def test_server_authenticated_none(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA cons.response_type = "none" environ = BASE_ENVIRON location = cons.begin(environ, start_response) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = location.split("?")[1] resp = server.authorization_endpoint(environ, start_response) sid = resp[0][len("<form>"):-len("</form>")] environ2 = create_return_form_env("user", "password", sid) resp2 = server.authenticated(environ2, start_response) assert len(resp2) == 1 txt = resp2[0] pos0 = txt.index("<title>") + len("<title>Redirecting to ") pos1 = txt.index("</title>") location = txt[pos0:pos1] print location assert location.startswith("http://localhost:8087/authz") query = location.split("?")[1] print query assert "token_type=Bearer" in query
def setup_consumer(self, session_db_factory): client_config = { "client_id": CLIENT_ID, "client_authn_method": CLIENT_AUTHN_METHOD, } self.consumer = Consumer(DictSessionBackend(), CONFIG, client_config, SERVER_INFO) self.consumer.keyjar = CLIKEYS self.consumer.redirect_uris = ["https://example.com/authz"] self.consumer.client_secret = "hemlig" self.consumer.secret_type = "basic" self.consumer.issuer = ISSUER_ID self.provider = Provider( ISSUER_ID, session_db_factory(ISSUER_ID), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=SRVKEYS, ) self.provider.baseurl = self.provider.name
def real_test_discover(self): c = Consumer(None, None) principal = "*****@*****.**" res = c.discover(principal) assert isinstance(res, ProviderConfigurationResponse) assert _eq( res.keys(), [ "registration_endpoint", "scopes_supported", "identifiers_supported", "token_endpoint", "flows_supported", "version", "userinfo_endpoint", "authorization_endpoint", "x509_url", "issuer", ], ) assert res.version == "3.0" # type: ignore assert _eq( res.flows_supported, # type: ignore [ "code", "token", "id_token", "code token", "code id_token", "id_token token", ], )
def test_server_authenticated_token(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA cons.config["response_type"] = ["token"] environ = BASE_ENVIRON location = cons.begin(environ, start_response) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = location.split("?")[1] resp = server.authorization_endpoint(environ, start_response) sid = resp[0][len("<form>"):-len("</form>")] environ2 = create_return_form_env("user", "password", sid) resp2 = server.authenticated(environ2, start_response) assert len(resp2) == 1 txt = resp2[0] assert "access_token=" in txt assert "token_type=Bearer" in txt
def setup_class(self): self.consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG, CLIENT_CONFIG, SERVER_INFO) self.consumer.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } self.consumer.client_secret = CLIENT_SECRET
def test_client_register_token_b64(self): c = Consumer(None, None) c.redirect_uris = ["https://example.com/authz"] client_info = { "client_id": "clientid", "redirect_uris": ["https://example.com/authz"], } registration_token = ( "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC" "JlYjc1N2M3Yy00MWRlLTRmZDYtOTkwNy1hNGFiMDY1ZjEzMmEifQ.eyJqdGkiOiI2ZWY0MDZi" "MC02YzA3LTQ0NzctOWU1YS1hY2FiZjNiMWNiMjgiLCJleHAiOjAsIm5iZiI6MCwiaWF0Ijox" "NTczNzMxNjg5LCJpc3MiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFtcGxlLmNvbS9h" "dXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFt" "cGxlLmNvbS9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJ0eXAiOiJJbml0aWFsQWNjZXNzVG9rZW4i" "fQ.0XTlit_JcxPZeIy8A4BzrHn1NvegVP7ws8KI0ySFex8") with responses.RequestsMock() as rsps: rsps.add( rsps.POST, "https://provider.example.com/registration/", json=client_info, ) c.register( "https://provider.example.com/registration/", registration_token=registration_token, ) header = rsps.calls[0].request.headers["Authorization"] assert header == "Bearer " + registration_token
def setup_userinfo_endpoint(self): cons = Consumer({}, CONSUMER_CONFIG, {"client_id": CLIENT_ID}, server_info=SERVER_INFO, ) cons.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]} cons.keyjar[""] = KC_RSA cons.client_secret = "drickyoughurt" state, location = cons.begin("openid", "token", path=TestConfiguration.get_instance().rp_base) resp = self.provider.authorization_endpoint( request=urlparse(location).query) # redirect atr = AuthorizationResponse().deserialize( urlparse(resp.message).fragment, "urlencoded") uir = UserInfoRequest(access_token=atr["access_token"], schema="openid") resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded()) responses.add( responses.POST, self.op_base + "userinfo", body=resp.message, status=200, content_type='application/json')
