def set_client_db(self, db=None):
if db is None and self.conf.get("client_db"):
_spec = self.conf.get("client_db")
_kwargs = _spec.get("kwargs", {})
self.cdb = importer(_spec["class"])(**_kwargs)
else:
self.cdb = {}
def set_jti_db(self, db=None):
if db is None and self.conf.get("jti_db"):
_spec = self.conf.get("jti_db")
_kwargs = _spec.get("kwargs", {})
self.jti_db = importer(_spec["class"])(**_kwargs)
else:
self.jti_db = db or InMemoryDataBase()
def build_signing_service(self, spec):
spec['kwargs']['base_path'] = os.path.join(self.wd, spec['kwargs']["base_path"])
if isinstance(spec["class"], str):
_instance = importer(spec["class"])(**spec['kwargs'])
else:
_instance = spec["class"](**spec['kwargs'])
return _instance
def do_add_on(self):
if self.conf.get("add_on"):
for spec in self.conf["add_on"].values():
if isinstance(spec["function"], str):
_func = importer(spec["function"])
else:
_func = spec["function"]
_func(self.endpoint, **spec["kwargs"])
def __init__(self, base_class=Message):
if isinstance(base_class, str):
self.base_class = importer(base_class)()
elif isinstance(base_class, Message):
self.base_class = base_class
elif type(base_class) == abc.ABCMeta:
self.base_class = base_class()
self.info = {}
def init_token_handler(ec, spec, typ):
try:
_cls = spec["class"]
except KeyError:
cls = DefaultToken
else:
cls = importer(_cls)
return cls(typ=typ, ec=ec, **spec)
def set_session_db(self, sso_db=None, db=None):
if sso_db is None and self.conf.get("sso_db"):
_spec = self.conf.get("sso_db")
_kwargs = _spec.get("kwargs", {})
_db = importer(_spec["class"])(**_kwargs)
sso_db = SSODb(_db)
else:
sso_db = sso_db or SSODb()
if db is None and self.conf.get("session_db"):
_spec = self.conf.get("session_db")
_kwargs = _spec.get("kwargs", {})
db = importer(_spec["class"])(**_kwargs)
self.do_session_db(sso_db, db)
# append userinfo db to the session db
self.do_userinfo()
logger.debug("Session DB: {}".format(self.sdb.__dict__))
def init_service(conf, endpoint_context=None):
kwargs = conf.get("kwargs", {})
if endpoint_context:
kwargs["endpoint_context"] = endpoint_context
if isinstance(conf["class"], str):
return importer(conf["class"])(**kwargs)
return conf["class"](**kwargs)
def init_user_info(conf, cwd):
kwargs = conf.get("kwargs", {})
if "db_file" in kwargs:
kwargs["db_file"] = os.path.join(cwd, kwargs["db_file"])
if isinstance(conf["class"], str):
return importer(conf["class"])(**kwargs)
return conf["class"](**kwargs)
def do_sub_func(self):
_conf = self.conf.get("sub_func", {})
for key, args in _conf.items():
if "class" in args:
self._sub_func[key] = init_service(args)
elif "function" in args:
if isinstance(args["function"], str):
self._sub_func[key] = importer(args["function"])
else:
self._sub_func[key] = args["function"]
def init_user_info(conf, cwd):
try:
kwargs = conf["kwargs"]
except KeyError:
kwargs = {}
if "db_file" in kwargs:
kwargs["db_file"] = os.path.join(cwd, kwargs["db_file"])
if isinstance(conf["class"], str):
return util.importer(conf["class"])(**kwargs)
else:
return conf["class"](**kwargs)
def init_service(conf, endpoint_context=None):
try:
kwargs = conf["kwargs"]
except KeyError:
kwargs = {}
if endpoint_context:
kwargs["endpoint_context"] = endpoint_context
if isinstance(conf["class"], str):
return util.importer(conf["class"])(**kwargs)
else:
return conf["class"](**kwargs)
def init_token_handler(ec, spec, typ):
try:
_cls = spec["class"]
except KeyError:
cls = DefaultToken
else:
cls = importer(_cls)
_kwargs = spec.get('kwargs')
if _kwargs is None:
if cls != DefaultToken:
warnings.warn(
"Token initialisation arguments should be grouped under 'kwargs'.",
DeprecationWarning,
stacklevel=2,
)
_kwargs = spec
return cls(typ=typ, ec=ec, **_kwargs)
def create_federation_entity(entity_id, httpc_params=None, **kwargs):
args = {"httpc_params": httpc_params}
for param in ['trusted_roots', 'authority_hints']:
try:
args[param] = load_json(kwargs[param])
except KeyError:
pass
for param in [
'entity_type', 'priority', 'opponent_entity_type',
'registration_type', 'cwd'
]:
try:
args[param] = kwargs[param]
except KeyError:
pass
_conf = {}
for _key in ['keys', 'db_conf', 'issuer']:
_value = kwargs.get(_key)
if _value:
_conf[_key] = _value
if _conf:
_conf['httpc_params'] = args['httpc_params']
args['config'] = _conf
federation_entity = FederationEntity(entity_id, **args)
add_ons = kwargs.get("add_on")
if add_ons:
for spec in add_ons.values():
if isinstance(spec["function"], str):
_func = importer(spec["function"])
else:
_func = spec["function"]
_func(federation_entity, **spec["kwargs"])
return federation_entity
def __init__(
self,
