def test_server_authenticated_none():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
cons.response_type = "none"
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
resp = server.authorization_endpoint(environ, start_response)
sid = resp[0][len("<form>"):-len("</form>")]
environ2 = create_return_form_env("user", "password", sid)
resp2 = server.authenticated(environ2, start_response)
assert len(resp2) == 1
txt = resp2[0]
pos0 = txt.index("<title>") + len("<title>Redirecting to ")
pos1 = txt.index("</title>")
location = txt[pos0:pos1]
print location
assert location.startswith("http://localhost:8087/authz")
query = location.split("?")[1]
print query
assert "token_type=Bearer" in query
def setup_consumer(self, session_db_factory):
client_config = {
"client_id": CLIENT_ID,
"client_authn_method": CLIENT_AUTHN_METHOD,
}
self.consumer = Consumer(DictSessionBackend(), CONFIG, client_config,
SERVER_INFO)
self.consumer.keyjar = CLIKEYS
self.consumer.redirect_uris = ["https://example.com/authz"]
self.consumer.client_secret = "hemlig"
self.consumer.secret_type = "basic"
self.consumer.issuer = ISSUER_ID
self.provider = Provider(
ISSUER_ID,
session_db_factory(ISSUER_ID),
CDB,
AUTHN_BROKER,
USERINFO,
AUTHZ,
verify_client,
SYMKEY,
urlmap=URLMAP,
keyjar=SRVKEYS,
)
self.provider.baseurl = self.provider.name
def real_test_discover(self):
c = Consumer(None, None)
principal = "*****@*****.**"
res = c.discover(principal)
assert isinstance(res, ProviderConfigurationResponse)
assert _eq(
res.keys(),
[
"registration_endpoint",
"scopes_supported",
"identifiers_supported",
"token_endpoint",
"flows_supported",
"version",
"userinfo_endpoint",
"authorization_endpoint",
"x509_url",
"issuer",
],
)
assert res.version == "3.0" # type: ignore
assert _eq(
res.flows_supported, # type: ignore
[
"code",
"token",
"id_token",
"code token",
"code id_token",
"id_token token",
],
)
def test_server_authenticated_token():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
cons.config["response_type"] = ["token"]
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
resp = server.authorization_endpoint(environ, start_response)
sid = resp[0][len("<form>"):-len("</form>")]
environ2 = create_return_form_env("user", "password", sid)
resp2 = server.authenticated(environ2, start_response)
assert len(resp2) == 1
txt = resp2[0]
assert "access_token=" in txt
assert "token_type=Bearer" in txt
def setup_class(self):
self.consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
self.consumer.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self.consumer.client_secret = CLIENT_SECRET
def test_client_register_token_b64(self):
c = Consumer(None, None)
c.redirect_uris = ["https://example.com/authz"]
client_info = {
"client_id": "clientid",
"redirect_uris": ["https://example.com/authz"],
}
registration_token = (
"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC"
"JlYjc1N2M3Yy00MWRlLTRmZDYtOTkwNy1hNGFiMDY1ZjEzMmEifQ.eyJqdGkiOiI2ZWY0MDZi"
"MC02YzA3LTQ0NzctOWU1YS1hY2FiZjNiMWNiMjgiLCJleHAiOjAsIm5iZiI6MCwiaWF0Ijox"
"NTczNzMxNjg5LCJpc3MiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFtcGxlLmNvbS9h"
"dXRoL3JlYWxtcy9tYXN0ZXIiLCJhdWQiOiJodHRwczovL29wZW5pZC1wcm92aWRlci5leGFt"
"cGxlLmNvbS9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJ0eXAiOiJJbml0aWFsQWNjZXNzVG9rZW4i"
"fQ.0XTlit_JcxPZeIy8A4BzrHn1NvegVP7ws8KI0ySFex8")
with responses.RequestsMock() as rsps:
rsps.add(
rsps.POST,
"https://provider.example.com/registration/",
json=client_info,
)
c.register(
"https://provider.example.com/registration/",
registration_token=registration_token,
)
header = rsps.calls[0].request.headers["Authorization"]
assert header == "Bearer " + registration_token
def setup_userinfo_endpoint(self):
cons = Consumer({}, CONSUMER_CONFIG, {"client_id": CLIENT_ID},
server_info=SERVER_INFO, )
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin("openid", "token",
path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(
responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def test_provider_config(self):
c = Consumer(None, None)
mfos = MyFakeOICServer("http://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
info = c.provider_config(res)
assert isinstance(info, ProviderConfigurationResponse)
assert _eq(info.keys(), ['registration_endpoint', 'jwks_uri',
'check_session_endpoint',
'refresh_session_endpoint',
'register_endpoint',
'subject_types_supported',
'token_endpoint_auth_methods_supported',
'id_token_signing_alg_values_supported',
'grant_types_supported', 'user_info_endpoint',
'claims_parameter_supported',
