def get_info(self, requester, path, state=""):
"""
:param requester: requester
"""
resp = self.rs_query(requester, path)
self.trace.append(trace("rs_query", "C<--RS", response=resp))
if resp.status_code == 200:
return Response(resp.text)
if resp.status_code == 401: # No RPT
as_uri = resp.headers["as_uri"]
if as_uri == self.baseurl:
# It's me as it should be, means get a RPT from myself
self.get_aat(requester)
self.get_rpt(requester)
return self.get_info(requester, path, state)
else:
return R2C[500]("Wrong AS")
if resp.status_code == 403: # Permission registered, got ticket
prr = PermissionRegistrationResponse().from_json(resp.text)
kwargs = self.client.create_authorization_data_request(
requester, prr["ticket"])
resp = self.authorization_request_endpoint(
kwargs["data"], kwargs["headers"]["Authorization"])
self.trace.append(
trace("*authorization_request", "C<--AS", response=resp))
if resp.status == "200 OK":
return self.get_info(requester, path)
raise UMAError()
def register_permission(self, resp, requester):
prr = PermissionRegistrationResponse().from_json(resp.text)
kwargs = self.client.create_authorization_data_request(
requester, prr["ticket"])
pre_trace("C-->AS", "authorization_request", **kwargs)
resp = self.srv.authorization_request_endpoint(
kwargs["data"], authn=kwargs["headers"]["Authorization"])
post_trace("C<--AS", **repack_response(resp))
return resp
def do_permission_request(self, prrs):
pat = self.rs_handler.token['PAT']
kwargs = {
"headers": {"Authorization": "Bearer %s" % pat},
"body": prrs}
url = self.client.provider_info["rpt_endpoint"]
resp = self.client.send(url, "POST", **kwargs)
assert resp.status == "201 Created"
return PermissionRegistrationResponse().from_json(resp.message)[
"ticket"]
def permission_registration_endpoint_(self, entity, **kwargs):
"""
The endpoint URI at which the resource server registers a
client-requested permission with the authorization server.
This is a proposed permission waiting for the user to accept it.
"""
request = kwargs["request"]
_ticket = rndstr(24)
logging.debug("Registering permission request: %s" % request)
resp = PermissionRegistrationResponse(ticket=_ticket)
self.permission_requests.add_request(_ticket, request)
return Created(resp.to_json(), content="application/json")
def operation(self, resource, requestor, oper="GET", **kwargs):
"""
:param owner: user identifier
:param requestor: The entity_id of the SP that requests the information
:param attrs: which attributes to return
param kwargs: extra keyword arguments
"""
try:
state = kwargs["state"]
except KeyError:
state = rndstr()
self.client.state[requestor] = state
try:
authn_method = kwargs["authn_method"]
except:
authn_method = ""
resp = self.rs_query(resource, requestor, oper, **kwargs)
if resp.status_code == 200:
return Response(resp.text)
if resp.status_code == 401: # No RPT
as_uri = resp.headers["as_uri"]
resp = self.client.acquire_grant(as_uri, "RPT", requestor, state,
self.acr, authn_method)
return resp
# elif resp.status_code == 302: # which it should be
# # redirect that are part of the grant code flow
# headers = [(a, b) for a, b in resp.headers.items()
# if a != "location"]
# return Redirect(resp.headers["location"], headers=headers)
# elif resp.status_code == 200: # ???
# return Response(resp.text)
# else:
# return R2C[resp.status_code](resp.text)
if resp.status_code == 403: # Permission registered, got ticket
if state == "403": # loop ?
