fm-orchestrator

Clone
Source Code
GIT

#1445 Raise Unathorized exception instead of general one whenever OIDC auth fails
Merged 4 years ago by vmaljulin. Opened 4 years ago by vmaljulin.
vmaljulin/fm-orchestrator FACTORY-3904  into  master

file modified
+7 -7 
@@ -121,10 +121,10 @@ 
 

  

      try:
 

          extended_data = _get_user_info(token)
 

-     except Exception as e:
 

-         error = "Cannot verify determine user groups:  %s" % str(e)
 

+     except Exception:
 

+         error = "OpenIDC auth error: Cannot determine the user's groups"
 

          log.exception(error)
 

-         raise Exception(error)
 

+         raise Unauthorized(error)
 

  

      username = data["username"]
 

      # If the user is part of the whitelist, then the group membership check is skipped
 
@@ -133,10 +133,10 @@ 
 

      else:
 

          try:
 

              groups = set(extended_data["groups"])
 

-         except Exception as e:
 

-             error = "Could not find groups in UserInfo from OIDC %s" % str(e)
 

-             log.exception(extended_data)
 

-             raise Exception(error)
 

+         except Exception:
 

+             error = "Could not find groups in UserInfo from OIDC"
 

+             log.exception("%s (extended_data: %s)", error, extended_data)
 

+             raise Unauthorized(error)
 

  

      return username, groups

file modified
+34 -1 
@@ -3,6 +3,7 @@ 
 

  from os import path, environ
 

  

  import pytest
 

+ import requests
 

  import mock
 

  from mock import patch, PropertyMock, Mock
 

  import kerberos
 
@@ -45,7 +46,7 @@ 
 

              mocked_get_token_info = {
 

                  "active": False,
 

                  "username": name,
 

-                 "scope": ("openid https://id.fedoraproject.org/scope/groups mbs-scope"),
 

+                 "scope": "openid https://id.fedoraproject.org/scope/groups mbs-scope"
 

              }
 

              get_token_info.return_value = mocked_get_token_info
 

  
@@ -63,6 +64,38 @@ 
 

                      module_build_service.auth.get_user(request)
 

                  assert str(cm.value) == "OIDC token invalid or expired."
 

  

+     @patch("module_build_service.auth._get_token_info")
 

+     @patch("module_build_service.auth._get_user_info")
 

+     def test_get_user_not_in_groups(self, get_user_info, get_token_info):
 

+         base_dir = path.abspath(path.dirname(__file__))
 

+         client_secrets = path.join(base_dir, "client_secrets.json")
 

+         with patch.dict(
 

+             "module_build_service.app.config",
 

+             {"OIDC_CLIENT_SECRETS": client_secrets, "OIDC_REQUIRED_SCOPE": "mbs-scope"},
 

+         ):
 

+             # https://www.youtube.com/watch?v=G-LtddOgUCE
 

+             name = "Joey Jo Jo Junior Shabadoo"
 

+             mocked_get_token_info = {
 

+                 "active": True,
 

+                 "username": name,
 

+                 "scope": "openid https://id.fedoraproject.org/scope/groups mbs-scope"
 

+             }
 

+             get_token_info.return_value = mocked_get_token_info
 

+ 

+             get_user_info.side_effect = requests.Timeout("It happens...")
 

+ 

+             headers = {"authorization": "Bearer foobar"}
 

+             request = mock.MagicMock()
 

+             request.headers.return_value = mock.MagicMock(spec_set=dict)
 

+             request.headers.__getitem__.side_effect = headers.__getitem__
 

+             request.headers.__setitem__.side_effect = headers.__setitem__
 

+             request.headers.__contains__.side_effect = headers.__contains__
 

+ 

+             with pytest.raises(module_build_service.errors.Unauthorized) as cm:
 

+                 with app.app_context():
 

+                     module_build_service.auth.get_user(request)
 

+                 assert str(cm.value) == "OpenIDC auth error: Cannot determine the user's groups"
 

+ 

      @pytest.mark.parametrize("allowed_users", (set(), {"Joey Jo Jo Junior Shabadoo"}))
 

      @patch.object(mbs_config.Config, "allowed_users", new_callable=PropertyMock)
 

      @patch("module_build_service.auth._get_token_info")

This fixes #1147

Could you make this log.exception(error) instead? Using log.exception will automatically show the traceback and the original error message, so there's no need to duplicate it.

Same as above

Could you please add a unit test?

rebased onto f2e28541d7d5fe92a7c6f5f2a516d2b8b6930dfd
4 years ago

Build #446 failed (commit: f2e28541d7d5fe92a7c6f5f2a516d2b8b6930dfd).
Rebase or make new commits to rebuild.

rebased onto da369152e616a6d950c0275600571fd8dcab49da
4 years ago

rebased onto 496517b8bd544e0e7bc682171048d90632c60aa3
4 years ago

Comments were addressed

Build #460 failed (commit: 496517b8bd544e0e7bc682171048d90632c60aa3).
Rebase or make new commits to rebuild.

rebased onto ee0b0f73ce896fae00c81614849f3f7511fda0b4
4 years ago

Build #462 failed (commit: ee0b0f73ce896fae00c81614849f3f7511fda0b4).
Rebase or make new commits to rebuild.

Could you remove these parentheses?

Please use double quotes to match the style guide

@vmaljulin a couple of minor style changes necessary. Otherwise it looks good. It can be merged afterwards.

rebased onto 5fdba78923440c4f42606d0050b02fde4e4e208e
4 years ago

rebased onto 2c02919
4 years ago

@vmaljulin a couple of minor style changes necessary. Otherwise it looks good. It can be merged afterwards.

Done

Pull-Request has been merged by vmaljulin
4 years ago
Metadata
None
No Tags
Flags
jenkins
success (100%)
Build #1146 successful (commit: 2c029198)
4 years ago
jenkins
success (100%)
Build #1145 successful (commit: 2c029198)
4 years ago
jenkins
success (100%)
Build #1138 successful (commit: ee0b0f73)
4 years ago
c3i-jenkins
failure
Build #462 failed (commit: ee0b0f73)
4 years ago
jenkins
failure
Build #1135 failed (commit: 496517b8)
4 years ago
jenkins
failure
Build #1134 failed (commit: 496517b8)
4 years ago
c3i-jenkins
failure
Build #460 failed (commit: 496517b8)
4 years ago
c3i-jenkins
failure
Build #446 failed (commit: f2e28541)
4 years ago
jenkins
failure
Build #1115 failed (commit: f2e28541)
4 years ago
jenkins
success (100%)
Build #1113 successful (commit: 74544279)
4 years ago
c3i-jenkins
success (100%)
Build #444 successful (commit: 74544279)
4 years ago
Changes Summary 2
+7 -7
file changed
module_build_service/auth.py
+34 -1
file changed
tests/test_auth.py
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.