def as_setup(jconf): _module = importlib.import_module('oic.utils.authn.user') ab = AuthnBroker() for _id, authn in jconf["authn"].items(): cls = getattr(_module, authn["class"]) if "template_lookup" in authn["kwargs"]: authn["kwargs"]["template_lookup"] = lookup(jconf["template_root"]) ci = cls(None, **authn["kwargs"]) ab.add(_id, ci, authn["level"], authn["authn_authority"]) _base = jconf["configuration"]["issuer"] cauth = dict([(x, CLIENT_AUTHN_METHOD[x]) for x in jconf["client_auth_methods"]]) return { "name": _base, "sdb": {}, "cdb": {}, "authn_broker": ab, "authz": Implicit("PERMISSION"), "client_authn": verify_client, "symkey": "1234567890123456", "client_authn_methods": cauth, "client_info_url": jconf["client_info_url"], "default_acr": jconf["default_acr"], "keyjar": None }
def create_authn_broker(config, lookup, password): ac = AuthnBroker() end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", lookup, password, "%sauthorization" % config.issuer, None, full_end_point_paths) for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][ PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(username_password_authn, PASSWORD_END_POINT_INDEX) APP.add_url_rule("/{}".format(end_point), end_point, make_auth_verify(authn.verify), methods=['GET', 'POST']) if "JavascriptLogin" == authkey: pass if "SAML" == authkey: pass if "SamlPass" == authkey: pass if "JavascriptPass" == authkey: pass if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"], "") return ac
def test_pkce_verify_256(self, session_db_factory): _cli = Client( config={"code_challenge": { "method": "S256", "length": 64 }}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider( "as", session_db_factory("https://connect-op.heroku.com"), {}, authn_broker, Implicit(), verify_client, ) assert _prov.verify_code_challenge(cv, args["code_challenge"]) is True assert _prov.verify_code_challenge(cv, args["code_challenge"], "S256") is True resp = _prov.verify_code_challenge("XXX", args["code_challenge"]) assert isinstance(resp, Response) assert resp.info()["status_code"] == 401
def test_pkce_verify_512(): _cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider("as", sdb.SessionDB(SERVER_INFO["issuer"]), CDB, authn_broker, Implicit(), verify_client) assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S512') is True
def setup_authentication_methods(authn_config, template_env): """Add all authentication methods specified in the configuration.""" routing = {} ac = AuthnBroker() for authn_method in authn_config: cls = make_cls_from_name(authn_method["class"]) instance = cls(template_env=template_env, **authn_method["kwargs"]) ac.add(authn_method["acr"], instance) routing[instance.url_endpoint] = VerifierMiddleware(instance) return ac, routing
def test_pkce_verify_512(): _cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider("as", sdb.SessionDB(SERVER_INFO["issuer"]), CDB, authn_broker, Implicit(), verify_client) assert _prov.verify_code_challenge(cv, args['code_challenge'],'S512') is True
def provider(tmpdir): client_db_path = os.path.join(tmpdir.strpath, "client_db") cdb = shelve_wrapper.open(client_db_path) ab = AuthnBroker() ab.add("dummy", DummyAuthn()) sdb = SessionDB("https://testprovider.com") provider = CourseProvider("https://testprovider.com", sdb, cdb, ab, UserInfo({"user": {}}), AuthzHandling(), None, None) return provider
def setup(): with open("config.yaml", 'r') as f: config = yaml.load(f) issuer = config["baseurl"] ac = AuthnBroker() authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "{}/authorization".format(issuer)) ac.add("password", authn) URLS.append((r'^verify', make_auth_verify(authn.verify))) authz = AuthzHandling() client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db") LOGGER.info("Using db: {}".format(client_db_path)) cdb = shelve_wrapper.open(client_db_path) global OAS OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz, verify_client, rndstr(16)) OAS.baseurl = issuer OAS.userinfo = UserInfo(config["userdb"]) # Additional endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS, ENDPOINT_FUNCS) OAS.endpoints = ENDPOINTS authn.srv = OAS try: OAS.cookie_ttl = config["cookie_ttl"] except KeyError: pass try: OAS.cookie_name = config["cookie_name"] except KeyError: pass keyjar_init(OAS, config["keys"]) public_keys = [] for keybundle in OAS.keyjar[""]: for key in keybundle.keys(): public_keys.append(key.serialize()) public_jwks = {"keys": public_keys} filename = "static/jwks.json" with open(filename, "w") as f: f.write(json.dumps(public_jwks)) OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename) return config
def authn_setup(config): broker = AuthnBroker() # Which methods to use is defined in the configuration file for authkey, method_conf in config.AUTHN_METHOD.items(): try: func = AUTH_METHOD[authkey] except KeyError: pass else: broker.add(method_conf["ACR"], func(method_conf), method_conf["WEIGHT"], method_conf["URL"]) return broker
def setup(): with open("config.yaml", 'r') as f: config = yaml.load(f) issuer = config["baseurl"] ac = AuthnBroker() authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "{}/authorization".format(issuer)) ac.add("password", authn) URLS.append((r'^verify', make_auth_verify(authn.verify))) authz = AuthzHandling() client_db_path = os.environ.get("OIDC_CLIENT_DB", "client_db") LOGGER.info("Using db: {}".format(client_db_path)) cdb = shelve_wrapper.open(client_db_path) global OAS OAS = CourseProvider(issuer, SessionDB(issuer), cdb, ac, None, authz, verify_client, rndstr(16)) OAS.baseurl = issuer OAS.userinfo = UserInfo(config["userdb"]) # Additional endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS, ENDPOINT_FUNCS) OAS.endpoints = ENDPOINTS authn.srv = OAS try: OAS.cookie_ttl = config["cookie_ttl"] except KeyError: pass try: OAS.cookie_name = config["cookie_name"] except KeyError: pass keyjar_init(OAS, config["keys"]) public_keys = [] for keybundle in OAS.keyjar[""]: for key in keybundle.keys(): public_keys.append(key.serialize()) public_jwks = {"keys": public_keys} filename = "static/jwks.json" with open(filename, "w") as f: f.write(json.dumps(public_jwks)) OAS.jwks_uri = "{}/{}".format(OAS.baseurl, filename) return config
def test_pkce_verify_512(self, session_db_factory): _cli = Client(config={'code_challenge': {'method': 'S512', 'length': 96}}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider("as", session_db_factory('https://connect-op.heroku.com'), {}, authn_broker, Implicit(), verify_client) assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S512') is True resp = _prov.verify_code_challenge('XXX', args['code_challenge']) assert isinstance(resp, Response) assert resp.info()['status_code'] == 401
def test_pkce_verify_256(session_db_factory): _cli = Client(config={'code_challenge': {'method': 'S256', 'length': 64}}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider("as", session_db_factory(SERVER_INFO["issuer"]), CDB, authn_broker, Implicit(), verify_client) assert _prov.verify_code_challenge(cv, args['code_challenge']) is True assert _prov.verify_code_challenge(cv, args['code_challenge'], 'S256') is True resp = _prov.verify_code_challenge('XXX', args['code_challenge']) assert isinstance(resp, Response) assert resp.info()['status_code'] == 401
