auth_oidc: normalize unicode strings (#48174)

Benjamin Dauvergne 2020-11-02 13:58:41 +01:00
parent 5d28c9034c
commit 8b89b7cadc
3 changed files with 29 additions and 30 deletions


@ -31,7 +31,7 @@ class Plugin(object):
data={'token': access_token, 'token_type': 'access_token'},
timeout=10)
except requests.RequestException as e:
logger.warning(u'failed to revoke access token from OIDC provider %s: %s',
logger.warning('failed to revoke access token from OIDC provider %s: %s',
provider.issuer, e)
return
try:
@ -41,10 +41,10 @@ class Plugin(object):
content = response.json()
except ValueError:
content = None
logger.warning(u'failed to revoke access token from OIDC provider %s: %s, %s',
logger.warning('failed to revoke access token from OIDC provider %s: %s, %s',
provider.issuer, e, content)
return
logger.info(u'revoked token from OIDC provider %s', provider.issuer)
logger.info('revoked token from OIDC provider %s', provider.issuer)
def redirect_logout_list(self, request, next=None):
from django.urls import reverse


@ -46,13 +46,13 @@ class OIDCBackend(ModelBackend):
id_token = utils.IDToken(id_token)
id_token.deserialize(provider)
except utils.IDTokenError as e:
logger.warning(u'auth_oidc: invalid id_token %s: %s', original_id_token, e)
logger.warning('auth_oidc: invalid id_token %s: %s', original_id_token, e)
return None
try:
provider = utils.get_provider_by_issuer(id_token.iss)
except models.OIDCProvider.DoesNotExist:
logger.warning(u'auth_oidc: unknown issuer "%s"', id_token.iss)
logger.warning('auth_oidc: unknown issuer "%s"', id_token.iss)
return None
key_or_keyset = None
@ -86,20 +86,20 @@ class OIDCBackend(ModelBackend):
jwt.claims
if isinstance(id_token.aud, six.text_type) and provider.client_id != id_token.aud:
logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s',
logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
id_token.aud, provider.client_id)
return None
if isinstance(id_token.aud, list):
if provider.client_id not in id_token.aud:
logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s',
logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
id_token.aud, provider.client_id)
return None
if len(id_token.aud) > 1 and 'azp' not in id_token:
logger.warning(u'auth_oidc: multiple audience and azp not set',
logger.warning('auth_oidc: multiple audience and azp not set',
id_token.aud, provider.client_id)
return None
if id_token.azp != provider.client_id:
logger.warning(u'auth_oidc: multiple audience and azp %r does not match client_id'
logger.warning('auth_oidc: multiple audience and azp %r does not match client_id'
' %r',
id_token.azp, provider.client_id)
return None
@ -131,7 +131,7 @@ class OIDCBackend(ModelBackend):
except User.DoesNotExist:
pass
else:
logger.info(u'auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub,
logger.info('auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub,
user)
else:
@ -142,7 +142,7 @@ class OIDCBackend(ModelBackend):
except User.DoesNotExist:
pass
else:
logger.info(u'auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
logger.info('auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
need_user_info = False
for claim_mapping in provider.claim_mappings.all():
need_user_info = need_user_info or not claim_mapping.idtoken_claim
@ -160,12 +160,12 @@ class OIDCBackend(ModelBackend):
})
response.raise_for_status()
except requests.RequestException as e:
logger.warning(u'auth_oidc: failed to retrieve user info %s', e)
logger.warning('auth_oidc: failed to retrieve user info %s', e)
else:
try:
user_info = response.json()
except ValueError as e:
logger.warning(u'auth_oidc: bad JSON in user info response, %s (%r)', e,
logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e,
response.content)
# check for required claims
@ -173,15 +173,15 @@ class OIDCBackend(ModelBackend):
claim = claim_mapping.claim
if claim_mapping.required:
if '{{' in claim or '{%' in claim:
logger.warning(u'claim \'%r\' is templated, it cannot be set as required')
logger.warning('claim \'%r\' is templated, it cannot be set as required')
elif claim_mapping.idtoken_claim and claim not in id_token:
logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
u'id_token (%r)',
logger.warning('auth_oidc: cannot create user missing required claim %r in '
'id_token (%r)',
claim, id_token)
return None
elif not user_info or claim not in user_info:
logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
u'user_info (%r)', claim, user_info)
logger.warning('auth_oidc: cannot create user missing required claim %r in '
'user_info (%r)', claim, user_info)
return None
# map claims to attributes or user fields
@ -252,16 +252,16 @@ class OIDCBackend(ModelBackend):
oidc_account.sub = id_token.sub
oidc_account.save()
else:
logger.warning(u'auth_oidc: cannot create user for sub %r as issuer %r does not'
u' allow it', id_token.sub, id_token.iss)
logger.warning('auth_oidc: cannot create user for sub %r as issuer %r does not'
' allow it', id_token.sub, id_token.iss)
return None
if created:
logger.info(u'auth_oidc: created user %s for sub %s and issuer %s',
logger.info('auth_oidc: created user %s for sub %s and issuer %s',
user, id_token.sub, id_token.iss)
if linked:
logger.info(u'auth_oidc: linked user %s to sub %s and issuer %s',
logger.info('auth_oidc: linked user %s to sub %s and issuer %s',
user, id_token.sub, id_token.iss)
# legacy attributes
@ -269,7 +269,7 @@ class OIDCBackend(ModelBackend):
if attribute not in ('username', 'first_name', 'last_name', 'email'):
continue
if getattr(user, attribute) != value:
logger.info(u'auth_oidc: set user %s attribute %s to value %s',
logger.info('auth_oidc: set user %s attribute %s to value %s',
user, attribute, value)
setattr(user, attribute, value)
if attribute == 'email' and verified:
@ -277,7 +277,7 @@ class OIDCBackend(ModelBackend):
save_user = True
if user.ou != user_ou:
logger.info(u'auth_oidc: set user %s ou to %s',
logger.info('auth_oidc: set user %s ou to %s',
user, user_ou)
user.ou = user_ou
save_user = True
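Review bot: The call `logger.warning('auth_oidc: multiple audience and azp not set', id_token.aud, provider.client_id)` passes two arguments to a format string with no placeholders, so the logging formatter raises `TypeError` inside the handler, which routes it to `handleError` and drops the record — the one branch that rejects a multi-audience token without `azp` leaves no usable audit line. Change it to `logger.warning('auth_oidc: multiple audience %r and azp not set (client_id %r)', id_token.aud, provider.client_id)`. The opposite mismatch is in `logger.warning('claim \'%r\' is templated, it cannot be set as required')`, which has a `%r` but no argument and therefore logs the literal placeholder; pass `claim`, and since that branch neither returns nor falls through to the `required` checks, the message should state that the `required` flag is being ignored for that mapping (e.g. `'auth_oidc: required claim %r is templated, required flag ignored'`). The enclosing method starts before the first hunk and continues past the last, so the surrounding control flow is inferred from the visible context only.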


@ -225,13 +225,13 @@ class OIDCClaimMapping(models.Model):
return (self.claim, self.attribute, self.verified, self.required)
def __str__(self):
s = u'{0} -> {1}'.format(self.claim, self.attribute)
s = '{0} -> {1}'.format(self.claim, self.attribute)
if self.verified:
s += u', verified'
s += ', verified'
if self.required:
s += u', required'
s += ', required'
if self.idtoken_claim:
s += u', idtoken'
s += ', idtoken'
return s
def __repr__(self):
@ -262,8 +262,7 @@ class OIDCAccount(models.Model):
max_length=256)
def __str__(self):
return u'{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer,
self.user)
return '{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer, self.user)
def __repr__(self):
return '<OIDCAccount %r on %r>' % (self.sub, self.provider and self.provider.issuer)
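Review bot: Joining the `__str__` return into a single line, `return '{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer, self.user)`, pushes it well past the ~100-column width the rest of this diff keeps, so the original two-line wrap should be kept after the `u` prefix is dropped. Nothing else in this section changes behavior.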