Beispiel #1
0
    def parse_federation_registration_response(self, resp, **kwargs):
        """
        Receives a dynamic client registration response,

        :param resp: An entity statement instance
        :return: A set of metadata claims
        """
        _sc = self.service_context
        _fe = _sc.federation_entity

        # Can not collect trust chain. Have to verify the signed JWT with keys I have

        kj = self.service_context.federation_entity.keyjar
        _jwt = factory(resp)
        entity_statement = _jwt.verify_compact(resp,
                                               keys=kj.get_jwt_verify_keys(
                                                   _jwt.jwt))

        _trust_anchor_id = self.get_trust_anchor_id(entity_statement)

        chosen = None
        for op_statement in _fe.op_statements:
            if op_statement.fo == _trust_anchor_id:
                chosen = op_statement
                break

        if not chosen:
            raise ValueError('No matching federation operator')

        # based on the Federation ID, conclude which OP config to use
        op_claims = chosen.metadata
        # _sc.trust_path = (chosen.fo, _fe.op_paths[statement.fo][0])
        _sc.provider_info = self.response_cls(**op_claims)

        # To create RPs metadata collect the trust chains
        tree = {}
        for ah in _fe.authority_hints:
            tree[ah] = _fe.collector.collect_intermediate(_fe.entity_id, ah)

        _node = {_fe.entity_id: (resp, tree)}
        chains = branch2lists(_node)

        # Get the policies
        policy_chains_tup = [
            eval_policy_chain(c, _fe.keyjar, _fe.entity_type) for c in chains
        ]
        _policy = combine_policy(
            policy_chains_tup[0][1],
            entity_statement['metadata_policy'][_fe.entity_type])
        logger.debug("Combined policy: {}".format(_policy))
        _uev = unverified_entity_statement(kwargs["request_body"])
        logger.debug("Registration request: {}".format(_uev))
        _query = _uev["metadata"][_fe.entity_type]
        _sc.registration_response = apply_policy(_query, _policy)
        return _sc.registration_response
Beispiel #2
0
def map_configuration_to_preference(provider_configuration, client_preference):
    """
    Given a provider configuration and client registration attribute
    preferences initiate a ClientRegistration class.

    :param provider_configuration: A ProviderConfigurationResponse
    :param client_preference: An dictionary with client preferences
    :return: A ClientRegistration instance
    """
    _allowed = translate_configuration(provider_configuration)
    args = apply_policy(client_preference, _allowed)

    return list_to_singleton(args, RegistrationRequest)
Beispiel #3
0
def eval_chain(chain, key_jar, entity_type, apply_policies=True):
    """

    :param chain: A chain of entity statements
    :param key_jar: A :py:class:`cryptojwt.key_jar.KeyJar` instance
    :param entity_type: Which type of metadata you want returned
    :param apply_policies: Apply policies to the metadata or not
    :returns: A TrustChain instances
    """
    logger.debug("Evaluate trust chain")
    ves = verify_trust_chain(chain, key_jar)

    if not ves:
        return None

    tp_exp = trust_chain_expires_at(ves)

    statement = TrustChain(exp=tp_exp, verified_chain=ves)

    if apply_policies:
        if len(ves) > 1:
            # Combine the metadata policies from the trust root and all intermediates
            combined_policy = gather_policies(ves[:-1], entity_type)
            logger.debug("Combined policy: %s", combined_policy)
            try:
                metadata = ves[-1]['metadata'][entity_type]
            except KeyError:
                statement.metadata = None
            else:
                # apply the combined metadata policies on the metadata
                statement.metadata = apply_policy(metadata, combined_policy)
                logger.debug("After applied policy: %s", statement.metadata)
                statement.combined_policy = combined_policy
        else:
            statement.metadata = ves[0]["metadata"][entity_type]
            statement.combined_policy = {}
    else:
        # accept what ever is in the statement provided by the leaf entity
        statement.metadata = ves[-1]

    iss_path = [x['iss'] for x in ves]
    statement.anchor = iss_path[0]

    iss_path.reverse()

    statement.iss_path = iss_path
    return statement
Beispiel #4
0
def test_apply_policies():
    comb_policy = combine_policy(FED1, ORG1)
    res = apply_policy(RP, comb_policy)

    assert set(res.keys()) == set(RES1.keys())

    for claim, value in res.items():
        if isinstance(value, list):
            if isinstance(RES1[claim], list):
                assert set(value) == set(RES1[claim])
            else:
                assert set(value) == {RES1[claim]}
        else:
            if isinstance(RES1[claim], list):
                assert {value} == set(RES1[claim])
            else:
                assert value == RES1[claim]
Beispiel #5
0
    def parse_federation_registration_response(self, resp, **kwargs):
        """
        Receives a dynamic client registration response,

        :param resp: An entity statement instance
        :return: A set of metadata claims
        """
        _context = self.client_get("service_context")
        _fe = _context.federation_entity
        _fe_ctx = _fe.context
        # Can not collect trust chain. Have to verify the signed JWT with keys I have

        kj = _fe_ctx.keyjar
        _jwt = factory(resp)
        entity_statement = _jwt.verify_compact(resp, keys=kj.get_jwt_verify_keys(_jwt.jwt))

        _trust_anchor_id = self.get_trust_anchor_id(entity_statement)

        logger.debug("trust_anchor_id: {}".format(_trust_anchor_id))
        chosen = None
        for op_statement in _fe_ctx.op_statements:
            if op_statement.anchor == _trust_anchor_id:
                chosen = op_statement
                break

        if not chosen:
            raise ValueError('No matching federation operator')

        # based on the Federation ID, conclude which OP config to use
        op_claims = chosen.metadata
        logger.debug("OP claims: {}".format(op_claims))
        # _sc.trust_path = (chosen.anchor, _fe.op_paths[statement.anchor][0])
        _context.provider_info = ProviderConfigurationResponse(**op_claims)

        # To create RPs metadata collect the trust chains
        tree = {}
        for ah in _fe_ctx.authority_hints:
            tree[ah] = _fe.collector.collect_intermediate(_fe_ctx.entity_id, ah)

        _node = {_fe_ctx.entity_id: (resp, tree)}
        chains = branch2lists(_node)
        logger.debug("%d chains", len(chains))
        logger.debug("Evaluate policy chains")
        # Get the policies
        policy_chains_tup = [eval_policy_chain(c, _fe_ctx.keyjar, _fe_ctx.entity_type) for c in chains]
        # Weed out unusable chains
        policy_chains_tup = [pct for pct in policy_chains_tup if pct is not None]
        # Should leave me with one. The one ending in the chosen trust anchor.
        policy_chains_tup = [pct for pct in policy_chains_tup if pct[0] == _trust_anchor_id]

        if policy_chains_tup == []:
            logger.warning("No chain that ends in chosen trust anchor (%s)", _trust_anchor_id)
            raise ValueError("No trust chain that ends in chosen trust anchor (%s)",
                             _trust_anchor_id)

        _policy = combine_policy(policy_chains_tup[0][1],
                                 entity_statement['metadata_policy'][_fe_ctx.entity_type])
        logger.debug("Effective policy: {}".format(_policy))
        _req = kwargs.get("request")
        if _req is None:
            _req = kwargs.get("request_body")
        _uev = unverified_entity_statement(_req)
        logger.debug("Registration request: {}".format(_uev))
        _query = _uev["metadata"][_fe_ctx.entity_type]
        _resp = apply_policy(_query, _policy)
        _context.set("registration_response", _resp)
        return _resp