From 075042999258a524a34f5835ac5a9f4aa73c2510 Mon Sep 17 00:00:00 2001
From: Andy Clayton
Date: Tue, 3 Jul 2018 13:17:10 -0500
Subject: [PATCH 1/2] fix settings to support falsy valued overrides

Up until recently there were settings with truthy defaults but with no need to be set to a false value. That changed with OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE. Now there is a setting that has both a true default and a meaningful false value, and without this fix that setting cannot be changed making it not much of a setting at all.
---
 oidc_provider/settings.py | 3 ++-
 oidc_provider/tests/cases/test_settings.py | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/oidc_provider/settings.py b/oidc_provider/settings.py
index 1fddbfa..6d0607e 100644
--- a/oidc_provider/settings.py
+++ b/oidc_provider/settings.py
@@ -203,7 +203,8 @@ def get(name, import_str=False):
         default_value.update(value)
         value = default_value
     else:
-        value = value or default_value
+        if value is None:
+            value = default_value
     value = import_from_str(value) if import_str else value
     return value
 
diff --git a/oidc_provider/tests/cases/test_settings.py b/oidc_provider/tests/cases/test_settings.py
index e8c252a..00510bf 100644
--- a/oidc_provider/tests/cases/test_settings.py
+++ b/oidc_provider/tests/cases/test_settings.py
@@ -23,3 +23,7 @@ class SettingsTest(TestCase):
         key1 = settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY')
         key2 = settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY')
         self.assertEqual(key1, key2)
+
+    @override_settings(OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE=False)
+    def test_can_override_with_false_value(self):
+        self.assertFalse(settings.get('OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE'))

From 6900e637abdac4c88d21e596a63c077f757027bd Mon Sep 17 00:00:00 2001
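Review bot: The new `is None` test honours every explicitly configured value, not only `False`: an override of `''`, `0` or `[]` no longer falls back to the default the way `value or default_value` did, so the docstring of `get` (the function starts above the hunk) should state the contract, e.g. `"""Return setting *name*; the default applies only when the setting is not configured (None), so an explicit falsy override such as False is respected."""`. This also deserves a changelog line: a deployment that already had `OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE = False` in its settings was, until now, still validating the audience scope, and after upgrading the same configuration will really disable that check, so operators should confirm the value is intended. The `if` branch above the hunk appears to gate on the truthiness of `value` (its condition is not visible here); if so, an empty-dict override still falls into the `else` and is now returned as-is, and that condition may want the same `is not None` treatment for consistency.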
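Review bot: `assertFalse` in `test_can_override_with_false_value` also passes if `get` returned `None`, `0` or `''`, so it does not pin that the configured `False` itself comes through the `else` branch; `self.assertIs(settings.get('OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE'), False)` would. A sibling test without the override asserting the default with `assertIs(..., True)` would document the baseline the fix is meant to preserve.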
From: Andy Clayton
Date: Tue, 3 Jul 2018 13:37:14 -0500
Subject: [PATCH 2/2] add OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE test

Missing test exposed as part of 0750429 bug fix.
---
 .../cases/test_introspection_endpoint.py | 44 ++++++++++---------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/oidc_provider/tests/cases/test_introspection_endpoint.py b/oidc_provider/tests/cases/test_introspection_endpoint.py
index 99eab9a..b2d1aba 100644
--- a/oidc_provider/tests/cases/test_introspection_endpoint.py
+++ b/oidc_provider/tests/cases/test_introspection_endpoint.py
@@ -46,6 +46,20 @@ class IntrospectionTestCase(TestCase):
         self.assertEqual(response.status_code, 200)
         self.assertJSONEqual(force_text(response.content), {'active': False})
 
+    def _assert_active(self, response, **kwargs):
+        self.assertEqual(response.status_code, 200)
+        expected_content = {
+            'active': True,
+            'aud': self.resource.client_id,
+            'client_id': self.client.client_id,
+            'sub': str(self.user.pk),
+            'iat': int(self.now),
+            'exp': int(self.now + 600),
+            'iss': 'http://localhost:8000/openid',
+        }
+        expected_content.update(kwargs)
+        self.assertJSONEqual(force_text(response.content), expected_content)
+
     def _make_request(self, **kwargs):
         url = reverse('oidc_provider:token-introspection')
         data = {
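Review bot: `_assert_active` has no docstring, and because `expected_content.update(kwargs)` lets a caller replace the base claims (passing `active=False` would silently turn the helper into an inactive check), its contract should be written down: `"""Assert *response* is a 200 describing an active token; *kwargs* add to, and may override, the expected introspection claims."""`. The expected `aud`, `client_id`, `sub`, `iat` and `exp` values are read from `self.resource`, `self.client`, `self.user` and `self.now`, which are set up outside the hunk, so a short comment that the helper assumes the default fixture from setUp would help the next test author.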
@@ -89,28 +103,16 @@ class IntrospectionTestCase(TestCase):
 
     def test_valid_request_returns_default_properties(self):
         response = self._make_request()
-        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_text(response.content), {
-            'active': True,
-            'aud': self.resource.client_id,
-            'client_id': self.client.client_id,
-            'sub': str(self.user.pk),
-            'iat': int(self.now),
-            'exp': int(self.now + 600),
-            'iss': 'http://localhost:8000/openid',
-        })
+        self._assert_active(response)
 
     @override_settings(OIDC_INTROSPECTION_PROCESSING_HOOK='oidc_provider.tests.app.utils.fake_introspection_processing_hook') # NOQA
     def test_custom_introspection_hook_called_on_valid_request(self):
         response = self._make_request()
-        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_text(response.content), {
-            'active': True,
-            'aud': self.resource.client_id,
-            'client_id': self.client.client_id,
-            'sub': str(self.user.pk),
-            'iat': int(self.now),
-            'exp': int(self.now + 600),
-            'iss': 'http://localhost:8000/openid',
-            'test_introspection_processing_hook': FAKE_RANDOM_STRING
-        })
+        self._assert_active(response, test_introspection_processing_hook=FAKE_RANDOM_STRING)
+
+    @override_settings(OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE=False)
+    def test_disable_audience_validation(self):
+        self.resource.scope = ['token_introspection']
+        self.resource.save()
+        response = self._make_request()
+        self._assert_active(response)
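Review bot: `test_disable_audience_validation` only shows the request is accepted with the setting off; nothing in the hunk shows that the same resource (`scope = ['token_introspection']`, apparently a resource server without the audience scope) is rejected when the setting is left at its default, so the test would still pass if the setting had no effect at all. Unless the file already covers that case (the `{'active': False}` assertion visible near line 46 may be it), add a mirror test that leaves `OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE` at its default, makes the same request and asserts the token is reported inactive. That negative case is the one that matters for hardening: it pins that audience validation really refuses to confirm a token to a resource server it was not issued for, which is the default this commit series makes configurable.
```python
    @override_settings(OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE=False)
    def test_disable_audience_validation(self):
        # … unchanged: scope change, request, _assert_active …

    def test_audience_validation_rejects_resource_without_audience_scope(self):
        # Same resource as above, but with the default (validating) setting.
        self.resource.scope = ['token_introspection']
        self.resource.save()
        response = self._make_request()
        self.assertEqual(response.status_code, 200)
        self.assertJSONEqual(force_text(response.content), {'active': False})
```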