def _create_op(self, issuer, endpoint_baseurl, jwks_uri):
"""
Create the necessary Provider instance.
:type issuer: str
:type endpoint_baseurl: str
:type jwks_uri: str
:param issuer: issuer URL for the OP
:param endpoint_baseurl: baseurl to build endpoint URL from
:param jwks_uri: URL to where the JWKS will be published
"""
kj = KeyJar()
signing_key = KeyBundle(source="file://{}".format(self.conf["signing_key_path"]),
fileformat="der", keyusage=["sig"])
kj.add_kb("", signing_key)
capabilities = {
"response_types_supported": ["id_token"],
"id_token_signing_alg_values_supported": [self.sign_alg],
"response_modes_supported": ["fragment", "query"],
"subject_types_supported": ["public", "pairwise"],
"grant_types_supported": ["implicit"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": True,
"request_parameter_supported": False,
"request_uri_parameter_supported": False,
}
if "client_db_path" in self.conf:
cdb = shelve_wrapper.open(self.conf["client_db_path"])
else:
cdb = {} # client db in memory only
self.provider = Provider(issuer, None, cdb, None, None, None, None, None, keyjar=kj,
capabilities=capabilities, jwks_uri=jwks_uri)
self.provider.baseurl = endpoint_baseurl
self.provider.endp = [RegistrationEndpoint, AuthorizationEndpoint]
def provider(tmpdir):
client_db_path = os.path.join(tmpdir.strpath, "client_db")
cdb = shelve_wrapper.open(client_db_path)
ab = AuthnBroker()
ab.add("dummy", DummyAuthn())
sdb = SessionDB("https://testprovider.com")
provider = CourseProvider("https://testprovider.com", sdb, cdb, ab, UserInfo({"user": {}}),
AuthzHandling(), None, None)
return provider
def provider(tmpdir):
client_db_path = os.path.join(tmpdir.strpath, "client_db")
cdb = shelve_wrapper.open(client_db_path)
ab = AuthnBroker()
ab.add("dummy", DummyAuthn())
sdb = SessionDB("https://testprovider.com")
provider = CourseProvider("https://testprovider.com", sdb, cdb, ab,
UserInfo({"user": {}}), AuthzHandling(), None,
None)
return provider
def setup():
with open("config.yaml", 'r') as f:
config = yaml.load(f)
issuer = config["baseurl"]
ac = AuthnBroker()
authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD,
"{}/authorization".format(issuer))
ac.add("password", authn)
URLS.append((r'^verify', make_auth_verify(authn.verify)))
authz = AuthzHandling()
client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
LOGGER.info("Using db: {}".format(client_db_path))
cdb = shelve_wrapper.open(client_db_path)
global OAS
OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz,
verify_client, rndstr(16))
OAS.baseurl = issuer
OAS.userinfo = UserInfo(config["userdb"])
# Additional endpoints the OpenID Connect Provider should answer on
add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
OAS.endpoints = ENDPOINTS
authn.srv = OAS
try:
OAS.cookie_ttl = config["cookie_ttl"]
except KeyError:
pass
try:
OAS.cookie_name = config["cookie_name"]
except KeyError:
pass
keyjar_init(OAS, config["keys"])
public_keys = []
for keybundle in OAS.keyjar[""]:
for key in keybundle.keys():
public_keys.append(key.serialize())
public_jwks = {"keys": public_keys}
filename = "static/jwks.json"
with open(filename, "w") as f:
f.write(json.dumps(public_jwks))
OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)
return config
def setup():
with open("config.yaml", 'r') as f:
config = yaml.load(f)
issuer = config["baseurl"]
ac = AuthnBroker()
authn = UsernamePasswordMako(
None, "login.mako", LOOKUP, PASSWD, "{}/authorization".format(issuer))
ac.add("password", authn)
URLS.append((r'^verify', make_auth_verify(authn.verify)))
authz = AuthzHandling()
client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db")
LOGGER.info("Using db: {}".format(client_db_path))
cdb = shelve_wrapper.open(client_db_path)
global OAS
OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None,
authz, verify_client, rndstr(16))
OAS.baseurl = issuer
OAS.userinfo = UserInfo(config["userdb"])
# Additional endpoints the OpenID Connect Provider should answer on
add_endpoints(ENDPOINTS, ENDPOINT_FUNCS)
OAS.endpoints = ENDPOINTS
authn.srv = OAS
try:
OAS.cookie_ttl = config["cookie_ttl"]
except KeyError:
pass
try:
OAS.cookie_name = config["cookie_name"]
except KeyError:
pass
keyjar_init(OAS, config["keys"])
public_keys = []
for keybundle in OAS.keyjar[""]:
for key in keybundle.keys():
public_keys.append(key.serialize())
public_jwks = {"keys": public_keys}
filename = "static/jwks.json"
with open(filename, "w") as f:
f.write(json.dumps(public_jwks))
OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename)
return config
def _create_op(self, issuer, endpoint_baseurl, jwks_uri):
"""
Create the necessary Provider instance.