def test_provider_config(self): c = Consumer(None, None) mfos = MyFakeOICServer("http://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) info = c.provider_config(res) assert isinstance(info, ProviderConfigurationResponse) assert _eq(info.keys(), ['registration_endpoint', 'jwks_uri', 'check_session_endpoint', 'refresh_session_endpoint', 'register_endpoint', 'subject_types_supported', 'token_endpoint_auth_methods_supported', 'id_token_signing_alg_values_supported', 'grant_types_supported', 'user_info_endpoint', 'claims_parameter_supported', 'request_parameter_supported', 'discovery_endpoint', 'issuer', 'authorization_endpoint', 'scopes_supported', 'require_request_uri_registration', 'identifiers_supported', 'token_endpoint', 'request_uri_parameter_supported', 'version', 'response_types_supported', 'end_session_endpoint', 'flows_supported']) assert info["end_session_endpoint"] == "http://example.com/end_session"
def setup_consumer(self, fake_oic_server, session_db_factory): client_id = "client_1" client_config = { "client_id": client_id, "client_authn_method": CLIENT_AUTHN_METHOD, # 'config': {} } self.consumer = Consumer(session_db_factory(SERVER_INFO["issuer"]), CONFIG, client_config, SERVER_INFO) self.consumer.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } self.consumer.client_secret = "abcdefghijklmnop" self.consumer.keyjar = CLIKEYS self.consumer.redirect_uris = ["https://example.com/cb"] self.consumer.authorization_endpoint = \ "http://example.com/authorization" self.consumer.token_endpoint = "http://example.com/token" self.consumer.userinfo_endpoint = "http://example.com/userinfo" self.consumer.client_secret = "hemlig" self.consumer.secret_type = "basic" mfos = fake_oic_server("http://localhost:8088") mfos.keyjar = SRVKEYS self.consumer.http_request = mfos.http_request
def test_provider_config(): c = Consumer(None, None) mfos = MyFakeOICServer("http://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) info = c.provider_config(res) assert info.type() == "ProviderConfigurationResponse" print info.keys() assert _eq(info.keys(), [ 'registration_endpoint', 'jwks_uri', 'check_session_endpoint', 'refresh_session_endpoint', 'register_endpoint', 'subject_types_supported', 'token_endpoint_auth_methods_supported', 'id_token_signing_alg_values_supported', 'grant_types_supported', 'user_info_endpoint', 'claims_parameter_supported', 'request_parameter_supported', 'discovery_endpoint', 'issuer', 'authorization_endpoint', 'scopes_supported', 'require_request_uri_registration', 'identifiers_supported', 'token_endpoint', 'request_uri_parameter_supported', 'version', 'response_types_supported', 'end_session_endpoint', 'flows_supported' ]) assert info["end_session_endpoint"] == "http://example.com/end_session"
def init_oic(self, provider_name): if provider_name not in PROVIDER_URL_MAP: raise ValueError('Invalid provider: %s', provider_name) provider = PROVIDER_URL_MAP[provider_name] self.scopes = ['openid', 'profile', 'email'] db = SessionStore(self.db) client = Consumer(db, consumer_config, client_config=client_config) client.allow['issuer_mismatch'] = True # Github does not support dynamically resolving OpenID configuration. if provider_name == PROVIDER_GITHUB: self.scopes = ['user:email', 'read:user'] client.provider_info = { 'authorization_endpoint': 'https://github.com/login/oauth/authorize', 'token_endpoint': 'https://github.com/login/oauth/access_token', } client.handle_provider_config(client.provider_info, 'GitHub') else: client.provider_info = client.provider_config(provider) providers = self.db.oic_registration.filter(None, {'issuer': provider}) assert len(providers) == 1 provider = self.db.oic_registration.getnode(providers[0]) client_reg = RegistrationResponse( client_id=provider['client_id'], client_secret=provider['client_secret']) client.store_registration_info(client_reg) return client
def test_discover(): c = Consumer(None, None) mfos = MyFakeOICServer(SRVKEYS, "http://example.com/") c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) assert res == "http://example.com/"
def test_discover(self, fake_oic_server): c = Consumer(None, None) mfos = fake_oic_server("https://*****:*****@example.com" res = c.discover(principal) assert res == "https://localhost:8088/"
