def authorization(environ, start_response, session_info, events, jlog,
**kwargs):
events.store(EV_REQUEST, Operation("Authorization"))
_op = session_info["op"]
logger.info('OP keys:{}'.format(key_summary(_op.keyjar, '')))
return wsgi_wrapper(environ, start_response, _op.authorization_endpoint,
session_info, events, jlog)
def _add_key(self, keyjar, issuer, key, key_type='', kid='',
no_kid_issuer=None):
if issuer not in keyjar:
logger.error('Issuer "{}" not in keyjar'.format(issuer))
return
logger.debug('Key set summary for {}: {}'.format(
issuer, key_summary(keyjar, issuer)))
if kid:
_key = keyjar.get_key_by_kid(kid, issuer)
if _key and _key not in key:
key.append(_key)
return
else:
try:
kl = keyjar.get_verify_key(owner=issuer, key_type=key_type)
except KeyError:
pass
else:
if len(kl) == 1:
if kl[0] not in key:
key.append(kl[0])
elif no_kid_issuer:
try:
allowed_kids = no_kid_issuer[issuer]
except KeyError:
return
else:
if allowed_kids:
key.extend([k for k in kl if k.kid in allowed_kids])
else:
key.extend(kl)
def authorization(environ, start_response, session_info, events, jlog,
**kwargs):
events.store(EV_REQUEST, Operation("Authorization"))
_op = session_info["op"]
logger.info('OP keys:{}'.format(key_summary(_op.keyjar, '')))
return wsgi_wrapper(environ, start_response, _op.authorization_endpoint,
session_info, events, jlog)
def _add_key(self, keyjar, issuer, key, key_type='', kid='',
no_kid_issuer=None):
if issuer not in keyjar:
logger.error('Issuer "{}" not in keyjar'.format(issuer))
return
logger.debug('Key set summary for {}: {}'.format(
issuer, key_summary(keyjar, issuer)))
if kid:
_key = keyjar.get_key_by_kid(kid, issuer)
if _key and _key not in key:
key.append(_key)
return
else:
try:
kl = keyjar.get_verify_key(owner=issuer, key_type=key_type)
except KeyError:
pass
else:
if len(kl) == 1:
if kl[0] not in key:
key.append(kl[0])
elif no_kid_issuer:
try:
allowed_kids = no_kid_issuer[issuer]
except KeyError:
return
else:
if allowed_kids:
key.extend([k for k in kl if k.kid in allowed_kids])
else:
key.extend(kl)
def op_info(environ, start_response, session_info, events, jlog, **kwargs):
_ev = Operation("ProviderConfiguration", path=environ["PATH_INFO"])
try:
_ev.query = environ["QUERY_STRING"]
except KeyError:
pass
events.store(EV_REQUEST, _ev)
_op = session_info["op"]
logger.info('OP keys:{}'.format(key_summary(_op.keyjar, '')))
return wsgi_wrapper(environ, start_response, _op.providerinfo_endpoint,
session_info, events, jlog)
def op_info(environ, start_response, session_info, events, jlog, **kwargs):
_ev = Operation("ProviderConfiguration", path=environ["PATH_INFO"])
try:
_ev.query = environ["QUERY_STRING"]
except KeyError:
pass
events.store(EV_REQUEST, _ev)
_op = session_info["op"]
logger.info('OP keys:{}'.format(key_summary(_op.keyjar, '')))
return wsgi_wrapper(environ, start_response, _op.providerinfo_endpoint,
session_info, events, jlog)
def get(self, oper_id, test_id, events, endpoint):
# addr = get_client_address(environ)
key = path = '{}/{}'.format(oper_id, test_id)
try:
_op = self.op[key]
_op.events = events
if endpoint == '.well-known/openid-configuration':
if test_id == 'rp-key-rotation-op-sign-key-native':
pass
elif test_id == 'rp-id_token-kid-absent-multiple-jwks':
setattr(_op, 'keys', self.op_args['marg']['keys'])
_op_args = {
'baseurl': self.op_args['baseurl'],
'jwks': self.op_args['marg']['jwks']
}
write_jwks_uri(_op, _op_args, self.folder)
else:
init_keyjar(_op, self.op_args['keyjar'], self.com_args)
_kj = _op.keyjar.export_jwks(True, '')
_op.keyjar.import_jwks(_kj, _op.name)
write_jwks_uri(_op, self.op_args, self.folder)
except KeyError:
if test_id in ['rp-id_token-kid-absent-multiple-jwks']:
