From 8b89b7cadc2b9d4be99e61ffa1ea847e917c9128 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Mon, 2 Nov 2020 13:58:41 +0100 Subject: [PATCH] auth_oidc: normalize unicode strings (#48174) --- src/authentic2_auth_oidc/apps.py | 6 ++-- src/authentic2_auth_oidc/backends.py | 42 ++++++++++++++-------------- src/authentic2_auth_oidc/models.py | 11 ++++---- 3 files changed, 29 insertions(+), 30 deletions(-) diff --git a/src/authentic2_auth_oidc/apps.py b/src/authentic2_auth_oidc/apps.py index eefc2a901..6530470f5 100644 --- a/src/authentic2_auth_oidc/apps.py +++ b/src/authentic2_auth_oidc/apps.py @@ -31,7 +31,7 @@ class Plugin(object): data={'token': access_token, 'token_type': 'access_token'}, timeout=10) except requests.RequestException as e: - logger.warning(u'failed to revoke access token from OIDC provider %s: %s', + logger.warning('failed to revoke access token from OIDC provider %s: %s', provider.issuer, e) return try: @@ -41,10 +41,10 @@ class Plugin(object): content = response.json() except ValueError: content = None - logger.warning(u'failed to revoke access token from OIDC provider %s: %s, %s', + logger.warning('failed to revoke access token from OIDC provider %s: %s, %s', provider.issuer, e, content) return - logger.info(u'revoked token from OIDC provider %s', provider.issuer) + logger.info('revoked token from OIDC provider %s', provider.issuer) def redirect_logout_list(self, request, next=None): from django.urls import reverse diff --git a/src/authentic2_auth_oidc/backends.py b/src/authentic2_auth_oidc/backends.py index 07578dec4..d36660190 100644 --- a/src/authentic2_auth_oidc/backends.py +++ b/src/authentic2_auth_oidc/backends.py 
@@ -46,13 +46,13 @@ class OIDCBackend(ModelBackend): id_token = utils.IDToken(id_token) id_token.deserialize(provider) except utils.IDTokenError as e: - logger.warning(u'auth_oidc: invalid id_token %s: %s', original_id_token, e) + logger.warning('auth_oidc: invalid id_token %s: %s', original_id_token, e) return None try: provider = utils.get_provider_by_issuer(id_token.iss) except models.OIDCProvider.DoesNotExist: - logger.warning(u'auth_oidc: unknown issuer "%s"', id_token.iss) + logger.warning('auth_oidc: unknown issuer "%s"', id_token.iss) return None key_or_keyset = None @@ -86,20 +86,20 @@ class OIDCBackend(ModelBackend): jwt.claims if isinstance(id_token.aud, six.text_type) and provider.client_id != id_token.aud: - logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s', + logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s', id_token.aud, provider.client_id) return None if isinstance(id_token.aud, list): if provider.client_id not in id_token.aud: - logger.warning(u'auth_oidc: invalid id_token audience %s != provider client_id %s', + logger.warning('auth_oidc: invalid id_token audience %s != provider client_id %s', id_token.aud, provider.client_id) return None if len(id_token.aud) > 1 and 'azp' not in id_token: - logger.warning(u'auth_oidc: multiple audience and azp not set', + logger.warning('auth_oidc: multiple audience and azp not set', id_token.aud, provider.client_id) return None if id_token.azp != provider.client_id: - logger.warning(u'auth_oidc: multiple audience and azp %r does not match client_id' + logger.warning('auth_oidc: multiple audience and azp %r does not match client_id' ' %r', id_token.azp, provider.client_id) return None @@ -131,7 +131,7 @@ class OIDCBackend(ModelBackend): except User.DoesNotExist: pass else: - logger.info(u'auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub, + logger.info('auth_oidc: found user using UUID (=sub) "%s": %s', id_token.sub, user) else: 
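Review bot: The first warning in the `@@ -46,13` hunk still writes the complete serialized token to the log: `logger.warning('auth_oidc: invalid id_token %s: %s', original_id_token, e)`. An ID token carries identity claims, and one rejected here for a parsing reason may be valid otherwise, so a truncated prefix or a digest is enough for correlation, for example `original_id_token[:16]` (assuming it is still a string at this point). The second warning logs `id_token.iss` with `%s` before the provider lookup has succeeded, so the value is whatever the sender put in the token. Using `%r` keeps line breaks and control characters from splitting the log entry: `logger.warning('auth_oidc: unknown issuer %r', id_token.iss)`. The enclosing method starts and ends outside the hunk.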
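Review bot: In the `@@ -86,20` hunk the "multiple audience and azp not set" warning passes two arguments to a format string that has no placeholders, so the logging module raises a formatting error when the record is emitted and the rejection reason does not reach the log as intended. Add the placeholders or drop the arguments, for example `logger.warning('auth_oidc: multiple audience %r and azp not set, client_id %r', id_token.aud, provider.client_id)`. This is an audience-validation failure, which is the kind of event that needs to be searchable afterwards. The enclosing method continues outside the hunk.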
@@ -142,7 +142,7 @@ class OIDCBackend(ModelBackend):
 except User.DoesNotExist:
 pass
 else:
- logger.info(u'auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
+ logger.info('auth_oidc: found user using with sub "%s": %s', id_token.sub, user)
 need_user_info = False
 for claim_mapping in provider.claim_mappings.all():
 need_user_info = need_user_info or not claim_mapping.idtoken_claim
@@ -160,12 +160,12 @@ class OIDCBackend(ModelBackend):
 })
 response.raise_for_status()
 except requests.RequestException as e:
- logger.warning(u'auth_oidc: failed to retrieve user info %s', e)
+ logger.warning('auth_oidc: failed to retrieve user info %s', e)
 else:
 try:
 user_info = response.json()
 except ValueError as e:
- logger.warning(u'auth_oidc: bad JSON in user info response, %s (%r)', e,
+ logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e,
 response.content)
 # check for required claims
@@ -173,15 +173,15 @@ class OIDCBackend(ModelBackend):
 claim = claim_mapping.claim
 if claim_mapping.required:
 if '{{' in claim or '{%' in claim:
- logger.warning(u'claim \'%r\' is templated, it cannot be set as required')
+ logger.warning('claim \'%r\' is templated, it cannot be set as required')
 elif claim_mapping.idtoken_claim and claim not in id_token:
- logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
- u'id_token (%r)',
+ logger.warning('auth_oidc: cannot create user missing required claim %r in '
+ 'id_token (%r)',
 claim, id_token)
 return None
 elif not user_info or claim not in user_info:
- logger.warning(u'auth_oidc: cannot create user missing required claim %r in '
- u'user_info (%r)', claim, user_info)
+ logger.warning('auth_oidc: cannot create user missing required claim %r in '
+ 'user_info (%r)', claim, user_info)
 return None
 # map claims to attributes or user fields
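Review bot: The bad-JSON warning in the `@@ -160,12` hunk logs `response.content` in full. That body comes from the remote provider's user-info endpoint, so its size and content are outside this code's control, and a partly valid response can contain personal data. Bounding it keeps the diagnostic value: `logger.warning('auth_oidc: bad JSON in user info response, %s (%r)', e, response.content[:1024])`. The surrounding try/except starts outside the hunk.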
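Review bot: The templated-claim warning in the `@@ -173,15` hunk has a `%r` placeholder but no argument, so the literal text `%r` is logged instead of the claim name. Pass the claim: `logger.warning('claim %r is templated, it cannot be set as required', claim)`. As far as the hunk shows, this branch only warns and falls through, so a mapping that is both templated and required appears not to be enforced; a comment stating that would help, since the loop header is outside the hunk. The two "missing required claim" warnings below it log the whole `id_token` and `user_info` with `%r`, where the claim name plus `id_token.sub` would identify the case without copying every claim into the log.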
@@ -252,16 +252,16 @@ class OIDCBackend(ModelBackend):
 oidc_account.sub = id_token.sub
 oidc_account.save()
 else:
- logger.warning(u'auth_oidc: cannot create user for sub %r as issuer %r does not'
- u' allow it', id_token.sub, id_token.iss)
+ logger.warning('auth_oidc: cannot create user for sub %r as issuer %r does not'
+ ' allow it', id_token.sub, id_token.iss)
 return None
 if created:
- logger.info(u'auth_oidc: created user %s for sub %s and issuer %s',
+ logger.info('auth_oidc: created user %s for sub %s and issuer %s',
 user, id_token.sub, id_token.iss)
 if linked:
- logger.info(u'auth_oidc: linked user %s to sub %s and issuer %s',
+ logger.info('auth_oidc: linked user %s to sub %s and issuer %s',
 user, id_token.sub, id_token.iss)
 # legacy attributes
@@ -269,7 +269,7 @@ class OIDCBackend(ModelBackend):
 if attribute not in ('username', 'first_name', 'last_name', 'email'):
 continue
 if getattr(user, attribute) != value:
- logger.info(u'auth_oidc: set user %s attribute %s to value %s',
+ logger.info('auth_oidc: set user %s attribute %s to value %s',
 user, attribute, value)
 setattr(user, attribute, value)
 if attribute == 'email' and verified:
@@ -277,7 +277,7 @@ class OIDCBackend(ModelBackend):
 save_user = True
 if user.ou != user_ou:
- logger.info(u'auth_oidc: set user %s ou to %s',
+ logger.info('auth_oidc: set user %s ou to %s',
 user, user_ou)
 user.ou = user_ou
 save_user = True
diff --git a/src/authentic2_auth_oidc/models.py b/src/authentic2_auth_oidc/models.py
index 9e3a74b60..f8c76595f 100644
--- a/src/authentic2_auth_oidc/models.py
+++ b/src/authentic2_auth_oidc/models.py
@@ -225,13 +225,13 @@ class OIDCClaimMapping(models.Model):
 return (self.claim, self.attribute, self.verified, self.required)
 def __str__(self):
- s = u'{0} -> {1}'.format(self.claim, self.attribute)
+ s = '{0} -> {1}'.format(self.claim, self.attribute)
 if self.verified:
- s += u', verified'
+ s += ', verified'
 if self.required:
- s += u', required'
+ s += ', required'
 if self.idtoken_claim:
- s += u', idtoken'
+ s += ', idtoken'
 return s
 def __repr__(self):
@@ -262,8 +262,7 @@ class OIDCAccount(models.Model):
 max_length=256)
 def __str__(self):
- return u'{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer,
- self.user)
+ return '{0} on {1} linked to {2}'.format(self.sub, self.provider and self.provider.issuer, self.user)
 def __repr__(self):
 return '' % (self.sub, self.provider and self.provider.issuer)