Beispiel #1
0
    def test_registration_uri_error(self):
        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "My Example Client",
            "client_name#ja-Jpan-JP":
            "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
            # invalid logo_uri
            "logo_uri":
            "https://client.example.org/logo.png",
            "jwks_uri":
            "https://client.example.org/my_public_keys.jwks"
        }

        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientRegistrationError().from_json(resp.message)

        assert "error" in _resp
        assert _resp["error"] == "invalid_client_metadata"
Beispiel #2
0
    def test_client_user_info_get(self):
        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "My Example Client",
            "client_name#ja-Jpan-JP":
            "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientInfoResponse().from_json(resp.message)

        resp = self.provider.client_info_endpoint(
            "GET",
            environ={
                "HTTP_AUTHORIZATION":
                "Bearer %s" % (_resp["registration_access_token"], )
            },
            query="client_id=%s" % _resp["client_id"],
            request=request.to_json())

        _resp_cir = ClientInfoResponse().from_json(resp.message)
        assert _resp == _resp_cir
Beispiel #3
0
    def test_client_registration_with_software_statement(self):
        jwks, keyjar, kidd = build_keyjar(KEYS)
        fed_operator = 'https://fedop.example.org'

        self.provider.keyjar[fed_operator] = keyjar['']
        ss = make_software_statement(keyjar, fed_operator, client_id='foxtrot')

        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "XYZ Service B",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
            'software_statement':
            ss
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        cli_resp = ClientInfoResponse().from_json(resp.message)
        assert cli_resp
Beispiel #4
0
    def test_client_registration_delete(self):
        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "My Example Client",
            "client_name#ja-Jpan-JP":
                "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        _resp = ClientInfoResponse().from_json(resp.message)
        resp = self.provider.client_info_endpoint(
            request=request.to_json(),
            environ={"HTTP_AUTHORIZATION": "Bearer %s" % (
                _resp["registration_access_token"],)},
            method="DELETE",
            query="client_id=%s" % _resp["client_id"])

        assert isinstance(resp, NoContent)

        # A read should fail
        resp = self.provider.client_info_endpoint(
            "",
            environ={"HTTP_AUTHORIZATION": "Bearer %s" % (
                _resp["registration_access_token"],)},
            query="client_id=%s" % _resp["client_id"])

        assert isinstance(resp, Unauthorized)
Beispiel #5
0
    def registration_endpoint(self, request, authn=None, **kwargs):
        try:
            reg_req = RegistrationRequest().deserialize(request, "json")
        except ValueError:
            reg_req = RegistrationRequest().deserialize(request)

        logger.debug("@registration_endpoint: {}".format(reg_req))
        self.events.store(EV_PROTOCOL_REQUEST, reg_req)

        if self.strict:
            resp = self.check_scheme(reg_req)
            if resp:
                return resp

        _response = provider.Provider.registration_endpoint(self,
                                                            request=request,
                                                            authn=authn,
                                                            **kwargs)

        logger.debug('registration response: {}'.format(_response.message))
        self.init_keys = []
        if "jwks_uri" in reg_req:
            if _response.status == "200 OK":
                # find the client id
                req_resp = ASConfigurationResponse().from_json(
                    _response.message)
                # for kb in self.keyjar[req_resp["client_id"]]:
                #     if kb.imp_jwks:
                #         self.trace.info("Client JWKS: {}".format(kb.imp_jwks))

        return _response
Beispiel #6
0
    def test_registration_endpoint(self):
        request = RegistrationRequest(client_name="myself",
                                      redirect_uris=["https://example.com/rp"])
        resp = self.provider.registration_endpoint(request=request.to_json())
        assert isinstance(resp, Response)
        data = json.loads(resp.message)
        assert data["client_name"] == "myself"
        assert _eq(data["redirect_uris"], ["https://example.com/rp"])

