Display an error message on bad response from identity provider in federate mode. fix #7.

If the identity provider CAS do not return an XML document as specified on ticket validation, an XML parsing error is raised. We now catch it and display a message to the user.
2016-07-29 16:35:21 +02:00 · 2016-07-29 16:35:21 +02:00 · 34118833bf
parent 2cc31ce5f5
commit 34118833bf
2 changed files with 54 additions and 23 deletions
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@ -183,7 +183,8 @@ class FederateAuthLoginLogoutTestCase(
        """
            The federated view should redirect to /login if the provider is unknown or not provided,
            try to fetch a new ticket if the provided ticket validation fail
-            (network error or bad ticket)
+            (network error or bad ticket), redirect to /login with a error message if identity
+            provider CAS return a bad response (invalid XML document)
        """
        good_provider = "example.com"
        bad_provider = "exemple.fr"
@ -229,6 +230,18 @@ class FederateAuthLoginLogoutTestCase(
            'http://testserver' if django.VERSION < (1, 9) else ""
        ))

+        # test CAS avaible but return a bad XML doc, should redirect to /login with a error message
+        # use "example.net" as it is CASv3
+        tests_utils.HttpParamsHandler.run(8082)
+        response = client.get("/federate/%s" % "example.net", {'ticket': utils.gen_st()})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response["Location"], "%s/login" % (
+            'http://testserver' if django.VERSION < (1, 9) else ""
+        ))
+        response = client.get("/login")
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b"Invalid response from your identity provider CAS", response.content)
+
    def test_auth_federate_slo(self):
        """test that SLO receive from backend CAS log out the users"""
        # get tickets and connected clients
--- a/cas_server/views.py
+++ b/cas_server/views.py
@ -312,31 +312,49 @@ class FederateAuth(View):
                return HttpResponseRedirect(auth.get_login_url())
            else:
                ticket = request.GET['ticket']
-                # if the ticket validation succeed
-                if auth.verify_ticket(ticket):
-                    logger.info(
-                        "Got a valid ticket for %s from %s" % (
-                            auth.username,
-                            auth.provider.server_url
+                try:
+                    # if the ticket validation succeed
+                    if auth.verify_ticket(ticket):
+                        logger.info(
+                            "Got a valid ticket for %s from %s" % (
+                                auth.username,
+                                auth.provider.server_url
+                            )
                        )
-                    )
-                    params = utils.copy_params(request.GET, ignore={"ticket"})
-                    request.session["federate_username"] = auth.federated_username
-                    request.session["federate_ticket"] = ticket
-                    auth.register_slo(auth.federated_username, request.session.session_key, ticket)
-                    # redirect to the the login page for the user to become authenticated
-                    # thanks to the `federate_username` and `federate_ticket` session parameters
-                    url = utils.reverse_params("cas_server:login", params)
-                    return HttpResponseRedirect(url)
-                # else redirect to the identity provider CAS login page
-                else:
-                    logger.info(
-                        "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
-                            auth.username,
-                            auth.provider.server_url
+                        params = utils.copy_params(request.GET, ignore={"ticket"})
+                        request.session["federate_username"] = auth.federated_username
+                        request.session["federate_ticket"] = ticket
+                        auth.register_slo(
+                            auth.federated_username,
+                            request.session.session_key,
+                            ticket
                        )
+                        # redirect to the the login page for the user to become authenticated
+                        # thanks to the `federate_username` and `federate_ticket` session parameters
+                        url = utils.reverse_params("cas_server:login", params)
+                        return HttpResponseRedirect(url)
+                    # else redirect to the identity provider CAS login page
+                    else:
+                        logger.info(
+                            "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
+                                auth.username,
+                                auth.provider.server_url
+                            )
+                        )
+                        return HttpResponseRedirect(auth.get_login_url())
+                # both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError
+                except SyntaxError as error:
+                    messages.add_message(
+                        request,
+                        messages.ERROR,
+                        _(
+                            u"Invalid response from your identity provider CAS upon "
+                            u"ticket %s validation: %r"
+                        ) % (ticket, error)
                    )
-                    return HttpResponseRedirect(auth.get_login_url())
+                    response = redirect("cas_server:login")
+                    response.delete_cookie("_remember_provider")
+                    return response
        except FederatedIendityProvider.DoesNotExist:
            logger.warning("Identity provider suffix %s not found" % provider)
            # if the identity provider is not found, redirect to the login page