providers/oauth2: fix end-session view not working, add tests
This commit is contained in:
parent
cba78b4de7
commit
2c2226610e
|
@ -33,6 +33,7 @@ from passbook.providers.oauth2.models import (
|
||||||
)
|
)
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
APPLICATION_SLUG = "grafana"
|
||||||
|
|
||||||
|
|
||||||
@skipUnless(platform.startswith("linux"), "requires local docker")
|
@skipUnless(platform.startswith("linux"), "requires local docker")
|
||||||
|
@ -69,6 +70,12 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
"GF_AUTH_GENERIC_OAUTH_API_URL": (
|
"GF_AUTH_GENERIC_OAUTH_API_URL": (
|
||||||
self.url("passbook_providers_oauth2:userinfo")
|
self.url("passbook_providers_oauth2:userinfo")
|
||||||
),
|
),
|
||||||
|
"GF_AUTH_SIGNOUT_REDIRECT_URL": (
|
||||||
|
self.url(
|
||||||
|
"passbook_providers_oauth2:end-session",
|
||||||
|
application_slug=APPLICATION_SLUG,
|
||||||
|
)
|
||||||
|
),
|
||||||
"GF_LOG_LEVEL": "debug",
|
"GF_LOG_LEVEL": "debug",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
@ -97,7 +104,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
)
|
)
|
||||||
provider.save()
|
provider.save()
|
||||||
Application.objects.create(
|
Application.objects.create(
|
||||||
name="Grafana", slug="grafana", provider=provider,
|
name="Grafana", slug=APPLICATION_SLUG, provider=provider,
|
||||||
)
|
)
|
||||||
|
|
||||||
self.driver.get("http://localhost:3000")
|
self.driver.get("http://localhost:3000")
|
||||||
|
@ -137,7 +144,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
)
|
)
|
||||||
provider.save()
|
provider.save()
|
||||||
Application.objects.create(
|
Application.objects.create(
|
||||||
name="Grafana", slug="grafana", provider=provider,
|
name="Grafana", slug=APPLICATION_SLUG, provider=provider,
|
||||||
)
|
)
|
||||||
|
|
||||||
self.driver.get("http://localhost:3000")
|
self.driver.get("http://localhost:3000")
|
||||||
|
@ -171,6 +178,72 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
USER().email,
|
USER().email,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_authorization_logout(self):
|
||||||
|
"""test OpenID Provider flow with logout"""
|
||||||
|
sleep(1)
|
||||||
|
# Bootstrap all needed objects
|
||||||
|
authorization_flow = Flow.objects.get(
|
||||||
|
slug="default-provider-authorization-implicit-consent"
|
||||||
|
)
|
||||||
|
provider = OAuth2Provider.objects.create(
|
||||||
|
name="grafana",
|
||||||
|
client_type=ClientTypes.CONFIDENTIAL,
|
||||||
|
client_id=self.client_id,
|
||||||
|
client_secret=self.client_secret,
|
||||||
|
rsa_key=CertificateKeyPair.objects.first(),
|
||||||
|
redirect_uris="http://localhost:3000/login/generic_oauth",
|
||||||
|
authorization_flow=authorization_flow,
|
||||||
|
response_type=ResponseTypes.CODE,
|
||||||
|
)
|
||||||
|
provider.property_mappings.set(
|
||||||
|
ScopeMapping.objects.filter(
|
||||||
|
scope_name__in=[SCOPE_OPENID, SCOPE_OPENID_EMAIL, SCOPE_OPENID_PROFILE]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
provider.save()
|
||||||
|
Application.objects.create(
|
||||||
|
name="Grafana", slug=APPLICATION_SLUG, provider=provider,
|
||||||
|
)
|
||||||
|
|
||||||
|
self.driver.get("http://localhost:3000")
|
||||||
|
self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
|
||||||
|
self.driver.find_element(By.ID, "id_uid_field").click()
|
||||||
|
self.driver.find_element(By.ID, "id_uid_field").send_keys(USER().username)
|
||||||
|
self.driver.find_element(By.ID, "id_uid_field").send_keys(Keys.ENTER)
|
||||||
|
self.driver.find_element(By.ID, "id_password").send_keys(USER().username)
|
||||||
|
self.driver.find_element(By.ID, "id_password").send_keys(Keys.ENTER)
|
||||||
|
self.driver.find_element(By.XPATH, "//a[contains(@href, '/profile')]").click()
|
||||||
|
self.assertEqual(
|
||||||
|
self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
|
||||||
|
USER().name,
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute(
|