def test_discover(self): c = Consumer(None, None) mfos = MyFakeOICServer("http://*****:*****@example.com" res = c.discover(principal) assert res == "http://localhost:8088/"
def test_discover_redirect(): c = Consumer(None, None) mfos = MyFakeOICServer(name="http://example.com/") c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) assert res == "http://example.net/providerconf"
def test_discover(): c = Consumer(None, None) mfos = MyFakeOICServer("http://*****:*****@example.com" res = c.discover(principal) assert res == "http://localhost:8088/"
def handle_authz_response(environ, start_response): _cli = Consumer(SESSION_DB, CONSUMER_CONFIG, CLIENT_CONFIG, SERVER_INFO) aresp, atr, idt = _cli.parse_authz(environ, start_response, DEVNULL()) print "ARESP: %s" % aresp print "ATR: %s" % atr print "IDT: %s" % idt print "GSess: %s" % _cli.grant kaka = http_util.cookie(CONSUMER_CONFIG["name"], _cli.state, _cli.seed, expire=360, path="/") resp = http_util.Response("Your will is registered", headers=[kaka]) return resp(environ, start_response)
def test_faulty_id_token_in_access_token_response(self): c = Consumer(None, None) c.keyjar.add_symmetric("", "TestPassword", ["sig"]) _info = {"access_token": "accessTok", "id_token": self._faulty_id_token(), "token_type": "Bearer"} _json = json.dumps(_info) with pytest.raises(BadSignature): c.parse_response(AccessTokenResponse, _json, sformat="json")
def test_server_authenticated(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA environ = BASE_ENVIRON location = cons.begin(environ, start_response) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = location.split("?")[1] resp = server.authorization_endpoint(environ, start_response) sid = resp[0][len("<form>"):-len("</form>")] environ2 = create_return_form_env("user", "password", sid) resp2 = server.authenticated(environ2, start_response) print resp2[0] assert len(resp2) == 1 txt = resp2[0] pos0 = txt.index("<title>") + len("<title>Redirecting to ") pos1 = txt.index("</title>") location = txt[pos0:pos1] print location assert location.startswith("http://localhost:8087/authz") environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = location part = cons.parse_authz(environ, start_response) aresp = part[0] assert part[1] is None assert part[2] is None #aresp = client.parse_response(AuthorizationResponse, location, # format="urlencoded", # state="id-6da9ca0cc23959f5f33e8becd9b08cae") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), ['code', 'state', 'scope']) print cons.grant[cons.state].keys() assert _eq(cons.grant[cons.state].keys(), ['code', 'id_token', 'tokens', 'exp_in', 'grant_expiration_time', 'seed'])
def create_provider(self): self.provider = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR) self.provider.baseurl = self.provider.name self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) self.cons.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]} self.cons.keyjar[""] = KC_RSA
def test_faulty_id_token_in_access_token_response(): c = Consumer(None, None) c.keyjar.add_symmetric("", "TestPassword", ["sig"]) _info = {"access_token": "accessTok", "id_token": _faulty_id_token(), "token_type": "Bearer", "expires_in": 3600} _json = json.dumps(_info) try: resp = c.parse_response(AccessTokenResponse, _json, sformat="json") except BadSignature: pass else: assert False
def real_test_discover(self): c = Consumer(None, None) principal = "*****@*****.**" res = c.discover(principal) assert isinstance(res, ProviderConfigurationResponse) assert _eq(res.keys(), ['registration_endpoint', 'scopes_supported', 'identifiers_supported', 'token_endpoint', 'flows_supported', 'version', 'userinfo_endpoint', 'authorization_endpoint', 'x509_url', 'issuer']) assert res.version == "3.0" assert _eq(res.flows_supported, ['code', 'token', 'id_token', 'code token', 'code id_token', 'id_token token'])
def test_userinfo_endpoint(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO) cons.debug = True cons.client_secret = "drickyoughurt" cons.config["response_type"] = ["token"] cons.config["request_method"] = "parameter" cons.keyjar[""] = KC_RSA state, location = cons.begin("openid", "token", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) line = resp.message path, query = line.split("#") # redirect atr = AuthorizationResponse().deserialize(query, "urlencoded") uir = UserInfoRequest(access_token=atr["access_token"], schema="openid") resp3 = server.userinfo_endpoint(request=uir.to_urlencoded()) ident = OpenIDSchema().deserialize(resp3.message, "json") print ident.keys() assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def setup_consumer(self, fake_oic_server, session_db_factory): client_id = "client_1" client_config = { "client_id": client_id, "client_authn_method": CLIENT_AUTHN_METHOD, # 'config': {} } self.consumer = Consumer(session_db_factory(SERVER_INFO["issuer"]), CONFIG, client_config, SERVER_INFO) self.consumer.