def test_do_2nd_refresh_access_token(self):
areq = AUTH_REQ.copy()
areq["scope"] = ["openid", "offline_access"]
_cntx = self.token_endpoint.endpoint_context
session_id = setup_session(
_cntx, areq, uid="user", acr=INTERNETPROTOCOLPASSWORD
)
_cntx.sdb.update(session_id, user="******")
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = _cntx.sdb[session_id]["code"]
_req = self.token_endpoint.parse_request(_token_request)
_resp = self.token_endpoint.process_request(request=_req)
_request = REFRESH_TOKEN_REQ.copy()
_request["refresh_token"] = _resp["response_args"]["refresh_token"]
_req = self.refresh_token_endpoint.parse_request(_request.to_json())
_resp = self.refresh_token_endpoint.process_request(request=_req)
_request = REFRESH_TOKEN_REQ.copy()
_request["refresh_token"] = _resp["response_args"]["refresh_token"]
_req = self.refresh_token_endpoint.parse_request(_request.to_json())
_resp = self.refresh_token_endpoint.process_request(request=_req)
assert set(_resp.keys()) == {"response_args", "http_headers"}
assert set(_resp["response_args"].keys()) == {
"access_token",
"token_type",
"expires_in",
"refresh_token",
"id_token",
}
msg = self.refresh_token_endpoint.do_response(request=_req, **_resp)
assert isinstance(msg, dict)
def test_process_request_using_private_key_jwt(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
del _token_request["client_id"]
del _token_request["client_secret"]
_context = self.endpoint.endpoint_context
_jwt = JWT(CLIENT_KEYJAR, iss=AUTH_REQ["client_id"], sign_alg="RS256")
_jwt.with_jti = True
_assertion = _jwt.pack({"aud": [_context.endpoint["token"].full_path]})
_token_request.update({
"client_assertion": _assertion,
"client_assertion_type": JWT_BEARER
})
_token_request["code"] = self.endpoint.endpoint_context.sdb[
session_id]["code"]
_context.sdb.update(session_id, user="******")
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
# 2nd time used
with pytest.raises(UnAuthorizedClient):
self.endpoint.parse_request(_token_request)
def test_parse_no_authn(self):
_ = setup_session(self.introspection_endpoint.endpoint_context,
AUTH_REQ,
uid="diana")
_token = self._create_jwt("diana")
with pytest.raises(UnknownOrNoAuthnMethod):
self.introspection_endpoint.parse_request({"token": _token})
def test_do_response(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_token = self._create_jwt("diana", lifetime=6000, with_jti=True)
_req = self.introspection_endpoint.parse_request({
"token":
_token,
"client_id":
"client_1",
"client_secret":
_context.cdb["client_1"]["client_secret"],
})
_resp = self.introspection_endpoint.process_request(_req)
msg_info = self.introspection_endpoint.do_response(request=_req,
**_resp)
assert isinstance(msg_info, dict)
assert set(msg_info.keys()) == {"response", "http_headers"}
assert msg_info["http_headers"] == [
("Content-type", "application/json"),
("Pragma", "no-cache"),
("Cache-Control", "no-store"),
]
_payload = json.loads(msg_info["response"])
assert set(_payload.keys()) == {
"sub",
"username",
"exp",
"iat",
"aud",
"active",
"iss",
"jti",
}
assert _payload["active"] == True
def test_custom_scope(self):
_auth_req = AUTH_REQ.copy()
_auth_req["scope"] = ["openid", "research_and_scholarship"]
session_id = setup_session(
self.endpoint.endpoint_context,
_auth_req,
uid="userID",
authn_event={
"authn_info": "loa1",
"uid": "diana",
"authn_time": utc_time_sans_frac(),
"valid_until": utc_time_sans_frac() + 3600,
},
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
key=session_id)
_req = self.endpoint.parse_request({},
auth="Bearer {}".format(
_dic["access_token"]))
args = self.endpoint.process_request(_req)
assert set(args["response_args"].keys()) == {
"sub",
"name",
"given_name",
"family_name",
"email",
"email_verified",
"eduperson_scoped_affiliation",
}
def test_access_token(self):
