auth_oidc: disable local webkey json edition when fetched remotely (#83841)
This commit is contained in:
parent
57dd6b1a08
commit
5468f61029
|
@ -15,6 +15,7 @@
|
|||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from django import forms
|
||||
from django.utils.translation import gettext_lazy as _
|
||||
|
||||
from authentic2.forms.widgets import DatalistTextInput, SelectAttributeWidget
|
||||
from authentic2.manager import fields as manager_fields
|
||||
|
@ -35,6 +36,9 @@ class OIDCProviderEditForm(forms.ModelForm):
|
|||
super().__init__(*args, **kwargs)
|
||||
self.fields['ou'].required = True
|
||||
self.fields['ou'].empty_label = None
|
||||
if self.instance.jwkset_url:
|
||||
self.fields['jwkset_json'].disabled = True
|
||||
self.fields['jwkset_json'].help_text = _('JSON is fetched from the WebKey Set URL')
|
||||
|
||||
|
||||
class OIDCProviderAdvancedForm(forms.ModelForm):
|
||||
|
|
|
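Review bot: The guard `if self.instance.jwkset_url:` in the second hunk reads only the stored value, so the single POST that first sets a WebKey Set URL can still carry a hand-edited `jwkset_json`, and the textarea is only locked on the next render; a `clean()` step that drops or rejects `jwkset_json` whenever `jwkset_url` is present in `cleaned_data` would make the server-side rule match the UI. Django's `disabled=True` does ignore submitted data for that field, so once the URL is stored the lock is enforced server-side and not merely in HTML. A why-comment above the `if`, such as `# a remotely fetched key set is authoritative; locally pasted JSON must not override it`, would make the intent explicit. `__init__` starts outside the hunk, so I cannot tell whether such a `clean()` already exists.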
@ -17,8 +17,10 @@
|
|||
import json
|
||||
|
||||
import pytest
|
||||
import responses
|
||||
from django import VERSION as DJ_VERSION
|
||||
from django.utils.html import escape
|
||||
from jwcrypto.jwk import JWK, JWKSet
|
||||
from webtest import Upload
|
||||
|
||||
from authentic2.a2_rbac.models import Role
|
||||
|
@ -219,6 +221,7 @@ def test_authenticators_password_export(app, superuser):
|
|||
|
||||
|
||||
@pytest.mark.freeze_time('2022-04-19 14:00')
|
||||
@responses.activate
|
||||
def test_authenticators_oidc(app, superuser, ou1, ou2):
|
||||
resp = login(app, superuser, path='/manage/authenticators/')
|
||||
|
||||
|
@ -282,6 +285,39 @@ def test_authenticators_oidc(app, superuser, ou1, ou2):
|
|||
)
|
||||
assert 'creation' in resp.text
|
||||
|
||||
jwkset_url = 'https://www.example.com/common/discovery/v3.0/keys'
|
||||
kid_rsa = '123'
|
||||
|
||||
def generate_remote_jwkset_json():
|
||||
key_rsa = JWK.generate(kty='RSA', size=512, kid=kid_rsa)
|
||||
jwkset = JWKSet()
|
||||
jwkset.add(key_rsa)
|
||||
return jwkset.export(as_dict=True)
|
||||
|
||||
responses.get(
|
||||
jwkset_url,
|
||||
json={
|
||||
'headers': {
|
||||
'content-type': 'application/json',
|
||||
},
|
||||
'status_code': 200,
|
||||
**generate_remote_jwkset_json(),
|
||||
},
|
||||
)
|
||||
|
||||
provider.refresh_from_db()
|
||||
provider.jwkset_url = jwkset_url
|
||||
provider.save()
|
||||
|
||||
resp = app.get('/manage/authenticators/%s/edit/' % provider.pk)
|
||||
assert resp.pyquery('input#id_jwkset_url')[0].value == jwkset_url
|
||||
assert 'disabled' in resp.pyquery('textarea#id_jwkset_json')[0].keys()
|
||||
assert '"kid": "123"' in resp.pyquery('textarea#id_jwkset_json')[0].text
|
||||
assert (
|
||||
resp.pyquery('div[aria-labelledby="id_jwkset_json_title"] div.hint')[0].text
|
||||
== 'JSON is fetched from the WebKey Set URL'
|
||||
)
|
||||
|
||||
resp = app.get('/manage/authenticators/')
|
||||
assert 'class="section disabled"' not in resp.text
|
||||
assert 'OIDC provider linked to https://oidc.example.com with scopes profile, email.' not in resp.text
|
||||
|
|
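Review bot: In the `responses.get(...)` call of the last hunk, `headers` and `status_code` are nested inside the `json=` body instead of being passed as keyword arguments, so the mocked key set is served with stray `headers`/`status_code` members next to `keys`, and the test passes only because the JWKS parser presumably ignores unknown members. The intended mock is `responses.get(jwkset_url, json=generate_remote_jwkset_json(), status=200)`; `responses` sets the JSON content type on its own. The 512-bit RSA key in `generate_remote_jwkset_json` is acceptable as a fixture but should carry `# deliberately small RSA key to keep the test fast; not a production size` so it is not copied elsewhere. `test_authenticators_oidc` begins outside the hunk, and whether the textarea content `'"kid": "123"'` results from a save-time fetch of the URL is not visible here.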