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]} self.consumer.client_secret = "abcdefghijklmnop" self.consumer.keyjar = CLIKEYS self.consumer.redirect_uris = ["https://example.com/cb"] self.consumer.authorization_endpoint = \ "http://example.com/authorization" self.consumer.token_endpoint = "http://example.com/token" self.consumer.userinfo_endpoint = "http://example.com/userinfo" self.consumer.client_secret = "hemlig" self.consumer.secret_type = "basic" mfos = fake_oic_server("http://localhost:8088") mfos.keyjar = SRVKEYS self.consumer.http_request = mfos.http_request
def register(environ, start_response, logger, kaka=None): """ Initialize the OAuth2 flow """ _session_db = environ["oic.session_db"] _cc = environ["oic.client_config"] _conc = environ["oic.consumer.config"] _server_info = environ["oic.server.info"] # get the redirect to the authorization server endpoint _oac = Consumer(_session_db, _conc, _cc, _server_info) location = _oac.begin(environ, start_response, logger) logger.info("[1] %s" % (_oac.__dict__,)) resp = http_util.Redirect(location) return resp(environ, start_response)
def test_client_register(self, fake_oic_server): c = Consumer(None, None) c.application_type = "web" c.application_name = "My super service" c.redirect_uris = ["https://example.com/authz"] c.contact = ["*****@*****.**"] mfos = fake_oic_server("https://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request location = c.discover("*****@*****.**") info = c.provider_config(location) c.register(info["registration_endpoint"]) assert c.client_id is not None assert c.client_secret is not None assert c.registration_expires > utc_time_sans_frac()
def test_server_authenticated_token(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA location = cons.begin("openid", response_type="token", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) txt = resp.message assert "access_token=" in txt assert "token_type=Bearer" in txt
def test_server_authenticated_none(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA location = cons.begin("openid", response_type="none", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) assert resp.message.startswith("http://localhost:8087/authz") query_part = resp.message.split("?")[1] print query_part assert "state" in query_part
def test_userinfo_endpoint(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO) cons.debug = True cons.client_secret = "drickyoughurt" cons.config["response_type"] = ["token"] cons.config["request_method"] = "parameter" cons.keyjar[""] = KC_RSA location = cons.begin("openid", "token", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) line = resp.message path, query = line.split("?") # redirect atr = AuthorizationResponse().deserialize(query, "urlencoded") uir = UserInfoRequest(access_token=atr["access_token"], schema="openid") resp3 = server.userinfo_endpoint(request=uir.to_urlencoded()) ident = OpenIDSchema().deserialize(resp3.message, "json") print ident.keys() assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email']) assert ident["sub"] == USERDB["username"]["sub"]
def test_faulty_id_token_in_access_token_response(): c = Consumer(None, None) c.keyjar.add_symmetric("", "TestPassword", ["sig"]) _info = { "access_token": "accessTok", "id_token": _faulty_id_token(), "token_type": "Bearer", "expires_in": 3600 } _json = json.dumps(_info) try: resp = c.parse_response(AccessTokenResponse, _json, sformat="json") except BadSignature: pass else: assert False
def test_client_register_token(self): c = Consumer(None, None) c.redirect_uris = ["https://example.com/authz"] client_info = { "client_id": "clientid", "redirect_uris": ["https://example.com/authz"] } with responses.RequestsMock() as rsps: rsps.add(rsps.POST, "https://provider.example.com/registration/", json=client_info) c.register("https://provider.example.com/registration/", registration_token="initial_registration_token") header = rsps.calls[0].request.headers['Authorization'] assert header == "Bearer aW5pdGlhbF9yZWdpc3RyYXRpb25fdG9rZW4="
