def add_state(self, request_args=None, **kwargs):
if 'state' not in request_args:
request_args['state'] = rndstr(32)
# As a side effect bind logout state to session state
self.client_get("service_context").state.store_logout_state2state(request_args['state'],
kwargs['state'])
return request_args, {}
def construct_request_uri(local_dir, base_path, **kwargs):
"""
Constructs a special redirect_uri to be used when communicating with
one OP. Each OP should get their own redirect_uris.
:param local_dir: Local directory in which to place the file
:param base_path: Base URL to start with
:param kwargs:
:return: 2-tuple with (filename, url)
"""
_filedir = local_dir
if not os.path.isdir(_filedir):
os.makedirs(_filedir)
_webpath = base_path
_name = rndstr(10) + ".jwt"
filename = os.path.join(_filedir, _name)
while os.path.exists(filename):
_name = rndstr(10)
filename = os.path.join(_filedir, _name)
if _webpath.endswith("/"):
_webname = f"{_webpath}{_name}"
else:
_webname = f"{_webpath}/{_name}"
return filename, _webname
def create_state(self, iss, key=''):
"""
Create a State and assign some value to it.
:param iss: The issuer
:param key: A key to use to access the state
"""
if not key:
key = rndstr(32)
else:
if key.startswith('__') and key.endswith('__'):
raise ValueError(
'Invalid format. Leading and trailing "__" not allowed')
_state = State(iss=iss)
self._db[key] = _state.to_json()
return key
def oidc_pre_construct(self, request_args=None, post_args=None, **kwargs):
_context = self.client_get("service_context")
if request_args is None:
request_args = {}
try:
_response_types = [request_args["response_type"]]
except KeyError:
_response_types = _context.behaviour.get('response_types')
if _response_types:
request_args["response_type"] = _response_types[0]
else:
request_args["response_type"] = "code"
# For OIDC 'openid' is required in scope
if 'scope' not in request_args:
request_args['scope'] = _context.behaviour.get("scope", ["openid"])
elif 'openid' not in request_args['scope']:
request_args['scope'].append('openid')
# 'code' and/or 'id_token' in response_type means an ID Roken
# will eventually be returnedm, hence the need for a nonce
if "code" in _response_types or "id_token" in _response_types:
if "nonce" not in request_args:
request_args["nonce"] = rndstr(32)
if post_args is None:
post_args = {}
for attr in ["request_object_signing_alg", "algorithm", 'sig_kid']:
try:
post_args[attr] = kwargs[attr]
except KeyError:
pass
else:
del kwargs[attr]
if "request_method" in kwargs:
if kwargs["request_method"] == "reference":
post_args['request_param'] = "request_uri"
else:
post_args['request_param'] = "request"
del kwargs["request_method"]
return request_args, post_args
def test_token_parse_response(self):
request_args = {'grant_type': 'client_credentials'}
_srv = self.entity.client_get("service",'accesstoken')
_request_info = _srv.get_request_parameters(request_args=request_args)
response = AccessTokenResponse(**{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value"
})
_response = _srv.parse_response(response.to_json(), sformat="json")
# since no state attribute is involved, a key is minted
_key = rndstr(16)
_srv.update_service_context(_response, key=_key)
info = _srv.client_get("service_context").state.get_item(AccessTokenResponse, 'token_response', _key)
assert '__expires_at' in info
def init_srv(self, srv):
"""
Make sure the server has the necessary attributes
:param srv: A server instance
"""
if not srv:
return
self.srv = srv
# verify that the server instance has a cymkey attribute
symkey = getattr(self.srv, 'symkey', None)
if symkey is not None and symkey == "":
msg = "CookieDealer.srv.symkey can not be an empty value"
raise ImproperlyConfigured(msg)
# if there is no 'sed' attribute defined create one
if not getattr(srv, 'seed', None):
setattr(srv, 'seed', rndstr().encode("utf-8"))
def test_2nd_refresh_token_parse_response(self):
request_args = {'grant_type': 'client_credentials'}
_srv = self.entity.client_get("service",'accesstoken')
_request_info = _srv.get_request_parameters(request_args=request_args)
response = AccessTokenResponse(**{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value"
})
_response = _srv.parse_response(response.to_json(), sformat="json")
# since no state attribute is involved, a key is minted
_key = rndstr(16)
_srv.update_service_context(_response, key=_key)
info = _srv.client_get("service_context").state.get_item(AccessTokenResponse, 'token_response', _key)
assert '__expires_at' in info
# Move from token to refresh token service
_srv = self.entity.client_get("service",'refresh_token')
_request_info = _srv.get_request_parameters(request_args=request_args, state=_key)
refresh_response = AccessTokenResponse(**{
"access_token": 'wy4R01DmMoB5xkI65nNkVv1l',
"token_type": "example",
"expires_in": 3600,
"refresh_token": 'lhNX9LSG8w1QuD6tSgc6CPfJ',
})
_response = _srv.parse_response(refresh_response.to_json(), sformat="json")
_srv.update_service_context(_response, key=_key)
info = _srv.client_get("service_context").state.get_item(AccessTokenResponse, 'token_response', _key)
assert '__expires_at' in info
_request_info = _srv.get_request_parameters(request_args=request_args, state=_key)
assert _request_info['headers'] == {
'Authorization': 'Bearer {}'.format(refresh_response["refresh_token"]),
'Content-Type': 'application/x-www-form-urlencoded'
}
def test_refresh_token_get_request(self):
_srv = self.entity.client_get("service",'accesstoken')
_srv.update_service_context({
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "example",
"expires_in": 3600,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter": "example_value"
})
_srv = self.entity.client_get("service",'refresh_token')
_id = rndstr(16)
_info = _srv.get_request_parameters(state_id=_id)
assert _info['method'] == 'POST'
assert _info['url'] == 'https://example.com/token'
assert _info[
'body'] == 'grant_type=refresh_token'
assert _info['headers'] == {
'Authorization': 'Bearer tGzv3JOkF0XG5Qx2TlKWIA',
'Content-Type': 'application/x-www-form-urlencoded'
}