        _resp = ClientInfoResponse().from_json(resp.message)
        assert "client_id" in _resp
Beispiel #7
0
    def test_registration_endpoint(self):
        request = RegistrationRequest(
            client_name="myself",
            redirect_uris=["https://example.com/rp"],
            grant_type=['authorization_code', 'implicit'])
        resp = self.provider.registration_endpoint(request=request.to_json())
        assert isinstance(resp, Response)
        data = json.loads(resp.message)
        assert data["client_name"] == "myself"
        assert _eq(data["redirect_uris"], ["https://example.com/rp"])

        _resp = ClientInfoResponse().from_json(resp.message)
        assert "client_id" in _resp
Beispiel #8
0
    def registration_endpoint(self, **kwargs):
        """

        :param request: The request
        :param authn: Client authentication information
        :param kwargs: extra keyword arguments
        :return: A Response instance
        """

        _request = RegistrationRequest().deserialize(kwargs['request'], "json")
        try:
            _request.verify(keyjar=self.keyjar)
        except InvalidRedirectUri as err:
            msg = ClientRegistrationError(error="invalid_redirect_uri",
                                          error_description="%s" % err)
            return BadRequest(msg.to_json(), content="application/json")
        except (MissingPage, VerificationError) as err:
            msg = ClientRegistrationError(error="invalid_client_metadata",
                                          error_description="%s" % err)
            return BadRequest(msg.to_json(), content="application/json")

        # authenticated client
        if self.authn_at_registration:
            try:
                _ = self.verify_client(kwargs['environ'], _request,
                                       self.authn_at_registration)
            except (AuthnFailure, UnknownAssertionType):
                return Unauthorized()

        client_restrictions = {}
        if 'parsed_software_statement' in _request:
            for ss in _request['parsed_software_statement']:
                client_restrictions.update(self.consume_software_statement(ss))
            del _request['software_statement']
            del _request['parsed_software_statement']

        try:
            client_id = self.create_new_client(_request, client_restrictions)
        except CapabilitiesMisMatch as err:
            msg = ClientRegistrationError(error="invalid_client_metadata",
                                          error_description="%s" % err)
            return BadRequest(msg.to_json(), content="application/json")
        except RestrictionError as err:
            msg = ClientRegistrationError(error="invalid_client_metadata",
                                          error_description="%s" % err)
            return BadRequest(msg.to_json(), content="application/json")

        return self.client_info(client_id)
Beispiel #9
0
    def test_client_registration_update(self):
        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "My Example Client",
            "client_name#ja-Jpan-JP":
                "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        _resp = ClientInfoResponse().from_json(resp.message)

        update = {
            "client_id": _resp["client_id"],
            "client_secret": _resp["client_secret"],
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/alt"],
            "scope": "read write dolphin",
            "grant_types": ["authorization_code", "refresh_token"],
            "token_endpoint_auth_method": "client_secret_basic",
            "jwks_uri": "https://client.example.org/my_public_keys.jwks",
            "client_name": "My New Example",
            "client_name#fr": "Mon Nouvel Exemple",
        }
        update_req = RegistrationRequest(**update)
        resp = self.provider.client_info_endpoint(
            request=update_req.to_json(),
            environ={"HTTP_AUTHORIZATION": "Bearer %s" % (
                _resp["registration_access_token"],)},
            method="PUT",
            query="client_id=%s" % _resp["client_id"])

        _resp_up = ClientInfoResponse().from_json(resp.message)
        assert _resp_up["client_id"] == update["client_id"]
        assert _resp_up["client_secret"] == update["client_secret"]
        assert _resp_up["redirect_uris"] == update["redirect_uris"]
        assert _resp_up["scope"] == update["scope"].split()
        assert _resp_up["grant_types"] == update["grant_types"]
        assert _resp_up["token_endpoint_auth_method"] == update[
            "token_endpoint_auth_method"]
        assert _resp_up["jwks_uri"] == update["jwks_uri"]
        assert _resp_up["client_name"] == update["client_name"]
        assert _resp_up["client_name#fr"] == update["client_name#fr"]
Beispiel #10
0
    def test_client_registration_utf_8_client_name(self):
        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "My Example Client",
            "client_name#ja-Jpan-JP":
                "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
        }