_context = self.introspection_endpoint.endpoint_context
session_id = setup_session(
_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = _context.sdb[session_id]["code"]
_context.sdb.update(session_id, user="******")
_req = self.token_endpoint.parse_request(_token_request)
_resp = self.token_endpoint.process_request(request=_req)
_req = self.introspection_endpoint.parse_request({
"token":
_resp["response_args"]["access_token"],
"client_id":
"client_1",
"client_secret":
_context.cdb["client_1"]["client_secret"],
})
_resp = self.introspection_endpoint.process_request(_req)
_resp_args = _resp["response_args"]
assert "sub" in _resp_args
assert _resp_args["active"]
assert _resp_args["scope"] == "openid"
def test_parse(self):
session_id = setup_session(self.endpoint.endpoint_context, AUTH_REQ, uid="user")
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = self.endpoint.endpoint_context.sdb[session_id]["code"]
_req = self.endpoint.parse_request(_token_request)
assert isinstance(_req, AccessTokenRequest)
assert set(_req.keys()) == set(_token_request.keys())
def authz_part2(self, user, authn_event, request, **kwargs):
"""
After the authentication this is where you should end up
:param user:
:param request: The Authorization Request
:param sid: Session key
:param kwargs: possible other parameters
:return: A redirect to the redirect_uri of the client
"""
sid = setup_session(
self.endpoint_context, request, user, authn_event=authn_event
)
try:
resp_info = self.post_authentication(user, request, sid, **kwargs)
except Exception as err:
return self.error_response({}, "server_error", err)
if "check_session_iframe" in self.endpoint_context.provider_info:
ec = self.endpoint_context
salt = rndstr()
if ec.sdb.is_session_revoked(sid):
pass
else:
authn_event = ec.sdb.get_authentication_event(
sid
) # use the last session
_state = json.dumps({"authn_time": authn_event["authn_time"]})
session_cookie = ec.cookie_dealer.create_cookie(
json.dumps(_state),
typ="session",
cookie_name=ec.cookie_name["session_management"],
)
opbs = session_cookie[ec.cookie_name["session_management"]]
_session_state = compute_session_state(
opbs.value, salt, request["client_id"], resp_info["return_uri"]
)
if "cookie" in resp_info:
if isinstance(resp_info["cookie"], list):
resp_info["cookie"].append(session_cookie)
else:
append_cookie(resp_info["cookie"], session_cookie)
else:
resp_info["cookie"] = session_cookie
resp_info["response_args"]["session_state"] = _session_state
# Mix-Up mitigation
resp_info["response_args"]["iss"] = self.endpoint_context.issuer
resp_info["response_args"]["client_id"] = request["client_id"]
return resp_info
def test_info(self):
session_id = setup_session(
self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)
handler = self.endpoint.endpoint_context.sdb.handler.handler["access_token"]
_info = handler.info(_dic["access_token"])
assert _info["type"] == "T"
assert _info["sid"] == session_id
def test_do_response_no_token(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_req = self.introspection_endpoint.parse_request({
"client_id":
"client_1",
"client_secret":
_context.cdb["client_1"]["client_secret"],
})
_resp = self.introspection_endpoint.process_request(_req)
assert "error" in _resp
def test_parse(self):
session_id = setup_session(
self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)
_verifier = JWT(self.endpoint.endpoint_context.keyjar)
_info = _verifier.unpack(_dic["access_token"])
assert _info["ttype"] == "T"
assert _info["phone_number"] == "+46907865000"
assert set(_info["aud"]) == {"client_1", "https://example.org/appl"}
def test_parse_with_wrong_client_authn(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_token = self._create_jwt("diana")
_basic_token = "{}:{}".format(
"client_1", _context.cdb["client_1"]["client_secret"])
