def test_authenticated(self): _session_db = {} cons = Consumer(_session_db, client_config=CLIENT_CONFIG, server_info=SERVER_INFO, **CONSUMER_CONFIG) sid, location = cons.begin("http://localhost:8087", "http://localhost:8088/authorization") resp = self.provider.authorization_endpoint(urlparse(location).query) assert resp.status == "303 See Other" resp = urlparse(resp.message).query with LogCapture(level=logging.DEBUG) as logcap: aresp = cons.handle_authorization_response(query=resp) assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss']) assert _eq(cons.grant[sid].keys(), ['tokens', 'code', 'exp_in', 'seed', 'id_token', 'grant_expiration_time']) state = aresp['state'] assert _eq(logcap.records[0].msg, '- authorization - code flow -') assert logcap.records[1].msg in expected_outcome( 'QUERY: ', ['state={}'.format(state), 'code=<REDACTED>', 'client_id=client1', 'iss=https%3A%2F%2Fexample.com%2Fas']) expected = {'iss': 'https://example.com/as', 'state': state, 'code': '<REDACTED>', 'client_id': 'client1'} # Eval here to avoid intermittent failures due to dict ordering assert _eq(eval(logcap.records[2].msg[29:-1]), expected) expected = ["'client_id': 'client1'", "'iss': 'https://example.com/as'", "'keyjar': <KeyJar(issuers=[])>"] assert _eq(sorted(logcap.records[3].msg[22:-1].split(', ')), expected)
def test_authenticated_token(self): _state, location = self.cons.begin("openid", response_type="token", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) parsed = parse_qs(urlparse(resp.message).fragment) assert parsed["token_type"][0] == "Bearer" assert "access_token" in parsed
def checkRoundtrips(self, url, parsed, split): result = urllib_parse.urlparse(url) self.assertEqual(result, parsed) t = (result.scheme, result.netloc, result.path, result.params, result.query, result.fragment) self.assertEqual(t, parsed) # put it back together and it should be the same result2 = urllib_parse.urlunparse(result) self.assertEqual(result2, url) self.assertEqual(result2, result.geturl()) # the result of geturl() is a fixpoint; we can always parse it # again to get the same result: result3 = urllib_parse.urlparse(result.geturl()) self.assertEqual(result3.geturl(), result.geturl()) self.assertEqual(result3, result) self.assertEqual(result3.scheme, result.scheme) self.assertEqual(result3.netloc, result.netloc) self.assertEqual(result3.path, result.path) self.assertEqual(result3.params, result.params) self.assertEqual(result3.query, result.query) self.assertEqual(result3.fragment, result.fragment) self.assertEqual(result3.username, result.username) self.assertEqual(result3.password, result.password) self.assertEqual(result3.hostname, result.hostname) self.assertEqual(result3.port, result.port) # check the roundtrip using urlsplit() as well result = urllib_parse.urlsplit(url) self.assertEqual(result, split) t = (result.scheme, result.netloc, result.path, result.query, result.fragment) self.assertEqual(t, split) result2 = urllib_parse.urlunsplit(result) self.assertEqual(result2, url) self.assertEqual(result2, result.geturl()) # check the fixpoint property of re-parsing the result of geturl() result3 = urllib_parse.urlsplit(result.geturl()) self.assertEqual(result3.geturl(), result.geturl()) self.assertEqual(result3, result) self.assertEqual(result3.scheme, result.scheme) self.assertEqual(result3.netloc, result.netloc) self.assertEqual(result3.path, result.path) self.assertEqual(result3.query, result.query) self.assertEqual(result3.fragment, result.fragment) self.assertEqual(result3.username, result.username) self.assertEqual(result3.password, result.password) self.assertEqual(result3.hostname, result.hostname) self.assertEqual(result3.port, result.port)
def test_issue14072(self): p1 = urllib_parse.urlsplit('tel:+31-641044153') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '+31-641044153') p2 = urllib_parse.urlsplit('tel:+31641044153') self.assertEqual(p2.scheme, 'tel') self.assertEqual(p2.path, '+31641044153') # assert the behavior for urlparse p1 = urllib_parse.urlparse('tel:+31-641044153') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '+31-641044153') p2 = urllib_parse.urlparse('tel:+31641044153') self.assertEqual(p2.scheme, 'tel') self.assertEqual(p2.path, '+31641044153')
def parse_discovery_service_request(self, url="", query=""): if url: part = urlparse(url) dsr = parse_qs(part[4]) elif query: dsr = parse_qs(query) else: dsr = {} # verify for key in ["isPassive", "return", "returnIDParam", "policy", 'entityID']: try: assert len(dsr[key]) == 1 dsr[key] = dsr[key][0] except KeyError: pass if "return" in dsr: part = urlparse(dsr["return"]) if part.query: qp = parse_qs(part.query) if "returnIDParam" in dsr: assert dsr["returnIDParam"] not in qp.keys() else: assert "entityID" not in qp.keys() else: # If metadata not used this is mandatory raise VerificationError("Missing mandatory parameter 'return'") if "policy" not in dsr: dsr["policy"] = IDPDISC_POLICY try: assert dsr["isPassive"] in ["true", "false"] except KeyError: pass if "isPassive" in dsr and dsr["isPassive"] == "true": dsr["isPassive"] = True else: dsr["isPassive"] = False if not "returnIDParam" in dsr: dsr["returnIDParam"] = "entityID" return dsr