conf,
keyjar=None,
client_db=None,
session_db=None,
cwd="",
cookie_dealer=None,
httpc=None,
cookie_name=None,
jwks_uri_path=None,
):
self.conf = conf
self.keyjar = keyjar or KeyJar()
self.cwd = cwd
# client database
self.cdb = client_db or {}
try:
self.seed = bytes(conf["seed"], "utf-8")
except KeyError:
self.seed = bytes(rndstr(16), "utf-8")
# Default values, to be changed below depending on configuration
self.endpoint = {}
self.issuer = ""
self.httpc = httpc or requests
self.verify_ssl = True
self.jwks_uri = None
self.sso_ttl = 14400 # 4h
self.symkey = rndstr(24)
self.id_token_schema = IdToken
self.endpoint_to_authn_method = {}
self.cookie_dealer = cookie_dealer
self.login_hint_lookup = None
if cookie_name:
self.cookie_name = cookie_name
elif "cookie_name" in conf:
self.cookie_name = conf["cookie_name"]
else:
self.cookie_name = {
"session": "oidcop",
"register": "oidc_op_rp",
"session_management": "sman",
}
for param in [
"verify_ssl",
"issuer",
"sso_ttl",
"symkey",
"client_authn",
"id_token_schema",
]:
try:
setattr(self, param, conf[param])
except KeyError:
pass
try:
self.template_handler = conf["template_handler"]
except KeyError:
try:
loader = conf["template_loader"]
except KeyError:
template_dir = conf["template_dir"]
loader = Environment(loader=FileSystemLoader(template_dir),
autoescape=True)
self.template_handler = Jinja2TemplateHandler(loader)
self.setup = {}
if not jwks_uri_path:
try:
jwks_uri_path = conf["jwks"]["uri_path"]
except KeyError:
pass
try:
if self.issuer.endswith("/"):
self.jwks_uri = "{}{}".format(self.issuer, jwks_uri_path)
else:
self.jwks_uri = "{}/{}".format(self.issuer, jwks_uri_path)
except KeyError:
self.jwks_uri = ""
if self.keyjar is None or self.keyjar.owners() == []:
args = {k: v for k, v in conf["jwks"].items() if k != "uri_path"}
self.keyjar = init_key_jar(**args)
try:
_conf = conf["cookie_dealer"]
except KeyError:
pass
else:
if self.cookie_dealer: # already defined
raise ValueError("Cookie Dealer already defined")
self.cookie_dealer = init_service(_conf)
try:
_conf = conf["sub_func"]
except KeyError:
sub_func = None
else:
sub_func = {}
for key, args in _conf.items():
if "class" in args:
sub_func[key] = init_service(args)
elif "function" in args:
if isinstance(args["function"], str):
sub_func[key] = util.importer(args["function"])
else:
sub_func[key] = args["function"]
if session_db:
self.sdb = session_db
else:
try:
_th_args = conf["token_handler_args"]
except KeyError:
# create 3 keys
keydef = [
{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "code"
},
{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "token"
},
{
"type": "oct",
"bytes": "24",
"use": ["enc"],
"kid": "refresh"
},
]
jwks_def = {
"private_path": "private/token_jwks.json",
"key_defs": keydef,
"read_only": False,
}
_th_args = {"jwks_def": jwks_def}
for typ, tid in [("code", 600), ("token", 3600),
("refresh", 86400)]:
_th_args[typ] = {"lifetime": tid}
self.sdb = create_session_db(self,
_th_args,
db=None,
sso_db=SSODb(),
sub_func=sub_func)
self.endpoint = build_endpoints(
conf["endpoint"],
endpoint_context=self,
client_authn_method=CLIENT_AUTHN_METHOD,
issuer=conf["issuer"],
)
try:
_cap = conf["capabilities"]
except KeyError:
_cap = {}
for endpoint, endpoint_instance in self.endpoint.items():
if endpoint_instance.provider_info:
_cap.update(endpoint_instance.provider_info)
if endpoint in ["webfinger", "provider_info"]:
continue
_cap[endpoint_instance.endpoint_name] = "{}".format(
endpoint_instance.endpoint_path)
try:
authz_spec = conf["authz"]
except KeyError:
self.authz = authz.Implicit(self)
else:
self.authz = init_service(authz_spec, self)
try:
_authn = conf["authentication"]
except KeyError:
self.authn_broker = None
else:
self.authn_broker = populate_authn_broker(_authn, self,
self.template_handler)
try:
_conf = conf["id_token"]
except KeyError:
self.idtoken = IDToken(self)
else:
self.idtoken = init_service(_conf, self)
try:
_conf = conf["userinfo"]
except KeyError:
pass
else:
self.userinfo = init_user_info(_conf, self.cwd)
self.sdb.userinfo = self.userinfo
try:
_conf = conf["login_hint_lookup"]
except KeyError:
pass
else:
self.login_hint_lookup = init_service(_conf)
if self.userinfo:
self.login_hint_lookup.user_info = self.userinfo
try:
_conf = conf["login_hint2acrs"]
except KeyError:
self.login_hint2acrs = None
else:
self.login_hint2acrs = init_service(_conf)
self.provider_info = self.create_providerinfo(_cap)
# which signing/encryption algorithms to use in what context
self.jwx_def = {}
# special type of logging
self.events = None
# client registration access tokens
self.registration_access_token = {}
