def test_cdb():
    endpoint_context = EndpointContext(conf)
    _clients = yaml.safe_load(io.StringIO(client_yaml))
    endpoint_context.cdb = _clients["oidc_clients"]

    assert set(
        endpoint_context.cdb.keys()) == {"client1", "client2", "client3"}
 def create_endpoint(self):
     self.endpoint = userinfo.UserInfo(KEYJAR)
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "capabilities": CAPABILITIES,
         "jwks": {
             'url_path': '{}/jwks.json',
             'local_path': 'static/jwks.json',
             'private_path': 'own/jwks.json'
         },
         'endpoint': {
             'provider_config': {
                 'path': '{}/.well-known/openid-configuration',
                 'class': ProviderConfiguration,
                 'kwargs': {}
             },
             'registration': {
                 'path': '{}/registration',
                 'class': Registration,
                 'kwargs': {}
             },
             'authorization': {
                 'path': '{}/authorization',
                 'class': Authorization,
                 'kwargs': {}
             },
             'token': {
                 'path': '{}/token',
                 'class': AccessToken,
                 'kwargs': {}
             },
             'userinfo': {
                 'path': '{}/userinfo',
                 'class': userinfo.UserInfo,
                 'kwargs': {'db_file': 'users.json'}
             }
         },
         'client_authn': verify_client,
         "authentication": [{
             'acr': INTERNETPROTOCOLPASSWORD,
             'name': 'NoAuthn',
             'kwargs': {'user': '******'}
         }],
         'template_dir': 'template'
     }
     endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
     endpoint_context.cdb['client_1'] = {
         "client_secret": 'hemligt',
         "redirect_uris": [("https://example.com/cb", None)],
         "client_salt": "salted",
         'token_endpoint_auth_method': 'client_secret_post',
         'response_types': ['code', 'token', 'code id_token', 'id_token']
     }
     self.endpoint = userinfo.UserInfo(endpoint_context)
Exemple #3
0
    def test_get_sign_algorithm_3(self):
        client_info = RegistrationResponse()
        endpoint_context = EndpointContext(conf)
        endpoint_context.jwx_def["signing_alg"] = {"id_token": "RS384"}

        algs = get_sign_and_encrypt_algorithms(endpoint_context,
                                               client_info,
                                               "id_token",
                                               sign=True)
        # default signing alg
        assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS384"}
def test_get_sign_algorithm_4():
    client_info = RegistrationResponse(id_token_signed_response_alg='RS512')
    endpoint_context = EndpointContext(conf)
    endpoint_context.jwx_def["signing_alg"] = {'id_token': 'RS384'}

    algs = get_sign_and_encrypt_algorithms(endpoint_context,
                                           client_info,
                                           'id_token',
                                           sign=True)
    # default signing alg
    assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS512'}
def test_capabilities_default():
    endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
    assert set(endpoint_context.provider_info['response_types_supported']) == {
        'code', 'token', 'id_token', 'code token', 'code id_token',
        'id_token token', 'code token id_token', 'none'}
    assert endpoint_context.provider_info[
               "request_uri_parameter_supported"] is True
    def create_cookie_dealer(self):
        conf = {
            "issuer":
            "https://example.com/",
            "password":
            "******",
            "token_expires_in":
            600,
            "grant_expires_in":
            300,
            "refresh_token_expires_in":
            86400,
            "verify_ssl":
            False,
            "endpoint": {},
            "authentication": [{
                'acr': INTERNETPROTOCOLPASSWORD,
                'name': 'NoAuthn',
                'kwargs': {
                    'user': '******'
                }
            }],
            'template_dir':
            'template'
        }
        endpoint_context = EndpointContext(conf, keyjar=KEYJAR)

        self.cookie_dealer = CookieDealer(endpoint_context, 'kaka',
                                          'https://example.com', 'op')
Exemple #7
0
def init_oidc_op_endpoints(app):
    _config = app.srv_config.op
    _server_info_config = _config['server_info']

    _kj_args = {
        k: v
        for k, v in _server_info_config['jwks'].items() if k != 'uri_path'
    }
    _kj = init_key_jar(**_kj_args)

    iss = _server_info_config['issuer']