def clean_domain(self): parsed = urlparse(self.cleaned_data['domain']) if parsed.scheme or parsed.netloc: domain_string = parsed.netloc else: domain_string = parsed.path return domain_string
def _parse_request(self, request, data, sformat, client_id=None): if sformat == "json": request = request().from_json(data) elif sformat == "jwt": request = request().from_jwt(data, keyjar=self.keyjar) elif sformat == "urlencoded": if '?' in data: parts = urlparse(data) scheme, netloc, path, params, query, fragment = parts[:6] else: query = data request = request().from_urlencoded(query) else: raise ParseError("Unknown package format: '%s'" % sformat, request) # get the verification keys if client_id: keys = self.keyjar.verify_keys(client_id) sender = client_id else: try: keys = self.keyjar.verify_keys(request["client_id"]) sender = request['client_id'] except KeyError: keys = None sender = '' logger.debug("verify keys: {}".format(keys)) request.verify(key=keys, keyjar=self.keyjar, sender=sender) return request
def url_compare(url1, url2): url1 = urlparse(url1) url2 = urlparse(url2) if url1.scheme != url2.scheme: return False if url1.netloc != url2.netloc: return False if url1.path != url2.path: return False if not query_string_compare(url1.query, url2.query): return False if not query_string_compare(url1.fragment, url2.fragment): return False return True
def parse_resource(resource): """ :param resource: :return: A tuple: op_id and test_id """ p = urlparse(resource) if p[0] == 'acct': loc, dom = p[2].split('@', 1) # Should I check the domain part ? _x = loc.split('.') if len(_x) == 2: return _x elif len(_x) > 2: return '.'.join(_x[0:-1]), _x[-1] else: raise ValueError('Need both op_id and test_id, got {}'.format(_x)) elif p[0] in ['http', 'https']: _x = p[2][1:].split('/') # skip leading '/' if len(_x) >= 2: return _x[:2] # only return the first two parts else: _txt = 'Need both op_id and test_id, got {}'.format(_x) logger.error(_txt) raise ValueError(_txt) else: return None
def test_complete_auth_token(self): _state = "state0" self.consumer.consumer_config["response_type"] = ["code", "token"] args = { "client_id": self.consumer.client_id, "response_type": self.consumer.consumer_config["response_type"], "scope": ["openid"], } result = self.consumer.do_authorization_request(state=_state, request_args=args) self.consumer._backup("state0") assert result.status_code == 302 parsed = urlparse(result.headers["location"]) baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path) assert baseurl == self.consumer.redirect_uris[0] part = self.consumer.parse_authz(query=parsed.query) auth = part[0] acc = part[1] assert part[2] is None assert isinstance(auth, AuthorizationResponse) assert isinstance(acc, AccessTokenResponse) print(auth.keys()) assert _eq(auth.keys(), ['code', 'access_token', 'token_type', 'state', 'client_id', 'scope']) assert _eq(acc.keys(), ['token_type', 'state', 'access_token', 'scope'])
def migrate_url(apps, schema_editor): Domain = apps.get_model("projects", "Domain") Domain.objects.filter(count=0).delete() for domain in Domain.objects.all(): if domain.project.superprojects.count() or domain.project.main_language_project: print("{project} is a subproject or translation. Deleting domain.".format( project=domain.project.slug)) domain.delete() continue parsed = urlparse(domain.url) if parsed.scheme or parsed.netloc: domain_string = parsed.netloc else: domain_string = parsed.path try: domain.domain = domain_string domain.save() print(u"Added {domain} from {url}".format(url=domain.url, domain=domain_string)) except Exception as e: print(e) print(u"Failed {domain} from {url}".format(url=domain.url, domain=domain_string)) dms = Domain.objects.filter(domain=domain_string).order_by('-count') if dms.count() > 1: for dm in list(dms)[1:]: dm.delete()
def login_hint(oper, args): """ Context: AsyncAuthn Action: Sets the request argument 'login_hint' to a value picked from the configuration. Example: "login_hint": null :param oper: :param args: :return: """ _iss = oper.conv.entity.provider_info["issuer"] p = urlparse(_iss) _default = "buffy@%s" % p.netloc try: hint = oper.conv.get_tool_attribute("login_hint") except KeyError: hint = _default else: if hint is None: hint = _default # elif "@" not in hint: # hint = "%s@%s" % (hint, p.netloc) oper.req_args["login_hint"] = hint
def __call__(self, value): allow_private_repos = getattr(settings, 'ALLOW_PRIVATE_REPOS', False) public_schemes = ['https', 'http', 'git', 'ftps', 'ftp'] private_schemes = ['ssh', 'ssh+git'] valid_schemes = public_schemes if allow_private_repos: valid_schemes += private_schemes url = urlparse(value) # Malicious characters go first if '&&' in value or '|' in value: raise ValidationError(_('Invalid character in the URL')) elif url.scheme in valid_schemes: return value # Repo URL is not a supported scheme at this point, but there are # several cases where we might support it # Launchpad elif value.startswith('lp:'): return value # Relative paths are conditionally supported elif value.startswith('.') and not self.disallow_relative_url: return value # SSH cloning and ``[email protected]:user/project.git`` elif self.re_git_user.search(value) or url.scheme in private_schemes: if allow_private_repos: return value else: # Throw a more helpful error message raise ValidationError('Manual cloning via SSH is not supported') # No more valid URLs without supported URL schemes raise ValidationError(_('Invalid scheme for URL'))
