local-openid-path-based-fix (#1332)

* use the backend url config for the well-known endpoint since request.host_url will not know about the path w/ burnettk

* attempting to fix run precommit in ci w/ burnettk

* fix constraints location w/ burnettk

* fix correct stanza w/ burnettk

---------

Co-authored-by: jasquat <jasquat@users.noreply.github.com>
jasquat 2024-04-03 20:16:22 +00:00 committed by GitHub
parent 6a4e575429
commit 12e7cecd97
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 25 additions and 12 deletions


@ -124,9 +124,8 @@ jobs:
- name: Install pip and poetry - name: Install pip and poetry
run: | run: |
pwd pwd
ls ls -al
pip install --constraint=../.github/workflows/constraints.txt pip poetry pip install --constraint=../.github/workflows/constraints.txt pip poetry
pip install --upgrade setuptools # https://stackoverflow.com/a/77364602/6090676
pip --version pip --version
poetry --version poetry --version
@ -221,8 +220,9 @@ jobs:
- name: Install Poetry - name: Install Poetry
run: | run: |
pwd pwd
ls ls -al
pipx install --pip-args=--constraint=.github/workflows/constraints.txt poetry pip --version
pip install --constraint=.github/workflows/constraints.txt pip poetry
poetry --version poetry --version
- name: Poetry Install - name: Poetry Install
run: poetry install run: poetry install
@ -269,9 +269,8 @@ jobs:
- name: Install pip and poetry - name: Install pip and poetry
run: | run: |
pwd pwd
ls ls -al
pip install --constraint=../.github/workflows/constraints.txt pip poetry pip install --constraint=../.github/workflows/constraints.txt pip poetry
pip install --upgrade setuptools # https://stackoverflow.com/a/77364602/6090676
pip --version pip --version
poetry --version poetry --version
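Review bot: The `pwd` and `ls -al` lines kept in all three "Install pip and poetry" / "Install Poetry" steps read as leftover debugging and only add noise to the CI log; drop them, or if the directory listing is deliberate, say why in a comment such as `# list the checkout so a wrong working-directory is obvious in the log`. The constraints file is referenced as `../.github/workflows/constraints.txt` in the first and third hunks but as `.github/workflows/constraints.txt` in the second, which presumably reflects a different `working-directory` per job (set outside these hunks); a one-line comment on the odd one out would stop a later edit from "fixing" one path to match the other. The enclosing job definitions start outside the hunks.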


@ -20,6 +20,9 @@ def version_info() -> Response:
return make_response(get_version_info_data(), 200) return make_response(get_version_info_data(), 200)
# this is just to see what the protocol is, primarily. if the site is running on https in the browser, but this says "http://something.example.com",
# that might be bad, and might require some server configuration to make sure flask knows it is running on https.
# if using path based routing, the path will probably not be returned from this endpoint.
def url_info() -> Response: def url_info() -> Response:
return make_response({"url": request.url, "cache": AuthenticationService.ENDPOINT_CACHE}, 200) return make_response({"url": request.url, "cache": AuthenticationService.ENDPOINT_CACHE}, 200)
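Review bot: The three new comment lines sit directly above `def url_info()` and describe its contract, so they belong in the function's docstring rather than a leading `#` comment, e.g. `"""Return the URL Flask saw for this request (diagnostic). The scheme shows whether Flask knows it is behind https; under path-based routing the path prefix will likely be missing."""`. The response also echoes `AuthenticationService.ENDPOINT_CACHE` (an existing line); whether that is meant to be readable by unauthenticated callers cannot be judged from this hunk, so the docstring should state who is expected to call the endpoint.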


@ -40,7 +40,9 @@ def well_known() -> dict:
These urls can be very different from one openid impl to the next, this is just a small subset. These urls can be very different from one openid impl to the next, this is just a small subset.
""" """
host_url = request.host_url.strip("/")
# using or instead of setting a default so we can set the env var to None in tests and this will still work
host_url = current_app.config.get("SPIFFWORKFLOW_BACKEND_URL") or request.host_url.strip("/")
return { return {
"issuer": f"{host_url}/openid", "issuer": f"{host_url}/openid",
"authorization_endpoint": f"{host_url}{url_for('openid.auth')}", "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
@ -108,7 +110,8 @@ def token() -> Response | dict:
authorization = base64.b64decode(authorization).decode("utf-8") authorization = base64.b64decode(authorization).decode("utf-8")
client_id = authorization.split(":") client_id = authorization.split(":")
base_url = request.host_url + "openid" host_url = current_app.config.get("SPIFFWORKFLOW_BACKEND_URL", request.host_url.strip("/"))
base_url = f"{host_url}/openid"
private_key = OpenIdConfigsForDevOnly.private_key private_key = OpenIdConfigsForDevOnly.private_key
id_token = jwt.encode( id_token = jwt.encode(
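Review bot: In `token()` the new `current_app.config.get("SPIFFWORKFLOW_BACKEND_URL", request.host_url.strip("/"))` only falls back when the key is absent; a key present but set to `None` (the case the comment in `well_known()` says the tests rely on) yields `host_url = None` and an issuer of `None/openid` in the id_token, so the two functions now disagree. Use the same form as `well_known()`: `host_url = current_app.config.get("SPIFFWORKFLOW_BACKEND_URL") or request.host_url.strip("/")`. Neither function strips a trailing slash from the configured value, so a config value ending in `/` would presumably produce `http://host//openid`; applying `.rstrip("/")` to the combined result covers both cases. Since a relying party validates the token's issuer against the discovery document byte-for-byte, `well_known()` and `token()` should derive it from one shared helper rather than two hand-written expressions. Both functions start outside their hunks.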


@ -7,7 +7,7 @@ from flask.testing import FlaskClient
from tests.spiffworkflow_backend.helpers.base_test import BaseTest from tests.spiffworkflow_backend.helpers.base_test import BaseTest
class TestFlaskOpenId(BaseTest): class TestOpenidBlueprint(BaseTest):
"""An integrated Open ID that responds to openID requests. """An integrated Open ID that responds to openID requests.
By referencing a build in YAML file. Useful for By referencing a build in YAML file. Useful for
@ -23,9 +23,17 @@ class TestFlaskOpenId(BaseTest):
"""Test discovery endpoints.""" """Test discovery endpoints."""
response = client.get("/openid/.well-known/openid-configuration") response = client.get("/openid/.well-known/openid-configuration")
discovered_urls = response.json discovered_urls = response.json
assert "http://localhost/openid" == discovered_urls["issuer"] assert "http://localhost:7000/openid" == discovered_urls["issuer"]
assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"] assert "http://localhost:7000/openid/auth" == discovered_urls["authorization_endpoint"]
assert "http://localhost/openid/token" == discovered_urls["token_endpoint"] assert "http://localhost:7000/openid/token" == discovered_urls["token_endpoint"]
with self.app_config_mock(app, "SPIFFWORKFLOW_BACKEND_URL", None):
response = client.get("/openid/.well-known/openid-configuration")
discovered_urls = response.json
# in unit tests, request.host_url will not have the port but it will have it in actual localhost flask server
assert "http://localhost/openid" == discovered_urls["issuer"]
assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
assert "http://localhost/openid/token" == discovered_urls["token_endpoint"]
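Review bot: The new `app_config_mock` block only re-checks the discovery document; the `token()` fallback changed in the same commit is not exercised with `SPIFFWORKFLOW_BACKEND_URL` set to `None`, at least not in this section, so a request to `/openid/token` under that mock asserting the issuer in the returned id_token would be worth adding. The assertions also put the expected value on the left (`assert "http://localhost:7000/openid" == discovered_urls["issuer"]`), opposite to pytest's usual `actual == expected` order, which makes the failure diff read backwards. The enclosing test method starts outside the hunk.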
def test_get_login_page( def test_get_login_page(
self, self,