_op_args = {}
for param in [
'baseurl', 'cookie_name', 'cookie_ttl', 'endpoints'
]:
_op_args[param] = self.op_args[param]
for param in ["jwks", "keys"]:
_op_args[param] = self.op_args["marg"][param]
_op = self.setup_op(oper_id, test_id, self.com_args, _op_args,
self.test_conf, events)
else:
_op = self.setup_op(oper_id, test_id, self.com_args,
self.op_args, self.test_conf, events)
if test_id.startswith('rp-init-logout-session'):
_csi = self.check_session_iframe.replace(
'<PATH>', '{}/{}'.format(oper_id, test_id))
_op.capabilities['check_session_iframe'] = _csi
elif test_id.startswith('rp-backchannel-'):
_op.capabilities['backchannel_logout_supported'] = True
_op.capabilities[
'backchannel_logout_session_supported'] = True
elif test_id.startswith('rp-frontchannel-'):
_op.capabilities['frontchannel_logout_supported'] = True
_op.capabilities[
'frontchannel_logout_session_supported'] = True
_op.conv = Conversation(test_id, _op, None)
_op.orig_keys = key_summary(_op.keyjar, '').split(', ')
self.op[key] = _op
return _op, path, key
def _add_key(self, keyjar, issuer, key, key_type=""):
try:
logger.debug("Key set summary for {}: {}".format(issuer, key_summary(keyjar, issuer)))
except KeyError:
logger.error('Issuer "{}" not in keyjar'.format(issuer))
try:
kl = keyjar.get_verify_key(owner=issuer, key_type=key_type)
except KeyError:
pass
else:
for k in kl:
if k not in key:
key.append(k)
def _add_key(self, keyjar, issuer, key, key_type=''):
try:
logger.debug('Key set summary for {}: {}'.format(
issuer, key_summary(keyjar, issuer)))
except KeyError:
logger.error('Issuer "{}" not in keyjar'.format(issuer))
try:
kl = keyjar.get_verify_key(owner=issuer, key_type=key_type)
except KeyError:
pass
else:
for k in kl:
if k not in key:
key.append(k)
def get(self, oper_id, test_id, events, endpoint):
# addr = get_client_address(environ)
key = path = '{}/{}'.format(oper_id, test_id)
try:
_op = self.op[key]
_op.events = events
if endpoint == '.well-known/openid-configuration':
init_keyjar(_op, self.op_args['keyjar'], self.com_args)
write_jwks_uri(_op, self.op_args, self.folder)
except KeyError:
_op = self.setup_op(oper_id, test_id, self.com_args, self.op_args,
self.test_conf, events)
_op.conv = Conversation(test_id, _op, None)
_op.orig_keys = key_summary(_op.keyjar, '').split(', ')
self.op[key] = _op
return _op, path, key
def get(self, oper_id, test_id, events, endpoint):
# addr = get_client_address(environ)
key = path = '{}/{}'.format(oper_id, test_id)
try:
_op = self.op[key]
_op.events = events
if endpoint == '.well-known/openid-configuration':
if test_id == 'rp-key-rotation-op-sign-key-native':
pass
elif test_id == 'rp-id_token-kid-absent-multiple-jwks':
setattr(_op, 'keys', self.op_args['marg']['keys'])
_op_args = {
'baseurl': self.op_args['baseurl'],
'jwks': self.op_args['marg']['jwks']
}
write_jwks_uri(_op, _op_args, self.folder)
else:
init_keyjar(_op, self.op_args['keyjar'], self.com_args)
write_jwks_uri(_op, self.op_args, self.folder)
except KeyError:
if test_id in ['rp-id_token-kid-absent-multiple-jwks']:
_op_args = {}
for param in [
'baseurl', 'cookie_name', 'cookie_ttl', 'endpoints'
]:
_op_args[param] = self.op_args[param]
for param in ["jwks", "keys"]:
_op_args[param] = self.op_args["marg"][param]
_op = self.setup_op(oper_id, test_id, self.com_args, _op_args,
self.test_conf, events)
else:
_op = self.setup_op(oper_id, test_id, self.com_args,
self.op_args, self.test_conf, events)
_op.conv = Conversation(test_id, _op, None)
_op.orig_keys = key_summary(_op.keyjar, '').split(', ')
self.op[key] = _op
return _op, path, key
def op_setup(self, environ, mode, events, test_conf, endpoint):