'request_parameter_supported',
'discovery_endpoint', 'issuer',
'authorization_endpoint', 'scopes_supported',
'require_request_uri_registration',
'identifiers_supported', 'token_endpoint',
'request_uri_parameter_supported', 'version',
'response_types_supported',
'end_session_endpoint', 'flows_supported'])
assert info["end_session_endpoint"] == "http://example.com/end_session"
def setup_consumer(self, fake_oic_server, session_db_factory):
client_id = "client_1"
client_config = {
"client_id": client_id,
"client_authn_method": CLIENT_AUTHN_METHOD,
# 'config': {}
}
self.consumer = Consumer(session_db_factory(SERVER_INFO["issuer"]),
CONFIG, client_config, SERVER_INFO)
self.consumer.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self.consumer.client_secret = "abcdefghijklmnop"
self.consumer.keyjar = CLIKEYS
self.consumer.redirect_uris = ["https://example.com/cb"]
self.consumer.authorization_endpoint = \
"http://example.com/authorization"
self.consumer.token_endpoint = "http://example.com/token"
self.consumer.userinfo_endpoint = "http://example.com/userinfo"
self.consumer.client_secret = "hemlig"
self.consumer.secret_type = "basic"
mfos = fake_oic_server("http://localhost:8088")
mfos.keyjar = SRVKEYS
self.consumer.http_request = mfos.http_request
def test_provider_config():
c = Consumer(None, None)
mfos = MyFakeOICServer("http://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
info = c.provider_config(res)
assert info.type() == "ProviderConfigurationResponse"
print info.keys()
assert _eq(info.keys(), [
'registration_endpoint', 'jwks_uri', 'check_session_endpoint',
'refresh_session_endpoint', 'register_endpoint',
'subject_types_supported', 'token_endpoint_auth_methods_supported',
'id_token_signing_alg_values_supported', 'grant_types_supported',
'user_info_endpoint', 'claims_parameter_supported',
'request_parameter_supported', 'discovery_endpoint', 'issuer',
'authorization_endpoint', 'scopes_supported',
'require_request_uri_registration', 'identifiers_supported',
'token_endpoint', 'request_uri_parameter_supported', 'version',
'response_types_supported', 'end_session_endpoint', 'flows_supported'
])
assert info["end_session_endpoint"] == "http://example.com/end_session"
def init_oic(self, provider_name):
if provider_name not in PROVIDER_URL_MAP:
raise ValueError('Invalid provider: %s', provider_name)
provider = PROVIDER_URL_MAP[provider_name]
self.scopes = ['openid', 'profile', 'email']
db = SessionStore(self.db)
client = Consumer(db, consumer_config, client_config=client_config)
client.allow['issuer_mismatch'] = True
# Github does not support dynamically resolving OpenID configuration.
if provider_name == PROVIDER_GITHUB:
self.scopes = ['user:email', 'read:user']
client.provider_info = {
'authorization_endpoint':
'https://github.com/login/oauth/authorize',
'token_endpoint':
'https://github.com/login/oauth/access_token',
}
client.handle_provider_config(client.provider_info, 'GitHub')
else:
client.provider_info = client.provider_config(provider)
providers = self.db.oic_registration.filter(None, {'issuer': provider})
assert len(providers) == 1
provider = self.db.oic_registration.getnode(providers[0])
client_reg = RegistrationResponse(
client_id=provider['client_id'],
client_secret=provider['client_secret'])
client.store_registration_info(client_reg)
return client
def test_discover():
c = Consumer(None, None)
mfos = MyFakeOICServer(SRVKEYS, "http://example.com/")
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
assert res == "http://example.com/"
def test_discover(self, fake_oic_server):
c = Consumer(None, None)
mfos = fake_oic_server("https://*****:*****@example.com"
res = c.discover(principal)
assert res == "https://localhost:8088/"
def test_discover(self):
c = Consumer(None, None)
mfos = MyFakeOICServer("http://*****:*****@example.com"
res = c.discover(principal)
assert res == "http://localhost:8088/"
def test_discover_redirect():
c = Consumer(None, None)
mfos = MyFakeOICServer(name="http://example.com/")
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
assert res == "http://example.net/providerconf"
def test_discover(self, fake_oic_server):
c = Consumer(None, None)
mfos = fake_oic_server("https://*****:*****@example.com"
res = c.discover(principal)
assert res == "https://localhost:8088/"
def test_discover():
c = Consumer(None, None)
mfos = MyFakeOICServer("http://*****:*****@example.com"
res = c.discover(principal)
assert res == "http://localhost:8088/"
def handle_authz_response(environ, start_response):