    # make sure I have a set of keys under my 'real' name
    _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)

    try:
        _kj.verify_ssl = _config['server_info']['verify_ssl']
    except KeyError:
        pass

    endpoint_context = EndpointContext(_server_info_config,
                                       keyjar=_kj,
                                       cwd=folder)

    for endp in endpoint_context.endpoint.values():
        p = urlparse(endp.endpoint_path)
        _vpath = p.path.split('/')
        if _vpath[0] == '':
            endp.vpath = _vpath[1:]
        else:
            endp.vpath = _vpath

    return endpoint_context
 def create_endpoint(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "endpoint": {},
         "jwks": {
             "public_path": "jwks.json",
             "key_defs": KEYDEFS,
             "private_path": "own/jwks.json",
             "uri_path": "static/jwks.json",
         },
         "authentication": {
             "anon": {
                 "acr": INTERNETPROTOCOLPASSWORD,
                 "class": "oidcendpoint.user_authn.user.NoAuthn",
                 "kwargs": {
                     "user": "******"
                 },
             }
         },
         "template_dir": "template",
     }
     self.endpoint_context = EndpointContext(conf)
     self.endpoint = Endpoint(self.endpoint_context)
Exemple #9
0
 def create_endpoint(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "capabilities": CAPABILITIES,
         "jwks": {
             "uri_path": "static/jwks.json",
             "key_defs": KEYDEFS
         },
         "endpoint": {
             "provider_config": {
                 "path": ".well-known/openid-configuration",
                 "class": ProviderConfiguration,
                 "kwargs": {},
             },
             "token": {
                 "path": "token",
                 "class": AccessToken,
                 "kwargs": {}
             },
         },
         "template_dir": "template",
     }
     self.endpoint_context = EndpointContext(conf)
     self.endpoint = self.endpoint_context.endpoint["provider_config"]
Exemple #10
0
def init_oidc_op_endpoints(app):
    _config = app.srv_config.op
    _server_info_config = _config['server_info']

    _kj_args = {
        k: v
        for k, v in _server_info_config['jwks'].items() if k != 'uri_path'
    }
    _kj = init_key_jar(**_kj_args)

    iss = _server_info_config['issuer']

    # make sure I have a set of keys under my 'real' name
    _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss)

    endpoint_context = EndpointContext(_server_info_config,
                                       keyjar=_kj,
                                       cwd=folder)

    # sort of backward but work so...
    _kj.httpc_params = endpoint_context.httpc_params

    for endp in endpoint_context.endpoint.values():
        p = urlparse(endp.endpoint_path)
        _vpath = p.path.split('/')
        if _vpath[0] == '':
            endp.vpath = _vpath[1:]
        else:
            endp.vpath = _vpath