def __call__(self): # find the name of the file to which the JWKS should be written try: _uri = self.conv.entity.registration_response["jwks_uri"] except KeyError: raise RequirementsNotMet("No dynamic key handling") r = urlparse(_uri) # find the old key for this key usage and mark that as inactive for kb in self.conv.entity.keyjar.issuer_keys[""]: for key in list(kb.keys()): if key.use in self.new_key["use"]: key.inactive = True kid = 0 # only one key _nk = self.new_key _typ = _nk["type"].upper() if _typ == "RSA": kb = KeyBundle(source="file://%s" % _nk["key"], fileformat="der", keytype=_typ, keyusage=_nk["use"]) else: kb = {} for k in list(kb.keys()): k.serialize() k.kid = self.kid_template % kid kid += 1 self.conv.entity.kid[k.use][k.kty] = k.kid self.conv.entity.keyjar.add_kb("", kb) dump_jwks(self.conv.entity.keyjar[""], r.path[1:])
def __init__(self, rememberer_name, config, saml_client, wayf, cache, sid_store=None, discovery="", idp_query_param="", sid_store_cert=None, ): self.rememberer_name = rememberer_name self.wayf = wayf self.saml_client = saml_client self.conf = config self.cache = cache self.discosrv = discovery self.idp_query_param = idp_query_param self.logout_endpoints = [urlparse(ep)[2] for ep in config.endpoint( "single_logout_service")] try: self.metadata = self.conf.metadata except KeyError: self.metadata = None if sid_store: self.outstanding_queries = shelve.open(sid_store, writeback=True, protocol=2) else: self.outstanding_queries = {} if sid_store_cert: self.outstanding_certs = shelve.open(sid_store_cert, writeback=True, protocol=2) else: self.outstanding_certs = {} self.iam = platform.node()
def test_begin_file(self, tmpdir): path = tmpdir.strpath self.consumer.consumer_config["request_method"] = "file" self.consumer.consumer_config["temp_dir"] = path self.consumer.consumer_config["temp_path"] = path self.consumer.consumer_config["authz_page"] = "/authz" srv = Server() srv.keyjar = SRVKEYS sid, location = self.consumer.begin("openid", "code", path="http://localhost:8087") with responses.RequestsMock() as rsps: p = urlparse(self.consumer.request_uri) rsps.add(rsps.GET, self.consumer.request_uri, body=open(p.path).read(), status=200, content_type='application/urlencoded') authreq = srv.parse_authorization_request(url=location) assert _eq(list(authreq.keys()), ['max_age', 'state', 'redirect_uri', 'response_type', 'client_id', 'scope', 'claims']) assert authreq["state"] == sid assert authreq["scope"] == self.consumer.consumer_config["scope"] assert authreq["client_id"] == self.consumer.client_id assert authreq["redirect_uri"].startswith( "http://localhost:8087/authz")
def test_complete_secret_auth(self): _state = "state0" del self.consumer.consumer_config["password"] args = { "client_id": self.consumer.client_id, "response_type": "code", "scope": ["openid"], } result = self.consumer.do_authorization_request(state=_state, request_args=args) assert result.status_code == 302 parsed = urlparse(result.headers["location"]) baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path) assert baseurl == self.consumer.redirect_uris[0] self.consumer.parse_response(AuthorizationResponse, info=parsed.query, sformat="urlencoded") resp = self.consumer.complete(_state) assert isinstance(resp, AccessTokenResponse) assert _eq(resp.keys(), ['token_type', 'state', 'access_token', 'scope']) assert resp["state"] == _state
def test_userinfo(self): _state = "state0" args = { "client_id": self.consumer.client_id, "response_type": "code", "scope": ["openid"], } result = self.consumer.do_authorization_request(state=_state, request_args=args) assert result.status_code == 302 parsed = urlparse(result.headers["location"]) baseurl = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path) assert baseurl == self.consumer.redirect_uris[0] self.consumer.parse_response(AuthorizationResponse, info=parsed.query, sformat="urlencoded") self.consumer.complete(_state) result = self.consumer.get_user_info(_state) assert isinstance(result, OpenIDSchema) assert _eq(result.keys(), ['name', 'email', 'verified', 'nickname', 'sub'])
def test_token_endpoint_auth(self): state, location = self.cons.begin("openid", "code", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) aresp = self.cons.parse_response(AuthorizationResponse, resp.message, sformat="urlencoded") # Construct Access token request areq = self.cons.construct_AccessTokenRequest( redirect_uri="http://example.com/authz", client_id="client_1", client_secret='abcdefghijklmnop', state=state) txt = areq.to_urlencoded() self.cons.client_secret='drickyoughurt' csb = ClientSecretBasic(self.cons) http_args = csb.construct(areq) resp = self.provider.token_endpoint(request=txt, remote_user="******", request_method="POST", authn=http_args['headers'][ 'Authorization']) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr["token_type"] == 'Bearer'
