Skip to content

providers/oauth2: launch url: if URL parsing fails, return no launch URL#5918

Merged
BeryJu merged 5 commits intomainfrom
oauth2-fix-launch-url-with-regex
Jun 9, 2023
Merged

providers/oauth2: launch url: if URL parsing fails, return no launch URL#5918
BeryJu merged 5 commits intomainfrom
oauth2-fix-launch-url-with-regex

Conversation

@rissson
Copy link
Member

@rissson rissson commented Jun 9, 2023

Details

With a redirect URI such as https://[\d\w]+.pr.test.goauthentik.io/source/oauth/callback/authentik/, parsing fails with:

Stacktrace 
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/asgiref/sync.py", line 472, in thread_handler
    raise exc_info[1]
  File "/usr/local/lib/python3.11/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
    response = await wrapped_callback(
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/asgiref/sync.py", line 435, in __call__
    ret = await asyncio.wait_for(future, timeout=None)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/tasks.py", line 442, in wait_for
    return await fut
           ^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/asgiref/current_thread_executor.py", line 22, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/asgiref/sync.py", line 476, in thread_handler
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/sentry_sdk/integrations/django/views.py", line 84, in sentry_wrapped_callback
    return callback(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/views/decorators/csrf.py", line 55, in wrapped_view
    return view_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/viewsets.py", line 125, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.11/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/core/api/applications.py", line 217, in list
    return self.get_paginated_response(serializer.data)
                                       ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/serializers.py", line 768, in data
    ret = super().data
          ^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/serializers.py", line 253, in data
    self._data = self.to_representation(self.instance)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/serializers.py", line 686, in to_representation
    return [
           ^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/serializers.py", line 687, in <listcomp>
    self.child.to_representation(item) for item in iterable
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/serializers.py", line 522, in to_representation
    ret[field.field_name] = field.to_representation(attribute)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/rest_framework/fields.py", line 1838, in to_representation
    return method(value)
           ^^^^^^^^^^^^^
  File "/authentik/core/api/applications.py", line 66, in get_launch_url
    return app.get_launch_url(user)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/core/models.py", line 380, in get_launch_url
    url = provider.launch_url
          ^^^^^^^^^^^^^^^^^^^
  File "/authentik/providers/oauth2/models.py", line 254, in launch_url
    launch_url = urlparse(main_url)._replace(path="")
                 ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/urllib/parse.py", line 395, in urlparse
    splitresult = urlsplit(url, scheme, allow_fragments)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/urllib/parse.py", line 500, in urlsplit
    _check_bracketed_host(bracketed_host)
  File "/usr/local/lib/python3.11/urllib/parse.py", line 446, in _check_bracketed_host
    ip = ipaddress.ip_address(hostname) # Throws Value Error if not IPv6 or IPv4
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/ipaddress.py", line 54, in ip_address
    raise ValueError(f'{address!r} does not appear to be an IPv4 or IPv6 address')
builtins.ValueError: '\\d\\w' does not appear to be an IPv4 or IPv6 address

This is a dirty hack to simply return None (i.e. no launch URL found) if said parsing fails. Feel free to do it a different way

Changes

New Features

  • Adds feature which does x, y, and z.

Breaking Changes

  • Adds breaking change which causes <issue>.

Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)
  • The translation files have been updated (make i18n-extract)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@rissson rissson requested a review from a team as a code owner June 9, 2023 15:51
@rissson rissson self-assigned this Jun 9, 2023
@netlify
Copy link

netlify bot commented Jun 9, 2023
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit f0d99fe
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/64837ce8403fd300080f9596

@codecov
Copy link

codecov bot commented Jun 9, 2023
edited
Loading

Codecov Report

Patch coverage: 61.12% and no project coverage change.