_cli = Consumer(SESSION_DB, CONSUMER_CONFIG, CLIENT_CONFIG, SERVER_INFO)
aresp, atr, idt = _cli.parse_authz(environ, start_response, DEVNULL())
print "ARESP: %s" % aresp
print "ATR: %s" % atr
print "IDT: %s" % idt
print "GSess: %s" % _cli.grant
kaka = http_util.cookie(CONSUMER_CONFIG["name"], _cli.state, _cli.seed, expire=360, path="/")
resp = http_util.Response("Your will is registered", headers=[kaka])
return resp(environ, start_response)
def test_faulty_id_token_in_access_token_response(self):
c = Consumer(None, None)
c.keyjar.add_symmetric("", "TestPassword", ["sig"])
_info = {"access_token": "accessTok",
"id_token": self._faulty_id_token(),
"token_type": "Bearer"}
_json = json.dumps(_info)
with pytest.raises(BadSignature):
c.parse_response(AccessTokenResponse, _json, sformat="json")
def test_faulty_id_token_in_access_token_response(self):
c = Consumer(None, None)
c.keyjar.add_symmetric("", "TestPassword", ["sig"])
_info = {"access_token": "accessTok",
"id_token": self._faulty_id_token(),
"token_type": "Bearer"}
_json = json.dumps(_info)
with pytest.raises(BadSignature):
c.parse_response(AccessTokenResponse, _json, sformat="json")
def test_server_authenticated():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
resp = server.authorization_endpoint(environ, start_response)
sid = resp[0][len("<form>"):-len("</form>")]
environ2 = create_return_form_env("user", "password", sid)
resp2 = server.authenticated(environ2, start_response)
print resp2[0]
assert len(resp2) == 1
txt = resp2[0]
pos0 = txt.index("<title>") + len("<title>Redirecting to ")
pos1 = txt.index("</title>")
location = txt[pos0:pos1]
print location
assert location.startswith("http://localhost:8087/authz")
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location
part = cons.parse_authz(environ, start_response)
aresp = part[0]
assert part[1] is None
assert part[2] is None
#aresp = client.parse_response(AuthorizationResponse, location,
# format="urlencoded",
# state="id-6da9ca0cc23959f5f33e8becd9b08cae")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), ['code', 'state', 'scope'])
print cons.grant[cons.state].keys()
assert _eq(cons.grant[cons.state].keys(), ['code', 'id_token', 'tokens',
'exp_in',
'grant_expiration_time', 'seed'])
def create_provider(self):
self.provider = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]),
CDB,
AUTHN_BROKER, USERINFO,
AUTHZ, verify_client, SYMKEY, urlmap=URLMAP,
keyjar=KEYJAR)
self.provider.baseurl = self.provider.name
self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
self.cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
self.cons.keyjar[""] = KC_RSA
def test_faulty_id_token_in_access_token_response():
c = Consumer(None, None)
c.keyjar.add_symmetric("", "TestPassword", ["sig"])
_info = {"access_token": "accessTok", "id_token": _faulty_id_token(),
"token_type": "Bearer", "expires_in": 3600}
_json = json.dumps(_info)
try:
resp = c.parse_response(AccessTokenResponse, _json, sformat="json")
except BadSignature:
pass
else:
assert False
def real_test_discover(self):
c = Consumer(None, None)
principal = "*****@*****.**"
res = c.discover(principal)
assert isinstance(res, ProviderConfigurationResponse)
assert _eq(res.keys(), ['registration_endpoint', 'scopes_supported',
'identifiers_supported', 'token_endpoint',
'flows_supported', 'version',
'userinfo_endpoint',
'authorization_endpoint', 'x509_url', 'issuer'])
assert res.version == "3.0"
assert _eq(res.flows_supported, ['code', 'token', 'id_token',
'code token', 'code id_token',
'id_token token'])
def real_test_discover(self):
c = Consumer(None, None)
principal = "*****@*****.**"
res = c.discover(principal)
assert isinstance(res, ProviderConfigurationResponse)
assert _eq(res.keys(), ['registration_endpoint', 'scopes_supported',
'identifiers_supported', 'token_endpoint',
'flows_supported', 'version',
'userinfo_endpoint',
'authorization_endpoint', 'x509_url', 'issuer'])
assert res.version == "3.0"
assert _eq(res.flows_supported, ['code', 'token', 'id_token',
'code token', 'code id_token',
'id_token token'])
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
state, location = cons.begin("openid",
"token",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("#")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def setup_consumer(self, fake_oic_server, session_db_factory):
client_id = "client_1"
client_config = {
"client_id": client_id,
"client_authn_method": CLIENT_AUTHN_METHOD,
# 'config': {}
}
self.consumer = Consumer(session_db_factory(SERVER_INFO["issuer"]),
CONFIG, client_config, SERVER_INFO)
