def test_redirect_allowed_hosts(self):
    """An absolute HTTPS ``next`` to example.com survives get_next_url().

    The test name implies example.com is configured as an allowed host in
    the fixture set up outside this block — confirm there if this fails.
    """
    target = 'https://example.com/foo'
    request = self.factory.get('/', data={'next': target}, secure=True)
    self.assertEqual(views.get_next_url(request, 'next'), target)
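def get(self, request):
    """OIDC client authentication initialization HTTP endpoint.

    Builds the authorization request for the OpenID Provider and redirects
    the browser to it. A fresh ``state`` (and ``nonce`` when
    ``OIDC_USE_NONCE`` is on) is generated per request and stored in the
    session alongside the validated post-login target, presumably so the
    callback view can compare them — that check is not visible here.

    Args:
        request: the incoming Django ``HttpRequest``.

    Returns:
        ``HttpResponseRedirect`` to ``self.OIDC_OP_AUTH_ENDPOINT`` with the
        urlencoded authorization parameters as its query string.
    """
    state = get_random_string(self.get_settings('OIDC_STATE_SIZE', 32))
    redirect_field_name = self.get_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
    reverse_url = self.get_settings(
        'OIDC_AUTHENTICATION_CALLBACK_URL', 'oidc_authentication_callback')

    params = {
        'response_type': 'code',
        'scope': self.get_settings('OIDC_RP_SCOPES', 'openid email'),
        'client_id': self.OIDC_RP_CLIENT_ID,
        # The callback URL is derived from the request (host validated by
        # Django before this runs) instead of a hard-coded deployment URL;
        # the previously commented-out fixed URL was dropped as dead code.
        'redirect_uri': absolutify(request, reverse(reverse_url)),
        'state': state,
    }
    params.update(self.get_extra_params(request))

    if self.get_settings('OIDC_USE_NONCE', True):
        nonce = get_random_string(self.get_settings('OIDC_NONCE_SIZE', 32))
        params['nonce'] = nonce
        request.session['oidc_nonce'] = nonce

    request.session['oidc_state'] = state
    # get_next_url() is the place that rejects unsafe redirect targets; only
    # its result (which may be None) is remembered for after login.
    request.session['oidc_login_next'] = get_next_url(request, redirect_field_name)

    query = urlencode(params)
    redirect_url = '{url}?{query}'.format(url=self.OIDC_OP_AUTH_ENDPOINT, query=query)
    return HttpResponseRedirect(redirect_url)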
def get(self, request):
    """OIDC client authentication initialization HTTP endpoint.

    This is based on the mozilla-django-oidc library.

    Assembles the authorization request for the identity-verification
    flow and redirects to the OP. The generated ``state`` (and ``nonce``
    if enabled) is kept in the session under the ``oidc_verify_*`` keys
    together with the validated ``next`` target, presumably for the
    verification callback to check.

    Args:
        request: the incoming Django ``HttpRequest``.

    Returns:
        ``HttpResponseRedirect`` to ``self.OIDC_OP_AUTH_ENDPOINT``.
    """
    state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
    next_field = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
    callback_uri = absolutify(
        request, nonprefixed_url('phonebook:verify_identity_callback'))

    params = {
        'response_type': 'code',
        'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'),
        'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
        'redirect_uri': callback_uri,
        'state': state,
    }

    use_nonce = import_from_settings('OIDC_USE_NONCE', True)
    if use_nonce:
        nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
        params['nonce'] = nonce
        request.session['oidc_verify_nonce'] = nonce

    # Add parameter to disable silent authentication
    params['tried_silent_auth'] = settings.OIDC_TRIED_SILENT_AUTH

    request.session['oidc_verify_state'] = state
    request.session['oidc_login_next'] = get_next_url(request, next_field)

    location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
    return HttpResponseRedirect(location)
def test_redirect_https_not_required(self):
    """A plain-HTTP ``next`` on the test server is accepted from an HTTPS request."""
    target = 'http://testserver/foo'
    request = self.factory.get('/', data={'next': target}, secure=True)
    self.assertEqual(views.get_next_url(request, 'next'), target)
def test_https(self):
    """HTTPS requests only accept an HTTPS ``next``; an HTTP one yields None."""
    # HTTPS request with an HTTPS next url: accepted on every Django version.
    secure_request = self.factory.get(
        '/',
        data={'next': 'https://testserver/foo'},
        secure=True,
    )
    self.assertEqual(secure_request.is_secure(), True)
    self.assertEqual(
        views.get_next_url(secure_request, 'next'),
        'https://testserver/foo',
    )

    # HTTPS request with an HTTP next url: rejected (downgrade to plain HTTP).
    downgrade_request = self.factory.get(
        '/',
        data={'next': 'http://testserver/foo'},
        secure=True,
    )
    self.assertEqual(downgrade_request.is_secure(), True)
    self.assertEqual(views.get_next_url(downgrade_request, 'next'), None)
def test_good_urls(self):
    """Relative paths and same-host absolute URLs come back unchanged."""
    accepted = (
        '/',
        '/foo',
        '/foo?bar=baz',
        'http://testserver/foo',
    )
    for candidate in accepted:
        request = self.build_request(next_url=candidate)
        self.assertEqual(views.get_next_url(request, 'next'), candidate)
def get(self, request):
    """OIDC client authentication initialization HTTP endpoint.

    This is based on the mozilla-django-oidc library.

    Builds the authorization request for the identity-verification flow
    (default scopes ``openid email profile``, ``prompt`` taken from
    ``settings.OIDC_PROMPT``) and redirects to the OP. ``state`` and, when
    enabled, ``nonce`` are stored in the session under ``oidc_verify_*``
    together with the validated ``next`` target, presumably for the
    verification callback to check.

    Args:
        request: the incoming Django ``HttpRequest``.

    Returns:
        ``HttpResponseRedirect`` to ``self.OIDC_OP_AUTH_ENDPOINT``.
    """
    state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
    next_field = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
    callback_uri = absolutify(
        request, nonprefixed_url('phonebook:verify_identity_callback'))

    params = {
        'response_type': 'code',
        'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email profile'),
        'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
        'redirect_uri': callback_uri,
        'state': state,
        'prompt': settings.OIDC_PROMPT,
    }

    use_nonce = import_from_settings('OIDC_USE_NONCE', True)
    if use_nonce:
        nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
        params['nonce'] = nonce
        request.session['oidc_verify_nonce'] = nonce

    # Add parameter to disable silent authentication and the LDAP check for
    # AUTO_VOUCH_DOMAINS. This will allow users to verify AUTO_VOUCH_DOMAINS
    # as contact identities.
    params['account_linking'] = settings.OIDC_ACCOUNT_LINKING

    request.session['oidc_verify_state'] = state
    request.session['oidc_login_next'] = get_next_url(request, next_field)

    location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
    return HttpResponseRedirect(location)
def test_bad_urls(self):
    """Every unsafe or malformed ``next`` value is rejected with None.

    Covers empty values, other hosts, non-http schemes, backslash and
    control-character tricks, and userinfo-based host confusion.
    """
    # NOTE(willkg): Test data taken from the Django is_safe_url tests.
    # NOTE(review): the '[email protected]' entries look like an
    # extraction artifact of obfuscated addresses — confirm against upstream.
    rejected = (
        '',
        'http://example.com',
        'http:///example.com',
        'https://example.com',
        'ftp://example.com',
        r'\\example.com',
        r'\\\example.com',
        r'/\\/example.com',
        r'\\\example.com',
        r'\\example.com',
        r'\\//example.com',
        r'/\/example.com',
        r'\/example.com',
        r'/\example.com',
        'http:///example.com',
        r'http:/\//example.com',
        r'http:\/example.com',
        r'http:/\example.com',
        'javascript:alert("XSS")',
        '\njavascript:alert(x)',
        '\x08//example.com',
        r'http://otherserver\@example.com',
        r'http:\\testserver\@example.com',
        r'http://testserver\me:[email protected]',
        r'http://testserver\@example.com',
        r'http:\\testserver\confirm\[email protected]',
        'http:999999999',
        'ftp:9999999999',
        '\n',
    )
    for candidate in rejected:
        request = self.build_request(next_url=candidate)
        self.assertEqual(views.get_next_url(request, 'next'), None)
def get(self, request):
    """OIDC client authentication initialization HTTP endpoint.

    This is based on the mozilla-django-oidc library.

    Builds the authorization request for the identity-verification flow
    (``prompt`` taken from ``settings.OIDC_PROMPT``) and redirects to the
    OP. ``state`` and, when enabled, ``nonce`` are stored in the session
    under ``oidc_verify_*`` together with the validated ``next`` target,
    presumably for the verification callback to check.

    Args:
        request: the incoming Django ``HttpRequest``.

    Returns:
        ``HttpResponseRedirect`` to ``self.OIDC_OP_AUTH_ENDPOINT``.
    """
    state = get_random_string(import_from_settings('OIDC_STATE_SIZE', 32))
    next_field = import_from_settings('OIDC_REDIRECT_FIELD_NAME', 'next')
    callback_uri = absolutify(
        request, nonprefixed_url('phonebook:verify_identity_callback'))

    params = {
        'response_type': 'code',
        'scope': import_from_settings('OIDC_RP_SCOPES', 'openid email'),
        'client_id': self.OIDC_RP_VERIFICATION_CLIENT_ID,
        'redirect_uri': callback_uri,
        'state': state,
        'prompt': settings.OIDC_PROMPT,
    }

    use_nonce = import_from_settings('OIDC_USE_NONCE', True)
    if use_nonce:
        nonce = get_random_string(import_from_settings('OIDC_NONCE_SIZE', 32))
        params['nonce'] = nonce
        request.session['oidc_verify_nonce'] = nonce

    # Add parameter to disable silent authentication and the LDAP check for
    # AUTO_VOUCH_DOMAINS. This will allow users to verify AUTO_VOUCH_DOMAINS
    # as contact identities.
    params['account_linking'] = settings.OIDC_ACCOUNT_LINKING

    request.session['oidc_verify_state'] = state
    request.session['oidc_login_next'] = get_next_url(request, next_field)

    location = '%s?%s' % (self.OIDC_OP_AUTH_ENDPOINT, urlencode(params))
    return HttpResponseRedirect(location)
def test_non_next_param(self):
    """The redirect field name is honoured when it is not ``next``."""
    request = self.factory.get('/', data={'redirectto': '/foo'})
    self.assertEqual(views.get_next_url(request, 'redirectto'), '/foo')
def test_no_param(self):
    """Without a ``next`` parameter there is nothing to redirect to: None."""
    request = self.factory.get('/')
    self.assertEqual(views.get_next_url(request, 'next'), None)