def test_cdb(): endpoint_context = EndpointContext(conf) _clients = yaml.safe_load(io.StringIO(client_yaml)) endpoint_context.cdb = _clients["oidc_clients"] assert set( endpoint_context.cdb.keys()) == {"client1", "client2", "client3"}
def create_endpoint(self): self.endpoint = userinfo.UserInfo(KEYJAR) conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "jwks": { 'url_path': '{}/jwks.json', 'local_path': 'static/jwks.json', 'private_path': 'own/jwks.json' }, 'endpoint': { 'provider_config': { 'path': '{}/.well-known/openid-configuration', 'class': ProviderConfiguration, 'kwargs': {} }, 'registration': { 'path': '{}/registration', 'class': Registration, 'kwargs': {} }, 'authorization': { 'path': '{}/authorization', 'class': Authorization, 'kwargs': {} }, 'token': { 'path': '{}/token', 'class': AccessToken, 'kwargs': {} }, 'userinfo': { 'path': '{}/userinfo', 'class': userinfo.UserInfo, 'kwargs': {'db_file': 'users.json'} } }, 'client_authn': verify_client, "authentication": [{ 'acr': INTERNETPROTOCOLPASSWORD, 'name': 'NoAuthn', 'kwargs': {'user': '******'} }], 'template_dir': 'template' } endpoint_context = EndpointContext(conf, keyjar=KEYJAR) endpoint_context.cdb['client_1'] = { "client_secret": 'hemligt', "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", 'token_endpoint_auth_method': 'client_secret_post', 'response_types': ['code', 'token', 'code id_token', 'id_token'] } self.endpoint = userinfo.UserInfo(endpoint_context)
def test_get_sign_algorithm_3(self): client_info = RegistrationResponse() endpoint_context = EndpointContext(conf) endpoint_context.jwx_def["signing_alg"] = {"id_token": "RS384"} algs = get_sign_and_encrypt_algorithms(endpoint_context, client_info, "id_token", sign=True) # default signing alg assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS384"}
def test_get_sign_algorithm_4(): client_info = RegistrationResponse(id_token_signed_response_alg='RS512') endpoint_context = EndpointContext(conf) endpoint_context.jwx_def["signing_alg"] = {'id_token': 'RS384'} algs = get_sign_and_encrypt_algorithms(endpoint_context, client_info, 'id_token', sign=True) # default signing alg assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS512'}
def test_capabilities_default(): endpoint_context = EndpointContext(conf, keyjar=KEYJAR) assert set(endpoint_context.provider_info['response_types_supported']) == { 'code', 'token', 'id_token', 'code token', 'code id_token', 'id_token token', 'code token id_token', 'none'} assert endpoint_context.provider_info[ "request_uri_parameter_supported"] is True
def create_cookie_dealer(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": {}, "authentication": [{ 'acr': INTERNETPROTOCOLPASSWORD, 'name': 'NoAuthn', 'kwargs': { 'user': '******' } }], 'template_dir': 'template' } endpoint_context = EndpointContext(conf, keyjar=KEYJAR) self.cookie_dealer = CookieDealer(endpoint_context, 'kaka', 'https://example.com', 'op')
def init_oidc_op_endpoints(app): _config = app.srv_config.op _server_info_config = _config['server_info'] _kj_args = { k: v for k, v in _server_info_config['jwks'].items() if k != 'uri_path' } _kj = init_key_jar(**_kj_args) iss = _server_info_config['issuer'] # make sure I have a set of keys under my 'real' name _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss) try: _kj.verify_ssl = _config['server_info']['verify_ssl'] except KeyError: pass endpoint_context = EndpointContext(_server_info_config, keyjar=_kj, cwd=folder) for endp in endpoint_context.endpoint.values(): p = urlparse(endp.endpoint_path) _vpath = p.path.split('/') if _vpath[0] == '': endp.vpath = _vpath[1:] else: endp.vpath = _vpath return endpoint_context