    return endpoint_context
Exemple #11
0
 def create_endpoint(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "endpoint": {
             "webfinger": {
                 "path": ".well-known/webfinger",
                 "class": Discovery,
                 "kwargs": {"client_authn_method": None},
             }
         },
         "jwks": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS},
         "authentication": {
             "anon": {
                 "acr": INTERNETPROTOCOLPASSWORD,
                 "class": "oidcendpoint.user_authn.user.NoAuthn",
                 "kwargs": {"user": "******"},
             }
         },
         "template_dir": "template",
     }
     endpoint_context = EndpointContext(conf)
     self.endpoint = endpoint_context.endpoint["webfinger"]
def test_capabilities_subset1():
    _cnf = copy(conf)
    _cnf["capabilities"] = {"response_types_supported": "code"}
    endpoint_context = EndpointContext(_cnf)
    assert endpoint_context.provider_info["response_types_supported"] == [
        "code"
    ]
def test_capabilities_subset2():
    _cnf = copy(conf)
    _cnf["capabilities"] = {"response_types_supported": ["code", "id_token"]}
    endpoint_context = EndpointContext(_cnf)
    assert set(endpoint_context.provider_info["response_types_supported"]) == {
        "code",
        "id_token",
    }
def test_capabilities_no_support():
    _cnf = copy(conf)
    _cnf["id_token"]["kwargs"] = {
        "id_token_signing_alg_values_supported": "RC4"
    }
    with pytest.raises(ValueError):
        EndpointContext(_cnf)
    _cnf["id_token"]["kwargs"] = {}
def test_capabilities_bool():
    _cnf = copy(conf)
    _cnf["endpoint"]["authorization_endpoint"]["kwargs"] = {
        "request_uri_parameter_supported": False
    }
    endpoint_context = EndpointContext(_cnf)
    assert endpoint_context.provider_info[
        "request_uri_parameter_supported"] is False
Exemple #16
0
 def create_idtoken(self):
     self.endpoint_context = EndpointContext(conf)
     self.endpoint_context.cdb["client_1"] = {
         "client_secret": "hemligt",
         "redirect_uris": [("https://example.com/cb", None)],
         "client_salt": "salted",
         "token_endpoint_auth_method": "client_secret_post",
         "response_types": ["code", "token", "code id_token", "id_token"],
     }
 def create_endpoint_context(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "endpoint": {},
         "jwks": {
             "uri_path": "static/jwks.json",
             "key_defs": KEYDEFS
         },
         "authentication": {
             "user": {
                 "acr": INTERNETPROTOCOLPASSWORD,
                 "class": UserPassJinja2,
                 "verify_endpoint": "verify/user",
                 "kwargs": {
                     "template": "user_pass.jinja2",
                     "sym_key": "24AA/LR6HighEnergy",
                     "db": {
                         "class": JSONDictDB,
                         "kwargs": {
                             "json_path": full_path("passwd.json")
                         },
                     },
                     "page_header": "Testing log in",
                     "submit_btn": "Get me in!",
                     "user_label": "Nickname",
                     "passwd_label": "Secret sauce",
                 },
             },
             "anon": {
                 "acr": UNSPECIFIED,
                 "class": NoAuthn,
                 "kwargs": {
                     "user": "******"
                 },
             },
         },
         "cookie_dealer": {
             "class": "oidcendpoint.cookie.CookieDealer",
             "kwargs": {
                 "sign_key":
                 "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch",
                 "default_values": {
                     "name": "oidc_op",
                     "domain": "example.com",
                     "path": "/",
                     "max_age": 3600,
                 },
             },
         },
         "template_dir": "template",
     }
     self.endpoint_context = EndpointContext(conf)
def test_capabilities_subset1():
    _cnf = copy(conf)
    _cnf["endpoint"]["authorization_endpoint"]["kwargs"] = {
        "response_types_supported": ["code"]
    }
    endpoint_context = EndpointContext(_cnf)
    assert endpoint_context.provider_info["response_types_supported"] == [
        "code"
    ]
Exemple #19
0
def test_no_default_encrypt_algorithms():
    client_info = RegistrationResponse()
    endpoint_context = EndpointContext(conf)
    with pytest.raises(UnknownAlgorithm):
        get_sign_and_encrypt_algorithms(endpoint_context,
                                        client_info,
                                        'id_token',
                                        sign=True,
                                        encrypt=True)
 def create_endpoint_context(self):
     self.endpoint_context = EndpointContext({
         "userinfo": {
             "class": UserInfo,
             "kwargs": {
                 "db": USERINFO_DB
             }
         },
         "password": "******",
         "issuer": "https://example.com/op",
         "token_expires_in": 900,
         "grant_expires_in": 600,
         "refresh_token_expires_in": 86400,
         "endpoint": {
             "provider_config": {
                 "path": "{}/.well-known/openid-configuration",
                 "class": ProviderConfiguration,
                 "kwargs": {},
             },
             "registration": {
                 "path": "{}/registration",
                 "class": Registration,
                 "kwargs": {},
             },
             "authorization": {
                 "path": "{}/authorization",
                 "class": Authorization,
                 "kwargs": {
                     "response_types_supported":
