Small fixes

GeorgianaElena · GeorgianaElena · commit 00b0880852d1 · 2023-05-02T13:25:16.000+03:00
diff --git a/oauthenticator/cilogon.py b/oauthenticator/cilogon.py
@@ -299,7 +299,7 @@ def user_info_to_username(self, user_info):
             action = username_derivation.get("action")
 
             if action == "strip_idp_domain":
-                username = username.split("@")[0]
+                username = username.split("@", 1)[0]
             elif action == "prefix":
                 prefix = username_derivation["prefix"]
                 username = f"{prefix}:{username}"
@@ -335,7 +335,7 @@ async def check_allowed(self, username, auth_model):
                     f"Trying to login from an identity provider that was not allowed {selected_idp}",
                 )
                 raise web.HTTPError(
-                    500,
+                    403,
                     "Trying to login using an identity provider that was not allowed",
                 )
 
@@ -355,7 +355,7 @@ async def check_allowed(self, username, auth_model):
                     username_with_domain = self._get_username_from_claim_list(
                         user_info, username_claims
                     )
-                    user_domain = username_with_domain.split("@")[1]
+                    user_domain = username_with_domain.split("@", 1)[1]
                     if user_domain in allowed_domains:
                         return True
                     else:
diff --git a/oauthenticator/globus.py b/oauthenticator/globus.py
@@ -274,6 +274,19 @@ async def check_allowed(self, username, auth_model):
                 auth_model["admin"] = True
                 return True
 
+        if self.identity_provider:
+            user_info = auth_model["auth_state"][self.user_auth_state_key]
+            domain = user_info.get(self.username_claim).split('@', 1)[-1]
+            if domain != self.identity_provider:
+                self.log.error(
+                    f"Trying to login from an identity provider that was not allowed {domain}",
+                )
+                raise HTTPError(
+                    403,
+                    f"This site is restricted to {self.identity_provider} accounts. "
+                    "Please link your account at app.globus.org/account.",
+                )
+
         # if allowed_users or allowed_globus_groups is configured, we deny users not part of either
         if self.allowed_users or self.allowed_globus_groups:
             if username in self.allowed_users:
@@ -320,14 +333,7 @@ def user_info_to_username(self, user_info):
 
         # It's possible for identity provider domains to be namespaced
         # https://docs.globus.org/api/auth/specification/#identity_provider_namespaces # noqa
-        username, domain = user_info.get(self.username_claim).split('@', 1)
-        if self.identity_provider and domain != self.identity_provider:
-            raise HTTPError(
-                403,
-                f"This site is restricted to {self.identity_provider} accounts. "
-                "Please link your account at app.globus.org/account.",
-            )
-        return username
+        return user_info.get(self.username_claim).split('@')[0]
 
     def get_default_headers(self):
         return {"Accept": "application/json", "User-Agent": "JupyterHub"}
