SSO discovery revisited #1080
SSO discovery revisited #1080
Conversation
| """ | ||
| Only throttle unauthenticated requests. | ||
| """ | ||
| if view.is_unprivileged_query(request, view.kwargs[u'username']): |
There was a problem hiding this comment.
Maybe the throttle should be in place to privileged queries as well? The issue I see right now is that a someone can just create a regular user account and get past the throttle. So this should either check for staff users or throttle all queries
There was a problem hiding this comment.
I didn't want to mess to much with existing queries. The current definition of an "unprivileged" query is one where a non-staff user is requesting information about someone else, or an unauthenticated user is requesting any information. The primary purpose of the throttle is to keep people from using this endpoint to scrape information about a broad number of users. The scenario you present would allow the user to request information about themselves all day long, but they would still be throttled trying to get everyone else's information. I think a general-purpose throttle on api usage is not what we need here, and would be better implemented as part of a general site policy.
There was a problem hiding this comment.
Fair enough! I think I misunderstood something here. Your approach seems entirely reasonable.
lms/envs/aws.py
Outdated
| @@ -668,7 +668,7 @@ | |||
| ORA2_FILE_PREFIX = ENV_TOKENS.get("ORA2_FILE_PREFIX", ORA2_FILE_PREFIX) | |||
|
|
|||
| ##### ACCOUNT LOCKOUT DEFAULT PARAMETERS ##### | |||
| MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED = ENV_TOKENS.get("MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED", 5) | |||
| MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED = ENV_TOKENS.https://www.google.com/l?q=logging+service&oq=logging+service&aqs=chrome..69i57j0l5.7484j1j4&sourceid=chrome&ie=UTF-8get("MAX_FAILED_LOGIN_ATTEMPTS_ALLOWED", 5) | |||
There was a problem hiding this comment.
Yep. My middle mouse button does double duty as paster and trackpoint scroll, so sometimes it pastes things when I'm trying to scroll. Glad it was just a google search. :D
| """ | ||
| Return True if a non-superuser requests information about another user. | ||
| """ | ||
| if request.user.username != username: |
There was a problem hiding this comment.
This will also need adjustment to check if the request user email matches the requested email.
f1bc614 to
58a65fc
Compare
|
@xitij2000 This is ready for another review. |
| with patch.object(ThirdPartyAuthProviderApiPermission, 'has_permission', return_value=token_permission): | ||
| response = self.client.get(url) | ||
| self.assertEqual(response.status_code, expect) | ||
|
|
There was a problem hiding this comment.
Have you removed these tests on purpose? Is that needed?
| @@ -142,7 +142,9 @@ def is_unprivileged_query(self, request, username): | |||
| """ | |||
| Return True if a non-superuser requests information about another user. | |||
| """ | |||
| if request.user.username != username: | |||
| # AnonymousUser does not have an email attribute, so fall back to something | |||
| # that will never comapre equal to username. | |||
|
|
||
|
|
||
| PROVIDER_PATTERN = r'(?P<provider_id>[\w.+-]+)(?:\:(?P<idp_slug>[\w.+-]+))?' | ||
|
|
||
| urlpatterns = patterns( | ||
| '', | ||
| url(r'^v0/users/(?P<identifier>[^/]+)/providers/$', ProviderView.as_view(), name='third_party_auth_providers_api'), | ||
| url( | ||
| r'^v0/users/{username_pattern}$'.format(username_pattern=settings.USERNAME_PATTERN), |
There was a problem hiding this comment.
Will need to support email pattern here as well.
There was a problem hiding this comment.
I think this is covered by the existing pattern. Note that @, ., and + are all included:
From lms/envs/common.py
USERNAME_REGEX_PARTIAL = r'[\w .@_+-]+'
USERNAME_PATTERN = r'(?P<username>{regex})'.format(regex=USERNAME_REGEX_PARTIAL)There was a problem hiding this comment.
Hmm. I thought it was configurable, but it doesn't seem to be, so I guess it's OK.
|
Issues addressed. Tests are running again. |
abd7b54 to
1e7e7f0
Compare
a43daf8 to
1e7e7f0
Compare
|
@jcdyer I think there is just one very minor PEP8 fix left. |
1e7e7f0 to
90f0394
Compare
|
Fixed and squashed. Will merge after CI finishes. |
Make SSO provider discovery use the same endpoint as the existing request. Gate unprivileged rquests with a setting. Revises work done in #1047.
JIRA tickets: Fixes OC-4285
Discussions: See OC-4285
Dependencies: None
Screenshots:
Sandbox URL: TBD - sandbox is being provisioned.
Merge deadline: ?
Testing instructions:
Author notes and concerns:
Reviewers
FYI: @bradenmacdonald
Settings