self.consumer.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
self.consumer.client_secret = "abcdefghijklmnop"
self.consumer.keyjar = CLIKEYS
self.consumer.redirect_uris = ["https://example.com/cb"]
self.consumer.authorization_endpoint = \
"http://example.com/authorization"
self.consumer.token_endpoint = "http://example.com/token"
self.consumer.userinfo_endpoint = "http://example.com/userinfo"
self.consumer.client_secret = "hemlig"
self.consumer.secret_type = "basic"
mfos = fake_oic_server("http://localhost:8088")
mfos.keyjar = SRVKEYS
self.consumer.http_request = mfos.http_request
def register(environ, start_response, logger, kaka=None):
"""
Initialize the OAuth2 flow
"""
_session_db = environ["oic.session_db"]
_cc = environ["oic.client_config"]
_conc = environ["oic.consumer.config"]
_server_info = environ["oic.server.info"]
# get the redirect to the authorization server endpoint
_oac = Consumer(_session_db, _conc, _cc, _server_info)
location = _oac.begin(environ, start_response, logger)
logger.info("[1] %s" % (_oac.__dict__,))
resp = http_util.Redirect(location)
return resp(environ, start_response)
def test_client_register(self, fake_oic_server):
c = Consumer(None, None)
c.application_type = "web"
c.application_name = "My super service"
c.redirect_uris = ["https://example.com/authz"]
c.contact = ["*****@*****.**"]
mfos = fake_oic_server("https://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request
location = c.discover("*****@*****.**")
info = c.provider_config(location)
c.register(info["registration_endpoint"])
assert c.client_id is not None
assert c.client_secret is not None
assert c.registration_expires > utc_time_sans_frac()
def test_server_authenticated_token():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", response_type="token",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
txt = resp.message
assert "access_token=" in txt
assert "token_type=Bearer" in txt
def test_server_authenticated_none():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", response_type="none",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
assert resp.message.startswith("http://localhost:8087/authz")
query_part = resp.message.split("?")[1]
print query_part
assert "state" in query_part
def test_userinfo_endpoint():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO)
cons.debug = True
cons.client_secret = "drickyoughurt"
cons.config["response_type"] = ["token"]
cons.config["request_method"] = "parameter"
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", "token", path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
line = resp.message
path, query = line.split("?")
# redirect
atr = AuthorizationResponse().deserialize(query, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"], schema="openid")
resp3 = server.userinfo_endpoint(request=uir.to_urlencoded())
ident = OpenIDSchema().deserialize(resp3.message, "json")
print ident.keys()
assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
assert ident["sub"] == USERDB["username"]["sub"]
def test_faulty_id_token_in_access_token_response():
c = Consumer(None, None)
c.keyjar.add_symmetric("", "TestPassword", ["sig"])
_info = {
"access_token": "accessTok",
"id_token": _faulty_id_token(),
"token_type": "Bearer",
"expires_in": 3600
}
_json = json.dumps(_info)
try:
resp = c.parse_response(AccessTokenResponse, _json, sformat="json")
except BadSignature:
pass
else:
assert False
def test_client_register_token(self):
c = Consumer(None, None)
c.redirect_uris = ["https://example.com/authz"]
client_info = {
"client_id": "clientid",
"redirect_uris": ["https://example.com/authz"]
}
with responses.RequestsMock() as rsps:
rsps.add(rsps.POST,
"https://provider.example.com/registration/",
json=client_info)
c.register("https://provider.example.com/registration/",
registration_token="initial_registration_token")
header = rsps.calls[0].request.headers['Authorization']
assert header == "Bearer aW5pdGlhbF9yZWdpc3RyYXRpb25fdG9rZW4="
def authz(environ, start_response, logger, kaka=None):
"""
This is where I am returned to after authentication at the Authorization
service
"""
_session_db = environ["oic.session_db"]
_cc = environ["oic.client_config"]
_conc = environ["oic.consumer.config"]
_server_info = environ["oic.server.info"]
_log_info = logger.info
try:
_cli = Consumer(_session_db, _conc, _cc, _server_info)
aresp, atr, idt = _cli.parse_authz(environ, start_response, logger)
except (AuthzError, TokenError), err:
resp = http_util.Unauthorized("%s" % err)
return resp(environ, start_response)
def test_provider_config():