                     [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED],
                     "response_modes_supported":
                     ["query", "fragment", "form_post"],
                     "claims_parameter_supported":
                     True,
                     "request_parameter_supported":
                     True,
                     "request_uri_parameter_supported":
                     True,
                 },
             },
         },
         "jwks": {
             "public_path": "jwks.json",
             "key_defs": KEYDEFS,
             "uri_path": "static/jwks.json",
         },
         "authentication": {
             "anon": {
                 "acr": INTERNETPROTOCOLPASSWORD,
                 "class": "oidcendpoint.user_authn.user.NoAuthn",
                 "kwargs": {
                     "user": "******"
                 },
             }
         },
         "template_dir": "template",
     })
Exemple #21
0
def test_get_sign_algorithm():
    client_info = RegistrationResponse()
    endpoint_context = EndpointContext(conf)
    algs = get_sign_and_encrypt_algorithms(endpoint_context,
                                           client_info,
                                           'id_token',
                                           sign=True)
    # default signing alg
    assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS256'}
Exemple #22
0
 def create_endpoint(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "capabilities": CAPABILITIES,
         "jwks": {
             "key_defs": KEYDEFS,
             "uri_path": "static/jwks.json"
         },
         "endpoint": {
             "registration": {
                 "path": "registration",
                 "class": Registration,
                 "kwargs": {
                     "client_auth_method": None
                 },
             },
             "registration_api": {
                 "path": "registration_api",
                 "class": RegistrationRead,
                 "kwargs": {
                     "client_authn_method": ["bearer_header"]
                 },
             },
             "authorization": {
                 "path": "authorization",
                 "class": Authorization,
                 "kwargs": {},
             },
             "token": {
                 "path": "token",
                 "class": AccessToken,
                 "kwargs": {
                     "client_authn_method": [
                         "client_secret_post",
                         "client_secret_basic",
                         "client_secret_jwt",
                         "private_key_jwt",
                     ]
                 },
             },
             "userinfo": {
                 "path": "userinfo",
                 "class": UserInfo,
                 "kwargs": {}
             },
         },
         "template_dir": "template",
     }
     endpoint_context = EndpointContext(conf)
     self.registration_endpoint = endpoint_context.endpoint["registration"]
     self.registration_api_endpoint = endpoint_context.endpoint[
         "registration_read"]
Exemple #23
0
 def test_get_sign_algorithm_2(self):
     client_info = RegistrationResponse(
         id_token_signed_response_alg="RS512")
     endpoint_context = EndpointContext(conf)
     algs = get_sign_and_encrypt_algorithms(endpoint_context,
                                            client_info,
                                            "id_token",
                                            sign=True)
     # default signing alg
     assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS512"}
Exemple #24
0
 def test_no_default_encrypt_algorithms(self):
     client_info = RegistrationResponse()
     endpoint_context = EndpointContext(conf)
     args = get_sign_and_encrypt_algorithms(endpoint_context,
                                            client_info,
                                            "id_token",
                                            sign=True,
                                            encrypt=True)
     assert args["sign_alg"] == "RS256"
     assert args["enc_enc"] == "A128CBC-HS256"
     assert args["enc_alg"] == "RSA1_5"
def test_capabilities_default():
    endpoint_context = EndpointContext(conf)
    assert set(endpoint_context.provider_info["response_types_supported"]) == {
        "code",
        "token",
        "id_token",
        "code token",
        "code id_token",
        "id_token token",
        "code id_token token",
    }
    assert endpoint_context.provider_info[
        "request_uri_parameter_supported"] is True
def test_setup_session():
    endpoint_context = EndpointContext(conf)
    uid = "_user_"
    client_id = "EXTERNAL"
    areq = None
    acr = None
    sid = setup_session(endpoint_context,
                        areq,
                        uid,
                        client_id,
                        acr,
                        salt="salt")
    assert sid
    def create_endpoint(self):
        conf = {
            "issuer": ENTITY_ID,
            "password": "******",
            "token_expires_in": 600,
            "grant_expires_in": 300,
            "refresh_token_expires_in": 86400,
            "verify_ssl": False,
            'keys': {
                'key_defs': KEYSPEC
            },
            "endpoint": {},
            "jwks": {
                "private_path": "own/jwks.json",
                "uri_path": "static/jwks.json"
            },
            "authentication": {
                "anon": {
                    'acr': UNSPECIFIED,
                    "class": NoAuthn,
                    "kwargs": {
                        "user": "******"
                    }
                }
            },
            'template_dir': 'template'
        }
        endpoint_context = EndpointContext(conf)
        self.endpoint = ProviderConfiguration(endpoint_context)

