auth_oidc: normalize unicode strings (#48174)
parent
5d28c9034c
commit
8b89b7cadc
@ -31,7 +31,7 @@ class Plugin(object):
|
|||
data={'token': access_token, 'token_type': 'access_token'},
|
||||
timeout=10)
|
||||
except requests.RequestException as e:
|
||||
logger.warning(u'failed to revoke access token from OIDC provider %s: %s',
|
||||
logger.warning('failed to revoke access token from OIDC provider %s: %s',
|
||||
provider.issuer, e)
|
||||
return
|
||||
try:
|
||||
|
@ -41,10 +41,10 @@ class Plugin(object):
|
|||
content = response.json()
|
||||
except ValueError:
|
||||
content = None
|
||||
logger.warning(u'failed to revoke access token from OIDC provider %s: %s, %s',
|
||||
logger.warning('failed to revoke access token from OIDC provider %s: %s, %s',
|
||||
provider.issuer, e, content)
|
||||
return
|
||||
logger.info(u'revoked token from OIDC provider %s', provider.issuer)
|
||||
logger.info('revoked token from OIDC provider %s', provider.issuer)
|
||||
|
||||
def redirect_logout_list(self, request, next=None):
|
||||
from django.urls import reverse
|
@ -46,13 +46,13 @@ class OIDCBackend(ModelBackend):
|
|||
id_token = utils.IDToken(id_token)
|
||||
id_token.deserialize(provider)
|
||||
except utils.IDTokenError as e:
|
||||
logger.warning(u'auth_oidc: invalid id_token %s: %s', original_id_token, e)
|
||||
logger.warning('auth_oidc: invalid id_token %s: %s', original_id_token, e)
|
||||
return None
|
||||
|
||||
try:
|
||||
provider = utils.get_provider_by_issuer(id_token.iss)
|
||||
except models.OIDCProvider.DoesNotExist:
|
||||
logger.warning(u'auth_oidc: unknown issuer "%s"', id_token.iss)
|
||||
logger.warning('auth_oidc: unknown issuer "%s"', id_token.iss)
|
||||
return None
|
||||
|
||||
key_or_keyset = None
|
||||
|
@ -86,20 +86,20 @@ class OIDCBackend(ModelBackend):
|
|||
jwt.claims
|
||||
|
||||
if isinstance(id_token.aud, six.text_type) and provider.client_id != id_token.aud:
|
||||
logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s',
|
||||
logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
|
||||
id_token.aud, provider.client_id)
|
||||
return None
|
||||
if isinstance(id_token.aud, list):
|
||||
if provider.client_id not in id_token.aud:
|
||||
logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s',
|
||||
logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s',
|
||||
id_token.aud, provider.client_id)
|
||||
return None
|
||||
if len(id_token.aud) > 1 and 'azp' not in id_token:
|
||||
logger.warning(u'auth_oidc: multiple audience and azp not set',
|
||||
logger.warning('auth_oidc: multiple audience and azp not set',
|
||||
id_token.aud, provider.client_id)
|
||||
return None
|
||||
if id_token.azp != provider.client_id:
|
||||
logger.warning(u'auth_oidc: multiple audience and azp %r does not match client_id'
|
||||
logger.warning('auth_oidc: multiple audience and azp %r does not match client_id'
|
||||
' %r',
|
||||
id_token.azp, provider.client_id)
|
||||
return None
|
||||
|
@ -131,7 +131,7 @@ class OIDCBackend(ModelBackend):
|
|||
except User.DoesNotExist:
|
||||
pass
|
||||
else:
|
||||
logger.info(u'auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub,
|
||||
logger.info('auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub,
|
||||
user)
|
||||
|
||||
else:
|
||||
|
@ -142,7 +142,7 @@ class OIDCBackend(ModelBackend):
|
|||
except User.DoesNotExist:
|
||||
pass
|
||||
else:
|
||||
logger.info(u'auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
|
||||
logger.info('auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
|
||||
need_user_info = False
|
||||
for claim_mapping in provider.claim_mappings.all():
|
||||
need_user_info = need_user_info or not claim_mapping.idtoken_claim
|
||||
|
@ -160,12 +160,12 @@ class OIDCBackend(ModelBackend):
|
|||
})
|
||||
response.raise_for_status()
|
||||
except requests.RequestException as e:
|
||||
logger.warning(u'auth_oidc: failed to retrieve user info %s', e)
|
||||
logger.warning('auth_oidc: failed to retrieve user info %s', e)
|
||||
else:
|
||||
try:
|
||||
user_info = response.json()
|
||||
except ValueError as e:
|
||||
logger.warning(u'auth_oidc: bad JSON in user info response, %s (%r)', e,
|
||||
logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e,
|
||||
response.content)
|
||||
|
||||
# check for required claims
|
||||
|
@ -173,15 +173,15 @@ class OIDCBackend(ModelBackend):
|
|||
claim = claim_mapping.claim
|
||||
if claim_mapping.required:
|
||||
if '{{' in claim or '{%' in claim:
|
||||
logger.warning(u'claim \'%r\' is templated, it cannot be set as required')
|
||||
logger.warning('claim \'%r\' is templated, it cannot be set as required')
|
||||
elif claim_mapping.idtoken_claim and claim not in id_token:
|
||||
logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
|
||||
u'id_token (%r)',
|
||||
logger.warning('auth_oidc: cannot create user missing required claim %r in '
|
||||
'id_token (%r)',
|
||||
claim, id_token)
|
||||
return None
|
||||
elif not user_info or claim not in user_info:
|
||||
logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
|
||||
u'user_info (%r)', claim, user_info)
|
||||
logger.warning('auth_oidc: cannot create user missing required claim %r in '
|
||||
'user_info (%r)', claim, user_info)
|
||||
return None
|
||||
|
||||
# map claims to attributes or user fields
|
||||
|
@ -252,16 +252,16 @@ class OIDCBackend(ModelBackend):
|
|||
oidc_account.sub = id_token.sub
|
||||
oidc_account.save()
|
||||
else:
|
||||
logger.warning(u'auth_oidc: cannot create user for sub %r as issuer %r does not'
|
||||
u' allow it', id_token.sub, id_token.iss)
|
||||
logger.warning('auth_oidc: cannot create user for sub %r as issuer %r does not'
|
||||
' allow it', id_token.sub, id_token.iss)
|
||||
return None
|
||||
|
||||
if created:
|
||||
logger.info(u'auth_oidc: created user %s for sub %s and issuer %s',
|
||||
logger.info('auth_oidc: created user %s for sub %s and issuer %s',
|
||||
user, id_token.sub, id_token.iss)
|
||||
|
||||
if linked:
|
||||
logger.info(u'auth_oidc: linked user %s to sub %s and issuer %s',
|
||||
logger.info('auth_oidc: linked user %s to sub %s and issuer %s',
|
||||
user, id_token.sub, id_token.iss)
|
||||
|
||||
# legacy attributes
|
||||
|
@ -269,7 +269,7 @@ class OIDCBackend(ModelBackend):
|
|||
if attribute not in ('username', 'first_name', 'last_name', 'email'):
|
||||
continue
|
||||
if getattr(user, attribute) != value:
|
||||
logger.info(u'auth_oidc: set user %s attribute %s to value %s',
|
||||
logger.info('auth_oidc: set user %s attribute %s to value %s',
|
||||
user, attribute, value)
|
||||
setattr(user, attribute, value)
|
||||
if attribute == 'email' and verified:
|
||||
|
@ -277,7 +277,7 @@ class OIDCBackend(ModelBackend):
|
|||
save_user = True
|
||||
|
||||
if user.ou != user_ou:
|
||||
logger.info(u'auth_oidc: set user %s ou to %s',
|
||||
logger.info('auth_oidc: set user %s ou to %s',
|
||||
user, user_ou)
|
||||
user.ou = user_ou
|
||||
save_user = True
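Review bot: In the audience hunk, `logger.warning('auth_oidc: multiple audience and azp not set', id_token.aud, provider.client_id)` passes two arguments to a format string with no placeholders, so the logging module reports a formatting error instead of the message and the audience is never recorded; the required-claim hunk has the mirror problem, where `logger.warning('claim \'%r\' is templated, it cannot be set as required')` carries a `%r` with no argument. The commit only drops the `u` prefixes, so both lines are carried over as-is; `logger.warning('auth_oidc: multiple audience %r and azp not set for client_id %r', id_token.aud, provider.client_id)` and `logger.warning('auth_oidc: claim %r is templated, it cannot be set as required', claim)` make them usable. Note also that the templated-required branch logs and falls through while its sibling `elif` branches `return None`, so a claim marked `required` that happens to be templated is not enforced; if that is not intended, this branch needs the same `return None`. Separately, `if id_token.azp != provider.client_id:` is reached for a single-element `aud` list without any `'azp' not in id_token` guard, so its behaviour depends on how `IDToken` exposes a missing claim — worth confirming it neither raises nor compares against `None`. The enclosing method starts and ends outside these hunks.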
@ -225,13 +225,13 @@ class OIDCClaimMapping(models.Model):
|
|||
return (self.claim, self.attribute, self.verified, self.required)
|
||||
|
||||
def __str__(self):
|
||||
s = u'{0} -> {1}'.format(self.claim, self.attribute)
|
||||
s = '{0} -> {1}'.format(self.claim, self.attribute)
|
||||
if self.verified:
|
||||
s += u', verified'
|
||||
s += ', verified'
|
||||
if self.required:
|
||||
s += u', required'
|
||||
s += ', required'
|
||||
if self.idtoken_claim:
|
||||
s += u', idtoken'
|
||||
s += ', idtoken'
|
||||
return s
|
||||
|
||||
def __repr__(self):
|
||||
|
@ -262,8 +262,7 @@ class OIDCAccount(models.Model):
|
|||
max_length=256)
|
||||
|
||||
def __str__(self):
|
||||
return u'{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer,
|
||||
self.user)
|
||||
return '{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer, self.user)
|
||||
|
||||
def __repr__(self):
|
||||
return '<OIDCAccount %r on %r>' % (self.sub, self.provider and self.provider.issuer)