c = Consumer(None, None)
mfos = MyFakeOICServer(SRVKEYS, "http://example.com/")
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
info = c.provider_config(res)
assert info.type() == "ProviderConfigurationResponse"
print info.keys()
assert _eq(info.keys(), ['registration_endpoint', 'check_session_endpoint',
'refresh_session_endpoint', 'scopes_supported',
'identifiers_supported', 'token_endpoint',
'version', 'user_info_endpoint',
'end_session_endpoint', 'authorization_endpoint',
'flows_supported', 'issuer'])
assert info["end_session_endpoint"] == "http://example.com/end_session"
def setup_consumer(self, session_db_factory):
client_id = "client_1"
client_config = {
"client_id": client_id,
"client_authn_method": CLIENT_AUTHN_METHOD,
}
self.consumer = Consumer(DictSessionBackend(), CONFIG, client_config,
SERVER_INFO)
self.consumer.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self.consumer.keyjar = CLIKEYS
self.consumer.redirect_uris = ["https://example.com/cb"]
self.consumer.authorization_endpoint = "https://example.com/authorization"
self.consumer.token_endpoint = "https://example.com/token"
self.consumer.userinfo_endpoint = "https://example.com/userinfo" # type: ignore
self.consumer.client_secret = "hemlig"
self.consumer.secret_type = "basic"
def test_server_authenticated_1():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", "code", path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
print resp
aresp = cons.parse_response(AuthorizationResponse, location,
sformat="urlencoded")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), ['request', 'state', 'redirect_uri', 'claims',
'response_type', 'client_id', 'scope'])
def setup_class(self):
self.server = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB,
AUTHN_BROKER, USERINFO,
AUTHZ, verify_client, SYMKEY, urlmap=URLMAP,
keyjar=KEYJAR)
self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
self.cons.behaviour = {"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
self.cons.debug = True
self.cons.keyjar[""] = KC_RSA
def test_discover(self):
c = Consumer(None, None)
webfinger = {
"subject":
"acct:[email protected]",
"links": [{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://*****:*****@example.com"
with responses.RequestsMock() as rsps:
rsps.add(
responses.GET,
"https://example.com/.well-known/webfinger"
"?resource=acct%3Afoo%40example.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer",
json=webfinger,
)
res = c.discover(principal)
assert res == "https://localhost:8088/"
def test_server_authenticated_2():
server = provider_init
server.baseurl = server.name
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
location = cons.begin(scope="openid email claims_in_id_token",
response_type="code id_token",
path="http://localhost:8087")
print location
resp = server.authorization_endpoint(request=location.split("?")[1])
print resp.message
part = cons.parse_authz(resp.message)
print part
aresp = part[0]
assert part[1] is None
assert part[2] is not None
#aresp = cons.parse_response(AuthorizationResponse, location,
# sformat="urlencoded")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token'])
print cons.grant[cons.state].keys()
assert _eq(cons.grant[cons.state].keys(), ['code', 'id_token', 'tokens',
'exp_in',
'grant_expiration_time', 'seed'])
id_token = part[2]
assert isinstance(id_token, IdToken)
print id_token.keys()
assert _eq(id_token.keys(), ['c_hash', 'sub', 'iss', 'acr', 'exp', 'iat',
'aud', 'nonce'])
def test_client_register(self):
c = Consumer(None, None)
c.redirect_uris = ["https://example.com/authz"]
reg_resp = {
"client_id": "some_client",
"client_secret": "super_secret",
"client_secret_expires_at": 123456789,
"redirect_uris": ["https://example.com/authz"],
}
with responses.RequestsMock() as rsps:
rsps.add(responses.POST, "https://example.com/register/", json=reg_resp)
c.register("https://example.com/register/")
assert json.loads(rsps.calls[0].request.body) == {
"application_type": "web",
"response_types": ["code"],
"redirect_uris": ["https://example.com/authz"],
"grant_types": ["authorization_code"],
}
assert c.client_id == "some_client"
assert c.client_secret == "super_secret"
assert c.registration_expires == 123456789
def setup_userinfo_endpoint(self):
cons = Consumer(
{},
CONSUMER_CONFIG,
{"client_id": CLIENT_ID},
server_info=SERVER_INFO,
)
cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
cons.keyjar[""] = KC_RSA
cons.client_secret = "drickyoughurt"
state, location = cons.begin(
"openid", "token", path=TestConfiguration.get_instance().rp_base)
