def test_verify_uri_qp_match(self):
_ec = self.endpoint.server_get("endpoint_context")
_ec.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar"]})]}
request = {"redirect_uri": "https://rp.example.com/cb?foo=bar"}
verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_wrong_uri_type(self):
_context = self.endpoint.server_get("endpoint_context")
_context.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/cb", {})]}
request = {"redirect_uri": "https://rp.example.com/cb?foo=bob"}
with pytest.raises(ValueError):
verify_uri(_context, request, "post_logout_redirect_uri", "client_id")
def test_verify_uri_unregistered(self):
_ec = self.endpoint.server_get("endpoint_context")
_ec.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/auth_cb", {})]}
request = {"redirect_uri": "https://rp.example.com/cb"}
with pytest.raises(RedirectURIError):
verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_qp_missing_val(self):
_ec = self.endpoint.server_get("endpoint_context")
_ec.cdb["client_id"] = {
"redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar", "low"]})]
}
request = {"redirect_uri": "https://rp.example.com/cb?foo=bar"}
with pytest.raises(ValueError):
verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_none_registered(self):
_context = self.endpoint.server_get("endpoint_context")
_context.cdb["client_id"] = {
"post_logout_redirect_uri": [("https://rp.example.com/plrc", {})]
}
request = {"redirect_uri": "https://rp.example.com/cb"}
with pytest.raises(ValueError):
verify_uri(_context, request, "redirect_uri", "client_id")
def test_verify_uri_qp_mismatch(self):
_context = self.endpoint.server_get("endpoint_context")
_context.cdb["client_id"] = {
"redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar"]})]
}
request = {"redirect_uri": "https://rp.example.com/cb?foo=bob"}
with pytest.raises(ValueError):
verify_uri(_context, request, "redirect_uri", "client_id")
request = {"redirect_uri": "https://rp.example.com/cb?foo=bar&foo=kex"}
with pytest.raises(ValueError):
verify_uri(_context, request, "redirect_uri", "client_id")
request = {"redirect_uri": "https://rp.example.com/cb"}
with pytest.raises(ValueError):
verify_uri(_context, request, "redirect_uri", "client_id")
request = {"redirect_uri": "https://rp.example.com/cb?foo=bar&level=low"}
with pytest.raises(ValueError):
verify_uri(_context, request, "redirect_uri", "client_id")
def process_request(
self,
request: Optional[Union[Message, dict]] = None,
http_info: Optional[dict] = None,
**kwargs
):
"""
Perform user logout
:param request:
:param http_info:
:param kwargs:
:return:
"""
_context = self.server_get("endpoint_context")
_mngr = _context.session_manager
if "post_logout_redirect_uri" in request:
if "id_token_hint" not in request:
raise InvalidRequest("If post_logout_redirect_uri then id_token_hint is a MUST")
_cookies = http_info.get("cookie")
_session_info = None
if _cookies:
_cookie_name = _context.cookie_handler.name["session"]
try:
_cookie_infos = _context.cookie_handler.parse_cookie(
cookies=_cookies, name=_cookie_name
)
except VerificationError:
raise InvalidRequest("Cookie error")
if _cookie_infos:
# value is a JSON document
_cookie_info = json.loads(_cookie_infos[0]["value"])
logger.debug("Cookie info: {}".format(_cookie_info))
try:
_session_info = _mngr.get_session_info(_cookie_info["sid"], grant=True)
except KeyError:
raise ValueError("Can't find any corresponding session")
if _session_info is None:
logger.debug("No relevant cookie")
raise ValueError("Missing cookie")
if "id_token_hint" in request and _session_info:
_id_token = request[verified_claim_name("id_token_hint")]
logger.debug("ID token hint: {}".format(_id_token))
_aud = _id_token["aud"]
if _session_info["client_id"] not in _aud:
raise ValueError("Client ID doesn't match")
if _id_token["sub"] != _session_info["grant"].sub:
raise ValueError("Sub doesn't match")
else:
_aud = []
# _context.cdb[_session_info["client_id"]]
# verify that the post_logout_redirect_uri if present are among the ones
# registered
try:
_uri = request["post_logout_redirect_uri"]
except KeyError:
if _context.issuer.endswith("/"):
_uri = "{}{}".format(_context.issuer, self.kwargs["post_logout_uri_path"])
else:
_uri = "{}/{}".format(_context.issuer, self.kwargs["post_logout_uri_path"])
plur = False
else:
plur = True
verify_uri(
_context, request, "post_logout_redirect_uri", client_id=_session_info["client_id"],
)
payload = {
"sid": _session_info["session_id"],
}
# redirect user to OP logout verification page
if plur and "state" in request:
_uri = "{}?{}".format(_uri, urlencode({"state": request["state"]}))
payload["state"] = request["state"]
payload["redirect_uri"] = _uri
logger.debug("JWS payload: {}".format(payload))
# From me to me
_jws = JWT(
_context.keyjar,
iss=_context.issuer,
lifetime=86400,
sign_alg=self.kwargs["signing_alg"],
)
sjwt = _jws.pack(payload=payload, recv=_context.issuer)
location = "{}?{}".format(self.kwargs["logout_verify_url"], urlencode({"sjwt": sjwt}))
return {"redirect_location": location}
def test_verify_uri_noregistered(self):
_ec = self.endpoint.server_get("endpoint_context")
request = {"redirect_uri": "https://rp.example.com/cb"}
with pytest.raises(KeyError):
verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_fragment(self):
_ec = self.endpoint.server_get("endpoint_context")
_ec.cdb["client_id"] = {"redirect_uri": ["https://rp.example.com/auth_cb"]}
request = {"redirect_uri": "https://rp.example.com/cb#foobar"}
with pytest.raises(URIError):
verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_unknown_client(self):
request = {"redirect_uri": "https://rp.example.com/cb"}
with pytest.raises(UnknownClient):
verify_uri(self.endpoint.server_get("endpoint_context"), request, "redirect_uri")
