def test_faulty_idtoken():
idval = {
'nonce': 'KUEYfRM2VzKDaaKD',
'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de',
'exp': 1420823073,
'iat': 1420822473,
'aud': 'TestClient'
}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
#Mess with the signed id_token
p = _signed_jwt.split(".")
p[2] = "aaa"
_faulty_signed_jwt = ".".join(p)
_info = {
"access_token": "accessTok",
"id_token": _faulty_signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
# Should fail
at = AccessTokenResponse(**_info)
try:
at.verify(key=[key])
except BadSignature:
pass
else:
raise
def test_faulty_idtoken(self):
_now = time_util.utc_time_sans_frac()
idval = {
'nonce': 'KUEYfRM2VzKDaaKD',
'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de',
'exp': _now + 3600,
'iat': _now,
'aud': 'TestClient'
}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
# Mess with the signed id_token
p = _signed_jwt.split(".")
p[2] = "aaa"
_faulty_signed_jwt = ".".join(p)
_info = {
"access_token": "accessTok",
"id_token": _faulty_signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
at = AccessTokenResponse(**_info)
with pytest.raises(BadSignature):
at.verify(key=[key])
def test_wrong_alg():
idval = {
'nonce': 'KUEYfRM2VzKDaaKD',
'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de',
'exp': 1420823073,
'iat': 1420822473,
'aud': 'TestClient'
}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
_info = {
"access_token": "accessTok",
"id_token": _signed_jwt,
"token_type": "Bearer",
"expires_in": 3600
}
at = AccessTokenResponse(**_info)
try:
at.verify(key=[key], algs={"sign": "HS512"})
except WrongSigningAlgorithm:
pass
def test_wrong_alg(self):
idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073,
'iat': 1420822473, 'aud': 'TestClient'}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
_info = {"access_token": "accessTok", "id_token": _signed_jwt,
"token_type": "Bearer", "expires_in": 3600}
at = AccessTokenResponse(**_info)
with pytest.raises(WrongSigningAlgorithm):
at.verify(key=[key], algs={"sign": "HS512"})
def test_wrong_alg(self):
_now = time_util.utc_time_sans_frac()
idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de', 'exp': _now + 3600,
'iat': _now, 'aud': 'TestClient'}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
_info = {"access_token": "accessTok", "id_token": _signed_jwt,
"token_type": "Bearer", "expires_in": 3600}
at = AccessTokenResponse(**_info)
with pytest.raises(WrongSigningAlgorithm):
at.verify(key=[key], algs={"sign": "HS512"})
def test_make_id_token(self):
self.srv.keyjar["http://oic.example/rp"] = KC_RSA
session = {"sub": "user0",
"client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
_idt = self.srv.make_id_token(session, loa="2", issuer=issuer,
code=code, access_token="access_token")
algo = "RS256"
ckey = self.srv.keyjar.get_signing_key(alg2keytype(algo),
session["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256")
idt = IdToken().from_jwt(_signed_jwt, keyjar=self.srv.keyjar)
_jwt = JWT().unpack(_signed_jwt)
lha = left_hash(code.encode("utf-8"),
func="HS" + _jwt.headers["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=_signed_jwt,
access_token="access_token",
token_type="Bearer")
atr["code"] = code
assert atr.verify(keyjar=self.srv.keyjar)
def test_make_id_token():
srv = Server()
srv.keyjar = KEYJ
srv.keyjar["http://oic.example/rp"] = KC_RSA
session = {"sub": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
_idt = srv.make_id_token(session,
loa="2",
issuer=issuer,
code=code,
access_token="access_token")
algo = "RS256"
ckey = srv.keyjar.get_signing_key(alg2keytype(algo), session["client_id"])
_signed_jwt = _idt.to_jwt(key=ckey, algorithm="RS256")
idt = IdToken().from_jwt(_signed_jwt, keyjar=srv.keyjar)
print idt
header = unpack(_signed_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=_signed_jwt,
access_token="access_token",
token_type="Bearer")
atr["code"] = code
assert atr.verify(keyjar=srv.keyjar)
def test_construct_EndSessionRequest_kwargs_and_reqargs_state(self):
self.client.grant["foo"] = Grant()