resp = self.provider.authorization_endpoint(
request=urlparse(location).query)
# redirect
atr = AuthorizationResponse().deserialize(
urlparse(resp.message).fragment, "urlencoded")
uir = UserInfoRequest(access_token=atr["access_token"],
schema="openid")
resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded())
responses.add(responses.POST,
self.op_base + "userinfo",
body=resp.message,
status=200,
content_type='application/json')
def test_server_authenticated_1():
server = provider_init
_session_db = {}
cons = Consumer(
_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
cons.debug = True
cons.keyjar[""] = KC_RSA
state, location = cons.begin("openid",
"code",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
print resp
aresp = cons.parse_response(AuthorizationResponse,
location,
sformat="urlencoded")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), [
'request', 'state', 'redirect_uri', 'claims', 'response_type',
'client_id', 'scope'
])
def test_client_register(self, fake_oic_server):
c = Consumer(None, None)
c.redirect_uris = ["https://example.com/authz"]
mfos = fake_oic_server("https://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request # type: ignore # FIXME: Replace with responses
location = c.discover("*****@*****.**")
info = c.provider_config(location)
c.register(info["registration_endpoint"])
assert c.client_id is not None
assert c.client_secret is not None
assert c.registration_expires > utc_time_sans_frac()
def test_server_authenticated_none():
server = provider_init
_session_db = {}
cons = Consumer(
_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
cons.debug = True
cons.keyjar[""] = KC_RSA
_state, location = cons.begin("openid",
response_type="none",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
assert resp.message.startswith("http://localhost:8087/authz")
query_part = resp.message.split("?")[1]
print query_part
assert "state" in query_part
def test_server_authenticated_token():
server = provider_init
_session_db = {}
cons = Consumer(
_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
cons.debug = True
cons.keyjar[""] = KC_RSA
_state, location = cons.begin("openid",
response_type="token",
path="http://localhost:8087")
resp = server.authorization_endpoint(request=location.split("?")[1])
txt = resp.message
assert "access_token=" in txt
assert "token_type=Bearer" in txt
def create_provider(self):
self.provider = Provider(SERVER_INFO["issuer"], SessionDB(SERVER_INFO["issuer"]),
CDB,
AUTHN_BROKER, USERINFO,
AUTHZ, verify_client, SYMKEY, urlmap=URLMAP,
keyjar=KEYJAR)
self.provider.baseurl = self.provider.name
self.cons = Consumer({}, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
self.cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]}
self.cons.keyjar[""] = KC_RSA
def test_server_authenticated_1():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
environ = BASE_ENVIRON
location = cons.begin(environ, start_response)
environ = BASE_ENVIRON.copy()
environ["QUERY_STRING"] = location.split("?")[1]
_ = server.authorization_endpoint(environ, start_response)
#sid = resp[0][len("FORM with "):]
environ2 = create_return_form_env("user", "password", "abcd")
resp2 = server.authenticated(environ2, start_response)
print resp2
assert resp2 == ['<html>Could not find session</html>']
def create_provider(self, session_db_factory):
self.provider = Provider(
SERVER_INFO["issuer"],
session_db_factory(SERVER_INFO["issuer"]),
self.CDB,
AUTHN_BROKER,
USERINFO,
AUTHZ,
verify_client,
SYMKEY,
urlmap=URLMAP,
keyjar=KEYJAR,
)
self.provider.baseurl = self.provider.name
self.provider.logout_verify_url = "https://127.0.0.1/logout_verify.html"
self.cons = Consumer(
DictSessionBackend(),
CONSUMER_CONFIG.copy(),
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
self.cons.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self.cons.keyjar[""] = KC_RSA
self.cons.keyjar.import_jwks(self.provider.keyjar.export_jwks(),
self.cons.issuer)
self.cons2 = Consumer({},
CONSUMER_CONFIG.copy(),
CLIENT_CONFIG_2,
server_info=SERVER_INFO)
self.cons2.behaviour = {
"request_object_signing_alg": DEF_SIGN_ALG["openid_request_object"]
}
self.cons2.keyjar[""] = KC_RSA
def test_complete_secret_auth():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
del consumer.config["password"]
args = {
"client_id": consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state,
request_args=args)
assert result.status_code == 302
assert result.headers["location"].startswith(consumer.redirect_uris[0])
_, query = result.headers["location"].split("?")