def test_sign_userinfo(self): _state = "state0" self.consumer.client_prefs = {"userinfo_signed_response_alg": "RS256"} self.consumer.provider_info = { "userinfo_endpoint": "http://localhost:8088/userinfo", "issuer": "http://localhost:8088/"} del self.consumer.consumer_config["request_method"] args = { "client_id": self.consumer.client_id, "response_type": "code", "scope": ["openid"], } self.consumer.begin("openid", "code") result = self.consumer.do_authorization_request(state=_state, request_args=args) parsed = urlparse(result.headers["location"]) self.consumer.parse_response(AuthorizationResponse, info=parsed.query, sformat="urlencoded") self.consumer.complete(_state) result = self.consumer.get_user_info(_state) assert isinstance(result, OpenIDSchema) assert _eq(result.keys(), ['name', 'email', 'verified', 'nickname', 'sub'])
def test_authenticated_hybrid(self): _state, location = self.cons.begin( scope="openid email claims_in_id_token", response_type="code id_token", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) part = self.cons.parse_authz(resp.message) aresp = part[0] assert part[1] is None assert part[2] is not None assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['scope', 'state', 'code', 'id_token']) assert _eq(self.cons.grant[_state].keys(), ['code', 'id_token', 'tokens', 'exp_in', 'grant_expiration_time', 'seed']) id_token = part[2] assert isinstance(id_token, IdToken) assert _eq(id_token.keys(), ['nonce', 'c_hash', 'sub', 'iss', 'acr', 'exp', 'auth_time', 'iat', 'aud'])
def set_webfinger_resource(oper, args): """ Context: WebFinger Query Action: Specifies the webfinger resource. If the OP supports webfinger queries then the resource is set to the value of 'webfinger_url' or 'webfinger_email' from the test instance configuration. :param oper: An WebFinger instance :param args: None or a dictionary with the key 'pattern' """ try: oper.resource = oper.op_args["resource"] except KeyError: if oper.dynamic: if args: _p = urlparse(get_issuer(oper.conv)) oper.op_args["resource"] = args["pattern"].format( test_id=oper.conv.test_id, host=_p.netloc, oper_id=oper.conv.operator_id) else: _base = oper.sh.tool_conf['issuer'] if oper.conv.operator_id is None: oper.resource = _base else: oper.resource = os.path.join(_base, oper.conv.operator_id, oper.conv.test_id)
def find_identifier(uri): if uri.startswith("http"): p = urlparse(uri) return p.path[1:] # Skip leading "/" elif uri.startswith("acct:"): a = uri[5:] l, d = a.split("@") return l
def test_authenticated(self): client = Client(**CLIENT_CONFIG) client.authorization_endpoint = "https://example.com/as" sid = rndstr(8) args = {"redirect_uri": "http://localhost:8087/authz", "state": sid, "response_type": "code"} url, body, ht_args, csi = client.request_info(AuthorizationRequest, "GET", request_args=args) resp = self.provider.authorization_endpoint(urlparse(url).query) assert resp.status == "302 Found" resp = urlparse(resp.message).query aresp = client.parse_authz_response(resp) assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ["state", "code", "client_id", "iss"]) assert _eq(client.grant[sid].keys(), ["tokens", "code", "exp_in", "seed", "id_token", "grant_expiration_time"])
def parse_url_request(request, url=None, query=None): if url: parts = urlparse(url) scheme, netloc, path, params, query, fragment = parts[:6] req = request().deserialize(query, "urlencoded") req.verify() return req
def test_attributes_bad_port(self): """Check handling of non-integer ports.""" p = urllib_parse.urlsplit("http://www.example.net:foo") self.assertEqual(p.netloc, "www.example.net:foo") self.assertRaises(ValueError, lambda: p.port) p = urllib_parse.urlparse("http://www.example.net:foo") self.assertEqual(p.netloc, "www.example.net:foo") self.assertRaises(ValueError, lambda: p.port) # Once again, repeat ourselves to test bytes p = urllib_parse.urlsplit(b"http://www.example.net:foo") self.assertEqual(p.netloc, b"www.example.net:foo") self.assertRaises(ValueError, lambda: p.port) p = urllib_parse.urlparse(b"http://www.example.net:foo") self.assertEqual(p.netloc, b"www.example.net:foo") self.assertRaises(ValueError, lambda: p.port)
def save(self, *args, **kwargs): # pylint: disable=arguments-differ from readthedocs.projects import tasks parsed = urlparse(self.domain) if parsed.scheme or parsed.netloc: self.domain = parsed.netloc else: self.domain = parsed.path super(Domain, self).save(*args, **kwargs) broadcast(type='app', task=tasks.symlink_domain, args=[self.project.pk, self.pk])
def include(url, test_id): p = urlparse(url) if p.path[1:].startswith(test_id): if len(p.path[1:].split("/")) <= 1: return os.path.join(url, "_/_/_/normal") else: return url return "%s://%s/%s%s_/_/_/normal" % (p.scheme, p.netloc, test_id, p.path)
