def to_prr(self, request, ressrv):
"""
Trying to register a permission for an unknown resource set will
fail
:param request: JSON encoded permission request or list of permission
requests
:param ressrv: Client id of the resource server
"""
decoded_req = json.loads(request)
pr_req = []
adb = self.get_adb(ressrv)
if isinstance(decoded_req, list):
for item in decoded_req:
if item['resource_set_id'] in adb.resource_set.rsid2oid:
pr_req.append(PermissionRegistrationRequest(**item))
else:
logger.warning(
'Trying to register permission for unknown resource set'
)
else:
if decoded_req['resource_set_id'] in adb.resource_set.rsid2oid:
pr_req.append(PermissionRegistrationRequest(**decoded_req))
else:
logger.warning(
'Trying to register permission for unknown resource set')
return pr_req
def test_requestor(self):
prreq = PermissionRegistrationRequest(resource_set_id='1',
scopes=[READ])
self.pr['ticket1'] = [prreq]
prreq = PermissionRegistrationRequest(resource_set_id='2',
scopes=[READ, WRITE])
self.pr['ticket2'] = [prreq]
assert self.pr.len() == 2
assert _eq(set(self.pr.keys()), {'ticket1', 'ticket2'})
self.pr.bind_requestor_to_ticket('requestor', 'ticket1')
assert self.pr.requestor2tickets('requestor') == ['ticket1']
assert self.pr.rsid2requestor('1') == ['requestor']
self.pr.bind_requestor_to_ticket('requestor', 'ticket2')
assert _eq(self.pr.requestor2tickets('requestor'),
['ticket1', 'ticket2'])
assert self.pr.rsid2requestor('2') == ['requestor']
del self.pr['ticket1']
assert self.pr.requestor2tickets('requestor') == ['ticket2']
def add_request(self, ticket, req):
"""
:param req: The Permission Registration Request as a JSON encoded string
Note that the request can be a list of requests.
"""
decoded_req = json.loads(req)
if isinstance(decoded_req, list):
prr_req = []
for item in decoded_req:
prr_req.append(PermissionRegistrationRequest(**item))
self.request[ticket] = prr_req
else:
self.request[ticket] = [
PermissionRegistrationRequest(**decoded_req)
]
def test_simple(self):
prreq = PermissionRegistrationRequest(resource_set_id='1',
scopes=[READ])
self.pr['ticket'] = [prreq]
_prreq = self.pr['ticket']
assert [prreq] == _prreq
assert list(self.pr.keys()) == ['ticket']
assert self.pr.ticket2rsid('ticket') == ['1']
req = self.pr.rsid2requests('1')
assert list(req.keys()) == ['ticket']
assert req['ticket'] == [prreq]
del self.pr['ticket']
try:
self.pr['ticket']
except KeyError:
pass
else:
assert False
assert self.pr.len() == 0
assert list(self.pr.keys()) == []
def test_senario_1():
# create ADB instance
adb = ADB(KEYJAR, 3600, issuer, RESSRV, RSR_PATH)
# register resource set
rsd = ResourceSetDescription(name='foo', scopes=[READ, WRITE])
status = adb.resource_set.create(rsd.to_json(), 'alice')
rsid = status['_id']
# assume no authorization decisions has been made
# accessing a resource set will eventually result in a ticket being issued
prreq = PermissionRegistrationRequest(resource_set_id=rsid, scopes=[READ])
ticket = adb.ticket_factory.pack(aud=['client_id'])
adb.permission_requests[ticket] = [prreq]
# Still no authz dec. So this should fail
try:
adb.issue_rpt(ticket, {'sub': 'roger'})
except TicketError as err:
assert err.typ == 'not_authorized'
else:
assert False
# Authz dec made
permission = {
'resource_set_id': rsid,
'scopes': [READ],
'require': {
'sub': 'roger'
}
}
pid = adb.store_permission(permission, 'alice')
# Get an RPT. This should now work
rpt = adb.issue_rpt(ticket, {'sub': 'roger'})
assert rpt
# later use the RPT, turn into authz descriptions
ad = adb.introspection(rpt)
assert len(ad) == 1
assert ad[0]['resource_set_id'] == rsid
assert ad[0]['scopes'] == [READ]
# Get an RPT. This should not work since the ticket is 'one time use'
try:
adb.issue_rpt(ticket, {'sub': 'roger'})
except TicketError as err:
assert err.typ == 'invalid'
else:
assert False
# The authz on which issuing the RPT is based is removed
adb.remove_permission('alice', pid=pid)
# Now introspections should fail
assert adb.introspection(rpt) == []
def test_rpt_endpoint(self):
"""
A couple of things have to happen before any action can occur on
the rpt endpoint.
