From 37582fba818d75bbfc013e9cd4d35ddfb6f88583 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Feb 11 2017 09:01:16 +0000
Subject: [PATCH 1/2] Actually check requires_valid_token in API calls

This change will make sure that if a token is not provided in a call that requires API tokens, we return a sane error message.

Signed-off-by: Patrick Uiterwijk
---
diff --git a/ipsilon/providers/openidc/api.py b/ipsilon/providers/openidc/api.py
index 66c5802..222347b 100644
--- a/ipsilon/providers/openidc/api.py
+++ b/ipsilon/providers/openidc/api.py
@@ -207,6 +207,9 @@ class APIRequest(ProviderPageBase):
             # Bearer token
             token = post_args['access_token']
         self._handle_token_authentication(token)
+        if self.requires_valid_token and not self.api_token:
+            self.error('No token provided in call that requires one')
+            raise APIError(403, 'no_token_provided')
 
     def require_scope(self, scope):
         if scope not in self.api_scopes:
From 6d5f572e0087816b753a276604e983d29e516afd Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Feb 11 2017 09:29:46 +0000
Subject: [PATCH 2/2] Add UserInfo test

Signed-off-by: Patrick Uiterwijk
---
diff --git a/tests/openidc.py b/tests/openidc.py
index e4215ba..2cdcb69 100755
--- a/tests/openidc.py
+++ b/tests/openidc.py
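Review bot: A request that carries no token at all is answered with 403 on the added `raise APIError(403, 'no_token_provided')` line, but RFC 6750 §3.1 reserves 403 (`insufficient_scope`) for a valid token that lacks privilege and expects a missing credential to get 401 with a `WWW-Authenticate: Bearer` challenge and, for an absent token, no error code in the body. If `APIError` can carry a status and that header, `raise APIError(401, ...)` here (the 403 assertion in the new UserInfo test would move with it) keeps clients' re-authentication logic working and makes "not authenticated" distinguishable from "authenticated but not allowed" in logs. The branch also fires whenever `self.api_token` is still unset after `_handle_token_authentication(token)`, so if that helper returns silently for an unknown or expired token instead of raising, the 'No token provided' log line would misdescribe a presented-but-rejected token — worth confirming, since only the call is visible here. The enclosing method starts before the hunk.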
@@ -372,6 +372,31 @@ if __name__ == '__main__': sys.exit(1) print " SUCCESS" + print "openidc: Checking user info ...", + try: + # Testing user info without token + r = requests.post('https://127.0.0.10:45080/idp1/openidc/UserInfo') + if r.status_code != 403: + raise Exception('No 403 provided with token-less request') + + # Testing valid token + r = requests.post('https://127.0.0.10:45080/idp1/openidc/UserInfo', + data={'access_token': token['access_token']}) + r.raise_for_status() + info = r.json() + if 'sub' not in info: + raise Exception('No sub claim provided') + h = hashlib.sha256() + h.update('127.0.0.11') + h.update(user) + h.update('testcase') + if info['sub'] != h.hexdigest(): + raise Exception('Sub claim invalid') + except ValueError, e: + print >> sys.stderr, " ERROR: %s" % repr(e) + sys.exit(1) + print " SUCCESS" + print "openidc: Access second SP Protected Area ...", try: page = sess.fetch_page(idpname, 'https://127.0.0.12:45082/sp/')
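Review bot: The new UserInfo check exercises only the two ends of the access-control decision — no `access_token` at all (expects 403) and a freshly issued one — and never a presented-but-bad token, which is the case an authorization bypass would most plausibly hide in. After the token-less request, add `r = requests.post('https://127.0.0.10:45080/idp1/openidc/UserInfo', data={'access_token': 'not-a-valid-token'})` followed by `if r.status_code not in (401, 403): raise Exception('Bad token was not rejected')`. Separately, `except ValueError, e:` matches neither the `raise Exception(...)` calls in the try body nor the HTTPError that `r.raise_for_status()` raises, so those failures exit via an uncaught traceback rather than the " ERROR:" line and `sys.exit(1)`; this presumably mirrors the surrounding test blocks, but catching `Exception` here would make the new checks report consistently. The `if __name__ == '__main__':` block holding this code continues outside the hunk on both sides, and the `hashlib`/`requests` imports it relies on are not visible here.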