_basic_token = as_unicode(base64.b64encode(as_bytes(_basic_token)))
_basic_authz = "Basic {}".format(_basic_token)
with pytest.raises(WrongAuthnMethod):
self.introspection_endpoint.parse_request({"token": _token},
_basic_authz)
def test_is_expired(self):
session_id = setup_session(
self.endpoint.endpoint_context, AUTH_REQ, uid="diana"
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(key=session_id)
handler = self.endpoint.endpoint_context.sdb.handler.handler["access_token"]
assert handler.is_expired(_dic["access_token"]) is False
assert (
handler.is_expired(_dic["access_token"], utc_time_sans_frac() + 4000)
is True
)
def test_setup_session():
endpoint_context = EndpointContext(conf)
uid = "_user_"
client_id = "EXTERNAL"
areq = None
acr = None
sid = setup_session(endpoint_context,
areq,
uid,
client_id,
acr,
salt="salt")
assert sid
def test_do_response(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
self.endpoint.endpoint_context.sdb.update(session_id, user="******")
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = self.endpoint.endpoint_context.sdb[session_id]["code"]
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
msg = self.endpoint.do_response(request=_req, **_resp)
assert isinstance(msg, dict)
def test_sub_minting_class():
conf["sub_func"] = {"public": {"class": SubMinter}}
endpoint_context = EndpointContext(conf)
uid = "_user_"
client_id = "EXTERNAL"
areq = None
acr = None
sid = setup_session(endpoint_context,
areq,
uid,
client_id,
acr,
salt="salt")
assert endpoint_context.sdb[sid]["sub"] == uid
def test_parse_with_client_auth_in_req(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_token = self._create_jwt("diana")
_req = self.introspection_endpoint.parse_request({
"token":
_token,
"client_id":
"client_1",
"client_secret":
_context.cdb["client_1"]["client_secret"],
})
assert isinstance(_req, TokenIntrospectionRequest)
assert set(_req.keys()) == {"token", "client_id", "client_secret"}
def test_process_request(self):
_context = self.introspection_endpoint.endpoint_context
_ = setup_session(_context, AUTH_REQ, uid="diana")
_token = self._create_jwt("diana", lifetime=6000)
_req = self.introspection_endpoint.parse_request({
"token":
_token,
"client_id":
"client_1",
"client_secret":
_context.cdb["client_1"]["client_secret"],
})
_resp = self.introspection_endpoint.process_request(_req)
assert _resp
assert set(_resp.keys()) == {"response_args"}
def _create_at(self, uid, lifetime=0, with_jti=False):
_context = self.introspection_endpoint.endpoint_context
session_id = setup_session(
_context,
AUTH_REQ,
uid=uid,
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = _context.sdb[session_id]["code"]
_context.sdb.update(session_id, user=uid)
_req = self.token_endpoint.parse_request(_token_request)
_resp = self.token_endpoint.process_request(request=_req)
_resp = AccessTokenResponse(**_resp["response_args"])
return _resp["access_token"]
def test_process_request(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
_context = self.endpoint.endpoint_context
_token_request["code"] = _context.sdb[session_id]["code"]
_context.sdb.update(session_id, user="******")
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
assert _resp
assert set(_resp.keys()) == {"http_headers", "response_args"}
def test_do_refresh_access_token_not_allowed(self):
areq = AUTH_REQ.copy()
areq["scope"] = ["openid", "offline_access"]
_cntx = self.endpoint.endpoint_context
session_id = setup_session(
_cntx, areq, uid="user", acr=INTERNETPROTOCOLPASSWORD
)
_cntx.sdb.update(session_id, user="******")
_token_request = TOKEN_REQ_DICT.copy()
_token_request["code"] = _cntx.sdb[session_id]["code"]
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
self.endpoint.allow_refresh = False
_request = REFRESH_TOKEN_REQ.copy()
_request["refresh_token"] = _resp["response_args"]["refresh_token"]
