def test_sign_encrypt_id_token():
client_info = RegistrationResponse(id_token_signed_response_alg='RS512',
client_id='client_1')
session_info = {
'authn_req': AREQN,
'sub': 'sub',
'authn_event': {
"authn_info": 'loa2',
"authn_time": time.time()
}
}
ENDPOINT_CONTEXT.jwx_def["signing_alg"] = {'id_token': 'RS384'}
ENDPOINT_CONTEXT.cdb['client_1'] = client_info.to_dict()
_token = sign_encrypt_id_token(ENDPOINT_CONTEXT,
session_info,
'client_1',
sign=True)
assert _token
_jws = jws.factory(_token)
assert _jws.jwt.headers['alg'] == 'RS512'
client_keyjar = KeyJar()
_jwks = KEYJAR.export_jwks()
client_keyjar.import_jwks(_jwks, ENDPOINT_CONTEXT.issuer)
_jwt = JWT(key_jar=client_keyjar, iss='client_1')
res = _jwt.unpack(_token)
assert isinstance(res, dict)
assert res['aud'] == ['client_1']
def test_sign_encrypt_id_token(self):
client_info = RegistrationResponse(
id_token_signed_response_alg="RS512", client_id="client_1")
session_info = {
"authn_req": AREQN,
"sub": "sub",
"authn_event": {
"authn_info": "loa2",
"authn_time": time.time()
},
}
self.endpoint_context.jwx_def["signing_alg"] = {"id_token": "RS384"}
self.endpoint_context.cdb["client_1"] = client_info.to_dict()
_token = self.endpoint_context.idtoken.sign_encrypt(session_info,
"client_1",
sign=True)
assert _token
_jws = jws.factory(_token)
assert _jws.jwt.headers["alg"] == "RS512"
client_keyjar = KeyJar()
_jwks = self.endpoint_context.keyjar.export_jwks()
client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
_jwt = JWT(key_jar=client_keyjar, iss="client_1")
res = _jwt.unpack(_token)
assert isinstance(res, dict)
assert res["aud"] == ["client_1"]
def client_registration_setup(self, request, new_id=True, set_secret=True):
try:
request.verify()
except MessageException as err:
if "type" not in request:
return ResponseMessage(error="invalid_type",
error_description="%s" % err)
else:
return ResponseMessage(error="invalid_configuration_parameter",
error_description="%s" % err)
request.rm_blanks()
try:
self.match_client_request(request)
except CapabilitiesMisMatch as err:
return ResponseMessage(
error="invalid_request",
error_description="Don't support proposed %s" % err)
_context = self.endpoint_context
if new_id:
# create new id och secret
client_id = rndstr(12)
while client_id in _context.cdb:
client_id = rndstr(12)
else:
try:
client_id = request['client_id']
except KeyError:
raise ValueError('Missing client_id')
_rat = rndstr(32)
_cinfo = {
"client_id":
client_id,
"registration_access_token":
_rat,
"registration_client_uri":
"%s?client_id=%s" % (self.endpoint_path, client_id),
"client_salt":
rndstr(8)
}
if new_id:
_cinfo["client_id_issued_at"] = utc_time_sans_frac()
if set_secret:
client_secret = secret(_context.seed, client_id)
_cinfo.update({
"client_secret":
client_secret,
"client_secret_expires_at":
client_secret_expiration_time()
})
else:
client_secret = ''
_context.cdb[client_id] = _cinfo
_context.cdb[_rat] = client_id
_cinfo = self.do_client_registration(
request,
client_id,
ignore=["redirect_uris", "policy_uri", "logo_uri", "tos_uri"])
if isinstance(_cinfo, ResponseMessage):
return _cinfo
args = dict([(k, v) for k, v in _cinfo.items()
if k in RegistrationResponse.c_param])
self.comb_uri(args)
response = RegistrationResponse(**args)
# Add the client_secret as a symmetric key to the key jar
if client_secret:
_context.keyjar.add_symmetric(client_id, str(client_secret))
_context.cdb[client_id] = _cinfo
try:
_context.cdb.sync()
except AttributeError: # Not all databases can be sync'ed
pass
logger.info("registration_response: %s" % sanitize(response.to_dict()))
return response
def client_registration_setup(self, request, new_id=True, set_secret=True):
try:
request.verify()
except (MessageException, ValueError) as err:
return ResponseMessage(
error="invalid_configuration_request", error_description="%s" % err
)
request.rm_blanks()
try:
self.match_client_request(request)
except CapabilitiesMisMatch as err:
return ResponseMessage(
error="invalid_request",
error_description="Don't support proposed %s" % err,
)
_context = self.endpoint_context
if new_id:
# create new id och secret
client_id = rndstr(12)