1. registration of Resource set
2. Registration of a permission request
3. Registration of an authorization
"""
# (1) register resource set
read_write = [SCOPES[s] for s in ['read', 'write']]
rsd = ResourceSetDescription(name='foo', scopes=read_write)
resp = self.uas.resource_set_registration_endpoint_(
"alice", RSR_PATH, method="POST", body=rsd.to_json(),
client_id="12345678")
rsid = StatusResponse().from_json(resp.message)['_id']
# (2) register a permission request
read_write = [SCOPES[s] for s in ['read', 'write']]
perm_reg = PermissionRegistrationRequest(resource_set_id=rsid,
scopes=read_write)
resp = self.uas.permission_registration_endpoint_(
owner="alice", request=perm_reg.to_json(), client_id="12345678")
assert isinstance(resp, Created)
ticket = json.loads(resp.message)['ticket']
# (3) registration of authorization
permission = {'resource_set_id': rsid, 'scopes': read_write,
'require': {'sub': 'roger'}}
adb = self.uas.get_adb("12345678")
adb.store_permission(permission, 'alice')
# Get an RPT. This should work
req = AuthorizationDataRequest(ticket=ticket)
resp = self.uas.rpt_endpoint_('roger', '12345678',
request=req.to_json())
assert resp
def create_permission_request(self, operation, uid, query):
res_set = self.rs_handler.query2permission_registration_request_primer(
operation, uid, query)
pre_rpp = [(self.rs_handler.rsd_map[lid]['_id'], [scope]) for lid, scope
in res_set]
prrs = []
for rsid, scopes in pre_rpp:
prrs.append(PermissionRegistrationRequest(resource_set_id=rsid,
scopes=scopes).to_dict())
return prrs
def test_inital_add():
uas = UmaAS()
data = ResourceSetDescription(name="stuff", scopes=ALL).to_json()
resp = uas.resource_set_registration_endpoint_("alice", RSR_PATH, method="POST",
body=data, client_id="12345678",
if_match="xyzzy")
_stat = StatusResponse().from_json(resp.message)
rsid = _stat["_id"]
headers = dict(resp.headers)
assert headers["Location"] == "/{}/{}".format(RSR_PATH, rsid)
read_write = [SCOPES["read"], SCOPES["write"]]
uas.permission_registration_endpoint_("alice", request=PermissionRegistrationRequest(
resource_set_id=rsid, scopes=read_write).to_json())
uas.store_permission("alice", "roger", {rsid: read_write})
scopes, ts = uas.read_permission("alice", "roger", rsid)
assert _eq(scopes, read_write)
def test_permission_registration_endpoint(self):
data = ResourceSetDescription(name="stuff", scopes=ALL).to_json()
# Register a resource set
resp = self.uas.resource_set_registration_endpoint_(
"alice", RSR_PATH, method="POST", body=data, client_id="12345678",
if_match="xyzzy")
rsid = StatusResponse().from_json(resp.message)['_id']
read_write = [SCOPES[s] for s in ['read', 'write']]
perm_reg = PermissionRegistrationRequest(resource_set_id=rsid,
scopes=read_write)
resp = self.uas.permission_registration_endpoint_(
owner="alice", request=perm_reg.to_json(), client_id="12345678")
assert isinstance(resp, Created)
# Trying to register a request with an unknown rsid
perm_reg = PermissionRegistrationRequest(
resource_set_id='0987654321', scopes=read_write)
resp = self.uas.permission_registration_endpoint_(
owner="alice", request=perm_reg.to_json(), client_id="12345678")
assert isinstance(resp, BadRequest)
# set permissions such that the request below succeeds
owner = safe_name(RESOURCE_OWNER, ressrv.client.client_id)
for rsid, scopes in pre_rpp:
authzsrv.permit.set_permit(owner, REQUESTOR, rsid, scopes)
