idp_oidc: ensure client is in an ou when authz is by ou (#47159)

Paul Marillonnet 2020-09-30 10:06:57 +02:00
parent e52ebd5706
commit dbf6059678
2 changed files with 9 additions and 0 deletions


@ -244,6 +244,10 @@ class OIDCClient(Service):
elif sector_identifier != hostname:
raise ValueError('all redirect_uri do not have the same hostname')
elif self.authorization_mode == self.AUTHORIZATION_MODE_BY_OU:
if not self.ou:
raise ValidationError(
_('OU-based authorization requires that the client be '
'within an OU.'))
sector_identifier = self.ou.slug
else:
raise NotImplementedError('unknown self.authorization_mode %s' % self.authorization_mode)
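Review bot: The new `if not self.ou:` guard lives only in clean(), so a client whose `ou` is cleared, or that is created through a path that never calls full_clean() (e.g. a direct `objects.create` or a later update that switches `authorization_mode` without re-validating), can still reach `sector_identifier = self.ou.slug` elsewhere with `ou=None` and fail with an AttributeError instead of this message; if OU-based authorization is a security boundary, a database-level rule (a CheckConstraint on `authorization_mode`/`ou` in Meta, if this is a Django model as `ValidationError` and `_` suggest) or an equivalent guard at the point where the sector identifier is consumed would enforce it independently of the form path. Separately, the error is raised unbound, so a form will show it as a non-field error; binding it to the field, `raise ValidationError({'ou': _('OU-based authorization requires that the client be within an OU.')})`, points the admin at the value to fix. The enclosing clean() method starts and ends outside the hunk.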


@ -1618,6 +1618,11 @@ def test_oidc_client_clean():
redirect_uris='https://example.com/ https://example2.com/',
identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
with pytest.raises(ValidationError, match=r'within an OU'):
OIDCClient(
authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU,
ou=None).clean()
OIDCClient(
redirect_uris='https://example.com/ https://example2.com/',
sector_identifier_uri='https://example.com/').clean()
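Review bot: The added case only exercises the failure path; there is no assertion that a client with `AUTHORIZATION_MODE_BY_OU` and an OU set passes clean() and that its sector identifier is derived from the OU slug, so a regression that makes the guard fire unconditionally would still pass this test. A positive check right after the `pytest.raises` block, along the lines of `OIDCClient(authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU, ou=<an OU instance or fixture from this test module>).clean()`, would pin both branches. The enclosing test_oidc_client_clean starts outside the hunk, so whether an OU fixture is already available there cannot be confirmed from this view.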