|
10 | 10 | from flask import session |
11 | 11 | from flask.helpers import make_response |
12 | 12 | from flask.helpers import send_from_directory |
| 13 | +from oidcservice.exception import OidcServiceError |
13 | 14 |
|
14 | 15 | import oidcrp |
15 | 16 |
|
@@ -90,49 +91,54 @@ def get_rp(op_hash): |
90 | 91 |
|
91 | 92 | def finalize(op_hash, request_args): |
92 | 93 | rp = get_rp(op_hash) |
93 | | - try: |
94 | | - session['client_id'] = rp.service_context.registration_response['client_id'] |
95 | | - except KeyError: |
96 | | - session['client_id'] = rp.service_context.client_id |
97 | 94 |
|
98 | | - session['state'] = request_args['state'] |
99 | | - try: |
100 | | - iss = rp.session_interface.get_iss(request_args['state']) |
101 | | - except KeyError: |
102 | | - return make_response('Unknown state', 400) |
| 95 | + if hasattr(rp, 'status_code') and rp.status_code != 200: |
| 96 | + logger.error(rp.response[0].decode()) |
| 97 | + return rp.response[0], rp.status_code |
103 | 98 |
|
104 | | - try: |
105 | | - session['session_state'] = request_args['session_state'] |
106 | | - except KeyError: |
107 | | - session['session_state'] = '' |
| 99 | + session['client_id'] = rp.service_context.registration_response.\ |
| 100 | + get('client_id', rp.service_context.client_id) |
| 101 | + |
| 102 | + session['state'] = request_args.get('state') |
| 103 | + |
| 104 | + if session['state']: |
| 105 | + iss = rp.session_interface.get_iss(session['state']) |
| 106 | + else: |
| 107 | + return make_response('Unknown state', 400) |
108 | 108 |
|
109 | 109 | logger.debug('Issuer: {}'.format(iss)) |
110 | | - res = current_app.rph.finalize(iss, request_args) |
111 | 110 |
|
112 | | - if 'userinfo' in res: |
| 111 | + try: |
| 112 | + res = current_app.rph.finalize(iss, request_args) |
| 113 | + except OidcServiceError as excp: |
| 114 | + # replay attack prevention, is that code was already used before |
| 115 | + return excp.__str__(), 403 |
| 116 | + except Exception as excp: |
| 117 | + raise excp |
| 118 | + |
| 119 | + if not 'userinfo' in res: |
| 120 | + return make_response(res['error'], 400) |
| 121 | + |
| 122 | + else: |
113 | 123 | endpoints = {} |
114 | 124 | for k, v in rp.service_context.provider_info.items(): |
115 | 125 | if k.endswith('_endpoint'): |
116 | 126 | endp = k.replace('_', ' ') |
117 | 127 | endp = endp.capitalize() |
118 | 128 | endpoints[endp] = v |
119 | 129 |
|
120 | | - try: |
121 | | - kwargs = { |
122 | | - 'check_session_iframe': rp.service_context.provider_info[ |
123 | | - 'check_session_iframe'] |
124 | | - } |
125 | | - except KeyError: |
126 | | - kwargs = {} |
| 130 | + kwargs = {} |
| 131 | + ses_iframe = rp.service_context.provider_info.\ |
| 132 | + get('check_session_iframe') |
| 133 | + if ses_iframe: |
| 134 | + kwargs = {'check_session_iframe': ses_iframe} |
127 | 135 |
|
128 | 136 | kwargs['logout_url'] = "{}/logout".format(rp.service_context.base_url) |
129 | 137 |
|
130 | 138 | return render_template('opresult.html', endpoints=endpoints, |
131 | 139 | userinfo=res['userinfo'], |
132 | 140 | access_token=res['token'], |
133 | 141 | **kwargs) |
134 | | - else: |
135 | | - return make_response(res['error'], 400) |
136 | 142 |
|
137 | 143 |
|
138 | 144 | @oidc_rp_views.route('/authz_cb/<op_hash>') |
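Review bot: The `Unknown state` 400 at new lines 104-107 now fires only when `state` is absent from request_args; a state value that is present but unknown to `rp.session_interface` — the case the removed `except KeyError` around `get_iss` handled — now propagates out of `get_iss` as an unhandled exception, so a callback carrying a stale or unrecognised state gets a server error instead of the intended client error. Restore the guard around the lookup, after the missing-state check: `try: iss = rp.session_interface.get_iss(session['state'])` / `except KeyError: return make_response('Unknown state', 400)`. At lines 116-117 `except Exception as excp: raise excp` adds nothing and rewrites the traceback origin to this frame; a bare `raise` or dropping the clause is equivalent. The 403 branch at line 115 returns `excp.__str__()` as the response body — `str(excp)` is the idiomatic spelling, and it is worth confirming that the OidcServiceError text contains nothing beyond what the client should see; `if not 'userinfo' in res` at line 119 reads better as `if 'userinfo' not in res`.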
|