wf/roles: sign URL just before call IdP webservice (#22144)
parent
0e8f33c05e
commit
7340516696
|
@ -500,6 +500,7 @@ def test_roles_idp(pub):
|
|||
assert http_post_request.call_count == 1
|
||||
assert http_post_request.call_args[0][0].startswith(
|
||||
'http://idp.example.net/api/roles/bar1/members/xxx/')
|
||||
assert 'signature=' in http_post_request.call_args[0][0]
|
||||
|
||||
user.roles = None
|
||||
user.store()
|
||||
|
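Review bot: The new assertion `assert 'signature=' in http_post_request.call_args[0][0]`, and its twin after `http_delete_request.call_count == 1` in the second hunk, only checks that a parameter named `signature` is present, not that the URL was actually signed for the right caller and secret. Since `sign_ws_url` also appends an `orig` parameter, the test could at least pin that too, `assert 'orig=' in http_post_request.call_args[0][0]`, and, if the fixture exposes the secret configured for the IdP, recompute the expected signature so a wrong key or a malformed query would fail the test rather than pass on a substring match. test_roles_idp starts and ends outside the hunk.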
@ -523,6 +524,7 @@ def test_roles_idp(pub):
|
|||
assert http_delete_request.call_count == 1
|
||||
assert http_delete_request.call_args[0][0].startswith(
|
||||
'http://idp.example.net/api/roles/bar1/members/xxx/')
|
||||
assert 'signature=' in http_delete_request.call_args[0][0]
|
||||
|
||||
def test_anonymise(pub):
|
||||
# build a backoffice field
|
||||
|
|
|
@ -36,6 +36,10 @@ def roles_ws_url(role_uuid, user_uuid):
|
|||
base_url = entity_id.split('idp/saml2/metadata')[0]
|
||||
url = urlparse.urljoin(base_url, '/api/roles/%s/members/%s/' % (urllib.quote(role_uuid),
|
||||
urllib.quote(user_uuid)))
|
||||
return url
|
||||
|
||||
|
||||
def sign_ws_url(url):
|
||||
secret, orig = get_secret_and_orig(url)
|
||||
url += '?orig=%s' % orig
|
||||
return sign_url(url, secret)
|
||||
|
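Review bot: `sign_ws_url` builds its query string by hand: `url += '?orig=%s' % orig` neither percent-encodes `orig` nor checks whether `url` already carries a query string, while `roles_ws_url` directly above quotes every path component with `urllib.quote`. For the URLs `roles_ws_url` produces this works, but the helper reads as general-purpose and would silently emit a malformed URL for any other input; `url += '?orig=%s' % urllib.quote(orig)` would make the encoding consistent with the rest of the module. A short docstring would also help, since the contract (resolve the shared secret and caller identity for `url`, append `orig`, then sign) is only visible by reading the body: `"""Append the orig parameter for url's IdP and return the signed URL."""`. What `sign_url` itself adds (a timestamp or nonce, presumably) is not visible in this hunk.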
@ -98,7 +102,8 @@ class AddRoleWorkflowStatusItem(WorkflowStatusItem):
|
|||
get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')
|
||||
return
|
||||
def after_job(job):
|
||||
response, status, data, auth_header = http_post_request(url)
|
||||
signed_url = sign_ws_url(url)
|
||||
response, status, data, auth_header = http_post_request(signed_url)
|
||||
if status != 201:
|
||||
get_logger().error('failed to add role %r to user %r',
|
||||
role, user)
|
||||
|
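Review bot: Moving `sign_ws_url(url)` into `after_job` takes the signing step out of the handler that ends with `get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')` just above (the `try` itself is outside the hunk), so a failure in `get_secret_and_orig`, for instance no secret configured for this IdP, would now be raised from inside the job instead of being reported through the existing path. The same applies to `RemoveRoleWorkflowStatusItem.after_job` in the next hunk. Independently, the log line `get_logger().error('failed to add role %r to user %r', role, user)` drops the `status` it just tested, which is what an operator needs to tell a rejected request from any other failure; `get_logger().error('failed to add role %r to user %r (status %r)', role, user, status)` would keep it. The enclosing method starts and ends outside the hunk.
```python
        def after_job(job):
            try:
                signed_url = sign_ws_url(url)
            except Exception:
                get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')
                return
            response, status, data, auth_header = http_post_request(signed_url)
            # … unchanged: status check and error log …
```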
@ -157,7 +162,8 @@ class RemoveRoleWorkflowStatusItem(WorkflowStatusItem):
|
|||
get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')
|
||||
return
|
||||
def after_job(job):
|
||||
response, status, data, auth_header = http_delete_request(url)
|
||||
signed_url = sign_ws_url(url)
|
||||
response, status, data, auth_header = http_delete_request(signed_url)
|
||||
if status != 200:
|
||||
get_logger().error('failed to remove role %r from user %r',
|
||||
role, user)
|
||||
|
|