    def test_custom_email_claims(self):
        """Check get_token_email with the custom OIDC email claim unset and set.

        OIDC_EMAIL_CLAIM is removed from the environment up front (its prior
        value, or the marker 'EMPTY', is handed to restore_email_claims on
        cleanup), the same token shapes are checked, then the variable is set
        to 'TEST_CLAIM' and the checks are repeated. A token with no email
        claim at all must be rejected with a 401.
        """
        self.addCleanup(self.restore_email_claims,
                        os.environ.pop('OIDC_EMAIL_CLAIM', 'EMPTY'))
        email = '*****@*****.**'
        email_claim = '*****@*****.**'
        custom_claim = Config.get_OIDC_email_claim()
        # (token payload, email that get_token_email must resolve to)
        cases = [
            ({'email': email, custom_claim: email_claim}, email_claim),
            ({custom_claim: email_claim}, email_claim),
            ({'email': email}, email),
        ]

        for token, expected in cases:
            with self.subTest(f"no custom claim {token}"):
                self.assertEqual(security.get_token_email(token), expected)

        os.environ['OIDC_EMAIL_CLAIM'] = 'TEST_CLAIM'
        for token, expected in cases:
            with self.subTest(f"custom claim {token}"):
                self.assertEqual(security.get_token_email(token), expected)

        with self.subTest("missing claim"):
            with self.assertRaises(DSSException) as ctx:
                security.get_token_email({})
            self.assertEqual(ctx.exception.status, 401)
            self.assertEqual(ctx.exception.message,
                             'Authorization token is missing email claims.')
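def get_token_email(token_info: typing.Mapping[str, typing.Any]) -> str:
    """Resolve the caller's email from a decoded token's claims.

    The configured custom claim (``Config.get_OIDC_email_claim()``) takes
    precedence; the standard ``email`` claim is the fallback.

    Args:
        token_info: Claims of an already-verified token.

    Returns:
        The non-empty email value found in the token.

    Raises:
        DSSException: 401 when neither claim is present, or when the value
            found is empty — an empty identity must fail closed rather than
            be returned as the principal.
    """
    try:
        email = token_info.get(Config.get_OIDC_email_claim()) or token_info['email']
    except KeyError:
        email = None
    # Also covers a present-but-empty/None `email` claim, which the plain
    # `or token_info['email']` fallback would otherwise hand back as-is.
    if not email:
        raise DSSException(401, 'Unauthorized',
                           'Authorization token is missing email claims.')
    return email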
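def get_service_jwt(service_credentials, group: typing.Optional[str] = None, email=True, email_claim=False,
                    audience=None, lifetime_seconds: int = 3600):
    """Mint an RS256-signed JWT asserting a service account's identity.

    Args:
        service_credentials: Mapping holding at least ``client_email``,
            ``private_key_id`` and ``private_key``.
        group: When truthy, emitted under the configured OIDC group claim.
        email: Emit the standard ``email`` claim.
        email_claim: Also emit the configured custom OIDC email claim.
        audience: ``aud`` claim; defaults to ``Config.get_audience()``.
        lifetime_seconds: Validity window measured from ``iat``. The token is
            a bearer credential, so keep this short (default one hour, the
            value previously hard-coded here).

    Returns:
        The compact-serialized JWT as a ``str``.
    """
    iat = time.time()
    exp = iat + lifetime_seconds
    client_email = service_credentials["client_email"]
    payload = {
        'iss': client_email,
        'sub': client_email,
        'aud': audience or Config.get_audience(),
        'iat': iat,
        'exp': exp,
        'scope': ['email', 'openid', 'offline_access'],
    }
    if group:
        payload[Config.get_OIDC_group_claim()] = group
    if email:
        payload['email'] = client_email
    if email_claim:
        payload[Config.get_OIDC_email_claim()] = client_email
    # `kid` names the signing key so a verifier can select the matching
    # public key; the private key itself is only used locally to sign.
    additional_headers = {'kid': service_credentials["private_key_id"]}
    signed_jwt = jwt.encode(payload, service_credentials["private_key"],
                            headers=additional_headers, algorithm='RS256')
    # PyJWT < 2 returns bytes while >= 2 returns str; normalise so callers
    # always receive a str instead of failing on `.decode()` under newer PyJWT.
    if isinstance(signed_jwt, bytes):
        signed_jwt = signed_jwt.decode()
    return signed_jwt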