def test_create_fo_keys_bundle():
jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar)
jb[FOP.iss] = FOP.keyjar
jb[FO1P.iss] = FO1P.keyjar
sb = jb.create_signed_bundle()
_jw = jws.factory(sb)
assert _jw
def test_dumps():
jb = JWKSBundle('iss')
for iss, op in OPERATOR.items():
jb[op.iss] = op.keyjar
bs = jb.dumps()
assert len(bs) > 2000
def __init__(self,
keyjar=None,
fo_keyjar=None,
httpcli=None,
jwks_file='',
iss=None,
keyconf=None,
bundle_sign_alg='RS256'):
Operator.__init__(self,
keyjar=keyjar,
fo_keyjar=fo_keyjar,
httpcli=httpcli,
iss=iss,
jwks_file=jwks_file)
if self.keyjar is None:
self.keyjar = build_keyjar(keyconf)[1]
if jwks_file:
fp = open(jwks_file, 'w')
fp.write(json.dumps(self.keyjar.export_jwks(private=True)))
fp.close()
self.keyconf = keyconf
self.bundle_sign_alg = bundle_sign_alg
self.jb = JWKSBundle(iss, self.keyjar)
def test_create_verify():
jb = JWKSBundle('iss', SignKeyJar)
for iss, op in OPERATOR.items():
jb[op.iss] = op.keyjar
_jws = jb.create_signed_bundle()
_jwks = SignKeyJar.export_jwks()
kj = KeyJar()
kj.import_jwks(_jwks, 'iss')
bundle = verify_signed_bundle(_jws, kj)
assert bundle
def test_create_verify_fo_keys_bundle():
jb = JWKSBundle(ORGOP.iss, ORGOP.keyjar)
jb[FOP.iss] = FOP.keyjar
jb[FO1P.iss] = FO1P.keyjar
sb = jb.create_signed_bundle()
kj = KeyJar()
kj.add_keyjar(ORGOP.keyjar)
# Necessary since otherwise it won't find the key
kj.issuer_keys[ORGOP.iss] = kj.issuer_keys['']
_jwt = verify_signed_bundle(sb, kj)
bundle = json.loads(_jwt["bundle"])
assert set(bundle.keys()) == {FOP.iss, FO1P.iss}
def test_dump_load():
jb = JWKSBundle('iss')
for iss, op in OPERATOR.items():
jb[op.iss] = op.keyjar
bs = jb.dumps()
receiver = JWKSBundle('')
receiver.loads(bs)
assert len(receiver.keys()) == 4
assert set(receiver.keys()) == set([op.iss for op in OPERATOR.values()])
class FederationOperator(Operator):
def __init__(self,
keyjar=None,
fo_keyjar=None,
httpcli=None,
jwks_file='',
iss=None,
keyconf=None,
bundle_sign_alg='RS256'):
Operator.__init__(self,
keyjar=keyjar,
fo_keyjar=fo_keyjar,
httpcli=httpcli,
iss=iss,
jwks_file=jwks_file)
if self.keyjar is None:
self.keyjar = build_keyjar(keyconf)[1]
if jwks_file:
fp = open(jwks_file, 'w')
fp.write(json.dumps(self.keyjar.export_jwks(private=True)))
fp.close()
self.keyconf = keyconf
self.bundle_sign_alg = bundle_sign_alg
self.jb = JWKSBundle(iss, self.keyjar)
def public_keys(self):
return self.keyjar.export_jwks()
def rotate_keys(self, keyconf=None):
_old = [k.kid for k in self.keyjar.get_issuers_keys('') if k.kid]
if keyconf:
self.keyjar = build_keyjar(keyconf, keyjar=self.keyjar)[1]
else:
self.keyjar = build_keyjar(self.keyconf, keyjar=self.keyjar)[1]
for k in self.keyjar.get_issuers_keys(''):
if k.kid in _old:
if not k.inactive_since:
k.inactive_since = time.time()
def export_jwks(self):
return self.keyjar.export_jwks()
def add_to_bundle(self, fo, jwks):
self.jb[fo] = jwks
def remove_from_bundle(self, fo):
del self.jb[fo]