:type issuer: str
:type endpoint_baseurl: str
:type jwks_uri: str
:param issuer: issuer URL for the OP
:param endpoint_baseurl: baseurl to build endpoint URL from
:param jwks_uri: URL to where the JWKS will be published
"""
kj = KeyJar()
signing_key = KeyBundle(source="file://{}".format(
self.conf["signing_key_path"]),
fileformat="der",
keyusage=["sig"])
kj.add_kb("", signing_key)
capabilities = {
"response_types_supported": ["id_token"],
"id_token_signing_alg_values_supported": [self.sign_alg],
"response_modes_supported": ["fragment", "query"],
"subject_types_supported": ["public", "pairwise"],
"grant_types_supported": ["implicit"],
"claim_types_supported": ["normal"],
"claims_parameter_supported": True,
"request_parameter_supported": False,
"request_uri_parameter_supported": False,
}
if "client_db_path" in self.conf:
cdb = shelve_wrapper.open(self.conf["client_db_path"])
else:
cdb = {} # client db in memory only
self.provider = Provider(issuer,
None,
cdb,
None,
None,
None,
None,
None,
keyjar=kj,
capabilities=capabilities,
jwks_uri=jwks_uri)
self.provider.baseurl = endpoint_baseurl
self.provider.endp = [RegistrationEndpoint, AuthorizationEndpoint]
def print_client(cdb, cid):
print(json.dumps(cdb[cid]))
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('-l', dest='list', action='store_true')
parser.add_argument('-c', dest='clear', action='store_true')
parser.add_argument('-p', dest='print')
parser.add_argument('-n', dest='new')
parser.add_argument('-d', dest='delete')
args = parser.parse_args()
cdb = shelve_wrapper.open("client_db")
if args.clear:
remove_old(cdb)
if args.delete:
del cdb[args.delete]
if args.list:
list_clients(cdb)
if args.print:
print_client(cdb, args.print)
if args.new:
_info = json.loads(args.new)
def op_setup(args, config, provider_cls):
# Client data base
cdb = shelve_wrapper.open("client_db")
if args.issuer:
_issuer = args.issuer[0]
else:
if args.port not in [80, 443]:
_issuer = config.ISSUER + ':{}'.format(args.port)
else:
_issuer = config.ISSUER
if _issuer[-1] != '/':
_issuer += '/'
config.SERVICE_URL = config.SERVICE_URL.format(issuer=_issuer)
auth_setup = AuthSetup(config, _issuer)
auth_setup()
# dealing with authorization
authz = AuthzHandling()
auth_setup.init_mako()
kwargs = {
"template_lookup": auth_setup.lookup,
"template": {"form_post": "form_response.mako"},
# "template_args": {"form_post": {"action": "form_post"}}
}
# Should I care about verifying the certificates used by other entities
if args.insecure:
kwargs["verify_ssl"] = False
else:
kwargs["verify_ssl"] = True
if args.capabilities:
kwargs["capabilities"] = json.loads(open(args.capabilities).read())
else:
pass
_sdb = create_session_db(_issuer, 'automover', '430X', {})
_op = provider_cls(_issuer, _sdb, cdb, auth_setup.ac, None,
authz, verify_client, config.SYM_KEY, **kwargs)
_op.baseurl = _issuer
for authn in auth_setup.ac:
authn.srv = _op
if config.USERINFO == "SIMPLE":
# User info is a simple dictionary in this case statically defined in
# the configuration file
_op.userinfo = UserInfo(config.USERDB)
