idp_oidc: ensure client is in an ou when authz is by ou (#47159)
parent
e52ebd5706
commit
dbf6059678
|
@ -244,6 +244,10 @@ class OIDCClient(Service):
|
|||
elif sector_identifier != hostname:
|
||||
raise ValueError('all redirect_uri do not have the same hostname')
|
||||
elif self.authorization_mode == self.AUTHORIZATION_MODE_BY_OU:
|
||||
if not self.ou:
|
||||
raise ValidationError(
|
||||
_('OU-based authorization requires that the client be '
|
||||
'within an OU.'))
|
||||
sector_identifier = self.ou.slug
|
||||
else:
|
||||
raise NotImplementedError('unknown self.authorization_mode %s' % self.authorization_mode)
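Review bot: The new `if not self.ou:` guard raises `ValidationError`, while the sibling branch just above raises `ValueError` for inconsistent `redirect_uris`, so callers now have two exception types to handle for a misconfigured client. The enclosing method starts and ends outside the hunk, so it is not visible whether it runs only from `clean()`. If it is also reached when the sector identifier is computed at request time, a client saved before this change with OU-based authorization and no OU would hit this raise there instead of producing a form error. Auditing existing clients in this mode for a missing OU before deploying would close that gap. A short comment above the guard would also help, e.g. `# the OU slug is the sector identifier in this mode, so an OU is mandatory`.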
|
||||
|
|
|
@ -1618,6 +1618,11 @@ def test_oidc_client_clean():
|
|||
redirect_uris='https://example.com/ https://example2.com/',
|
||||
identifier_policy=OIDCClient.POLICY_PAIRWISE).clean()
|
||||
|
||||
with pytest.raises(ValidationError, match=r'within an OU'):
|
||||
OIDCClient(
|
||||
authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU,
|
||||
ou=None).clean()
|
||||
|
||||
OIDCClient(
|
||||
redirect_uris='https://example.com/ https://example2.com/',
|
||||
sector_identifier_uri='https://example.com/').clean()
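Review bot: The added case pins only the rejection path. Nothing visible here asserts that a client in `AUTHORIZATION_MODE_BY_OU` with an OU set still passes `clean()`, so a guard that over-rejects would go unnoticed. A companion call such as `OIDCClient(authorization_mode=OIDCClient.AUTHORIZATION_MODE_BY_OU, ou=<existing OU fixture>, redirect_uris='https://example.com/').clean()` would cover it; the fixture name is a placeholder, and the test function starts outside the hunk. The `match=r'within an OU'` pattern also depends on the untranslated message, which would matter if the tests ever run with a non-English locale active.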
|
||||
|
|