This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Improve error checking for OIDC/SAML mapping providers #8774
Merged
Merged
Changes from all commits
Commits
Show all changes
11 commits
Select commit
Hold shift + click to select a range
1bd814e
Add additional tests for OIDC with existing users.
clokep ab04e51
Rework this to not change behavior.
clokep f9524dd
Add a newsfragment.
clokep 8501613
Remove duplicated variable.
clokep 592bd12
Clarify tests a bit more.
clokep 9436837
Move the normalization to the mapper.
clokep 613eb4d
Add some basic SAML tests.
clokep 07ba01d
Please Python 3.5.
clokep edf350e
Update the newsfragment.
clokep ffafd99
Remove SAML tests since the Docker image cannot run them.
clokep 8d21b25
Add upgrade note and improve documentation.
clokep File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
Add additional error checking for OpenID Connect and SAML mapping providers. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,7 +12,6 @@ | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
import json | ||
from urllib.parse import parse_qs, urlparse | ||
|
||
|
@@ -24,12 +23,8 @@ | |
from twisted.python.failure import Failure | ||
from twisted.web._newclient import ResponseDone | ||
|
||
from synapse.handlers.oidc_handler import ( | ||
MappingException, | ||
OidcError, | ||
OidcHandler, | ||
OidcMappingProvider, | ||
) | ||
from synapse.handlers.oidc_handler import OidcError, OidcHandler, OidcMappingProvider | ||
from synapse.handlers.sso import MappingException | ||
from synapse.types import UserID | ||
|
||
from tests.unittest import HomeserverTestCase, override_config | ||
|
@@ -132,14 +127,13 @@ def make_homeserver(self, reactor, clock): | |
|
||
config = self.default_config() | ||
config["public_baseurl"] = BASE_URL | ||
oidc_config = {} | ||
oidc_config["enabled"] = True | ||
oidc_config["client_id"] = CLIENT_ID | ||
oidc_config["client_secret"] = CLIENT_SECRET | ||
oidc_config["issuer"] = ISSUER | ||
oidc_config["scopes"] = SCOPES | ||
oidc_config["user_mapping_provider"] = { | ||
"module": __name__ + ".TestMappingProvider", | ||
oidc_config = { | ||
"enabled": True, | ||
"client_id": CLIENT_ID, | ||
"client_secret": CLIENT_SECRET, | ||
"issuer": ISSUER, | ||
"scopes": SCOPES, | ||
"user_mapping_provider": {"module": __name__ + ".TestMappingProvider"}, | ||
} | ||
|
||
# Update this config with what's in the default config so that | ||
|
@@ -705,18 +699,73 @@ def test_map_userinfo_to_user(self): | |
def test_map_userinfo_to_existing_user(self): | ||
"""Existing users can log in with OpenID Connect when allow_existing_users is True.""" | ||
store = self.hs.get_datastore() | ||
user4 = UserID.from_string("@test_user_4:test") | ||
user = UserID.from_string("@test_user:test") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There was no reason to start a |
||
self.get_success( | ||
store.register_user(user_id=user4.to_string(), password_hash=None) | ||
store.register_user(user_id=user.to_string(), password_hash=None) | ||
) | ||
userinfo = { | ||
"sub": "test4", | ||
"username": "test_user_4", | ||
"sub": "test", | ||
"username": "test_user", | ||
} | ||
token = {} | ||
mxid = self.get_success( | ||
self.handler._map_userinfo_to_user( | ||
userinfo, token, "user-agent", "10.10.10.10" | ||
) | ||
) | ||
self.assertEqual(mxid, "@test_user_4:test") | ||
self.assertEqual(mxid, "@test_user:test") | ||
|
||
# Register some non-exact matching cases. | ||
user2 = UserID.from_string("@TEST_user_2:test") | ||
self.get_success( | ||
store.register_user(user_id=user2.to_string(), password_hash=None) | ||
) | ||
user2_caps = UserID.from_string("@test_USER_2:test") | ||
self.get_success( | ||
store.register_user(user_id=user2_caps.to_string(), password_hash=None) | ||
) | ||
|
||
# Attempting to login without matching a name exactly is an error. | ||
userinfo = { | ||
"sub": "test2", | ||
"username": "TEST_USER_2", | ||
} | ||
e = self.get_failure( | ||
self.handler._map_userinfo_to_user( | ||
userinfo, token, "user-agent", "10.10.10.10" | ||
), | ||
MappingException, | ||
) | ||
self.assertTrue( | ||
str(e.value).startswith( | ||
"Attempted to login as '@TEST_USER_2:test' but it matches more than one user inexactly:" | ||
) | ||
) | ||
|
||
# Logging in when matching a name exactly should work. | ||
user2 = UserID.from_string("@TEST_USER_2:test") | ||
self.get_success( | ||
store.register_user(user_id=user2.to_string(), password_hash=None) | ||
) | ||
|
||
mxid = self.get_success( | ||
self.handler._map_userinfo_to_user( | ||
userinfo, token, "user-agent", "10.10.10.10" | ||
) | ||
) | ||
self.assertEqual(mxid, "@TEST_USER_2:test") | ||
|
||
def test_map_userinfo_to_invalid_localpart(self): | ||
"""If the mapping provider generates an invalid localpart it should be rejected.""" | ||
userinfo = { | ||
"sub": "test2", | ||
"username": "föö", | ||
} | ||
token = {} | ||
e = self.get_failure( | ||
self.handler._map_userinfo_to_user( | ||
userinfo, token, "user-agent", "10.10.10.10" | ||
), | ||
MappingException, | ||
) | ||
self.assertEqual(str(e.value), "localpart is invalid: föö") |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This got pushed into the mapping provider, which matches SAML and gives mapping providers a bit more control (e.g. the dot-replace vs. hex-encode options that SAML has).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is that a change in the mapping provider API?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The SAML mapping provider (implicitly) must provide a valid localpart. I think this was kind of the assumption with the OIDC one as well, but I'm not sure. I failed to update the documentation to make this explicit for both of them, but I meant to! 😄
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I pushed some documentation improvements (and added something to
UPGRADE.rst
). I suspect not many people have their own mapping provider, but I'm not sure.