#206 Warn and proceed if we can't query the groups list via openidc UserInfo
Merged 10 months ago by ralph. Opened 10 months ago by otaylor.
otaylor/odcs userinfo-failure  into  master

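--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -203,8 +203,13 @@
     }
     r = requests.get(conf.auth_openidc_userinfo_uri, headers=headers)
     if r.status_code != 200:
-        raise Unauthorized('Cannot get user information from {0} endpoint.'.format(
-            conf.auth_openidc_userinfo_uri))
+        # In Fedora, the manually created service tokens can't be used with the UserInfo
+        # endpoint. We treat this as an empty response - and hence an empty group list. An empty
+        # group list only makes our authorization checks more strict, so it should be safe
+        # to proceed and check the user.
+        log.warning("Failed to query group information - UserInfo endpoint failed with status=%d",
+                    r.status_code)
+        return {}
 
     return r.json()
 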
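Review bot: The added `log.warning(...)` drops the endpoint URI that the removed `Unauthorized` message carried, so an operator reading the log cannot tell which UserInfo endpoint failed; prefer `log.warning("Failed to query group information from %s - UserInfo endpoint failed with status=%d", conf.auth_openidc_userinfo_uri, r.status_code)`. The comment's claim that an empty group list only makes authorization stricter holds as long as group membership is used purely to grant access; if any caller uses groups to deny or to pick a less privileged path, this branch would widen access rather than narrow it, so that assumption is worth stating explicitly in the comment. Every non-200 status, including transient 5xx responses, now takes this path, so a UserInfo outage degrades to user-only authorization with only a warning; if the intent is limited to the Fedora service-token case, consider narrowing the condition to the status that case produces (not visible here). The enclosing function starts before this hunk.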

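--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -261,6 +261,28 @@
             self.assertEqual(self.user.id, flask.g.user.id)
             self.assertEqual(['admins', 'testers'], sorted(flask.g.groups))
 
+    @patch('odcs.server.auth.requests.get')
+    def test_user_info_failure(self, get):
+        # If the user_info endpoint errors out, we continue to authenticate
+        # based only on the user (which we have from the token), ignoring groups.
+        get.return_value.status_code = 400
+
+        environ_base = {
+            'REMOTE_USER': self.user.username,
+            'OIDC_access_token': '39283',
+            'OIDC_CLAIM_iss': 'https://iddev.fedorainfracloud.org/openidc/',
+            'OIDC_CLAIM_scope': 'openid https://id.fedoraproject.org/scope/groups '
+                                'https://pagure.io/odcs/new-compose '
+                                'https://pagure.io/odcs/renew-compose '
+                                'https://pagure.io/odcs/delete-compose',
+        }
+
+        with app.test_request_context(environ_base=environ_base):
+            load_openidc_user(flask.request)
+
+            self.assertEqual(self.user.id, flask.g.user.id)
+            self.assertEqual([], sorted(flask.g.groups))
+
     def test_401_if_remote_user_not_present(self):
         environ_base = {
             # Missing REMOTE_USER here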
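Review bot: `test_user_info_failure` pins the outcome (user loaded, groups empty) but not the path taken: with `get` patched, nothing checks that the UserInfo request was made or that the non-200 branch, rather than an unrelated empty result, produced the empty group list. Adding `self.assertEqual(1, get.call_count)` and `self.assertFalse(get.return_value.json.called)` after `load_openidc_user(flask.request)` would make the test fail if the status check were removed or if the code started parsing the error body. The test class and its setup (`self.user`, `app`) are outside this hunk.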

In Fedora, the manually created service tokens can't be used with the UserInfo
endpoint. Treat this as an empty response - and hence an empty group list. An empty
group list only makes our authorization checks more strict, so it should be safe
to proceed and check the user.

Pull-Request has been merged by ralph

10 months ago