def create_provider(self): authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) self.provider = Provider("pyoicserv", sdb.SessionDB( TestProvider.SERVER_INFO["issuer"]), TestProvider.CDB, authn_broker, Implicit(), verify_client, client_info_url="https://example.com/as", client_authn_methods={ "client_secret_post": ClientSecretPost, "client_secret_basic": ClientSecretBasic, "bearer_header": BearerHeader})
def init_fed_op(cnf): with open(cnf["PROVIDER_CONFIG"]) as f: provider_config = yaml.safe_load(f) root_key = keyrep(provider_config["root_key_jwk"]) federation_keys = [keyrep(jwk) for jwk in provider_config["federations_jwk"]] authn_broker = AuthnBroker() name = "https://" + cnf["SERVER_NAME"] user = "******" authn_broker.add("password", NoAuthn(None, user)) provider = Provider(name, SessionDB(name), {}, authn_broker, None, AuthzHandling(), verify_client, None) return OP(name, root_key, provider_config["software_statements"], federation_keys, name + "/signed_jwks", provider, name + "/jwks")
def test_password_grant_type_no_authn(self): # Set a blank AuthnBroker self.provider.authn_broker = AuthnBroker() self.provider.set_token_policy('client1', {'grant_type': ['password']}) areq = ROPCAccessTokenRequest(grant_type='password', username='******', password='******') areq['client_id'] = 'client1' # Token endpoint would fill that in based on client_authn resp = self.provider.password_grant_type(areq) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr['error'] == 'invalid_grant'
def main(base, cookie_handler): as_conf = { "version": "1.0", "issuer": base, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], #"dynamic_client_endpoint": "%s/dynamic_client_endpoint" % BASE, #"token_endpoint": "%s/token_endpoint" % BASE, #"user_endpoint": "%s/user_endpoint" % BASE, #"resource_set_registration_endpoint": "%s/rsr_endpoint" % BASE, #"introspection_endpoint": "%s/introspection_endpoint" % BASE, #"permission_registration_endpoint": "%s/pr_endpoint" % BASE, #"rpt_endpoint": "%s/rpt_endpoint" % BASE, #"authorization_request_endpoint": "%s/ar_endpoint" % BASE, #"userinfo_endpoint": "%s/user_info_endpoint" % BASE # ------------ The OIDC provider config ----------------------- } base_url = "http://%s" % socket.gethostname() ab = AuthnBroker() ab.add("linda", DummyAuthn(None, "linda")) #AB.add("hans", DummyAuthn(None, "*****@*****.**")) ab.add( "UserPwd", UsernamePasswordMako(None, "login2.mako", LOOKUP, PASSWD, "%s/authorization" % base), 10, base_url) ab.add("BasicAuthn", BasicAuthnExtra(None, PASSWD), 10, base_url) AUTHZSRV = authzsrv.OidcDynRegUmaAS(base, SessionDB(base_url), CDB, ab, USERINFO, AUTHZ, verify_client, "1234567890", keyjar=None, configuration=as_conf, base_url=base) cookie_handler.init_srv(AUTHZSRV) jwks = keyjar_init(AUTHZSRV, KEYS, "a%d") fp = open("static/jwk_as.json", "w") fp.write(json.dumps(jwks)) fp.close() return AUTHZSRV
def test_pkce_verify_512(session_db_factory): _cli = Client(config={"code_challenge": {"method": "S512", "length": 96}}) args, cv = _cli.add_code_challenge() authn_broker = AuthnBroker() authn_broker.add("UNDEFINED", DummyAuthn(None, "username")) _prov = Provider( "as", session_db_factory(SERVER_INFO["issuer"]), CDB, authn_broker, Implicit(), verify_client, ) assert _prov.verify_code_challenge(cv, args["code_challenge"], "S512") is True resp = _prov.verify_code_challenge("XXX", args["code_challenge"]) assert isinstance(resp, Response) assert resp.info()["status_code"] == 401
def main(base, cookie_handler): as_conf = { "version": "1.0", "issuer": base, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], #"dynamic_client_endpoint": "%s/dynamic_client_endpoint" % BASE, #"token_endpoint": "%s/token_endpoint" % BASE, #"user_endpoint": "%s/user_endpoint" % BASE, #"resource_set_registration_endpoint": "%s/rsr_endpoint" % BASE, #"introspection_endpoint": "%s/introspection_endpoint" % BASE, #"permission_registration_endpoint": "%s/pr_endpoint" % BASE, #"rpt_endpoint": "%s/rpt_endpoint" % BASE, #"authorization_request_endpoint": "%s/ar_endpoint" % BASE, #"userinfo_endpoint": "%s/user_info_endpoint" % BASE # ------------ The OIDC provider config ----------------------- } base_url = "http://%s" % socket.gethostname() ab = AuthnBroker() ab.add("linda", DummyAuthn(None, "linda")) ab.add("hans", DummyAuthn(None, "hans")) AUTHZSRV = FakeUmaAs( base, SessionDB(base_url), CDB, ab, USERINFO, AUTHZ, verify_client, "1234567890", keyjar=None, configuration=as_conf, base_url=base) cookie_handler.init_srv(AUTHZSRV) jwks = keyjar_init(AUTHZSRV, KEYS, "a%d") fp = open("static/jwk_as.json", "w") fp.write(json.dumps(jwks)) fp.close() return AUTHZSRV
def test_password_grant_type_no_authn(self): # Set a blank AuthnBroker self.provider.authn_broker = AuthnBroker() self.provider.set_token_policy("client1", {"grant_type": ["password"]}) areq = ROPCAccessTokenRequest(grant_type="password", username="******", password="******") areq[ "client_id"] = "client1" # Token endpoint would fill that in based on client_authn resp = self.provider.password_grant_type(areq) atr = TokenErrorResponse().deserialize(resp.message, "json") assert atr["error"] == "invalid_grant"
def test(self): ac = AuthnBroker() issuer = "https://example.com/op" CAS_SERVER = "" SERVICE_URL = "" LDAP = { "uri": "ldaps://ldap.umu.se", "base": "dc=umu, dc=se", "filter_pattern": "(uid=%s)", "user": "", "passwd": "", "attr": ["eduPersonScopedAffiliation", "eduPersonAffiliation"], } LDAP_EXTRAVALIDATION = { "verify_attr": "eduPersonAffiliation", "verify_attr_valid": ["employee", "staff", "student"], } LDAP_EXTRAVALIDATION.update(LDAP) ac.add( PASSWORD, UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "%s/authorization" % issuer), 10, "http://%s" % socket.gethostname(), ) try: ac.add( PASSWORD, CasAuthnMethod( None, CAS_SERVER, SERVICE_URL, "%s/authorization" % issuer, UserLDAPMemberValidation(**LDAP_EXTRAVALIDATION), ), 20, "http://%s" % socket.gethostname(), ) except Exception: assert len(ac) == 1 else: assert len(ac) == 2 res = ac.pick(PASSWORD) assert res # list of two 2-tuples assert len(res) == 2 assert res[0][0].__class__.__name__ == "CasAuthnMethod" assert res[1][0].__class__.__name__ == "UsernamePasswordMako"