Comparison is base (5873855) 92.62% compared to head (f0d99fe) 92.62%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5918      +/-   ##
==========================================
- Coverage   92.62%   92.62%   -0.00%     
==========================================
  Files         549      549              
  Lines       26326    26340      +14     
==========================================
+ Hits        24383    24394      +11     
- Misses       1943     1946       +3
Flag Coverage Δ
e2e 51.95% <38.89%> (+0.06%) ⬆️
integration 26.47% <11.12%> (-<0.01%) ⬇️
unit 89.43% <38.89%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
authentik/providers/oauth2/tests/test_api.py 87.88% <50.00%> (-12.12%) ⬇️
authentik/providers/oauth2/models.py 94.74% <62.50%> (-1.32%) ⬇️
authentik/core/models.py 92.62% <100.00%> (ø)

... and 6 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@rissson
Copy link
Member Author

rissson commented Jun 9, 2023

Also, this prevents the dashboard from loading, as well as the applications list in the admin interface

@rissson
Copy link
Member Author

rissson commented Jun 9, 2023

For reference, this broke with the change from python 3.11.3 to 3.11.4, with python/cpython#104349

@rissson
providers/oauth2: launch url: if URL parsing fails, return no launch URL
d11a2b5 
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
@rissson rissson force-pushed the oauth2-fix-launch-url-with-regex branch from 21efb3e to d11a2b5 Compare June 9, 2023 18:12
@github-actions
Copy link
Contributor

github-actions bot commented Jun 9, 2023
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-oauth2-fix-launch-url-with-regex-1686339390-f0d99fe
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-oauth2-fix-launch-url-with-regex-1686339390-f0d99fe-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-oauth2-fix-launch-url-with-regex-1686339390-f0d99fe

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-oauth2-fix-launch-url-with-regex-1686339390-f0d99fe-arm64

Afterwards, run the upgrade commands from the latest release notes.

BeryJu added 2 commits June 9, 2023 20:50
@BeryJu
add test
dbfec08 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
only get provider launch URL when no url is set
3a07120 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
rissson
rissson commented Jun 9, 2023
View reviewed changes
BeryJu added 2 commits June 9, 2023 21:11
@BeryJu
only catch value error
9a5871f 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
format
f0d99fe 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu merged commit 0041cf8 into main Jun 9, 2023
@BeryJu BeryJu deleted the oauth2-fix-launch-url-with-regex branch June 9, 2023 19:56
kensternberg-authentik added a commit that referenced this pull request Jun 12, 2023
@kensternberg-authentik
Merge branch 'main' into 5165-password-strength-indicator
a75c943 
* main: (23 commits)
  web: bump API Client version (#5935)
  sources/ldap: add support for cert based auth (#5850)
  ci: replace status with state for auto-deployment
  ci: don't write CI status to file
  ci: add workflow to automatically update next branch (#5921)
  providers/ldap: fix Outpost provider listing excluding backchannel providers (#5933)
  root: revert to use secret_key for JWT signing (#5934)
  sources/ldap: fix duplicate bind when authenticating user directly to… (#5927)
  web: bump core-js from 3.30.2 to 3.31.0 in /web (#5928)
  core: bump pytest from 7.3.1 to 7.3.2 (#5929)
  web: bump @rollup/plugin-commonjs from 25.0.0 to 25.0.1 in /web (#5931)
  web: bump @formatjs/intl-listformat from 7.3.0 to 7.4.0 in /web (#5932)
  core: bump github.com/go-ldap/ldap/v3 from 3.4.4 to 3.4.5 (#5930)
  website/integrations: Fix header in dokuwiki instructions (#5926)
  providers/oauth2: launch url: if URL parsing fails, return no launch URL (#5918)
  web: bump @babel/core from 7.22.1 to 7.22.5 in /web (#5909)
  web: bump @babel/plugin-proposal-decorators from 7.22.3 to 7.22.5 in /web (#5910)
  web: bump @babel/preset-typescript from 7.21.5 to 7.22.5 in /web (#5912)
  web: bump @babel/preset-env from 7.22.4 to 7.22.5 in /web (#5915)
  core: bump requests-mock from 1.10.0 to 1.11.0 (#5911)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@BeryJu BeryJu BeryJu approved these changes

Assignees

@rissson rissson

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rissson @BeryJu