UA 2779 | [django-oidc-provider] should address security warnings (#8)

kdallege · web-flow · commit 7689acadbfb1 · 2023-05-04T15:32:09.000-04:00
* it builds, tests pass, and I removed a couple bandit warnings of the Severity: High Confidence: High variety

* formatting fix in settings

* added the orm back into the version string in a PEP 440 compliant way.

* Implemented suggestions from the PR. Tests still pass
diff --git a/docs/conf.py b/docs/conf.py
@@ -62,7 +62,7 @@
 #
 # This is also used if you do content translation via gettext catalogs.
 # Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
 
 # There are two options for replacing |today|: either, you set today to some
 # non-false value, then it is used:
diff --git a/example/app/settings.py b/example/app/settings.py
@@ -2,6 +2,7 @@
 import os
 BASE_DIR = os.path.dirname(os.path.dirname(__file__))
 
+DEFAULT_AUTO_FIELD = 'django.db.models.AutoField' 
 
 SECRET_KEY = 'c14d549c574e4d8cf162404ef0b04598'
 
diff --git a/example/app/urls.py b/example/app/urls.py
@@ -1,16 +1,13 @@
 from django.contrib.auth import views as auth_views
-try:
-    from django.urls import include, url
-except ImportError:
-    from django.conf.urls import include, url
+from django.urls import include, re_path
 from django.contrib import admin
 from django.views.generic import TemplateView
 
 
 urlpatterns = [
-    url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
-    url(r'^accounts/login/$', auth_views.login, {'template_name': 'login.html'}, name='login'),
-    url(r'^accounts/logout/$', auth_views.logout, {'next_page': '/'}, name='logout'),
-    url(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
-    url(r'^admin/', admin.site.urls),
+    re_path(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
+    re_path(r'^accounts/login/$', auth_views.LoginView.as_view(template_name='login.html'), name='login'),
+    re_path(r'^accounts/logout/$', auth_views.LogoutView.as_view(next_page='/'), name='logout'),
+    re_path(r'^', include('oidc_provider.urls', namespace='oidc_provider')),
+    re_path(r'^admin/', admin.site.urls),
 ]
diff --git a/example/requirements.txt b/example/requirements.txt
@@ -1,2 +1,2 @@
-django
-https://github.com/juanifioren/django-oidc-provider/archive/master.zip
+django==3.2.18
+../
diff --git a/oidc_provider/__init__.py b/oidc_provider/__init__.py
@@ -1,2 +0,0 @@
-
-default_app_config = 'oidc_provider.apps.OIDCProviderConfig'
diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py
@@ -9,7 +9,7 @@
     from urlparse import urlsplit, parse_qs, urlunsplit
 except ImportError:
     from urllib.parse import urlsplit, parse_qs, urlunsplit, urlencode
-from uuid import uuid4
+from secrets import token_hex 
 
 from django.utils import timezone
 
@@ -206,7 +206,7 @@ def create_response_uri(self):
                     redirect_uri_parsed.scheme, redirect_uri_parsed.netloc)
 
                 # Create random salt.
-                salt = md5(uuid4().hex.encode()).hexdigest()
+                salt = token_hex()
 
                 # The generation of suitable Session State values is based
                 # on a salted cryptographic hash of Client ID, origin URL,
diff --git a/oidc_provider/models.py b/oidc_provider/models.py
@@ -264,4 +264,4 @@ def __unicode__(self):
 
     @property
     def kid(self):
-        return u'{0}'.format(md5(self.key.encode('utf-8')).hexdigest() if self.key else '')
+        return u'{0}'.format(md5(self.key.encode('utf-8'), usedforsecurity=False).hexdigest() if self.key else '')
diff --git a/oidc_provider/tests/app/urls.py b/oidc_provider/tests/app/urls.py
@@ -1,18 +1,15 @@
 from django.contrib.auth import views as auth_views
-try:
-    from django.urls import include, url
-except ImportError:
-    from django.conf.urls import include, url
+from django.urls import re_path, include
 from django.contrib import admin
 from django.views.generic import TemplateView
 
