Merge

rohe · rohe · commit 30250dc40e41 · 2019-12-10T15:38:09.000+01:00
diff --git a/flask_rp/application.py b/flask_rp/application.py
@@ -1,4 +1,5 @@
 import os
+import re
 
 from cryptojwt import KeyJar
 from cryptojwt.key_jar import init_key_jar
@@ -23,16 +24,15 @@ def init_oidc_rp_handler(app):
     if rp_keys_conf:
         _kj = init_key_jar(**rp_keys_conf)
         _path = rp_keys_conf['public_path']
-        if _path.startswith('./'):
-            _path = _path[2:]
-        elif _path.startswith('/'):
-            _path = _path[1:]
+        # replaces ./ and / from the begin of the string
+        _path = re.sub('^(.)/', '', _path)
     else:
         _kj = KeyJar()
         _path = ''
     _kj.verify_ssl = verify_ssl
 
-    rph = RPHandler(base_url=app.config.get('BASEURL'), hash_seed=hash_seed,
+    rph = RPHandler(base_url=app.config.get('BASEURL'),
+                    hash_seed=hash_seed,
                     keyjar=_kj, jwks_path=_path,
                     client_configs=app.config.get('CLIENTS'),
                     services=app.config.get('SERVICES'),
diff --git a/flask_rp/views.py b/flask_rp/views.py
@@ -10,6 +10,7 @@
 from flask import session
 from flask.helpers import make_response
 from flask.helpers import send_from_directory
+from oidcservice.exception import OidcServiceError
 
 import oidcrp
 
@@ -91,21 +92,31 @@ def get_rp(op_hash):
 def finalize(op_hash, request_args):
     rp = get_rp(op_hash)
 
-    try:
-        session['client_id'] = rp.service_context.registration_response['client_id']
-    except KeyError:
-        session['client_id'] = rp.service_context.client_id
+    if hasattr(rp, 'status_code') and rp.status_code != 200:
+        logger.error(rp.response[0].decode())
+        return rp.response[0], rp.status_code
 
-    session['state'] = request_args['state']
-    try:
-        iss = rp.session_interface.get_iss(request_args['state'])
-    except KeyError:
+    session['client_id'] = rp.service_context.registration_response.\
+                            get('client_id', rp.service_context.client_id)
+
+    session['state'] = request_args.get('state')
+
+    if session['state']:
+        iss = rp.session_interface.get_iss(session['state'])
+    else:
         return make_response('Unknown state', 400)
 
     session['session_state'] = request_args.get('session_state', '')
 
     logger.debug('Issuer: {}'.format(iss))
-    res = current_app.rph.finalize(iss, request_args)
+
+    try:
+        res = current_app.rph.finalize(iss, request_args)
+    except OidcServiceError as excp:
+        # replay attack prevention, is that code was already used before
+        return excp.__str__(), 403
+    except Exception as excp:
+        raise excp
 
     if 'userinfo' in res:
         endpoints = {}