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": {}, "jwks": { "public_path": "jwks.json", "key_defs": KEYDEFS, "private_path": "own/jwks.json", "uri_path": "static/jwks.json", }, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcendpoint.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", } self.endpoint_context = EndpointContext(conf) self.endpoint = Endpoint(self.endpoint_context)
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "jwks": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "endpoint": { "provider_config": { "path": ".well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "token": { "path": "token", "class": AccessToken, "kwargs": {} }, }, "template_dir": "template", } self.endpoint_context = EndpointContext(conf) self.endpoint = self.endpoint_context.endpoint["provider_config"]
def init_oidc_op_endpoints(app): _config = app.srv_config.op _server_info_config = _config['server_info'] _kj_args = { k: v for k, v in _server_info_config['jwks'].items() if k != 'uri_path' } _kj = init_key_jar(**_kj_args) iss = _server_info_config['issuer'] # make sure I have a set of keys under my 'real' name _kj.import_jwks_as_json(_kj.export_jwks_as_json(True, ''), iss) endpoint_context = EndpointContext(_server_info_config, keyjar=_kj, cwd=folder) # sort of backward but work so... _kj.httpc_params = endpoint_context.httpc_params for endp in endpoint_context.endpoint.values(): p = urlparse(endp.endpoint_path) _vpath = p.path.split('/') if _vpath[0] == '': endp.vpath = _vpath[1:] else: endp.vpath = _vpath return endpoint_context
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": { "webfinger": { "path": ".well-known/webfinger", "class": Discovery, "kwargs": {"client_authn_method": None}, } }, "jwks": {"uri_path": "static/jwks.json", "key_defs": KEYDEFS}, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcendpoint.user_authn.user.NoAuthn", "kwargs": {"user": "******"}, } }, "template_dir": "template", } endpoint_context = EndpointContext(conf) self.endpoint = endpoint_context.endpoint["webfinger"]
def test_capabilities_subset1(): _cnf = copy(conf) _cnf["capabilities"] = {"response_types_supported": "code"} endpoint_context = EndpointContext(_cnf) assert endpoint_context.provider_info["response_types_supported"] == [ "code" ]
def test_capabilities_subset2(): _cnf = copy(conf) _cnf["capabilities"] = {"response_types_supported": ["code", "id_token"]} endpoint_context = EndpointContext(_cnf) assert set(endpoint_context.provider_info["response_types_supported"]) == { "code", "id_token", }
def test_capabilities_no_support(): _cnf = copy(conf) _cnf["id_token"]["kwargs"] = { "id_token_signing_alg_values_supported": "RC4" } with pytest.raises(ValueError): EndpointContext(_cnf) _cnf["id_token"]["kwargs"] = {}
def test_capabilities_bool(): _cnf = copy(conf) _cnf["endpoint"]["authorization_endpoint"]["kwargs"] = { "request_uri_parameter_supported": False } endpoint_context = EndpointContext(_cnf) assert endpoint_context.provider_info[ "request_uri_parameter_supported"] is False
def create_idtoken(self): self.endpoint_context = EndpointContext(conf) self.endpoint_context.cdb["client_1"] = { "client_secret": "hemligt", "redirect_uris": [("https://example.com/cb", None)], "client_salt": "salted", "token_endpoint_auth_method": "client_secret_post", "response_types": ["code", "token", "code id_token", "id_token"], }
def create_endpoint_context(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "endpoint": {}, "jwks": { "uri_path": "static/jwks.json", "key_defs": KEYDEFS }, "authentication": { "user": { "acr": INTERNETPROTOCOLPASSWORD, "class": UserPassJinja2, "verify_endpoint": "verify/user", "kwargs": { "template": "user_pass.jinja2", "sym_key": "24AA/LR6HighEnergy", "db": { "class": JSONDictDB, "kwargs": { "json_path": full_path("passwd.json") }, }, "page_header": "Testing log in", "submit_btn": "Get me in!", "user_label": "Nickname", "passwd_label": "Secret sauce", }, }, "anon": { "acr": UNSPECIFIED, "class": NoAuthn, "kwargs": { "user": "******" }, }, }, "cookie_dealer": { "class": "oidcendpoint.cookie.CookieDealer", "kwargs": { "sign_key": "ghsNKDDLshZTPn974nOsIGhedULrsqnsGoBFBLwUKuJhE2ch", "default_values": { "name": "oidc_op", "domain": "example.com", "path": "/", "max_age": 3600, }, }, }, "template_dir": "template", } self.endpoint_context = EndpointContext(conf)