||||||
|
"value"
|
||||||
|
),
|
||||||
|
USER().name,
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
self.driver.find_element(
|
||||||
|
By.CSS_SELECTOR, "input[name=email]"
|
||||||
|
).get_attribute("value"),
|
||||||
|
USER().email,
|
||||||
|
)
|
||||||
|
self.assertEqual(
|
||||||
|
self.driver.find_element(
|
||||||
|
By.CSS_SELECTOR, "input[name=login]"
|
||||||
|
).get_attribute("value"),
|
||||||
|
USER().email,
|
||||||
|
)
|
||||||
|
self.driver.find_element(By.CSS_SELECTOR, "[href='/logout']").click()
|
||||||
|
self.wait_for_url(
|
||||||
|
self.url(
|
||||||
|
"passbook_providers_oauth2:end-session",
|
||||||
|
application_slug=APPLICATION_SLUG,
|
||||||
|
)
|
||||||
|
)
|
||||||
|
self.driver.find_element(By.ID, "logout").click()
|
||||||
|
|
||||||
def test_authorization_consent_explicit(self):
|
def test_authorization_consent_explicit(self):
|
||||||
"""test OpenID Provider flow (default authorization flow with explicit consent)"""
|
"""test OpenID Provider flow (default authorization flow with explicit consent)"""
|
||||||
sleep(1)
|
sleep(1)
|
||||||
|
@ -195,7 +268,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
)
|
)
|
||||||
provider.save()
|
provider.save()
|
||||||
app = Application.objects.create(
|
app = Application.objects.create(
|
||||||
name="Grafana", slug="grafana", provider=provider,
|
name="Grafana", slug=APPLICATION_SLUG, provider=provider,
|
||||||
)
|
)
|
||||||
|
|
||||||
self.driver.get("http://localhost:3000")
|
self.driver.get("http://localhost:3000")
|
||||||
|
@ -271,7 +344,7 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
|
||||||
)
|
)
|
||||||
provider.save()
|
provider.save()
|
||||||
app = Application.objects.create(
|
app = Application.objects.create(
|
||||||
name="Grafana", slug="grafana", provider=provider,
|
name="Grafana", slug=APPLICATION_SLUG, provider=provider,
|
||||||
)
|
)
|
||||||
|
|
||||||
negative_policy = ExpressionPolicy.objects.create(
|
negative_policy = ExpressionPolicy.objects.create(
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
{% extends 'login/base_full.html' %}
|
||||||
|
|
||||||
|
{% load static %}
|
||||||
|
{% load i18n %}
|
||||||
|
{% load passbook_utils %}
|
||||||
|
|
||||||
|
{% block title %}
|
||||||
|
{% trans 'End session' %}
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
{% block card_title %}
|
||||||
|
{% blocktrans with application=application.name %}
|
||||||
|
You've logged out of {{ application }}.
|
||||||
|
{% endblocktrans %}
|
||||||
|
{% endblock %}
|
||||||
|
|
||||||
|
{% block card %}
|
||||||
|
<form method="POST" class="pf-c-form">
|
||||||
|
{% if message %}
|
||||||
|
<h3>{% trans message %}</h3>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
<a id="pb-back-home" href="{% url 'passbook_core:overview' %}" class="pf-c-button pf-m-primary">{% trans 'Go back to passbook' %}</a>
|
||||||
|
|
||||||
|
<a id="logout" href="{% url 'passbook_flows:default-invalidation' %}" class="pf-c-button pf-m-secondary">{% trans 'Log out of passbook' %}</a>
|
||||||
|
|
||||||
|
{% if application.get_launch_url %}
|
||||||
|
<a href="{{ application.get_launch_url }}" class="pf-c-button pf-m-secondary">
|
||||||
|
{% blocktrans with application=application.name %}
|
||||||
|
Log back into {{ application }}
|
||||||
|
{% endblocktrans %}
|
||||||
|
</a>
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
</form>
|
||||||
|
{% endblock %}
|
|
@ -20,12 +20,16 @@ urlpatterns = [
|
||||||
csrf_exempt(protected_resource_view([SCOPE_OPENID])(UserInfoView.as_view())),
|
csrf_exempt(protected_resource_view([SCOPE_OPENID])(UserInfoView.as_view())),
|
||||||
name="userinfo",
|
name="userinfo",
|
||||||
),
|
),
|
||||||
path("end-session/", EndSessionView.as_view(), name="end-session",),
|
|
||||||
path(
|
path(
|
||||||
"introspect/",
|
"introspect/",
|
||||||
csrf_exempt(TokenIntrospectionView.as_view()),
|
csrf_exempt(TokenIntrospectionView.as_view()),