def main(base, cookie_handler): as_conf = { "version": "1.0", "issuer": base, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], # "dynamic_client_endpoint": "%s/dynamic_client_endpoint" % BASE, # "token_endpoint": "%s/token_endpoint" % BASE, # "user_endpoint": "%s/user_endpoint" % BASE, # "resource_set_registration_endpoint": "%s/rsr_endpoint" % BASE, # "introspection_endpoint": "%s/introspection_endpoint" % BASE, # "permission_registration_endpoint": "%s/pr_endpoint" % BASE, # "rpt_endpoint": "%s/rpt_endpoint" % BASE, # "authorization_request_endpoint": "%s/ar_endpoint" % BASE, # "userinfo_endpoint": "%s/user_info_endpoint" % BASE # ------------ The OIDC provider config ----------------------- } base_url = "http://%s" % socket.gethostname() ab = AuthnBroker() ab.add("linda", DummyAuthn(None, "linda")) # AB.add("hans", DummyAuthn(None, "*****@*****.**")) ab.add( "UserPwd", UsernamePasswordMako(None, "login2.mako", LOOKUP, PASSWD, "%s/authorization" % base), 10, base_url ) ab.add("BasicAuthn", BasicAuthnExtra(None, PASSWD), 10, base_url) AS = authz_srv.OidcDynRegUmaAS( base, SessionDB(base_url), CDB, ab, USERINFO, AUTHZ, verify_client, "1234567890", keyjar=None, configuration=as_conf, base_url=base, ) cookie_handler.init_srv(AS) jwks = keyjar_init(AS, KEYS, "a%d") fp = open("static/jwk_as.json", "w") fp.write(json.dumps(jwks)) fp.close() return AUTHZSRV
def __init__(self, config, issuer): self.config = config self.issuer = issuer self.root = None self.lookup = None self.username_password_authn = None self.saml_authn = None self.javascript_login_authn = None self.urls = [] self.ac = AuthnBroker() self.authn = False end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] self.full_end_point_paths = [ "{}{}".format(self.issuer, ep) for ep in end_points] self.auth_methods = { "UserPassword": self.user_password, # "JavascriptLogin": self.javascript_login, # "SAML": self.saml_login, # "SamlPass": self.saml_pass_login, # "JavascriptPass": self.javascript_passw_login }
def main(base, cookie_handler): as_conf = { "version": "1.0", "issuer": base, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], #"dynamic_client_endpoint": "%s/dynamic_client_endpoint" % BASE, #"token_endpoint": "%s/token_endpoint" % BASE, #"user_endpoint": "%s/user_endpoint" % BASE, #"resource_set_registration_endpoint": "%s/rsr_endpoint" % BASE, #"introspection_endpoint": "%s/introspection_endpoint" % BASE, #"permission_registration_endpoint": "%s/pr_endpoint" % BASE, #"rpt_endpoint": "%s/rpt_endpoint" % BASE, #"authorization_request_endpoint": "%s/ar_endpoint" % BASE, #"userinfo_endpoint": "%s/user_info_endpoint" % BASE # ------------ The OIDC provider config ----------------------- } ab = AuthnBroker() ab.add("alice", DummyAuthn(None, "alice")) ab.add("roger", DummyAuthn(None, "roger")) ab.add("UserPwd", UsernamePasswordMako(None, "login_as.mako", LOOKUP, PASSWD, "%s/authorization" % base), 10, "http://%s" % socket.gethostname()) ab.add("BasicAuthn", BasicAuthnExtra(None, PASSWD), 10, "http://%s" % socket.gethostname()) AUTHZSRV = authzsrv.OAuth2UmaAS(base, SessionDB(), CDB, ab, AUTHZ, verify_client, "1234567890123456", keyjar=None, configuration=as_conf, base_url=base, client_info_url="%s/" % base, client_authn_methods={ "client_secret_post": ClientSecretPost, "client_secret_basic": ClientSecretBasic, "bearer_header": BearerHeader}) cookie_handler.init_srv(AUTHZSRV) init_keyjar(AUTHZSRV, KEYS, "static/jwk_as.json") return AUTHZSRV
def main(base, cookie_handler): as_conf = { "version": "1.0", "issuer": base, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], #"dynamic_client_endpoint": "%s/dynamic_client_endpoint" % BASE, #"token_endpoint": "%s/token_endpoint" % BASE, #"user_endpoint": "%s/user_endpoint" % BASE, #"resource_set_registration_endpoint": "%s/rsr_endpoint" % BASE, #"introspection_endpoint": "%s/introspection_endpoint" % BASE, #"permission_registration_endpoint": "%s/pr_endpoint" % BASE, #"rpt_endpoint": "%s/rpt_endpoint" % BASE, #"authorization_request_endpoint": "%s/ar_endpoint" % BASE, #"userinfo_endpoint": "%s/user_info_endpoint" % BASE # ------------ The OIDC provider config ----------------------- } base_url = "http://%s" % socket.gethostname() ab = AuthnBroker() ab.add("linda", DummyAuthn(None, "linda")) ab.add("hans", DummyAuthn(None, "hans")) AUTHZSRV = FakeUmaAs(base, SessionDB(base_url), CDB, ab, USERINFO, AUTHZ, verify_client, "1234567890", keyjar=None, configuration=as_conf, base_url=base) cookie_handler.init_srv(AUTHZSRV) jwks = keyjar_init(AUTHZSRV, KEYS, "a%d") fp = open("static/jwk_as.json", "w") fp.write(json.dumps(jwks)) fp.close() return AUTHZSRV
def test(self): ac = AuthnBroker() issuer = "https://example.com/op" CAS_SERVER = "" SERVICE_URL = "" LDAP = { "uri": "ldaps://ldap.umu.se", "base": "dc=umu, dc=se", "filter_pattern": "(uid=%s)", "user": "", "passwd": "", "attr": ["eduPersonScopedAffiliation", "eduPersonAffiliation"], } LDAP_EXTRAVALIDATION = { "verify_attr": "eduPersonAffiliation", "verify_attr_valid": ['employee', 'staff', 'student'] } LDAP_EXTRAVALIDATION.update(LDAP) ac.add(PASSWORD, UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "%s/authorization" % issuer), 10, "http://%s" % socket.gethostname()) try: ac.add(PASSWORD, CasAuthnMethod( None, CAS_SERVER, SERVICE_URL, "%s/authorization" % issuer, UserLDAPMemberValidation(**LDAP_EXTRAVALIDATION)), 20, "http://%s" % socket.gethostname()) except Exception: assert len(ac) == 1 else: assert len(ac) == 2 res = ac.pick(PASSWORD) assert res # list of two 2-tuples assert len(res) == 2 assert res[0][0].__class__.__name__ == "CasAuthnMethod" assert res[1][0].__class__.__name__ == "UsernamePasswordMako"
def main_setup(args, lookup=None): sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port # Client data base cdb = shelve.open(config.CLIENT_DB, writeback=True) ac = AuthnBroker() for authkey, value in list(config.AUTHENTICATION.items()): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"]) # dealing with authorization authz = AuthzHandling() if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file userinfo = UserInfo(config.USERDB) else: userinfo = None com_args = { "name": config.issuer, "baseurl": config.baseurl, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, "jwks_name": "./static/jwks_{}.json" } # Should I care about verifying the certificates used by other entities if args.insecure: com_args["verify_ssl"] = False else: com_args["verify_ssl"] = True try: assert os.path.isfile(config.SERVER_CERT) assert os.path.isfile(config.SERVER_KEY) com_args['client_cert'] = (config.SERVER_CERT, config.SERVER_KEY) except AttributeError: pass except AssertionError: print("Can't access client certificate and/or client secret") exit(-1) op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True # All endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS) op_arg["endpoints"] = ENDPOINTS if args.port == 80: _baseurl = config.baseurl else: if config.baseurl.endswith("/"): config.baseurl = config.baseurl[:-1] _baseurl = "%s:%d" % (config.baseurl, args.port) if not _baseurl.endswith("/"): _baseurl += "/" op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _op = Provider(sdb=SessionDB(com_args["baseurl"]), **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg['keyjar'] = _op.keyjar #op_arg["keys"] = config.keys try: op_arg["marg"] = multi_keys(com_args, config.multi_keys) except AttributeError as err: pass return com_args, op_arg, config