def test_authenticated(self): _session_db = {} cons = Consumer(_session_db, client_config=CLIENT_CONFIG, server_info=SERVER_INFO, **CONSUMER_CONFIG) sid, location = cons.begin("http://localhost:8087", "http://localhost:8088/authorization") resp = self.provider.authorization_endpoint(urlparse(location).query) assert resp.status == "303 See Other" resp = urlparse(resp.message).query aresp = cons.handle_authorization_response(query=resp) assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss']) assert _eq(cons.grant[sid].keys(), ['tokens', 'code', 'exp_in', 'seed', 'id_token', 'grant_expiration_time'])
def _verify_redirect_uri(self, areq): """ MUST NOT contain a fragment MAY contain query component :return: An error response if the redirect URI is faulty otherwise None """ try: _redirect_uri = unquote(areq["redirect_uri"]) part = urlparse(_redirect_uri) if part.fragment: raise URIError("Contains fragment") (_base, _query) = splitquery(_redirect_uri) if _query: _query = parse_qs(_query) match = False for regbase, rquery in self.cdb[str(areq["client_id"])][ "redirect_uris"]: if _base == regbase or _redirect_uri.startswith(regbase): # every registered query component must exist in the # redirect_uri if rquery: for key, vals in rquery.items(): assert key in _query for val in vals: assert val in _query[key] # and vice versa, every query component in the redirect_uri # must be registered if _query: if rquery is None: raise ValueError for key, vals in _query.items(): assert key in rquery for val in vals: assert val in rquery[key] match = True break if not match: raise RedirectURIError("Doesn't match any registered uris") # ignore query components that are not registered return None except Exception as err: logger.error("Faulty redirect_uri: %s" % areq["redirect_uri"]) try: _cinfo = self.cdb[str(areq["client_id"])] except KeyError: logger.info("Unknown client: %s" % areq["client_id"]) raise UnknownClient(areq["client_id"]) else: logger.info("Registered redirect_uris: %s" % _cinfo) raise RedirectURIError( "Faulty redirect_uri: %s" % areq["redirect_uri"])
def get_urlinfo(self, info): if '?' in info or '#' in info: parts = urlparse(info) scheme, netloc, path, params, query, fragment = parts[:6] # either query of fragment if query: info = query else: info = fragment return info
def test_authenticated_none(self): _state, location = self.cons.begin("openid", response_type="none", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=location.split("?")[1]) parsed = urlparse(resp.message) assert "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path) == "http://localhost:8087/authz" assert "state" in parse_qs(parsed.query)
def test_userinfo_endpoint(self): self.cons.client_secret = "drickyoughurt" self.cons.config["response_type"] = ["token"] self.cons.config["request_method"] = "parameter" state, location = self.cons.begin("openid", "token", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) # redirect atr = AuthorizationResponse().deserialize( urlparse(resp.message).fragment, "urlencoded") uir = UserInfoRequest(access_token=atr["access_token"], schema="openid") resp = self.provider.userinfo_endpoint(request=uir.to_urlencoded()) ident = OpenIDSchema().deserialize(resp.message, "json") assert _eq(ident.keys(), ['nickname', 'sub', 'name', 'email'])
def update_url_with_kwargs(url, **kwargs): if not url: return url_parts = list(urlparse(url)) query = dict(parse_qsl(url_parts[4])) query.update(kwargs) url_parts[4] = urlencode(query) return urlunparse(url_parts)
def test_authenticated(self): _session_db = {} cons = Consumer(_session_db, client_config=CLIENT_CONFIG, server_info=SERVER_INFO, **CONSUMER_CONFIG) sid, location = cons.begin("http://localhost:8087", "http://localhost:8088/authorization") resp = self.provider.authorization_endpoint(urlparse(location).query) assert resp.status == "303 See Other" resp = urlparse(resp.message).query with LogCapture(level=logging.DEBUG) as logcap: aresp = cons.handle_authorization_response(query=resp) assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss']) assert _eq(cons.grant[sid].keys(), [ 'tokens', 'code', 'exp_in', 'seed', 'id_token', 'grant_expiration_time' ]) state = aresp['state'] assert _eq(logcap.records[0].msg, '- authorization - code flow -') assert verify_outcome(logcap.records[1].msg, 'QUERY: ', [ 'state={}'.format(state), 'code=<REDACTED>', 'client_id=client1', 'iss=https://example.com/as' ]) expected = { 'iss': 'https://example.com/as', 'state': state, 'code': '<REDACTED>', 'client_id': 'client1' } # Eval here to avoid intermittent failures due to dict ordering assert _eq(eval(logcap.records[2].msg[29:-1]), expected) expected = [ "'client_id': 'client1'", "'iss': 'https://example.com/as'", "'keyjar': <KeyJar(issuers=[])>" ] assert _eq(sorted(logcap.records[3].msg[22:-1].split(', ')), expected)
def save(self, *args, **kwargs): # pylint: disable=arguments-differ from readthedocs.projects import tasks parsed = urlparse(self.domain) if parsed.scheme or parsed.netloc: self.domain = parsed.netloc else: self.domain = parsed.path super(Domain, self).save(*args, **kwargs) broadcast(type='app', task=tasks.symlink_domain, args=[self.project.pk, self.pk],)
