providers/oauth2: improve error handling for invalid regular expressions
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
6460245d5e
commit
8c9748e4a0
|
@ -78,6 +78,28 @@ class TestAuthorize(OAuthTestCase):
|
||||||
)
|
)
|
||||||
OAuthAuthorizationParams.from_request(request)
|
OAuthAuthorizationParams.from_request(request)
|
||||||
|
|
||||||
|
def test_invalid_redirect_uri_regex(self):
|
||||||
|
"""test missing/invalid redirect URI"""
|
||||||
|
OAuth2Provider.objects.create(
|
||||||
|
name="test",
|
||||||
|
client_id="test",
|
||||||
|
authorization_flow=create_test_flow(),
|
||||||
|
redirect_uris="*",
|
||||||
|
)
|
||||||
|
with self.assertRaises(RedirectUriError):
|
||||||
|
request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
|
||||||
|
OAuthAuthorizationParams.from_request(request)
|
||||||
|
with self.assertRaises(RedirectUriError):
|
||||||
|
request = self.factory.get(
|
||||||
|
"/",
|
||||||
|
data={
|
||||||
|
"response_type": "code",
|
||||||
|
"client_id": "test",
|
||||||
|
"redirect_uri": "http://localhost",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
OAuthAuthorizationParams.from_request(request)
|
||||||
|
|
||||||
def test_empty_redirect_uri(self):
|
def test_empty_redirect_uri(self):
|
||||||
"""test empty redirect URI (configure in provider)"""
|
"""test empty redirect URI (configure in provider)"""
|
||||||
OAuth2Provider.objects.create(
|
OAuth2Provider.objects.create(
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
"""authentik OAuth2 Authorization views"""
|
"""authentik OAuth2 Authorization views"""
|
||||||
from dataclasses import dataclass, field
|
from dataclasses import dataclass, field
|
||||||
from datetime import timedelta
|
from datetime import timedelta
|
||||||
|
from re import error as RegexError
|
||||||
from re import fullmatch
|
from re import fullmatch
|
||||||
from typing import Optional
|
from typing import Optional
|
||||||
from urllib.parse import parse_qs, urlencode, urlparse, urlsplit, urlunsplit
|
from urllib.parse import parse_qs, urlencode, urlparse, urlsplit, urlunsplit
|
||||||
|
@ -184,6 +185,7 @@ class OAuthAuthorizationParams:
|
||||||
self.provider.save()
|
self.provider.save()
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||||
|
|
||||||
|
try:
|
||||||
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Invalid redirect uri",
|
"Invalid redirect uri",
|
||||||
|
@ -191,6 +193,9 @@ class OAuthAuthorizationParams:
|
||||||
excepted=allowed_redirect_urls,
|
excepted=allowed_redirect_urls,
|
||||||
)
|
)
|
||||||
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
||||||
|
except RegexError as exc:
|
||||||
|
LOGGER.warning("Invalid regular expression configured", exc=exc)
|
||||||
|
raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
|
||||||
if self.request:
|
if self.request:
|
||||||
raise AuthorizeError(
|
raise AuthorizeError(
|
||||||
self.redirect_uri, "request_not_supported", self.grant_type, self.state
|
self.redirect_uri, "request_not_supported", self.grant_type, self.state
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
from base64 import urlsafe_b64encode
|
from base64 import urlsafe_b64encode
|
||||||
from dataclasses import InitVar, dataclass
|
from dataclasses import InitVar, dataclass
|
||||||
from hashlib import sha256
|
from hashlib import sha256
|
||||||
|
from re import error as RegexError
|
||||||
from re import fullmatch
|
from re import fullmatch
|
||||||
from typing import Any, Optional
|
from typing import Any, Optional
|
||||||
|
|
||||||
|
@ -149,6 +150,7 @@ class TokenParams:
|
||||||
allowed_redirect_urls = self.provider.redirect_uris.split()
|
allowed_redirect_urls = self.provider.redirect_uris.split()
|
||||||
# At this point, no provider should have a blank redirect_uri, in case they do
|
# At this point, no provider should have a blank redirect_uri, in case they do
|
||||||
# this will check an empty array and raise an error
|
# this will check an empty array and raise an error
|
||||||
|
try:
|
||||||
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
if not any(fullmatch(x, self.redirect_uri) for x in allowed_redirect_urls):
|
||||||
LOGGER.warning(
|
LOGGER.warning(
|
||||||
"Invalid redirect uri",
|
"Invalid redirect uri",
|
||||||
|
@ -156,6 +158,9 @@ class TokenParams:
|
||||||
excepted=allowed_redirect_urls,
|
excepted=allowed_redirect_urls,
|
||||||
)
|
)
|
||||||
raise TokenError("invalid_client")
|
raise TokenError("invalid_client")
|
||||||
|
except RegexError as exc:
|
||||||
|
LOGGER.warning("Invalid regular expression configured", exc=exc)
|
||||||
|
raise TokenError("invalid_client")
|
||||||
|
|
||||||
try:
|
try:
|
||||||
self.authorization_code = AuthorizationCode.objects.get(code=raw_code)
|
self.authorization_code = AuthorizationCode.objects.get(code=raw_code)
|
||||||
|
|
Reference in a new issue