flows: planner error handling (#4812)

* handle FlowNonApplicableException everywhere Signed-off-by: Jens Langhammer <jens@goauthentik.io> * make flow planner check authentication when no pending user is in planning context Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add mailhog to e2e test services, remove local docker requirement Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-28 15:18:29 +01:00
parent 6f2f4f4aa3
commit 20e971f5ce
15 changed files with 109 additions and 108 deletions
--- a/authentik/providers/oauth2/views/device_init.py
+++ b/authentik/providers/oauth2/views/device_init.py
@ -10,6 +10,7 @@ from structlog.stdlib import get_logger

 from authentik.core.models import Application
 from authentik.flows.challenge import Challenge, ChallengeResponse, ChallengeTypes
+from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, PLAN_CONTEXT_SSO, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
@ -57,19 +58,23 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
    scope_descriptions = UserInfoView().get_scope_descriptions(token.scope)
    planner = FlowPlanner(token.provider.authorization_flow)
    planner.allow_empty_flows = True
-    plan = planner.plan(
-        request,
-        {
-            PLAN_CONTEXT_SSO: True,
-            PLAN_CONTEXT_APPLICATION: app,
-            # OAuth2 related params
-            PLAN_CONTEXT_DEVICE: token,
-            # Consent related params
-            PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
-            % {"application": app.name},
-            PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
-        },
-    )
+    try:
+        plan = planner.plan(
+            request,
+            {
+                PLAN_CONTEXT_SSO: True,
+                PLAN_CONTEXT_APPLICATION: app,
+                # OAuth2 related params
+                PLAN_CONTEXT_DEVICE: token,
+                # Consent related params
+                PLAN_CONTEXT_CONSENT_HEADER: _("You're about to sign into %(application)s.")
+                % {"application": app.name},
+                PLAN_CONTEXT_CONSENT_PERMISSIONS: scope_descriptions,
+            },
+        )
+    except FlowNonApplicableException:
+        LOGGER.warning("Flow not applicable to user")
+        return None
    plan.insert_stage(in_memory_stage(OAuthDeviceCodeFinishStage))
    request.session[SESSION_KEY_PLAN] = plan
    return redirect_with_qs(
@ -97,7 +102,11 @@ class DeviceEntryView(View):
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(device_flow)
        planner.allow_empty_flows = True
-        plan = planner.plan(self.request)
+        try:
+            plan = planner.plan(self.request)
+        except FlowNonApplicableException:
+            LOGGER.warning("Flow not applicable to user")
+            return HttpResponse(status=404)
        plan.append_stage(in_memory_stage(OAuthDeviceCodeStage))

        self.request.session[SESSION_KEY_PLAN] = plan