
Commit 10f306d

committed
authorization endpoint lukwarm refactor
1 parent 088946d commit 10f306d

1 file changed

Lines changed: 32 additions & 35 deletions

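--- a/src/oidcendpoint/oidc/authorization.py
+++ b/src/oidcendpoint/oidc/authorization.py
@@ -38,7 +38,7 @@
 from oidcendpoint.user_authn.authn_context import pick_auth
 from oidcendpoint.user_info import SCOPE2CLAIMS
 
-LOGGER = logging.getLogger(__name__)
+logger = logging.getLogger(__name__)
 
 FORM_POST = """<html>
 <head>
@@ -71,7 +71,7 @@ def inputs(form_args):
 
 def max_age(request):
 cn = verified_claim_name("request")
-return request.get(cn, {}).get("max_age") or request.get("max_age", 0)
+return request.get(cn, {}).get("max_age") or request.get("max_age", 0)
 
 
 def re_authenticate(request, authn):
@@ -108,7 +108,7 @@ def verify_uri(endpoint_context, request, uri_type, client_id=None):
 _cid = request.get("client_id", client_id)
 
 if not _cid:
-LOGGER.error("No client id found")
+logger.error("No client id found")
 raise UnknownClient("No client_id provided")
 
 _redirect_uri = unquote(request[uri_type])
@@ -185,23 +185,26 @@ def get_uri(endpoint_context, request, uri_type):
 :param uri_type: 'redirect_uri' or 'post_logout_redirect_uri'
 :return: redirect_uri
 """
+uri = ""
+
 if uri_type in request:
 verify_uri(endpoint_context, request, uri_type)
 uri = request[uri_type]
 else:
-try:
-_specs = endpoint_context.cdb[str(request["client_id"])][
-"{}s".format(uri_type)
-]
-except KeyError:
-raise ParameterError("Missing {} and none registered".format(uri_type))
-else:
+
+uris = "{}s".format(uri_type)
+client_id = str(request["client_id"])
+if client_id in endpoint_context.cdb:
+_specs = endpoint_context.cdb[client_id].get(uris)
+if not _specs:
+raise ParameterError("Missing {} and none registered".format(uri_type))
+
 if len(_specs) > 1:
 raise ParameterError(
 "Missing {} and more than one registered".format(uri_type)
 )
-else:
-uri = join_query(*_specs[0])
+
+uri = join_query(*_specs[0])
 
 return uri
 
@@ -267,15 +270,15 @@ def create_authn_response(endpoint, request, sid):
 if "token" in rtype:
 _dic = _context.sdb.upgrade_to_token(issue_refresh=False, key=sid)
 
-LOGGER.debug("_dic: %s" % sanitize(_dic))
+logger.debug("_dic: %s" % sanitize(_dic))
 for key, val in _dic.items():
 if key in aresp.parameters() and val is not None:
 aresp[key] = val
 
 handled_response_type.append("token")
 
 _access_token = aresp.get("access_token", None)
-
+
 if "id_token" in request["response_type"]:
 kwargs = {}
 if {"code", "id_token", "token"}.issubset(rtype):
@@ -291,7 +294,7 @@ def create_authn_response(endpoint, request, sid):
 try:
 id_token = _context.idtoken.make(request, _sinfo, **kwargs)
 except (JWEException, NoSuitableSigningKeys) as err:
-LOGGER.warning(str(err))
+logger.warning(str(err))
 resp = AuthorizationErrorResponse(
 error="invalid_request",
 error_description="Could not sign/encrypt id_token",
@@ -374,7 +377,7 @@ def _post_parse_request(self, request, client_id, endpoint_context, **kwargs):
 :return:
 """
 if not request:
-LOGGER.debug("No AuthzRequest")
+logger.debug("No AuthzRequest")
 return AuthorizationErrorResponse(
 error="invalid_request", error_description="Can not parse AuthzRequest"
 )
@@ -383,7 +386,7 @@ def _post_parse_request(self, request, client_id, endpoint_context, **kwargs):
 
 _cinfo = endpoint_context.cdb.get(client_id)
 if not _cinfo:
-LOGGER.error(
+logger.error(
 "Client ID ({}) not in client database".format(request["client_id"])
 )
 return AuthorizationErrorResponse(
@@ -414,7 +417,7 @@ def pick_authn_method(self, request, redirect_uri, acr=None, **kwargs):
 auth_id = kwargs.get("auth_method_id")
 if auth_id:
 return self.endpoint_context.authn_broker[auth_id]
-
+
 if acr:
 res = self.endpoint_context.authn_broker.pick(acr)
 else:
@@ -462,7 +465,7 @@ def setup_auth(self, request, redirect_uri,
 identity = None
 _ts = 0
 except ToOld:
-LOGGER.info("Too old authentication")
+logger.info("Too old authentication")
 identity = None
 _ts = 0
 else:
@@ -474,22 +477,16 @@ def setup_auth(self, request, redirect_uri,
 else:
 identity = json.loads(as_unicode(_id))
 
-try:
-session = self.endpoint_context.sdb[identity["sid"]]
-except KeyError:
+session = self.endpoint_context.sdb[identity.get("sid")]
+if not session or "revoked" in session:
 identity = None
-else:
-if session is None:
-identity = None
-elif "revoked" in session:
-identity = None
 
 authn_args = authn_args_gather(request, authn_class_ref,
 cinfo, **kwargs)
 
 # To authenticate or Not
 if identity is None: # No!
-LOGGER.info("No active authentication")
+logger.info("No active authentication")
 if "prompt" in request and "none" in request["prompt"]:
 # Need to authenticate but not allowed
 return {
@@ -500,7 +497,7 @@ def setup_auth(self, request, redirect_uri,
 else:
 return {"function": authn, "args": authn_args}
 else:
-LOGGER.info("Active authentication")
+logger.info("Active authentication")
 if re_authenticate(request, authn):
 # demand re-authentication
 return {"function": authn, "args": authn_args}
@@ -516,7 +513,7 @@ def setup_auth(self, request, redirect_uri,
 sids[-1]
 ).uid
 ):
-LOGGER.debug("Wanted to be someone else!")
+logger.debug("Wanted to be someone else!")
 if "prompt" in request and "none" in request["prompt"]:
 # Need to authenticate but not allowed
 return {
@@ -610,7 +607,7 @@ def post_authentication(self, user, request, sid, **kwargs):
 response_info, "server_error", "{}".format(err.args)
 )
 
-LOGGER.debug("response type: %s" % request["response_type"])
+logger.debug("response type: %s" % request["response_type"])
 
 if self.endpoint_context.sdb.is_session_revoked(sid):
 return self.error_response(
@@ -694,7 +691,7 @@ def authz_part2(self, user, authn_event, request, **kwargs):
 
 opbs = session_cookie[ec.cookie_name["session_management"]]
 
-LOGGER.debug("compute_session_state: client_id=%s, origin=%s, opbs=%s, salt=%s",
+logger.debug("compute_session_state: client_id=%s, origin=%s, opbs=%s, salt=%s",
 request["client_id"], resp_info["return_uri"], opbs.value, salt)
 
 _session_state = compute_session_state(
@@ -753,8 +750,8 @@ def process_request(self, request_info=None, **kwargs):
 
 _function = info.get("function")
 if not _function:
-LOGGER.debug("- authenticated -")
-LOGGER.debug("AREQ keys: %s" % request_info.keys())
+logger.debug("- authenticated -")
+logger.debug("AREQ keys: %s" % request_info.keys())
 res = self.authz_part2(
 info["user"], info["authn_event"],
 request_info, cookie=cookie
@@ -768,5 +765,5 @@ def process_request(self, request_info=None, **kwargs):
 "return_uri": request_info["redirect_uri"],
 }
 except Exception as err:
-LOGGER.exception(err)
+logger.exception(err)
 return {"http_response": "Internal error: {}".format(err)}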
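Review bot: In the setup_auth hunk (`@@ -474,22 +477,16 @@`) the `except KeyError` around the session lookup is dropped, so `session = self.endpoint_context.sdb[identity.get("sid")]` now lets a KeyError escape when the cookie carries a sid the session store no longer holds, or carries no "sid" at all and the lookup is made with None; the removed lines show the old code expected exactly that KeyError. Unless sdb's item access is known to return None for unknown keys, which this page does not show, a stale or tampered session cookie would no longer take the "No active authentication" path but surface as the generic "Internal error" that process_request returns from its `except Exception`. Keeping the guard next to the simplified condition is a small change, shown below. The get_uri hunk has a related quiet change worth a comment: a client_id absent from cdb now falls through to the new `uri = ""` initialiser and returns an empty string where the old code raised ParameterError, so callers that relied on the exception should be checked. setup_auth's body starts and ends outside the hunk.
```python
# … unchanged: identity = json.loads(as_unicode(_id)) …
try:
    session = self.endpoint_context.sdb[identity.get("sid")]
except KeyError:
    # unknown or missing sid: treat as no active session, as before
    session = None
if not session or "revoked" in session:
    identity = None
# … unchanged: authn_args_gather and the prompt handling …
```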