elif config.USERINFO == "SAML":
_op.userinfo = UserInfo(config.SAML)
elif config.USERINFO == "AA":
_op.userinfo = AaUserInfo(config.SP_CONFIG, _issuer, config.SAML)
else:
raise Exception("Unsupported userinfo source")
try:
_op.cookie_ttl = config.COOKIETTL
except AttributeError:
pass
try:
_op.cookie_name = config.COOKIENAME
except AttributeError:
pass
# print URLS
if args.debug:
_op.debug = True
try:
jwks = keyjar_init(_op, config.keys, kid_template="op%d")
except Exception as err:
logger.error("Key setup failed: %s" % err)
_op.key_setup("static", sig={"format": "jwk", "alg": "rsa"})
else:
f = open(config.JWKS_FILE_NAME, "w")
f.write(json.dumps(jwks))
f.close()
_op.jwks_uri = "%s%s" % (_op.baseurl, config.JWKS_FILE_NAME)
try:
_op.signed_jwks_uri = "%s%s" % (_op.baseurl,
config.SIGNED_JWKS_PATH)
except AttributeError:
pass
_op.keyjar.verify_ssl = kwargs["verify_ssl"]
for b in _op.keyjar[""]:
logger.info("OC3 server keys: %s" % b)
return _op
parser = argparse.ArgumentParser()
parser.add_argument('-v', dest='verbose', action='store_true')
parser.add_argument('-d', dest='debug', action='store_true')
parser.add_argument('-p', dest='port', default=80, type=int)
parser.add_argument('-t', dest='tls', action='store_true')
parser.add_argument('-k', dest='insecure', action='store_true')
parser.add_argument(
'-c', dest='capabilities',
help="A file containing a JSON representation of the capabilities")
parser.add_argument('-i', dest='issuer', help="issuer id of the OP",
nargs=1)
parser.add_argument(dest="config")
args = parser.parse_args()
# Client data base
cdb = shelve_wrapper.open("client_db")
logger.info("Known client_ids: {}".format([k for k in cdb.keys()]))
sys.path.insert(0, ".")
config = importlib.import_module(args.config)
if args.issuer:
_issuer = args.issuer[0]
else:
if args.port not in [80, 443]:
_issuer = config.ISSUER + ':{}'.format(args.port)
else:
_issuer = config.ISSUER
if _issuer[-1] != '/':
_issuer += '/'
from oic.utils.sdb import SessionDB
parser = argparse.ArgumentParser()
parser.add_argument('-v', dest='verbose', action='store_true')
parser.add_argument('-d', dest='debug', action='store_true')
parser.add_argument('-p', dest='port', default=80, type=int)
parser.add_argument('-k', dest='insecure', action='store_true')
parser.add_argument(
'-c',
dest='capabilities',
help="A file containing a JSON representation of the capabilities")
parser.add_argument(dest="config")
args = parser.parse_args()
# Client data base
cdb = shelve_wrapper.open("client_db", writeback=True)
sys.path.insert(0, ".")
config = importlib.import_module(args.config)
config.issuer = config.issuer % args.port
config.SERVICE_URL = config.SERVICE_URL % args.port
ac = AuthnBroker()
saml_authn = None
end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"]
full_end_point_paths = ["%s/%s" % (config.issuer, ep) for ep in end_points]
username_password_authn = UsernamePasswordMako(
None, "login.mako", LOOKUP, PASSWD, "%s/authorization" % config.issuer,
None, full_end_point_paths)
None, # templ_arg_func ??!!
