diff --git a/oidc_provider/lib/claims.py b/oidc_provider/lib/claims.py
index d4af2ad..28c4602 100644
--- a/oidc_provider/lib/claims.py
+++ b/oidc_provider/lib/claims.py
@@ -6,11 +6,32 @@ from oidc_provider import settings
 STANDARD_CLAIMS = {
- 'name': '', 'given_name': '', 'family_name': '', 'middle_name': '', 'nickname': '',
- 'preferred_username': '', 'profile': '', 'picture': '', 'website': '', 'gender': '',
- 'birthdate': '', 'zoneinfo': '', 'locale': '', 'updated_at': '', 'email': '', 'email_verified': '',
- 'phone_number': '', 'phone_number_verified': '', 'address': {
- 'formatted': '', 'street_address': '', 'locality': '', 'region': '', 'postal_code': '', 'country': '', },
+ 'name': '',
+ 'given_name': '',
+ 'family_name': '',
+ 'middle_name': '',
+ 'nickname': '',
+ 'preferred_username': '',
+ 'profile': '',
+ 'picture': '',
+ 'website': '',
+ 'gender': '',
+ 'birthdate': '',
+ 'zoneinfo': '',
+ 'locale': '',
+ 'updated_at': '',
+ 'email': '',
+ 'email_verified': '',
+ 'phone_number': '',
+ 'phone_number_verified': '',
+ 'address': {
+ 'formatted': '',
+ 'street_address': '',
+ 'locality': '',
+ 'region': '',
+ 'postal_code': '',
+ 'country': '',
+ },
 }
@@ -99,14 +120,17 @@ class StandardScopeClaims(ScopeClaims):
 info_profile = (
 _(u'Basic profile'),
- _(u'Access to your basic information. Includes names, gender, birthdate and other information.'),
+ _(u'Access to your basic information. Includes names, gender, birthdate'
+ 'and other information.'),
 )
 def scope_profile(self):
 dic = {
 'name': self.userinfo.get('name'),
- 'given_name': self.userinfo.get('given_name') or getattr(self.user, 'first_name', None),
- 'family_name': self.userinfo.get('family_name') or getattr(self.user, 'last_name', None),
+ 'given_name': (self.userinfo.get('given_name') or
+ getattr(self.user, 'first_name', None)),
+ 'family_name': (self.userinfo.get('family_name') or
+ getattr(self.user, 'last_name', None)),
 'middle_name': self.userinfo.get('middle_name'),
 'nickname': self.userinfo.get('nickname') or getattr(self.user, 'username', None),
 'preferred_username': self.userinfo.get('preferred_username'),
diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py
index 5a6b0af..f3afebd 100644
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -64,7 +64,7 @@ class TokenEndpoint(object):
 try:
 user_pass = b64decode(b64_user_pass).decode('utf-8').split(':')
 client_id, client_secret = tuple(user_pass)
- except:
+ except Exception:
 client_id = client_secret = ''
 else:
 client_id = self.request.POST.get('client_id', '')
@@ -138,7 +138,8 @@ class TokenEndpoint(object):
 client=self.client)
 except Token.DoesNotExist:
- logger.debug('[Token] Refresh token does not exist: %s', self.params['refresh_token'])
+ logger.debug(
+ '[Token] Refresh token does not exist: %s', self.params['refresh_token'])
 raise TokenError('invalid_grant')
 else:
diff --git a/oidc_provider/lib/errors.py b/oidc_provider/lib/errors.py
index 5cd07d1..22d8e9a 100644
--- a/oidc_provider/lib/errors.py
+++ b/oidc_provider/lib/errors.py
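Review bot: The wrapped `info_profile` string drops the space between the two literals: `'... birthdate'` followed by `'and other information.'` concatenates to `birthdateand other information.`, so the description is wrong and, because the whole concatenation is the argument to `_()`, the msgid no longer matches any existing translation. Keep the space on the first literal, `_(u'Access to your basic information. Includes names, gender, birthdate '` then `'and other information.'),`. The `info_profile` tuple is fully inside the hunk; the enclosing class continues outside it.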
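Review bot: `except Exception:` in the Basic-auth parsing of the token endpoint is still wider than the failures that block can produce: `b64decode`, `.decode('utf-8')` and the two-element unpack raise `TypeError` or `ValueError` (`binascii.Error` and `UnicodeDecodeError` are `ValueError` subclasses), so `except (TypeError, ValueError):` covers them without also turning unrelated errors into empty credentials. The `split(':')` on the preceding context line also makes any client secret containing a colon unparseable, since the unpack then fails; `split(':', 1)` keeps only the first colon as the separator. The enclosing method starts and ends outside the hunk.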
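Review bot: The re-wrapped debug call in the refresh-token hunk still writes the raw `refresh_token` value from the request into the log. The lookup it follows appears to be filtered by `client=self.client` (the first context line), so a refresh token that exists but was issued to a different client would also be logged in clear, and a token endpoint should keep credentials out of log output regardless of level. Log a non-secret identifier instead, e.g. `logger.debug('[Token] Refresh token does not exist for client %s', self.client.client_id)`, assuming the Client model exposes `client_id` as read elsewhere in this endpoint. The enclosing method starts and ends outside the hunk.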
@@ -23,8 +23,7 @@ class UserAuthError(Exception):
 the Resource Owners credentials are not valid.
 """
 error = 'access_denied'
- description = 'The resource owner or authorization server denied ' \
- 'the request'
+ description = 'The resource owner or authorization server denied the request.'
 def create_dict(self):
 return {
diff --git a/oidc_provider/lib/utils/common.py b/oidc_provider/lib/utils/common.py
index 26b68af..870d3ee 100644
--- a/oidc_provider/lib/utils/common.py
+++ b/oidc_provider/lib/utils/common.py
@@ -1,16 +1,16 @@
 from hashlib import sha224
 import django
+from django.http import HttpResponse
+
+from oidc_provider import settings
+
 if django.VERSION >= (1, 11):
 from django.urls import reverse
 else:
 from django.core.urlresolvers import reverse
-from django.http import HttpResponse
-
-from oidc_provider import settings
-
 def redirect(uri):
 """
@@ -77,17 +77,20 @@ def default_after_userlogin_hook(request, user, client):
 def default_after_end_session_hook(
- request, id_token=None, post_logout_redirect_uri=None, state=None, client=None, next_page=None):
+ request, id_token=None, post_logout_redirect_uri=None,
+ state=None, client=None, next_page=None):
 """
 Default function for setting OIDC_AFTER_END_SESSION_HOOK.
 :param request: Django request object
 :type request: django.http.HttpRequest
- :param id_token: token passed by `id_token_hint` url query param - do NOT trust this param or validate token
+ :param id_token: token passed by `id_token_hint` url query param.
+ Do NOT trust this param or validate token
 :type id_token: str
- :param post_logout_redirect_uri: redirect url from url query param - do NOT trust this param
+ :param post_logout_redirect_uri: redirect url from url query param.
+ Do NOT trust this param
 :type post_logout_redirect_uri: str
 :param state: state param from url query params
@@ -124,5 +127,6 @@ def get_browser_state_or_default(request):
 """
 Determine value to use as session state.
 """
- key = request.session.session_key or settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY')
+ key = (request.session.session_key or
+ settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY'))
 return sha224(key.encode('utf-8')).hexdigest()
diff --git a/oidc_provider/tests/app/urls.py b/oidc_provider/tests/app/urls.py
index d09fad1..e50bdfe 100644
--- a/oidc_provider/tests/app/urls.py
+++ b/oidc_provider/tests/app/urls.py
@@ -9,10 +9,10 @@ from django.views.generic import TemplateView
 urlpatterns = [
 url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
- url(r'^accounts/login/$', auth_views.login, {'template_name': 'accounts/login.html'}, name='login'),
- url(r'^accounts/logout/$', auth_views.logout, {'template_name': 'accounts/logout.html'}, name='logout'),
-
+ url(r'^accounts/login/$',
+ auth_views.login, {'template_name': 'accounts/login.html'}, name='login'),
+ url(r'^accounts/logout/$',
+ auth_views.logout, {'template_name': 'accounts/logout.html'}, name='logout'),
 url(r'^openid/', include('oidc_provider.urls', namespace='oidc_provider')),
-
 url(r'^admin/', admin.site.urls),
 ]
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index 4f824ec..c885e3c 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -15,7 +15,8 @@ from oidc_provider.models import (
 FAKE_NONCE = 'cb584e44c43ed6bd0bc2d9c7e242837d'
-FAKE_RANDOM_STRING = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
+FAKE_RANDOM_STRING = ''.join(
+ random.choice(string.ascii_uppercase + string.digits) for _ in range(32))
 FAKE_CODE_CHALLENGE = 'YlYXEqXuRm-Xgi2BOUiK50JW1KsGTX6F1TDnZSC8VTg'
 FAKE_CODE_VERIFIER = 'SmxGa0XueyNh5bDgTcSrqzAh2_FmXEqU8kDT6CuXicw'
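Review bot: In `get_browser_state_or_default`, when `request.session.session_key` is `None` and `OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY` is unset, `key` is `None` and the next line's `key.encode('utf-8')` fails with an `AttributeError` rather than a message naming the missing setting; whether `settings.get` supplies a default is not visible in this hunk. A guard such as `if not key: raise ValueError('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY must be set when there is no session')` before the `return` makes the misconfiguration explicit. The function's `def` line is the hunk's header context, so the function begins just outside the hunk.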
@@ -82,7 +83,7 @@ def is_code_valid(url, user, client):
 code = params['code'][0]
 code = Code.objects.get(code=code)
 is_code_ok = (code.client == client) and (code.user == user)
- except:
+ except Exception:
 is_code_ok = False
 return is_code_ok
@@ -118,7 +119,8 @@ def fake_idtoken_processing_hook(id_token, user):
 def fake_idtoken_processing_hook2(id_token, user):
 """
- Fake function for inserting some keys into token. Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param
+ Fake function for inserting some keys into token.
+ Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param
 """
 id_token['test_idtoken_processing_hook2'] = FAKE_RANDOM_STRING
 id_token['test_idtoken_processing_hook_user_email2'] = user.email
diff --git a/oidc_provider/tests/cases/test_end_session_endpoint.py b/oidc_provider/tests/cases/test_end_session_endpoint.py
index 6125d19..50958d5 100644
--- a/oidc_provider/tests/cases/test_end_session_endpoint.py
+++ b/oidc_provider/tests/cases/test_end_session_endpoint.py
@@ -74,4 +74,4 @@ class EndSessionTestCase(TestCase):
 self.assertTrue(hook_function.called, 'OIDC_AFTER_END_SESSION_HOOK should be called')
 self.assertTrue(
 hook_function.call_count == 1,
- 'OIDC_AFTER_END_SESSION_HOOK should be called once but was {}'.format(hook_function.call_count))
+ 'OIDC_AFTER_END_SESSION_HOOK should be called once')
diff --git a/oidc_provider/tests/cases/test_userinfo_endpoint.py b/oidc_provider/tests/cases/test_userinfo_endpoint.py
index 1c41cc0..4be59a8 100644
--- a/oidc_provider/tests/cases/test_userinfo_endpoint.py
+++ b/oidc_provider/tests/cases/test_userinfo_endpoint.py
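Review bot: In the `test_end_session_endpoint.py` hunk, dropping `.format(hook_function.call_count)` to satisfy the line limit removes the only diagnostic the message carried: on failure the test no longer reports how many times the hook was actually called. Replacing the `assertTrue(... == 1, ...)` with `self.assertEqual(hook_function.call_count, 1, 'OIDC_AFTER_END_SESSION_HOOK should be called once')` fits the limit and lets unittest print expected and actual values itself. The enclosing test method begins outside the hunk.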
@@ -148,4 +148,5 @@ class UserInfoTestCase(TestCase):
 response_dic = json.loads(response.content.decode('utf-8'))
 self.assertIn('address', response_dic, msg='"address" claim should be in response.')
- self.assertIn('country', response_dic['address'], msg='"country" claim should be in response.')
+ self.assertIn(
+ 'country', response_dic['address'], msg='"country" claim should be in response.')
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index c82b428..7a19bcc 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -73,7 +73,9 @@ class AuthorizeView(View):
 if 'login' in authorize.params['prompt']:
 if 'none' in authorize.params['prompt']:
- raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
+ raise AuthorizeError(
+ authorize.params['redirect_uri'], 'login_required',
+ authorize.grant_type)
 else:
 django_user_logout(request)
 next_page = self.strip_prompt_login(request.get_full_path())
@@ -83,13 +85,16 @@ class AuthorizeView(View):
 # TODO: see how we can support multiple accounts for the end-user.
 if 'none' in authorize.params['prompt']:
 raise AuthorizeError(
- authorize.params['redirect_uri'], 'account_selection_required', authorize.grant_type)
+ authorize.params['redirect_uri'], 'account_selection_required',
+ authorize.grant_type)
 else:
 django_user_logout(request)
- return redirect_to_login(request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
+ return redirect_to_login(
+ request.get_full_path(), settings.get('OIDC_LOGIN_URL'))
 if {'none', 'consent'}.issubset(authorize.params['prompt']):
- raise AuthorizeError(authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
+ raise AuthorizeError(
+ authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
 implicit_flow_resp_types = {'id_token', 'id_token token'}
 allow_skipping_consent = (
@@ -109,7 +114,8 @@ class AuthorizeView(View):
 return redirect(authorize.create_response_uri())
 if 'none' in authorize.params['prompt']:
- raise AuthorizeError(authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
+ raise AuthorizeError(
+ authorize.params['redirect_uri'], 'consent_required', authorize.grant_type)
 # Generate hidden inputs for the form.
 context = {
@@ -132,7 +138,8 @@ class AuthorizeView(View):
 return render(request, OIDC_TEMPLATES['authorize'], context)
 else:
 if 'none' in authorize.params['prompt']:
- raise AuthorizeError(authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
+ raise AuthorizeError(
+ authorize.params['redirect_uri'], 'login_required', authorize.grant_type)
 if 'login' in authorize.params['prompt']:
 next_page = self.strip_prompt_login(request.get_full_path())
 return redirect_to_login(next_page, settings.get('OIDC_LOGIN_URL'))
@@ -162,14 +169,16 @@ class AuthorizeView(View):
 if not request.POST.get('allow'):
 signals.user_decline_consent.send(
- self.__class__, user=request.user, client=authorize.client, scope=authorize.params['scope'])
+ self.__class__, user=request.user,
+ client=authorize.client, scope=authorize.params['scope'])
 raise AuthorizeError(authorize.params['redirect_uri'], 'access_denied', authorize.grant_type)
 signals.user_accept_consent.send(
- self.__class__, user=request.user, client=authorize.client, scope=authorize.params['scope'])
+ self.__class__, user=request.user, client=authorize.client,
+ scope=authorize.params['scope'])
 # Save the user consent given to the client.
 authorize.set_client_user_consent()