def test_handle_failed_connection(self): exception = requests.ConnectionError("No connection") responses.add(responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], body=exception) account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func) with pytest.raises(SATOSAAuthenticationError): account_linking.manage_al(self.context, self.internal_response)
def test_handle_failed_connection(self): exception = requests.ConnectionError("No connection") responses.add(responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], body=exception) account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func ) with pytest.raises(SATOSAAuthenticationError): account_linking.manage_al(self.context, self.internal_response)
def test_store_existing_uuid_in_internal_attributes(self): uuid = "uuid" responses.add(responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], status=200, body=uuid, content_type='text/html') account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func) account_linking.manage_al(self.context, self.internal_response) assert self.internal_response.get_user_id() == uuid
def test_account_link_does_not_exists(self): ticket = "ticket" responses.add(responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], status=404, body=ticket, content_type='text/html') account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func) result = account_linking.manage_al(self.context, self.internal_response) assert isinstance(result, Redirect) assert self.account_linking_config["redirect"] in result.message
def test_store_existing_uuid_in_internal_attributes(self): uuid = "uuid" responses.add( responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], status=200, body=uuid, content_type='text/html' ) account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func ) account_linking.manage_al(self.context, self.internal_response) assert self.internal_response.get_user_id() == uuid
def test_account_link_does_not_exists(self): ticket = "ticket" responses.add( responses.GET, "%s/get_id" % self.account_linking_config['rest_uri'], status=404, body=ticket, content_type='text/html' ) account_linking = AccountLinkingModule( SATOSAConfig(self.satosa_config), self.callback_func ) result = account_linking.manage_al(self.context, self.internal_response) assert isinstance(result, Redirect) assert self.account_linking_config["redirect"] in result.message
def __init__(self, config): """ Creates a satosa proxy base :type config: satosa.satosa_config.SATOSAConfig :param config: satosa proxy config """ if config is None: raise ValueError("Missing configuration") self.config = config LOGGER.info("Loading backend modules...") backends = load_backends(self.config, self._auth_resp_callback_func, self.config.INTERNAL_ATTRIBUTES) LOGGER.info("Loading frontend modules...") frontends = load_frontends(self.config, self._auth_req_callback_func, self.config.INTERNAL_ATTRIBUTES) self.consent_module = ConsentModule(config, self._consent_resp_callback_func) self.account_linking_module = AccountLinkingModule( config, self._account_linking_callback_func) # TODO register consent_module endpoints to module_router. Just add to backend list? if self.consent_module.enabled: backends["consent"] = self.consent_module if self.account_linking_module.enabled: backends["account_linking"] = self.account_linking_module LOGGER.info("Loading micro services...") self.request_micro_services = None self.response_micro_services = None if "MICRO_SERVICES" in self.config: self.request_micro_services, self.response_micro_services = load_micro_services( self.config.PLUGIN_PATH, self.config.MICRO_SERVICES, self.config.INTERNAL_ATTRIBUTES) self.module_router = ModuleRouter(frontends, backends)
def __init__(self, config): """ Creates a satosa proxy base :type config: satosa.satosa_config.SATOSAConfig :param config: satosa proxy config """ if config is None: raise ValueError("Missing configuration") self.config = config LOGGER.info("Loading backend modules...") backends = load_backends(self.config, self._auth_resp_callback_func, self.config.INTERNAL_ATTRIBUTES) LOGGER.info("Loading frontend modules...") frontends = load_frontends(self.config, self._auth_req_callback_func, self.config.INTERNAL_ATTRIBUTES) self.consent_module = ConsentModule(config, self._consent_resp_callback_func) self.account_linking_module = AccountLinkingModule(config, self._account_linking_callback_func) # TODO register consent_module endpoints to module_router. Just add to backend list? if self.consent_module.enabled: backends["consent"] = self.consent_module if self.account_linking_module.enabled: backends["account_linking"] = self.account_linking_module LOGGER.info("Loading micro services...") self.request_micro_services = None self.response_micro_services = None if "MICRO_SERVICES" in self.config: self.request_micro_services, self.response_micro_services = load_micro_services( self.config.PLUGIN_PATH, self.config.MICRO_SERVICES, self.config.INTERNAL_ATTRIBUTES) self.module_router = ModuleRouter(frontends, backends)
def test_disable_account_linking(self): self.account_linking_config['enable'] = False config = SATOSAConfig(self.satosa_config) account_linking = AccountLinkingModule(config, self.callback_func) account_linking.manage_al(None, None) assert self.callback_func.called