def main_setup(args, lookup=None): sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port # Client data base cdb = shelve.open(config.CLIENT_DB, writeback=True) ac = AuthnBroker() for authkey, value in list(config.AUTHENTICATION.items()): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"]) # dealing with authorization authz = AuthzHandling() if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file userinfo = UserInfo(config.USERDB) else: userinfo = None com_args = { "name": config.issuer, "baseurl": config.baseurl, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": {"form_post": "form_response.mako"}, "jwks_name": "./static/jwks_{}.json" } # Should I care about verifying the certificates used by other entities if args.insecure: com_args["verify_ssl"] = False else: com_args["verify_ssl"] = True try: assert os.path.isfile(config.SERVER_CERT) assert os.path.isfile(config.SERVER_KEY) com_args['client_cert'] = (config.SERVER_CERT, config.SERVER_KEY) except AttributeError: pass except AssertionError: print("Can't access client certificate and/or client secret") exit(-1) op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True # All endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS) op_arg["endpoints"] = ENDPOINTS if args.port == 80: _baseurl = config.baseurl else: if config.baseurl.endswith("/"): config.baseurl = config.baseurl[:-1] _baseurl = "%s:%d" % (config.baseurl, args.port) if not _baseurl.endswith("/"): _baseurl += "/" op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _op = Provider(sdb=SessionDB(com_args["baseurl"]), **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg['keyjar'] = _op.keyjar #op_arg["keys"] = config.keys try: op_arg["marg"] = multi_keys(com_args, config.multi_keys) except AttributeError as err: pass return com_args, op_arg, config
} USERNAME = "******" USERDB = { USERNAME: { "name": "Linda Lindgren", "nickname": "Linda", "email": "*****@*****.**", "verified": True, "sub": "username" } } USERINFO = UserInfo(USERDB) AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add("UNDEFINED", DummyAuthn(None, USERNAME)) AUTHZ = AuthzHandling() SYMKEY = rndstr(16) # symmetric key used to encrypt cookie info class FakeOP: STATE = "12345678" def __init__(self): op_base_url = TestConfiguration.get_instance().rp_config.OP_URL self.provider = Provider( "https://op.tester.se/", SessionDB(op_base_url), CDB,
parser.add_argument('-b', dest='baseurl', help="base url of the OP") parser.add_argument(dest="config") args = parser.parse_args() # Client data base cdb = shelve_wrapper.open("client_db") sys.path.insert(0, ".") config = importlib.import_module(args.config) if args.baseurl: config.baseurl = args.baseurl config.issuer = config.issuer.format(base=config.baseurl, port=args.port) config.SERVICE_URL = config.SERVICE_URL.format(issuer=config.issuer) ac = AuthnBroker() saml_authn = None end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] full_end_point_paths = ["%s%s" % (config.issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % config.issuer, None, full_end_point_paths) for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = config.AUTHENTICATION[authkey]["END_POINTS"][
class DummyAuthn(UserAuthnMethod): def __init__(self, srv, user): UserAuthnMethod.__init__(self, srv) self.user = user def authenticated_as(self, cookie=None, **kwargs): if cookie == "FAIL": return None, 0 else: return {"uid": self.user}, time() # AUTHN = UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated") AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add("UNDEFINED", DummyAuthn(None, "username")) # dealing with authorization AUTHZ = AuthzHandling() SYMKEY = rndstr(16) # symmetric key used to encrypt cookie info USERINFO = UserInfo(USERDB) KEYS = {} ISSUER = {} OPERATOR = {} for entity in ['fo', 'fo1', 'org', 'inter', 'admin', 'ligo', 'op']: fname = os.path.join(BASE_PATH, "{}.key".format(entity)) _keydef = KEYDEFS[:] _keydef[0]['key'] = fname
BASE = "http://localhost:%s/" % PORT RESOURCE_SERVER = "https://localhost:8089" # The UMA AS=C combo as_conf = { "version": "1.0", "issuer": BASE, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], } ab = AuthnBroker() ab.add("alice", DummyAuthn(None, "alice")) ab.add( "UserPwd", UsernamePasswordMako(None, "login2.mako", LOOKUP, PASSWD, "%s/authorization" % BASE), 10, "http://%s" % socket.gethostname()) ab.add("BasicAuthn", BasicAuthnExtra(None, PASSWD), 10, "http://%s" % socket.gethostname()) AUTHZSRV = AuthorizationServer(BASE, SessionDB(), CDB, ab, AUTHZ, verify_client,
def as_arg_setup(args, lookup, config): if args.port: _port = args.port else: if args.tls: _port = 443 else: _port = 80 if args.path2port: # means there is a reverse proxy in front translating # path -> port p2p_map = read_path2port_map(args.path2port) _path = p2p_map[_port] if args.xport: _issuer = "{base}:{port}/{path}".format(base=config.baseurl, port=args.xport, path=_path) _port = args.xport else: _issuer = "{base}/{path}".format(base=config.baseurl, path=_path) else: # the old port based _path = '' _issuer = "{base}:{port}".format(base=config.baseurl, port=_port) if args.tls and _issuer.startswith('http://'): _issuer = _issuer.replace('http://', 'https://') cdb = {} ac = AuthnBroker() for authkey, value in list(config.AUTHENTICATION.items()): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"]) # dealing with authorization authz = AuthzHandling() if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file userinfo = UserInfo(config.USERDB) else: userinfo = None as_args = { "name": _issuer, 'instance_path': _path, 'instance_port': _port, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, "jwks_name": "./static/jwks_{}.json", 'event_db': Events(), } try: as_args['behavior'] = config.BEHAVIOR except AttributeError: pass com_args = { "baseurl": config.baseurl, } for arg in [ 'name', 'cdb', 'authn_broker', 'userinfo', 'authz', 'template', 'jwks_name', 'client_authn', 'symkey', 'template_lookup' ]: com_args[arg] = as_args[arg] # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _op = Provider(sdb=SessionDB(com_args["baseurl"]), **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: key_arg = {} else: key_arg = {"jwks": jwks, "keys": config.keys} as_args['jwks_name'] = 'static/jwks.json' f = open('static/jwks.json', 'w') f.write(json.dumps(jwks)) f.close() if args.insecure: _op.keyjar.verify_ssl = False else: _op.keyjar.verify_ssl = True as_args['keyjar'] = _op.keyjar as_args['sdb'] = SessionDB( com_args["baseurl"], token_factory=JWTToken('T', keyjar=_op.keyjar, lt_pattern={ 'code': 3600, 'token': 900 }, iss=com_args['baseurl'], sign_alg='RS256'), refresh_token_factory=JWTToken('R', keyjar=_op.keyjar, lt_pattern={'': 24 * 3600}, iss=com_args['baseurl'])) return as_args, key_arg
