api: allow signed queries that do not specify email or NameID (#7156)

2015-05-06 11:08:41 +02:00 · 2015-05-06 11:08:41 +02:00 · 4e78b42ae5
parent 1e200cd30c
commit 4e78b42ae5
3 changed files with 18 additions and 7 deletions
--- a/tests/test_api.py
+++ b/tests/test_api.py
@ -65,8 +65,8 @@ def test_user_page_redirect():
    assert output.headers.get('location') == 'http://example.net/myspace/'

 def test_user_page_error_when_json_and_no_user():
-    output = get_app(pub).get('/user?format=json')
-    assert output.body == '???'
+    output = get_app(pub).get('/user?format=json', status=403)
+    assert output.json['err_desc'] == 'no user specified'

 def test_get_user_from_api_query_string_error_missing_orig():
    output = get_app(pub).get('/user?format=json&signature=xxx', status=403)
@ -106,7 +106,20 @@ def test_get_user_from_api_query_string_error_missing_email():
                    query, 
                    hashlib.sha1).digest()))
    output = get_app(pub).get('/user?%s&signature=%s' % (query, signature), status=403)
-    assert output.json['err_desc'] == 'missing email or NameID fields'
+    assert output.json['err_desc'] == 'no user specified'
+
+def test_get_user_from_api_query_string_error_missing_email_valid_endpoint():
+    # check it's ok to sign an URL without specifiying an user if the endpoint
+    # works fine without user.
+    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
+    query = 'format=json&orig=coucou&algo=sha1&timestamp=' + timestamp
+    signature = urllib.quote(
+            base64.b64encode(
+                hmac.new('1234',
+                    query,
+                    hashlib.sha1).digest()))
+    output = get_app(pub).get('/categories?%s&signature=%s' % (query, signature))
+    assert output.json == {'data': []}

 def test_get_user_from_api_query_string_error_success_sha1(local_user):
    timestamp = datetime.datetime.utcnow().isoformat()[:19] + 'Z'
--- a/wcs/api.py
+++ b/wcs/api.py
@ -69,9 +69,7 @@ def get_user_from_api_query_string():
    # Signature is good. Now looking for the user, by email/NameID.
    # If email or NameID exist but are empty, return None
    user = None
-    if not ('email' in get_request().form or 'NameID' in get_request().form):
-        raise AccessForbiddenError('missing email or NameID fields')
-    elif get_request().form.get('email'):
+    if get_request().form.get('email'):
        email = get_request().form.get('email')
        if not isinstance(email, basestring):
            raise AccessForbiddenError('multiple email field')
--- a/wcs/root.py
+++ b/wcs/root.py
@ -292,7 +292,7 @@ class RootDirectory(Directory):
        get_response().set_content_type('application/json')
        user = get_user_from_api_query_string() or get_request().user
        if not user:
-            return errors.AccessForbiddenError()
+            raise errors.AccessForbiddenError('no user specified')
        user_info = user.get_substitution_variables(prefix='')
        del user_info['user']
        user_info['user_roles'] = []