class SATOSABase(object): """ Base class for a satosa proxy server. Does not contain any server parts. """ STATE_KEY = "SATOSA_REQUESTOR" def __init__(self, config): """ Creates a satosa proxy base :type config: satosa.satosa_config.SATOSAConfig :param config: satosa proxy config """ if config is None: raise ValueError("Missing configuration") self.config = config LOGGER.info("Loading backend modules...") backends = load_backends(self.config, self._auth_resp_callback_func, self.config.INTERNAL_ATTRIBUTES) LOGGER.info("Loading frontend modules...") frontends = load_frontends(self.config, self._auth_req_callback_func, self.config.INTERNAL_ATTRIBUTES) self.consent_module = ConsentModule(config, self._consent_resp_callback_func) self.account_linking_module = AccountLinkingModule(config, self._account_linking_callback_func) # TODO register consent_module endpoints to module_router. Just add to backend list? if self.consent_module.enabled: backends["consent"] = self.consent_module if self.account_linking_module.enabled: backends["account_linking"] = self.account_linking_module LOGGER.info("Loading micro services...") self.request_micro_services = None self.response_micro_services = None if "MICRO_SERVICES" in self.config: self.request_micro_services, self.response_micro_services = load_micro_services( self.config.PLUGIN_PATH, self.config.MICRO_SERVICES, self.config.INTERNAL_ATTRIBUTES) self.module_router = ModuleRouter(frontends, backends) def _auth_req_callback_func(self, context, internal_request): """ This function is called by a frontend module when an authorization request has been processed. :type context: satosa.context.Context :type internal_request: satosa.internal_data.InternalRequest :rtype: satosa.response.Response :param context: The request context :param internal_request: request processed by the frontend :return: response """ state = context.state state.add(SATOSABase.STATE_KEY, internal_request.requestor) satosa_logging(LOGGER, logging.INFO, "Requesting provider: {}".format(internal_request.requestor), state) context.request = None backend = self.module_router.backend_routing(context) self.consent_module.save_state(internal_request, state) UserIdHasher.save_state(internal_request, state) if self.request_micro_services: internal_request = self.request_micro_services.process_service_queue(context, internal_request) return backend.start_auth(context, internal_request) def _auth_resp_callback_func(self, context, internal_response): """ This function is called by a backend module when the authorization is complete. :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The request context :param internal_response: The authentication response :return: response """ context.request = None internal_response.to_requestor = context.state.get(SATOSABase.STATE_KEY) user_id_attr = self.config.INTERNAL_ATTRIBUTES.get("user_id_from_attr", []) if user_id_attr: internal_response.set_user_id_from_attr(user_id_attr) # Hash the user id user_id = UserIdHasher.hash_data(self.config.USER_ID_HASH_SALT, internal_response.get_user_id()) internal_response.set_user_id(user_id) if self.response_micro_services: internal_response = \ self.response_micro_services.process_service_queue(context, internal_response) return self.account_linking_module.manage_al(context, internal_response) def _account_linking_callback_func(self, context, internal_response): """ This function is called by the account linking module when the linking step is done :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The response context :param internal_response: The authentication response :return: response """ user_id = UserIdHasher.hash_id(self.config.USER_ID_HASH_SALT, internal_response.get_user_id(), internal_response.to_requestor, context.state) internal_response.set_user_id(user_id) internal_response.set_user_id_hash_type(UserIdHasher.hash_type(context.state)) user_id_to_attr = self.config.INTERNAL_ATTRIBUTES.get("user_id_to_attr", None) if user_id_to_attr: attributes = internal_response.get_attributes() attributes[user_id_to_attr] = internal_response.get_user_id() internal_response.add_attributes(attributes) # Hash all attributes specified in INTERNAL_ATTRIBUTES["hash] hash_attributes = self.config.INTERNAL_ATTRIBUTES.get("hash", []) internal_attributes = internal_response.get_attributes() for attribute in hash_attributes: internal_attributes[attribute] = UserIdHasher.hash_data(self.config.USER_ID_HASH_SALT, internal_attributes[attribute]) return self.consent_module.manage_consent(context, internal_response) def _consent_resp_callback_func(self, context, internal_response): """ This function is called by the consent module when the consent step is done :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The response context :param internal_response: The authentication response :return: response """ context.request = None context.state.set_delete_state() frontend = self.module_router.frontend_routing(context) return frontend.handle_authn_response(context, internal_response) def _handle_satosa_authentication_error(self, error): """ Sends a response to the requestor about the error :type error: satosa.exception.SATOSAAuthenticationError :rtype: satosa.response.Response :param error: The exception :return: response """ context = Context() context.state = error.state frontend = self.module_router.frontend_routing(context) return frontend.handle_backend_error(error) def _run_bound_endpoint(self, context, spec): """ :type context: satosa.context.Context :type spec: ((satosa.context.Context, Any) -> satosa.response.Response, Any) | (satosa.context.Context) -> satosa.response.Response :param context: The request context :param spec: bound endpoint function :return: response """ try: if isinstance(spec, tuple): return spec[0](context, *spec[1:]) else: return spec(context) except SATOSAAuthenticationError as error: error.error_id = uuid4().urn msg = "ERROR_ID [{err_id}]\nSTATE:\n{state}".format(err_id=error.error_id, state=json.dumps( error.state.state_dict, indent=4)) satosa_logging(LOGGER, logging.ERROR, msg, error.state, exc_info=True) return self._handle_satosa_authentication_error(error) def _load_state(self, context): """ Load a state to the context :type context: satosa.context.Context :param context: Session context """ try: state = cookie_to_state(context.cookie, self.config.COOKIE_STATE_NAME, self.config.STATE_ENCRYPTION_KEY) except SATOSAStateError: state = State() context.state = state def _save_state(self, resp, context): """ Saves a state from context to cookie :type resp: satosa.response.Response :type context: satosa.context.Context :param resp: The response :param context: Session context """ if context.state.should_delete(): # Save empty state with a max age of 0 cookie = state_to_cookie(State(), self.config.COOKIE_STATE_NAME, "/", self.config.STATE_ENCRYPTION_KEY, 0) else: cookie = state_to_cookie(context.state, self.config.COOKIE_STATE_NAME, "/", self.config.STATE_ENCRYPTION_KEY) if isinstance(resp, Response): resp.add_cookie(cookie) else: try: resp.headers.append(tuple(cookie.output().split(": ", 1))) except: satosa_logging(LOGGER, logging.WARN, "can't add cookie to response '%s'" % resp.__class__, context.state) pass def run(self, context): """ Runs the satosa proxy with the given context. :type context: satosa.context.Context :rtype: satosa.response.Response :param context: The request context :return: response """ try: self._load_state(context) spec = self.module_router.endpoint_routing(context) resp = self._run_bound_endpoint(context, spec) self._save_state(resp, context) except SATOSAError: satosa_logging(LOGGER, logging.ERROR, "Uncaught SATOSA error", context.state, exc_info=True) raise except Exception as err: satosa_logging(LOGGER, logging.ERROR, "Uncaught exception", context.state, exc_info=True) raise SATOSAUnknownError("Unknown error") from err return resp
class SATOSABase(object): """ Base class for a satosa proxy server. Does not contain any server parts. """ STATE_KEY = "SATOSA_REQUESTOR" def __init__(self, config): """ Creates a satosa proxy base :type config: satosa.satosa_config.SATOSAConfig :param config: satosa proxy config """ if config is None: raise ValueError("Missing configuration") self.config = config LOGGER.info("Loading backend modules...") backends = load_backends(self.config, self._auth_resp_callback_func, self.config.INTERNAL_ATTRIBUTES) LOGGER.info("Loading frontend modules...") frontends = load_frontends(self.config, self._auth_req_callback_func, self.config.INTERNAL_ATTRIBUTES) self.consent_module = ConsentModule(config, self._consent_resp_callback_func) self.account_linking_module = AccountLinkingModule( config, self._account_linking_callback_func) # TODO register consent_module endpoints to module_router. Just add to backend list? if self.consent_module.enabled: backends["consent"] = self.consent_module if self.account_linking_module.enabled: backends["account_linking"] = self.account_linking_module LOGGER.info("Loading micro services...") self.request_micro_services = None self.response_micro_services = None if "MICRO_SERVICES" in self.config: self.request_micro_services, self.response_micro_services = load_micro_services( self.config.PLUGIN_PATH, self.config.MICRO_SERVICES, self.config.INTERNAL_ATTRIBUTES) self.module_router = ModuleRouter(frontends, backends) def _auth_req_callback_func(self, context, internal_request): """ This function is called by a frontend module when an authorization request has been processed. :type context: satosa.context.Context :type internal_request: satosa.internal_data.InternalRequest :rtype: satosa.response.Response :param context: The request context :param internal_request: request processed by the frontend :return: response """ state = context.state state.add(SATOSABase.STATE_KEY, internal_request.requestor) satosa_logging( LOGGER, logging.INFO, "Requesting provider: {}".format(internal_request.requestor), state) context.request = None backend = self.module_router.backend_routing(context) self.consent_module.save_state(internal_request, state) UserIdHasher.save_state(internal_request, state) if self.request_micro_services: internal_request = self.request_micro_services.process_service_queue( context, internal_request) return backend.start_auth(context, internal_request) def _auth_resp_callback_func(self, context, internal_response): """ This function is called by a backend module when the authorization is complete. :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The request context :param internal_response: The authentication response :return: response """ context.request = None internal_response.to_requestor = context.state.get( SATOSABase.STATE_KEY) user_id_attr = self.config.INTERNAL_ATTRIBUTES.get( "user_id_from_attr", []) if user_id_attr: internal_response.set_user_id_from_attr(user_id_attr) # Hash the user id user_id = UserIdHasher.hash_data(self.config.USER_ID_HASH_SALT, internal_response.get_user_id()) internal_response.set_user_id(user_id) if self.response_micro_services: internal_response = \ self.response_micro_services.process_service_queue(context, internal_response) return self.account_linking_module.manage_al(context, internal_response) def _account_linking_callback_func(self, context, internal_response): """ This function is called by the account linking module when the linking step is done :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The response context :param internal_response: The authentication response :return: response """ user_id = UserIdHasher.hash_id(self.config.USER_ID_HASH_SALT, internal_response.get_user_id(), internal_response.to_requestor, context.state) internal_response.set_user_id(user_id) internal_response.set_user_id_hash_type( UserIdHasher.hash_type(context.state)) user_id_to_attr = self.config.INTERNAL_ATTRIBUTES.get( "user_id_to_attr", None) if user_id_to_attr: attributes = internal_response.get_attributes() attributes[user_id_to_attr] = internal_response.get_user_id() internal_response.add_attributes(attributes) # Hash all attributes specified in INTERNAL_ATTRIBUTES["hash] hash_attributes = self.config.INTERNAL_ATTRIBUTES.get("hash", []) internal_attributes = internal_response.get_attributes() for attribute in hash_attributes: internal_attributes[attribute] = UserIdHasher.hash_data( self.config.USER_ID_HASH_SALT, internal_attributes[attribute]) return self.consent_module.manage_consent(context, internal_response) def _consent_resp_callback_func(self, context, internal_response): """ This function is called by the consent module when the consent step is done :type context: satosa.context.Context :type internal_response: satosa.internal_data.InternalResponse :rtype: satosa.response.Response :param context: The response context :param internal_response: The authentication response :return: response """ context.request = None context.state.set_delete_state() frontend = self.module_router.frontend_routing(context) return frontend.handle_authn_response(context, internal_response) def _handle_satosa_authentication_error(self, error): """ Sends a response to the requestor about the error :type error: satosa.exception.SATOSAAuthenticationError :rtype: satosa.response.Response :param error: The exception :return: response """ context = Context() context.state = error.state frontend = self.module_router.frontend_routing(context) return frontend.handle_backend_error(error) def _run_bound_endpoint(self, context, spec): """ :type context: satosa.context.Context :type spec: ((satosa.context.Context, Any) -> satosa.response.Response, Any) | (satosa.context.Context) -> satosa.response.Response :param context: The request context :param spec: bound endpoint function :return: response """ try: if isinstance(spec, tuple): return spec[0](context, *spec[1:]) else: return spec(context) except SATOSAAuthenticationError as error: error.error_id = uuid4().urn msg = "ERROR_ID [{err_id}]\nSTATE:\n{state}".format( err_id=error.error_id, state=json.dumps(error.state.state_dict, indent=4)) satosa_logging(LOGGER, logging.ERROR, msg, error.state, exc_info=True) return self._handle_satosa_authentication_error(error) def _load_state(self, context): """ Load a state to the context :type context: satosa.context.Context :param context: Session context """ try: state = cookie_to_state(context.cookie, self.config.COOKIE_STATE_NAME, self.config.STATE_ENCRYPTION_KEY) except SATOSAStateError: state = State() context.state = state def _save_state(self, resp, context): """ Saves a state from context to cookie :type resp: satosa.response.Response :type context: satosa.context.Context :param resp: The response :param context: Session context """ if context.state.should_delete(): # Save empty state with a max age of 0 cookie = state_to_cookie(State(), self.config.COOKIE_STATE_NAME, "/", self.config.STATE_ENCRYPTION_KEY, 0) else: cookie = state_to_cookie(context.state, self.config.COOKIE_STATE_NAME, "/", self.config.STATE_ENCRYPTION_KEY) if isinstance(resp, Response): resp.add_cookie(cookie) else: try: resp.headers.append(tuple(cookie.output().split(": ", 1))) except: satosa_logging( LOGGER, logging.WARN, "can't add cookie to response '%s'" % resp.__class__, context.state) pass def run(self, context): """ Runs the satosa proxy with the given context. :type context: satosa.context.Context :rtype: satosa.response.Response :param context: The request context :return: response """ try: self._load_state(context) spec = self.module_router.endpoint_routing(context) resp = self._run_bound_endpoint(context, spec) self._save_state(resp, context) except SATOSAError: satosa_logging(LOGGER, logging.ERROR, "Uncaught SATOSA error", context.state, exc_info=True) raise except Exception as err: satosa_logging(LOGGER, logging.ERROR, "Uncaught exception", context.state, exc_info=True) raise SATOSAUnknownError("Unknown error") from err return resp