def main_setup(args, lookup=None): sys.path.insert(0, ".") config = importlib.import_module(args.config) if args.path: if config.baseurl.endswith('/'): config.issuer = '{}{}/'.format(config.baseurl, args.path) else: config.issuer = '{}/{}/'.format(config.baseurl, args.path) elif args.port and args.port not in [80, 443]: if config.baseurl.endswith('/'): config.issuer = '{}:{}/'.format(config.baseurl[:-1], args.port) else: config.issuer = '{}:{}/'.format(config.baseurl, args.port) _baseurl = config.issuer if not _baseurl.endswith("/"): _baseurl += "/" com_args = { "name": config.issuer, "baseurl": _baseurl, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": {"form_post": "form_response.mako"}, "jwks_name": "./static/jwks_{}.json" } # Client data base try: com_args['cdb'] = InMemoryBCD() #com_args['cdb'] = shelve.open(config.CLIENT_DB, writeback=True) except AttributeError: pass try: _auth = config.AUTHENTICATION except AttributeError: pass else: ab = AuthnBroker() for authkey, value in list(_auth.items()): authn = None if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=_auth[authkey]["user"]) if authn is not None: ab.add(_auth[authkey]["ACR"], authn, _auth[authkey]["WEIGHT"]) com_args['authn_broker'] = ab # dealing with authorization com_args['authz'] = AuthzHandling() try: if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file com_args['userinfo'] = UserInfo(config.USERDB) else: com_args['userinfo'] = None except AttributeError: pass # Should I care about verifying the certificates used by other entities if args.insecure: com_args["verify_ssl"] = False else: com_args["verify_ssl"] = True try: assert os.path.isfile(config.SERVER_CERT) assert os.path.isfile(config.SERVER_KEY) com_args['client_cert'] = (config.SERVER_CERT, config.SERVER_KEY) except AttributeError: pass except AssertionError: print("Can't access client certificate and/or client secret") exit(-1) op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True # All endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS) op_arg["endpoints"] = ENDPOINTS op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _sdb = create_session_db(com_args["baseurl"], 'automover', '430X', {}) _op = Provider(sdb=_sdb, **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg['keyjar'] = _op.keyjar #op_arg["keys"] = config.keys try: op_arg["marg"] = multi_keys(com_args, config.multi_keys) except AttributeError as err: pass return com_args, op_arg, config
def main_setup(args, lookup=None): sys.path.insert(0, ".") config = importlib.import_module(args.config) if args.path: if config.baseurl.endswith('/'): config.issuer = '{}{}/'.format(config.baseurl, args.path) else: config.issuer = '{}/{}/'.format(config.baseurl, args.path) elif args.port and args.port not in [80, 443]: if config.baseurl.endswith('/'): config.issuer = '{}:{}/'.format(config.baseurl[:-1], args.port) else: config.issuer = '{}:{}/'.format(config.baseurl, args.port) _baseurl = config.issuer if not _baseurl.endswith("/"): _baseurl += "/" com_args = { "name": config.issuer, "baseurl": _baseurl, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, "jwks_name": "./static/jwks_{}.json" } # Client data base try: com_args['cdb'] = shelve.open(config.CLIENT_DB, writeback=True) except AttributeError: pass try: _auth = config.AUTHENTICATION except AttributeError: pass else: ab = AuthnBroker() for authkey, value in list(_auth.items()): authn = None if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=_auth[authkey]["user"]) if authn is not None: ab.add(_auth[authkey]["ACR"], authn, _auth[authkey]["WEIGHT"]) com_args['authn_broker'] = ab # dealing with authorization com_args['authz'] = AuthzHandling() try: if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file com_args['userinfo'] = UserInfo(config.USERDB) else: com_args['userinfo'] = None except AttributeError: pass # Should I care about verifying the certificates used by other entities if args.insecure: com_args["verify_ssl"] = False else: com_args["verify_ssl"] = True try: assert os.path.isfile(config.SERVER_CERT) assert os.path.isfile(config.SERVER_KEY) com_args['client_cert'] = (config.SERVER_CERT, config.SERVER_KEY) except AttributeError: pass except AssertionError: print("Can't access client certificate and/or client secret") exit(-1) op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True # All endpoints the OpenID Connect Provider should answer on add_endpoints(ENDPOINTS) op_arg["endpoints"] = ENDPOINTS op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _sdb = create_session_db(com_args["baseurl"], 'automover', '430X', {}) _op = Provider(sdb=_sdb, **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg['keyjar'] = _op.keyjar #op_arg["keys"] = config.keys try: op_arg["marg"] = multi_keys(com_args, config.multi_keys) except AttributeError as err: pass return com_args, op_arg, config
"name": "Hans Granberg", "nickname": "Hasse", "email": "*****@*****.**", "verified": False, "sub": "user" } } URLMAP = {CLIENT_ID: ["https://example.com/authz"]} PASSWD = {"user": "******"} ROOT = '../oc3/' tl = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'], module_directory=ROOT + 'modules', input_encoding='utf-8', output_encoding='utf-8') AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add("1", UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated")) # dealing with authorization AUTHZ = AuthzHandling() SYMKEY = "symmetric key used to encrypt cookie info" USERINFO = UserInfo(USERDB) provider_init = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client, SYMKEY, urlmap=URLMAP, keyjar=KEYJAR)
parser.add_argument('-X', dest='XpressConnect', action='store_true') parser.add_argument('-A', dest='authn_as', default="") parser.add_argument('-P', dest='provider_conf') parser.add_argument('-k', dest='insecure', action='store_true') parser.add_argument(dest="config") args = parser.parse_args() # Client data base cdb = shelve.open("client_db", writeback=True) sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port ac = AuthnBroker() for authkey, value in config.AUTHORIZATION.items(): authn = None if "CAS" == authkey: from oic.utils.authn.user_cas import CasAuthnMethod from oic.utils.authn.ldap_member import UserLDAPMemberValidation config.LDAP_EXTRAVALIDATION.update(config.LDAP) authn = CasAuthnMethod(None, config.CAS_SERVER, config.SERVICE_URL,"%s/authorization" % config.issuer, UserLDAPMemberValidation(**config.LDAP_EXTRAVALIDATION)) if "UserPassword" == authkey: from oic.utils.authn.user import UsernamePasswordMako authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "%s/authorization" % config.issuer) if authn is not None: ac.add(config.AUTHORIZATION[authkey]["ACR"],
config = importlib.import_module(args.config) if args.issuer: _issuer = args.issuer[0] else: if args.port not in [80, 443]: _issuer = config.ISSUER + ':{}'.format(args.port) else: _issuer = config.ISSUER if _issuer[-1] != '/': _issuer += '/' config.SERVICE_URL = config.SERVICE_URL.format(issuer=_issuer) ac = AuthnBroker() saml_authn = None end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] full_end_point_paths = ["%s%s" % (_issuer, ep) for ep in end_points] username_password_authn = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % _issuer, None, full_end_point_paths) _urls = [] for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0