addr = get_client_address(environ)
path = '/'.join([mode['oper_id'], mode['test_id']])
key = "{}:{}".format(addr, path)
# LOGGER.debug("OP key: {}".format(key))
try:
_op = self.op[key]
_op.events = events
if endpoint == '.well-known/openid-configuration':
if mode["test_id"] == 'rp-id_token-kid-absent-multiple-jwks':
setattr(_op, 'keys', self.op_args['marg']['keys'])
_op_args = {
'baseurl': self.op_args['baseurl'],
'jwks': self.op_args['marg']['jwks']
}
write_jwks_uri(_op, _op_args)
else:
init_keyjar(_op, self.op_args['keyjar'], self.com_args)
write_jwks_uri(_op, self.op_args)
except KeyError:
if mode["test_id"] in ['rp-id_token-kid-absent-multiple-jwks']:
_op_args = {}
for param in ['baseurl', 'cookie_name', 'cookie_ttl',
'endpoints']:
_op_args[param] = self.op_args[param]
for param in ["jwks", "keys"]:
_op_args[param] = self.op_args["marg"][param]
_op = setup_op(mode, self.com_args, _op_args, self.test_conf,
events)
else:
_op = setup_op(mode, self.com_args, self.op_args,
self.test_conf, events)
_op.conv = Conversation(mode["test_id"], _op, None)
_op.orig_keys = key_summary(_op.keyjar, '').split(', ')
self.op[key] = _op
return _op, path, key
def get(self, oper_id, test_id, events, endpoint):
# addr = get_client_address(environ)
key = path = '{}/{}'.format(oper_id, test_id)
try:
_op = self.op[key]
_op.events = events
if endpoint == '.well-known/openid-configuration':
if test_id == 'rp-key-rotation-op-sign-key-native':
pass
elif test_id == 'rp-id_token-kid-absent-multiple-jwks':
setattr(_op, 'keys', self.op_args['marg']['keys'])
_op_args = {
'baseurl': self.op_args['baseurl'],
'jwks': self.op_args['marg']['jwks']
}
write_jwks_uri(_op, _op_args, self.folder)
else:
init_keyjar(_op, self.op_args['keyjar'], self.com_args)
write_jwks_uri(_op, self.op_args, self.folder)
except KeyError:
if test_id in ['rp-id_token-kid-absent-multiple-jwks']:
_op_args = {}
for param in ['baseurl', 'cookie_name', 'cookie_ttl',
'endpoints']:
_op_args[param] = self.op_args[param]
for param in ["jwks", "keys"]:
_op_args[param] = self.op_args["marg"][param]
_op = self.setup_op(oper_id, test_id, self.com_args, _op_args,
self.test_conf, events)
else:
_op = self.setup_op(oper_id, test_id, self.com_args,
self.op_args, self.test_conf, events)
_op.conv = Conversation(test_id, _op, None)
_op.orig_keys = key_summary(_op.keyjar, '').split(', ')
self.op[key] = _op
return _op, path, key
def authorization_endpoint(self, request="", cookie=None, **kwargs):
if isinstance(request, dict):
_req = request
else:
_req = {}
for key, val in parse_qs(request).items():
if len(val) == 1:
_req[key] = val[0]
else:
_req[key] = val
# self.events.store(EV_REQUEST, _req)
try:
_scope = _req["scope"]
except KeyError:
return error(
error="incorrect_behavior",
descr="No scope parameter"
)
else:
# verify that openid is among the scopes
_scopes = _scope.split(" ")
if "openid" not in _scopes:
return error(
error="incorrect_behavior",
descr="Scope does not contain 'openid'"
)
client_id = _req["client_id"]
try:
f = response_type_cmp(self.capabilities['response_types_supported'],
_req['response_type'])
except KeyError:
pass
else:
if f is False:
self.events.store(
EV_FAULT,
'Wrong response type: {}'.format(_req['response_type']))
return error_response(error="incorrect_behavior",
descr="Not supported response_type")
_rtypes = _req['response_type'].split(' ')
if 'id_token' in _rtypes:
try:
self._update_client_keys(client_id)
except TestError:
return error(error="incorrect_behavior",
descr="No change in client keys")
if isinstance(request, dict):
request = urlencode(request)
_response = provider.Provider.authorization_endpoint(self, request,
cookie,
**kwargs)
if "rotenc" in self.behavior_type: # Rollover encryption keys
rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()),
use="enc").load_key(RSA.generate(2048))
ec_key = ECKey(kid="rotated_ec_{}".format(time.time()),
use="enc").load_key(P256)
keys = [rsa_key.serialize(private=True),
ec_key.serialize(private=True)]
new_keys = {"keys": keys}
self.events.store("New encryption keys", new_keys)
self.do_key_rollover(new_keys, "%d")
self.events.store("Rotated encryption keys", '')
logger.info(
'Rotated OP enc keys, new set: {}'.format(
key_summary(self.keyjar, '')))
# This is just for logging purposes
try:
_resp = self.server.http_request(_req["request_uri"])
except KeyError:
pass
except requests.ConnectionError as err:
self.events.store(EV_EXCEPTION, err)
err = unwrap_exception(err)
return error_response(error="server_error", descr=err)
else:
if _resp.status_code == 200:
self.events.store(EV_REQUEST,
"Request from request_uri: {}".format(
_resp.text))
return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs):
if isinstance(request, dict):
_req = request
else:
_req = {}
for key, val in parse_qs(request).items():
if len(val) == 1:
_req[key] = val[0]
else:
_req[key] = val
# self.events.store(EV_REQUEST, _req)
try:
_scope = _req["scope"]
except KeyError:
return error_response(
error="incorrect_behavior",
descr="No scope parameter"
)
else:
# verify that openid is among the scopes
_scopes = _scope.split(" ")
if "openid" not in _scopes:
return error_response(
error="incorrect_behavior",
descr="Scope does not contain 'openid'"
)
client_id = _req["client_id"]
try:
f = response_type_cmp(self.capabilities['response_types_supported'],
_req['response_type'])
except KeyError:
pass
else:
if f is False:
self.events.store(
EV_FAULT,
'Wrong response type: {}'.format(_req['response_type']))
return error_response(error="incorrect_behavior",
descr="Not supported response_type")
_rtypes = _req['response_type'].split(' ')
if 'id_token' in _rtypes:
try:
self._update_client_keys(client_id)
except TestError:
return error_response(error="incorrect_behavior",
descr="No change in client keys")
if isinstance(request, dict):
request = urlencode(request)
if "max_age" in _req and _req["max_age"] == "0" and "prompt" in _req and _req["prompt"] == "none":
aresp = {
"error": "login_required",
}
if "state" in _req:
aresp['state'] = _req["state"]
return self.response_mode(_req, False,
aresp=aresp,
redirect_uri=_req['redirect_uri'],
headers={})
else:
_response = provider.Provider.authorization_endpoint(self, request,
cookie,
**kwargs)
if "rotenc" in self.behavior_type: # Rollover encryption keys
rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()),
use="enc").load_key(RSA.generate(2048))
ec_key = ECKey(kid="rotated_ec_{}".format(time.time()),
use="enc").load_key(P256)
keys = [rsa_key.serialize(private=True),
ec_key.serialize(private=True)]
new_keys = {"keys": keys}
self.events.store("New encryption keys", new_keys)
self.do_key_rollover(new_keys, "%d")
self.events.store("Rotated encryption keys", '')
logger.info(
'Rotated OP enc keys, new set: {}'.format(
key_summary(self.keyjar, '')))
# This is just for logging purposes
try:
_resp = self.server.http_request(_req["request_uri"])
except KeyError:
pass
except requests.ConnectionError as err:
self.events.store(EV_EXCEPTION, err)
err = unwrap_exception(err)
return error_response(error="server_error", descr=err)
else:
if _resp.status_code == 200:
self.events.store(EV_REQUEST,
"Request from request_uri: {}".format(
_resp.text))
return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs):
_req = parse_qs(request)
#self.events.store(EV_REQUEST, _req)
try:
_scope = _req["scope"]
except KeyError:
return self._error(
