Catch OIDC error #13078

Open
wants to merge 9 commits into base: master
9 changes: 9 additions & 0 deletions app/controllers/admin/dfc_product_imports_controller.rb
@@ -10,7 +10,7 @@
self.class
end

def index

[rubocop] app/controllers/admin/dfc_product_imports_controller.rb:13:5: C: Metrics/AbcSize: Assignment Branch Condition size for index is too high. [<11, 42, 4> 43.6/30]
[rubocop] app/controllers/admin/dfc_product_imports_controller.rb:13:5: C: Metrics/MethodLength: Method has too many lines. [29/25]
# The plan:
#
# * Fetch DFC catalog as JSON from URL.
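Review bot: RuboCop flags `index` at line 13 for Metrics/AbcSize (43.6/30) and Metrics/MethodLength (29/25), and the new `rescue Rack::OAuth2::Client::Error` branch added further down in this action is what pushes both metrics over their limits. Consider moving that handler out of the action body, either into a private method or a class-level `rescue_from Rack::OAuth2::Client::Error, with: :handle_oidc_error`, which keeps `index` focused on the import steps listed in the plan comment and makes the OIDC flash-and-redirect reusable by other actions in this controller.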
@@ -35,6 +35,15 @@
end

@count = imported.compact.count
rescue Rack::OAuth2::Client::Error => e
flash[:error] = I18n.t(
'admin.dfc_product_imports.index.oauth_error_html',
message: helpers.sanitize(e.message),
oidc_settings_link: helpers.link_to(
I18n.t('spree.admin.tab.oidc_settings'), Rails.application.routes.url_helpers.admin_oidc_settings_path

[rubocop] app/controllers/admin/dfc_product_imports_controller.rb:43:101: C: Layout/LineLength: Line is too long. [112/100]
)
).html_safe
redirect_to admin_product_import_path
rescue Faraday::Error,
Addressable::URI::InvalidURIError,
ActionController::ParameterMissing => e
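Review bot: `e.message` in this rescue is assembled from the identity provider's `error` and `error_description` fields (the review thread shows the shape: "invalid_grant :: Session not active"), so the flash renders text that originates in an external HTTP response. `helpers.sanitize` does not strip all markup; Rails' safe-list sanitizer allows tags such as `a`, `img` and `span` through, and the whole string is then marked `.html_safe`. An OAuth error description never legitimately contains HTML, so `ERB::Util.html_escape(e.message)` is the tighter choice and yields the same plain-text flash. Smaller points: inside a controller `admin_oidc_settings_path` is available directly, so the `Rails.application.routes.url_helpers.` prefix (the cause of the Layout/LineLength offence at line 43) can be dropped; and `redirect_to admin_product_import_path` after setting the flash is fine, but note the `:error` key must match what the import page's flash partial renders, which the system spec below does exercise.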
1 change: 1 addition & 0 deletions config/locales/en.yml
@@ -849,6 +849,7 @@ en:
index:
title: "Importing a DFC product catalog"
imported_products: "Imported products:"
oauth_error_html: "Authentication error: %{message}. See %{oidc_settings_link}"
enterprise_fees:
index:
title: "Enterprise Fees"
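Review bot: The `_html` suffix on `oauth_error_html` only triggers automatic escaping of interpolation arguments when the key is looked up through the view `t`/`translate` helper; the controller change in this PR calls `I18n.t` directly, which performs no escaping at all, so here the suffix documents intent but provides no protection and the `%{message}` argument has to be made safe by the caller. Either add a short comment on the key noting that, or split the plain-text part (`oauth_error: "Authentication error: %{message}."`) from the link so that only the link fragment ever needs to be marked `html_safe`.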
9 changes: 8 additions & 1 deletion engines/dfc_provider/app/services/dfc_request.rb
@@ -72,7 +72,8 @@
# It results in an empty config hash and we lose our config.
)
client = strategy.client
client.token_endpoint = strategy.config.token_endpoint
binding.pry

[rubocop] engines/dfc_provider/app/services/dfc_request.rb:75:5: W: Lint/Debugger: Remove debugger entry point `binding.pry`.
client.token_endpoint = strategy.config.token_endpoint # can't work out what's happening under the hood or how to stub it

[rubocop] engines/dfc_provider/app/services/dfc_request.rb:76:101: C: Layout/LineLength: Line is too long. [126/100]
client.refresh_token = @user.oidc_account.refresh_token

token = client.access_token!
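Review bot: `binding.pry` at line 75 and the trailing comment on line 76 ("can't work out what's happening under the hood or how to stub it") are debugging leftovers and must not reach master; Lint/Debugger already flags the first. The only change to `client.token_endpoint = strategy.config.token_endpoint` is that appended comment, which is also what takes the line to 126 columns, so restoring it to the original single line clears both the Layout/LineLength offence and the diff noise. With those two lines reverted this hunk contains no functional change.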
@@ -81,5 +82,11 @@
token: token.access_token,
refresh_token: token.refresh_token
)
rescue Rack::OAuth2::Client::Error => e

[rubocop] engines/dfc_provider/app/services/dfc_request.rb:85:5: C: Layout/RescueEnsureAlignment: `rescue` at 85, 4 is not aligned with `def refresh_access_token!` at 67, 2.
[rubocop] engines/dfc_provider/app/services/dfc_request.rb:85:43: W: Lint/UselessAssignment: Useless assignment to variable - `e`.
@user.oidc_account.update!(
token: nil,
refresh_token: nil
)
raise
end
end
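Review bot: Clearing both stored tokens on every `Rack::OAuth2::Client::Error` is broader than the failure this PR targets. The token endpoint answers `invalid_grant` when the refresh token has been revoked or the session has ended, and wiping the tokens is the right response there; but the same exception class is raised for transient `server_error` / `temporarily_unavailable` responses or an `invalid_client` misconfiguration, and in those cases dropping the refresh token forces the user back through OIDC login for no reason. The parsed error response is the second argument the spec in this PR passes to `Rack::OAuth2::Client::Error.new(1, { error: "invalid_grant", ... })`, and rack-oauth2 exposes it as `e.response`, so guarding the `update!` with `if e.response[:error] == "invalid_grant"` keeps the fix targeted. As RuboCop notes, `e` is currently assigned but unused and the `rescue` is indented one level too deep for `def refresh_access_token!`; adding the error-code check resolves the first, leaving only the alignment to fix. The bare `raise` afterwards is correct, since the controller rescue introduced in this PR is what turns the re-raised error into the user-facing flash.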
80 changes: 58 additions & 22 deletions engines/dfc_provider/spec/services/dfc_request_spec.rb
@@ -63,27 +63,63 @@
# The absence of errors makes this test pass.
end

it "refreshes the access token and retrieves the FDC catalog", vcr: true do
# A refresh is only attempted if the token is stale.
account.uid = "testdfc@protonmail.com"
account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
account.updated_at = 1.day.ago

response = nil
expect {
response = api.call(
"https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
)
}.to change {
account.token
}.and change {
account.refresh_token
}

json = JSON.parse(response)

graph = DfcIo.import(json)
products = graph.select { |s| s.semanticType == "dfc-b:SuppliedProduct" }
expect(products).to be_present
describe "refreshing token when stale" do
before do
account.uid = "testdfc@protonmail.com"
account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
account.updated_at = 1.day.ago
end

it "refreshes the access token and retrieves the FDC catalog", vcr: true do
response = nil
expect {
response = api.call(
"https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
)
}.to change {
account.token
}.and change {
account.refresh_token
}

json = JSON.parse(response)

graph = DfcIo.import(json)
products = graph.select { |s| s.semanticType == "dfc-b:SuppliedProduct" }
expect(products).to be_present
end

Member Author
@mkllnk I've had a go at speccing this, but in order to test that it clears the tokens, we need to set tokens first.

I've copied secret vars from Bitwarden and am able to make these requests, but the test session isn't active and results in the error "invalid_grant :: Session not active" (the exact error I'm trying to test!)

Am I doing things the long way round? Let me know if you see a better way.

Otherwise, can you please help me to refresh the session? Then hopefully the below spec will work.

Member
I wouldn't use VCR for this because the spec then depends on the state of your session. The one in Bitwarden is probably outdated. Use webmock. And you got the right error response to fill your example already.

Member Author
Thanks for the feedback. I had another go, but I can't seem to set up the right context for this case to work.

Maybe it's not worth trying to make the spec. What if we merge this without a spec, and see if it solves the errors?

context "with account tokens" do
before do
stub_request(:get, "http://example.net/api").
to_return(status: 401)

# allow_any_instance_of(OpenIDConnect::Client).to receive(:config).and_return(double(token_endpoint: ""))

[rubocop] engines/dfc_provider/spec/services/dfc_request_spec.rb:97:101: C: Layout/LineLength: Line is too long. [113/100]
stub_request(:get, "https://login.lescommuns.org/auth/realms/data-food-consortium/.well-known/openid-configuration").
to_return(status: 200, body: {token_endpoint: "/token"}.to_json)

[rubocop] engines/dfc_provider/spec/services/dfc_request_spec.rb:99:40: C: Layout/SpaceInsideHashLiteralBraces: Space inside { missing.
[rubocop] engines/dfc_provider/spec/services/dfc_request_spec.rb:99:65: C: Layout/SpaceInsideHashLiteralBraces: Space inside } missing.


account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")
account.token = "anything"
end

it "clears the token if authentication fails" do
allow_any_instance_of(OpenIDConnect::Client).to receive(:access_token!).and_raise(
Rack::OAuth2::Client::Error.new(
1, { error: "invalid_grant", error_description: "session not active" }
)
)

expect {
api.call(
"http://example.net/api"
)
}.to change {
account.token
}.to(nil).and change {
account.refresh_token
}.to(nil)
end
end
end
end
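Review bot: In the new `with account tokens` context the token endpoint is never contacted because `access_token!` is stubbed to raise, yet the `before` block still reads `account.refresh_token = ENV.fetch("OPENID_REFRESH_TOKEN")`; `ENV.fetch` raises `KeyError` when the variable is unset, so this example fails on any developer machine or CI runner without that secret, which undermines the point of switching from VCR to WebMock. A literal placeholder such as `"stale-refresh-token"` is sufficient, since the value is never sent anywhere. Three further cleanups: the commented-out `allow_any_instance_of(OpenIDConnect::Client)` line at 97 should go (it is also the Layout/LineLength offender); the stubbed discovery document returns `token_endpoint: "/token"`, a relative URL that is not a valid endpoint value, so if the discovery stub stays, give it an absolute `https://` URL rather than relying on how the client tolerates the bad value; and the `401` stub for `http://example.net/api` is only reached if the client decides the token is stale, so the `before` that sets `account.updated_at = 1.day.ago` in the enclosing `describe` is what this context actually depends on and deserves a comment saying so.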


24 changes: 24 additions & 0 deletions spec/system/admin/dfc_product_import_spec.rb
@@ -74,6 +74,30 @@
expect(product.image).to be_present
end

it "shows oauth error message", vcr: true do
allow_any_instance_of(DfcRequest).to receive(:refresh_access_token!).and_raise(
Rack::OAuth2::Client::Error.new(
1, { error: "invalid_grant", error_description: "session not active" }
)
)

user.update!(oidc_account: build(:testdfc_account))

visit admin_product_import_path

select enterprise.name, from: "Enterprise"
url = "https://env-0105831.jcloud-ver-jpe.ik-server.com/api/dfc/Enterprises/test-hodmedod/SuppliedProducts"
fill_in "catalog_url", with: url

click_button "Import"

within ".flash" do
expect(page).to have_content "invalid_grant"
expect(page).to have_content "session not active"
expect(page).to have_link "OIDC Settings"
end
end

it "fails gracefully" do
user.oidc_account.update!(
uid: "anonymous@example.net",
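Review bot: This example is tagged `vcr: true` but stubs `DfcRequest#refresh_access_token!` to raise before any token request can be issued, so the OIDC step needs no cassette; if the import still fetches `catalog_url` before the refresh runs, that fetch is what the cassette is serving, and it is worth confirming which case applies, because an unused `vcr: true` hides a real-network dependency from whoever touches this spec next. The assertions on `invalid_grant` and `session not active` confirm the escaped message reaches the `.flash` element, which is good; tightening `have_link "OIDC Settings"` to `have_link "OIDC Settings", href: admin_oidc_settings_path` would also pin down the part of the message the user is actually expected to act on. Finally, `allow_any_instance_of` is discouraged by rspec-mocks; stubbing the instance returned by `DfcRequest.new` (or injecting a double) avoids the any-instance machinery and makes it explicit which request object raises.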