# -----------------------------------------------------------------------------
# The client does a first attempt at getting information from the RS
# (not shown here) but without a RPT it only gets information about where
# the AS is.
# The RS on the other hand registers the necessary permission at the AS
prrs = []
for rsid, scopes in pre_rpp:
prrs.append(
PermissionRegistrationRequest(resource_set_id=rsid,
scopes=scopes).to_dict())
pat = ressrv.rs_handler.token['PAT']
resp = authzsrv.permission_registration_endpoint(json.dumps(prrs),
'Bearer {}'.format(pat))
assert resp.status == "201 Created"
ticket = PermissionRegistrationResponse().from_json(resp.message)["ticket"]
# ============================== 4 ===========================================
# Crank up the client such that the relationship with the AS can be
# settled.
CLI_PORT = 8090
CLI_BASE = "https://localhost:%s" % CLI_PORT
rtr = RPTResponse().from_json(resp.message)
_uma_client.token[USER]["RPT"] = rtr["rpt"]
# Client tries to grab some info using the RPT as authn information
# => fails the Resource server registers authz request
# Introspection reveals no permissions are bound to the RPT
ir = introspect(_uma_client, ressrv, authzsrv)
assert ir["active"] is True
assert "permissions" not in ir
# The RS registers an Authorization request
REQ_SCOPES = ["http://its.umu.se/uma/attr/displayName"]
prr = PermissionRegistrationRequest(resource_set_id=_rsid, scopes=REQ_SCOPES)
client, url, ht_args = ressrv.register_init(RESOURCE_OWNER,
"permission_registration_endpoint",
prr, _rsid)
authninfo = ht_args["headers"]["Authorization"]
permresp = authzsrv.permission_registration_endpoint(prr.to_json(), authninfo)
created = PermissionRegistrationResponse().from_json(permresp.message)
_, kwargs = _uma_client.create_authorization_data_request(USER,
created["ticket"])
request = kwargs["data"]
authn_info = kwargs["headers"]["Authorization"]
res = authzsrv.authorization_request_endpoint(request, authn_info)
request_args = {"access_token": pat}
ht_args = client_x.client_authn_method["bearer_header"](ressrv).construct(
ir, request_args=request_args)
resp = authzsrv.introspection_endpoint(ir.to_json(),
ht_args["headers"]["Authorization"])
ir = IntrospectionResponse().from_json(resp.message)
assert ir["active"] is True
assert "permissions" not in ir
# The RS registers an Authorization request
REQ_SCOPES = ["http://its.umu.se/uma/attr/displayName"]
prr = PermissionRegistrationRequest(resource_set_id=_rsid, scopes=REQ_SCOPES)
client, url, ht_args = ressrv.register_init(
RESOURCE_OWNER, "permission_registration_endpoint", prr, _rsid)
authninfo = ht_args["headers"]["Authorization"]
permresp = authzsrv.permission_registration_endpoint(prr.to_json(), authninfo)
created = PermissionRegistrationResponse().from_json(permresp.message)
_, kwargs = _uma_client.create_authorization_data_request(
USER, created["ticket"])
request = kwargs["data"]
authn_info = kwargs["headers"]["Authorization"]
res = authzsrv.authorization_request_endpoint(request, authn_info)
assert res.status == "200 OK"