def wait(self, url): domain = urlparse(url).netloc last_accessed = self.domains.get(domain) if self.delay > 0 and last_accessed is not None: sleep_secs = self.delay - (datetime.datetime.now() - last_accessed).seconds if sleep_secs > 0: time.sleep(sleep_secs) self.domains[domain] = datetime.datetime.now()
def get_urlinfo(info): # If info is a whole URL pick out the query or fragment part if '?' in info or '#' in info: parts = urlparse(info) scheme, netloc, path, params, query, fragment = parts[:6] # either query of fragment if query: info = query else: info = fragment return info
def parse_url_request(request, url=None, query=None): if url: parts = urlparse(url) scheme, netloc, path, params, query, fragment = parts[:6] if isinstance(query, dict): req = request(**query) else: req = request().deserialize(query, "urlencoded") req.verify() return req
def test_telurl_params(self): p1 = urllib_parse.urlparse('tel:123-4;phone-context=+1-650-516') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '123-4') self.assertEqual(p1.params, 'phone-context=+1-650-516') p1 = urllib_parse.urlparse('tel:+1-201-555-0123') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '+1-201-555-0123') self.assertEqual(p1.params, '') p1 = urllib_parse.urlparse('tel:7042;phone-context=example.com') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '7042') self.assertEqual(p1.params, 'phone-context=example.com') p1 = urllib_parse.urlparse('tel:863-1234;phone-context=+1-914-555') self.assertEqual(p1.scheme, 'tel') self.assertEqual(p1.path, '863-1234') self.assertEqual(p1.params, 'phone-context=+1-914-555')
def test_authorization_endpoint_id_token(self): bib = { "scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code", "id_token"], "client_id": "a1b2c3", "nonce": "Nonce", "prompt": ["none"] } req = AuthorizationRequest(**bib) areq = AuthorizationRequest(response_type="code", client_id="client_1", redirect_uri="http://example.com/authz", scope=["openid"], state="state000") sdb = self.provider.sdb ae = AuthnEvent("userX", "salt") sid = sdb.create_authz_session(ae, areq) sdb.do_sub(sid, "client_salt") _info = sdb[sid] # All this is jut removed when the id_token is constructed # The proper information comes from the session information _user_info = IdToken(iss="https://foo.example.om", sub="foo", aud=bib["client_id"], exp=epoch_in_a_while(minutes=10), acr="2", nonce=bib["nonce"]) idt = self.provider.id_token_as_signed_jwt(_info, access_token="access_token", user_info=_user_info) req["id_token"] = idt query_string = req.to_urlencoded() # client_id not in id_token["aud"] so login required resp = self.provider.authorization_endpoint(request=query_string, cookie="FAIL") parsed_resp = parse_qs(urlparse(resp.message).fragment) assert parsed_resp["error"][0] == "login_required" req["client_id"] = "client_1" query_string = req.to_urlencoded() # client_id is in id_token["aud"] so no login required resp = self.provider.authorization_endpoint(request=query_string, cookie="FAIL") assert resp.message.startswith("http://localhost:8087/authz")
def replace_host(url, host): """ 将一个url的host替换成为目标host, 生成新的url. :param url: :param host: :return: """ if url is None: return '' pr = urlparse(url) r = pr._replace(netloc=host) return r.geturl()
def test_authenticated_url(self): state, location = self.cons.begin("openid", "code", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) aresp = self.cons.parse_response(AuthorizationResponse, resp.message, sformat="urlencoded") assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['code', 'state', 'scope', 'client_id', 'iss'])
def sign_http_args(method, url, headers, body=''): p = urlparse(url) kwargs = {'path': p.path, 'host': p.netloc, 'headers': headers, 'method': method} if body: kwargs['body'] = body query_params = compact(parse_qs(p.query)) kwargs['query_params'] = query_params return kwargs
def login_hint(oper, args): _iss = oper.conv.entity.provider_info["issuer"] p = urlparse(_iss) try: hint = oper.conv.get_tool_attribute("login_hint") except KeyError: hint = "buffy@%s" % p.netloc else: if "@" not in hint: hint = "%s@%s" % (hint, p.netloc) oper.req_args["login_hint"] = hint
def pack_redirect_uri(redirect_uris): ruri = [] for uri in redirect_uris: if urlparse(uri).fragment: print("Faulty redirect uri, contains fragment", file=sys.stderr) base, query = splitquery(uri) if query: ruri.append([base, parse_qs(query)]) else: ruri.append([base, query]) return ruri
