#173 Check requires_valid_token on API calls
Merged 4 years ago by puiterwijk. Opened 4 years ago by puiterwijk.
puiterwijk/ipsilon oidc-sane-error-on-noauth  into  master

@@ -207,6 +207,9 @@ 

              # Bearer token

              token = post_args['access_token']

              self._handle_token_authentication(token)

+         if self.requires_valid_token and not self.api_token:

+             self.error('No token provided in call that requires one')

+             raise APIError(403, 'no_token_provided')

  

      def require_scope(self, scope):

          if scope not in self.api_scopes:
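Review bot: The new guard at `if self.requires_valid_token and not self.api_token:` answers a missing bearer token with 403, but RFC 6750 §3 reserves 403 (`insufficient_scope`) for a token that lacks the needed scope and expects an absent token to get 401 with a `WWW-Authenticate: Bearer` challenge, so a conforming client cannot tell "no token" from "wrong scope"; if APIError supports it, `raise APIError(401, 'no_token_provided')` with the challenge header would be the accurate reply. Whichever status is kept, the companion UserInfo test in this pull-request asserts on the same value, so the two must change together. The enclosing method begins before this hunk, so I cannot see whether any earlier branch returns before this check; it should be the last statement on every path that reaches the end of token handling. `require_scope` on the following lines appears to rely on this guard having run, since `self.api_scopes` is only meaningful once a token was handled, and a short comment such as `# requires_valid_token must be enforced before require_scope is called` would make that ordering explicit.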

file modified
+25
@@ -372,6 +372,31 @@ 

          sys.exit(1)

      print " SUCCESS"

  

+     print "openidc: Checking user info ...",

+     try:

+         # Testing user info without token

+         r = requests.post('https://127.0.0.10:45080/idp1/openidc/UserInfo')

+         if r.status_code != 403:

+             raise Exception('No 403 provided with token-less request')

+ 

+         # Testing valid token

+         r = requests.post('https://127.0.0.10:45080/idp1/openidc/UserInfo',

+                           data={'access_token': token['access_token']})

+         r.raise_for_status()

+         info = r.json()

+         if 'sub' not in info:

+             raise Exception('No sub claim provided')

+         h = hashlib.sha256()

+         h.update('127.0.0.11')

+         h.update(user)

+         h.update('testcase')

+         if info['sub'] != h.hexdigest():

+             raise Exception('Sub claim invalid')

+     except ValueError, e:

+         print >> sys.stderr, " ERROR: %s" % repr(e)

+         sys.exit(1)

+     print " SUCCESS"

+ 

      print "openidc: Access second SP Protected Area ...",

      try:

          page = sess.fetch_page(idpname, 'https://127.0.0.12:45082/sp/')
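Review bot: The `except ValueError, e:` handler cannot catch the failures this block raises: `raise Exception('No 403 provided with token-less request')`, `raise Exception('No sub claim provided')`, `raise Exception('Sub claim invalid')` and the `requests.HTTPError` from `r.raise_for_status()` are not ValueErrors, so a regression prints a traceback instead of the " ERROR: ..." line the surrounding checks emit. Raising `ValueError(...)` in the three explicit checks and widening the handler to `except (ValueError, requests.RequestException), e:` would keep the reporting consistent with the rest of the script. The token-less request only asserts `r.status_code != 403`; since the bug being fixed was a 500, that check does already distinguish the failure mode, which is good. The valid-token request sends `access_token` as a form parameter, which RFC 6750 §2.2 allows, but the `Authorization: Bearer` header form is the one most clients use, so exercising the header path as well would cover the more common code path; I cannot see from this hunk whether the server's bearer handling reads both.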

Without this fix, Ipsilon will actually return 500 on requests that require an API token but were not provided one, because self.api_token is None.

2 new commits added

  • Add UserInfo test
  • Actually check requires_valid_token in API calls
4 years ago

Commit 6bdbfaf fixes this pull-request

Pull-Request has been merged by puiterwijk@redhat.com

4 years ago