|
||||||
name="token-introspection",
|
name="token-introspection",
|
||||||
),
|
),
|
||||||
|
path(
|
||||||
|
"<slug:application_slug>/end-session/",
|
||||||
|
EndSessionView.as_view(),
|
||||||
|
name="end-session",
|
||||||
|
),
|
||||||
path("<slug:application_slug>/jwks/", JWKSView.as_view(), name="jwks"),
|
path("<slug:application_slug>/jwks/", JWKSView.as_view(), name="jwks"),
|
||||||
path(
|
path(
|
||||||
"<slug:application_slug>/.well-known/openid-configuration",
|
"<slug:application_slug>/.well-known/openid-configuration",
|
||||||
|
|
|
@ -32,7 +32,10 @@ class ProviderInfoView(View):
|
||||||
reverse("passbook_providers_oauth2:userinfo")
|
reverse("passbook_providers_oauth2:userinfo")
|
||||||
),
|
),
|
||||||
"end_session_endpoint": self.request.build_absolute_uri(
|
"end_session_endpoint": self.request.build_absolute_uri(
|
||||||
reverse("passbook_providers_oauth2:end-session")
|
reverse(
|
||||||
|
"passbook_providers_oauth2:end-session",
|
||||||
|
kwargs={"application_slug": provider.application.slug},
|
||||||
|
)
|
||||||
),
|
),
|
||||||
"introspection_endpoint": self.request.build_absolute_uri(
|
"introspection_endpoint": self.request.build_absolute_uri(
|
||||||
reverse("passbook_providers_oauth2:token-introspection")
|
reverse("passbook_providers_oauth2:token-introspection")
|
||||||
|
|
|
@ -1,45 +1,22 @@
|
||||||
"""passbook OAuth2 Session Views"""
|
"""passbook OAuth2 Session Views"""
|
||||||
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
|
from typing import Any, Dict
|
||||||
|
|
||||||
from django.contrib.auth.views import LogoutView
|
|
||||||
from django.http import HttpRequest, HttpResponse
|
|
||||||
from django.shortcuts import get_object_or_404
|
from django.shortcuts import get_object_or_404
|
||||||
|
from django.views.generic.base import TemplateView
|
||||||
|
|
||||||
from passbook.core.models import Application
|
from passbook.core.models import Application
|
||||||
from passbook.providers.oauth2.models import OAuth2Provider
|
|
||||||
from passbook.providers.oauth2.utils import client_id_from_id_token
|
|
||||||
|
|
||||||
|
|
||||||
class EndSessionView(LogoutView):
|
class EndSessionView(TemplateView):
|
||||||
"""Allow the client to end the Session"""
|
"""Allow the client to end the Session"""
|
||||||
|
|
||||||
def dispatch(
|
template_name = "providers/oauth2/end_session.html"
|
||||||
self, request: HttpRequest, application_slug: str, *args, **kwargs
|
|
||||||
) -> HttpResponse:
|
|
||||||
|
|
||||||
application = get_object_or_404(Application, slug=application_slug)
|
def get_context_data(self, **kwargs: Any) -> Dict[str, Any]:
|
||||||
provider: OAuth2Provider = get_object_or_404(
|
context = super().get_context_data(**kwargs)
|
||||||
OAuth2Provider, pk=application.provider_id
|
|
||||||
|
context["application"] = get_object_or_404(
|
||||||
|
Application, slug=self.kwargs["application_slug"]
|
||||||
)
|
)
|
||||||
|
|
||||||
id_token_hint = request.GET.get("id_token_hint", "")
|
return context
|
||||||
post_logout_redirect_uri = request.GET.get("post_logout_redirect_uri", "")
|
|
||||||
state = request.GET.get("state", "")
|
|
||||||
|
|
||||||
if id_token_hint:
|
|
||||||
client_id = client_id_from_id_token(id_token_hint)
|
|
||||||
try:
|
|
||||||
provider = OAuth2Provider.objects.get(client_id=client_id)
|
|
||||||
if post_logout_redirect_uri in provider.post_logout_redirect_uris:
|
|
||||||
if state:
|
|
||||||
uri = urlsplit(post_logout_redirect_uri)
|
|
||||||
query_params = parse_qs(uri.query)
|
|
||||||
query_params["state"] = state
|
|
||||||
uri = uri._replace(query=urlencode(query_params, doseq=True))
|
|
||||||
self.next_page = urlunsplit(uri)
|
|
||||||
else:
|
|
||||||
self.next_page = post_logout_redirect_uri
|
|
||||||
except OAuth2Provider.DoesNotExist:
|
|
||||||
pass
|
|
||||||
|
|
||||||
return super().dispatch(request, *args, **kwargs)
|
|
||||||
|
|
Reference in a new issue