def test_attributes_without_netloc(self): # This example is straight from RFC 3261. It looks like it # should allow the username, hostname, and port to be filled # in, but doesn't. Since it's a URI and doesn't use the # scheme://netloc syntax, the netloc and related attributes # should be left empty. uri = "sip:[email protected];maddr=239.255.255.1;ttl=15" p = urllib_parse.urlsplit(uri) self.assertEqual(p.netloc, "") self.assertEqual(p.username, None) self.assertEqual(p.password, None) self.assertEqual(p.hostname, None) self.assertEqual(p.port, None) self.assertEqual(p.geturl(), uri) p = urllib_parse.urlparse(uri) self.assertEqual(p.netloc, "") self.assertEqual(p.username, None) self.assertEqual(p.password, None) self.assertEqual(p.hostname, None) self.assertEqual(p.port, None) self.assertEqual(p.geturl(), uri) # You guessed it, repeating the test with bytes input uri = b"sip:[email protected];maddr=239.255.255.1;ttl=15" p = urllib_parse.urlsplit(uri) self.assertEqual(p.netloc, b"") self.assertEqual(p.username, None) self.assertEqual(p.password, None) self.assertEqual(p.hostname, None) self.assertEqual(p.port, None) self.assertEqual(p.geturl(), uri) p = urllib_parse.urlparse(uri) self.assertEqual(p.netloc, b"") self.assertEqual(p.username, None) self.assertEqual(p.password, None) self.assertEqual(p.hostname, None) self.assertEqual(p.port, None) self.assertEqual(p.geturl(), uri)
def test_authorization_endpoint_bad_scope(self): bib = {"scope": ["openid", "offline_access"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) assert resp.status == "303 See Other" parsed = parse_qs(urlparse(resp.message).query) assert parsed["error"][0] == "invalid_request" assert parsed["error_description"][0] == "consent in prompt"
def test_authenticated(self): client = Client(**CLIENT_CONFIG) client.authorization_endpoint = 'https://example.com/as' sid = rndstr(8) args = { 'redirect_uri': "http://localhost:8087/authz", "state": sid, "response_type": 'code'} url, body, ht_args, csi = client.request_info( AuthorizationRequest, 'GET', request_args=args) resp = self.provider.authorization_endpoint(urlparse(url).query) assert resp.status == "303 See Other" resp = urlparse(resp.message).query aresp = client.parse_authz_response(resp) assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['state', 'code', 'client_id', 'iss']) assert _eq(client.grant[sid].keys(), ['tokens', 'code', 'exp_in', 'seed', 'id_token', 'grant_expiration_time'])
def test_portseparator(self): # Issue 754016 makes changes for port separator ':' from scheme separator self.assertEqual(urllib_parse.urlparse("path:80"), ('','','path:80','','','')) self.assertEqual(urllib_parse.urlparse("http:"),('http','','','','','')) self.assertEqual(urllib_parse.urlparse("https:"),('https','','','','','')) self.assertEqual(urllib_parse.urlparse("http://www.python.org:80"), ('http','www.python.org:80','','','','')) # As usual, need to check bytes input as well self.assertEqual(urllib_parse.urlparse(b"path:80"), (b'',b'',b'path:80',b'',b'',b'')) self.assertEqual(urllib_parse.urlparse(b"http:"),(b'http',b'',b'',b'',b'',b'')) self.assertEqual(urllib_parse.urlparse(b"https:"),(b'https',b'',b'',b'',b'',b'')) self.assertEqual(urllib_parse.urlparse(b"http://www.python.org:80"), (b'http',b'www.python.org:80',b'',b'',b'',b''))
def test_authenticated(self): _state, location = self.cons.begin("openid", "code", path="http://localhost:8087") resp = self.provider.authorization_endpoint( request=urlparse(location).query) parsed = urlparse(resp.message) assert "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path) == "http://localhost:8087/authz" part = self.cons.parse_authz(query=resp.message) aresp = part[0] assert part[1] is None assert part[2] is None assert isinstance(aresp, AuthorizationResponse) assert _eq(aresp.keys(), ['code', 'state', 'scope', 'client_id', 'iss']) assert _eq(self.cons.grant[_state].keys(), ['code', 'tokens', 'id_token', 'exp_in', 'seed', 'grant_expiration_time'])
def test_mixed_types_rejected(self): # Several functions that process either strings or ASCII encoded bytes # accept multiple arguments. Check they reject mixed type input with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlparse("www.python.org", b"http") with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlparse(b"www.python.org", "http") with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlsplit("www.python.org", b"http") with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlsplit(b"www.python.org", "http") with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlunparse(( b"http", "www.python.org","","","","")) with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlunparse(("http", b"www.python.org","","","","")) with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlunsplit((b"http", "www.python.org","","","")) with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urlunsplit(("http", b"www.python.org","","","")) with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urljoin("http://python.org", b"http://python.org") with self.assertRaisesRegex(TypeError, "Cannot mix str"): urllib_parse.urljoin(b"http://python.org", "http://python.org")