def authz(environ, start_response, logger, kaka=None): """ This is where I am returned to after authentication at the Authorization service """ _session_db = environ["oic.session_db"] _cc = environ["oic.client_config"] _conc = environ["oic.consumer.config"] _server_info = environ["oic.server.info"] _log_info = logger.info try: _cli = Consumer(_session_db, _conc, _cc, _server_info) aresp, atr, idt = _cli.parse_authz(environ, start_response, logger) except (AuthzError, TokenError), err: resp = http_util.Unauthorized("%s" % err) return resp(environ, start_response)
def test_provider_config(): c = Consumer(None, None) mfos = MyFakeOICServer(SRVKEYS, "http://example.com/") c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) info = c.provider_config(res) assert info.type() == "ProviderConfigurationResponse" print info.keys() assert _eq(info.keys(), ['registration_endpoint', 'check_session_endpoint', 'refresh_session_endpoint', 'scopes_supported', 'identifiers_supported', 'token_endpoint', 'version', 'user_info_endpoint', 'end_session_endpoint', 'authorization_endpoint', 'flows_supported', 'issuer']) assert info["end_session_endpoint"] == "http://example.com/end_session"
def setup_consumer(self, session_db_factory): client_id = "client_1" client_config = { "client_id": client_id, "client_authn_method": CLIENT_AUTHN_METHOD, } self.consumer = Consumer(DictSessionBackend(), CONFIG, client_config, SERVER_INFO) self.consumer.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } self.consumer.keyjar = CLIKEYS self.consumer.redirect_uris = ["https://example.com/cb"] self.consumer.authorization_endpoint = "https://example.com/authorization" self.consumer.token_endpoint = "https://example.com/token" self.consumer.userinfo_endpoint = "https://example.com/userinfo" # type: ignore self.consumer.client_secret = "hemlig" self.consumer.secret_type = "basic"
def test_server_authenticated_1(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA location = cons.begin("openid", "code", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) print resp aresp = cons.parse_response(AuthorizationResponse, location, sformat="urlencoded") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), ['request', 'state', 'redirect_uri', 'claims', 'response_type', 'client_id', 'scope'])
def setup_class(self): self.server = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR) self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) self.cons.behaviour = {"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]} self.cons.debug = True self.cons.keyjar[""] = KC_RSA
def test_discover(self): c = Consumer(None, None) webfinger = { "subject": "acct:[email protected]", "links": [{ "rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://*****:*****@example.com" with responses.RequestsMock() as rsps: rsps.add( responses.GET, "https://example.com/.well-known/webfinger" "?resource=acct%3Afoo%40example.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer", json=webfinger, ) res = c.discover(principal) assert res == "https://localhost:8088/"
def test_server_authenticated_2(): server = provider_init server.baseurl = server.name _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA location = cons.begin(scope="openid email claims_in_id_token", response_type="code id_token", path="http://localhost:8087") print location resp = server.authorization_endpoint(request=location.split("?")[1]) print resp.message part = cons.parse_authz(resp.message) print part aresp = part[0] assert part[1] is None assert part[2] is not None #aresp = cons.parse_response(AuthorizationResponse, location, # sformat="urlencoded") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token']) print cons.grant[cons.state].keys() assert _eq(cons.grant[cons.state].keys(), ['code', 'id_token', 'tokens', 'exp_in', 'grant_expiration_time', 'seed']) id_token = part[2] assert isinstance(id_token, IdToken) print id_token.keys() assert _eq(id_token.keys(), ['c_hash', 'sub', 'iss', 'acr', 'exp', 'iat', 'aud', 'nonce'])
def test_client_register(self): c = Consumer(None, None) c.redirect_uris = ["https://example.com/authz"] reg_resp = { "client_id": "some_client", "client_secret": "super_secret", "client_secret_expires_at": 123456789, "redirect_uris": ["https://example.com/authz"], } with responses.RequestsMock() as rsps: rsps.add(responses.POST, "https://example.com/register/", json=reg_resp) c.register("https://example.com/register/") assert json.loads(rsps.calls[0].request.body) == { "application_type": "web", "response_types": ["code"], "redirect_uris": ["https://example.com/authz"], "grant_types": ["authorization_code"], } assert c.client_id == "some_client" assert c.client_secret == "super_secret" assert c.registration_expires == 123456789