        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientInfoResponse().from_json(resp.message)

        assert _resp[
                   "client_name#ja-Jpan-JP"] == "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D"
        assert _resp["client_name"] == "My Example Client"
Beispiel #11
0
    def test_registration_uri_error(self):
        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "My Example Client",
            "client_name#ja-Jpan-JP":
                "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
            # invalid logo_uri
            "logo_uri": "https://client.example.org/logo.png",
            "jwks_uri": "https://client.example.org/my_public_keys.jwks"
        }

        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientRegistrationError().from_json(resp.message)

        assert "error" in _resp
        assert _resp["error"] == "invalid_client_metadata"
Beispiel #12
0
    def test_client_registration_with_software_statement(self):
        jwks, keyjar, kidd = build_keyjar(KEYS)
        fed_operator = 'https://fedop.example.org'

        self.provider.keyjar[fed_operator] = keyjar['']
        ss = make_software_statement(keyjar, fed_operator, client_id='foxtrot')

        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "XYZ Service B",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
            'software_statement': ss
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        cli_resp = ClientInfoResponse().from_json(resp.message)
        assert cli_resp
Beispiel #13
0
    def test_client_registration_delete(self):
        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "My Example Client",
            "client_name#ja-Jpan-JP":
            "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        _resp = ClientInfoResponse().from_json(resp.message)
        resp = self.provider.client_info_endpoint(
            request=request.to_json(),
            environ={
                "HTTP_AUTHORIZATION":
                "Bearer %s" % (_resp["registration_access_token"], )
            },
            method="DELETE",
            query="client_id=%s" % _resp["client_id"])

        assert isinstance(resp, NoContent)

        # A read should fail
        resp = self.provider.client_info_endpoint(
            "",
            environ={
                "HTTP_AUTHORIZATION":
                "Bearer %s" % (_resp["registration_access_token"], )
            },
            query="client_id=%s" % _resp["client_id"])

        assert isinstance(resp, Unauthorized)
Beispiel #14
0
    def test_client_registration_utf_8_client_name(self):
        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "My Example Client",
            "client_name#ja-Jpan-JP":
            "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
        }

        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientInfoResponse().from_json(resp.message)

        assert _resp[
            "client_name#ja-Jpan-JP"] == "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D"
        assert _resp["client_name"] == "My Example Client"
Beispiel #15
0
    def test_client_user_info_get(self):
        args = {
            "redirect_uris": ["https://client.example.org/callback",
                              "https://client.example.org/callback2"],
            "client_name": "My Example Client",
            "client_name#ja-Jpan-JP":
                "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method": "client_secret_basic",
            "scope": "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json())
        _resp = ClientInfoResponse().from_json(resp.message)

        resp = self.provider.client_info_endpoint(
            "GET",
            environ={"HTTP_AUTHORIZATION": "Bearer %s" % (
                _resp["registration_access_token"],)},
            query="client_id=%s" % _resp["client_id"],
            request=request.to_json())

        _resp_cir = ClientInfoResponse().from_json(resp.message)
        assert _resp == _resp_cir
Beispiel #16
0
_jws = JWS(sign_jwks, alg="RS256")
keys = im_keyjar.keys_by_alg_and_usage('', 'RS256', 'sig')
signed_jwks = _jws.sign_compact(keys)

print(70 * "-")
print('signed_jwks_uri content')
print(70 * "-")
print_lines(signed_jwks)

