[project @ Consumer: require that op_endpoint be signed in id_res res…
…ponses]

Ignore-this: ed18f1a60982df1fcb457299069c74bc
tailor committed Apr 20, 2009
1 parent dba285c commit a52e842
Showing 2 changed files with 38 additions and 18 deletions.
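--- a/openid/consumer/consumer.py
+++ b/openid/consumer/consumer.py
@@ -822,7 +822,8 @@ def _idResCheckForFields(self, message):
 require_sigs = {
 OPENID2_NS: basic_sig_fields + ['response_nonce',
 'claimed_id',
-'assoc_handle',],
+'assoc_handle',
+'op_endpoint',],
 OPENID1_NS: basic_sig_fields,
 }
 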
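Review bot: The new `'op_endpoint'` entry in `require_sigs[OPENID2_NS]` carries a security rule but has no comment saying why it is there, so a later cleanup of the list could drop it without anyone noticing. I would add above the dict something like `# OpenID 2.0 sec. 10.1: op_endpoint, return_to, response_nonce and assoc_handle must appear in openid.signed; an unsigned op_endpoint can be altered on its way through the browser.` Providers that do not sign op_endpoint will now fail id_res verification, which deserves a changelog line. How `require_sigs` is consumed and where `basic_sig_fields` is defined are not visible here, because `_idResCheckForFields` starts and ends outside the hunk.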
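--- a/openid/test/test_consumer.py
+++ b/openid/test/test_consumer.py
@@ -506,7 +506,7 @@ def setUp(self):
 'assoc_handle': 'does not matter',
 'sig': GOODSIG,
 'response_nonce': mkNonce(),
-'signed': 'identity,return_to,response_nonce,assoc_handle,claimed_id',
+'signed': 'identity,return_to,response_nonce,assoc_handle,claimed_id,op_endpoint',
 'claimed_id': claimed_id,
 'op_endpoint': self.server_url,
 'ns':OPENID2_NS,
@@ -534,7 +534,7 @@ def test_idResNoIdentity(self):
 self.message.delArg(OPENID_NS, 'identity')
 self.message.delArg(OPENID_NS, 'claimed_id')
 self.endpoint.claimed_id = None
-self.message.setArg(OPENID_NS, 'signed', 'return_to,response_nonce,assoc_handle')
+self.message.setArg(OPENID_NS, 'signed', 'return_to,response_nonce,assoc_handle,op_endpoint')
 r = self.consumer.complete(self.message, self.endpoint, None)
 self.failUnlessSuccess(r)
 
@@ -767,7 +767,7 @@ def test(self):
 'op_endpoint':'my favourite server',
 'response_nonce':'use only once',
 },
-['return_to', 'response_nonce', 'assoc_handle'])
+['return_to', 'response_nonce', 'assoc_handle', 'op_endpoint'])
 
 test_openid2Success_identifiers = mkSuccessTest(
 {'ns':OPENID2_NS,
@@ -780,9 +780,9 @@ def test(self):
 'response_nonce':'use only once',
 },
 ['return_to', 'response_nonce', 'identity',
-'claimed_id', 'assoc_handle'])
+'claimed_id', 'assoc_handle', 'op_endpoint'])
 
-def mkFailureTest(openid_args, signed_list):
+def mkMissingFieldTest(openid_args):
 def test(self):
 message = Message.fromOpenIDArgs(openid_args)
 try:
@@ -793,35 +793,54 @@ def test(self):
 self.fail('Expected an error, but none occurred')
 return test
 
-test_openid1Missing_returnToSig = mkFailureTest(
+def mkMissingSignedTest(openid_args):
+def test(self):
+message = Message.fromOpenIDArgs(openid_args)
+try:
+self.consumer._idResCheckForFields(message)
+except ProtocolError, why:
+self.failUnless(why[0].endswith('not signed'))
+else:
+self.fail('Expected an error, but none occurred')
+return test
+
+test_openid1Missing_returnToSig = mkMissingSignedTest(
 {'return_to':'return',
 'assoc_handle':'assoc handle',
 'sig':'a signature',
 'identity':'someone',
-},
-['identity'])
+'signed':'identity',
+})
 
-test_openid1Missing_identitySig = mkFailureTest(
+test_openid1Missing_identitySig = mkMissingSignedTest(
 {'return_to':'return',
 'assoc_handle':'assoc handle',
 'sig':'a signature',
 'identity':'someone',
-},
-['return_to'])
+'signed':'return_to'
+})
 
-test_openid1MissingReturnTo = mkFailureTest(
+test_openid2Missing_opEndpointSig = mkMissingSignedTest(
+{'ns':OPENID2_NS,
+'return_to':'return',
+'assoc_handle':'assoc handle',
+'sig':'a signature',
+'identity':'someone',
+'op_endpoint':'the endpoint',
+'signed':'return_to,identity,assoc_handle'
+})
+
+test_openid1MissingReturnTo = mkMissingFieldTest(
 {'assoc_handle':'assoc handle',
 'sig':'a signature',
 'identity':'someone',
-},
-['return_to', 'identity'])
+})
 
-test_openid1MissingAssocHandle = mkFailureTest(
+test_openid1MissingAssocHandle = mkMissingFieldTest(
 {'return_to':'return',
 'sig':'a signature',
 'identity':'someone',
-},
-['return_to', 'identity'])
+})
 
 # XXX: I could go on...
 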
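Review bot: `mkMissingSignedTest` asserts only `why[0].endswith('not signed')`, so `test_openid2Missing_opEndpointSig` does not pin that `op_endpoint` is the field that was rejected. The test would still pass if the consumer stopped checking `op_endpoint` but complained about some other unsigned field. I would give the factory the expected field, `def mkMissingSignedTest(openid_args, field):`, and assert `self.failUnless(field in why[0] and why[0].endswith('not signed'))`, passing `'op_endpoint'`, `'return_to'` and `'identity'` from the three callers. This assumes the error text names the field; the message is built outside this section, so confirm against `_idResCheckForFields`.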
