astakos: Fix view requests for objects whose name contains /

Astakos erroneously made assumptions about the requested redirect_uri format. This is not anyway desirable and it was also responsible for view failures under certain circumstances. This fix implements a clearer check for the requested redirect_uri without any assumption about the redirect_uri format. Refs: #4776

astakos: Fix view requests for objects whose name contains /
Astakos erroneously made assumptions about the requested redirect_uri format. This is not anyway desirable and it was also responsible for view failures under certain circumstances. This fix implements a clearer check for the requested redirect_uri without any assumption about the redirect_uri format. Refs: #4776
4d65de55 · Sofia Papagiannaki · 48f7d024 · 4d65de55 · 4d65de55
Commit 4d65de55 authored Dec 18, 2013 by Sofia Papagiannaki
--- a/snf-astakos-app/astakos/oa2/models.py
+++ b/snf-astakos-app/astakos/oa2/models.py
@@ -32,7 +32,6 @@
 # or implied, of GRNET S.A.

 import datetime
-import urlparse

 from django.db import models
 from django.utils.translation import ugettext_lazy as _
@@ -87,15 +86,12 @@ class Client(models.Model):
        return self.redirecturl_set.get().url

    def redirect_uri_is_valid(self, uri):
-        # ignore user specific uri part
-        parts = list(urlparse.urlsplit(uri))
-        path = parts[2]
-        pieces = path.rsplit('/', 3)
-        parts[2] = '/'.join(pieces[:-3]) if len(pieces) > 3 else path
-        uri = urlparse.urlunsplit(parts)
-
-        # TODO: handle trailing slashes
-        return self.redirecturl_set.filter(url=uri).count() > 0
+        for redirect_uri in self.redirecturl_set.values_list('url', flat=True):
+            if uri == redirect_uri:
+                return True
+            elif uri.startswith(redirect_uri.rstrip('/') + '/'):
+                return True
+        return False

    def get_id(self):
        return self.identifier

--- a/snf-astakos-app/astakos/oa2/tests/djangobackend.py
+++ b/snf-astakos-app/astakos/oa2/tests/djangobackend.py
@@ -377,6 +377,25 @@ class TestOA2(TestCase, URLAssertionsMixin):
        self.assertEqual(code4.state, 'csrfstate')
        self.assertEqual(code4.redirect_uri, self.client3_redirect_uri)

+        params['redirect_uri'] = '%s/more' % self.client3_redirect_uri
+        self.client.set_credentials('client3', 'secret')
+        r = self.client.authorize_code('client3', urlparams=params)
+        self.assertEqual(r.status_code, 302)
+        self.assertCount(AuthorizationCode, 5)
+
+        # redirect is valid
+        redirect5 = self.get_redirect_url(r)
+        self.assertParam(redirect5, "code")
+        self.assertParamEqual(redirect5, "state", 'csrfstate')
+        self.assertNoParam(redirect5, "extra_param")
+        self.assertHost(redirect5, "server3.com")
+        self.assertPath(redirect5, "/handle_code/more")
+
+        code4 = AuthorizationCode.objects.get(code=redirect5.params['code'][0])
+        self.assertEqual(code4.state, 'csrfstate')
+        self.assertEqual(code4.redirect_uri,
+                         '%s/more' % self.client3_redirect_uri)
+
    def test_get_token(self):
        # invalid method
        r = self.client.get(self.client.token_url)