def main_setup(args, lookup): sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port # Client data base # cdb = shelve.open(config.CLIENT_DB, writeback=True) cdb = {} ac = AuthnBroker() for authkey, value in list(config.AUTHENTICATION.items()): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"]) # dealing with authorization authz = AuthzHandling() kwargs = { "template_lookup": lookup, "template": {"form_post": "form_response.mako"}, } if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file userinfo = UserInfo(config.USERDB) else: userinfo = None # Should I care about verifying the certificates used by other entities if args.insecure: kwargs["verify_ssl"] = False else: kwargs["verify_ssl"] = True uri_schemes = read_uri_schemes('uri-schemes-1.csv') as_args = { "name": config.issuer, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": {"form_post": "form_response.mako"}, "jwks_name": "./static/jwks_{}.json", 'event_db': Events(), } com_args = { "name": config.issuer, # "sdb": SessionDB(config.baseurl), "baseurl": config.baseurl, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": {"form_post": "form_response.mako"}, "jwks_name": "./static/jwks_{}.json", 'uri_schemes': uri_schemes } op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass try: as_args['behavior'] = config.BEHAVIOR except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True if args.port == 80: _baseurl = config.baseurl else: if config.baseurl.endswith("/"): config.baseurl = config.baseurl[:-1] _baseurl = "%s:%d" % (config.baseurl, args.port) if not _baseurl.endswith("/"): _baseurl += "/" op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _op = Provider(sdb=SessionDB(com_args["baseurl"]), **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg["keys"] = config.keys as_args['jwks_uri'] = '{}{}/jwks.json'.format(_baseurl, 'static') as_args['jwks_name'] = 'static/jwks.json' f = open('static/jwks.json', 'w') f.write(json.dumps(jwks)) f.close() as_args['keyjar'] = _op.keyjar as_args['sdb'] = SessionDB( com_args["baseurl"], token_factory=JWTToken('T', keyjar=_op.keyjar, lt_pattern={'code': 3600, 'token': 900}, iss=_baseurl, sign_alg='RS256'), refresh_token_factory=JWTToken( 'R', keyjar=_op.keyjar, lt_pattern={'': 24 * 3600}, iss=_baseurl) ) try: op_arg["marg"] = multi_keys(as_args, config.multi_keys) except AttributeError as err: pass return as_args, op_arg, config
PARSER.add_argument('-b', dest='baseurl', help="base url of the OP") PARSER.add_argument(dest="config") ARGS = PARSER.parse_args() # Client data base CDB = shelve_wrapper.open("client_db", writeback=True) sys.path.insert(0, ".") CONFIG = importlib.import_module(ARGS.config) if ARGS.baseurl: CONFIG.BASEURL = ARGS.baseurl CONFIG.ISSUER = CONFIG.ISSUER.format(base=CONFIG.BASEURL, port=ARGS.port) CONFIG.SERVICE_URL = CONFIG.SERVICE_URL.format(issuer=CONFIG.ISSUER) AC = AuthnBroker() SAML_AUTHN = None END_POINTS = CONFIG.AUTHENTICATION["UserPassword"]["END_POINTS"] FULL_END_POINT_PATHS = ["%s%s" % (CONFIG.ISSUER, ep) for ep in END_POINTS] USERNAME_PASSWORD_AUTHN = UsernamePasswordMako( None, "login.mako", LOOKUP, PASSWD, "%sauthorization" % CONFIG.ISSUER, None, FULL_END_POINT_PATHS) for authkey, value in CONFIG.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: PASSWORD_END_POINT_INDEX = 0 end_point = CONFIG.AUTHENTICATION[authkey]["END_POINTS"][
class AuthSetup(object): def __init__(self, config, issuer): self.config = config self.issuer = issuer self.root = None self.lookup = None self.username_password_authn = None self.saml_authn = None self.javascript_login_authn = None self.urls = [] self.ac = AuthnBroker() self.authn = False end_points = config.AUTHENTICATION["UserPassword"]["END_POINTS"] self.full_end_point_paths = [ "{}{}".format(self.issuer, ep) for ep in end_points] self.auth_methods = { "UserPassword": self.user_password, # "JavascriptLogin": self.javascript_login, # "SAML": self.saml_login, # "SamlPass": self.saml_pass_login, # "JavascriptPass": self.javascript_passw_login } def init_mako(self): if self.root is None: self.root = self.config.MAKO_ROOT if self.lookup is None: from mako.lookup import TemplateLookup self.lookup = TemplateLookup( directories=[self.root + 'templates', self.root + 'htdocs'], module_directory=self.root + 'modules', input_encoding='utf-8', output_encoding='utf-8') def user_password(self, info): self.init_mako() self.username_password_authn = UsernamePasswordMako( None, "login.mako", self.lookup, self.config.PASSWD, "%sauthorization" % self.issuer, None, self.full_end_point_paths) PASSWORD_END_POINT_INDEX = 0 end_point = info["END_POINTS"][PASSWORD_END_POINT_INDEX] authn = AuthnIndexedEndpointWrapper(self.username_password_authn, PASSWORD_END_POINT_INDEX) self.urls.append((r'^' + end_point, make_auth_verify(authn.verify))) return authn # def javascript_login(self, info): # if self.javascript_login_authn is None: # self.init_mako() # # end_points = self.config.AUTHENTICATION[ # "JavascriptLogin"]["END_POINTS"] # full_end_point_paths = [ # "{}{}".format(self.issuer, ep) for ep in end_points] # # self.javascript_login_authn = JavascriptFormMako( # None, "javascript_login.mako", self.lookup, self.config.PASSWD, # "{}authorization".format(self.issuer), None, # full_end_point_paths) # # self.ac.add("", self.javascript_login_authn, "", "") # JAVASCRIPT_END_POINT_INDEX = 0 # end_point = info["END_POINTS"][JAVASCRIPT_END_POINT_INDEX] # authn = AuthnIndexedEndpointWrapper(self.javascript_login_authn, # JAVASCRIPT_END_POINT_INDEX) # self.urls.append((r'^' + end_point, make_auth_verify(authn.verify))) # return authn # # def saml_login(self, info): # from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST # # if self.saml_authn is None: # self.init_mako() # # self.saml_authn = SAMLAuthnMethod( # None, self.lookup, self.config.SAML, self.config.SP_CONFIG, # self.issuer, "{}authorization".format(self.issuer), # userinfo=self.config.USERINFO) # # self.ac.add("", self.saml_authn, "", "") # SAML_END_POINT_INDEX = 0 # end_point = info["END_POINTS"][SAML_END_POINT_INDEX] # end_point_indexes = {BINDING_HTTP_REDIRECT: 0, BINDING_HTTP_POST: 0, # "disco_end_point_index": 0} # authn = AuthnIndexedEndpointWrapper(self.saml_authn, end_point_indexes) # self.urls.append((r'^' + end_point, make_auth_verify(authn.verify))) # return authn # # def saml_pass_login(self, info): # from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST # # if self.saml_authn is None: # self.init_mako() # # self.saml_authn = SAMLAuthnMethod( # None, self.lookup, self.config.SAML, self.config.SP_CONFIG, # self.issuer, "{}authorization".format(self.issuer), # userinfo=self.config.USERINFO) # # PASSWORD_END_POINT_INDEX = 1 # SAML_END_POINT_INDEX = 1 # password_end_point = self.config.AUTHENTICATION['UserPassword'][ # "END_POINTS"][PASSWORD_END_POINT_INDEX] # saml_endpoint = info["END_POINTS"][SAML_END_POINT_INDEX] # # end_point_indexes = {BINDING_HTTP_REDIRECT: 1, BINDING_HTTP_POST: 1, # "disco_end_point_index": 1} # multi_saml = AuthnIndexedEndpointWrapper(self.saml_authn, # end_point_indexes) # multi_password = AuthnIndexedEndpointWrapper( # self.username_password_authn, PASSWORD_END_POINT_INDEX) # # auth_modules = [(multi_saml, r'^' + saml_endpoint), # (multi_password, r'^' + password_end_point)] # return