:999999999',
            'ftp:9999999999',
            '\n',
        )
        for target in rejected:
            request = self.build_request(next_url=target)
            self.assertEqual(views.get_next_url(request, 'next'), None)
コード例 #9
ファイル: views.py プロジェクト: yahkrivetko/mozillians
    def get(self, request):
        """OIDC client authentication initialization HTTP endpoint.

        This is based on the mozilla-django-oidc library.  It builds the
        authorization request for the identity-verification flow (with an
        explicit ``prompt``) and redirects the browser to the provider.
        The random ``state`` and optional ``nonce`` are stored in the
        session under the ``oidc_verify_*`` keys along with the post-login
        ``next`` URL, for the callback to check (not shown here).
        """
        state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
        redirect_field_name = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
        callback_url = nonprefixed_url('phonebook:verify_identity_callback')

        params = dict(
            response_type='code',
            scope=import_from_settings('OIDC_RP_SCOPES', 'openid email'),
            client_id=self.OIDC_RP_VERIFICATION_CLIENT_ID,
            redirect_uri=absolutify(request, callback_url),
            state=state,
            prompt=settings.OIDC_PROMPT,
        )

        if import_from_settings('OIDC_USE_NONCE', True):
            nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
            params['nonce'] = nonce
            request.session['oidc_verify_nonce'] = nonce

        # Disables silent authentication and the LDAP check for
        # AUTO_VOUCH_DOMAINS, so users can verify AUTO_VOUCH_DOMAINS
        # addresses as contact identities.
        params['account_linking'] = settings.OIDC_ACCOUNT_LINKING

        request.session['oidc_verify_state'] = state
        # get_next_url is expected to reject unsafe redirect targets.
        request.session['oidc_login_next'] = get_next_url(request, redirect_field_name)

        location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
        return HttpResponseRedirect(location)
コード例 #10
 def test_non_next_param(self):
     """The redirect field name is configurable; a non-``next`` name is honoured."""
     field = 'redirectto'
     request = self.factory.get('/', data={field: '/foo'})
     self.assertEqual(views.get_next_url(request, field), '/foo')
コード例 #11
 def test_no_param(self):
     """A request without the redirect field yields ``None`` rather than a default."""
     request = self.factory.get('/')
     self.assertEqual(views.get_next_url(request, 'next'), None)