consumer.parse_response(AuthorizationResponse, info=query,
sformat="urlencoded")
resp = consumer.complete(_state)
print resp
assert resp.type() == "AccessTokenResponse"
print resp.keys()
assert _eq(resp.keys(), ['token_type', 'state', 'access_token',
'scope', 'expires_in', 'refresh_token'])
assert resp["state"] == _state
def test_provider_config():
c = Consumer(None, None)
mfos = MyFakeOICServer("http://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request
principal = "*****@*****.**"
res = c.discover(principal)
info = c.provider_config(res)
assert info.type() == "ProviderConfigurationResponse"
print info.keys()
assert _eq(info.keys(), ['registration_endpoint', u'check_session_endpoint',
u'refresh_session_endpoint', 'scopes_supported',
'subject_types_supported',
'token_endpoint_auth_methods_supported',
'id_token_signing_alg_values_supported',
u'flows_supported', 'version',
u'identifiers_supported', u'user_info_endpoint',
'response_types_supported', 'end_session_endpoint',
'authorization_endpoint', u'discovery_endpoint',
'token_endpoint', 'x509_url', 'issuer'])
assert info["end_session_endpoint"] == "http://example.com/end_session"
def test_server_authenticated():
server = provider_init
_session_db = {}
cons = Consumer(_session_db, CONSUMER_CONFIG, CLIENT_CONFIG,
server_info=SERVER_INFO, )
cons.debug = True
cons.keyjar[""] = KC_RSA
location = cons.begin("openid", "code", path="http://localhost:8087")
QUERY_STRING = location.split("?")[1]
print QUERY_STRING
resp = server.authorization_endpoint(request=QUERY_STRING)
print resp.message
assert resp.message.startswith("http://localhost:8087/authz")
part = cons.parse_authz(query=location)
aresp = part[0]
assert part[1] is None
assert part[2] is None
#aresp = client.parse_response(AuthorizationResponse, location,
# format="urlencoded",
# state="id-6da9ca0cc23959f5f33e8becd9b08cae")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), ['request', 'state', 'redirect_uri',
'response_type', 'client_id', 'claims', 'scope'])
print cons.grant[cons.state].keys()
assert _eq(cons.grant[cons.state].keys(), ['tokens', 'id_token', 'exp_in',
'seed', 'grant_expiration_time'])
def test_client_register_token(self):
c = Consumer(None, None)
c.application_type = "web"
c.application_name = "My super service"
c.redirect_uris = ["https://example.com/authz"]
c.contact = ["*****@*****.**"]
client_info = {"client_id": "clientid", "redirect_uris": ["https://example.com/authz"]}
with responses.RequestsMock() as rsps:
rsps.add(rsps.POST, "https://provider.example.com/registration/", json=client_info)
c.register("https://provider.example.com/registration/", registration_token="initial_registration_token")
header = rsps.calls[0].request.headers['Authorization'].decode()
assert header == "Bearer aW5pdGlhbF9yZWdpc3RyYXRpb25fdG9rZW4="
def init_oic(self):
self.scopes = ["openid","profile","email"]
db = SessionStore(self.db)
client = Consumer(db, consumer_config, client_config=client_config)
client.allow['issuer_mismatch'] = True
client.provider_info = client.provider_config(self.provider)
providers = self.db.oic_registration.filter(None, {'issuer':self.provider})
assert len(providers) == 1
provider = self.db.oic_registration.getnode(providers[0])
client_reg = RegistrationResponse(client_id=provider['client_id'],
client_secret=provider['client_secret'])
client.store_registration_info(client_reg)
return client
def test_server_authenticated_2():
server = provider_init
server.baseurl = server.name
_session_db = {}
cons = Consumer(
_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
cons.debug = True
cons.keyjar[""] = KC_RSA
_state, location = cons.begin(scope="openid email claims_in_id_token",
response_type="code id_token",
path="http://localhost:8087")
print location
resp = server.authorization_endpoint(request=location.split("?")[1])
print resp.message
part = cons.parse_authz(resp.message)
print part
aresp = part[0]
assert part[1] is None
assert part[2] is not None
#aresp = cons.parse_response(AuthorizationResponse, location,