def setup_userinfo_endpoint(self): cons = Consumer( {}, CONSUMER_CONFIG, {"client_id": CLIENT_ID}, server_info=SERVER_INFO, ) cons.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } cons.keyjar[""] = KC_RSA cons.client_secret = "drickyoughurt" state, location = cons.begin( "openid", "token", path=TestConfiguration.get_instance().rp_base) resp = self.provider.authorization_endpoint( request=urlparse(location).query) # redirect atr = AuthorizationResponse().deserialize( urlparse(resp.message).fragment, "urlencoded") uir = UserInfoRequest(access_token=atr["access_token"], schema="openid") resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded()) responses.add(responses.POST, self.op_base + "userinfo", body=resp.message, status=200, content_type='application/json')
def test_server_authenticated_1(): server = provider_init _session_db = {} cons = Consumer( _session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA state, location = cons.begin("openid", "code", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) print resp aresp = cons.parse_response(AuthorizationResponse, location, sformat="urlencoded") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), [ 'request', 'state', 'redirect_uri', 'claims', 'response_type', 'client_id', 'scope' ])
def test_client_register(self, fake_oic_server): c = Consumer(None, None) c.redirect_uris = ["https://example.com/authz"] mfos = fake_oic_server("https://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request # type: ignore # FIXME: Replace with responses location = c.discover("*****@*****.**") info = c.provider_config(location) c.register(info["registration_endpoint"]) assert c.client_id is not None assert c.client_secret is not None assert c.registration_expires > utc_time_sans_frac()
def test_server_authenticated_none(): server = provider_init _session_db = {} cons = Consumer( _session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA _state, location = cons.begin("openid", response_type="none", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) assert resp.message.startswith("http://localhost:8087/authz") query_part = resp.message.split("?")[1] print query_part assert "state" in query_part
def test_server_authenticated_token(): server = provider_init _session_db = {} cons = Consumer( _session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA _state, location = cons.begin("openid", response_type="token", path="http://localhost:8087") resp = server.authorization_endpoint(request=location.split("?")[1]) txt = resp.message assert "access_token=" in txt assert "token_type=Bearer" in txt
def create_provider(self): self.provider = Provider(SERVER_INFO["issuer"], SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR) self.provider.baseurl = self.provider.name self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) self.cons.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]} self.cons.keyjar[""] = KC_RSA
def test_server_authenticated_1(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA environ = BASE_ENVIRON location = cons.begin(environ, start_response) environ = BASE_ENVIRON.copy() environ["QUERY_STRING"] = location.split("?")[1] _ = server.authorization_endpoint(environ, start_response) #sid = resp[0][len("FORM with "):] environ2 = create_return_form_env("user", "password", "abcd") resp2 = server.authenticated(environ2, start_response) print resp2 assert resp2 == ['<html>Could not find session</html>']
def create_provider(self, session_db_factory): self.provider = Provider( SERVER_INFO["issuer"], session_db_factory(SERVER_INFO["issuer"]), self.CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR, ) self.provider.baseurl = self.provider.name self.provider.logout_verify_url = "https://127.0.0.1/logout_verify.html" self.cons = Consumer( DictSessionBackend(), CONSUMER_CONFIG.copy(), CLIENT_CONFIG, server_info=SERVER_INFO, ) self.cons.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } self.cons.keyjar[""] = KC_RSA self.cons.keyjar.import_jwks(self.provider.keyjar.export_jwks(), self.cons.issuer) self.cons2 = Consumer({}, CONSUMER_CONFIG.copy(), CLIENT_CONFIG_2, server_info=SERVER_INFO) self.cons2.behaviour = { "request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"] } self.cons2.keyjar[""] = KC_RSA
