Reduced OpenID log noise
* added a base class for all openid exceptions * moved invalid assoc exception from 500 to 400 * fixed bug on openid memento request Change-Id: I82d7c2077f1bd507b37ad3561fea924fb87d5353
parent
d343be293a
commit
76c37b61e6
|
@ -125,7 +125,7 @@ final class OAuth2ProviderController extends Controller
|
|||
'errors.400',
|
||||
array
|
||||
(
|
||||
'error_code' => "Generic Error",
|
||||
'error_code' => "Bad Request",
|
||||
'error_description' => "Generic Error"
|
||||
),
|
||||
400
|
||||
|
|
|
@ -15,7 +15,10 @@
|
|||
use App\Http\Controllers\Controller;
|
||||
use Exception;
|
||||
use Illuminate\Support\Facades\Input;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Illuminate\Support\Facades\Response;
|
||||
use OpenId\Exceptions\InvalidOpenIdMessageException;
|
||||
use OpenId\Exceptions\OpenIdBaseException;
|
||||
use OpenId\Helpers\OpenIdErrorMessages;
|
||||
use OpenId\IOpenIdProtocol;
|
||||
use OpenId\OpenIdMessage;
|
||||
|
@ -55,22 +58,50 @@ class OpenIdProviderController extends Controller
|
|||
*/
|
||||
public function endpoint()
|
||||
{
|
||||
$msg = new OpenIdMessage(Input::all());
|
||||
try {
|
||||
$msg = new OpenIdMessage(Input::all());
|
||||
|
||||
if ($this->memento_service->exists()) {
|
||||
$msg = OpenIdMessage::buildFromMemento($this->memento_service->load());
|
||||
if (!$msg->isValid() && $this->memento_service->exists()) {
|
||||
$msg = OpenIdMessage::buildFromMemento($this->memento_service->load());
|
||||
}
|
||||
|
||||
if (!$msg->isValid())
|
||||
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
|
||||
|
||||
//get response and manage it taking in consideration its type (direct or indirect)
|
||||
$response = $this->openid_protocol->handleOpenIdMessage($msg);
|
||||
|
||||
if ($response instanceof OpenIdResponse) {
|
||||
$strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
|
||||
return $strategy->handle($response);
|
||||
}
|
||||
return $response;
|
||||
}
|
||||
|
||||
if (!$msg->isValid())
|
||||
throw new InvalidOpenIdMessageException(OpenIdErrorMessages::InvalidOpenIdMessage);
|
||||
|
||||
//get response and manage it taking in consideration its type (direct or indirect)
|
||||
$response = $this->openid_protocol->handleOpenIdMessage($msg);
|
||||
|
||||
if ($response instanceof OpenIdResponse) {
|
||||
$strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($response);
|
||||
return $strategy->handle($response);
|
||||
catch(OpenIdBaseException $ex1){
|
||||
Log::warning($ex1);
|
||||
return Response::view
|
||||
(
|
||||
'errors.400',
|
||||
array
|
||||
(
|
||||
'error_code' => "Bad Request",
|
||||
'error_description' => $ex1->getMessage()
|
||||
),
|
||||
400
|
||||
);
|
||||
}
|
||||
catch(Exception $ex){
|
||||
Log::error($ex);
|
||||
return Response::view
|
||||
(
|
||||
'errors.400',
|
||||
array
|
||||
(
|
||||
'error_code' => "Bad Request",
|
||||
'error_description' => "Generic Error"
|
||||
),
|
||||
400
|
||||
);
|
||||
}
|
||||
return $response;
|
||||
}
|
||||
}
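Review bot: The new `catch(OpenIdBaseException $ex1)` only catches the `InvalidOpenIdMessageException` thrown a few lines above it if that class was also rebased onto the new base class, and the only hunk this commit shows for that file (`@ -21,6 +21,6 @@`) carries the header `class InvalidOpenIdMessageException extends Exception {` with no change to that line; if so, an invalid message falls through to `catch(Exception $ex)`, is logged at error level and answers the opaque "Generic Error", which is the noise this commit set out to remove, so please confirm and switch it to `extends OpenIdBaseException` like its siblings. Separately, `'error_description' => $ex1->getMessage()` forwards exception text that subclasses build from request-derived values (`InvalidOpenIdAuthenticationRequestMode` prefixes whatever `$message` it is given, presumably the mode parameter) into the `errors.400` view, so that view must render it with escaped output (Blade `{{ }}`, never `{!! !!}`); a comment at the catch would make the contract visible: `// client-visible: OpenIdBaseException messages are rendered in the 400 view, keep them free of internal details`. Finally, the catch-all `catch(Exception $ex)` now answers 400 for any server-side failure as well, which hides real faults (DB, misconfiguration) from monitoring; a 500 there would be more honest.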
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidAssociation
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidAssociation extends Exception {
|
||||
class InvalidAssociation extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
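Review bot: `use Exception;` is kept after the class is rebased onto `OpenIdBaseException`, here and in the matching hunks of InvalidAssociationTypeException, InvalidDHParam, InvalidKVFormat, InvalidNonce, InvalidOpenIdAuthenticationRequestMode, InvalidOpenIdMessageMode, InvalidRequestContextException, InvalidSessionTypeException, OpenIdCryptoException, OpenIdInvalidRealmException and ReplayAttackException. As far as the visible lines show nothing in these classes references `Exception` any more (the base class lives in the same `OpenId\Exceptions` namespace), so the import is dead and can be removed. The rest of each constructor is outside the hunk, so check for a remaining `Exception` type hint or catch before dropping it.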
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidAssociationTypeException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidAssociationTypeException extends Exception {
|
||||
class InvalidAssociationTypeException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidDHParam
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidDHParam extends Exception {
|
||||
class InvalidDHParam extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidKVFormat
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidKVFormat extends Exception {
|
||||
class InvalidKVFormat extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidNonce
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidNonce extends Exception {
|
||||
class InvalidNonce extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,23 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Copyright 2016 OpenStack Foundation
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**//**
|
||||
* Class InvalidOpenIdAuthenticationRequestMode
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidOpenIdAuthenticationRequestMode extends Exception {
|
||||
class InvalidOpenIdAuthenticationRequestMode extends OpenIdBaseException {
|
||||
public function __construct($message = "")
|
||||
{
|
||||
$message = "Invalid OpenId Authentication Request Mode : " . $message;
|
||||
|
|
|
@ -21,6 +21,6 @@ class InvalidOpenIdMessageException extends Exception {
|
|||
public function __construct($message = "")
|
||||
{
|
||||
$message = "Invalid OpenId Message : " . $message;
|
||||
parent::__construct($message, 0, null);
|
||||
parent::__construct($message, 400, null);
|
||||
}
|
||||
}
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidOpenIdMessageMode
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidOpenIdMessageMode extends Exception {
|
||||
class InvalidOpenIdMessageMode extends OpenIdBaseException {
|
||||
public function __construct($message = "")
|
||||
{
|
||||
$message = "Invalid OpenId Message Mode : " . $message;
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidRequestContextException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidRequestContextException extends Exception {
|
||||
class InvalidRequestContextException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class InvalidSessionTypeException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class InvalidSessionTypeException extends Exception {
|
||||
class InvalidSessionTypeException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
<?php namespace OpenId\Exceptions;
|
||||
/**
|
||||
* Copyright 2017 OpenStack Foundation
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
class OpenIdBaseException extends Exception
|
||||
{
|
||||
|
||||
}
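Review bot: The new base class has no docblock, and its contract is not obvious from an empty body: `OpenIdProviderController::endpoint` in this commit catches any `OpenIdBaseException`, logs it at warning level and renders `getMessage()` to the client with HTTP 400, so every subclass message is client-visible. Suggest a class docblock saying exactly that: `Base type for all OpenID protocol errors. Controllers map these to HTTP 400 (client error, logged as warning) and return the message to the client, so subclasses must keep it free of internal details.` Adding the `@package OpenId\Exceptions` tag the sibling classes carry would also keep the file consistent.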
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class OpenIdCryptoException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class OpenIdCryptoException extends Exception {
|
||||
class OpenIdCryptoException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,11 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
/**
|
||||
* Class OpenIdInvalidRealmException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class OpenIdInvalidRealmException extends Exception {
|
||||
class OpenIdInvalidRealmException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -11,12 +11,12 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
|
||||
/**
|
||||
* Class ReplayAttackException
|
||||
* @package OpenId\Exceptions
|
||||
*/
|
||||
class ReplayAttackException extends Exception {
|
||||
class ReplayAttackException extends OpenIdBaseException {
|
||||
|
||||
public function __construct($message = "")
|
||||
{
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
use OpenId\Exceptions\InvalidAssociation;
|
||||
use OpenId\Exceptions\InvalidAssociationTypeException;
|
||||
use OpenId\Exceptions\InvalidOpenIdAuthenticationRequestMode;
|
||||
use OpenId\Exceptions\InvalidOpenIdMessageException;
|
||||
|
@ -194,7 +195,16 @@ final class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
|
|||
$this->log_service->warning_msg("current request: ".$this->current_request);;
|
||||
}
|
||||
return new OpenIdIndirectGenericErrorResponse($inv_msg_ex->getMessage(), null, null, $this->current_request);
|
||||
} catch (Exception $ex) {
|
||||
}
|
||||
catch(InvalidAssociation $inv_assoc_ex){
|
||||
$this->checkpoint_service->trackException($inv_assoc_ex);
|
||||
$this->log_service->warning($inv_assoc_ex);
|
||||
if (!is_null($this->current_request)) {
|
||||
$this->log_service->warning_msg("current request: ".$this->current_request);;
|
||||
}
|
||||
return new OpenIdIndirectGenericErrorResponse($inv_assoc_ex->getMessage(), null, null, $this->current_request);
|
||||
}
|
||||
catch (Exception $ex) {
|
||||
$this->checkpoint_service->trackException($ex);
|
||||
$this->log_service->error($ex);
|
||||
if (!is_null($this->current_request)) {
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
* limitations under the License.
|
||||
**/
|
||||
use Exception;
|
||||
use OpenId\Exceptions\InvalidAssociation;
|
||||
use OpenId\Exceptions\InvalidAssociationTypeException;
|
||||
use OpenId\Exceptions\InvalidNonce;
|
||||
use OpenId\Exceptions\InvalidOpenIdMessageException;
|
||||
|
@ -169,19 +170,28 @@ final class OpenIdCheckAuthenticationRequestHandler extends OpenIdMessageHandler
|
|||
return $response;
|
||||
} catch (InvalidNonce $inv_nonce_ex) {
|
||||
$this->checkpoint_service->trackException($inv_nonce_ex);
|
||||
$this->log_service->error($inv_nonce_ex);
|
||||
$this->log_service->warning($inv_nonce_ex);
|
||||
$response = new OpenIdDirectGenericErrorResponse($inv_nonce_ex->getMessage());
|
||||
if(!is_null($this->current_request))
|
||||
$this->log_service->warning_msg("current request: ".$this->current_request);
|
||||
return $response;
|
||||
} catch (InvalidOpenIdMessageException $inv_msg_ex) {
|
||||
$this->checkpoint_service->trackException($inv_msg_ex);
|
||||
$this->log_service->error($inv_msg_ex);
|
||||
$this->log_service->warning($inv_msg_ex);
|
||||
$response = new OpenIdDirectGenericErrorResponse($inv_msg_ex->getMessage());
|
||||
if(!is_null($this->current_request))
|
||||
$this->log_service->warning_msg("current request: ".$this->current_request);
|
||||
return $response;
|
||||
} catch (Exception $ex) {
|
||||
}
|
||||
catch(InvalidAssociation $inv_assoc_ex){
|
||||
$this->checkpoint_service->trackException($inv_assoc_ex);
|
||||
$this->log_service->warning($inv_assoc_ex);
|
||||
$response = new OpenIdDirectGenericErrorResponse($inv_assoc_ex->getMessage());
|
||||
if(!is_null($this->current_request))
|
||||
$this->log_service->warning_msg("current request: ".$this->current_request);
|
||||
return $response;
|
||||
}
|
||||
catch (Exception $ex) {
|
||||
$this->checkpoint_service->trackException($ex);
|
||||
$this->log_service->error($ex);
|
||||
if(!is_null($this->current_request))
|
||||
|
|
|
@ -1199,4 +1199,65 @@ class OpenIdProtocolTest extends OpenStackIDBaseTest
|
|||
$this->assertTrue(strpos($content, 'http://specs.openid.net/auth/2.0/server') !== false);
|
||||
}
|
||||
|
||||
public function testInvalidRequestK()
|
||||
{
|
||||
$params = [];
|
||||
|
||||
$response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
|
||||
|
||||
$this->assertResponseStatus(400);
|
||||
|
||||
}
|
||||
|
||||
public function testInvalidAssociation()
|
||||
{
|
||||
//set login info
|
||||
|
||||
$params = array(
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS) => OpenIdProtocol::OpenID2MessageType,
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode) => OpenIdProtocol::SetupMode,
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Realm) => "https://www.newsite.com/",
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo) => "https://www.newsite.com/return_to/",
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Identity) => "http://specs.openid.net/auth/2.0/identifier_select",
|
||||
OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ClaimedId) => "http://specs.openid.net/auth/2.0/identifier_select",
|
||||
);
|
||||
|
||||
$response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
|
||||
|
||||
$this->assertResponseStatus(302);
|
||||
|
||||
$url = $response->getTargetUrl();
|
||||
|
||||
// post consent response ...
|
||||
|
||||
$consent_response = $this->call('POST', $url, array
|
||||
(
|
||||
'trust' => array('AllowOnce'),
|
||||
'_token' => Session::token()
|
||||
)
|
||||
);
|
||||
|
||||
$this->assertResponseStatus(302);
|
||||
|
||||
$auth_response = $this->action("GET", "OpenId\OpenIdProviderController@endpoint",
|
||||
array(),
|
||||
array(),
|
||||
array(),
|
||||
array());
|
||||
|
||||
$this->assertResponseStatus(302);
|
||||
|
||||
$openid_response = $this->parseOpenIdResponse($auth_response->getTargetUrl());
|
||||
|
||||
$this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_Mode)]));
|
||||
$this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_NS)]));
|
||||
$this->assertTrue(isset($openid_response[OpenIdProtocol::param(OpenIdProtocol::OpenIDProtocol_ReturnTo)]));
|
||||
|
||||
//http://openid.net/specs/openid-authentication-2_0.html#check_auth
|
||||
$params = $this->prepareCheckAuthenticationParams($openid_response);
|
||||
$params['openid.assoc_handle'] = "FAKE";
|
||||
$response = $this->action("POST", "OpenId\OpenIdProviderController@endpoint", $params);
|
||||
$openid_response = $this->getOpenIdResponseLineBreak($response->getContent());
|
||||
$this->assertResponseStatus(400);
|
||||
}
|
||||
}
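Review bot: `$openid_response = $this->getOpenIdResponseLineBreak($response->getContent());` in testInvalidAssociation is assigned and never used. Either drop the line or assert on the parsed body so the test pins what the client sees, since `$this->assertResponseStatus(400)` alone would also pass if the request fell into the generic catch-all instead of the new InvalidAssociation path. testInvalidRequestK uses `[]` for `$params` while the rest of the file uses `array(...)`; worth aligning one way.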
|
||||
|
|