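def _keyjar(self, keyjar=None, db_conf=None, conf=None, entity_id=''):
    """Return *keyjar* unchanged, or build a new ``KeyJar`` from *conf*.

    Args:
        keyjar: An already initialised key jar. When given it is returned
            as-is and every other argument is ignored.
        db_conf: Optional storage configuration. If ``get_storage_conf``
            yields a ``keyjar`` section for it, ``storage_factory`` builds a
            storage backend that is handed to the new key jar.
        conf: Entity configuration. ``keys`` (minus ``uri_path``) is passed
            to ``init_key_jar``; ``jwks`` is imported under the empty issuer
            ID; ``httpc_params`` is copied onto the key jar. ``None`` is
            treated as an empty configuration.
        entity_id: This entity's own identifier. When set and keys exist
            under the empty issuer ID, those keys are registered under
            *entity_id* as well, so the entity can find its own keys by name.

    Returns:
        The supplied *keyjar* or the newly built one.
    """
    if keyjar is not None:
        return keyjar

    # ``'keys' in None`` raised TypeError; with the default conf=None an
    # absent configuration simply means "no configured keys".
    if conf is None:
        conf = {}

    _storage = None
    if db_conf:
        _cnf = get_storage_conf(db_conf, 'keyjar')
        if _cnf:
            _storage = storage_factory(_cnf)

    if 'keys' in conf:
        # uri_path belongs to the web layer, not to the key jar constructor.
        args = {k: v for k, v in conf["keys"].items() if k != "uri_path"}
        args.update({'storage': _storage})
        _keyjar = init_key_jar(**args)
    else:
        _keyjar = KeyJar(storage=_storage)

    if 'jwks' in conf:
        _keyjar.import_jwks(conf['jwks'], '')

    if '' in _keyjar and entity_id:
        # make sure I have the keys under my own name too (if I know it).
        # The export/import round-trip stays inside this one jar; the
        # ``True`` flag presumably selects the private half as well, which
        # the entity needs in order to sign as entity_id -- confirm against
        # the KeyJar API.
        _keyjar.import_jwks_as_json(_keyjar.export_jwks_as_json(True, ''), entity_id)

    _httpc_params = conf.get('httpc_params')
    if _httpc_params:
        _keyjar.httpc_params = _httpc_params

    return _keyjar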
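def _keyjar(self, keyjar=None, conf=None, entity_id=""):
    """Return *keyjar* unchanged, or build a new ``KeyJar`` from *conf*.

    Args:
        keyjar: An already initialised key jar. When given it is returned
            as-is and every other argument is ignored.
        conf: Entity configuration. The first of ``keys`` / ``key_conf``
            that is present (minus ``uri_path``) is passed to
            ``init_key_jar``; ``jwks`` is imported under the empty issuer
            ID; ``httpc_params`` is copied onto the key jar. ``None`` is
            treated as an empty configuration.
        entity_id: This entity's own identifier. When set and keys exist
            under the empty issuer ID, those keys are registered under
            *entity_id* as well, so the entity can find its own keys by name.

    Returns:
        The supplied *keyjar* or the newly built one.
    """
    if keyjar is not None:
        return keyjar

    # ``"keys" in None`` raised TypeError; with the default conf=None an
    # absent configuration simply means "no configured keys".
    if conf is None:
        conf = {}

    # ``keys`` takes precedence over the older ``key_conf`` spelling.
    for section in ("keys", "key_conf"):
        if section in conf:
            # uri_path belongs to the web layer, not to the key jar constructor.
            keys_args = {
                k: v for k, v in conf[section].items() if k != "uri_path"
            }
            _keyjar = init_key_jar(**keys_args)
            break
    else:
        _keyjar = KeyJar()

    if "jwks" in conf:
        _keyjar.import_jwks(conf["jwks"], "")

    if "" in _keyjar and entity_id:
        # make sure I have the keys under my own name too (if I know it).
        # The export/import round-trip stays inside this one jar; the
        # ``True`` flag presumably selects the private half as well, which
        # the entity needs in order to sign as entity_id -- confirm against
        # the KeyJar API.
        _keyjar.import_jwks_as_json(
            _keyjar.export_jwks_as_json(True, ""), entity_id)

    _httpc_params = conf.get("httpc_params")
    if _httpc_params:
        _keyjar.httpc_params = _httpc_params

    return _keyjar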
def test_eval_chains():
    """Collect and evaluate the trust chain of one leaf entity offline.

    The leaf's self-signed entity statement is fetched through a
    ``DummyCollector`` backed by the ``base_data`` fixture tree, its
    superiors are collected, the resulting tree is flattened into chains
    and each chain is evaluated as an ``openid_relying_party`` against a
    key jar that only holds the ``https://feide.no`` anchor keys.
    """
    leaf = 'https://foodle.uninett.no'
    base_data = os.path.join(BASE_PATH, 'base_data')
    collector = DummyCollector(trusted_roots=ANCHOR,
                               httpd=Publisher(base_data),
                               root_dir=base_data)

    # Leaf configuration: self-signed, so it only proves key possession.
    self_signed = collector.get_entity_statement(leaf, issuer=leaf, subject=leaf)
    leaf_config = verify_self_signed_signature(self_signed)
    assert leaf_config

    superiors = collector.collect_superiors(leaf_config['iss'], self_signed)
    chains = branch2lists({leaf: (self_signed, superiors)})

    # Only the anchor's keys are trusted a priori; everything else must
    # be established by the chain itself.
    anchor_keys = KeyJar()
    anchor_keys.import_jwks_as_json(jwks, 'https://feide.no')
    statements = [
        eval_chain(chain, anchor_keys, 'openid_relying_party')
        for chain in chains
    ]

    assert len(statements) == 1
    (statement,) = statements
    assert statement.fo == "https://feide.no"

    expected_metadata_keys = {
        'response_types', 'claims', 'contacts', 'application_type',
        'redirect_uris', 'id_token_signing_alg_values_supported', 'jwks_uri',
    }
    assert set(statement.metadata.keys()) == expected_metadata_keys
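def _read_text_file(path):
    """Return the content of *path* as text, closing the file afterwards."""
    with open(path) as fh:
        return fh.read()


def _load_json_if_exists(path):
    """Return the parsed JSON in *path*, or ``None`` when the file is absent."""
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return json.load(fh)


def _substitute_domain_in_authority(auth, domain):
    """Return a copy of *auth* with ``<DOMAIN>`` replaced in matching keys.

    Only keys containing the placeholder are rewritten, and only their
    value lists get the substitution too; other entries are copied as-is.
    A new dict is built because deleting and re-inserting keys while
    iterating ``auth.items()`` raises ``RuntimeError`` (dict changed size
    during iteration) as soon as a key actually holds the placeholder.
    """
    result = {}
    for key, vals in auth.items():
        if '<DOMAIN>' in key:
            new_key = key.replace('<DOMAIN>', domain)
            result[new_key] = [v.replace('<DOMAIN>', domain) for v in vals]
        else:
            result[key] = vals
    return result


def create(iss, sub, domain, root_dir):
    """Build a signed entity statement about *sub* issued by *iss*.

    All fixture files live in ``<root_dir>/<iss>/``:

    * ``<iss>.jwks.json`` and ``<sub>.jwks.json`` -- key sets imported into
      a fresh ``KeyJar`` under ``https://<iss>`` and ``https://<sub>``
      (the issuer set presumably includes the private signing key).
    * ``<sub>.metadata.json`` -- optional; string values containing
      ``<DOMAIN>`` get *domain* substituted.
    * ``<sub>.policy.json`` -- optional metadata policy, passed through.
    * ``<sub>.authority.json`` -- optional; keys containing ``<DOMAIN>``
      (and their value lists) get *domain* substituted.

    Args:
        iss: Host name of the issuing entity.
        sub: Host name of the subject entity.
        domain: Replacement for the ``<DOMAIN>`` placeholder.
        root_dir: Directory holding one sub-directory per issuer.

    Returns:
        Whatever ``create_entity_statement`` returns (a signed JWT).
    """
    kj = KeyJar()
    iss_id = "https://{}".format(iss)
    sub_id = "https://{}".format(sub)
    entity_dir = os.path.join(root_dir, iss)

    # Both key sets are read from the issuer's directory.
    kj.import_jwks_as_json(
        _read_text_file(os.path.join(entity_dir, "{}.jwks.json".format(iss))),
        iss_id)
    kj.import_jwks_as_json(
        _read_text_file(os.path.join(entity_dir, "{}.jwks.json".format(sub))),
        sub_id)

    metadata = _load_json_if_exists(
        os.path.join(entity_dir, "{}.metadata.json".format(sub)))
    if metadata:
        for conf in metadata.values():
            for key, val in conf.items():
                # NOTE(review): only string values are substituted; for a
                # list value ``in`` tests element equality, so a list element
                # holding the placeholder is left untouched -- confirm the
                # fixtures only use strings here.
                if '<DOMAIN>' in val:
                    conf[key] = val.replace('<DOMAIN>', domain)

    policy = _load_json_if_exists(
        os.path.join(entity_dir, "{}.policy.json".format(sub)))

    authority_file = os.path.join(entity_dir, "{}.authority.json".format(sub))
    if os.path.isfile(authority_file):
        _auth = _substitute_domain_in_authority(
            _load_json_if_exists(authority_file), domain)
        return create_entity_statement(iss_id, sub_id, kj, metadata, policy,
                                       _auth)
    return create_entity_statement(iss_id, sub_id, kj, metadata, policy)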
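def test_collect():
    """Walk a trust chain from a leaf up to the trust anchor and verify it.

    Every HTTP fetch is answered from the ``base_data`` fixture tree via
    ``responses``. Starting at ``foodle.uninett.no`` the test follows the
    first ``authority_hints`` entry of each statement until it reaches an
    entity in the collector's trusted anchors, collecting the leaf's
    self-signed statement plus one subordinate statement per hop. The
    chain is then verified against a key jar holding only the
    ``https://feide.no`` anchor keys and checked for constraint violations.
    """
    base_data = os.path.join(BASE_PATH, 'base_data')

    def read_fixture(*parts):
        # Read one fixture file below base_data and close it promptly.
        with open(os.path.join(base_data, *parts)) as fh:
            return fh.read()

    anchor_jwks = read_fixture('feide.no', 'feide.no', 'jwks.json')
    anchors = {'https://feide.no': json.loads(anchor_jwks)}
    # Only the anchor's keys are trusted a priori.
    anchor_keys = KeyJar()
    anchor_keys.import_jwks_as_json(anchor_jwks, 'https://feide.no')

    chain = []
    collector = Collector(trust_anchors=anchors)
    subject = "foodle.uninett.no"

    # Get the self-signed entity statement from the leaf.
    with responses.RequestsMock() as rsps:
        rsps.add(rsps.GET,
                 "https://foodle.uninett.no/.well-known/openid-federation",
                 body=read_fixture(subject, subject, 'jws'))
        self_signed = collector.get_configuration_information(
            "https://foodle.uninett.no")
    chain.append(self_signed)
    statement = verify_self_signed_signature(self_signed)
    assert statement

    authority = ""
    hops = 0
    while authority not in collector.trusted_anchors:
        # Guard against fixtures whose authority_hints form a cycle, which
        # would otherwise hang the test instead of failing it.
        hops += 1
        assert hops <= 10, "authority_hints never reach a trusted anchor"

        authority = statement['authority_hints'][0]
        netloc = authority[8:]  # strip the "https://" prefix positionally

        # The superior's self-signed configuration, which advertises its
        # federation API endpoint.
        with responses.RequestsMock() as rsps:
            rsps.add(rsps.GET,
                     "https://{}/.well-known/openid-federation".format(netloc),
                     body=read_fixture(netloc, netloc, "jws"))
            self_signed = collector.get_configuration_information(authority)
        statement = verify_self_signed_signature(self_signed)
        assert statement
        api_endpoint = statement['metadata']['federation_entity'][
            'federation_api_endpoint']

        # The superior's statement about the current subject.
        subject_id = "https://{}".format(subject)
        with responses.RequestsMock() as rsps:
            query_url = construct_entity_statement_query(
                api_endpoint, authority, subject_id)
            rsps.add(rsps.GET, query_url,
                     body=read_fixture(netloc, subject, "jws"))
            signed_statement = collector.get_entity_statement(
                api_endpoint, authority, subject_id)
        chain.append(signed_statement)

        # The payload is only parsed here, not signature-verified; the
        # whole chain is verified below by verify_trust_chain.
        statement = factory(signed_statement).jwt.payload()
        subject = statement['iss'][8:]

    # Now I have the chain; there should be 3 items in it.
    assert len(chain) == 3

    # verify the trust chain, anchor first
    chain.reverse()
    verified_chain = verify_trust_chain(chain, anchor_keys)
    # The result is the verified statements
    assert len(verified_chain) == 3

    # Check that the constraints are met
    assert meets_restrictions(verified_chain)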