Merge branch 'master' into loganbertram/BB2-3484-scope-incident-fix

Author: loganbertram

README.md

@@ -167,4 +167,4 @@ by their respective authors.
 License
 -------
 
-This project is free and open source software under the Apache 2 license. See LICENSE for more information.
+This project is free and open source software under the Apache 2 license. See LICENSE for more information.

apps/dot_ext/tests/test_authorization.py

@@ -578,6 +578,61 @@ def test_dag_expiration_exists(self):
         expiration_date_string = strftime('%Y-%m-%d %H:%M:%SZ', expiration_date.timetuple())
         self.assertEqual(tkn["access_grant_expiration"][:-4], expiration_date_string[:-4])
 
+    def test_revoke_endpoint(self):
+        redirect_uri = 'http://localhost'
+        # create a user
+        self._create_user('anna', '123456')
+        capability_a = self._create_capability('Capability A', [])
+        capability_b = self._create_capability('Capability B', [])
+        # create an application and add capabilities
+        application = self._create_application(
+            'an app',
+            grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            client_type=Application.CLIENT_CONFIDENTIAL,
+            redirect_uris=redirect_uri)
+        application.scope.add(capability_a, capability_b)
+        # user logs in
+        request = HttpRequest()
+        self.client.login(request=request, username='anna', password='123456')
+        # post the authorization form with only one scope selected
+        payload = {
+            'client_id': application.client_id,
+            'response_type': 'code',
+            'redirect_uri': redirect_uri,
+            'scope': ['capability-a'],
+            'expires_in': 86400,
+            'allow': True,
+        }
+        response = self.client.post(reverse('oauth2_provider:authorize'), data=payload)
+        self.client.logout()
+        self.assertEqual(response.status_code, 302)
+        # now extract the authorization code and use it to request an access_token
+        query_dict = parse_qs(urlparse(response['Location']).query)
+        authorization_code = query_dict.pop('code')
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': redirect_uri,
+            'client_id': application.client_id,
+            'client_secret': application.client_secret_plain,
+        }
+        c = Client()
+        response = c.post('/v1/o/token/', data=token_request_data)
+        self.assertEqual(response.status_code, 200)
+        # extract token and use it to make a revoke request
+        tkn = response.json()['access_token']
+        revoke_request_data = f"token={tkn}&client_id={application.client_id}&client_secret={application.client_secret_plain}"
+        content_type = "application/x-www-form-urlencoded"
+        c = Client()
+        rev_response = c.post('/v1/o/revoke/', data=revoke_request_data, content_type=content_type)
+        self.assertEqual(rev_response.status_code, 200)
+        # check DAG deletion
+        dags_count = DataAccessGrant.objects.count()
+        self.assertEqual(dags_count, 0)
+        # check token deletion
+        tkn_count = AccessToken.objects.filter(token=tkn).count()
+        self.assertEqual(tkn_count, 0)
+
     def test_refresh_with_revoked_token(self):
         redirect_uri = 'http://localhost'
         # create a user

apps/dot_ext/urls.py

@@ -15,6 +15,7 @@
     ),
     path("token/", views.TokenView.as_view(), name="token"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token"),
+    path("revoke/", views.RevokeView.as_view(), name="revoke"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect"),
 ]
 

apps/dot_ext/v2/urls.py

@@ -15,6 +15,7 @@
     ),
     path("token/", views.TokenView.as_view(), name="token-v2"),
     path("revoke_token/", views.RevokeTokenView.as_view(), name="revoke-token-v2"),
+    path("revoke/", views.RevokeView.as_view(), name="revoke-v2"),
     path("introspect/", views.IntrospectTokenView.as_view(), name="introspect-v2"),
 ]
 

apps/dot_ext/views/__init__.py

@@ -1,2 +1,2 @@
 from .application import ApplicationRegistration, ApplicationUpdate, ApplicationDelete  # NOQA
-from .authorization import AuthorizationView, ApprovalView, TokenView, RevokeTokenView, IntrospectTokenView  # NOQA
+from .authorization import AuthorizationView, ApprovalView, TokenView, RevokeTokenView, RevokeView, IntrospectTokenView  # NOQA

apps/dot_ext/views/authorization.py

@@ -23,7 +23,7 @@
 from oauth2_provider.models import get_application_model
 from oauthlib.oauth2.rfc6749.errors import InvalidClientError, InvalidGrantError
 from urllib.parse import urlparse, parse_qs
-
+import html
 from apps.dot_ext.scopes import CapabilitiesScopes
 import apps.logging.request_logger as bb2logging
 
@@ -121,12 +121,12 @@ def sensitive_info_check(self, request):
     def get_template_names(self):
         flag = get_waffle_flag_model().get("limit_data_access")
         if waffle.switch_is_active('require-scopes'):
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.application.user)):
+            if flag.rollout or (flag.id is not None and self.application and flag.is_active_for_user(self.application.user)):
                 return ["design_system/new_authorize_v2.html"]
             else:
                 return ["design_system/authorize_v2.html"]
         else:
-            if flag.rollout or (flag.id is not None and flag.is_active_for_user(self.user)):
+            if flag.rollout or (flag.id is not None and self.user and flag.is_active_for_user(self.user)):
                 return ["design_system/new_authorize_v2.html"]
             else:
                 return ["design_system/authorize.html"]
@@ -362,6 +362,40 @@ def post(self, request, *args, **kwargs):
         return super().post(request, args, kwargs)
 