def test_complete_secret_auth(): consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG, CLIENT_CONFIG, SERVER_INFO) mfos = MyFakeOICServer("http://localhost:8088") mfos.keyjar = SRVKEYS consumer.http_request = mfos.http_request consumer.redirect_uris = ["http://example.com/authz"] _state = "state0" consumer.nonce = rndstr() consumer.client_secret = "hemlig" consumer.secret_type = "basic" del consumer.config["password"] args = { "client_id": consumer.client_id, "response_type": "code", "scope": ["openid"], } result = consumer.do_authorization_request(state=_state, request_args=args) assert result.status_code == 302 assert result.headers["location"].startswith(consumer.redirect_uris[0]) _, query = result.headers["location"].split("?") consumer.parse_response(AuthorizationResponse, info=query, sformat="urlencoded") resp = consumer.complete(_state) print resp assert resp.type() == "AccessTokenResponse" print resp.keys() assert _eq(resp.keys(), ['token_type', 'state', 'access_token', 'scope', 'expires_in', 'refresh_token']) assert resp["state"] == _state
def test_provider_config(): c = Consumer(None, None) mfos = MyFakeOICServer("http://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request principal = "*****@*****.**" res = c.discover(principal) info = c.provider_config(res) assert info.type() == "ProviderConfigurationResponse" print info.keys() assert _eq(info.keys(), ['registration_endpoint', u'check_session_endpoint', u'refresh_session_endpoint', 'scopes_supported', 'subject_types_supported', 'token_endpoint_auth_methods_supported', 'id_token_signing_alg_values_supported', u'flows_supported', 'version', u'identifiers_supported', u'user_info_endpoint', 'response_types_supported', 'end_session_endpoint', 'authorization_endpoint', u'discovery_endpoint', 'token_endpoint', 'x509_url', 'issuer']) assert info["end_session_endpoint"] == "http://example.com/end_session"
def test_server_authenticated(): server = provider_init _session_db = {} cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA location = cons.begin("openid", "code", path="http://localhost:8087") QUERY_STRING = location.split("?")[1] print QUERY_STRING resp = server.authorization_endpoint(request=QUERY_STRING) print resp.message assert resp.message.startswith("http://localhost:8087/authz") part = cons.parse_authz(query=location) aresp = part[0] assert part[1] is None assert part[2] is None #aresp = client.parse_response(AuthorizationResponse, location, # format="urlencoded", # state="id-6da9ca0cc23959f5f33e8becd9b08cae") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), ['request', 'state', 'redirect_uri', 'response_type', 'client_id', 'claims', 'scope']) print cons.grant[cons.state].keys() assert _eq(cons.grant[cons.state].keys(), ['tokens', 'id_token', 'exp_in', 'seed', 'grant_expiration_time'])
def test_client_register_token(self): c = Consumer(None, None) c.application_type = "web" c.application_name = "My super service" c.redirect_uris = ["https://example.com/authz"] c.contact = ["*****@*****.**"] client_info = {"client_id": "clientid", "redirect_uris": ["https://example.com/authz"]} with responses.RequestsMock() as rsps: rsps.add(rsps.POST, "https://provider.example.com/registration/", json=client_info) c.register("https://provider.example.com/registration/", registration_token="initial_registration_token") header = rsps.calls[0].request.headers['Authorization'].decode() assert header == "Bearer aW5pdGlhbF9yZWdpc3RyYXRpb25fdG9rZW4="
def init_oic(self): self.scopes = ["openid","profile","email"] db = SessionStore(self.db) client = Consumer(db, consumer_config, client_config=client_config) client.allow['issuer_mismatch'] = True client.provider_info = client.provider_config(self.provider) providers = self.db.oic_registration.filter(None, {'issuer':self.provider}) assert len(providers) == 1 provider = self.db.oic_registration.getnode(providers[0]) client_reg = RegistrationResponse(client_id=provider['client_id'], client_secret=provider['client_secret']) client.store_registration_info(client_reg) return client