def decide_if_cors(sender, request, **kwargs): # pylint: disable=unused-argument """ Decide whether a request should be given CORS access. This checks that: * The URL is whitelisted against our CORS-allowed domains * The Domain exists in our database, and belongs to the project being queried. Returns True when a request should be given CORS access. """ if 'HTTP_ORIGIN' not in request.META: return False host = urlparse(request.META['HTTP_ORIGIN']).netloc.split(':')[0] # Don't do domain checking for this API for now if request.path_info.startswith('/api/v2/sustainability'): return True # Don't do domain checking for APIv2 when the Domain is known if request.path_info.startswith('/api/v2/') and request.method in SAFE_METHODS: domain = Domain.objects.filter(domain__icontains=host) if domain.exists(): return True valid_url = False for url in WHITELIST_URLS: if request.path_info.startswith(url): valid_url = True break if valid_url: project_slug = request.GET.get('project', None) try: project = Project.objects.get(slug=project_slug) except Project.DoesNotExist: log.warning( 'Invalid project passed to domain. [%s:%s]', project_slug, host, ) return False domain = Domain.objects.filter( Q(domain__icontains=host), Q(project=project) | Q(project__subprojects__child=project), ) if domain.exists(): return True return False
def main_setup(log): from oidctest import profiles from oidctest import oper parser = argparse.ArgumentParser() parser.add_argument('-f', dest='flows') parser.add_argument('-l', dest="log_name") parser.add_argument('-p', dest="profile") parser.add_argument(dest="config") cargs = parser.parse_args() if "/" in cargs.flows: head, tail = os.path.split(cargs.flows) sys.path.insert(0, head) FLOWS = importlib.import_module(tail) else: FLOWS = importlib.import_module(cargs.flows) CONF = importlib.import_module(cargs.config) if cargs.log_name: setup_logger(log, cargs.log_name) else: setup_logger(log) # Add own keys for signing/encrypting JWTs try: jwks, keyjar, kidd = build_keyjar(CONF.keys) except KeyError: raise else: # export JWKS p = urlparse(CONF.KEY_EXPORT_URL) with open("." + p.path, "w") as f: f.write(json.dumps(jwks)) jwks_uri = p.geturl() return { "base_url": CONF.BASE, "kidd": kidd, "jwks_uri": jwks_uri, "flows": FLOWS.FLOWS, "conf": CONF, "cinfo": CONF.INFO, "orddesc": FLOWS.ORDDESC, "profiles": profiles, "operations": oper, "profile": cargs.profile }
def resource(oper, args): """ Context: Action: Example: :param oper: :param args: :return: """ _p = urlparse(get_issuer(oper.conv)) oper.op_args["resource"] = args["pattern"].format( test_id=oper.conv.test_id, host=_p.netloc, oper_id=oper.conv.operator_id)
def test_authorization_endpoint(self): bib = {"scope": ["openid"], "state": "id-6da9ca0cc23959f5f33e8becd9b08cae", "redirect_uri": "http://localhost:8087/authz", "response_type": ["code"], "client_id": "a1b2c3", "nonce": "Nonce"} arq = AuthorizationRequest(**bib) resp = self.provider.authorization_endpoint(request=arq.to_urlencoded()) parsed = parse_qs(urlparse(resp.message).query) assert parsed["scope"] == ["openid"] assert parsed["state"][0] == "id-6da9ca0cc23959f5f33e8becd9b08cae" assert "code" in parsed
def test_authenticated_token(self): _session_db = {} cons = Consumer(_session_db, client_config=CLIENT_CONFIG, server_info=SERVER_INFO, **CONSUMER_CONFIG) sid, location = cons.begin("http://localhost:8087", "http://localhost:8088/authorization", "token") QUERY_STRING = location.split("?")[1] resp = self.provider.authorization_endpoint(QUERY_STRING) auth_resp = parse_qs(urlparse(resp.message).fragment) assert "access_token" in auth_resp assert auth_resp["token_type"][0] == "Bearer"
def get_base(base): """ Make sure a '/' terminated URL is returned """ part = urlparse(base) if part.path: if not part.path.endswith("/"): _path = part.path[:] + "/" else: _path = part.path[:] else: _path = "/" return "%s://%s%s" % (part.scheme, part.netloc, _path,)
def test_unparse_parse(self): str_cases = [ 'Python', './Python', 'x-newscheme://foo.com/stuff', 'x://y', 'x:/y', 'x:/', '/', ] bytes_cases = [x.encode('ascii') for x in str_cases] for u in str_cases + bytes_cases: self.assertEqual(urllib_parse.urlunsplit(urllib_parse.urlsplit(u)), u) self.assertEqual(urllib_parse.urlunparse(urllib_parse.urlparse(u)), u)
def verify(self, **kwargs): if "initiate_login_uri" in self and not self[ "initiate_login_uri"].startswith("https:"): raise RegistrationError('initiate_login_uri is not https') if "redirect_uris" in self: for uri in self["redirect_uris"]: if urlparse(uri).fragment: raise InvalidRedirectUri( "redirect_uri contains fragment: %s" % uri) for uri in ["client_uri", "logo_uri", "tos_uri", "policy_uri"]: if uri in self: try: resp = requests.request("GET", str(self[uri]), allow_redirects=True, verify=False) except requests.ConnectionError: raise MissingPage(self[uri]) if resp.status_code not in SUCCESSFUL: raise MissingPage(self[uri]) # if "grant_types" in self and "response_types" in self: # for typ in self["grant_types"]: # if typ == "authorization_code": # assert "code" in self["response_types"] # elif typ == "implicit": # assert "token" in self["response_types"] try: ss = self['software_statement'] except KeyError: pass else: # need to get the client keys before I can verify any signature # kj = kwargs['keyjar'] # The case where jwks_uri is used # try: # kj.add(,self['jwks_uri']) _ss = [] for _s in ss: _ss.append(unpack_software_statement(_s, '', kwargs['keyjar'])) self['__software_statement'] = _ss return super(RegistrationRequest, self).verify(**kwargs)