def test_capabilities_subset1(): _cnf = copy(conf) _cnf["endpoint"]["authorization_endpoint"]["kwargs"] = { "response_types_supported": ["code"] } endpoint_context = EndpointContext(_cnf) assert endpoint_context.provider_info["response_types_supported"] == [ "code" ]
def test_no_default_encrypt_algorithms(): client_info = RegistrationResponse() endpoint_context = EndpointContext(conf) with pytest.raises(UnknownAlgorithm): get_sign_and_encrypt_algorithms(endpoint_context, client_info, 'id_token', sign=True, encrypt=True)
def create_endpoint_context(self): self.endpoint_context = EndpointContext({ "userinfo": { "class": UserInfo, "kwargs": { "db": USERINFO_DB } }, "password": "******", "issuer": "https://example.com/op", "token_expires_in": 900, "grant_expires_in": 600, "refresh_token_expires_in": 86400, "endpoint": { "provider_config": { "path": "{}/.well-known/openid-configuration", "class": ProviderConfiguration, "kwargs": {}, }, "registration": { "path": "{}/registration", "class": Registration, "kwargs": {}, }, "authorization": { "path": "{}/authorization", "class": Authorization, "kwargs": { "response_types_supported": [" ".join(x) for x in RESPONSE_TYPES_SUPPORTED], "response_modes_supported": ["query", "fragment", "form_post"], "claims_parameter_supported": True, "request_parameter_supported": True, "request_uri_parameter_supported": True, }, }, }, "jwks": { "public_path": "jwks.json", "key_defs": KEYDEFS, "uri_path": "static/jwks.json", }, "authentication": { "anon": { "acr": INTERNETPROTOCOLPASSWORD, "class": "oidcendpoint.user_authn.user.NoAuthn", "kwargs": { "user": "******" }, } }, "template_dir": "template", })
def test_get_sign_algorithm(): client_info = RegistrationResponse() endpoint_context = EndpointContext(conf) algs = get_sign_and_encrypt_algorithms(endpoint_context, client_info, 'id_token', sign=True) # default signing alg assert algs == {'sign': True, 'encrypt': False, 'sign_alg': 'RS256'}
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "jwks": { "key_defs": KEYDEFS, "uri_path": "static/jwks.json" }, "endpoint": { "registration": { "path": "registration", "class": Registration, "kwargs": { "client_auth_method": None }, }, "registration_api": { "path": "registration_api", "class": RegistrationRead, "kwargs": { "client_authn_method": ["bearer_header"] }, }, "authorization": { "path": "authorization", "class": Authorization, "kwargs": {}, }, "token": { "path": "token", "class": AccessToken, "kwargs": { "client_authn_method": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "private_key_jwt", ] }, }, "userinfo": { "path": "userinfo", "class": UserInfo, "kwargs": {} }, }, "template_dir": "template", } endpoint_context = EndpointContext(conf) self.registration_endpoint = endpoint_context.endpoint["registration"] self.registration_api_endpoint = endpoint_context.endpoint[ "registration_read"]
def test_get_sign_algorithm_2(self): client_info = RegistrationResponse( id_token_signed_response_alg="RS512") endpoint_context = EndpointContext(conf) algs = get_sign_and_encrypt_algorithms(endpoint_context, client_info, "id_token", sign=True) # default signing alg assert algs == {"sign": True, "encrypt": False, "sign_alg": "RS512"}
