Commit 4d65de55 authored by Sofia Papagiannaki's avatar Sofia Papagiannaki

astakos: Fix view requests for objects whose name contains /

Astakos erroneously made assumptions about the requested redirect_uri format.
This was undesirable in itself, and it also caused view failures
under certain circumstances.
This fix implements a clearer check for the requested redirect_uri without
any assumption about the redirect_uri format.

Refs: #4776
parent 48f7d024
......@@ -32,7 +32,6 @@
# or implied, of GRNET S.A.
import datetime
import urlparse
from django.db import models
from django.utils.translation import ugettext_lazy as _
......@@ -87,15 +86,12 @@ class Client(models.Model):
return self.redirecturl_set.get().url
def redirect_uri_is_valid(self, uri):
# ignore user specific uri part
parts = list(urlparse.urlsplit(uri))
path = parts[2]
pieces = path.rsplit('/', 3)
parts[2] = '/'.join(pieces[:-3]) if len(pieces) > 3 else path
uri = urlparse.urlunsplit(parts)
# TODO: handle trailing slashes
return self.redirecturl_set.filter(url=uri).count() > 0
for redirect_uri in self.redirecturl_set.values_list('url', flat=True):
if uri == redirect_uri:
return True
elif uri.startswith(redirect_uri.rstrip('/') + '/'):
return True
return False
def get_id(self):
return self.identifier
......
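Review bot: The prefix test at `uri.startswith(redirect_uri.rstrip('/') + '/')` is a raw string comparison on the unparsed request, so a requested `https://server3.com/handle_code/../../other` passes and the browser resolves it to a different path on the registered host, and any query string or fragment placed after the prefix is accepted as well; OAuth 2.0 guidance is to compare redirect URIs exactly, or, where a path prefix must be allowed, to compare scheme and host exactly and only the normalized path as a prefix. Because the first hunk drops `import urlparse`, parsing the requested URI as sketched below needs that import restored. Whether query strings and fragments on the requested URI are meant to be allowed is not stated anywhere in the hunk; the method should say so in a comment so the next change does not silently widen the rule. The commit description's "clearer check" claim holds for trailing slashes but not for these cases.
```python
    def redirect_uri_is_valid(self, uri):
        # Scheme and host must match a registered URI exactly; the registered
        # path may only be a prefix of the requested one, and dot-segments are
        # refused so the browser cannot resolve the redirect to another path
        # on the registered host.
        requested = urlparse.urlsplit(uri)
        if '..' in requested.path.split('/'):
            return False
        for redirect_uri in self.redirecturl_set.values_list('url', flat=True):
            registered = urlparse.urlsplit(redirect_uri)
            if (requested.scheme, requested.netloc) != (registered.scheme, registered.netloc):
                continue
            if uri == redirect_uri:
                return True
            if requested.path.startswith(registered.path.rstrip('/') + '/'):
                return True
        return False
```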
......@@ -377,6 +377,25 @@ class TestOA2(TestCase, URLAssertionsMixin):
self.assertEqual(code4.state, 'csrfstate')
self.assertEqual(code4.redirect_uri, self.client3_redirect_uri)
params['redirect_uri'] = '%s/more' % self.client3_redirect_uri
self.client.set_credentials('client3', 'secret')
r = self.client.authorize_code('client3', urlparams=params)
self.assertEqual(r.status_code, 302)
self.assertCount(AuthorizationCode, 5)
# redirect is valid
redirect5 = self.get_redirect_url(r)
self.assertParam(redirect5, "code")
self.assertParamEqual(redirect5, "state", 'csrfstate')
self.assertNoParam(redirect5, "extra_param")
self.assertHost(redirect5, "server3.com")
self.assertPath(redirect5, "/handle_code/more")
code4 = AuthorizationCode.objects.get(code=redirect5.params['code'][0])
self.assertEqual(code4.state, 'csrfstate')
self.assertEqual(code4.redirect_uri,
'%s/more' % self.client3_redirect_uri)
def test_get_token(self):
# invalid method
r = self.client.get(self.client.token_url)
......
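Review bot: The assertions from `params['redirect_uri'] = '%s/more' % self.client3_redirect_uri` to the final `assertEqual` exercise only the accepting path of `redirect_uri_is_valid`; nothing checks that a URI the prefix rule must refuse is refused, which is the property that keeps the authorization code from being delivered elsewhere. Add a negative case directly after this block, e.g. `params['redirect_uri'] = '%s_evil' % self.client3_redirect_uri`, then `r = self.client.authorize_code('client3', urlparams=params)` and `self.assertCount(AuthorizationCode, 5)` (plus whatever status the view returns for a rejected redirect_uri, which this hunk does not show), and a similar one using `'%s/../x' % self.client3_redirect_uri` on the same host. As a style point, the second `code4 = AuthorizationCode.objects.get(...)` rebinds the name asserted on a few lines earlier; `code5` would match `redirect5`. The enclosing test method starts above the hunk.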