 
+@method_decorator(csrf_exempt, name="dispatch")
+class RevokeView(DotRevokeTokenView):
+
+    @method_decorator(sensitive_post_parameters("password"))
+    def post(self, request, *args, **kwargs):
+        at_model = get_access_token_model()
+        try:
+            app = validate_app_is_active(request)
+        except (InvalidClientError, InvalidGrantError) as error:
+            return json_response_from_oauth2_error(error)
+
+        tkn = request.POST.get('token')
+        if tkn is not None:
+            escaped_tkn = html.escape(tkn)
+        else:
+            escaped_tkn = ""
+
+        try:
+            token = at_model.objects.get(token=tkn)
+        except at_model.DoesNotExist:
+            log.debug(f"Token {escaped_tkn} was not found.")
+
+        try:
+            dag = DataAccessGrant.objects.get(
+                beneficiary=token.user,
+                application=app
+            )
+            dag.delete()
+        except Exception:
+            log.debug(f"DAG lookup failed for token {escaped_tkn}.")
+
+        return super().post(request, args, kwargs)
+
+
 @method_decorator(csrf_exempt, name="dispatch")
 class IntrospectTokenView(DotIntrospectTokenView):
 

apps/fhir/bluebutton/utils.py

@@ -636,12 +636,16 @@ def build_oauth_resource(request, v2=False, format_type="json"):
         <extension url="authorize">
             <valueUri>%s</valueUri>
         </extension>
+        <extension url="revoke">
+            <valueUri>%s</valueUri>
+        </extension>
     </extension>
 
 </security>
         """ % (
             endpoints["token_endpoint"],
             endpoints["authorization_endpoint"],
+            endpoints["revocation_endpoint"],
         )
 
     else:  # json
@@ -680,6 +684,7 @@ def build_oauth_resource(request, v2=False, format_type="json"):
                         "url": "authorize",
                         "valueUri": endpoints["authorization_endpoint"],
                     },
+                    {"url": "revoke", "valueUri": endpoints["revocation_endpoint"]},
                 ],
             }
         ]

apps/logging/sensitive_logging_filters.py

@@ -0,0 +1,51 @@
+import re
+import logging
+import logging.config
+
+MBI_WITH_HYPHEN_PATTERN = r"""\b
+    [1-9](?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz)])[A-Za-z\d]\d
+    -(?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz])[A-Za-z\d]\d
+    -((?![SLOIBZsloibz])[A-Za-z]){2}\d{2}
+    \b
+    """
+
+MBI_WITHOUT_HYPHEN_PATTERN = r"""\b
+    [1-9](?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz)])[A-Za-z\d]\d
+    (?![SLOIBZsloibz])[A-Za-z](?![SLOIBZsloibz])[A-Za-z\d]\d
+    ((?![SLOIBZsloibzd])[A-Za-z]){2}\d{2}
+    \b"""
+
+MBI_PATTERN = f'({MBI_WITH_HYPHEN_PATTERN}|{MBI_WITHOUT_HYPHEN_PATTERN})'
+SENSITIVE_DATA_FILTER = "sensitive_data_filter"
+
+
+def mask_if_has_mbi(text):
+    return re.sub(MBI_PATTERN, '***MBI***', str(text), flags=re.VERBOSE)
+
+
+def mask_mbi(value_to_mask):
+    if isinstance(value_to_mask, str):
+        return mask_if_has_mbi(value_to_mask)
+
+    if isinstance(value_to_mask, tuple):
+        return tuple([mask_if_has_mbi(arg) for arg in value_to_mask])
+
+    if isinstance(value_to_mask, list):
+        return [mask_if_has_mbi(arg) for arg in value_to_mask]
+
+    if isinstance(value_to_mask, dict):
+        for key, value in value_to_mask.items():
+            value_to_mask[key] = mask_mbi(value)
+
+    return value_to_mask
+
+
+class SensitiveDataFilter(logging.Filter):
+
+    def filter(self, record):
+        try:
+            record.args = mask_mbi(record.args)
+            record.msg = mask_mbi(record.msg)
+            return True
+        except Exception:
+            pass

apps/wellknown/views/openid.py

@@ -61,6 +61,7 @@ def build_endpoint_info(data=OrderedDict(), v2=False, issuer=""):
     data["issuer"] = issuer
     data["authorization_endpoint"] = issuer + \
         reverse('oauth2_provider:authorize' if not v2 else 'oauth2_provider_v2:authorize-v2')
+    data["revocation_endpoint"] = issuer + reverse('oauth2_provider:revoke')
     data["token_endpoint"] = issuer + \
         reverse('oauth2_provider:token' if not v2 else 'oauth2_provider_v2:token-v2')
     data["userinfo_endpoint"] = issuer + \

hhs_oauth_server/settings/base.py

@@ -1,4 +1,5 @@
 import os
+from apps.logging.sensitive_logging_filters import SENSITIVE_DATA_FILTER, SensitiveDataFilter
 import dj_database_url
 import socket
 import datetime
@@ -377,6 +378,12 @@
             "console": {
                 "class": "logging.StreamHandler",
                 "formatter": "verbose",
+                "filters": [SENSITIVE_DATA_FILTER],
+            }
+        },
+        "filters": {
+            "sensitive_data_filter": {
+                "()": SensitiveDataFilter,
             }
         },
         "loggers": {
@@ -421,6 +428,10 @@
                 "handlers": ["console"],
                 "level": "INFO",
             },
+            'django': {
+                'handlers': ['console'],
+                'level': 'INFO',
+            },
         },
     },
 )