 
 urlpatterns = [
-    url(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
-    url(r'^accounts/login/$',
+    re_path(r'^$', TemplateView.as_view(template_name='home.html'), name='home'),
+    re_path(r'^accounts/login/$',
         auth_views.LoginView.as_view(template_name='accounts/login.html'), name='login'),
-    url(r'^accounts/logout/$',
+    re_path(r'^accounts/logout/$',
         auth_views.LogoutView.as_view(template_name='accounts/logout.html'), name='logout'),
-    url(r'^openid/', include('oidc_provider.urls', namespace='oidc_provider')),
-    url(r'^admin/', admin.site.urls),
+    re_path(r'^openid/', include('oidc_provider.urls', namespace='oidc_provider')),
+    re_path(r'^admin/', admin.site.urls),
 ]
diff --git a/oidc_provider/tests/cases/test_authorize_endpoint.py b/oidc_provider/tests/cases/test_authorize_endpoint.py
@@ -276,20 +276,18 @@ def test_response_uri_is_properly_constructed(self):
         parsed = urlsplit(response['Location'])
         params = parse_qs(parsed.query or parsed.fragment)
         state = params['state'][0]
-        self.assertEquals(self.state, state, msg="State returned is invalid or missing")
+        assert self.state == state, "State returned is invalid or missing"
 
         is_code_ok = is_code_valid(url=response['Location'],
                                    user=self.user,
                                    client=self.client)
-        self.assertTrue(is_code_ok, msg='Code returned is invalid or missing')
+        assert is_code_ok, 'Code returned is invalid or missing'
 
-        self.assertEquals(
-            set(params.keys()), {'state', 'code'},
-            msg='More than state or code appended as query params')
+        assert set(params.keys()) == {'state', 'code'}, \
+            'More than state or code appended as query params'
 
-        self.assertTrue(
-            response['Location'].startswith(self.client.default_redirect_uri),
-            msg='Different redirect_uri returned')
+        assert response['Location'].startswith(self.client.default_redirect_uri), \
+            'Different redirect_uri returned'
 
     def test_unknown_redirect_uris_are_rejected(self):
         """
@@ -395,7 +393,7 @@ def test_prompt_login_parameter(self, logout_function):
 
         response = self._auth_request('get', data, is_user_authenticated=True)
         self.assertIn(settings.get('OIDC_LOGIN_URL'), response['Location'])
-        self.assertTrue(logout_function.called_once())
+        logout_function.assert_called_once()
         self.assertNotIn(
             quote('prompt=login'),
             response['Location'],
@@ -662,7 +660,7 @@ def test_public_client_implicit_auto_approval(self):
 
         response = self._auth_request('get', data, is_user_authenticated=True)
         response_text = response.content.decode('utf-8')
-        self.assertEquals(response_text, '')
+        assert response_text == ''
         components = urlsplit(response['Location'])
         fragment = parse_qs(components[4])
         self.assertIn('access_token', fragment)
diff --git a/oidc_provider/tests/cases/test_claims.py b/oidc_provider/tests/cases/test_claims.py
@@ -1,7 +1,6 @@
 from __future__ import unicode_literals
 
 from django.test import TestCase
-from django.utils.six import text_type
 from django.utils.translation import override as override_language
 
 from oidc_provider.lib.claims import ScopeClaims, StandardScopeClaims, STANDARD_CLAIMS
@@ -49,19 +48,16 @@ def test_clean_dic(self):
             'phone_number': '',
         }
         clean_dict = self.scopeClaims._clean_dic(dict_to_clean)
-        self.assertEquals(
-            clean_dict,
-            {
-                'family_name': 'Doe',
-                'given_name': 'John',
-                'name': 'John Doe',
-                'email': u'johndoe@example.com'
-            }
-        )
+        assert clean_dict == {
+            'family_name': 'Doe',
+            'given_name': 'John',
+            'name': 'John Doe',
+            'email': u'johndoe@example.com',
+        }
 
     def test_locale(self):
         with override_language('fr'):
-            self.assertEqual(text_type(StandardScopeClaims.info_profile[0]), 'Profil de base')
+            assert str(StandardScopeClaims.info_profile[0]) == 'Profil de base'
 
