BLUEBUTTON-448 Allow Applications to have custom redirect schemes (#638)

whytheplatypus · web-flow · commit d6fd7da4565f · 2018-09-10T13:40:32.000-04:00
* Allow Applications to have custom redirect schemes

- Allows applications to define any uri scheme for redirects

* Allow custom redirect_uri schemes from Admin
diff --git a/apps/dot_ext/models.py b/apps/dot_ext/models.py
@@ -3,6 +3,7 @@
 import logging
 import uuid
 from datetime import datetime
+from urllib.parse import urlparse
 
 from django.utils.dateparse import parse_duration
 from django.core.urlresolvers import reverse
@@ -14,8 +15,6 @@
 from oauth2_provider.models import AbstractApplication
 from django.conf import settings
 
-from apps.dot_ext.validators import validate_uris
-
 logger = logging.getLogger('hhs_server.%s' % __name__)
 
 
@@ -30,7 +29,7 @@ class Application(AbstractApplication):
                                   help_text="This is typically a homepage for the application.")
     help_text = _('Allowed redirect URIs. Space or new line separated.')
     redirect_uris = models.TextField(help_text=help_text,
-                                     validators=[validate_uris], blank=True)
+                                     blank=True)
     logo_uri = models.CharField(
         default="", blank=True, max_length=512, verbose_name="Logo URI")
     tos_uri = models.CharField(
@@ -69,6 +68,14 @@ def allow_scopes(self, scopes):
     def get_absolute_url(self):
         return reverse('oauth2_provider:detail', args=[str(self.id)])
 
+    def get_allowed_schemes(self):
+        allowed_schemes = []
+        redirect_uris = self.redirect_uris.strip().split()
+        for uri in redirect_uris:
+            scheme = urlparse(uri).scheme
+            allowed_schemes.append(scheme)
+        return allowed_schemes
+
     def save(self, commit=True, **kwargs):
         if commit:
             # Write the TOS that the app developer agreed to.
diff --git a/apps/dot_ext/tests/test_authorization.py b/apps/dot_ext/tests/test_authorization.py
@@ -0,0 +1,73 @@
+from oauth2_provider.compat import parse_qs, urlparse
+from django.core.urlresolvers import reverse
+
+from apps.test import BaseApiTest
+from ..models import Application
+
+
+class TestAuthorizeWithCustomScheme(BaseApiTest):
+    def test_post_with_valid_non_standard_scheme(self):
+        redirect_uri = 'com.custom.bluebutton://example.it'
+        # create a user
+        self._create_user('anna', '123456')
+        capability_a = self._create_capability('Capability A', [])
+        capability_b = self._create_capability('Capability B', [])
+        # create an application and add capabilities
+        application = self._create_application(
+            'an app',
+            grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            redirect_uris=redirect_uri)
+        application.scope.add(capability_a, capability_b)
+        # user logs in
+        self.client.login(username='anna', password='123456')
+        # post the authorization form with only one scope selected
+        payload = {
+            'client_id': application.client_id,
+            'response_type': 'code',
+            'redirect_uri': redirect_uri,
+            'scope': ['capability-a'],
+            'expires_in': 86400,
+            'allow': True,
+        }
+        response = self.client.post(reverse('oauth2_provider:authorize'), data=payload)
+
+        self.assertEqual(response.status_code, 302)
+        # now extract the authorization code and use it to request an access_token
+        query_dict = parse_qs(urlparse(response['Location']).query)
+        authorization_code = query_dict.pop('code')
+        token_request_data = {
+            'grant_type': 'authorization_code',
+            'code': authorization_code,
+            'redirect_uri': redirect_uri,
+            'client_id': application.client_id,
+        }
+        response = self.client.post(reverse('oauth2_provider:token'), data=token_request_data)
+        self.assertEqual(response.status_code, 200)
+
+    def test_post_with_invalid_non_standard_scheme(self):
+        redirect_uri = 'com.custom.bluebutton://example.it'
+        bad_redirect_uri = 'com.custom.bad://example.it'
+        # create a user
+        self._create_user('anna', '123456')
+        capability_a = self._create_capability('Capability A', [])
+        capability_b = self._create_capability('Capability B', [])
+        # create an application and add capabilities
+        application = self._create_application(
+            'an app',
+            grant_type=Application.GRANT_AUTHORIZATION_CODE,
+            redirect_uris=redirect_uri)
+        application.scope.add(capability_a, capability_b)
+        # user logs in
+        self.client.login(username='anna', password='123456')
+        # post the authorization form with only one scope selected
+        payload = {
+            'client_id': application.client_id,
+            'response_type': 'code',
+            'redirect_uri': bad_redirect_uri,
+            'scope': ['capability-a'],
+            'expires_in': 86400,
+            'allow': True,
+        }
+        response = self.client.post(reverse('oauth2_provider:authorize'), data=payload)
+
+        self.assertEqual(response.status_code, 400)
diff --git a/apps/dot_ext/validators.py b/apps/dot_ext/validators.py
@@ -17,7 +17,7 @@ def __call__(self, value):
         scheme, netloc, path, query, fragment = urlsplit(value)
 
         if scheme.lower() not in self.allowed_schemes:
-            raise ValidationError('Invalid Redirect URI scheme: %s' % scheme.lower())
+            raise ValidationError('Invalid Redirect URI scheme: %s, Must be one of %s' % (scheme.lower(), self.allowed_schemes))
 
 
 def validate_uris(value):
