Commit f14eeb5e authored by Lukas Burgey's avatar Lukas Burgey

Add more checks to upstream endpoints

parent 6b1f38b8
......@@ -19,15 +19,25 @@ AUTHENTICATION_CLASSES = (BasicAuthentication,)
PERMISSION_CLASSES = (UpstreamOnly,)
# checks userinfo for validity and the updates the user accordingly
def _update_userinfo(userinfo, idp):
if 'iss' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'iss' field", status=400)
iss = userinfo.get('iss')
if iss != idp.issuer_uri:
return HttpResponse("The value of the 'iss' field does not match the associated IdPs issuer URL", status=400)
if 'sub' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'sub' field", status=400)
sub = userinfo.get('sub')
try:
User.objects.get(
sub=userinfo.get('sub', ''),
idp=idp,
).update_userinfo(userinfo)
User.objects.get(sub=sub, idp=idp).update_userinfo(userinfo)
return HttpResponse('User updated', status=200)
except User.DoesNotExist:
return HttpResponse('User does not exist', status=400)
return HttpResponse('User with subject does not exist', status=400)
class AccessTokenView(APIView):
......@@ -35,19 +45,22 @@ class AccessTokenView(APIView):
permission_classes = PERMISSION_CLASSES
def put(self, request):
if request.user.idp is None:
return HttpResponse('No IdP associated', status=500)
idp = request.user.idp
if 'at' not in request.data:
return HttpResponse("Missing field 'at'", status=400)
if request.user.idp is None:
return HttpResponse("No IdP associated", status=500)
at = request.data.get('at')
try:
userinfo = request.user.idp.get_userinfo(at)
return _update_userinfo(userinfo, request.user.idp)
userinfo = idp.get_userinfo(at)
return _update_userinfo(userinfo, idp)
except HTTPError:
return HttpResponse("Error retrieving userinfo using the access token", status=500)
return HttpResponse('Error retrieving userinfo using the access token', status=500)
# UserinfoView allows an upstream client to submit a plain userinfo for updating users
......@@ -57,24 +70,15 @@ class UserinfoView(APIView):
permission_classes = PERMISSION_CLASSES
def put(self, request):
if 'userinfo' not in request.data:
return HttpResponse("Missing field 'userinfo'", status=400)
if request.user.idp is None:
return HttpResponse('No IdP associated', status=500)
idp = request.user.idp
userinfo = request.data.get('userinfo', {})
if 'sub' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'sub' field", status=400)
if 'iss' not in userinfo:
return HttpResponse("The provided userinfo does not contain the mandatory 'iss' field", status=400)
if 'userinfo' not in request.data:
return HttpResponse("Missing field 'userinfo'", status=400)
iss = userinfo.get('iss')
if iss != idp.issuer_uri:
return HttpResponse("The value of the 'iss' field does not match the associated IdPs issuer URL", status=400)
userinfo = request.data.get('userinfo')
return _update_userinfo(userinfo, idp)
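Review bot: `_update_userinfo` in the first hunk assumes `userinfo` is a mapping, but in `UserinfoView.put` (third hunk) it now arrives straight from `request.data.get('userinfo')` with no type check, so a string or list value can pass the `'iss' in userinfo` membership test and then `userinfo.get('iss')` raises AttributeError, turning a malformed upstream request into an unhandled 500 instead of the 400 every other validation branch returns. A guard at the top of `_update_userinfo`, `if not isinstance(userinfo, dict): return HttpResponse("The provided userinfo must be a JSON object", status=400)`, keeps that failure inside the validated path and covers the AccessTokenView caller too. Separately, `User.objects.get(sub=sub, idp=idp)` would raise `MultipleObjectsReturned` rather than `DoesNotExist` if (sub, idp) is not constrained unique on the model; presumably it is, but the except clause only handles the latter, so it is worth confirming. The module's imports and the class bodies continue outside these hunks.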