Merge pull request #16 from y-temp4/fix-scope

keillera · web-flow · commit 041d74ebd86f · 2019-06-03T21:00:17.000+09:00
ALIS-3561: Fix scope
diff --git a/lambdas/http/authorization.py b/lambdas/http/authorization.py
@@ -41,7 +41,7 @@ def handler(event, context):
 
         # scopeの検証
         if not verify_scope_parameter(params['scope'][0]):
-            return response_builder(400, {"error_message": "invalid scope parameter. scope parameter must be 'openid read' or 'openid write'"})
+            return response_builder(400, {"error_message": "invalid scope parameter. scope parameter must be 'openid read' or 'openid read write'"})
 
         # authrazition API
         new_params = urllib.parse.urlencode(params, doseq=True)
diff --git a/lib/utils.py b/lib/utils.py
@@ -80,20 +80,10 @@ def verify_jwt_token(token):
 
 
 def verify_scope_parameter(scope_str):
-    # スペースで区切られた2つの値が指定されており、
-    # 一つはopenidでもう一つはreadかwriteが指定されていることをチェックする
-    scope_str = re.sub(r'^\s+', '', scope_str)
-    scope_str = re.sub(r'\s+$', '', scope_str)
-    scopes = re.split(r'\s+', scope_str)
-    if len(scopes) != 2:
-        return False
-    if not 'openid' in scopes:
-        return False
-    scopes.remove('openid')
-    if scopes[0] != 'read' and scopes[0] != 'write':
-        return False
-    return True
-
+    accept_scopes = ['openid read', 'openid read write']
+    if scope_str in accept_scopes:
+        return True
+    return False
 
 def verify_supported_media_type(headers):
     lower_headers = {}
diff --git a/tests/integration/test_authorization.py b/tests/integration/test_authorization.py
@@ -17,7 +17,7 @@ def __get_id_token(self):
                 )
         return result['AuthenticationResult']['IdToken']
 
-    def test_return_200(self, endpoint):
+    def test_return_200_scope_read(self, endpoint):
         id_token = self.__get_id_token()
         response = requests.post(
             endpoint + '/authorization',
@@ -39,6 +39,28 @@ def test_return_200(self, endpoint):
         assert response.status_code == 200
         assert 'redirect_uri' in data
 
+    def test_return_200_scope_write(self, endpoint):
+        id_token = self.__get_id_token()
+        response = requests.post(
+            endpoint + '/authorization',
+            headers={
+                'Authorization': f'Bearer {id_token}'
+            },
+            data={
+                'response_type': 'code',
+                'client_id': os.environ['TEST_AUTHLETE_SERVER_APP_CLIENT_ID'],
+                'redirect_uri': 'http://localhost',
+                'scope': 'openid read write',
+                'code_challenge': 'hcCb3gToI1GPZeS_SIYWvaNT_5u0GB1oqOGQJqRKMSE',
+                'code_challenge_method': 'S256',
+                'subject': 'fugafuga',
+                'sub': 'hogehgoe'
+            }
+        )
+        data = response.json()
+        assert response.status_code == 200
+        assert 'redirect_uri' in data
+
     def test_return_401_invalid_jwt(self, endpoint):
         id_token = 'xxxxxx'
         response = requests.post(
