Esempio n. 1
0
def assertion_jwt(cli, keys, audience, algorithm):
    _now = utc_now()

    at = AuthnToken(iss=cli.client_id, sub=cli.client_id,
                    aud=audience, jti=rndstr(8),
                    exp=_now + 600, iat=_now)
    return at.to_jwt(key=keys, algorithm=algorithm)
Esempio n. 2
0
def assertion_jwt(cli, keys, audience, algorithm):
    _now = utc_now()

    at = AuthnToken(iss = cli.client_id, sub = cli.client_id,
                    aud = audience, jti = rndstr(8),
                    exp = _now+600, iat = _now)
    return at.to_jwt(key=keys, algorithm=algorithm)
Esempio n. 3
0
    def authenticated_as(self, cookie=None, authorization="", **kwargs):
        """

        :param cookie: A HTTP Cookie
        :param authorization: The HTTP Authorization header
        :param args: extra args
        :param kwargs: extra key word arguments
        :return:
        """

        return {"uid": self.user}, utc_now()
Esempio n. 4
0
def test_sub_to_authn_event():
    sdb = SessionDB(BASE_URL)
    ae2 = AuthnEvent("sub", time_stamp=utc_now())
    sid = sdb.create_authz_session(ae2, AREQ)
    sub = sdb.do_sub(sid)

    # given the sub find out weather the authn event is still valid

    sids = sdb.sub2sid[sub]
    ae = sdb[sids[0]]["authn_event"]
    assert ae.valid()
Esempio n. 5
0
    def __init__(self, uid, valid=3600, authn_info=None, time_stamp=0):
        """
        Creates a representation of an authentication event.

        :param uid: The local user identifier
        :param valid: How long the authentication is expected to be valid
        :param authn_info: Info about the authentication event
        :return:
        """
        self.uid = uid
        self.authn_time = int(time_stamp) or utc_now()
        self.valid_until = self.authn_time + int(valid)
        self.authn_info = authn_info
Esempio n. 6
0
    def authenticated_as(self, cookie=None, authorization="", **kwargs):
        """

        :param cookie: A HTTP Cookie
        :param authorization: The HTTP Authorization header
        :param args: extra args
        :param kwargs: extra key word arguments
        :return:
        """
        (encmsg, iv) = base64.b64decode(authorization).split(":")
        try:
            user = aes.decrypt(self.symkey, encmsg, iv)
        except (AssertionError, KeyError):
            raise FailedAuthentication("Decryption failed")

        return {"uid": user}, utc_now()
Esempio n. 7
0
    def authenticated_as(self, cookie=None, authorization="", **kwargs):
        """

        :param cookie: A HTTP Cookie
        :param authorization: The HTTP Authorization header
        :param args: extra args
        :param kwargs: extra key word arguments
        :return:
        """
        if authorization.startswith("Basic"):
            authorization = authorization[6:]

        (user, pwd) = base64.b64decode(authorization).split(":")
        user = urllib.unquote(user)
        self.verify_password(user, pwd)
        return {"uid": user}, utc_now()
Esempio n. 8
0
    def make_id_token(self, session, loa="2", issuer="",
                      alg="RS256", code=None, access_token=None,
                      user_info=None):
        """

        :param session: Session information
        :param loa: Level of Assurance/Authentication context
        :param issuer: My identifier
        :param alg: Which signing algorithm to use for the IdToken
        :param code: Access grant
        :param access_token: Access Token
        :param user_info: If user info are to be part of the IdToken
        :return: IDToken instance
        """
        #defaults
        inawhile = {"days": 1}
        # Handle the idtoken_claims
        extra = {}
        itc = self.id_token_claims(session)
        if itc:
            try:
                inawhile = {"seconds": itc["max_age"]}
            except KeyError:
                inawhile = {}
            if "claims" in itc:
                for key, val in itc["claims"].items():
                    if key == "auth_time":
                        extra["auth_time"] = time_util.utc_time_sans_frac()
                    elif key == "acr":
                        #["2","http://id.incommon.org/assurance/bronze"]
                        extra["acr"] = verify_acr_level(val, loa)

        if user_info is None:
            _args = {}
        else:
            _args = user_info.to_dict()

        # Make sure that there are no name clashes
        for key in ["iss", "sub", "aud", "exp", "acr", "nonce",
                    "auth_time"]:
            try:
                del _args[key]
            except KeyError:
                pass

        halg = "HS%s" % alg[-3:]

        if code:
            _args["c_hash"] = jws.left_hash(code, halg)
        if access_token:
            _args["at_hash"] = jws.left_hash(access_token, halg)

        idt = IdToken(iss=issuer, sub=session["sub"],
                      aud = session["client_id"],
                      exp = time_util.epoch_in_a_while(**inawhile), acr=loa,
                      iat = time_util.utc_now(),
                      **_args)

        for key, val in extra.items():
            idt[key] = val

        if "nonce" in session:
            idt.nonce = session["nonce"]

        return idt
Esempio n. 9
0
 def authenticated_as(self, cookie=None, **kwargs):
     if cookie == "FAIL":
         return None, 0
     else:
         return {"uid": self.user}, utc_now()
Esempio n. 10
0
    def make_id_token(self,
                      session,
                      loa="2",
                      issuer="",
                      alg="RS256",
                      code=None,
                      access_token=None,
                      user_info=None,
                      auth_time=0):
        """