def test_server_authenticated_2(): server = provider_init server.baseurl = server.name _session_db = {} cons = Consumer( _session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA _state, location = cons.begin(scope="openid email claims_in_id_token", response_type="code id_token", path="http://localhost:8087") print location resp = server.authorization_endpoint(request=location.split("?")[1]) print resp.message part = cons.parse_authz(resp.message) print part aresp = part[0] assert part[1] is None assert part[2] is not None #aresp = cons.parse_response(AuthorizationResponse, location, # sformat="urlencoded") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token']) print cons.grant[_state].keys() assert _eq(cons.grant[_state].keys(), [ 'code', 'id_token', 'tokens', 'exp_in', 'grant_expiration_time', 'seed' ]) id_token = part[2] assert isinstance(id_token, IdToken) print id_token.keys() assert _eq(id_token.keys(), [ 'nonce', 'c_hash', 'sub', 'iss', 'acr', 'exp', 'auth_time', 'iat', 'aud' ])
def test_server_authenticated(): server = provider_init _session_db = {} cons = Consumer( _session_db, CONSUMER_CONFIG, CLIENT_CONFIG, server_info=SERVER_INFO, ) cons.debug = True cons.keyjar[""] = KC_RSA _state, location = cons.begin("openid", "code", path="http://localhost:8087") QUERY_STRING = location.split("?")[1] print QUERY_STRING resp = server.authorization_endpoint(request=QUERY_STRING) print resp.message assert resp.message.startswith("http://localhost:8087/authz") part = cons.parse_authz(query=location) aresp = part[0] assert part[1] is None assert part[2] is None #aresp = client.parse_response(AuthorizationResponse, location, # format="urlencoded", # state="id-6da9ca0cc23959f5f33e8becd9b08cae") print aresp.keys() assert aresp.type() == "AuthorizationResponse" assert _eq(aresp.keys(), [ 'request', 'state', 'redirect_uri', 'response_type', 'client_id', 'claims', 'scope' ]) print cons.grant[_state].keys() assert _eq(cons.grant[_state].keys(), [ 'code', 'tokens', 'id_token', 'exp_in', 'seed', 'grant_expiration_time' ])
def test_faulty_idtoken_from_accesstoken_endpoint(): consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG, CLIENT_CONFIG, SERVER_INFO) consumer.keyjar = CLIKEYS mfos = MITMServer("http://localhost:8088") mfos.keyjar = SRVKEYS consumer.http_request = mfos.http_request consumer.redirect_uris = ["http://example.com/authz"] _state = "state0" consumer.nonce = rndstr() consumer.client_secret = "hemlig" consumer.secret_type = "basic" consumer.config["response_type"] = ["id_token"] args = { "client_id": consumer.client_id, "response_type": consumer.config["response_type"], "scope": ["openid"], } result = consumer.do_authorization_request(state=_state, request_args=args) consumer._backup("state0") assert result.status_code == 302 # assert result.location.startswith(consumer.redirect_uri[0]) _, query = result.headers["location"].split("?") print query try: consumer.parse_authz(query=query) except BadSignature: pass else: assert False
def test_client_register(): c = Consumer(None, None) c.application_type = "web" c.application_name = "My super service" c.redirect_uris = ["http://example.com/authz"] c.contact = ["*****@*****.**"] mfos = MyFakeOICServer("http://example.com") mfos.keyjar = SRVKEYS c.http_request = mfos.http_request location = c.discover("*****@*****.**") info = c.provider_config(location) c.register(info["registration_endpoint"]) assert c.client_id is not None assert c.client_secret is not None assert c.registration_expires > utc_time_sans_frac()
def test_sign_userinfo(): consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG, CLIENT_CONFIG, SERVER_INFO) consumer.keyjar = CLIKEYS mfos = MyFakeOICServer("http://localhost:8088") mfos.keyjar = SRVKEYS mfos.userinfo_signed_response_alg = "RS256" consumer.http_request = mfos.http_request consumer.redirect_uris = ["http://example.com/authz"] _state = "state0" consumer.nonce = rndstr() consumer.secret_type = "basic" consumer.set_client_secret("hemligt") consumer.keyjar = CLIKEYS consumer.client_prefs = {"userinfo_signed_response_alg": "RS256"} consumer.provider_info = { "userinfo_endpoint": "http://localhost:8088/userinfo", "issuer": "http://localhost:8088/" } del consumer.config["request_method"] args = { "client_id": consumer.client_id, "response_type": "code", "scope": ["openid"], } sid, location = consumer.begin("openid", "code") print location result = consumer.do_authorization_request(state=_state, request_args=args) assert result.status_code == 302 assert result.headers["location"].startswith(consumer.redirect_uris[0]) _, query = result.headers["location"].split("?") consumer.parse_response(AuthorizationResponse, info=query, sformat="urlencoded") consumer.complete(_state) result = consumer.get_user_info(_state) print result assert result.type() == "OpenIDSchema" assert _eq(result.keys(), ['name', 'email', 'verified', 'nickname', 'sub'])