     def test_scopeclaims_class_inheritance(self):
         # Generate example class that will be used for `OIDC_EXTRA_SCOPE_CLAIMS` setting.
diff --git a/oidc_provider/tests/cases/test_commands.py b/oidc_provider/tests/cases/test_commands.py
@@ -1,7 +1,6 @@
+from io import StringIO
 from django.core.management import call_command
 from django.test import TestCase
-from django.utils.six import StringIO
-
 
 class CommandsTest(TestCase):
 
diff --git a/oidc_provider/tests/cases/test_introspection_endpoint.py b/oidc_provider/tests/cases/test_introspection_endpoint.py
@@ -6,7 +6,7 @@
     from urllib.parse import urlencode
 except ImportError:
     from urllib import urlencode
-from django.utils.encoding import force_text
+from django.utils.encoding import force_str
 from django.core.management import call_command
 from django.test import TestCase, RequestFactory, override_settings
 from django.utils import timezone
@@ -44,8 +44,8 @@ def setUp(self):
         self.token.save()
 
     def _assert_inactive(self, response):
-        self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_text(response.content), {'active': False})
+        assert response.status_code == 200
+        self.assertJSONEqual(force_str(response.content), {'active': False})
 
     def _assert_active(self, response, **kwargs):
         self.assertEqual(response.status_code, 200)
@@ -59,7 +59,7 @@ def _assert_active(self, response, **kwargs):
             'iss': 'http://localhost:8000/openid',
         }
         expected_content.update(kwargs)
-        self.assertJSONEqual(force_text(response.content), expected_content)
+        self.assertJSONEqual(force_str(response.content), expected_content)
 
     def _make_request(self, **kwargs):
         url = reverse('oidc_provider:token-introspection')
@@ -126,7 +126,7 @@ def test_valid_client_grant_token_without_aud_validation(self):
         self.resource.save()
         response = self._make_request()
         self.assertEqual(response.status_code, 200)
-        self.assertJSONEqual(force_text(response.content), {
+        self.assertJSONEqual(force_str(response.content), {
             'active': True,
             'client_id': self.client.client_id,
         })
diff --git a/oidc_provider/tests/cases/test_middleware.py b/oidc_provider/tests/cases/test_middleware.py
@@ -1,7 +1,4 @@
-try:
-    from django.urls import url
-except ImportError:
-    from django.conf.urls import url
+from django.urls import re_path
 from django.test import TestCase, override_settings
 from django.views.generic import View
 from mock import mock
@@ -11,7 +8,7 @@ class StubbedViews:
     class SampleView(View):
         pass
 
-    urlpatterns = [url('^test/', SampleView.as_view())]
+    urlpatterns = [re_path('^test/', SampleView.as_view())]
 
 
 MW_CLASSES = ('django.contrib.sessions.middleware.SessionMiddleware',
diff --git a/oidc_provider/tests/cases/test_settings.py b/oidc_provider/tests/cases/test_settings.py
@@ -16,7 +16,7 @@ def test_override_templates(self):
 
     def test_unauthenticated_session_management_key_has_default(self):
         key = settings.get('OIDC_UNAUTHENTICATED_SESSION_MANAGEMENT_KEY')
-        self.assertRegexpMatches(key, r'[a-zA-Z0-9]+')
+        self.assertRegex(key, r'[a-zA-Z0-9]+')
         self.assertGreater(len(key), 50)
 
     def test_unauthenticated_session_management_key_has_constant_value(self):
diff --git a/oidc_provider/urls.py b/oidc_provider/urls.py
@@ -1,7 +1,4 @@
-try:
-    from django.urls import url
-except ImportError:
-    from django.conf.urls import url
+from django.urls import re_path 
 from django.views.decorators.csrf import csrf_exempt
 