fullEndPointsPath) # verification endpoints
# AuthnIndexedEndpointWrapper is a wrapper class for using an authentication module with multiple endpoints.
authnIndexedEndPointWrapper = AuthnIndexedEndpointWrapper(
usernamePasswordAuthn, passwordEndPointIndex)
authnBroker.add(
config.AUTHENTICATION["UserPassword"]["ACR"], # (?!)
authnIndexedEndPointWrapper, # (?!) method: an identifier of the authentication method.
config.AUTHENTICATION["UserPassword"]["WEIGHT"], # security level
"") # (?!) authentication authority
# ?!
authz = AuthzHandling()
clientDB = shelve_wrapper.open(config.CLIENTDB)
# In-Memory non-persistent SessionDB issuing DefaultTokens
sessionDB = create_session_db(config.ISSUER,
secret=rndstr(32),
password=rndstr(32))
provider = Provider(
name=config.ISSUER, # name
sdb=sessionDB, # session database.
cdb=clientDB, # client database
authn_broker=authnBroker, # authn broker
userinfo=None, # user information
authz=authz, # authz
client_authn=verify_client, # client authentication
symkey=config.SYM_KEY, # Used for Symmetric key authentication
def db(tmpdir):
return shelve_wrapper.open(
os.path.join(tmpdir.strpath, "test_db_shelve_wrapper"))
from oic.utils.sdb import SessionDB
PARSER = argparse.ArgumentParser()
PARSER.add_argument('-v', dest='verbose', action='store_true')
PARSER.add_argument('-d', dest='debug', action='store_true')
PARSER.add_argument('-p', dest='port', default=80, type=int)
PARSER.add_argument('-k', dest='insecure', action='store_true')
PARSER.add_argument(
'-c', dest='capabilities',
help="A file containing a JSON representation of the capabilities")
PARSER.add_argument('-b', dest='baseurl', help="base url of the OP")
PARSER.add_argument(dest="config")
ARGS = PARSER.parse_args()
# Client data base
CDB = shelve_wrapper.open("client_db", writeback=True)
sys.path.insert(0, ".")
CONFIG = importlib.import_module(ARGS.config)
if ARGS.baseurl:
CONFIG.BASEURL = ARGS.baseurl
CONFIG.ISSUER = CONFIG.ISSUER.format(base=CONFIG.BASEURL, port=ARGS.port)
CONFIG.SERVICE_URL = CONFIG.SERVICE_URL.format(issuer=CONFIG.ISSUER)
AC = AuthnBroker()
SAML_AUTHN = None
END_POINTS = CONFIG.AUTHENTICATION["UserPassword"]["END_POINTS"]
FULL_END_POINT_PATHS = ["%s%s" % (CONFIG.ISSUER, ep) for ep in END_POINTS]
usernamePasswords, # username/password dictionary-like database
"%sauthorization" % config.ISSUER, # where to send the user after authentication
None, # templ_arg_func ??!!
fullEndPointsPath) # verification endpoints
# AuthnIndexedEndpointWrapper is a wrapper class for using an authentication module with multiple endpoints.
authnIndexedEndPointWrapper = AuthnIndexedEndpointWrapper(usernamePasswordAuthn, passwordEndPointIndex)
authnBroker.add(config.AUTHENTICATION["UserPassword"]["ACR"], # (?!)
authnIndexedEndPointWrapper, # (?!) method: an identifier of the authentication method.
config.AUTHENTICATION["UserPassword"]["WEIGHT"], # security level
"") # (?!) authentication authority
# ?!
authz = AuthzHandling()
clientDB = shelve_wrapper.open(config.CLIENTDB)
# In-Memory non-persistent SessionDB issuing DefaultTokens
sessionDB = create_session_db(config.ISSUER,
secret=rndstr(32),
password=rndstr(32))
provider = Provider(
name=config.ISSUER, # name
sdb=sessionDB, # session database.
cdb=clientDB, # client database
authn_broker=authnBroker, # authn broker
userinfo=None, # user information
authz=authz, # authz
client_authn=verify_client, # client authentication
symkey=config.SYM_KEY, # Used for Symmetric key authentication