# -----------------------------------------------------------------------------
# Create client registration request
# -----------------------------------------------------------------------------

rr = RegistrationRequest(jwks_uri='https://example.com/rp/jwks',
                         software_statements=[sost],
                         signed_jwks_uri='https://example.com/rp/signed_jwks',
                         response_types=['code'],
                         id_token_signed_response_alg='SHA-256',
                         signing_key=signed_intermediate)

_jws = JWS(rr.to_json(), alg='RS256')
keys = a_keyjar.keys_by_alg_and_usage('', 'RS384', 'sig')
signed_reg_req = _jws.sign_compact(keys)

rr['signed_metadata'] = signed_reg_req

print(70 * "-")
print('Client registration request')
print(70 * "-")
print_lines(
    json.dumps(rr.to_dict(), sort_keys=True, indent=2, separators=(',', ': ')))
Beispiel #17
0
keys = im_keyjar.keys_by_alg_and_usage("", "RS256", "sig")
signed_jwks = _jws.sign_compact(keys)

print(70 * "-")
print("signed_jwks_uri content")
print(70 * "-")
print_lines(signed_jwks)

# -----------------------------------------------------------------------------
# Create client registration request
# -----------------------------------------------------------------------------

rr = RegistrationRequest(
    jwks_uri="https://example.com/rp/jwks",
    software_statements=[sost],
    signed_jwks_uri="https://example.com/rp/signed_jwks",
    response_types=["code"],
    id_token_signed_response_alg="SHA-256",
    signing_key=signed_intermediate,
)

_jws = JWS(rr.to_json(), alg="RS256")
keys = a_keyjar.keys_by_alg_and_usage("", "RS384", "sig")
signed_reg_req = _jws.sign_compact(keys)

rr["signed_metadata"] = signed_reg_req

print(70 * "-")
print("Client registration request")
print(70 * "-")
print_lines(json.dumps(rr.to_dict(), sort_keys=True, indent=2, separators=(",", ": ")))
Beispiel #18
0
    def test_client_registration_update(self):
        args = {
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/callback2"
            ],
            "client_name":
            "My Example Client",
            "client_name#ja-Jpan-JP":
            "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
            "token_endpoint_auth_method":
            "client_secret_basic",
            "scope":
            "read write dolphin",
        }
        request = RegistrationRequest(**args)
        resp = self.provider.registration_endpoint(request=request.to_json(),
                                                   environ={})
        _resp = ClientInfoResponse().from_json(resp.message)

        update = {
            "client_id":
            _resp["client_id"],
            "client_secret":
            _resp["client_secret"],
            "redirect_uris": [
                "https://client.example.org/callback",
                "https://client.example.org/alt"
            ],
            "scope":
            "read write dolphin",
            "grant_types": ["authorization_code", "refresh_token"],
            "token_endpoint_auth_method":
            "client_secret_basic",
            "jwks_uri":
            "https://client.example.org/my_public_keys.jwks",
            "client_name":
            "My New Example",
            "client_name#fr":
            "Mon Nouvel Exemple",
        }
        update_req = RegistrationRequest(**update)
        resp = self.provider.client_info_endpoint(
            request=update_req.to_json(),
            environ={
                "HTTP_AUTHORIZATION":
                "Bearer %s" % (_resp["registration_access_token"], )
            },
            method="PUT",
            query="client_id=%s" % _resp["client_id"])

        _resp_up = ClientInfoResponse().from_json(resp.message)
        assert _resp_up["client_id"] == update["client_id"]
        assert _resp_up["client_secret"] == update["client_secret"]
        assert _resp_up["redirect_uris"] == update["redirect_uris"]
        assert _resp_up["scope"] == update["scope"].split()
        assert _resp_up["grant_types"] == update["grant_types"]
        assert _resp_up["token_endpoint_auth_method"] == update[
            "token_endpoint_auth_method"]
        assert _resp_up["jwks_uri"] == update["jwks_uri"]
        assert _resp_up["client_name"] == update["client_name"]
        assert _resp_up["client_name#fr"] == update["client_name#fr"]