 from oidc_provider import (
@@ -11,18 +8,18 @@
 
 app_name = 'oidc_provider'
 urlpatterns = [
-    url(r'^authorize/?$', views.AuthorizeView.as_view(), name='authorize'),
-    url(r'^token/?$', csrf_exempt(views.TokenView.as_view()), name='token'),
-    url(r'^userinfo/?$', csrf_exempt(views.userinfo), name='userinfo'),
-    url(r'^end-session/?$', views.EndSessionView.as_view(), name='end-session'),
-    url(r'^\.well-known/openid-configuration/?$', views.ProviderInfoView.as_view(),
+    re_path(r'^authorize/?$', views.AuthorizeView.as_view(), name='authorize'),
+    re_path(r'^token/?$', csrf_exempt(views.TokenView.as_view()), name='token'),
+    re_path(r'^userinfo/?$', csrf_exempt(views.userinfo), name='userinfo'),
+    re_path(r'^end-session/?$', views.EndSessionView.as_view(), name='end-session'),
+    re_path(r'^\.well-known/openid-configuration/?$', views.ProviderInfoView.as_view(),
         name='provider-info'),
-    url(r'^introspect/?$', views.TokenIntrospectionView.as_view(), name='token-introspection'),
-    url(r'^jwks/?$', views.JwksView.as_view(), name='jwks'),
+    re_path(r'^introspect/?$', views.TokenIntrospectionView.as_view(), name='token-introspection'),
+    re_path(r'^jwks/?$', views.JwksView.as_view(), name='jwks'),
 ]
 
 if settings.get('OIDC_SESSION_MANAGEMENT_ENABLE'):
     urlpatterns += [
-        url(r'^check-session-iframe/?$', views.CheckSessionIframeView.as_view(),
+        re_path(r'^check-session-iframe/?$', views.CheckSessionIframeView.as_view(),
             name='check-session-iframe'),
     ]
diff --git a/oidc_provider/version.py b/oidc_provider/version.py
@@ -1 +1 @@
-__version__ = '0.7.0-orm.1'
+__version__ = '0.7.1+orm'
diff --git a/requirements.txt b/requirements.txt
@@ -1,13 +1,11 @@
-certifi==2018.4.16
-chardet==3.0.4
-Django==1.11
-future==0.16.0
-idna==2.6
-mock==2.0.0
-pbr==4.0.2
-pycryptodomex==3.6.1
-pyjwkest==1.4.0
-pytz==2018.4
-requests==2.18.4
-six==1.11.0
-urllib3==1.22
+certifi>=2022.12.7
+chardet>=5.1.0
+Django==3.2.18
+idna>=3
+mock>=5
+pbr>=5
+pycryptodome>=3.17
+pyjwkest>=1.4.0
+pytz>=2023.3
+requests>=2.29.0
+urllib3>=1.26.15
diff --git a/tox.ini b/tox.ini
@@ -1,31 +1,29 @@
 [tox]
 envlist=
     docs,
-    py27-django{111},
-    py35-django{111,20,21},
-    py36-django{111,20,21},
+    py310-django{32}
 
 [testenv]
 changedir=
     oidc_provider
 deps =
     mock
-    psycopg2
-    pytest==3.6.4
-    pytest-django
-    pytest-flake8
-    pytest-cov
-    django111: django>=1.11,<1.12
-    django20: django>=2.0,<2.1
-    django21: django>=2.1,<2.2
+    psycopg2-binary
+    pytest==7.2.2
+    pytest-flake8==1.0.7,
+    pytest-cov==4.0.0
+    pytest-dotenv==0.5.2
+    pytest-django==4.5.2
+    pytest-xdist==3.2.1
+    django32: django==3.2.18
 
 commands =
-    pytest --flake8 --cov=oidc_provider {posargs}
+    pytest --cov=oidc_provider {posargs}
 
 [testenv:docs]
-basepython = python2.7
+basepython = python3.10
 changedir = docs
-whitelist_externals =
+allowlist_externals =
     mkdir
 deps =
     sphinx

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@`
`62`	`62`	`#`
`63`	`63`	`# This is also used if you do content translation via gettext catalogs.`
`64`	`64`	`# Usually you set "language" from the command line for these cases.`
`65`		`-language = None`
	`65`	`+language = 'en'`
`66`	`66`
`67`	`67`	`# There are two options for replacing \|today\|: either, you set today to some`
`68`	`68`	`# non-false value, then it is used:`
-Original file line number
+Diff line change
@@ @@ -1,2 +1,2 @@ @@
 -django
 -https://github.com/juanifioren/django-oidc-provider/archive/master.zip
 +django==3.2.18
 +../
Original file line number	Diff line number	Diff line change
`@@ -1,2 +0,0 @@`
`1`		`-`
`2`		`-default_app_config = 'oidc_provider.apps.OIDCProviderConfig'`