Commit 940dbeda authored by Lukas Burgey's avatar Lukas Burgey

Add more checks and tests to the upstream/userinfo endpoint

parent fd4c3bf7
......@@ -74,12 +74,48 @@ class UpstreamClientTest(BaseTestCase):
LOGGER.debug('response: %s %s', response, response.content)
self.assertEqual(response.status_code, 400)
def test_userinfo_bad_sub(self):
response = self._request_helper(
'/upstream/userinfo',
{
'userinfo': {
'sub': 'non-existent-sub', # this sub is invalid
},
},
)
LOGGER.debug('response: %s %s', response, response.content)
self.assertEqual(response.status_code, 400)
def test_userinfo_bad_iss(self):
response = self._request_helper(
'/upstream/userinfo',
{
'userinfo': {
'iss': 'bad issuer uri', # this issuer uri is invalid
},
},
)
LOGGER.debug('response: %s %s', response, response.content)
self.assertEqual(response.status_code, 400)
def test_userinfo_missing_sub(self):
response = self._request_helper(
'/upstream/userinfo',
{
'userinfo': {
'sub': 'non-existent-sub', # this sub is not valid
'iss': self.TEST_ISSUER,
},
},
)
LOGGER.debug('response: %s %s', response, response.content)
self.assertEqual(response.status_code, 400)
def test_userinfo_missing_issuer(self):
response = self._request_helper(
'/upstream/userinfo',
{
'userinfo': {
'sub': self.TEST_SUB,
},
},
)
......@@ -25,9 +25,9 @@ def _update_userinfo(userinfo, idp):
sub=userinfo.get('sub', ''),
idp=idp,
).update_userinfo(userinfo)
return HttpResponse("User updated", status=200)
return HttpResponse('User updated', status=200)
except User.DoesNotExist:
return HttpResponse("User does not exist", status=400)
return HttpResponse('User does not exist', status=400)
class AccessTokenView(APIView):
......@@ -61,12 +61,22 @@ class UserinfoView(APIView):
return HttpResponse("Missing field 'userinfo'", status=400)
if request.user.idp is None:
return HttpResponse("No IdP associated", status=500)
return HttpResponse('No IdP associated', status=500)
idp = request.user.idp
userinfo = request.data.get('userinfo', {})
if 'sub' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'sub' field", status=400)
if 'iss' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'iss' field", status=400)
iss = userinfo.get('iss')
if iss != idp.issuer_uri:
return HttpResponse("The value of the 'iss' field does not match the associated IdPs issuer URL", status=400)
return _update_userinfo(
request.data.get('userinfo', {}),
request.user.idp,
)
return _update_userinfo(userinfo, idp)
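Review bot: The new 'sub'/'iss' checks assume `userinfo` is a mapping, but `request.data.get('userinfo', {})` returns whatever the client sent; if the parser yields a JSON string or list, `'sub' not in userinfo` becomes a substring/element test and `userinfo.get('iss')` raises AttributeError, so malformed input produces a 500 instead of the intended 400. Add a type guard directly after the assignment: `if not isinstance(userinfo, dict): return HttpResponse("Field 'userinfo' must be an object", status=400)`. The presence checks also accept empty or non-string values, which then reach the `sub=userinfo.get('sub', '')` lookup in `_update_userinfo`; rejecting a falsy or non-`str` 'sub'/'iss' with the same 400 would keep the error at the input boundary. The enclosing method starts outside the hunk.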
URLPATTERNS = [