while client_id in _context.cdb:
client_id = rndstr(12)
else:
try:
client_id = request["client_id"]
except KeyError:
raise ValueError("Missing client_id")
_cinfo = {"client_id": client_id, "client_salt": rndstr(8)}
if "registration_api" in self.endpoint_context.endpoint:
self.add_registration_api(_cinfo, client_id, _context)
if new_id:
_cinfo["client_id_issued_at"] = utc_time_sans_frac()
if set_secret:
client_secret = self.add_client_secret(_cinfo, client_id, _context)
else:
client_secret = ""
_context.cdb[client_id] = _cinfo
_cinfo = self.do_client_registration(
request,
client_id,
ignore=["redirect_uris", "policy_uri", "logo_uri", "tos_uri"],
)
if isinstance(_cinfo, ResponseMessage):
return _cinfo
args = dict(
[(k, v) for k, v in _cinfo.items() if k in RegistrationResponse.c_param]
)
comb_uri(args)
response = RegistrationResponse(**args)
# Add the client_secret as a symmetric key to the key jar
if client_secret:
_context.keyjar.add_symmetric(client_id, str(client_secret))
_context.cdb[client_id] = _cinfo
try:
_context.cdb.sync()
except AttributeError: # Not all databases can be sync'ed
pass
logger.info("registration_response: %s" % sanitize(response.to_dict()))
return response
mp_org = MetadataPolicy().from_json(org_pol)
print("4.1.6_org_policy.json", mp_org.verify())
comb_policy = MetadataPolicy(**combine_policy(mp_fed, mp_org))
print("comb", comb_policy.verify())
metadata = open("4.1.6_metadata.json").read()
md = RegistrationResponse().from_json(metadata)
print("4.1.6_metadata.json", mp_org.verify())
# apply policy
res = apply_policy(md, comb_policy)
res_md = RegistrationResponse(**res)
print(json.dumps(res_md.to_dict(), indent=4, sort_keys=True))
print('=', md.to_dict() == res_md.to_dict())
# ============== 4.3.3 ==================
print("-" * 20, "4.3.3", "-" * 20)
for item in ['4.3.3_1.json', '4.3.3_2.json']:
data = open(item).read()
tm = TrustMark().from_json(data)
print(item, tm.verify())
# ============== 5.2 ==================
print("-" * 20, "5.2", "-" * 20)
txt = open("5.2.json").read()
def client_registration_setup(self, request, new_id=True, set_secret=True):
try:
request.verify()
except (MessageException, ValueError) as err:
return ResponseMessage(error="invalid_configuration_request",
error_description="%s" % err)
request.rm_blanks()
try:
self.match_client_request(request)
except CapabilitiesMisMatch as err:
return ResponseMessage(
error="invalid_request",
error_description="Don't support proposed %s" % err,
)
_context = self.endpoint_context
if new_id:
# create new id och secret
client_id = rndstr(12)
# cdb client_id MUST be unique!
while client_id in _context.cdb:
client_id = rndstr(12)
if "client_id" in request:
del request["client_id"]
else:
client_id = request.get("client_id")
if not client_id:
raise ValueError("Missing client_id")
_cinfo = {"client_id": client_id, "client_salt": rndstr(8)}
if "registration_read" in self.endpoint_context.endpoint:
self.add_registration_api(_cinfo, client_id, _context)
if new_id:
_cinfo["client_id_issued_at"] = utc_time_sans_frac()
client_secret = ""
if set_secret:
client_secret = self.add_client_secret(_cinfo, client_id, _context)
logger.debug(
"Stored client info in CDB under cid={}".format(client_id))
_context.cdb[client_id] = _cinfo
_cinfo = self.do_client_registration(
request,
client_id,
ignore=["redirect_uris", "policy_uri", "logo_uri", "tos_uri"],
)
if isinstance(_cinfo, ResponseMessage):
return _cinfo
args = dict([(k, v) for k, v in _cinfo.items()
if k in RegistrationResponse.c_param])
comb_uri(args)
response = RegistrationResponse(**args)
# Add the client_secret as a symmetric key to the key jar
if client_secret:
_context.keyjar.add_symmetric(client_id, str(client_secret))
logger.debug(
"Stored updated client info in CDB under cid={}".format(client_id))
logger.debug("ClientInfo: {}".format(_cinfo))
_context.cdb[client_id] = _cinfo
# Not all databases can be sync'ed
if hasattr(_context.cdb, "sync") and callable(_context.cdb.sync):
_context.cdb.sync()
msg = "registration_response: {}"
logger.info(msg.format(sanitize(response.to_dict())))
return response