return {}
prr = PermissionRegistrationResponse().from_json(resp.text)
resp = self.client.authorization_data_request(requestor,
prr["ticket"])
if resp.status_code in (200, 201):
return self.operation(resource, requestor, oper, **kwargs)
raise UMAError()
def get_info(self, user, requestor, attrs=None, state="", **kwargs):
"""
:param user: user identifier
:param requestor: The entity_id of the SP that requests the information
:param attrs: which attributes to return
:param state: Where in the process am I
"""
# The real requestor is <user>@<sp_entity_id>
user_and_sp = "%s@%s" % (user, requestor)
resp = self.rs_query(user_and_sp, user, attrs)
args = {}
for attr in ["authn_method", "password"]:
try:
args[attr] = kwargs[attr]
except KeyError:
args[attr] = ""
if resp.status_code == 200:
return Response(resp.text)
if resp.status_code == 401: # No RPT
as_uri = resp.headers["as_uri"]
return self.client.acquire_grant(as_uri, "RPT", user_and_sp, state,
self.acr, **args)
#if isinstance(resp, Redirect): # which it should be
# redirect that are part of the grant code flow
# return resp
# elif resp.status_code == 200: # ???
# return Response(resp.text)
# else:
# return R2C[resp.status_code](resp.text)
if resp.status_code == 403: # Permission registered, got ticket
if state == "403": # loop ?
return {}
prr = PermissionRegistrationResponse().from_json(resp.text)
resp = self.client.authorization_data_request(
user_and_sp, prr["ticket"])
if resp.status_code in (200, 201):
return self.get_info(user, requestor, attrs, "403")
raise UMAError()
def permission_registration_endpoint_(self, request, **kwargs):
"""
The endpoint URI at which the resource server registers a
client-requested permission with the authorization server.
This is a proposed permission waiting for the user to accept it.
:param request: The permission registration request
:return: HTTP Response
"""
adb = self.get_adb(kwargs['client_id'])
prr = self.to_prr(request, kwargs['client_id'])
if prr:
_ticket = adb.ticket_factory.pack(aud=[kwargs['client_id']],
type='ticket')
logging.debug("Registering permission request: %s" % request)
adb.permission_requests[_ticket] = prr
resp = PermissionRegistrationResponse(ticket=_ticket)
return Created(resp.to_json(), content="application/json")
else:
return BadRequest("Can't register permission for unknown resource")
# The RS on the other hand registers the necessary permission at the AS
prrs = []
for rsid, scopes in pre_rpp:
prrs.append(
PermissionRegistrationRequest(resource_set_id=rsid,
scopes=scopes).to_dict())
pat = ressrv.rs_handler.token['PAT']
resp = authzsrv.permission_registration_endpoint(json.dumps(prrs),
'Bearer {}'.format(pat))
assert resp.status == "201 Created"
ticket = PermissionRegistrationResponse().from_json(resp.message)["ticket"]
# ============================== 4 ===========================================
# Crank up the client such that the relationship with the AS can be
# settled.
CLI_PORT = 8090
CLI_BASE = "https://localhost:%s" % CLI_PORT
UMA_CLIENT = UMAUserInfo(CLI_BASE, ["%s/authz_cb" % CLI_BASE],
"https://localhost:8089",
acr="BasicAuthn")
_uma_client = UMA_CLIENT.client
# uma_pcr same as in (1)
_uma_client.handle_provider_config(uma_pcr, authzsrv.baseurl, False, True)
ir = IntrospectionResponse().from_json(resp.message)
assert ir["active"] is True
assert "permissions" not in ir
# The RS registers an Authorization request
REQ_SCOPES = ["http://its.umu.se/uma/attr/displayName"]
prr = PermissionRegistrationRequest(resource_set_id=_rsid, scopes=REQ_SCOPES)
client, url, ht_args = ressrv.register_init(
RESOURCE_OWNER, "permission_registration_endpoint", prr, _rsid)
authninfo = ht_args["headers"]["Authorization"]
permresp = authzsrv.permission_registration_endpoint(prr.to_json(), authninfo)
created = PermissionRegistrationResponse().from_json(permresp.message)
_, kwargs = _uma_client.create_authorization_data_request(
USER, created["ticket"])
request = kwargs["data"]
authn_info = kwargs["headers"]["Authorization"]
res = authzsrv.authorization_request_endpoint(request, authn_info)
assert res.status == "200 OK"
# Now everything should be ready for accessing the resource
# The resource server will do an introspection of the RPT
_rpt = _uma_client.token[USER]["RPT"]
pat = ressrv.permreg.get(RESOURCE_OWNER, "pat")["access_token"]