setup_multi_auth(self.ac, self.urls, auth_modules) # # def javascript_passw_login(self, info): # if self.javascript_login_authn is None: # self.init_mako() # # end_points = self.config.AUTHENTICATION[ # "JavascriptLogin"]["END_POINTS"] # full_end_point_paths = [ # "{}{}".format(self.issuer, ep) for ep in end_points] # self.javascript_login_authn = JavascriptFormMako( # None, "javascript_login.mako", self.lookup, self.config.PASSWD, # "{}authorization".format(self.issuer), None, # full_end_point_paths) # # PASSWORD_END_POINT_INDEX = 2 # JAVASCRIPT_POINT_INDEX = 1 # # password_end_point = self.config.AUTHENTICATION["UserPassword"][ # "END_POINTS"][PASSWORD_END_POINT_INDEX] # javascript_end_point = info["END_POINTS"][JAVASCRIPT_POINT_INDEX] # # multi_password = AuthnIndexedEndpointWrapper( # self.username_password_authn, PASSWORD_END_POINT_INDEX) # multi_javascript = AuthnIndexedEndpointWrapper( # self.javascript_login_authn, JAVASCRIPT_POINT_INDEX) # # auth_modules = [(multi_password, r'^' + password_end_point), # (multi_javascript, r'^' + javascript_end_point)] # return setup_multi_auth(self.ac, self.urls, auth_modules) def __call__(self): for authkey, value in self.config.AUTHENTICATION.items(): authn = self.auth_methods[authkey](value) if authn is not None: self.ac.add(value["ACR"], authn, value["WEIGHT"], "")
ressrv = ResourceServer(DataSet(), registration_info=reginfo) # -------------------- ResourceServer as Client --------------------- rs_client = Client({}, {"client_authn_method": CLIENT_AUTHN_METHOD}) _me = ressrv.registration_info.copy() _me["redirect_uris"] = ["https://rs.example.com/"] # init authsrv authzsrv = Provider("foo", SessionDB(), CDB, None, AUTHZ, verify_client, "1234567890", keyjar=KeyJar()) authzsrv.baseurl = "https://as.example.com/" AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add(UNSPECIFIED, DummyAuthn(None, user="******"), 0, "http://%s" % socket.gethostname()) # AUTHN_BROKER.add(PASSWORD, # UsernamePasswordMako( # None, "login.mako", LOOKUP, PASSWD, # "%s/authorization" % authzsrv.baseurl), # 10, "http://%s" % socket.gethostname()) AUTHN_BROKER.add(PASSWORD, BasicAuthn(None, PASSWD), 10, "http://%s" % socket.gethostname()) authzsrv.set_authn_broker(AUTHN_BROKER) ressrv.set_client(authzsrv.baseurl, rs_client)
config = importlib.import_module(args.config) config.ISSUER = config.ISSUER + ':{}/'.format(config.PORT) config.SERVICEURL = config.SERVICEURL.format(issuer=config.ISSUER) endPoints = config.AUTHENTICATION["UserPassword"]["EndPoints"] fullEndPointsPath = ["%s%s" % (config.ISSUER, ep) for ep in endPoints] # TODO: why this instantiation happens so early? can I move it later? # An OIDC Authorization/Authentication server is designed to # allow more than one authentication method to be used by the server. # And that is what the AuthBroker is for. # Given information about the authorisation request, the AuthBroker # chooses which method(s) to be used for authenticating the person/entity. # According to the OIDC standard a Relaying Party can say # 'I want this type of authentication', and the AuthnBroker tries to pick # methods from the set it has been supplied, to map that request. authnBroker = AuthnBroker() # UsernamePasswordMako: authenticas a user using the username/password form in a # WSGI environment using Mako as template system usernamePasswordAuthn = UsernamePasswordMako( None, # server instance "login.mako", # a mako template lookup, # lookup template usernamePasswords, # username/password dictionary-like database "%sauthorization" % config.ISSUER, # where to send the user after authentication None, # templ_arg_func ??!! fullEndPointsPath) # verification endpoints # AuthnIndexedEndpointWrapper is a wrapper class for using an authentication module with multiple endpoints. authnIndexedEndPointWrapper = AuthnIndexedEndpointWrapper(usernamePasswordAuthn, passwordEndPointIndex)
"verified": False, "sub": "user" } } URLMAP = {CLIENT_ID: ["https://example.com/authz"]} PASSWD = {"user": "******"} ROOT = '../oc3/' tl = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'], module_directory=ROOT + 'modules', input_encoding='utf-8', output_encoding='utf-8') AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add( "1", UsernamePasswordMako(None, "login.mako", tl, PASSWD, "authenticated")) # dealing with authorization AUTHZ = AuthzHandling() SYMKEY = "symmetric key used to encrypt cookie info" USERINFO = UserInfo(USERDB) provider_init = Provider("pyoicserv", SessionDB(SERVER_INFO["issuer"]), CDB, AUTHN_BROKER, USERINFO, AUTHZ, verify_client,
#'session.data_dir': './data', 'session.auto': True, 'session.timeout': 900 } sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port # Client data base cdb = shelve.open(config.CLIENT_DB, writeback=True) SETUP = {} ac = AuthnBroker() for authkey, value in config.AUTHENTICATION.items(): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn,
parser.add_argument('-v', dest='verbose', action='store_true') parser.add_argument('-d', dest='debug', action='store_true') parser.add_argument('-p', dest='port', default=80, type=int) parser.add_argument('-k', dest='insecure', action='store_true') parser.add_argument(dest="config") args = parser.parse_args() # Client data base cdb = shelve.open("client_db", writeback=True) sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port ac = AuthnBroker() for authkey, value in config.AUTHENTICATION.items(): authn = None if "UserPassword" == authkey: from oic.utils.authn.user import UsernamePasswordMako authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, "%s/authorization" % config.issuer) if "SAML" == authkey: from oic.utils.authn.saml import SAMLAuthnMethod authn = SAMLAuthnMethod(None, LOOKUP, config.SAML, config.SP_CONFIG, config.issuer, "%s/authorization" % config.issuer, config.SERVICE_URL) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn,
def verify_outcome(msg, prefix, lista): """ Compare message to list of claims: values. :param prefix: prefix string :param lista: list of claims=value :return: list of possible strings """ assert msg.startswith(prefix) qsl = ['{}={}'.format(k, v[0]) for k, v in parse_qs(msg[len(prefix):]).items()] return set(qsl) == set(lista) AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add("UNDEFINED", DummyAuthn(None, "username")) AUTHN_BROKER2 = AuthnBroker() AUTHN_BROKER2.add('UNDEFINED', NoCookieAuthn(None, 'username')) # dealing with authorization AUTHZ = Implicit() class TestProvider(object): @pytest.fixture(autouse=True) def create_provider(self, session_db_factory): self.provider = Provider("pyoicserv", session_db_factory(ISSUER), CDB, AUTHN_BROKER, AUTHZ, verify_client, baseurl='https://example.com/as')
