def test_verify_uri_qp_match(self): _ec = self.endpoint.server_get("endpoint_context") _ec.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar"]})]} request = {"redirect_uri": "https://rp.example.com/cb?foo=bar"} verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_wrong_uri_type(self): _context = self.endpoint.server_get("endpoint_context") _context.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/cb", {})]} request = {"redirect_uri": "https://rp.example.com/cb?foo=bob"} with pytest.raises(ValueError): verify_uri(_context, request, "post_logout_redirect_uri", "client_id")
def test_verify_uri_unregistered(self): _ec = self.endpoint.server_get("endpoint_context") _ec.cdb["client_id"] = {"redirect_uris": [("https://rp.example.com/auth_cb", {})]} request = {"redirect_uri": "https://rp.example.com/cb"} with pytest.raises(RedirectURIError): verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_qp_missing_val(self): _ec = self.endpoint.server_get("endpoint_context") _ec.cdb["client_id"] = { "redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar", "low"]})] } request = {"redirect_uri": "https://rp.example.com/cb?foo=bar"} with pytest.raises(ValueError): verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_none_registered(self): _context = self.endpoint.server_get("endpoint_context") _context.cdb["client_id"] = { "post_logout_redirect_uri": [("https://rp.example.com/plrc", {})] } request = {"redirect_uri": "https://rp.example.com/cb"} with pytest.raises(ValueError): verify_uri(_context, request, "redirect_uri", "client_id")
def test_verify_uri_qp_mismatch(self): _context = self.endpoint.server_get("endpoint_context") _context.cdb["client_id"] = { "redirect_uris": [("https://rp.example.com/cb", {"foo": ["bar"]})] } request = {"redirect_uri": "https://rp.example.com/cb?foo=bob"} with pytest.raises(ValueError): verify_uri(_context, request, "redirect_uri", "client_id") request = {"redirect_uri": "https://rp.example.com/cb?foo=bar&foo=kex"} with pytest.raises(ValueError): verify_uri(_context, request, "redirect_uri", "client_id") request = {"redirect_uri": "https://rp.example.com/cb"} with pytest.raises(ValueError): verify_uri(_context, request, "redirect_uri", "client_id") request = {"redirect_uri": "https://rp.example.com/cb?foo=bar&level=low"} with pytest.raises(ValueError): verify_uri(_context, request, "redirect_uri", "client_id")
def process_request( self, request: Optional[Union[Message, dict]] = None, http_info: Optional[dict] = None, **kwargs ): """ Perform user logout :param request: :param http_info: :param kwargs: :return: """ _context = self.server_get("endpoint_context") _mngr = _context.session_manager if "post_logout_redirect_uri" in request: if "id_token_hint" not in request: raise InvalidRequest("If post_logout_redirect_uri then id_token_hint is a MUST") _cookies = http_info.get("cookie") _session_info = None if _cookies: _cookie_name = _context.cookie_handler.name["session"] try: _cookie_infos = _context.cookie_handler.parse_cookie( cookies=_cookies, name=_cookie_name ) except VerificationError: raise InvalidRequest("Cookie error") if _cookie_infos: # value is a JSON document _cookie_info = json.loads(_cookie_infos[0]["value"]) logger.debug("Cookie info: {}".format(_cookie_info)) try: _session_info = _mngr.get_session_info(_cookie_info["sid"], grant=True) except KeyError: raise ValueError("Can't find any corresponding session") if _session_info is None: logger.debug("No relevant cookie") raise ValueError("Missing cookie") if "id_token_hint" in request and _session_info: _id_token = request[verified_claim_name("id_token_hint")] logger.debug("ID token hint: {}".format(_id_token)) _aud = _id_token["aud"] if _session_info["client_id"] not in _aud: raise ValueError("Client ID doesn't match") if _id_token["sub"] != _session_info["grant"].sub: raise ValueError("Sub doesn't match") else: _aud = [] # _context.cdb[_session_info["client_id"]] # verify that the post_logout_redirect_uri if present are among the ones # registered try: _uri = request["post_logout_redirect_uri"] except KeyError: if _context.issuer.endswith("/"): _uri = "{}{}".format(_context.issuer, self.kwargs["post_logout_uri_path"]) else: _uri = "{}/{}".format(_context.issuer, self.kwargs["post_logout_uri_path"]) plur = False else: plur = True verify_uri( _context, request, "post_logout_redirect_uri", client_id=_session_info["client_id"], ) payload = { "sid": _session_info["session_id"], } # redirect user to OP logout verification page if plur and "state" in request: _uri = "{}?{}".format(_uri, urlencode({"state": request["state"]})) payload["state"] = request["state"] payload["redirect_uri"] = _uri logger.debug("JWS payload: {}".format(payload)) # From me to me _jws = JWT( _context.keyjar, iss=_context.issuer, lifetime=86400, sign_alg=self.kwargs["signing_alg"], ) sjwt = _jws.pack(payload=payload, recv=_context.issuer) location = "{}?{}".format(self.kwargs["logout_verify_url"], urlencode({"sjwt": sjwt})) return {"redirect_location": location}
def test_verify_uri_noregistered(self): _ec = self.endpoint.server_get("endpoint_context") request = {"redirect_uri": "https://rp.example.com/cb"} with pytest.raises(KeyError): verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_fragment(self): _ec = self.endpoint.server_get("endpoint_context") _ec.cdb["client_id"] = {"redirect_uri": ["https://rp.example.com/auth_cb"]} request = {"redirect_uri": "https://rp.example.com/cb#foobar"} with pytest.raises(URIError): verify_uri(_ec, request, "redirect_uri", "client_id")
def test_verify_uri_unknown_client(self): request = {"redirect_uri": "https://rp.example.com/cb"} with pytest.raises(UnknownClient): verify_uri(self.endpoint.server_get("endpoint_context"), request, "redirect_uri")