Raise Unathorized exception instead of general one whenever OIDC auth fails

This fixes #1147
2026-04-05 03:38:12 +08:00 · 2019-09-30 14:02:34 +02:00
parent 689d949a48
commit 2c0291987f
2 changed files with 41 additions and 8 deletions
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -121,10 +121,10 @@ def get_user_oidc(request):

    try:
        extended_data = _get_user_info(token)
-    except Exception as e:
-        error = "Cannot verify determine user groups:  %s" % str(e)
+    except Exception:
+        error = "OpenIDC auth error: Cannot determine the user's groups"
        log.exception(error)
-        raise Exception(error)
+        raise Unauthorized(error)

    username = data["username"]
    # If the user is part of the whitelist, then the group membership check is skipped
@@ -133,10 +133,10 @@ def get_user_oidc(request):
    else:
        try:
            groups = set(extended_data["groups"])
-        except Exception as e:
-            error = "Could not find groups in UserInfo from OIDC %s" % str(e)
-            log.exception(extended_data)
-            raise Exception(error)
+        except Exception:
+            error = "Could not find groups in UserInfo from OIDC"
+            log.exception("%s (extended_data: %s)", error, extended_data)
+            raise Unauthorized(error)

    return username, groups

--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -3,6 +3,7 @@
 from os import path, environ

 import pytest
+import requests
 import mock
 from mock import patch, PropertyMock, Mock
 import kerberos
@@ -45,7 +46,7 @@ class TestAuthModule:
            mocked_get_token_info = {
                "active": False,
                "username": name,
-                "scope": ("openid https://id.fedoraproject.org/scope/groups mbs-scope"),
+                "scope": "openid https://id.fedoraproject.org/scope/groups mbs-scope"
            }
            get_token_info.return_value = mocked_get_token_info

@@ -63,6 +64,38 @@ class TestAuthModule:
                    module_build_service.auth.get_user(request)
                assert str(cm.value) == "OIDC token invalid or expired."

+    @patch("module_build_service.auth._get_token_info")
+    @patch("module_build_service.auth._get_user_info")
+    def test_get_user_not_in_groups(self, get_user_info, get_token_info):
+        base_dir = path.abspath(path.dirname(__file__))
+        client_secrets = path.join(base_dir, "client_secrets.json")
+        with patch.dict(
+            "module_build_service.app.config",
+            {"OIDC_CLIENT_SECRETS": client_secrets, "OIDC_REQUIRED_SCOPE": "mbs-scope"},
+        ):
+            # https://www.youtube.com/watch?v=G-LtddOgUCE
+            name = "Joey Jo Jo Junior Shabadoo"
+            mocked_get_token_info = {
+                "active": True,
+                "username": name,
+                "scope": "openid https://id.fedoraproject.org/scope/groups mbs-scope"
+            }
+            get_token_info.return_value = mocked_get_token_info
+
+            get_user_info.side_effect = requests.Timeout("It happens...")
+
+            headers = {"authorization": "Bearer foobar"}
+            request = mock.MagicMock()
+            request.headers.return_value = mock.MagicMock(spec_set=dict)
+            request.headers.__getitem__.side_effect = headers.__getitem__
+            request.headers.__setitem__.side_effect = headers.__setitem__
+            request.headers.__contains__.side_effect = headers.__contains__
+
+            with pytest.raises(module_build_service.errors.Unauthorized) as cm:
+                with app.app_context():
+                    module_build_service.auth.get_user(request)
+                assert str(cm.value) == "OpenIDC auth error: Cannot determine the user's groups"
+
    @pytest.mark.parametrize("allowed_users", (set(), {"Joey Jo Jo Junior Shabadoo"}))
    @patch.object(mbs_config.Config, "allowed_users", new_callable=PropertyMock)
    @patch("module_build_service.auth._get_token_info")