def test_no_default_encrypt_algorithms(self): client_info = RegistrationResponse() endpoint_context = EndpointContext(conf) args = get_sign_and_encrypt_algorithms(endpoint_context, client_info, "id_token", sign=True, encrypt=True) assert args["sign_alg"] == "RS256" assert args["enc_enc"] == "A128CBC-HS256" assert args["enc_alg"] == "RSA1_5"
def test_capabilities_default(): endpoint_context = EndpointContext(conf) assert set(endpoint_context.provider_info["response_types_supported"]) == { "code", "token", "id_token", "code token", "code id_token", "id_token token", "code id_token token", } assert endpoint_context.provider_info[ "request_uri_parameter_supported"] is True
def test_setup_session(): endpoint_context = EndpointContext(conf) uid = "_user_" client_id = "EXTERNAL" areq = None acr = None sid = setup_session(endpoint_context, areq, uid, client_id, acr, salt="salt") assert sid
def create_endpoint(self): conf = { "issuer": ENTITY_ID, "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, 'keys': { 'key_defs': KEYSPEC }, "endpoint": {}, "jwks": { "private_path": "own/jwks.json", "uri_path": "static/jwks.json" }, "authentication": { "anon": { 'acr': UNSPECIFIED, "class": NoAuthn, "kwargs": { "user": "******" } } }, 'template_dir': 'template' } endpoint_context = EndpointContext(conf) self.endpoint = ProviderConfiguration(endpoint_context) # === Federation stuff ======= fe_conf = {'keys': {'key_defs': KEYSPEC}} federation_entity = FederationEntity( ENTITY_ID, trusted_roots=ANCHOR, authority_hints={'https://ntnu.no': ['https://feide.no']}, httpd=Publisher(ROOT_DIR), config=fe_conf, entity_type='openid_relying_party', opponent_entity_type='openid_provider') federation_entity.collector = DummyCollector(httpd=Publisher( os.path.join(BASE_PATH, 'data')), trusted_roots=ANCHOR, root_dir=ROOT_DIR) self.fedent = federation_entity self.endpoint.endpoint_context.federation_entity = federation_entity
def test_sub_minting_class(): conf["sub_func"] = {"public": {"class": SubMinter}} endpoint_context = EndpointContext(conf) uid = "_user_" client_id = "EXTERNAL" areq = None acr = None sid = setup_session(endpoint_context, areq, uid, client_id, acr, salt="salt") assert endpoint_context.sdb[sid]["sub"] == uid
def create_endpoint(self): conf = { "issuer": "https://example.com/", "password": "******", "token_expires_in": 600, "grant_expires_in": 300, "refresh_token_expires_in": 86400, "verify_ssl": False, "capabilities": CAPABILITIES, "jwks": { 'url_path': '{}/jwks.json', 'local_path': 'static/jwks.json', 'private_path': 'own/jwks.json' }, 'endpoint': { 'provider_config': { 'path': '{}/.well-known/openid-configuration', 'class': ProviderConfiguration, 'kwargs': {} }, 'registration': { 'path': '{}/registration', 'class': Registration, 'kwargs': {} }, 'authorization': { 'path': '{}/authorization', 'class': Authorization, 'kwargs': {} }, 'token': { 'path': '{}/token', 'class': AccessToken, 'kwargs': {} }, 'userinfo': { 'path': '{}/userinfo', 'class': userinfo.UserInfo, 'kwargs': { 'db_file': 'users.json' } } }, 'template_dir': 'template' } endpoint_context = EndpointContext(conf, keyjar=KEYJAR) self.endpoint = Registration(endpoint_context)
def test_collect_user_info(): _session_info = {'authn_req': OIDR} session = _session_info.copy() session['sub'] = 'doe' session['uid'] = 'diana' session['authn_event'] = create_authn_event('diana', 'salt') endpoint_context = EndpointContext({ 'userinfo': { 'class': UserInfo, 'kwargs': { 'db': USERINFO_DB } }, 'password': "******", 'issuer': 'https://example.com/op', 'token_expires_in': 900, 'grant_expires_in': 600, 'refresh_token_expires_in': 86400, "endpoint": {}, "authentication": [{ 'acr': INTERNETPROTOCOLPASSWORD, 'name': 'NoAuthn', 'kwargs': { 'user': '******' } }], 'template_dir': 'template' }) res = collect_user_info(endpoint_context, session) assert res == { 'given_name': 'Diana', 'nickname': 'Dina', 'sub': 'doe', 'email': '*****@*****.**', 'email_verified': False }