# sformat="urlencoded")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token'])
print cons.grant[_state].keys()
assert _eq(cons.grant[_state].keys(), [
'code', 'id_token', 'tokens', 'exp_in', 'grant_expiration_time', 'seed'
])
id_token = part[2]
assert isinstance(id_token, IdToken)
print id_token.keys()
assert _eq(id_token.keys(), [
'nonce', 'c_hash', 'sub', 'iss', 'acr', 'exp', 'auth_time', 'iat',
'aud'
])
def test_server_authenticated():
server = provider_init
_session_db = {}
cons = Consumer(
_session_db,
CONSUMER_CONFIG,
CLIENT_CONFIG,
server_info=SERVER_INFO,
)
cons.debug = True
cons.keyjar[""] = KC_RSA
_state, location = cons.begin("openid",
"code",
path="http://localhost:8087")
QUERY_STRING = location.split("?")[1]
print QUERY_STRING
resp = server.authorization_endpoint(request=QUERY_STRING)
print resp.message
assert resp.message.startswith("http://localhost:8087/authz")
part = cons.parse_authz(query=location)
aresp = part[0]
assert part[1] is None
assert part[2] is None
#aresp = client.parse_response(AuthorizationResponse, location,
# format="urlencoded",
# state="id-6da9ca0cc23959f5f33e8becd9b08cae")
print aresp.keys()
assert aresp.type() == "AuthorizationResponse"
assert _eq(aresp.keys(), [
'request', 'state', 'redirect_uri', 'response_type', 'client_id',
'claims', 'scope'
])
print cons.grant[_state].keys()
assert _eq(cons.grant[_state].keys(), [
'code', 'tokens', 'id_token', 'exp_in', 'seed', 'grant_expiration_time'
])
def test_faulty_idtoken_from_accesstoken_endpoint():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MITMServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.client_secret = "hemlig"
consumer.secret_type = "basic"
consumer.config["response_type"] = ["id_token"]
args = {
"client_id": consumer.client_id,
"response_type": consumer.config["response_type"],
"scope": ["openid"],
}
result = consumer.do_authorization_request(state=_state, request_args=args)
consumer._backup("state0")
assert result.status_code == 302
# assert result.location.startswith(consumer.redirect_uri[0])
_, query = result.headers["location"].split("?")
print query
try:
consumer.parse_authz(query=query)
except BadSignature:
pass
else:
assert False
def test_client_register():
c = Consumer(None, None)
c.application_type = "web"
c.application_name = "My super service"
c.redirect_uris = ["http://example.com/authz"]
c.contact = ["*****@*****.**"]
mfos = MyFakeOICServer("http://example.com")
mfos.keyjar = SRVKEYS
c.http_request = mfos.http_request
location = c.discover("*****@*****.**")
info = c.provider_config(location)
c.register(info["registration_endpoint"])
assert c.client_id is not None
assert c.client_secret is not None
assert c.registration_expires > utc_time_sans_frac()
def test_sign_userinfo():
consumer = Consumer(SessionDB(SERVER_INFO["issuer"]), CONFIG,
CLIENT_CONFIG, SERVER_INFO)
consumer.keyjar = CLIKEYS
mfos = MyFakeOICServer("http://localhost:8088")
mfos.keyjar = SRVKEYS
mfos.userinfo_signed_response_alg = "RS256"
consumer.http_request = mfos.http_request
consumer.redirect_uris = ["http://example.com/authz"]
_state = "state0"
consumer.nonce = rndstr()
consumer.secret_type = "basic"
consumer.set_client_secret("hemligt")
consumer.keyjar = CLIKEYS
consumer.client_prefs = {"userinfo_signed_response_alg": "RS256"}
consumer.provider_info = {
"userinfo_endpoint": "http://localhost:8088/userinfo",
"issuer": "http://localhost:8088/"
}
del consumer.config["request_method"]
args = {
"client_id": consumer.client_id,
"response_type": "code",
"scope": ["openid"],
}
sid, location = consumer.begin("openid", "code")
print location
result = consumer.do_authorization_request(state=_state, request_args=args)
assert result.status_code == 302
assert result.headers["location"].startswith(consumer.redirect_uris[0])
_, query = result.headers["location"].split("?")
consumer.parse_response(AuthorizationResponse,
info=query,
sformat="urlencoded")
consumer.complete(_state)
result = consumer.get_user_info(_state)
print result
assert result.type() == "OpenIDSchema"
assert _eq(result.keys(), ['name', 'email', 'verified', 'nickname', 'sub'])