        :param session: Session information
        :param loa: Level of Assurance/Authentication context
        :param issuer: My identifier
        :param alg: Which signing algorithm to use for the IdToken
        :param code: Access grant
        :param access_token: Access Token
        :param user_info: If user info are to be part of the IdToken
        :return: IDToken instance
        """
        #defaults
        inawhile = {"days": 1}
        # Handle the idtoken_claims
        extra = {}
        itc = self.id_token_claims(session)
        if itc:
            try:
                inawhile = {"seconds": itc["max_age"]}
            except KeyError:
                inawhile = {}
            for key, val in itc.items():
                if key == "auth_time":
                    extra["auth_time"] = auth_time
                elif key == "acr":
                    #["2","http://id.incommon.org/assurance/bronze"]
                    extra["acr"] = verify_acr_level(val, loa)

        if user_info is None:
            _args = {}
        else:
            try:
                _args = user_info.to_dict()
            except AttributeError:
                _args = user_info

        # Make sure that there are no name clashes
        for key in ["iss", "sub", "aud", "exp", "acr", "nonce", "auth_time"]:
            try:
                del _args[key]
            except KeyError:
                pass

        halg = "HS%s" % alg[-3:]

        if code:
            _args["c_hash"] = jws.left_hash(code, halg)
        if access_token:
            _args["at_hash"] = jws.left_hash(access_token, halg)

        idt = IdToken(iss=issuer,
                      sub=session["sub"],
                      aud=session["client_id"],
                      exp=time_util.epoch_in_a_while(**inawhile),
                      acr=loa,
                      iat=time_util.utc_now(),
                      **_args)

        for key, val in extra.items():
            idt[key] = val

        if "nonce" in session:
            idt["nonce"] = session["nonce"]

        return idt
Esempio n. 11
0
    def set_cookie(self, kaka):
        """PLaces a cookie (a cookielib.Cookie based on a set-cookie header
        line) in the cookie jar.
        Always chose the shortest expires time.
        """

        # default rfc2109=False
        # max-age, httponly
        for cookie_name, morsel in kaka.items():
            std_attr = ATTRS.copy()
            std_attr["name"] = cookie_name
            _tmp = morsel.coded_value
            if _tmp.startswith('"') and _tmp.endswith('"'):
                std_attr["value"] = _tmp[1:-1]
            else:
                std_attr["value"] = _tmp

            std_attr["version"] = 0
            attr = ""
            # copy attributes that have values
            try:
                for attr in morsel.keys():
                    if attr in ATTRS:
                        if morsel[attr]:
                            if attr == "expires":
                                _expires = _since_epoch(morsel[attr])
                                if std_attr["expires"] > _expires:
                                    std_attr["expires"] = _expires
                                else:
                                    std_attr["expires"] = _expires
                            else:
                                std_attr[attr] = morsel[attr]
                    elif attr == "max-age":
                        if morsel[attr]:
                            # max-age is in seconds since received
                            now = utc_now()
                            _expires = now + int(morsel[attr])
                            if std_attr["expires"] > _expires:
                                std_attr["expires"] = _expires
                            else:
                                std_attr["expires"] = _expires
            except TimeFormatError:
                # Ignore cookie
                logger.info(
                    "Time format error on %s parameter in received cookie" % (
                        attr,))
                continue

            for att, spec in PAIRS.items():
                if std_attr[att]:
                    std_attr[spec] = True

            if std_attr["domain"] and std_attr["domain"].startswith("."):
                std_attr["domain_initial_dot"] = True

            if morsel["max-age"] is 0:
                try:
                    self.cookiejar.clear(domain=std_attr["domain"],
                                         path=std_attr["path"],
                                         name=std_attr["name"])
                except ValueError:
                    pass
            else:
                # Fix for Microsoft cookie error
                if "version" in std_attr:
                    try:
                        std_attr["version"] = std_attr["version"].split(",")[0]
                    except (TypeError, AttributeError):
                        pass
                    
                new_cookie = cookielib.Cookie(**std_attr)

                self.cookiejar.set_cookie(new_cookie)
 def authenticated_as(self, cookie=None, **kwargs):
     return {"uid": self.user}, utc_now()
Esempio n. 13
0
def assertion_jwt(cli, keys, audience, algorithm=OIC_DEF_SIGN_ALG):
    at = AuthnToken(iss = cli.client_id, prn = cli.client_id,
                    aud = audience, jti = rndstr(8),
                    exp = int(epoch_in_a_while(minutes=10)), iat = utc_now())
    return at.to_jwt(key=keys, algorithm=algorithm)