From 2916e139ed09789ff3fb32d5bbf1ca7904a220fb Mon Sep 17 00:00:00 2001
From: Felicia Rosemond
Date: Mon, 1 Apr 2024 08:18:27 -0400
Subject: [PATCH 1/3] IAM-1269 updated the _verified method to catch the deserialization error
---
 dashboard/oidc_auth.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dashboard/oidc_auth.py b/dashboard/oidc_auth.py
index e8abf4bd..8192df4e 100644
--- a/dashboard/oidc_auth.py
+++ b/dashboard/oidc_auth.py
@@ -2,6 +2,7 @@
 import logging
 from josepy.jwk import JWK
 from josepy.jws import JWS
+from josepy.error import JWSErrors
 """Class that governs all authentication with open id connect."""
 from flask_pyoidc import OIDCAuthentication
@@ -95,6 +96,10 @@ def _verified(self):
 self.jws_data["connection_name"] = self._get_connection_name(self.jws_data["connection"])
 return True
 except UnicodeDecodeError:
+ logger.warning("UnicodeDecodeError: The jws {jws}".format(jws=self.jws))
+ return False
+ except JWSErrors.DeserializationError:
+ logger.warning("DeserializationError jws {jws}".format(jws=self.jws))
 return False
 def error_message(self):
From f5b421bee105301800d3f0af4250af6b95cd647f Mon Sep 17 00:00:00 2001
From: Felicia Rosemond
Date: Tue, 2 Apr 2024 13:21:37 -0400
Subject: [PATCH 2/3] IAM-1269 added blanket exception to catch all other errors in the _verified method
---
 dashboard/app.py | 1 -
 dashboard/oidc_auth.py | 8 ++++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/dashboard/app.py b/dashboard/app.py
index 1bca22c9..f211e958 100644
--- a/dashboard/app.py
+++ b/dashboard/app.py
@@ -133,7 +133,6 @@ def forbidden():
 jws = request.args.get("error").encode()
 token_verifier = oidc_auth.tokenVerification(jws=jws, public_key=app.config["FORBIDDEN_PAGE_PUBLIC_KEY"])
- """TODO: add code here to catch when the token is invalid"""
 token_verifier.verify
 return render_template("forbidden.html", token_verifier=token_verifier)
diff --git a/dashboard/oidc_auth.py b/dashboard/oidc_auth.py
index 8192df4e..56147a1d 100644
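Review bot: The new import `from josepy.error import JWSErrors` needs checking against the installed josepy, whose exception classes live in the `josepy.errors` module (plural) and expose `DeserializationError` directly rather than through a `JWSErrors` container. If that path does not resolve, the ImportError fires at module load and takes the whole `dashboard.oidc_auth` module down, which is a much wider failure than the single parse error this commit sets out to handle. If confirmed, the import would become `from josepy.errors import DeserializationError` and the handler in the second hunk `except DeserializationError:`.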
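Review bot: Both new warnings in `_verified` interpolate `self.jws` verbatim into the log line; in this series the value comes from `request.args.get("error").encode()` in `app.py`, so it is caller-controlled, unbounded, and may carry newlines that forge extra log records. Prefer lazy, repr-quoted logging such as `logger.warning("UnicodeDecodeError while verifying jws=%r", self.jws)` and `logger.warning("DeserializationError while verifying jws=%r", self.jws)`, or log only `len(self.jws)` if the raw token does not need to be retained. `_verified` begins before this hunk, so the try body that raises these exceptions is not visible here.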
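Review bot: Removing the TODO implies the invalid-token case is now handled in `forbidden()`, but the surviving `token_verifier.verify` line is a bare attribute access with no call, so if `verify` is a method (as the `_verified(self)` helper in `oidc_auth.py` suggests) it never runs and the template is rendered regardless of the outcome. If that reading is right the line should be `token_verifier.verify()` with its boolean result checked before `render_template`; if `verify` is instead a property, a one-line comment saying so would stop the next reader from asking the same question. `forbidden()` starts before this hunk.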
--- a/dashboard/oidc_auth.py
+++ b/dashboard/oidc_auth.py
@@ -1,5 +1,6 @@
 import json
 import logging
+import traceback
 from josepy.jwk import JWK
 from josepy.jws import JWS
 from josepy.error import JWSErrors
@@ -101,6 +102,13 @@ def _verified(self):
 except JWSErrors.DeserializationError:
 logger.warning("DeserializationError jws {jws}".format(jws=self.jws))
 return False
+ except Exception: # pylint: disable=broad-exception-caught
+ # This is a broad except to catch every error. It's not great but since we're
+ # in _validate, our job is to pass/fail everything, and letting code raise out
+ # of here blows up the website in front of customers. Let's do something better
+ # as a last-choice, maybe we need more exceptions caught above
+ logger.warning(traceback.format_exc())
+ return False
 def error_message(self):
 error_code = self.error_code
From 64dd5ad2e0226e7990f8f58c7c43b7a7c90be9b6 Mon Sep 17 00:00:00 2001
From: Felicia Rosemond
Date: Tue, 2 Apr 2024 13:47:41 -0400
Subject: [PATCH 3/3] IAM-1269 added blanket exception to catch all other errors in the _verified method
---
 dashboard/oidc_auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dashboard/oidc_auth.py b/dashboard/oidc_auth.py
index 56147a1d..8ae74cd9 100644
--- a/dashboard/oidc_auth.py
+++ b/dashboard/oidc_auth.py
@@ -107,7 +107,7 @@ def _verified(self):
 # in _validate, our job is to pass/fail everything, and letting code raise out
 # of here blows up the website in front of customers. Let's do something better
 # as a last-choice, maybe we need more exceptions caught above
- logger.warning(traceback.format_exc())
+ logger.warning("Unknown error occurred "+traceback.format_exc())
 return False
 def error_message(self):
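Review bot: The catch-all handler logs `traceback.format_exc()` at WARNING by hand where `logger.exception("Unexpected error while verifying jws")` would record the same traceback at ERROR through the standard exc_info path and make the new `import traceback` unnecessary; PATCH 3/3's revision to `logger.warning("Unknown error occurred "+traceback.format_exc())` has the same shape and inherits the same point. The inline comment also says `in _validate` while the method is `_verified`, which will mislead anyone grepping for it. Bear in mind that the last line of a traceback echoes the exception message, which for parse failures can contain fragments of the caller-supplied token, so the log-hygiene concern raised for the narrower handlers applies here too. `_verified` begins before this hunk.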