Permalink
Browse files

Fix handling of multiple levels of delegation.

  • Loading branch information...
1 parent 28d8ddf commit c0c0b8fab0a3207bbfbda634e77bc63744272f20 @rfk rfk committed Jul 16, 2012
Showing with 28 additions and 26 deletions.
  1. +3 −0 browserid/tests/support.py
  2. +6 −0 browserid/tests/test_verifiers.py
  3. +5 −7 browserid/tests/test_wellknown.py
  4. +14 −19 browserid/wellknown.py
@@ -61,6 +61,9 @@ def fetch_wellknown_file(hostname, verify=None):
if hostname == "redirect.org":
return {"authority": "delegated.org"}
+ if hostname == "redirect-twice.org":
+ return {"authority": "redirect.org"}
+
if hostname == "infinite.org":
return {"authority": "infinite.org"}
@@ -147,6 +147,12 @@ def test_delegated_primary(self):
self.assertTrue(self.verifier.verify(assertion))
@patch('browserid.wellknown.fetch_wellknown_file', fetch_wellknown_file)
+ def test_double_delegated_primary(self):
+ assertion = make_assertion("t@redirect-twice.org",
+ "http://persona.org", issuer="delegated.org")
+ self.assertTrue(self.verifier.verify(assertion))
+
+ @patch('browserid.wellknown.fetch_wellknown_file', fetch_wellknown_file)
def test_audience_verification(self):
# create an assertion with the audience set to http://persona.org for
@@ -98,12 +98,12 @@ def setUp(self):
def test_trusted_secondaries(self):
self.assertTrue(self.wellknown.is_issuer_valid('test.com', 'browserid.org'))
self.assertFalse(self.wellknown.is_issuer_valid('test.com',
- 'browserid.org', trusted_secondaries=[], max_hops=0))
+ 'browserid.org', trusted_secondaries=[], max_delegations=0))
def test_hostname_issuer(self):
self.assertTrue(self.wellknown.is_issuer_valid('test.com', 'test.com'))
self.assertFalse(self.wellknown.is_issuer_valid('abc.com', 'test.com',
- max_hops=0))
+ max_delegations=0))
@patch('browserid.wellknown.fetch_wellknown_file', patched_wellknown_file)
def test_delegated_primary(self):
@@ -112,12 +112,10 @@ def test_delegated_primary(self):
def test_disabled_delegated_primary(self):
self.assertFalse(self.wellknown.is_issuer_valid('redirect.org',
- 'delegated.org', max_hops=0))
+ 'delegated.org', max_delegations=0))
@patch('browserid.wellknown.fetch_wellknown_file', patched_wellknown_file)
def test_infinite_delegated_primary_recursion(self):
self.assertFalse(self.wellknown.is_issuer_valid('infinite.org', None))
- self.assertRaises(RuntimeError, self.wellknown.is_issuer_valid,
- 'infinite.org', None, max_hops=None)
-
-
+ self.assertFalse(self.wellknown.is_issuer_valid('infinite.org',
+ 'delegated.org'))
View
@@ -16,7 +16,7 @@
DEFAULT_TRUSTED_SECONDARIES = ("browserid.org", "diresworb.org",
"dev.diresworb.org")
WELL_KNOWN_URL = "/.well-known/browserid"
-DEFAULT_MAX_HOPS = 5
+DEFAULT_MAX_DELEGATIONS = 6
class WellKnownManager(object):
@@ -61,7 +61,7 @@ def fetch_wellknown_file(self, hostname):
return fetch_wellknown_file(hostname, verify=self.verify)
def is_issuer_valid(self, hostname, issuer, trusted_secondaries=None,
- max_hops=DEFAULT_MAX_HOPS):
+ max_delegations=DEFAULT_MAX_DELEGATIONS):
"""
This method allows you to check if a hostname is valid for an issuer.
@@ -70,8 +70,8 @@ def is_issuer_valid(self, hostname, issuer, trusted_secondaries=None,
* The hostname is in the list of trusted secondaries
* When the hostname delegates to the issuer
- You can disable the check for delegated primaries by setting max_hops
- to 0.
+ You can disable the check for delegated primaries by setting the
+ max_delegations to 0.
"""
if hostname == issuer:
return True
@@ -82,21 +82,16 @@ def is_issuer_valid(self, hostname, issuer, trusted_secondaries=None,
if issuer in trusted_secondaries:
return True
- if max_hops is not 0:
- def _is_issuer_valid(hostname, issuer, current_hop=1,
- max_hops=DEFAULT_MAX_HOPS):
- support = self[hostname]
-
- if 'authority' in support and support['authority'] == issuer:
- return True
-
- if max_hops is not None and current_hop >= max_hops:
- return False
-
- return _is_issuer_valid(hostname, issuer,
- current_hop + 1, max_hops)
-
- return _is_issuer_valid(hostname, issuer, max_hops=max_hops)
+ num_delegations = 0
+ while num_delegations < max_delegations:
+ support = self[hostname]
+ authority = support.get("authority")
+ if authority is None:
+ break
+ if authority == issuer:
+ return True
+ hostname = authority
+ num_delegations += 1
return False

0 comments on commit c0c0b8f

Please sign in to comment.