BASE = "http://localhost:%s/" % PORT RESOURCE_SERVER = "https://localhost:8089" # The UMA AS=C combo as_conf = { "version": "1.0", "issuer": BASE, "pat_profiles_supported": ["bearer"], "aat_profiles_supported": ["bearer"], "rpt_profiles_supported": ["bearer"], "pat_grant_types_supported": ["authorization_code"], "aat_grant_types_supported": ["authorization_code"], "claim_profiles_supported": ["openid"], } ab = AuthnBroker() ab.add("alice", DummyAuthn(None, "alice")) ab.add("UserPwd", UsernamePasswordMako(None, "login2.mako", LOOKUP, PASSWD, "%s/authorization" % BASE), 10, "http://%s" % socket.gethostname()) ab.add("BasicAuthn", BasicAuthnExtra(None, PASSWD), 10, "http://%s" % socket.gethostname()) AUTHZSRV = AuthorizationServer( BASE, SessionDB(), CDB, ab, AUTHZ, verify_client, "1234567890123456", keyjar=None, configuration=as_conf, base_url=BASE, client_info_url="%s/" % BASE, client_authn_methods={ "client_secret_post": ClientSecretPost, "client_secret_basic": ClientSecretBasic,
config = importlib.import_module(args.config) config.ISSUER = config.ISSUER + ':{}/'.format(config.PORT) config.SERVICEURL = config.SERVICEURL.format(issuer=config.ISSUER) endPoints = config.AUTHENTICATION["UserPassword"]["EndPoints"] fullEndPointsPath = ["%s%s" % (config.ISSUER, ep) for ep in endPoints] # TODO: why this instantiation happens so early? can I move it later? # An OIDC Authorization/Authentication server is designed to # allow more than one authentication method to be used by the server. # And that is what the AuthBroker is for. # Given information about the authorisation request, the AuthBroker # chooses which method(s) to be used for authenticating the person/entity. # According to the OIDC standard a Relaying Party can say # 'I want this type of authentication', and the AuthnBroker tries to pick # methods from the set it has been supplied, to map that request. authnBroker = AuthnBroker() # UsernamePasswordMako: authenticas a user using the username/password form in a # WSGI environment using Mako as template system usernamePasswordAuthn = UsernamePasswordMako( None, # server instance "login.mako", # a mako template lookup, # lookup template usernamePasswords, # username/password dictionary-like database "%sauthorization" % config.ISSUER, # where to send the user after authentication None, # templ_arg_func ??!! fullEndPointsPath) # verification endpoints # AuthnIndexedEndpointWrapper is a wrapper class for using an authentication module with multiple endpoints. authnIndexedEndPointWrapper = AuthnIndexedEndpointWrapper(
def main_setup(args, lookup): sys.path.insert(0, ".") config = importlib.import_module(args.config) config.issuer = config.issuer % args.port config.SERVICE_URL = config.SERVICE_URL % args.port # Client data base # cdb = shelve.open(config.CLIENT_DB, writeback=True) cdb = {} ac = AuthnBroker() for authkey, value in list(config.AUTHENTICATION.items()): authn = None # if "UserPassword" == authkey: # from oic.utils.authn.user import UsernamePasswordMako # authn = UsernamePasswordMako(None, "login.mako", LOOKUP, PASSWD, # "authorization") if "NoAuthn" == authkey: from oic.utils.authn.user import NoAuthn authn = NoAuthn(None, user=config.AUTHENTICATION[authkey]["user"]) if authn is not None: ac.add(config.AUTHENTICATION[authkey]["ACR"], authn, config.AUTHENTICATION[authkey]["WEIGHT"]) # dealing with authorization authz = AuthzHandling() kwargs = { "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, } if config.USERINFO == "SIMPLE": # User info is a simple dictionary in this case statically defined in # the configuration file userinfo = UserInfo(config.USERDB) else: userinfo = None # Should I care about verifying the certificates used by other entities if args.insecure: kwargs["verify_ssl"] = False else: kwargs["verify_ssl"] = True uri_schemes = read_uri_schemes('uri-schemes-1.csv') as_args = { "name": config.issuer, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, "jwks_name": "./static/jwks_{}.json", 'event_db': Events(), } com_args = { "name": config.issuer, # "sdb": SessionDB(config.baseurl), "baseurl": config.baseurl, "cdb": cdb, "authn_broker": ac, "userinfo": userinfo, "authz": authz, "client_authn": verify_client, "symkey": config.SYM_KEY, "template_lookup": lookup, "template": { "form_post": "form_response.mako" }, "jwks_name": "./static/jwks_{}.json", 'uri_schemes': uri_schemes } op_arg = {} try: op_arg["cookie_ttl"] = config.COOKIETTL except AttributeError: pass try: op_arg["cookie_name"] = config.COOKIENAME except AttributeError: pass try: as_args['behavior'] = config.BEHAVIOR except AttributeError: pass # print URLS if args.debug: op_arg["debug"] = True if args.port == 80: _baseurl = config.baseurl else: if config.baseurl.endswith("/"): config.baseurl = config.baseurl[:-1] _baseurl = "%s:%d" % (config.baseurl, args.port) if not _baseurl.endswith("/"): _baseurl += "/" op_arg["baseurl"] = _baseurl # Add own keys for signing/encrypting JWTs try: # a throw-away OP used to do the initial key setup _op = Provider(sdb=SessionDB(com_args["baseurl"]), **com_args) jwks = keyjar_init(_op, config.keys) except KeyError: pass else: op_arg["jwks"] = jwks op_arg["keys"] = config.keys as_args['jwks_uri'] = '{}{}/jwks.json'.format(_baseurl, 'static') as_args['jwks_name'] = 'static/jwks.json' f = open('static/jwks.json', 'w') f.write(json.dumps(jwks)) f.close() as_args['keyjar'] = _op.keyjar as_args['sdb'] = SessionDB(com_args["baseurl"], token_factory=JWTToken('T', keyjar=_op.keyjar, lt_pattern={ 'code': 3600, 'token': 900 }, iss=_baseurl, sign_alg='RS256'), refresh_token_factory=JWTToken( 'R', keyjar=_op.keyjar, lt_pattern={'': 24 * 3600}, iss=_baseurl)) try: op_arg["marg"] = multi_keys(as_args, config.multi_keys) except AttributeError as err: pass return as_args, op_arg, config
ROOT = '../oc3/' tl = TemplateLookup(directories=[ROOT + 'templates', ROOT + 'htdocs'], module_directory=ROOT + 'modules', input_encoding='utf-8', output_encoding='utf-8') class DummyAuthn(UserAuthnMethod): def __init__(self, srv, user): UserAuthnMethod.__init__(self, srv) self.user = user def authenticated_as(self, cookie=None, **kwargs): return {"uid": self.user} AUTHN_BROKER = AuthnBroker() AUTHN_BROKER.add("UNDEFINED", DummyAuthn(None, "username")) # dealing with authorization AUTHZ = Implicit() def content_type(headers): for key, val in headers: if key == "Content-type": if val == "application/json": return "json" def _eq(l1, l2): return set(l1) == set(l2)
if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('-p', dest='port', default=80, type=int) parser.add_argument("-b", required=True, dest="base", help="base url of the provider") parser.add_argument(dest="config") args = parser.parse_args() # Client data base cdb = shelve.Shelf({}) sys.path.insert(0, ".") config = importlib.import_module(args.config) baseurl = "{base}:{port}".format(base=args.base.rstrip("/"), port=args.port) ac = AuthnBroker() authn = UsernamePasswordMako(None, "login.mako", LOOKUP, config.PASSWD, "%s/authorization" % baseurl) ac.add("UsernamePassword", authn) # dealing with authorization authz = AuthzHandling() # Consent and list tokens page renderer = MakoRenderer(LOOKUP) consent_page_handler = partial(renderer, "consent.mako", form_action="/consent_ok") list_tokens_page_handler = partial(renderer, "list_access_tokens.mako") OAS = NonWebProvider(baseurl, SessionDB(baseurl), cdb, ac, None, authz, verify_client, config.SYM_KEY,