def create_authorization_data_request(self, userid, ticket):
adr = AuthorizationDataRequest(
ticket=ticket, rpt=self.token[userid]["RPT"])
_aat = self.token[userid]["AAT"]["access_token"]
kwargs = {"headers": {"Authorization": "Bearer %s" % _aat},
"data": adr.to_json()}
return kwargs
def create_authorization_data_request(self, userid, ticket):
adr = AuthorizationDataRequest(
ticket=ticket, rpt=self.token[userid]["RPT"])
_aat = self.token[userid]["AAT"]["access_token"]
kwargs = {"headers": {"Authorization": "Bearer %s" % _aat},
"data": adr.to_json()}
return kwargs
def test_rpt_endpoint(self):
"""
A couple of things have to happen before any action can occur on
the rpt endpoint.
1. registration of Resource set
2. Registration of a permission request
3. Registration of an authorization
"""
# (1) register resource set
read_write = [SCOPES[s] for s in ['read', 'write']]
rsd = ResourceSetDescription(name='foo', scopes=read_write)
resp = self.uas.resource_set_registration_endpoint_(
"alice", RSR_PATH, method="POST", body=rsd.to_json(),
client_id="12345678")
rsid = StatusResponse().from_json(resp.message)['_id']
# (2) register a permission request
read_write = [SCOPES[s] for s in ['read', 'write']]
perm_reg = PermissionRegistrationRequest(resource_set_id=rsid,
scopes=read_write)
resp = self.uas.permission_registration_endpoint_(
owner="alice", request=perm_reg.to_json(), client_id="12345678")
assert isinstance(resp, Created)
ticket = json.loads(resp.message)['ticket']
# (3) registration of authorization
permission = {'resource_set_id': rsid, 'scopes': read_write,
'require': {'sub': 'roger'}}
adb = self.uas.get_adb("12345678")
adb.store_permission(permission, 'alice')
# Get an RPT. This should work
req = AuthorizationDataRequest(ticket=ticket)
resp = self.uas.rpt_endpoint_('roger', '12345678',
request=req.to_json())
assert resp
def rpt_endpoint_(self, entity, client_id, **kwargs):
"""
Registers an Authorization Description
:param entity: Who's on the other side
:param client_id: The UMA client
:return: A Response instance
"""
adb = self.get_adb(client_id)
adr = AuthorizationDataRequest().from_json(kwargs["request"])
rpt = adb.issue_rpt(adr['ticket'], {'sub': entity})
rsp = AuthorizationDataResponse(rpt=rpt)
return Response(rsp.to_json())
# Fake authentication event
authn_event = AuthnEvent(REQUESTOR,
identity.get('salt', ''),
authn_info="UserPassword",
time_stamp=int(time.time()))
areq = AuthorizationRequest(**request_args)
sid = authzsrv.sdb.create_authz_session(authn_event, areq)
grant = authzsrv.sdb[sid]["code"]
_uma_client.token[REQUESTOR] = {"AAT": authzsrv.sdb.upgrade_to_token(grant)}
# Get a RPT from the AS using the AAT as authentication and the ticket
# received in (3).
authn = "Bearer %s" % _uma_client.token[REQUESTOR]["AAT"]["access_token"]
request = AuthorizationDataRequest(ticket=ticket)
resp = authzsrv.rpt_endpoint(authn, request=request.to_json())
rtr = RPTResponse().from_json(resp.message)
_uma_client.token[REQUESTOR]["RPT"] = rtr["rpt"]
# Introspection of the RPT
pat = ressrv.permreg.get(RESOURCE_OWNER, "pat")["access_token"]
_rpt = _uma_client.token[REQUESTOR]["RPT"]
ir = IntrospectionRequest(token=_rpt)
request_args = {"access_token": pat}
ht_args = ressrv.client.client_authn_method["bearer_header"](ressrv).construct(
ir, request_args=request_args)
# Fake authentication event
authn_event = AuthnEvent(REQUESTOR, identity.get('salt', ''),
authn_info="UserPassword",
time_stamp=int(time.time()))
areq = AuthorizationRequest(**request_args)
sid = authzsrv.sdb.create_authz_session(authn_event, areq)
grant = authzsrv.sdb[sid]["code"]
_uma_client.token[REQUESTOR] = {"AAT": authzsrv.sdb.upgrade_to_token(grant)}
# >>> C->AS: UMA3.5.1 POST plain authz data request with
# permission ticket at RPT endpoint
authn = "Bearer %s" % _uma_client.token[REQUESTOR]["AAT"]["access_token"]
request = AuthorizationDataRequest(ticket=ticket)
# >>> AS->C: UMA3.5.3 Return success and RPT
resp = authzsrv.rpt_endpoint(authn, request=request.to_json())
rtr = RPTResponse().from_json(resp.message)
_uma_client.token[REQUESTOR]["RPT"] = rtr["rpt"]
# >>> C->RS: UMA3.1.2 Attempt resource access with RPT
# Introspection of the RPT
# >>> RS->AS: UMA3.4.2 POST to token introspection endpoint
pat = ressrv.rs_handler.token['PAT']
_rpt = _uma_client.token[REQUESTOR]["RPT"]
ir = IntrospectionRequest(token=_rpt)
def rpt_endpoint_(self, entity, client_id, **kwargs):
"""
Registers an Authorization Description
:param entity: Who's on the other side
:param client_id: The UMA client
:return: A Response instance
"""
adr = AuthorizationDataRequest().from_json(kwargs["request"])
# Get request permission that the resource server has registered
try:
prr_list = self.permission_requests.get_request(adr["ticket"])
except KeyError:
errmsg = ErrorResponse(error="invalid_ticket")
return BadRequest(errmsg.to_json(), content="application/json")
self.permission_requests.del_request(adr["ticket"])
try:
_rpt = adr["rpt"]
except KeyError:
_rpt = rndstr(32)
for prr in prr_list:
_rsid = prr["resource_set_id"]
# Verify that the scopes are defined for the resource set
owner = self.resource_set.rsid2oid[_rsid]
rsd = self.resource_set.read(owner, _rsid)
for scope in prr["scopes"]:
try:
assert scope in rsd["scopes"]
except AssertionError:
errmsg = ErrorResponse(
error="not_authorized",
error_description="Undefined scopes")
return BadRequest(errmsg.to_json(),
content="application/json")
# Is there any permissions registered by the owner, if so verify
# that it allows what is requested. Return what is allowed !
try:
allow_scopes, timestamp = self.permit.get_permit(
owner, entity, _rsid)
except KeyError: #
errmsg = ErrorResponse(error="not_authorized",
error_description="No permission given")
return BadRequest(errmsg.to_json(), content="application/json")
else:
_scopes = []
for scope in prr["scopes"]:
try:
assert scope in allow_scopes
except AssertionError:
pass
else:
_scopes.append(scope)
# bind _requester to specific RPT for this user
try:
self.eid2rpt[owner][entity] = _rpt
except KeyError:
self.eid2rpt[owner] = {entity: _rpt}
self.register_permission(owner, _rpt, _rsid, _scopes)
rsp = AuthorizationDataResponse(rpt=_rpt)
return Response(rsp.to_json())