BB2-4326: Throw 404 when non-UUID passed to authorize endpoint (#1440)

* BB2-4326: Throw 404 if invalid uuid passed to authorize endpoint

* Clean up tests

Author: JamesDemeryNava

apps/dot_ext/tests/test_authorization.py

@@ -13,6 +13,7 @@
 from django.test import Client
 from unittest.mock import patch, MagicMock
 from urllib.parse import parse_qs, urlencode, urlparse
+import uuid
 from waffle.testutils import override_switch
 
 from apps.test import BaseApiTest
@@ -1123,3 +1124,37 @@ def test_permission_denied_raised_for_refresh_token_app_not_in_flag(
 
         with self.assertRaises(AccessDeniedTokenCustomError):
             view_instance.validate_v3_token_call(request)
+
+    def test_invalid_uuid_authorize_call(self):
+        """BB2-4326: Ensure a 404 is thrown if a non-UUID is passed to an authorize endpoint
+        """
+        auth_uri_v1 = reverse("oauth2_provider:authorize-instance", args=['jolokia'])
+        auth_uri_v2 = reverse("oauth2_provider_v2:authorize-instance-v2", args=['jolokia'])
+        auth_uri_v3 = reverse("oauth2_provider_v3:authorize-instance-v3", args=['jolokia'])
+
+        response_v1 = self.client.get(auth_uri_v1)
+        response_v2 = self.client.get(auth_uri_v2)
+        response_v3 = self.client.get(auth_uri_v3)
+
+        assert response_v1.status_code == HTTPStatus.NOT_FOUND
+        assert response_v2.status_code == HTTPStatus.NOT_FOUND
+        assert response_v3.status_code == HTTPStatus.NOT_FOUND
+
+    @override_switch('v3_endpoints', active=True)
+    def test_valid_uuid_authorize_call(self):
+        """BB2-4326: Ensure a 302 is thrown if a valid UUID is passed to an authorize endpoint
+        """
+        auth_uri_v1 = reverse("oauth2_provider:authorize-instance", args=[uuid.uuid4()])
+        auth_uri_v2 = reverse("oauth2_provider_v2:authorize-instance-v2", args=[uuid.uuid4()])
+        auth_uri_v3 = reverse("oauth2_provider_v3:authorize-instance-v3", args=[uuid.uuid4()])
+
+        response_v1 = self.client.get(auth_uri_v1)
+        response_v2 = self.client.get(auth_uri_v2)
+        response_v3 = self.client.get(auth_uri_v3)
+
+        assert response_v1.status_code == HTTPStatus.FOUND
+        assert response_v2.status_code == HTTPStatus.FOUND
+        # The behavior is different for v3, as we check v3 authorize calls to see if the application is in
+        # the v3_early_adopter flag (part of BB2-4250). Because all of the mocks are not included in this test
+        # such that the authorize call will return a 302 for v3, v3 in this test throws a 403
+        assert response_v3.status_code == HTTPStatus.FORBIDDEN

apps/dot_ext/views/authorization.py

@@ -30,6 +30,7 @@
 from oauthlib.oauth2 import AccessDeniedError
 from oauthlib.oauth2.rfc6749.errors import InvalidClientError, InvalidGrantError, InvalidRequestError
 from urllib.parse import urlparse, parse_qs
+import uuid
 import html
 from apps.dot_ext.scopes import CapabilitiesScopes
 import apps.logging.request_logger as bb2logging
@@ -395,7 +396,20 @@ def __init__(self, version):
         self.version = version
         super().__init__(version=version)
 
+    def is_valid_uuid(self, value: str) -> bool:
+        try:
+            uuid.UUID(str(value))
+            return True
+        except ValueError:
+            return False
+
     def dispatch(self, request, uuid, *args, **kwargs):
+        # BB2-4326: If we do not receive a valid uuid in the authorize call, throw a 404
+        if not self.is_valid_uuid(uuid):
+            return JsonResponse(
+                {'status_code': 404, 'message': 'Not found.'},
+                status=404,
+            )
 
         # Get auth_uuid to set again after super() return. It gets cleared out otherwise.
         auth_flow_dict = get_session_auth_flow_trace(request)