with pytest.raises(ProcessError):
self.endpoint.parse_request(_request.to_json())
def test_process_request(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="userID",
authn_event={
"authn_info": "loa1",
"uid": "diana",
"authn_time": utc_time_sans_frac(),
"valid_until": utc_time_sans_frac() + 3600,
},
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
key=session_id)
_req = self.endpoint.parse_request({},
auth="Bearer {}".format(
_dic["access_token"]))
args = self.endpoint.process_request(_req)
assert args
def test_process_request_using_code_twice(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
_context = self.endpoint.endpoint_context
_token_request["code"] = _context.sdb[session_id]["code"]
_context.sdb.update(session_id, user="******")
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
# 2nd time used
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
assert _resp
assert set(_resp.keys()) == {"error"}
def test_process_request_not_allowed(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="userID",
authn_event={
"authn_info": "loa1",
"uid": "diana",
"authn_time": utc_time_sans_frac() - 7200,
"valid_until": utc_time_sans_frac() - 3600,
},
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
key=session_id)
_req = self.endpoint.parse_request({},
auth="Bearer {}".format(
_dic["access_token"]))
args = self.endpoint.process_request(_req)
assert set(
args["response_args"].keys()) == {"error", "error_description"}
def test_process_request_offline_access(self):
auth_req = AUTH_REQ.copy()
auth_req["scope"] = ["openid", "offline_access"]
session_id = setup_session(
self.endpoint.endpoint_context,
auth_req,
uid="userID",
authn_event={
"authn_info": "loa1",
"uid": "diana",
"authn_time": utc_time_sans_frac() - 7200,
"valid_until": utc_time_sans_frac() - 3600,
},
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
key=session_id)
_req = self.endpoint.parse_request({},
auth="Bearer {}".format(
_dic["access_token"]))
args = self.endpoint.process_request(_req)
assert set(args["response_args"].keys()) == {"sub"}
def test_setup_session_upgrade_to_token():
endpoint_context = EndpointContext(conf)
uid = "_user_"
client_id = "EXTERNAL"
areq = None
acr = None
sid = setup_session(endpoint_context,
areq,
uid,
client_id,
acr,
salt="salt")
assert sid
code = endpoint_context.sdb[sid]["code"]
assert code
res = endpoint_context.sdb.upgrade_to_token(code)
assert "access_token" in res
endpoint_context.sdb.revoke_uid("_user_")
assert endpoint_context.sdb.is_session_revoked(sid)
def test_process_request_using_code_twice(self):
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="user",
acr=INTERNETPROTOCOLPASSWORD,
)
_token_request = TOKEN_REQ_DICT.copy()
_context = self.endpoint.endpoint_context
_token_request["code"] = _context.sdb[session_id]["code"]
_context.sdb.update(session_id, user="******")
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
# 2nd time used
# TODO: There is a bug in _post_parse_request, the returned error
# should be invalid_grant, not invalid_client
_req = self.endpoint.parse_request(_token_request)
_resp = self.endpoint.process_request(request=_req)
assert _resp
assert set(_resp.keys()) == {"error"}
def test_do_signed_response(self):
self.endpoint.endpoint_context.cdb["client_1"][
"userinfo_signed_response_alg"] = "ES256"
session_id = setup_session(
self.endpoint.endpoint_context,
AUTH_REQ,
uid="userID",
authn_event={
"authn_info": "loa1",
"uid": "diana",
"authn_time": utc_time_sans_frac(),
"valid_until": utc_time_sans_frac() + 3600,
},
)
_dic = self.endpoint.endpoint_context.sdb.upgrade_to_token(
key=session_id)
_req = self.endpoint.parse_request({},
auth="Bearer {}".format(
_dic["access_token"]))
args = self.endpoint.process_request(_req)
assert args
res = self.endpoint.do_response(request=_req, **args)
assert res