def _keyjar(self, keyjar=None, db_conf=None, conf=None, entity_id=''):
if keyjar is None:
_storage = None
if db_conf:
_cnf = get_storage_conf(db_conf, 'keyjar')
if _cnf:
_storage = storage_factory(_cnf)
if 'keys' in conf:
args = {k: v for k, v in conf["keys"].items() if k != "uri_path"}
args.update({'storage': _storage})
_keyjar = init_key_jar(**args)
else:
_keyjar = KeyJar(storage=_storage)
if 'jwks' in conf:
_keyjar.import_jwks(conf['jwks'], '')
if '' in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(_keyjar.export_jwks_as_json(True, ''), entity_id)
_httpc_params = conf.get('httpc_params')
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def _keyjar(self, keyjar=None, conf=None, entity_id=""):
if keyjar is None:
if "keys" in conf:
keys_args = {
k: v
for k, v in conf["keys"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
elif "key_conf" in conf:
keys_args = {
k: v
for k, v in conf["key_conf"].items() if k != "uri_path"
}
_keyjar = init_key_jar(**keys_args)
else:
_keyjar = KeyJar()
if "jwks" in conf:
_keyjar.import_jwks(conf["jwks"], "")
if "" in _keyjar and entity_id:
# make sure I have the keys under my own name too (if I know it)
_keyjar.import_jwks_as_json(
_keyjar.export_jwks_as_json(True, ""), entity_id)
_httpc_params = conf.get("httpc_params")
if _httpc_params:
_keyjar.httpc_params = _httpc_params
return _keyjar
else:
return keyjar
def test_eval_chains():
target = 'https://foodle.uninett.no'
collector = DummyCollector(trusted_roots=ANCHOR,
httpd=Publisher(
os.path.join(BASE_PATH, 'base_data')),
root_dir=os.path.join(BASE_PATH, 'base_data'))
entity_statement = collector.get_entity_statement(target,
issuer=target,
subject=target)
_config = verify_self_signed_signature(entity_statement)
assert _config
tree = collector.collect_superiors(_config['iss'], entity_statement)
_node = {target: (entity_statement, tree)}
chains = branch2lists(_node)
key_jar = KeyJar()
key_jar.import_jwks_as_json(jwks, 'https://feide.no')
statements = [
eval_chain(c, key_jar, 'openid_relying_party') for c in chains
]
assert len(statements) == 1
statement = statements[0]
assert statement.fo == "https://feide.no"
assert set(statement.metadata.keys()) == {
'response_types', 'claims', 'contacts', 'application_type',
'redirect_uris', 'id_token_signing_alg_values_supported', 'jwks_uri'
}
def create(iss, sub, domain, root_dir):
kj = KeyJar()
iss_id = "https://{}".format(iss)
iss_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(iss))
kj.import_jwks_as_json(open(iss_jwks_file).read(), iss_id)
sub_id = "https://{}".format(sub)
sub_jwks_file = os.path.join(root_dir, iss, "{}.jwks.json".format(sub))
kj.import_jwks_as_json(open(sub_jwks_file).read(), sub_id)
metadata_file = os.path.join(root_dir, iss, "{}.metadata.json".format(sub))
if os.path.isfile(metadata_file):
metadata = json.loads(open(metadata_file).read())
else:
metadata = None
if metadata:
for typ, conf in metadata.items():
for key, val in conf.items():
if '<DOMAIN>' in val:
metadata[typ][key] = val.replace('<DOMAIN>', domain)
policy_file = os.path.join(root_dir, iss, "{}.policy.json".format(sub))
if os.path.isfile(policy_file):
policy = json.loads(open(policy_file).read())
else:
policy = None
authority_file = os.path.join(root_dir, iss, "{}.authority.json".format(sub))
if os.path.isfile(authority_file):
_auth = json.loads(open(authority_file).read())
for key, vals in _auth.items():
if '<DOMAIN>' in key:
_key = key.replace('<DOMAIN>', domain)
_vals = [v.replace('<DOMAIN>', domain) for v in vals]
del _auth[key]
_auth[_key] = _vals
_jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy, _auth)
else:
_jwt = create_entity_statement(iss_id, sub_id, kj, metadata, policy)
return _jwt
def test_collect():
jwks = open(
os.path.join(BASE_PATH, 'base_data', 'feide.no', 'feide.no',
'jwks.json')).read()
ANCHOR = {'https://feide.no': json.loads(jwks)}
KEYJAR = KeyJar()
KEYJAR.import_jwks_as_json(jwks, 'https://feide.no')
chain = []
_collector = Collector(trust_anchors=ANCHOR)
subject = "foodle.uninett.no"
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', subject, subject,
'jws')).read()
rsps.add(rsps.GET,
"https://foodle.uninett.no/.well-known/openid-federation",
body=_msg)
# Get the self-signed entity statement from a leaf
_self_signed = _collector.get_configuration_information(
"https://foodle.uninett.no")
chain.append(_self_signed)
_statement = verify_self_signed_signature(_self_signed)
assert _statement
authority = ""
while authority not in _collector.trusted_anchors:
authority = _statement['authority_hints'][0]
netloc = authority[8:]
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', netloc, netloc,
"jws")).read()
_url = "https://{}/.well-known/openid-federation".format(netloc)
rsps.add(rsps.GET, _url, body=_msg)
# Get the self-signed entity statement from a leaf
_self_signed = _collector.get_configuration_information(authority)
_statement = verify_self_signed_signature(_self_signed)
assert _statement
_api_endpoint = _statement['metadata']['federation_entity'][
'federation_api_endpoint']
with responses.RequestsMock() as rsps:
_msg = open(
os.path.join(BASE_PATH, 'base_data', netloc, subject,
"jws")).read()
_url = construct_entity_statement_query(
_api_endpoint, authority, "https://{}".format(subject))
rsps.add(rsps.GET, _url, body=_msg)
# Get the self-signed entity statement from a leaf
_signed_statement = _collector.get_entity_statement(
_api_endpoint, authority, "https://{}".format(subject))
chain.append(_signed_statement)
_jwt = factory(_signed_statement)
_statement = _jwt.jwt.payload()
subject = _statement['iss'][8:]
# Now I have the chain should be 3 items in it
assert len(chain) == 3
# verify the trust chain
chain.reverse()
verified_chain = verify_trust_chain(chain, KEYJAR)
# The result is the verified statements
assert len(verified_chain) == 3
# Check that the constraints are met
assert meets_restrictions(verified_chain)