def export_bundle(self):
return self.jb.create_signed_bundle(sign_alg=self.bundle_sign_alg)
def import_from_bundle(self, uri, sign_key):
_jb = {}
p = urlparse(uri)
if p[0] == 'file':
jwks_bundle = open(p.path, 'r').read()
_jb = JWKSBundle('', sign_keys=sign_key)
_jb.loads(jwks_bundle)
elif p[0] in ['http', 'https']:
r = self.httpcli.http_request(uri)
if r.status == 200:
_jb = JWKSBundle('', sign_keys=sign_key)
_jb.loads(r.text)
else:
raise ValueError('Unsupported scheme')
if self.fo_keyjar:
kj = self.fo_keyjar
else:
kj = KeyJar()
for iss, ikj in _jb.items():
kj.issuer_keys[iss] = ikj.issuer_keys['']
def fo_member(*args):
_jb = JWKSBundle('')
for fo in args:
_jb[fo.iss] = fo.keyjar.issuer_keys['']
return Operator(jwks_bundle=_jb)
def fo_member(*args):
_jb = JWKSBundle('https://sunet.se/op')
for fo in args:
_jb[fo.iss] = fo.signing_keys_as_jwks()
return Operator(jwks_bundle=_jb)
KEYS = {}
ISSUER = {}
OPERATOR = {}
for entity in ['fo', 'fo1', 'org', 'inter', 'admin', 'ligo', 'op']:
fname = os.path.join(BASE_PATH, "{}.key".format(entity))
_keydef = KEYDEFS[:]
_keydef[0]['key'] = fname
_jwks, _keyjar, _kidd = build_keyjar(_keydef)
KEYS[entity] = {'jwks': _jwks, 'keyjar': _keyjar, 'kidd': _kidd}
ISSUER[entity] = 'https://{}.example.org'.format(entity)
OPERATOR[entity] = Operator(keyjar=_keyjar, iss=ISSUER[entity])
FOP = OPERATOR['fo']
FOP.jwks_bundle = JWKSBundle(FOP.iss)
FOP.jwks_bundle[FOP.iss] = FOP.keyjar
FO1P = OPERATOR['fo1']
FO1P.jwks_bundle = JWKSBundle(FO1P.iss)
FO1P.jwks_bundle[FO1P.iss] = FO1P.keyjar
ORGOP = OPERATOR['org']
ADMINOP = OPERATOR['admin']
INTEROP = OPERATOR['inter']
LIGOOP = OPERATOR['ligo']
OPOP = OPERATOR['ligo']
def fo_member(*args):
_jb = JWKSBundle('https://sunet.se/op')
def test_create():
jb = JWKSBundle('iss')
for iss, op in OPERATOR.items():
jb[op.iss] = op.keyjar
assert len(jb.keys()) == 4
# ----------------------------------------------------------------------------
# The RP publishes Registration Request
# ----------------------------------------------------------------------------
rere = Message(
redirect_uris=['https://sunet.se/rp1/callback'],
metadata_statements=[rp_sunet_swamid, rp_sunet_incommon]
)
print_request('Registration Request published by RP', rere)
# ### ======================================================================
# # On the OP
# ### ======================================================================
_jb = JWKSBundle('https://sunet.se/op')
_jb[swamid.iss] = swamid.signing_keys_as_jwks()
_jb[incommon.iss] = incommon.signing_keys_as_jwks()
op = Operator(iss='https://sunet.se/op', jwks_bundle=_jb)
print('Unpack the request')
# -----------------------------------------------------------------------------
# Unpacking the russian doll (= the metadata_statements)
# -----------------------------------------------------------------------------
_cms = op.unpack_metadata_statement(json_ms=rere)
res = op.evaluate_metadata_statement(_cms)
print(70 * ":")