self.client.grant["foo"].grant_expiration_time = int(time.time()) + 60
self.client.grant["foo"].code = "access_code"
# Need a proper ID Token
self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S)
_sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"])
_signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256")
resp = AccessTokenResponse(
id_token=_signed_jwt,
access_token="access",
scope=["openid"],
token_type="bearer",
)
assert resp.verify(keyjar=self.client.keyjar)
self.client.grant["foo"].tokens.append(Token(resp))
# state both in request_args and kwargs
args = {"redirect_url": "http://example.com/end", "state": "req_args_state"}
esr = self.client.construct_EndSessionRequest(state="foo", request_args=args)
assert _eq(esr.keys(), ["id_token", "state", "redirect_url"])
assert esr["state"] == "req_args_state"
def make_refresh_request(self, refresh_token):
request_args = {
'grant_type': 'refresh_token',
'refresh_token': refresh_token,
}
resp = self.app.test_client().post('/token', data=request_args, headers=self.create_basic_auth_header())
assert resp.status_code == 200
token_response = AccessTokenResponse().from_json(resp.data.decode('utf-8'))
assert token_response.verify()
return token_response
def test_faulty_idtoken(self):
idval = {'nonce': 'KUEYfRM2VzKDaaKD', 'sub': 'EndUserSubject',
'iss': 'https://alpha.cloud.nds.rub.de', 'exp': 1420823073,
'iat': 1420822473, 'aud': 'TestClient'}
idts = IdToken(**idval)
key = SYMKey(key="TestPassword")
_signed_jwt = idts.to_jwt(key=[key], algorithm="HS256")
# Mess with the signed id_token
p = _signed_jwt.split(".")
p[2] = "aaa"
_faulty_signed_jwt = ".".join(p)
_info = {"access_token": "accessTok", "id_token": _faulty_signed_jwt,
"token_type": "Bearer", "expires_in": 3600}
at = AccessTokenResponse(**_info)
with pytest.raises(BadSignature):
at.verify(key=[key])
def make_code_exchange_request(self, code):
request_args = {
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': TEST_REDIRECT_URI
}
resp = self.app.test_client().post('/token', data=request_args, headers=self.create_basic_auth_header())
assert resp.status_code == 200
token_response = AccessTokenResponse().from_json(resp.data.decode('utf-8'))
assert token_response.verify(key=[self.app.provider.signing_key])
return token_response
def test_make_id_token():
srv = Server(KEYS)
session = {"user_id": "user0", "client_id": "http://oic.example/rp"}
issuer = "http://oic.example/idp"
code = "abcdefghijklmnop"
idt_jwt = srv.make_id_token(session, loa="2", issuer=issuer, code=code, access_token="access_token")
jwt_keys = srv.keystore.get_keys("ver", owner=None)
idt = IdToken().from_jwt(idt_jwt, key=jwt_keys)
print idt
header = unpack(idt_jwt)
lha = left_hash(code, func="HS" + header[0]["alg"][-3:])
assert lha == idt["c_hash"]
atr = AccessTokenResponse(id_token=idt_jwt, access_token="access_token", token_type="Bearer")
atr["code"] = code
assert atr.verify(key=jwt_keys)
def test_construct_CheckSessionRequest_2(self):
self.client.grant["foo"] = Grant()
self.client.grant["foo"].grant_expiration_time = int(time.time() + 60)
self.client.grant["foo"].code = "access_code"
# Need a proper ID Token
self.client.keyjar.add_kb(IDTOKEN["iss"], KC_SYM_S)
_sig_key = self.client.keyjar.get_signing_key("oct", IDTOKEN["iss"])
_signed_jwt = IDTOKEN.to_jwt(_sig_key, algorithm="HS256")
resp = AccessTokenResponse(
id_token=_signed_jwt,
access_token="access",
scope=["openid"],
token_type="bearer",
)
assert resp.verify(keyjar=self.client.keyjar)
self.client.grant["foo"].tokens.append(Token(resp))
csr = self.client.construct_CheckSessionRequest(state="foo", scope=["openid"])
assert csr["id_token"] == _signed_jwt
def test_token_type(self):
# lacks required token_type parameter
_info = {"access_token": "accessTok", "id_token": "blabla"}
at = AccessTokenResponse(**_info)
with pytest.raises(MissingRequiredAttribute):
at.verify()
def test_token_type(self):
# lacks required token_type parameter
_info = {"access_token": "accessTok", "id_token": "blabla"}
at = AccessTokenResponse(**_info)
with pytest.raises(MissingRequiredAttribute):
at.verify()