        # === Federation stuff =======
        fe_conf = {'keys': {'key_defs': KEYSPEC}}

        federation_entity = FederationEntity(
            ENTITY_ID,
            trusted_roots=ANCHOR,
            authority_hints={'https://ntnu.no': ['https://feide.no']},
            httpd=Publisher(ROOT_DIR),
            config=fe_conf,
            entity_type='openid_relying_party',
            opponent_entity_type='openid_provider')

        federation_entity.collector = DummyCollector(httpd=Publisher(
            os.path.join(BASE_PATH, 'data')),
                                                     trusted_roots=ANCHOR,
                                                     root_dir=ROOT_DIR)

        self.fedent = federation_entity
        self.endpoint.endpoint_context.federation_entity = federation_entity
def test_sub_minting_class():
    conf["sub_func"] = {"public": {"class": SubMinter}}

    endpoint_context = EndpointContext(conf)
    uid = "_user_"
    client_id = "EXTERNAL"
    areq = None
    acr = None
    sid = setup_session(endpoint_context,
                        areq,
                        uid,
                        client_id,
                        acr,
                        salt="salt")
    assert endpoint_context.sdb[sid]["sub"] == uid
Exemple #29
0
 def create_endpoint(self):
     conf = {
         "issuer": "https://example.com/",
         "password": "******",
         "token_expires_in": 600,
         "grant_expires_in": 300,
         "refresh_token_expires_in": 86400,
         "verify_ssl": False,
         "capabilities": CAPABILITIES,
         "jwks": {
             'url_path': '{}/jwks.json',
             'local_path': 'static/jwks.json',
             'private_path': 'own/jwks.json'
         },
         'endpoint': {
             'provider_config': {
                 'path': '{}/.well-known/openid-configuration',
                 'class': ProviderConfiguration,
                 'kwargs': {}
             },
             'registration': {
                 'path': '{}/registration',
                 'class': Registration,
                 'kwargs': {}
             },
             'authorization': {
                 'path': '{}/authorization',
                 'class': Authorization,
                 'kwargs': {}
             },
             'token': {
                 'path': '{}/token',
                 'class': AccessToken,
                 'kwargs': {}
             },
             'userinfo': {
                 'path': '{}/userinfo',
                 'class': userinfo.UserInfo,
                 'kwargs': {
                     'db_file': 'users.json'
                 }
             }
         },
         'template_dir': 'template'
     }
     endpoint_context = EndpointContext(conf, keyjar=KEYJAR)
     self.endpoint = Registration(endpoint_context)
Exemple #30
0
def test_collect_user_info():
    _session_info = {'authn_req': OIDR}
    session = _session_info.copy()
    session['sub'] = 'doe'
    session['uid'] = 'diana'
    session['authn_event'] = create_authn_event('diana', 'salt')

    endpoint_context = EndpointContext({
        'userinfo': {
            'class': UserInfo,
            'kwargs': {
                'db': USERINFO_DB
            }
        },
        'password':
        "******",
        'issuer':
        'https://example.com/op',
        'token_expires_in':
        900,
        'grant_expires_in':
        600,
        'refresh_token_expires_in':
        86400,
        "endpoint": {},
        "authentication": [{
            'acr': INTERNETPROTOCOLPASSWORD,
            'name': 'NoAuthn',
            'kwargs': {
                'user': '******'
            }
        }],
        'template_dir':
        'template'
    })

    res = collect_user_info(endpoint_context, session)

    assert res == {
        'given_name': 'Diana',
        'nickname': 'Dina',
        'sub': 'doe',
        'email': '*****@*****.**',
        'email_verified': False
    }