authentic2_idp_oidc: verify next url againts clients redirect_uris (#48739)
This commit is contained in:
parent
1a995c8c8a
commit
ed055e0892
|
@ -156,3 +156,7 @@ class AppConfig(django.apps.AppConfig):
|
|||
qs = qs.distinct()
|
||||
|
||||
return qs
|
||||
|
||||
def a2_hook_good_next_url(self, next_url):
|
||||
from .utils import good_next_url
|
||||
return good_next_url(next_url)
|
||||
|
|
|
@ -31,6 +31,7 @@ from django.utils.six.moves.urllib import parse as urlparse
|
|||
from authentic2 import hooks, crypto
|
||||
from authentic2.attributes_ng.engine import get_attributes
|
||||
from authentic2.utils.template import Template
|
||||
from authentic2.decorators import GlobalCache
|
||||
|
||||
from . import app_settings
|
||||
|
||||
|
@ -251,3 +252,15 @@ def add_oidc_session(request, client):
|
|||
oidc_sessions[uri] = oidc_session
|
||||
# force session save
|
||||
request.session.modified = True
|
||||
|
||||
|
||||
@GlobalCache(timeout=60)
|
||||
def good_next_url(next_url):
|
||||
from authentic2.utils import same_origin
|
||||
from .models import OIDCClient
|
||||
|
||||
for oidc_client in OIDCClient.objects.all():
|
||||
for url in oidc_client.redirect_uris.split():
|
||||
if same_origin(url, next_url):
|
||||
return True
|
||||
return None
|
||||
|
|
|
@ -43,7 +43,7 @@ from authentic2_idp_oidc.utils import get_first_rsa_sig_key
|
|||
from authentic2_idp_oidc.utils import get_first_ec_sig_key
|
||||
from authentic2_idp_oidc.utils import make_sub
|
||||
from authentic2.a2_rbac.utils import get_default_ou
|
||||
from authentic2.utils import make_url
|
||||
from authentic2.utils import make_url, good_next_url
|
||||
from authentic2_auth_oidc.utils import parse_timestamp
|
||||
from django_rbac.utils import get_ou_model
|
||||
from django_rbac.utils import get_role_model
|
||||
|
@ -1689,3 +1689,10 @@ def test_oidc_authorized_oauth_services_view(app, oidc_client, simple_user):
|
|||
'button', {'class': 'authorized-oauth-services--revoke-button'})) == 1
|
||||
assert OIDCAuthorization.objects.filter(
|
||||
client_ct=ContentType.objects.get_for_model(OU)).count() == 0
|
||||
|
||||
|
||||
def test_oidc_good_next_url_hook(app, oidc_client):
|
||||
from django.test.client import RequestFactory
|
||||
rf = RequestFactory()
|
||||
request = rf.get('/')
|
||||
assert good_next_url(request, 'https://example.com/')
|
||||
|
|
Loading…
Reference in New Issue