error="incorrect_behavior",
descr="No scope parameter"
)
else:
# verify that openid is among the scopes
_scopes = _scope[0].split(" ")
if "openid" not in _scopes:
return self._error(
error="incorrect_behavior",
descr="Scope does not contain 'openid'"
)
client_id = _req["client_id"][0]
try:
f = response_type_cmp(kwargs['test_cnf']['response_type'],
_req['response_type'])
except KeyError:
pass
else:
if f is False:
self.events.store(
EV_FAULT,
'Wrong response type: {}'.format(_req['response_type']))
return self._error_response(error="incorrect_behavior",
descr="Wrong response_type")
_rtypes = []
for rt in _req['response_type']:
_rtypes.extend(rt.split(' '))
if 'id_token' in _rtypes:
try:
self._update_client_keys(client_id)
except TestError:
return self._error(error="incorrect_behavior",
descr="No change in client keys")
_response = provider.Provider.authorization_endpoint(self, request,
cookie,
**kwargs)
if "rotenc" in self.behavior_type: # Rollover encryption keys
rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()),
use="enc").load_key(RSA.generate(2048))
ec_key = ECKey(kid="rotated_ec_{}".format(time.time()),
use="enc").load_key(P256)
keys = [rsa_key.serialize(private=True),
ec_key.serialize(private=True)]
new_keys = {"keys": keys}
self.events.store("New encryption keys", new_keys)
self.do_key_rollover(new_keys, "%d")
self.events.store("Rotated encryption keys", '')
logger.info(
'Rotated OP enc keys, new set: {}'.format(
key_summary(self.keyjar, '')))
# This is just for logging purposes
try:
_resp = self.server.http_request(_req["request_uri"][0])
except KeyError:
pass
else:
if _resp.status_code == 200:
self.events.store(EV_REQUEST,
"Request from request_uri: {}".format(_resp.text))
return _response
def authorization_endpoint(self, request="", cookie=None, **kwargs):
_req = parse_qs(request)
#self.events.store(EV_REQUEST, _req)
try:
_scope = _req["scope"]
except KeyError:
return self._error(error="incorrect_behavior",
descr="No scope parameter")
else:
# verify that openid is among the scopes
_scopes = _scope[0].split(" ")
if "openid" not in _scopes:
return self._error(error="incorrect_behavior",
descr="Scope does not contain 'openid'")
client_id = _req["client_id"][0]
try:
f = response_type_cmp(kwargs['test_cnf']['response_type'],
_req['response_type'])
except KeyError:
pass
else:
if f is False:
self.events.store(
EV_FAULT,
'Wrong response type: {}'.format(_req['response_type']))
return self._error_response(error="incorrect_behavior",
descr="Wrong response_type")
_rtypes = []
for rt in _req['response_type']:
_rtypes.extend(rt.split(' '))
if 'id_token' in _rtypes:
try:
self._update_client_keys(client_id)
except TestError:
return self._error(error="incorrect_behavior",
descr="No change in client keys")
_response = provider.Provider.authorization_endpoint(
self, request, cookie, **kwargs)
if "rotenc" in self.behavior_type: # Rollover encryption keys
rsa_key = RSAKey(kid="rotated_rsa_{}".format(time.time()),
use="enc").load_key(RSA.generate(2048))
ec_key = ECKey(kid="rotated_ec_{}".format(time.time()),
use="enc").load_key(P256)
keys = [
rsa_key.serialize(private=True),
ec_key.serialize(private=True)
]
new_keys = {"keys": keys}
self.events.store("New encryption keys", new_keys)
self.do_key_rollover(new_keys, "%d")
self.events.store("Rotated encryption keys", '')
logger.info('Rotated OP enc keys, new set: {}'.format(
key_summary(self.keyjar, '')))
# This is just for logging purposes
try:
_resp = self.server.http_request(_req["request_uri"][0])
except KeyError:
pass
else:
if _resp.status_code == 200:
self.events.store(
EV_REQUEST,
"Request from request_uri: {}".format(_resp.text))
return _response
